Interacting With a chroot Environment


Some services are capable of running in a chroot environment without having to build a separate chroot environment for them. OpenSSH and bind9 are both examples of chroot aware services. Simple config options will get you on your way to secure use of either of those. But for other services, like Apache2, things get more complicated.

It’s sometimes helpful to build a stand-alone chroot environment so that you can run multiple versions of a piece of software side by side. For example, you might run one version of PHP for your live server while you experiment with the newest PHP release inside a chroot. But how do you interact with the services running in the chroot?

To get into the chroot interactively so you can type commands:
/usr/sbin/chroot /path-to-chroot
so for example,
/usr/sbin/chroot /var/chroot/debian
and from here I can type:
/etc/init.d/apache2 start
to start my apache2 server.

You can also interact with your chrooted services from outside of the chroot. This is extremely useful for scripting things from your main system.

To restart my apache2 server without interactively typing commands in the chroot environment, just add the command you wish to run after the chroot directory on the chroot command line. chroot will run that command inside the chroot (the path is interpreted relative to the new root), then exit.
example: /usr/sbin/chroot /var/chroot/debian /etc/init.d/apache2 stop

chroot might be in your user’s $PATH, so you might not need to spell out its location. Simply: chroot /var/chroot/debian /etc/init.d/apache2 stop
If you’re writing that command into an init script or a start/stop script of some kind, you might want to include the path to chroot, as your init script may not have a $PATH defined at that point in the startup cycle.

How about a start/stop script for a chrooted apache2 so your main system can restart it? Assuming you already have a start/stop script in /path/to/your/chroot/etc/init.d/apache2:

#!/bin/sh -e
# Host-side start/stop script: the chroot directory comes first, then the
# init script path as seen from INSIDE the chroot.
# log_success_msg comes from the LSB init functions, so source them first.
. /lib/lsb/init-functions
case "$1" in
start) /usr/sbin/chroot /path/to/chroot /etc/init.d/apache2 start ;;
stop) /usr/sbin/chroot /path/to/chroot /etc/init.d/apache2 stop ;;
reload | force-reload) /usr/sbin/chroot /path/to/chroot /etc/init.d/apache2 reload ;;
restart) /usr/sbin/chroot /path/to/chroot /etc/init.d/apache2 restart ;;
*) log_success_msg "Usage: $0 {start|stop|restart|reload}"; exit 1 ;;
esac
place the above in a file in /etc/init.d/scriptname, place the appropriate execute/read permissions on it, and you can restart apache2 simply with: /etc/init.d/scriptname restart
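Since a script like this runs as root and hands whatever it is given to chroot, it is worth checking the arguments before they reach the chroot command. The following is an added example, not the script from this post: a small wrapper that accepts only a plain service name and a known action, confirms the chroot directory and its init script exist, and builds the command with the chroot directory first and the init script path as seen from inside the chroot. The /usr/sbin/chroot location and the /var/chroot/debian path used in the comments are assumptions taken from the examples above.

```shell
#!/bin/sh
# Added example (not the original post's script): drive a service inside a
# chroot from the host, validating every argument before calling chroot.
CHROOT=/usr/sbin/chroot   # full path on purpose: init scripts may have no $PATH

# Print the command that would run, after validating the arguments.
# Usage: chroot_service_cmd <chroot-dir> <service> <action>
chroot_service_cmd() {
    root=$1; svc=$2; action=$3
    # Service name must be plain: no slashes, spaces or shell metacharacters,
    # so "../bin/sh" or "apache2; rm -rf /" can never reach chroot.
    case $svc in
        ''|*[!A-Za-z0-9._-]*) echo "bad service name: $svc" >&2; return 1 ;;
    esac
    # Only the init-script actions we expect; anything else is refused.
    case $action in
        start|stop|restart|reload|force-reload) ;;
        *) echo "Usage: <chroot-dir> <service> {start|stop|restart|reload|force-reload}" >&2
           return 1 ;;
    esac
    # New root first, then the init script path relative to that root,
    # e.g. /usr/sbin/chroot /var/chroot/debian /etc/init.d/apache2 restart
    echo "$CHROOT $root /etc/init.d/$svc $action"
}

# Validate, check the chroot and its init script exist, then run the command.
# Usage: chroot_service <chroot-dir> <service> <action>
chroot_service() {
    root=$1; svc=$2; action=$3
    chroot_service_cmd "$root" "$svc" "$action" >/dev/null || return 1
    [ -d "$root" ] || { echo "no such chroot: $root" >&2; return 1; }
    [ -x "$root/etc/init.d/$svc" ] || { echo "no init script for $svc in $root" >&2; return 1; }
    [ "$(id -u)" -eq 0 ] || { echo "chroot needs root" >&2; return 1; }
    "$CHROOT" "$root" "/etc/init.d/$svc" "$action"
}
```

Call it from your host-side init script as `chroot_service /var/chroot/debian apache2 "$1"` so the wrapper, not the caller, decides what may be run inside the chroot.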
Hope this helps,
–Chris
