logo

 

This site is now 100% read-only, and retired.

schroot - chroot for any users

Posted by amadeu on Tue 27 Nov 2007 at 15:06

Tags: , , , , , , ,
From manpages: schroot allows the user to run a command or a login shell in a chroot environment. If no command is specified, a login shell will be started in the user current working directory inside the chroot.

I've been trying some virtual machines solutions to execute some programs 32bits in my machine. But it's take very time, start a xen VM or virtualbox. Often this solutions needs some maintain additional costs to setup a X server to run any X-based program.

My initial motivation was that wengophone wasn't in Debian lenny for amd64 until some days ago. Thus I did want to run a x-based program in a single chroot as normal user.

The schroot makes a chroot's use easy! Very easy for end users.

  1. install into your original installation: 
     # aptitude install schroot
  2. configure the /etc/schroot/schroot.conf like: 
    [sid]
description=Debian sid (unstable)
type=directory
location=/srv/chroot/sid
priority=3
users=YOUR_USER
groups=SOME_GROUP_LIKE_users
root-groups=YOUR_ADMIN_USER
run-setup-scripts=true
run-exec-scripts=true
  3. creating a chroot: 
     # debootstrap --arch i386 sid /srv/chroot/sid http://ftp.br.debian.org/debian
  4. installing 32bit programs in the chroot: 
     # schroot -c sid -p aptitude install wengophone
  5. to run X programs make sure that your X session accept it and execute the schroot: 
    $ xhost +
$ schroot -c sid -p wengophone
  6. there is a more safer way to run X programs like comments below and a example of wengophone_wrapper script
  7. it isn't need mount /proc on fstab or other because run-setup-scripts and run-exec-scripts take care of this, but you should look the /etc/schroot/mount-defaults to set your specific directories
Shortcuts:
  1. create a wrapper script /usr/local/bin/wengophone_wrapper: 
    #!/bin/bash
## UPDATED after the comment #16 to reduce security risk ;-)
# right way for export Xauthority file
xauth extract /srv/chroot/sid$HOME/.Xauthority $DISPLAY
# run your command
schroot -c sid -p wengophone
# remove the Xauthority
rm -f /srv/chroot/sid$HOME/.Xauthority
  2. permissions : 
     # chmod +x /usr/local/bin/wengophone_wrapper
  3. now you could create some wengo.desktop for your users :-)
PS: maybe wengophone example it's trivial, but try it with others programs only 32bit like the non-free skype

 

 

 

#
Re: schroot - chroot for any users
Posted by dreynolds (212.140.xx.xx) on Tue 27 Nov 2007 at 16:25
You spelt debootstrap wrong, which I wouldn't have noticed had I not copied and pasted it ;)

Cheers

--
Dave

[ Parent ]

#
Re: schroot - chroot for any users
Posted by Steve (80.68.xx.xx) on Tue 27 Nov 2007 at 16:28
[ View Weblogs ]

Fixed now, thanks. I didn't test all the steps myself on this one - I'll be more careful in the future.

Steve

[ Parent ]

#
Re: schroot - chroot for any users
Posted by Anonymous (209.104.xx.xx) on Tue 27 Nov 2007 at 19:34
Why do xhost + when your x session could (potentially) be compromised? You can do something more secure like:
xhost localhost


Even though the chances of someone exploiting your explicit allow of x clients is unlikely, it isn't impossible.

---
Jeff Schroeder
http://www.digitalprognosis.com

[ Parent ]

#
Re: schroot - chroot for any users
Posted by ajt (85.211.xx.xx) on Tue 27 Nov 2007 at 20:52
[ View Weblogs ]
I can't remember doing any messing with xhost to get apps to work when I used a chroot to run 32-bit apps on my 64-bit Sarge systems.

Back when I used a chroot I followed the guide on Alioth:
https://alioth.debian.org/docman/view.php/30192/21/debian-amd64-h owto.html

--
"It's Not Magic, It's Work"
Adam

[ Parent ]

#
Re: schroot - chroot for any users
Posted by amadeu (139.82.xx.xx) on Tue 27 Nov 2007 at 23:55
ohh Adam, really very nice how-to I didn't known that. Thanks for the great reference. Amadeu :)

[ Parent ]

#
Re: schroot - chroot for any users
Posted by ajt (204.193.xx.xx) on Wed 28 Nov 2007 at 12:11
[ View Weblogs ]
While a chroot has it's use, normally you don't need one to run most x86 32-bit applications on an AMD64 64-bit Debian system. See: http://www.debian-administration.org/articles/534 for details on how.

--
"It's Not Magic, It's Work"
Adam

[ Parent ]

#
Re: schroot - chroot for any users
Posted by amadeu (139.82.xx.xx) on Tue 27 Nov 2007 at 23:51
Really it's a very dangerous thing (xhost +), but when I tried xhost localhost I get a "connection refused" like: 
amadeu@sarang:~$ xhost
access control enabled, only authorized clients can connect
amadeu@sarang:~$ xhost localhost
localhost being added to access control list
amadeu@sarang:~$ schroot -c sid -p skype
I: [sid chroot] Running command: "skype"
Xlib: connection to ":0.0" refused by server
Xlib: No protocol specified

But when I try xhost + works.. then I recommend xhost + before the schroot and xhost - after. Really I didn't understand why xhost localhost don't work with me.. ;) Amadeu

[ Parent ]

#
Re: schroot - chroot for any users
Posted by Anonymous (86.32.xx.xx) on Tue 4 Dec 2007 at 18:48
"xhost localhost" would only work, if you connect to your XServer via tcp(e.g. DISPLAY=localhost:0.0).

If you want to enable local connections (as in DISPLAY=:0.0), "xhost +local:" is your command.

Cheers,
Johannes

[ Parent ]

#
Re: schroot - chroot for any users
Posted by Anonymous (89.228.xx.xx) on Tue 4 Mar 2014 at 17:21
Hi, according to xhost and Xsecurity manpages You can specify the family:
> xhost + local:
this results in allowing "non-network local connections".
It's is safe and it's working.

Regards
tomazzi

[ Parent ]

#
Re: schroot - chroot for any users
Posted by Anonymous (89.228.xx.xx) on Tue 4 Mar 2014 at 20:26
Hi,
I forgot to mention, that in this way we have full hw 3D acceleration, provided that necessary 32-bit GL libraries are installed (most important is libGL.so for NV or ATI)

Regards
tomazzi

[ Parent ]

#
Re: schroot - chroot for any users
Posted by Anonymous (24.23.xx.xx) on Fri 7 Dec 2007 at 01:19
Which Unix are you running this schroot on? Thanks.

[ Parent ]

#
Re: schroot - chroot for any users
Posted by Anonymous (77.121.xx.xx) on Sun 9 Dec 2007 at 10:59
Don't do mounts by yourself.
Please read manpage (look for "startup scripts", "exec scripts")

[ Parent ]

#
Re: schroot - chroot for any users
Posted by amadeu (139.82.xx.xx) on Fri 28 Mar 2008 at 23:20
Yeah! Thanks a lot for your comment I reconfigure my chroot.conf for this and it's much more nice now !! eheheheh nothing of mount -o bind on hand, the schroot now create a session and I just enjoy it ! ehehhe

Thanks again.. :)
PS: I updated the article because this ;-)

[ Parent ]

#
Re: schroot - chroot for any users
Posted by Anonymous (93.95.xx.xx) on Sun 8 Feb 2009 at 10:56
Can you show schroot.conf for automount ?

[ Parent ]

#
Re: schroot - chroot for any users
Posted by amadeu (201.53.xx.xx) on Sun 8 Feb 2009 at 19:30
What you did mean with 'automount'? If you did mean mount some devices/other_directories it's easy:
1. use the file /etc/schroot/mount-defaults (in debian works) and add there lines like in /etc/fstab
2. example, to mount a directory from my main installation:
/home /home none rw,bind 0 0
/dev/hda /media/cdrom udf,iso9660 user,noauto 0 0

If you want usb devices and others.. I think the right way is to install hal/dbus in your chroot installation. If you want 'automount' feature from autofs, you need just put some line in mount-defaults as in /etc/fstab (tips: http://www.linuxfocus.org/Turkce/January2001/article141.meta.shtm l).

Regards, Amadeu.

[ Parent ]

#
Re: schroot - chroot for any users
Posted by andmalc (69.159.xx.xx) on Thu 7 Jan 2010 at 21:55
For anyone still following this:

For auto-mounting from /etc/schroot/mount-defaults to work, you must have a 'type=' in schroot.conf set to one of the types other than 'plain'. If type is 'plain' or is omitted, auto-mounting is disabled. See 'man schroot.conf' for details.

[ Parent ]

#
Re: schroot - chroot for any users
Posted by Anonymous (134.158.xx.xx) on Fri 28 Mar 2008 at 16:18
You should use:

'xhost +local:'

instead of

'xhost +'

which is muuuuuuuuuuuch safer

[ Parent ]

#
Re: schroot - chroot for any users
Posted by amadeu (139.82.xx.xx) on Fri 28 Mar 2008 at 23:17
It isn't need (reread this tuto because I changed it now ;-)).. it's safer use the xauth features to extract the session ids to a new .Xauthority of your $DISPLAY, after just execute your command and remove the .Xauthority cloned on chroot. It's nice for a wrapper script ;-).

Thanks a lot.

[ Parent ]

#
Re: schroot - chroot for any users
Posted by Anonymous (85.178.xx.xx) on Wed 25 Jun 2008 at 02:16
If you get:

schroot -p xterm
I: [my_system chroot] Running command: "xterm"
Warning: Tried to connect to session manager, Authentication Rejected, reason : None of the authentication protocols specified are supported and host-based authentication failed
xterm: Error 32, errno 2: No such file or directory
Reason: get_pty: not enough ptys

try adding:

/dev/pts /path_to_chroot/dev/pts devpts bind,defaults 0 0

in /etc/fstab

and executing

mount -a

[ Parent ]

#
Re: openroot - chroot for X11 and for read only access
Posted by Anonymous (91.114.xx.xx) on Sun 17 Jan 2010 at 12:33
chroot and schroot do not allow X11 access of GUI programs.
Use openroot for this: http://www.elstel.com/openroot/
other features: auto-mounting of /dev, /proc, /media, ...
other features: chroot to read-only partition with temporary changes

[ Parent ]

#
Re: openroot - chroot for X11 and for read only access
Posted by andmalc (204.50.xx.xx) on Mon 3 May 2010 at 13:23
'schroot -p' sure works for me.

[ Parent ]

#
Re: openroot - chroot for X11 and for read only access
Posted by lindi (81.17.xx.xx) on Sat 5 Jun 2010 at 10:13
Here's what I've been using for several years on etch and lenny. Currently the largest problem is that passwords are not synced. I do not want to just overwrite chroot's passwd periodically since the chroot could have system users that are not outside it. Any hints on how to solve this?

1) sudo apt-get install debootstrap schroot
2) sudo mkdir /sid
3) sudo debootstrap sid /sid MIRROR
4) Add the following to /etc/schroot/schroot.conf

[sid]
description=Debian sid (unstable)
location=/sid
aliases=unstable,default
users=user1,user2

where user1 and user2 are users that are allowed to use the chroot
(change them!).

5) Add the following to /etc/fstab

/home /sid/home none bind 0 0
/dev /sid/dev none bind 0 0
/dev/pts /sid/dev/pts none bind 0 0
/dev/shm /sid/dev/shm none bind 0 0
/proc /sid/proc none bind 0 0
/sys /sid/sys none bind 0 0
/tmp /sid/tmp none bind 0 0
/var/run/dbus /sid/var/run/dbus none bind 0 0

5.1) sudo mkdir /sid/var/run/dbus

6) sudo mount -a

7) sudo cp /etc/sudoers /etc/hosts /etc/hostname /etc/passwd /etc/shadow /etc/group /sid/etc

8) Create /usr/local/bin/sid with the following lines

#!/bin/sh
schroot -c sid -p -q -- "$@"

8.1) sudo chmod a+x /usr/local/bin/sid

9) Create /sid/usr/sbin/policy-rc.d to prevent daemons from starting
accidentally inside the chroot with the following lines

#!/bin/sh
logger "sid $0 invoked with $@"
exit 101

9.1) sudo chmod a+x /sid/usr/bin/policy-rc.d

10) (just an example) sudo sid apt-get install openoffice.org

11) (just an example) sid openoffice.org



[ Parent ]

#
Re: openroot - chroot for X11 and for read only access
Posted by Anonymous (78.27.xx.xx) on Fri 17 Dec 2010 at 10:21
This is a very nice setup lindi, however on squeeze it can only launch terminal based apps, it cannot connect to the X window system so no kde or gnome apps. Also no direct video so no games as well. Lastly "location=" still works but has been depreciated. Could somebody please modernize this setup instruction for installing as su sid and launching as sid of apps for Debian Squeeze Schroot?

[ Parent ]

#
Re: openroot - chroot for X11 and for read only access
Posted by lindi (81.17.xx.xx) on Fri 17 Dec 2010 at 11:13
Hmm. I can launch X11 applications with this setup in squeeze too. The X11 unix socket is in /tmp which is shared so there should be no problem.

I keep an up-to-date version at http://iki.fi/lindi/schroot.txt -- I don't want to replace "location" with "directory" just yet for compatibility. Maybe I'll do that when squeeze becomes stable.

[ Parent ]

#
Re: openroot - chroot for X11 and for read only access
Posted by Anonymous (78.27.xx.xx) on Fri 17 Dec 2010 at 18:52
I double checked if everything went as described. I tried it on a fresh x86 net-install of squeeze and it gave me:

No protocol specified
parley: cannot connect to X server :0.0


Tried a gnome based thingie, installed mousepad text editor, starting it:
sid mousepad
W: line 25 [sid]: Deprecated key 'location' used
I: This option will be removed in the future; please update your configuration

(process:3539): Gtk-WARNING **: Locale not supported by C library.
Using the fallback 'C' locale.
Gtk-Message: Failed to load module "canberra-gtk-module": libcanberra-gtk-module.so: cannot open shared object file: No such file or directory
No protocol specified

(mousepad:3539): Gtk-WARNING **: cannot open display: :0.0

[ Parent ]

#
Re: openroot - chroot for X11 and for read only access
Posted by Anonymous (193.166.xx.xx) on Fri 17 Dec 2010 at 21:24
Debugging this over the forum is bit tedious, can you run

sid strace -o xclock.strace -s4096 -f xclock

and send xclock.strace to me at timo.lindfors@iki.fi?

[ Parent ]

#
Re: schroot - chroot for any users
Posted by rleigh (144.32.xx.xx) on Mon 6 Sep 2010 at 19:06
Hi,

This article is very useful, thanks! Have you considered updating it so that it will work with current versions of schroot? The 1.4.x releases current in squeeze and sid at this time have removed/renamed a number of the options in your examples.

For example:
location=/path is now directory=/path
run-exec-scripts and run-setup-scripts are no longer required
priority=num is deprecated and will be removed in the future
/etc/schroot/mount-defaults is now /etc/schroot/default/fstab (and there's an /etc/schroot/desktop/fstab to go with the "desktop" profile).
Just set script-config=desktop/config. This will solve some of the X11 issues mentioned in the comments.

Regards,
Roger

[ Parent ]