openroot

chroot for read-only root with X11 forwarding and full disk access.


Introduction

Chroot allows you to run commands from a different system installation without having to boot into that system. You do not even need a separate partition for the alternate root file system. Of course, this only works if both systems are Linux installations or both systems are BSD derivatives, since the same kernel is always in operation. Only shared libraries (*.so, Windows: dll) are loaded from the new root when a program is invoked from the chroot environment.

This is particularly useful if you have installed more than one Linux distro and want to run programs from a distro other than the one you have booted. Chroot is also widely used for program development and packaging. It can also be used to run programs that are no longer available for recent Linux distros.

Chroot works immediately and with minimal effort. You do not have to wait until another system is booted, and memory usage is as low as possible. On Linux it is possible for a cracker to escape from a chroot environment, whereas on FreeBSD chroot is also considered to be a security function.

The only thing you have to do in order to change to another chroot environment (system installation) is to issue a chroot command as root on the directory that should become the new root of the file system. Use exit to get back to your boot-root.

> chroot /mnt/debian

Problems with chroot

Unfortunately, you may soon find that a pure chroot is very restricted. For instance, you cannot run any GUI applications. A workaround for this is to redirect all X11 drawing operations through localhost:

> xhost +localhost
> DISPLAY=localhost:0 chroot /mnt/debian

However, this will not work if the X server responsible for all graphical output has been started with the -nolisten tcp option, which is the default for security reasons in many distributions such as Suse. In this case you have to replicate the socket file /tmp/.X11-unix/X0 to /mnt/debian/tmp/.X11-unix/X0, which needs to be done with a proper socat rather than a plain link. Plain links do not work, since a link is just the character string naming the referenced file, and that string points to something different after the chroot. Find out the command line X has been started with by using the following command:

> ps ax|grep "X[^/]* "
1959 tty7 Ss+ 75:16 /usr/bin/Xorg -br -nolisten tcp :0 vt7 -auth /var/lib/xdm/authdir/authfiles/A:0-EgqjEQ

Furthermore, programs like grub or gparted need direct access to your disk devices under /dev. In this example you may simply mirror your /dev to /mnt/debian/dev before you issue the chroot, which can be accomplished with mount --bind /dev /mnt/debian/dev. Proceed the same way for your /sys and /proc directories.
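The manual steps described above, collected into one dry-run planner. This is an added example, not part of openroot or of the original page: the function names are hypothetical, and the socat address pair is one way to relay the socket, not necessarily the one openroot uses. It only prints the commands so they can be reviewed before being run as root.

```shell
#!/bin/sh
# Added example: prints setup and teardown commands for review, runs nothing.

# x_display CMDLINE: display number of the X server (":0" -> 0)
x_display() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n 's/^:\([0-9][0-9]*\)$/\1/p' | head -n 1
}

# x_tcp_disabled CMDLINE: succeeds if X was started with "-nolisten tcp"
x_tcp_disabled() {
    case " $1 " in *" -nolisten tcp "*) return 0 ;; *) return 1 ;; esac
}

# plan_chroot NEWROOT CMDLINE: print the commands, one per line
plan_chroot() {
    root=${1%/}; n=$(x_display "$2"); n=${n:-0}
    for d in dev sys proc; do echo "mount --bind /$d $root/$d"; done
    if x_tcp_disabled "$2"; then
        # No TCP listener: relay the UNIX socket into the new root
        sock=/tmp/.X11-unix/X$n
        echo "mkdir -p $root/tmp/.X11-unix"
        echo "socat UNIX-LISTEN:$root$sock,fork UNIX-CONNECT:$sock &"
        echo "DISPLAY=:$n chroot $root"
        echo 'kill $!'              # stop the relay once the chroot shell exits
    else
        echo "xhost +localhost"
        echo "DISPLAY=localhost:$n chroot $root"
        echo "xhost -localhost"     # withdraw the access grant afterwards
    fi
    # Release the bind mounts so the host's /dev, /sys and /proc are no
    # longer reachable through the chroot directory.
    echo "umount $root/proc $root/sys $root/dev"
}

# Xorg command line taken from the ps output on this page
SAMPLE='/usr/bin/Xorg -br -nolisten tcp :0 vt7 -auth /var/lib/xdm/authdir/authfiles/A:0-EgqjEQ'
plan_chroot /mnt/debian "$SAMPLE"
```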

OpenRoot - an extended version of chroot

Simply use openroot instead to accomplish all these tasks automatically:

> openroot /mnt/debian

OpenRoot will mount your new root filesystem and all sub-partitions such as /var, /tmp and /usr automatically on demand (only if necessary), provided that they are listed in your /etc/fstab. OpenRoot will mirror /sys, /proc and /dev and, most importantly, it will enable the use of GUI applications (DISPLAY=:X). Furthermore, unlike with chroot, you may specify any program in the chroot environment if you do not just wish to execute the standard bash shell:

> openroot /mnt/debian xterm

OpenRoot is also handy if you want to leave your target chroot environment untouched for any reason. This may be a necessity if your chroot environment is located on read-only media such as your CD-ROM drive. Simply use the -a option and make sure that aufs is installed.

> openroot -a /mnt/debian

Read-only access is established like this: changed files are copied to /tmp/openroot/$$, where $$ is the PID of the invoker. These files are kept for examination by default and need to be deleted later on by the user. The root in which the additional files from /tmp/openroot/$$ and the desired read-only root directory are combined is /mnt/debian-$$. If openroot has terminated abnormally, you may want to issue openroot cleanall /mnt/debian, which cleans up all /tmp/openroot/$$ and all /mnt/debian-$$ directories.
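Since the changed files are kept for examination, the following added example (not part of openroot or of the original page) lists what a finished -a session wrote into its /tmp/openroot/$$ directory. The function names are hypothetical, the mount line uses the usual aufs branch syntax and is an assumption about the layout described above rather than openroot's exact command, and the sample directory is constructed.

```shell
#!/bin/sh
# Added example: inspect what a finished "openroot -a" session wrote.

# aufs_mount_cmd ROOT PID: print a union mount matching the layout above
# (usual aufs branch syntax; openroot's exact options are an assumption).
aufs_mount_cmd() {
    ro=${1%/}; pid=$2
    echo "mount -t aufs -o br=/tmp/openroot/$pid=rw:$ro=ro none $ro-$pid"
}

# session_changes BRANCH: list files the session created/modified or deleted.
# aufs records a deletion as a whiteout file ".wh.<name>" in the rw branch;
# entries named ".wh..wh.*" are aufs bookkeeping and are skipped.
session_changes() {
    ( cd "$1" && find . -name '.wh..wh.*' -prune -o ! -type d -print ) |
    while IFS= read -r p; do
        p=${p#.}; name=${p##*/}; dir=${p%/*}
        case "$name" in
            .wh.*) echo "deleted $dir/${name#.wh.}" ;;
            *)     echo "changed $p" ;;
        esac
    done | LC_ALL=C sort
}

# Constructed sample branch standing in for /tmp/openroot/<pid>
demo=$(mktemp -d)
mkdir -p "$demo/etc" "$demo/root"
: > "$demo/.wh..wh.aufs"                        # aufs bookkeeping file
echo "127.0.0.1 localhost" > "$demo/etc/hosts"  # file modified in the session
: > "$demo/etc/.wh.motd"                        # whiteout: /etc/motd deleted
: > "$demo/root/.bash_history"                  # file created in the session
aufs_mount_cmd /mnt/debian 4242
session_changes "$demo"
rm -rf "$demo"
```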

How to create a chroot environment

You may simply use an old system installation as a chroot environment instead of booting into it via qemu-kvm, VMWare or VirtualBox. On the other hand, it is not difficult to create your own minimal chroot environment that contains only the packages necessary to run a certain piece of software or to compile a certain package.

In Debian, use debootstrap to initialize a new root:

> debootstrap lenny /var/openroot/suse11.2 http://debian.uni-klu.ac.at/debian

In Suse use zypper with the --root option to add repositories and install software:

> mkdir /var/openroot/suse11.2
> mount /dev/sr0 /media/dvd
> zypper --root /openroot/suse11.2 ar /media/dvd/ dvd
Repository 'dvd' wird hinzugefügt [fertig]
Repository 'dvd' erfolgreich hinzugefügt
Aktiviert: Ja
Autoaktualisierung: Nein
URI: dir:///media/dvd
> zypper --root /openroot/suse11.2 lr
# | Alias | Name | Aktiviert | Aktualisieren
--+-------+------+-----------+--------------
1 | dvd   | dvd  | Ja        | Nein
> zypper --root /openroot/suse11.2 in rpm zypper xterm

get it!

Download:
openroot

Author:
Elmar Stellnberger estellnb@elstel.com
Hint: Don't forget to chmod +x openroot






Comments

Britten Kerin wrote:

I love it, I hope you keep maintaining it, help propagate it into distros, etc.

I wanted to debug a weird assertion violation in inkscape that I suspect
is due to my weird random stack of gnome libs, I asked on garnome
list and even the garnome enthusiasts said to run in fear and just use
a chroot...

But of course chroot with X isn't totally automatic these days, until you
find openchroot! Thanks so much for this handy little script, it succeeded
where all the old broken advice on how to get X going in a chroot either
failed or wasn't what I wanted (I have no desire to restart X every time I
test or run an extra GDM or anything like that).

Very sweet.

Britton