[Docker] chroot
It's a Linux command that allows you to set the root directory of a new process. In our container use case, we just set the root directory to be where-ever the new container's new root directory should be. And now the new container group of processes can't see anything outside of it, eliminating our security problem because the new process has no visibility outside of its new root.
Let's try it. Start up a Ubuntu VM however you feel most comfortable
docker run -it --name docker-host --rm --privileged ubuntu:bionic
To see what version of Ubuntu you're using
cat /etc/issue
Ubuntu 18.04.6 LTS \n \l
Okay, so let's attempt to use chroot right now.
1. Make a new folder in your home: mkdir new-root
2. Insider that new folder run echo "my super secret thing" >> /new-root/secret.txt
3. Now try to run chroot /new-root bash and see the error it gives you
chroot: failed to run command 'bash': No such file or directory
You should see something about failing to run a shell or not being able to find bash. That's because bash is a program and your new root wouldn't have bash to run (because it can't reach outside of its new root.) So let's fix that! Run:
1. mkdir /new-root/bin
2. cp /bin/bash /bin/ls /bin/cat /new-root/bin/
3. chroot /new-root bash
chroot: failed to run command 'bash': No such file or directoryStill not working! The problem is that these commands rely on libraries to power them and we didn't bring those with us.
So let's do that too. Run ldd /bin/bash
root@d93ae2aee53d:/# ldd /bin/bash
linux-vdso.so.1 (0x00007ffec7767000)
libtinfo.so.5 => /lib/x86_64-linux-gnu/libtinfo.so.5 (0x00007f3e95023000)
libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f3e94e1f000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f3e94a2e000)
/lib64/ld-linux-x86-64.so.2 (0x00007f3e95567000)These are the libraries we need for bash. Let's go ahead and copy those into our new environment.
1. mkdir /new-root/lib{,64}
2. Then we need to copy all those paths (ignore the lines that don't have paths) into our directory. Make sure you get the right files in the right directory. In my case above (yours likely will be different) it'd be two commands:
cp /lib/x86_64-linux-gnu/libtinfo.so.5 /lib/x86_64-linux-gnu/libdl.so.2 /lib/x86_64-linux-gnu/libc.so.6 /new-root/libcp /lib64/ld-linux-x86-64.so.2 /new-root/lib64
3. Do it again for ls. Run ldd /bin/ls
root@d93ae2aee53d:/# ldd /bin/ls
linux-vdso.so.1 (0x00007ffd4939c000)
libselinux.so.1 => /lib/x86_64-linux-gnu/libselinux.so.1 (0x00007f817b198000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f817ada7000)
libpcre.so.3 => /lib/x86_64-linux-gnu/libpcre.so.3 (0x00007f817ab36000)
libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f817a932000)
/lib64/ld-linux-x86-64.so.2 (0x00007f817b5e2000)
libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007f817a713000)4. Follow the same process to copy the libraries for ls to new-root
cp /lib/x86_64-linux-gnu/libselinux.so.1 /lib/x86_64-linux-gnu/libpcre.so.3 /lib/x86_64-linux-gnu/libpthread.so.0 /new-root/lib
Now finally, run chroot /new-root bashand then ls
root@d93ae2aee53d:/# chroot /new-root bash
bash-4.4# ls
bin lib lib64 secret.txt
bash-4.4# cat secret.txt
my super secret thingYou should successfully see everything in the directory. Now try pwd to see your working directory. You should see /. You can't get out of here! This, before being called containers, was called a jail for this reason. At any time, hit CTRL+D or run exit to get out of your chrooted environment.
chroot is similar to a isolated file system, it isolated files from different root. But what is doesn't do is hiding process from other process. This is what namespace comes in to play.
浙公网安备 33010602011771号