Gist o11c/341393fe1ea96f72f21e1c77197f04f8, created December 2, 2017 20:55
#!/bin/sh
# Helper script, don't call directly
# Runs inside the user and mount namespaces, with the chroot directory as cwd.
mount --rbind /dev ./dev
mount --rbind /proc ./proc
mount --rbind /sys ./sys
# Do not mount /run or /tmp
# The whole host tree is visible inside the chroot under /mnt/outer.
mount --rbind / ./mnt/outer
hostname -F ./etc/hostname
getent hosts joyplim.local > ./etc/hosts
# Start a login shell with an empty environment, keeping only TERM.
exec /usr/sbin/chroot . /usr/bin/env -i \
    TERM="$TERM" \
    su -
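#!/bin/sh
# This is the main entry point.
# Do not unshare:
# * the user namespace (the second time)
# * the PID namespace (use dumb-init if you want one)
# * the net namespace
# Stop if the chroot directory is missing, so chroot.sh never runs elsewhere.
cd "${1:-sid}/" || exit 1
# Map (uid and gid): ns 0 -> host 1000, ns 65534 -> host 100999, ns 1..998 -> host 100001..100998.
# unshare -imuC: new IPC, mount, UTS and cgroup namespaces.
exec lxc-usernsexec -m b:0:1000:1 -m b:65534:100999:1 -m b:1:100001:998 -- unshare -imuC -- ../chroot.sh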
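#!/bin/sh
# Unpack <dir>.tar.xz into a new directory <dir>, as root of the user namespace.
dir=$1
tarball=${dir}.tar.xz
# Pass the names as arguments rather than splicing them into the sh -c string.
exec lxc-usernsexec -m b:0:1000:1 -m b:65534:100999:1 -m b:1:100001:998 -- sh -c 'mkdir "$1" && cd "$1" && tar -xaf "../../$2"' sh "$dir" "$tarball"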
How to create privilegeless (only util-linux and shadow-utils) chroots.

FOR LINUX HOSTS ONLY!

On some machine with real root (or in a VM):
1. preferably, install an apt proxy, such as apt-cacher-ng
2. run debootstrap (or equivalent) as real root (or see if fakeroot works?)
3. delete the device files under /dev
4. create a tarball using --numeric-owner (VERY IMPORTANT)

On the host, with root:
1. add relevant users to /etc/subuid and /etc/subgid, if login.defs isn't already set up
   a. the documentation lies, somewhat
   b. good choices for number of IDs are 1000 or 10,000 or 100,000
   c. some special care is taken below if there are fewer than 65536
2. ensure shadow-utils includes the (setuid) `newuidmap` and `newgidmap`
3. ensure util-linux includes (privilegeless) `unshare`
4. ensure that your kernel supports user namespaces (since 3.8)
   a. On Debian, enable them with `sysctl kernel.unprivileged_userns_clone=1`

On the host, as user:
1. copy and modify the scripts.
2. run extract.sh
3. optional post-fixups:
   a. create ./mnt/outer
   b. modify ./etc/hostname
   c. cp /etc/apt/apt.conf with proxy information
4. run either shell.sh or enter.sh
#!/bin/sh
# Open a shell inside the user namespace only, without entering the chroot.
exec lxc-usernsexec -m b:0:1000:1 -m b:65534:100999:1 -m b:1:100001:998 -- bash
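
The `-m` arguments hard-coded in the scripts follow from the caller's ID and the subordinate range added to /etc/subuid; this added example (not part of the gist) derives them and reproduces the scripts' values for uid 1000 with range 100000:1000. It assumes uid equals gid and that /etc/subuid and /etc/subgid hold the same range (the scripts use `b:` maps); the function names are hypothetical, and the branch for 65536 or more IDs goes beyond what the scripts show.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from the scripts above.

# Print "start count" of the first range listed for user $1 in file $2,
# which uses the /etc/subuid format name:start:count.
subid_range() {
    awk -F: -v u="$1" '$1 == u { print $2, $3; found = 1; exit }
                       END { exit !found }' "$2"
}

# Print the -m arguments for host uid/gid $1 and the subordinate range
# starting at $2 with $3 IDs. Layout follows the scripts: ns 0 -> caller,
# ns 65534 (nobody) -> last subordinate ID, ns 1.. -> the IDs in between;
# the first subordinate ID stays unused.
userns_map_args() {
    uid=$1 start=$2 count=$3
    if [ "$count" -ge 65536 ]; then
        # Generalisation beyond the scripts: one contiguous run 1..65535.
        printf '%s %s\n' "-m b:0:$uid:1" "-m b:1:$((start + 1)):65535"
    elif [ "$count" -ge 3 ]; then
        printf '%s %s %s\n' "-m b:0:$uid:1" \
            "-m b:65534:$((start + count - 1)):1" \
            "-m b:1:$((start + 1)):$((count - 2))"
    else
        echo "subordinate range too small: $count IDs" >&2
        return 1
    fi
}

# Constructed sample; on a real host read /etc/subuid (and check /etc/subgid).
sample=$(mktemp)
printf 'alice:100000:1000\nbob:165536:65536\n' > "$sample"
set -- $(subid_range alice "$sample")
userns_map_args 1000 "$1" "$2"
rm -f "$sample"
```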