Re: chroot or virtual machine

2012-05-18 Thread Osamu Aoki
Hi,

On Thu, May 17, 2012 at 11:33:21AM +0100, Roger Leigh wrote:
 On Thu, May 17, 2012 at 09:15:26AM +0100, Chris Davies wrote:
  Roger Leigh rle...@codelibre.net wrote:
   http://people.debian.org/~rleigh/schroot.pdf

This is schroot(8) in PDF :-)

...
 Arguably, we should probably document the setup procedure.  While
 we describe all the configuration options, we don't detail how to
 set up the actual chroot--it's assumed it already exists, though
 we should probably include examples of how to create them.

I think you have enough information already.  They are just a bit
convoluted, though.

In schroot(8), you have sbuild(8) as SEE ALSO.

Then, in sbuild(8), you have sbuild-setup(7) and sbuild-createchroot(8)
as SEE ALSO.

There is enough information in sbuild-setup(7) and
sbuild-createchroot(8) for making a chroot.

I wish for a bit more direct and obvious connection from schroot(8) to
the content of sbuild-setup(7).

In some way, sbuild-setup(7) could be renamed as schroot-setup(7) and
moved into schroot package, etc. There may be additional reorganization
needed along with this change.  Then everything is quite tidy and nice.

Regards,

Osamu


-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20120518150832.GA10441@localhost



Re: chroot or virtual machine

2012-05-18 Thread Ross Boylan
On Tue, 2012-05-15 at 17:24 +0100, Roger Leigh wrote:
 On Tue, May 15, 2012 at 08:19:23AM -0700, Ross Boylan wrote:
  Like you, I'm figuring this out, and so my understanding could be wrong
  or suboptimal.  I tried to avoid the sys/proc/dev sharing, but found I
  needed to do them to make things work.  Sharing those virtual file
  systems removes a lot of the isolation between the chroot and the host.
  
  Perhaps someone who knows more will say more :)
 
 Did you discover schroot yet?  It will do all of that stuff for you,
 and more, including setting up all the system passwd databases etc.
 The next stable release will also allow services to be stopped and
 started in the chroot automatically as well.
 
 http://people.debian.org/~rleigh/schroot.pdf
 
 
I think I looked at it based on Osamu's pointer in the Debian Reference,
but it seemed like a lot to understand when I didn't even
understand the basic chroot fully.  Perhaps, as some of the later
discussion in this thread indicates, the documentation could be a bit
more helpful, but there may be an irreducible complexity.

Ross





Re: chroot or virtual machine

2012-05-18 Thread Roger Leigh
On Sat, May 19, 2012 at 12:08:32AM +0900, Osamu Aoki wrote:
 On Thu, May 17, 2012 at 11:33:21AM +0100, Roger Leigh wrote:
  On Thu, May 17, 2012 at 09:15:26AM +0100, Chris Davies wrote:
   Roger Leigh rle...@codelibre.net wrote:
  Arguably, we should probably document the setup procedure.  While
  we describe all the configuration options, we don't detail how to
  set up the actual chroot--it's assumed it already exists, though
  we should probably include examples of how to create them.
 
 I think you have enough information already.  They are just a bit
 convoluted, though.
 
 In schroot(8), you have sbuild(8) as SEE ALSO.
 
 Then, in sbuild(8), you have sbuild-setup(7) and sbuild-createchroot(8)
 as SEE ALSO.
 
 There is enough information in sbuild-setup(7) and
 sbuild-createchroot(8) for making a chroot.
 
 I wish for a bit more direct and obvious connection from schroot(8) to
 the content of sbuild-setup(7).
 
 In some way, sbuild-setup(7) could be renamed as schroot-setup(7) and
 moved into schroot package, etc. There may be additional reorganization
 needed along with this change.  Then everything is quite tidy and nice.

Yes, I agree the organisation could be much better.  Note that I have
on my plan (http://wiki.debian.org/Schroot/Roadmap#Easy items 2 and 3)
the automatic bootstrapping of a new chroot, which would make all of
the sbuild and schroot chroot setup completely transparent.

Essentially, you could have a chroot definition in /etc/schroot/chroot.d
provided by a package.  But there would also be some additional keys
telling it which repository, suite etc. to use to run debootstrap.  So
the user would just run schroot --create -c $name and it will run
all the setup scripts with a create argument.  The package postinst
could even do this automatically.  And this would be usable by
hand-made chroots as well, so you never need to deal with all those setup
instructions, it will just be built-in.

Note: this probably won't be achievable in the wheezy freeze timeframe,
but certainly for wheezy+1.  Once this is done, I'll be able to
reorganise the documentation to be much friendlier!  And tools like
sbuild-createchroot will no longer need to exist--their setup tasks
can just be merged with the chroot setup scripts.


Regards,
Roger

-- 
  .''`.  Roger Leigh
 : :' :  Debian GNU/Linux    http://people.debian.org/~rleigh/
 `. `'   schroot and sbuild  http://alioth.debian.org/projects/buildd-tools
   `-    GPG Public Key      F33D 281D 470A B443 6756 147C 07B3 C8BC 4083 E800





Re: chroot or virtual machine

2012-05-17 Thread Chris Davies
Roger Leigh rle...@codelibre.net wrote:
 http://people.debian.org/~rleigh/schroot.pdf

As a curious party (i.e. not the original poster) I've taken a look at
this and installed it. Thank you Roger for the pointer.

However, what I cannot see is what configuration I need to do to make
it work. I've uncommented (and tweaked slightly) what looks like the
most basic configuration in /etc/schroot/schroot.conf:

[test]
description=Testing chroot
directory=/home/chroot/test
users=chris
groups=staff
root-groups=staff
aliases=default

What else do I need to do? I assumed I needed to create /home/chroot/test,
so I did that. But now what?

schroot --verbose --chroot=test ls
E: Failed to change to directory ‘/home/chris’: No such file or directory

If I specify --directory=/ I then get an error about ls not being
present. I assume this is because I've missed out some step or other
for defining the content of the target chroot, but I found nothing
explicit about that in any of the documentation I came across.

I'm familiar with chroots, having created them too many times (!) by
hand on Linux and Solaris platforms. But if schroot can help me I'd
be thrilled.

Cheers,
Chris





Re: chroot or virtual machine

2012-05-17 Thread Roger Leigh
On Thu, May 17, 2012 at 09:15:26AM +0100, Chris Davies wrote:
 Roger Leigh rle...@codelibre.net wrote:
  http://people.debian.org/~rleigh/schroot.pdf
 
 However, what I cannot see is what configuration I need to do to make
 it work. I've uncommented (and tweaked slightly) what looks like the
 most basic configuration in /etc/schroot/schroot.conf:
 
 [test]
 description=Testing chroot
 directory=/home/chroot/test
 users=chris
 groups=staff
 root-groups=staff
 aliases=default
 
 What else do I need to do? I assumed I needed to create /home/chroot/test,
 so I did that. But now what?

I think you probably need to actually create the chroot under
/home/chroot/test with e.g. debootstrap.
I would suggest adding type=directory to the above as well.

Arguably, we should probably document the setup procedure.  While
we describe all the configuration options, we don't detail how to
set up the actual chroot--it's assumed it already exists, though
we should probably include examples of how to create them.


Regards,
Roger

-- 
  .''`.  Roger Leigh
 : :' :  Debian GNU/Linux    http://people.debian.org/~rleigh/
 `. `'   schroot and sbuild  http://alioth.debian.org/projects/buildd-tools
   `-    GPG Public Key      F33D 281D 470A B443 6756 147C 07B3 C8BC 4083 E800


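An added example, not part of Roger's message or of schroot itself: a shell preflight for the situation in this exchange, where the [test] stanza pointed at a directory that had been created but never populated. The function names and finding labels are made up for this sketch, and the world-writable check is an extra assumption of the example, not something the thread says schroot requires.

```shell
#!/bin/sh
# Added example (not from the thread): preflight check for a schroot
# chroot defined with directory=. Finding labels are made up for this sketch.

# conf_get FILE SECTION KEY: print the value of KEY inside [SECTION].
conf_get() {
    awk -F= -v sect="[$2]" -v key="$3" '
        /^\[/ { in_sect = ($0 == sect); next }
        in_sect && $1 == key { sub(/^[^=]*=/, ""); print; exit }
    ' "$1"
}

# schroot_preflight FILE NAME [COMMAND]
# Prints one finding per line; returns 0 only when there are none.
schroot_preflight() {
    conf=$1 name=$2 cmd=${3:-sh}
    findings=0
    note() { printf '%s\n' "$1"; findings=$((findings + 1)); }

    ctype=$(conf_get "$conf" "$name" type)
    dir=$(conf_get "$conf" "$name" directory)

    # The reply above suggests stating the type explicitly.
    [ -n "$ctype" ] || note "no-type: add type=directory to [$name]"

    if [ -z "$dir" ]; then
        note "no-directory: [$name] has no directory= key"
    elif [ ! -d "$dir" ]; then
        note "missing-root: $dir does not exist"
    else
        # mkdir alone gives an empty tree: the command must exist inside it.
        [ -x "$dir/bin/$cmd" ] || [ -x "$dir/usr/bin/$cmd" ] ||
            note "no-program: $cmd not found under $dir; bootstrap the chroot first"
        # Assumption of this sketch: a world-writable chroot root is a defect,
        # because any local user could replace the programs run inside it.
        [ -z "$(find "$dir" -prune -perm -0002)" ] ||
            note "world-writable: $dir"
    fi
    [ "$findings" -eq 0 ]
}

# Constructed demo: the [test] stanza from the thread, pointed at an empty
# temporary directory instead of /home/chroot/test.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/test"
    printf '%s\n' '[test]' 'description=Testing chroot' "directory=$tmp/test" \
        'users=chris' 'groups=staff' 'root-groups=staff' 'aliases=default' \
        > "$tmp/schroot.conf"
    schroot_preflight "$tmp/schroot.conf" test ls
    rc=$?
    rm -rf "$tmp"
    return "$rc"
}

demo || echo "chroot [test] is not ready"
```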



Re: chroot or virtual machine

2012-05-17 Thread Chris Davies
Roger Leigh rle...@codelibre.net wrote:
 On Thu, May 17, 2012 at 09:15:26AM +0100, Chris Davies wrote:
 However, what I cannot see is what configuration I need to do [...]

 What else do I need to do? I assumed I needed to create /home/chroot/test,
 so I did that. But now what?

 I think you probably need to actually create the chroot under
 /home/chroot/test with e.g. debootstrap.

Ah, yes. OK.


 I would suggest adding type=directory to the above as well.

Thanks for that hint.


 Arguably, we should probably document the setup procedure.  While
 we describe all the configuration options, we don't detail how to
 set up the actual chroot--it's assumed it already exists, though
 we should probably include examples of how to create them.

At the least, please could I recommend that you tell/remind people it's
necessary to use debootstrap (or whatever) to create the chroot.

Cheers
Chris





Re: chroot or virtual machine

2012-05-16 Thread Alex Mestiashvili
On 05/15/2012 06:24 PM, Roger Leigh wrote:
 On Tue, May 15, 2012 at 08:19:23AM -0700, Ross Boylan wrote:
   
 Like you, I'm figuring this out, and so my understanding could be wrong
 or suboptimal.  I tried to avoid the sys/proc/dev sharing, but found I
 needed to do them to make things work.  Sharing those virtual file
 systems removes a lot of the isolation between the chroot and the host.

 Perhaps someone who knows more will say more :)
 
 Did you discover schroot yet?  It will do all of that stuff for you,
 and more, including setting up all the system passwd databases etc.
 The next stable release will also allow services to be stopped and
 started in the chroot automatically as well.

 http://people.debian.org/~rleigh/schroot.pdf


 Regards,
 Roger

   

Hi All,

I didn't really follow the discussion, but another approach can be
Linux Containers: http://wiki.debian.org/LXC
(just in case no one mentioned before)

Best regards,
Alex





Re: chroot or virtual machine

2012-05-15 Thread David Sastre Medina
On Sun, May 13, 2012 at 07:13:23PM +, Ramon Hofer wrote:
 Hi all
 
 I'm planning on setting up my new media server.
 
 So I was thinking of putting mythbackend, logitech media server, 
 rtorrent, nfs, samba, etc. into virtual machines.

A virtual machine for every server? On what purpose?
Is it about security?

 There's a discussion in the mythtv-users mailing list about virtual 
 machines. Especially this post got me thinking: 
 http://www.gossamer-threads.com/lists/mythtv/users/517075#517075
 Is it possible to have a working mythbackend and test a new version. If 
 all goes well replace the production backend?

-- 
Primary key fingerprint: AD8F BDC0 5A2C FD5F A179  60E7 F79B AB04 5299 EC56




Re: chroot or virtual machine

2012-05-15 Thread Arnt Karlsen
On Tue, 15 May 2012 11:45:58 +0200, David wrote in message 
20120515094556.ga4...@pris.crapsteak.org:

 On Sun, May 13, 2012 at 07:13:23PM +, Ramon Hofer wrote:
  Hi all
  
  I'm planning on setting up my new media server.
  
  So I was thinking of putting mythbackend, logitech media server, 
  rtorrent, nfs, samba, etc. into virtual machines.
 
 A virtual machine for every server? On what purpose?
 Is it about security?

..yup, the idea is deny bad code access to as much as possible,
it can only kill whatever it can see and touch, such as vm's.

-- 
..med vennlig hilsen = with Kind Regards from Arnt Karlsen
...with a number of polar bear hunters in his ancestry...
  Scenarios always come in sets of three: 
  best case, worst case, and just in case.





Re: chroot or virtual machine

2012-05-15 Thread David Sastre Medina
On Tue, May 15, 2012 at 12:51:44PM +0200, Arnt Karlsen wrote:
 On Tue, 15 May 2012 11:45:58 +0200, David wrote in message 
 20120515094556.ga4...@pris.crapsteak.org:
 
  On Sun, May 13, 2012 at 07:13:23PM +, Ramon Hofer wrote:
   Hi all
   
   I'm planning on setting up my new media server.
   
   So I was thinking of putting mythbackend, logitech media server, 
   rtorrent, nfs, samba, etc. into virtual machines.
  
  A virtual machine for every server? On what purpose?
  Is it about security?
 
 ..yup, the idea is deny bad code access to as much as possible,
 it can only kill whatever it can see and touch, such as vm's.

I see. SELinux can help, both in the case of using VMs (different VMs
can be executed in different MLS levels), and in the case of not using
VMs at all.

-- 
Primary key fingerprint: AD8F BDC0 5A2C FD5F A179  60E7 F79B AB04 5299 EC56




Re: chroot or virtual machine

2012-05-15 Thread Ramon Hofer
On Tue, 15 May 2012 11:45:58 +0200, David Sastre Medina wrote:

 On Sun, May 13, 2012 at 07:13:23PM +, Ramon Hofer wrote:
 Hi all
 
 I'm planning on setting up my new media server.
 
 So I was thinking of putting mythbackend, logitech media server,
 rtorrent, nfs, samba, etc. into virtual machines.
 
 A virtual machine for every server? On what purpose? Is it about
 security?

No no, not each in separate one.
But let's assume I want to switch from mythtv 0.24 to 0.25. Now I'd like 
to test it before I replace the working version.
I think this should be possible with chroot too but I don't know if I can 
adapt the init script.

Or if I get a mess with library versions I can have separate ones. I 
can't remember exactly but I needed a newer python version which 
depended on a new gcc.
Maybe I can put the new libraries into the chroot environment and still 
have the stable ones on the normal system.

I have never used chroot before. So I have no clue what it's really used 
for. I read that you can change the root directory for a program.
Does it also work for daemons?

Maybe I have to install a second Debian as described for Gentoo by 
Raymond in the link. But is there a stage 3 tarball for 
Debian too?


Best regards
Ramon





Re: chroot or virtual machine

2012-05-15 Thread Ross Boylan
On Tue, 2012-05-15 at 11:10 +, Ramon Hofer wrote:
 On Tue, 15 May 2012 11:45:58 +0200, David Sastre Medina wrote:
 
  On Sun, May 13, 2012 at 07:13:23PM +, Ramon Hofer wrote:
  Hi all
  
  I'm planning on setting up my new media server.
  
  So I was thinking of putting mythbackend, logitech media server,
  rtorrent, nfs, samba, etc. into virtual machines.
  
  A virtual machine for every server? On what purpose? Is it about
  security?
 
 No no, not each in separate one.
 But let's assume I want to switch from mythtv 0.24 to 0.25. Now I'd like 
 to test it before I replace the working version.
 I think this should be possible with chroot too but I don't know if I can 
 adapt the init script.
 
 Or if I get a mess with library versions I can have separate ones. I 
 can't remember exactly but I needed a newer python version which 
 depended on a new gcc.
 Maybe I can put the new libraries into the chroot environment and still 
 have the stable ones on the normal system.
 
 I have never used chroot before. So I have no clue what it's really used 
 for. I read that you can change the root directory for a program.
 Does it also work for daemons?
 
 Maybe I have to install a second Debian as described for Gentoo by 
 Raymond in the link. But is there a stage 3 tarball for 
 Debian too?
 
I've been running myth in a chroot because my host system is Lenny.  At
least as I've set it up,
/dev/daisy/chroot   /mnt/chroot          ext3   defaults        0 2
proc-testing        /mnt/chroot/proc     proc   defaults        0 0
sysfs-testing       /mnt/chroot/sys      sysfs  defaults        0 0
#/dev/pts           /mnt/chroot/dev/pts  bind   defaults,bind   0 0
/dev                /mnt/chroot/dev      rbind  defaults,rbind  0 0
the ports are shared with the host.  That means if you run mythbackend
or mysql server in a chroot it will conflict with the same programs in
the host or other chroots.  And if you run mythtv 0.25 it will upgrade
your mythtv 0.24 database (which is basically irreversible) unless
you're careful.  And, of course, your myth backends will all be fighting
over the same port.  Although I tried to avoid running most services in
the chroot, my recent upgrade to 0.25 pulled in avahi and I have a
conflict with mDNS on the host.

I think because of port sharing my syslogging from the chroot is ending
up in the host syslog, and even though I've set /etc/hostname in the
chroot the log lines have the name of the host on them.

If you do the vanilla Debian setup the user ids and groups in the chroot
and the host will not necessarily match, both in the sense that
different users (e.g., mythtv) may be on different systems, and the ids
of the users and groups will differ.  This means the names of the users
and groups of a file may differ when accessed from the chroot vs the
host.  Recently I've had some doubts about whether this might cause
problems: since the chroot is running the same kernel as the host, I
wonder if identity info from the host could leak into the chroot.

Like you, I'm figuring this out, and so my understanding could be wrong
or suboptimal.  I tried to avoid the sys/proc/dev sharing, but found I
needed to do them to make things work.  Sharing those virtual file
systems removes a lot of the isolation between the chroot and the host.

Perhaps someone who knows more will say more :)
Ross Boylan


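An added example, not part of Ross's message: a shell function that reads fstab-format entries like the ones posted above and lists those that expose host kernel interfaces under a chroot root, which is the loss of isolation the message describes. The sample input is constructed from the posted entries plus one made-up /mnt/chroot2 line, and the class labels are invented for this sketch.

```shell
#!/bin/sh
# Added example (not from the thread): list the fstab entries that expose
# host kernel interfaces inside a chroot. Class labels are made up here.

# shared_mounts FSTAB CHROOT_ROOT
# Prints "<class> <mount point>" for every active entry at or below
# CHROOT_ROOT that is a proc/sysfs/devpts/devtmpfs mount or a (r)bind mount.
shared_mounts() {
    awk -v root="${2%/}" '
        /^[ \t]*(#|$)/ { next }                 # comments and blank lines
        {
            mp = $2
            # Match the root itself or a path below it, not /mnt/chroot2.
            if (mp != root && index(mp, root "/") != 1) next
            cls = ""
            if ($3 == "proc")       cls = "host-procfs"
            else if ($3 == "sysfs") cls = "host-sysfs"
            else if ($3 == "devpts" || $3 == "devtmpfs") cls = "host-devices"
            # A bind or rbind option re-exports a host path; record which one.
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++)
                if (opt[i] == "bind" || opt[i] == "rbind")
                    cls = (opt[i] == "rbind" ? "rbind:" : "bind:") $1
            if (cls != "") print cls, mp
        }
    ' "$1"
}

# Constructed sample: the entries posted in the thread, plus one made-up
# /mnt/chroot2 line to show that a sibling path is not matched.
demo_shared() {
    tmp=$(mktemp) || return 1
    cat > "$tmp" <<'EOF'
/dev/daisy/chroot   /mnt/chroot          ext3   defaults        0 2
proc-testing        /mnt/chroot/proc     proc   defaults        0 0
sysfs-testing       /mnt/chroot/sys      sysfs  defaults        0 0
#/dev/pts           /mnt/chroot/dev/pts  bind   defaults,bind   0 0
/dev                /mnt/chroot/dev      rbind  defaults,rbind  0 0
proc                /mnt/chroot2/proc    proc   defaults        0 0
EOF
    shared_mounts "$tmp" /mnt/chroot
    rm -f "$tmp"
}

demo_shared
```

The function reports only what the mount table shows; the shared network ports described in the message are not a mount and do not appear in fstab.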



Re: chroot or virtual machine

2012-05-15 Thread Ross Boylan
On Tue, 2012-05-15 at 08:19 -0700, Ross Boylan wrote:
 I've been running myth in a chroot because my host system is Lenny.  At
 least as I've set it up,
 /dev/daisy/chroot   /mnt/chroot          ext3   defaults        0 2
 proc-testing        /mnt/chroot/proc     proc   defaults        0 0
 sysfs-testing       /mnt/chroot/sys      sysfs  defaults        0 0
 #/dev/pts           /mnt/chroot/dev/pts  bind   defaults,bind   0 0
 /dev                /mnt/chroot/dev      rbind  defaults,rbind  0 0
To clarify, that's in the host /etc/fstab.

Also, there has been some recent discussion of virtualization/chroots on
the myth user list.
Ross





Re: chroot or virtual machine

2012-05-15 Thread Roger Leigh
On Tue, May 15, 2012 at 08:19:23AM -0700, Ross Boylan wrote:
 Like you, I'm figuring this out, and so my understanding could be wrong
 or suboptimal.  I tried to avoid the sys/proc/dev sharing, but found I
 needed to do them to make things work.  Sharing those virtual file
 systems removes a lot of the isolation between the chroot and the host.
 
 Perhaps someone who knows more will say more :)

Did you discover schroot yet?  It will do all of that stuff for you,
and more, including setting up all the system passwd databases etc.
The next stable release will also allow services to be stopped and
started in the chroot automatically as well.

http://people.debian.org/~rleigh/schroot.pdf


Regards,
Roger

-- 
  .''`.  Roger Leigh
 : :' :  Debian GNU/Linux    http://people.debian.org/~rleigh/
 `. `'   schroot and sbuild  http://alioth.debian.org/projects/buildd-tools
   `-    GPG Public Key      F33D 281D 470A B443 6756 147C 07B3 C8BC 4083 E800





chroot or virtual machine

2012-05-13 Thread Ramon Hofer
Hi all

I'm planning on setting up my new media server.

So I was thinking of putting mythbackend, logitech media server, 
rtorrent, nfs, samba, etc. into virtual machines.

There's a discussion in the mythtv-users mailing list about virtual 
machines. Especially this post got me thinking: 
http://www.gossamer-threads.com/lists/mythtv/users/517075#517075

Is it possible to have a working mythbackend and test a new version. If 
all goes well replace the production backend?


Best regards
Ramon

