In a *nix based OS, the root directory (/) is the top directory. The root file system sits on the disk partition where the root directory is located, and all other file systems mount on this root file system.
We all know that the root process with PID 1 is the first thing that gets started when we boot a Linux machine. All other processes or jobs that start will be children of this process. Every process in Linux can access any file or directory in the filesystem.
What if we want to restrict the file system view for a running process? What if I want to block file system access for a process that I'm running or debugging? Linux provides an option for this called "chroot". By default, every running process knows its root directory to be the working directory from which it was started, and although the process starts from some directory, it is still a sub-process of the PID 1 that started long before.
Moreover, PID 1 knows that the root directory is available on the root filesystem, which makes the root file system its current working directory. So naturally all sub-processes that start from PID 1 will have access to the root file system. Those processes can see all files that are available in every directory on the root file system.
Chroot is an operation that allows a system to change the root directory for the current process and all its children. It means whatever process we start will have its current working directory as the root directory. This makes the process that we started with chroot become PID 1. chroot essentially restricts the view of the file system for the process, so the process is only capable of accessing the files available in that chroot location.
In order to use chroot, all we have to do is have a file system that looks like a Linux file system. We can also do another thing: download a Docker image, export it to a tar file, and finally extract the tar file to a rootfs directory and use chroot on that.
Chroot Space -
[root@manja17-I18060 testing]# chroot rootfs /bin/bash
root@testing-machine-name:/# which python
/usr/local/bin/python
root@testing-machine-name:/# /usr/local/bin/python -V
Python 3.7.0 (default, Sep 5 2018, 03:25:31)
[GCC 6.3.0 20170516]
root@testing-machine-name:/# exit
exit
Host Machine -
[root@manja17-I18060 testing]# which python
/usr/bin/python
[root@manja17-I18060 testing]# /usr/bin/python -V
Python 2.7.5
If you look at the above output, the chroot command is invoked on the rootfs file system that we got from a Docker image. We see that the Python version is 3.7.0, which is the one available in the rootfs filesystem, and it depends on the rootfs file system libraries. If we use exit to come out of the chroot and run the Python available on the host, we see a different version.
Similarly, from inside the chroot, if we try to access the files inside /root we will see nothing, whereas when we access them from the host machine we see a couple of files.
Chroot Space -
root@testing-machine-name:~# cd /root/
root@testing-machine-name:~# /bin/ls /root/
root@testing-machine-name:~# exit
exit
Host Machine -
[root@manja17-I18060 testing]# cd /root/
[root@manja17-I18060 ~]# ls
anaconda-ks.cfg  apache-maven-3.5.4-bin.tar.gz  one-context_4.14.4.rpm
What does chroot provide for containers?
Chroot helps in starting containers with their own file system provided from the image, and this is what makes a process running inside a container view only the file system available in the container image. Chroot makes the process running inside a container unable to access any file outside of the container file system.