
Re: chroot or virtual machine



On Tue, 2012-05-15 at 11:10 +0000, Ramon Hofer wrote:
> On Tue, 15 May 2012 11:45:58 +0200, David Sastre Medina wrote:
> 
> > On Sun, May 13, 2012 at 07:13:23PM +0000, Ramon Hofer wrote:
> >> Hi all
> >> 
> >> I'm planning on setting up my new media server.
> >> 
> >> So I was thinking of putting mythbackend, logitech media server,
> >> rtorrent, nfs, samba, etc. into virtual machines.
> > 
> > A virtual machine for every server? On what purpose? Is it about
> > security?
> 
> No no, not each in separate one.
> But let's assume I want to switch from mythtv 0.24 to 0.25. Now I'd like 
> to test it before I replace the working version.
> I think this should be possible with chroot too but I don't know if I can 
> adapt the init script.
> 
> Or if I get a mess with library versions I can have separate ones. I 
> can't remember exactly but I needed a newer python version which 
> depended on a new gcc.
> Maybe I can put the new libraries into the chroot environment and still 
> have the stable ones on the normal system.
> 
> I have never used chroot before. So I have no clue what it's really used 
> for. I read that you can change the root directory for a program.
> Does it also work for daemons?
> 
> Maybe I have to install a second Debian as described for Gentoo by 
> Raymond described in the link. But is there a "stage 3" tarball for 
> Debian too?
> 
I've been running myth in a chroot because my host system is Lenny.  At
least as I've set it up,
/dev/daisy/chroot	/mnt/chroot	ext3 defaults 0 2
proc-testing		/mnt/chroot/proc proc defaults 0 0
sysfs-testing		/mnt/chroot/sys	 sysfs defaults 0 0
#/dev/pts		/mnt/chroot/dev/pts	       bind defaults,bind 0 0
/dev			/mnt/chroot/dev		       rbind defaults,rbind 0 0
the ports are shared with the host.  That means if you run mythbackend
or mysql server in a chroot it will conflict with the same programs in
the host or other chroots.  And if you run mythtv 0.25 it will upgrade
your mythtv 0.24 database (which is basically irreversible) unless
you're careful.  And, of course, your myth backends will all be fighting
over the same port.  Although I tried to avoid running most services in
the chroot, my recent upgrade to 0.25 pulled in avahi and I have a
conflict with mDNS on the host.

I think because of port sharing my syslogging from the chroot is ending
up in the host syslog, and even though I've set /etc/hostname in the
chroot the log lines have the name of the host on them.

If you do the vanilla Debian setup the user ids and groups in the chroot
and the host will not necessarily match, both in the sense that
different users (e.g., mythtv) may be on different systems, and the ids
of the users and groups will differ.  This means the names of the users
and groups of a file may differ when accessed from the chroot vs the
host.  Recently I've had some doubts about whether this might cause
problems: since the chroot is running the same kernel as the host, I
wonder if identity info from the host could leak into the chroot.

Like you, I'm figuring this out, and so my understanding could be wrong
or suboptimal.  I tried to avoid the sys/proc/dev sharing, but found I
needed to do them to make things work.  Sharing those virtual file
systems removes a lot of the isolation between the chroot and the host.

Perhaps someone who knows more will say more :)
Ross Boylan
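The two isolation gaps Ross describes above, shared /dev, /proc and /sys mounts and mismatched user ids between host and chroot, can be checked mechanically before a chroot goes into service. The following is an added example written for this thread, not code from any poster or from Debian: a small POSIX shell audit that flags fstab entries which bind the host's virtual filesystems into the chroot, and lists accounts whose numeric UID differs between the host's and the chroot's passwd files. The passwd contents and fstab it runs on are constructed sample data written to a temporary directory; the function names and the /mnt/chroot path are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the thread): audit a Debian chroot for two
# isolation problems discussed above. Assumes an awk and a readable
# host passwd, chroot passwd and fstab; sample inputs are constructed.

# Print "name host_uid chroot_uid" for every account whose UID differs
# between the two passwd files, or which exists in only one of them
# ("-" marks the missing side). Files whose owner names look the same
# from host and chroot may really belong to different numeric ids.
passwd_uid_mismatches() {
    host="$1"; chroot="$2"
    awk -F: '
        FNR == NR { host_uid[$1] = $3; next }     # first file: host passwd
        { chroot_uid[$1] = $3 }                    # second file: chroot passwd
        END {
            for (n in host_uid) {
                if (!(n in chroot_uid))
                    printf "%s %s -\n", n, host_uid[n]
                else if (host_uid[n] != chroot_uid[n])
                    printf "%s %s %s\n", n, host_uid[n], chroot_uid[n]
            }
            for (n in chroot_uid)
                if (!(n in host_uid))
                    printf "%s - %s\n", n, chroot_uid[n]
        }' "$host" "$chroot" | sort
}

# Scan an fstab for mounts that land inside CHROOT_DIR and reduce
# isolation: proc and sysfs (host pid table, sysctls and device state
# visible inside) and bind/rbind of /dev (every host device node shared).
# Output: one "WARN <mountpoint> <reason>" line per finding, sorted.
fstab_isolation_warnings() {
    fstab="$1"; dir="$2"
    awk -v dir="$dir" '
        /^[[:space:]]*#/ || NF < 4 { next }        # comments and short lines
        index($2, dir "/") != 1 { next }           # mountpoint not under chroot
        $3 == "proc"  { print "WARN " $2 " proc shared with host (same pid view and sysctls)"; next }
        $3 == "sysfs" { print "WARN " $2 " sysfs shared with host (kernel/device state exposed)"; next }
        $4 ~ /(^|,)r?bind(,|$)/ && $1 == "/dev" { print "WARN " $2 " host /dev bind-mounted (all device nodes visible)"; next }
        $4 ~ /(^|,)r?bind(,|$)/ { print "WARN " $2 " bind mount of " $1; next }
    ' "$fstab" | sort
}

# Constructed sample inputs (not real system files), written under $1.
# The fstab mirrors the layout quoted in the thread; the UIDs are invented.
make_sample_data() {
    d="$1"
    printf 'root:x:0:0:root:/root:/bin/sh\nmythtv:x:105:110:MythTV:/var/lib/mythtv:/bin/false\nross:x:1000:1000:Ross:/home/ross:/bin/sh\n' > "$d/passwd.host"
    printf 'root:x:0:0:root:/root:/bin/sh\nmythtv:x:113:118:MythTV:/var/lib/mythtv:/bin/false\nmysql:x:108:114:MySQL:/var/lib/mysql:/bin/false\n' > "$d/passwd.chroot"
    cat > "$d/fstab" <<'EOF'
/dev/daisy/chroot  /mnt/chroot         ext3   defaults        0 2
proc-testing       /mnt/chroot/proc    proc   defaults        0 0
sysfs-testing      /mnt/chroot/sys     sysfs  defaults        0 0
#/dev/pts          /mnt/chroot/dev/pts bind   defaults,bind   0 0
/dev               /mnt/chroot/dev     rbind  defaults,rbind  0 0
EOF
}

# Demo on the constructed data; on a real box point the functions at
# /etc/passwd, /mnt/chroot/etc/passwd and /etc/fstab instead.
demo_dir=$(mktemp -d)
make_sample_data "$demo_dir"
echo "== UID mismatches (name host_uid chroot_uid) =="
passwd_uid_mismatches "$demo_dir/passwd.host" "$demo_dir/passwd.chroot"
echo "== fstab isolation warnings =="
fstab_isolation_warnings "$demo_dir/fstab" /mnt/chroot
rm -rf "$demo_dir"
```

On the sample data the audit reports that mythtv has UID 105 on the host but 113 in the chroot, and flags the proc, sysfs and rbind-of-/dev entries; the commented-out /dev/pts line is ignored. A mismatch on a service account such as mythtv is exactly the case where recordings written from inside the chroot show up under a different owner name on the host.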
