
Re: Daemons in schroot or how to start chroot automatically



On Sam, 2012-07-21 at 22:18 +0100, Roger Leigh wrote:
> On Sat, Jul 21, 2012 at 11:54:58AM +0000, Ramon Hofer wrote:
> > On Fri, 20 Jul 2012 17:32:14 +0100, Roger Leigh wrote:
> > 
> > > On Fri, Jul 20, 2012 at 12:48:49PM +0000, Ramon Hofer wrote:
> > >> On Fri, 20 Jul 2012 10:42:58 +0100, Roger Leigh wrote:
> > >> 
> > >> > On Thu, Jul 19, 2012 at 12:34:26PM +0000, Ramon Hofer wrote:
> > >> >> I have some questions about starting daemons in a chroot environment
> > >> >> or rather about starting schroot on bootup.
> > >> >> The reason I want to do this is to clean up my server. It's a
> > >> >> Squeeze with an AMD64 kernel from backports. Some packages are from
> > >> >> testing which gives me problems because of dependencies that can't
> > >> >> be fulfilled: sabnzbdplus from testing depends on python so I can't
> > >> >> install build-essential...
> > >> >> 
> > >> >> So far I was able to setup a chroot with schroot and installed sid
> > >> >> in it.
> > >> >> 
> > >> >> [sid]
> > >> >> description=Debian sid (unstable)
> > >> >> directory=/srv/chroot/sid users=hoferr groups=hoferr
> > >> >> root-groups=root aliases=unstable,default
> > >> > 
> > >> > set type=directory here
> > >> 
> > >> That sounds great what I can read in the schroot.conf manpage:
> > >> "In consequence, filesystems such as /proc are not mounted in
> > >> plain chroots; it is the responsibility of the system
> > >> administrator to configure such chroots by hand, whereas directory
> > >> chroots are automatically configured."
> > >> 
> > >> This means I can remove the remounts of /proc, /dev and /sys to /srv/
> > >> chroot/sid/... from my /etc/fstab?
> > > 
> > > Yes, exactly.  You still have an fstab--it's /etc/schroot/default/fstab,
> > > though this is configurable (set script=config with schroot 1.4.x, or
> > > profile= with schroot 1.6.x).
> > 
> > Very nice!
> > This is the default fstab which is used for all schroots right?
> 
> Yes.
> 
> > Is there another one which I can use to set specific mounts?
> > Like in my case the config dir in my home for sabnzbd?
> 
> Not provided with the package.  You could just
>   sudo cp -r /etc/schroot/default /etc/schroot/sabnzbd
> and then set
>   script-config=/etc/schroot/sabnzdb/config
> (you'll need to edit this file to update the paths in it from
> /etc/schroot/default to /etc/schroot/sabnzdb).

This has made me want to have a separate sid schroot for sabnzbd :-)

That's why I renamed /srv/chroot/sid to /srv/chroot/sid-sab and the
session name in /etc/schroot/schroot.conf to sid-sab too:

  [sid-sab]
  type=directory
  description=Debian sid (unstable) for SABnzbd
  directory=/srv/chroot/sid-sab
  users=hoferr
  groups=hoferr
  root-groups=root,hoferr
  script-config=/etc/schroot/sid-sab/config

After copying /etc/schroot/default to /etc/schroot/sid-sab I have
manually edited the three paths in /etc/schroot/sabnzdb/config:

  FSTAB="/etc/schroot/sid-sab/fstab"
  COPYFILES="/etc/schroot/sid-sab/copyfiles"
  NSSDATABASES="/etc/schroot/sid-sab/nssdatabases"

Unfortunately when I started the schroot session I got
  $ schroot -v -p -c sid-sab
  I: Executing ‘00check setup-start ok’
  E: 00check: error: script-config file '/etc/schroot/etc/schroot/sid-sab/config' does not exist
  ...

That's why I changed script-config to
  script-config=sid-sab/config

Now it's working. :-)

Because in my init.d script now both --session-name and --chroot are
sid-sab I feared that this would lead to problems. But it doesn't seem to.
Is this true?



> > And I should copy/bind another config file. Is it possible to have 
> > different /etc/schroot/default/copyfiles for different schroot 
> > environments?
> 
> > Something like /etc/schroot/[SCHROOT]/fstab and /etc/schroot/[SCHROOT]/
> > copyfiles would be very handy :-)
> 
> Not using the same /etc/schroot/default/copyfiles file, but by
> creating your own chroot-specific config directory as above, it's
> definitely possible.  See the other options like
> /etc/schroot/desktop for pre-canned profiles provided as
> alternatives to "default".

That's great! Thanks :-)
I will in the next weeks probably play a lot with it ;-)
Not only desktop/config but maybe also sbuild/config. I always wanted to
learn about building my own package :-)


> > >> >> In the chroot I have created a new user called hoferr and am now
> > >> >> able to login without root privileges.
> > >> >> But in there sudo is missing. Maybe this can be resolved by
> > >> >> installing the correct base system meta package mentioned above?
> > >> > 
> > >> > You could install sudo.  But why?  This is what schroot /is/
> > >> > (chroot + sudo).  If you want to do stuff as root inside the chroot,
> > >> > just add yourself to root-groups/root-users.
> > >> 
> > >> Or start it with `sudo schroot -p -c sid`.
> > > 
> > > That's a possibility, though I would personally just configure schroot
> > > to give me root access directly.
> > 
> > I have tried to set root-groups=root,sudo in /etc/schroot/schroot.conf 
> > for the (only)  but this doesn't give me root access (even though I'm 
> > member of the sudo group outside the chroot and inside it as it seems 
> > the /etc/group files are the same).
> > 
> > I've also tried to add my user directly to the root-groups without 
> > success. What could I possibly do wrong?
> 
> Did you run with "-u root" to switch to the root user inside the
> chroot?  If you don't use "-u" it will just run as the current
> user, rather than switching.  So long as one of the groups you
> are a member of is in root-groups or root-users, you'll be
> allowed to switch without a password.  If you aren't in one of those,
> you'll be prompted for a password IIRC.

Aha, I thought my user would have the right to directly run commands
like apt-get without sudo.
But still when I run `sudo -u root` I get
  sudo: effective uid is not 0, is sudo installed setuid root?

I read that this could be because the filesystem is mounted with
'nosuid' [1]. But this isn't the case. Here's my fstab for this schroot:

  /proc         /proc         none    rw,rbind        0       0
  /sys          /sys          none    rw,rbind        0       0
  /dev          /dev          none    rw,rbind        0       0
  /home         /home         none    rw,bind         0       0
  /tmp          /tmp          none    rw,bind         0       0

I did
  (sid)# dpkg-reconfigure sudo
  invoke-rc.d: policy-rc.d denied execution of stop.

This is my /usr/sbin/policy-rc.d inside the schroot session

  #!/bin/sh
  # policy-rc.d: invoke-rc.d consults this before starting or stopping a
  # service. Exit 0 means the action is allowed, exit 101 means it is denied.
  while [ $# -gt 0 ]; do
    case $1 in
      --list) exit 101 ;;
      --quiet) shift ;;
      -*) shift ;;
      cron) exit 0 ;;          # the only services allowed to be acted on
      nullmailer) exit 0 ;;
      *) exit 101 ;;           # everything else (e.g. the stop above) is denied
    esac
  done
  exit 101


> > >> I'm still using version 1.4.19. But this feature sounds very good!
> > >> 
> > >> Btw I have accidentally run `schroot -v` instead -V to get the version
> > >> number. First I got a little shock but now the prompt shows the name of
> > >> the chroot I'm logged into even if I only do `schroot -p -c sid`.
> > >> That's great :-)
> > > 
> > > Fantastic!  That's one of the little details set up by the setup scripts
> > > (50chrootname).  It will also handle other things like copying over the
> > > passwd database so you have the same accounts inside the chroot that you
> > > have on the host.
> > 
> > What do you mean by the setup script? Using the -v option?
> > Or is it `setup-start`? Should I run it after I've changed schroot.conf 
> > which is maybe the solution to my problem with the permission from above?
> 
> This is all done automatically, and irrespective of -v (this just
> shows you what it's doing, it's still done when you don't use it).
> The setup scripts are run when you begin or end a session using -b
> or -e.  If you don't use -b or -e, it's done all in the one command
> automatically.

I thought that when logging in before starting the first time with -v I
struggled knowing if I'm inside the chroot. But maybe I used a wrong
command. Can't remember exactly anymore :-?
But now it's working great :-D


> > Btw do you know some documentation on how schroot and chroot work? Is 
> > it really only changing the root directory? I'm wondering because when I 
> > install a package from sid it's not sure that it'll work with the Squeeze 
> > kernel?
> 
> Both are just changing the root directory.  schroot does some additional
> stuff as well such as creating/snapshotting the chroot and running the
> setup scripts, and also handling authentication and user switching, but
> ultimately both just call the chroot(2) system call, and then run a
> shell or command.
> 
> If you run software in a sid chroot that uses specific features of the
> sid kernel not available in squeeze, then it will fail.  But all of the
> important stuff like devices, procfs, sysfs are inherited from the
> host system--the chroot is not a standalone environment, and does not
> run the rcS scripts or anything at startup.  So in practice it will
> work for all but the most esoteric software.  All of the Debian
> autobuilders run squeeze, using sid chroots with schroot for package
> building--issues arising from using a squeeze kernel and a sid chroot
> are almost unheard of (and would be considered a bug in the package).

Very interesting. Thanks for the explanation.

I read that chroot doesn't create any overhead except disk space. So
there's no drawback on using separate schroot environments for different
daemons except the extra disk space?
E.g. the python libraries are only loaded once for each sid session I
run? No matter if python is installed in /srv/chroot/sid-sab and as well
in a new /srv/chroot/sid-mythbackend?

And does it make sense to use different partitions for each chroot
environment: Should I put /srv/chroot/sid-sab to an own partition?
Atm I have a ~300 GB partition mounted to /srv. The /srv/chroot/sid-sab
directory uses 466 MB so I could create a 5 GB partition for it?


Sorry for all the questions ;-)


Best regards
Ramon


[1] http://www.gratisoft.us/sudo/troubleshooting.html
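The script-config path problem from this thread, worked through as an added shell example (not schroot's own code and not from any message above): it resolves a chroot's script-config the way the thread observed schroot 1.4 doing it, always under /etc/schroot, and then checks that the FSTAB, COPYFILES and NSSDATABASES files the profile names exist. SCHROOT_ETC, the conf_get/check_profile helpers and the scratch sid-sab tree are constructed assumptions.

```shell
#!/bin/sh
# Added example (not schroot's own code): resolve a chroot's script-config the
# way the thread observed schroot 1.4 doing it (always under /etc/schroot) and
# verify that the FSTAB/COPYFILES/NSSDATABASES files it names exist.

# conf_get FILE CHROOT KEY: print KEY's value from the [CHROOT] section.
conf_get() {
    awk -v sect="[$2]" -v key="$3" '
        /^\[/ { insect = ($0 == sect); next }
        insect && index($0, key "=") == 1 { print substr($0, length(key) + 2); exit }
    ' "$1"
}

# resolve_script_config VALUE: schroot prefixes $SCHROOT_ETC even to an
# absolute value, which is how "/etc/schroot/sid-sab/config" turned into
# "/etc/schroot/etc/schroot/sid-sab/config" in the thread.
resolve_script_config() {
    printf '%s/%s\n' "$SCHROOT_ETC" "${1#/}"
}

# check_profile CONFIG: 0 if the config and every file it names exist, else 1.
check_profile() {
    cfg=$1 rc=0
    [ -f "$cfg" ] || { echo "E: script-config file '$cfg' does not exist" >&2; return 1; }
    while IFS='=' read -r key val; do
        case $key in FSTAB|COPYFILES|NSSDATABASES) ;; *) continue ;; esac
        val=${val#\"}; val=${val%\"}        # strip the quotes used in the config
        if [ -f "$val" ]; then echo "ok: $key=$val"
        else echo "missing: $key=$val" >&2; rc=1; fi
    done < "$cfg"
    return "$rc"
}

# make_demo_tree DIR: constructed sid-sab profile mirroring the thread's layout.
make_demo_tree() {
    mkdir -p "$1/sid-sab"
    for f in fstab copyfiles nssdatabases; do : > "$1/sid-sab/$f"; done
    printf 'FSTAB="%s/sid-sab/fstab"\nCOPYFILES="%s/sid-sab/copyfiles"\nNSSDATABASES="%s/sid-sab/nssdatabases"\n' \
        "$1" "$1" "$1" > "$1/sid-sab/config"
    printf '[sid-sab]\ntype=directory\ndirectory=/srv/chroot/sid-sab\nscript-config=sid-sab/config\n' \
        > "$1/schroot.conf"
}

# SCHROOT_ETC is an assumption: a scratch tree standing in for /etc/schroot.
SCHROOT_ETC=$(mktemp -d)
make_demo_tree "$SCHROOT_ETC"
cfg=$(resolve_script_config "$(conf_get "$SCHROOT_ETC/schroot.conf" sid-sab script-config)")
check_profile "$cfg" && echo "sid-sab: profile complete"
```

Run it against the real tree by replacing the mktemp line with SCHROOT_ETC=/etc/schroot; a relative script-config such as the one the thread ended up with passes, while the absolute form reproduces the doubled path.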

