Friday, October 12, 2018

Understanding Chroot

In a *nix based Os, root directory (/) is the top directory. Root file system sits on the disk partition where root directory is located and all other file system mount on this root file system.

We all know that the there is root process with Pid 1 is the first thing that gets started when we start the Linux machine. All other process or jobs that start will be children of this process. Every Processes in linux can access any one file or directory in the filesystem

What if we want to restrict the file system view for the process running?. What if i want to block the file system access to a process that i'm running or debugging. Linux provides an option for this which is called “chroot”. Every process running by default know that root directory for this is the working directory where the process has been started and process though it starts from a directory will be sub process for the pid 1 that started long back.

More over the pid 1 know that the root directory is available on the root filesystem which make root file system as current working directory. So naturally all sub process that start from pid 1 will have access to the root file system. Those processes can see all files that are available in every directory on the root file system.

Chroot is an operation that allows a system to change the root directory for current process and all its children. It means whatever the process that we start will have the current working directory as root directory. This makes the process that we started with the chroot will become pid 1. This chroot essentially restricts the view of the file system for process. This makes the process capable of accessing files only available in that chroot location.

In order to use chroot, all we have to do is to have a file system which looks like linux file system. We can also do another thing, download a docker image , export that to a tar file and finally extract the tar file to a rootfs directory and use chroot on that

Chroot space-
[root@manja17-I18060 testing]# chroot rootfs /bin/bash
root@testing-machine-name:/# which python
root@testing-machine-name:/# /usr/local/bin/python -V
Python 3.7.0 (default, Sep  5 2018, 03:25:31)
[GCC 6.3.0 20170516]
root@testing-machine-name:/# exit

Host Machine -
[root@manja17-I18060 testing]# which python
[root@manja17-I18060 testing]# /usr/bin/python -V
Python 2.7.5

If you see in the above output , the chroot command is invoked on the rootfs file system that we got from a docker image. We see that the python version is 3.7.0 which is available in the rootfs filesystem, and it is dependent on the rootfs file system libraries. If we use exit to come out of the chroot and run a python version available on host, we see a different version.

Similarly from inside the chroot, if we try to access the files inside /root , we will be seeing nothing whereas when we try to access them from the host machine we see a couple of files

Chroot Space -
root@testing-machine-name:~# cd /root/
root@testing-machine-name:~# /bin/ls /root/
root@testing-machine-name:~# exit

Host Machine -
[root@manja17-I18060 testing]# cd /root/
[root@manja17-I18060 ~]# ls
anaconda-ks.cfg        apache-maven-3.5.4-bin.tar.gz  one-context_4.14.4.rpm

What does chroot provide for containers?  
Chroot helps in starting containers with their own file system provided from the image and this is what makes process running inside a container to view only file system available in the container image. Chroot make the process running inside a container not able to access any file outside of the container file system.

No comments :

Post a Comment