Difference between revisions of "Change root"

From ArchWiki
Jump to: navigation, search
m (move bash to usr/bin)
(Change root: replace "do not work" with "cannot be used inside")
 
(78 intermediate revisions by 24 users not shown)
Line 1: Line 1:
 
[[Category:System recovery]]
 
[[Category:System recovery]]
[[es:Change Root]]
+
[[es:Change root]]
 
[[fa:تغییر ریشه]]
 
[[fa:تغییر ریشه]]
 
[[fr:Chroot]]
 
[[fr:Chroot]]
 
[[ja:Change Root]]
 
[[ja:Change Root]]
 
[[ro:Chroot]]
 
[[ro:Chroot]]
[[zh-CN:Change Root]]
+
[[ru:Change root]]
[[Wikipedia:Chroot|Chroot]] is the process of changing of the apparent disk root directory (and the current running process and its children) to another root directory. When you change root to another directory you cannot access files and commands outside that directory. This directory is called a ''chroot jail''. Changing root is commonly done for system maintenance, such as reinstalling the bootloader or resetting a forgotten password.
+
[[zh-cn:Change root]]
 +
{{Related articles start}}
 +
{{Related|Install bundled 32-bit system in Arch64}}
 +
{{Related|proot}}
 +
{{Related|systemd-nspawn}}
 +
{{Related articles end}}
 +
[[Wikipedia:Chroot|Chroot]] is an operation that changes the apparent root directory for the current running process and their children. A program that is run in such a modified environment cannot access files and commands outside that environmental directory tree. This modified environment is called a ''chroot jail''.
  
== Requirements ==
+
== Reasoning ==
  
* You'll need to boot from another working Linux environment (e.g. from a LiveCD or USB flash media, or from another installed Linux distribution).
+
Changing root is commonly done for performing system maintenance on systems where booting and/or logging in is no longer possible. Common examples are:
  
* Root privileges are required in order to chroot.
+
* Reinstalling the [[bootloader]].
 +
* Rebuilding the [[mkinitcpio|initramfs image]].
 +
* Upgrading or [[downgrading packages]].
 +
* Resetting a [[Password recovery|forgotten password]].
  
* Be sure that the architecture of the Linux environment you have booted into matches the architecture of the root directory you wish to enter (i.e. i686, x86_64). You can find the architecture of your current environment with:
+
See also [[Wikipedia:Chroot#Limitations]].
  
: {{bc|# uname -m}}
+
== Requirements ==
  
* If you need any kernel modules loaded in the chroot environment, load them before chrooting. It may also be useful to initialize your swap ({{ic|swapon /dev/sdxY}}) and to establish an internet connection before chrooting.
+
* Root privilege.
  
== Mount the partitions ==
+
* Another Linux environment, e.g. a LiveCD or USB flash media, or from another existing Linux distribution.
  
The root partition of the Linux system that you're trying to chroot into needs to be mounted first. To find out the device name assigned by the kernel, run:
+
* Matching architecture environments; i.e. the chroot from and chroot to. The architecture of the current environment can be discovered with: {{ic|uname -m}} (e.g. i686 or x86_64).
  
# lsblk /dev/sda
+
* Kernel modules loaded that are needed in the chroot environment.
  
You can also run the following to get an idea of your partition layout.
+
* Swap enabled if needed: {{bc|# swapon /dev/sdxY}}
  
# fdisk -l
+
* Internet connection established if needed.
  
Now create a directory where you would like to mount the root partition and mount it:
+
== Partition(s) mount ==
 +
 
 +
The root partition of the Linux system that you are trying to chroot into needs to be mounted first. To find out the device name assigned by the kernel, run:
 +
 
 +
# lsblk
 +
 
 +
Then create a directory for mounting the root partition to, and mount it:
  
 
  # mkdir /mnt/arch
 
  # mkdir /mnt/arch
  # mount /dev/sda3 /mnt/arch
+
  # mount /dev/sdx1 /mnt/arch
  
Next, if you have separate partitions for other parts of your system (e.g. {{ic|/boot}}, {{ic|/home}}, {{ic|/var}}, etc), you should mount them, as well:
+
Next, if there are separate filesystems for other system directories (e.g. {{ic|/boot}}, {{ic|/home}}...) mount them too:
  
  # mount /dev/sda1 /mnt/arch/boot/
+
  # mount /dev/sdx2 /mnt/arch/boot/
  # mount /dev/sdb5 /mnt/arch/home/
+
  # mount /dev/sdx3 /mnt/arch/home/
# mount ...
+
  
While it's possible to mount filesystems after you've chrooted, it is more convenient to do so beforehand. The reasoning for this is that you'll have to unmount the temporary filesystems after you exit the chroot, so this lets you umount all the filesystems with a single command. This also allows for a safer shutdown. Because the external Linux environment knows all mounted partitions, it can safely unmount them during shutdown.
+
{{Note|If trying to access an [[Disk_encryption|encrypted]] filesystem, do not forget to first unlock its container (e.g. with {{ic|# cryptsetup open /dev/sdX# ''name''}} for [[Disk_encryption#Block_device_encryption|dm-crypt/LUKS]]-based encryption), then mount the device using its previously supplied device-mapper ''name'' (under the form {{ic|# mount /dev/mapper/''name'' /mnt/arch/...}}). More info: [[Dm-crypt/Device_encryption#Unlocking.2FMapping LUKS partitions with the device mapper|Unlocking/Mapping LUKS partitions with the device mapper]].}}
  
 
== Change root ==
 
== Change root ==
  
Mount the temporary filesystems as root:
+
{{Note|Some [[systemd]] tools such as ''localectl'' and ''timedatectl'' can not be used inside a chroot, as they require an active [[dbus]] connection. [https://github.com/systemd/systemd/issues/798#issuecomment-126568596]}}
  
{{Note|Using a newer (2012) Arch release, the following commands can be replaced with {{ic|arch-chroot /mnt/arch}}. You must have {{pkg|arch-install-scripts}} installed to run arch-chroot. The following commands may still be used if you're using a different Linux distribution.}}
+
=== Using arch-chroot ===
  
cd /mnt/arch
+
The bash script {{ic|arch-chroot}} is part of the {{Pkg|arch-install-scripts}} package. Before running {{ic|/usr/bin/chroot}} the script mounts api filesystems like {{ic|/proc}} and makes {{ic|/etc/resolv.conf}} available from the chroot.
mount -t proc proc proc/
+
mount -t sysfs sys sys/
+
  mount -o bind /dev dev/
+
mount -t devpts pts dev/pts/
+
  
If you have established an internet connection and want to use it in the chroot environment, you may have to copy over your DNS configuration to be able to resolve hostnames.
+
Run arch-chroot with the new root directory as first argument:
  
  cp -L /etc/resolv.conf etc/resolv.conf
+
  # arch-chroot /mnt/arch
  
Now chroot into your installed system and define your shell:
+
To run a bash shell instead of the default sh:
  
  chroot /mnt/arch /usr/bin/bash
+
  # arch-chroot /mnt/arch /bin/bash
  
{{Note|If you see the error {{ic|chroot: cannot run command '/usr/bin/bash': Exec format error}}, it is likely that the two architectures do not match.}}
+
To run {{ic|mkinitcpio -p linux}} from the chroot, and exit again:
{{Note|If you see the error {{ic|chroot: '/usr/bin/bash': permission denied}}, remount with the exec permission: {{ic|mount -o remount,exec /mnt/arch}}.}}
+
Optionally, to source your Bash configuration ({{ic|~/.bashrc}} and {{ic|/etc/bash.bashrc}}), run:
+
  
  source ~/.bashrc
+
  # arch-chroot /mnt/arch /usr/bin/mkinitcpio -p linux
source /etc/profile
+
  
Optionally, create a unique prompt to be able to differentiate your chroot environment:
+
=== Using chroot ===
  
export PS1="(chroot) $PS1"
+
Mount the temporary api filesystems:
  
== Run graphical chrooted applications ==
+
# cd /mnt/arch
 +
# mount -t proc proc proc/
 +
# mount --rbind /sys sys/
 +
# mount --rbind /dev dev/
  
If you have [[X]] running on your system, you can start graphical applications from the chroot environment.
+
And optionally:
  
To allow the chroot environment to connect to an X server, open a terminal inside the X server (i.e. inside the desktop of the user that is currently logged in), then run the following command which gives permission to anyone to connect to the user's X server:
+
# mount --rbind /run run/
  
$ xhost +
+
To use an internet connection in the chroot environment copy over the DNS details:
  
Then, to direct the applications to the X server from chroot, set the DISPLAY environment variable inside the chroot to match the DISPLAY variable of the user that owns the X server. So for example, run
+
# cp /etc/resolv.conf etc/resolv.conf
  
$ echo $DISPLAY
+
To change root into a bash shell:
  
as the user that owns the X server to see the value of DISPLAY. If the value is ":0" (for example), then in the chroot environment run
+
# chroot /mnt/arch /bin/bash
  
# export DISPLAY=:0
+
{{Note|If you see the error:
 +
* {{ic|chroot: cannot run command '/usr/bin/bash': Exec format error}}, it is likely that the architectures of the host environment and chroot environment do not match.
 +
* {{ic|chroot: '/usr/bin/bash': permission denied}}, remount with the exec permission: {{ic|mount -o remount,exec /mnt/arch}}.
 +
}}
  
Now you can launch GUI apps from the chroot command line. ;)
+
After chrooting it may be necessary to load the local bash configuration:
  
== Perform system maintenance ==
+
# source /etc/profile
 +
# source ~/.bashrc
  
At this point you can perform whatever system maintenance you require inside the chroot environment. A few common examples are:
+
{{Tip|Optionally, create a unique prompt to be able to differentiate your chroot environment:
 +
{{bc|1=# export PS1="(chroot) $PS1"}}
 +
}}
  
* Reinstall the bootloader.
+
=== Using systemd-nspawn ===
* Rebuild your [[mkinitcpio|initramfs]] image.
+
* Upgrade or [[Downgrading_Packages|downgrade]] packages.
+
* Reset a [[Password_Recovery|forgotten password]].
+
  
== Exit the chroot environment ==
+
systemd-nspawn may be used to run a command or OS in a light-weight namespace container. In many ways it is similar to chroot, but more powerful since it fully virtualizes the file system hierarchy, as well as the process tree, the various IPC subsystems and the host and domain name.
  
When you're finished with system maintenance, exit the chroot:
+
Change directory to the mountpoint of the root partition and run systemd-nspawn:
 +
 
 +
# cd /mnt/arch
 +
# systemd-nspawn
 +
 
 +
It is not necessary to mount api filesystems like {{ic|/proc}} manually, as systemd-nspawn starts a new init process in the contained environment which takes care of everything. It is like booting up a second Linux OS on the same machine, but it is not a virtual machine.
 +
 
 +
To quit, just log out or issue the poweroff command. You can then unmount the partitions as described in [[#Exit from the chroot environment]].
 +
 
 +
== Run graphical applications from chroot ==
 +
 
 +
If you have an [[X server]] running on your system, you can start graphical applications from the chroot environment.
 +
 
 +
To allow the chroot environment to connect to an X server, open a virtual terminal inside the X server (i.e. inside the desktop of the user that is currently logged in), then run the [[xhost]] command, which gives permission to anyone to connect to the user's X server:
 +
 
 +
$ xhost +local:
 +
 
 +
Then, to direct the applications to the X server from chroot, set the DISPLAY environment variable inside the chroot to match the DISPLAY variable of the user that owns the X server. So for example, run
 +
 
 +
$ echo $DISPLAY
 +
 
 +
as the user that owns the X server to see the value of DISPLAY. If the value is ":0" (for example), then in the chroot environment run
 +
 
 +
# export DISPLAY=:0
 +
 
 +
== Exit from the chroot environment ==
 +
 
 +
When you are finished with system maintenance, exit from the chroot:
  
 
  # exit
 
  # exit
  
Then unmount the temporary filesystems and any mounted devices:
+
Last, unmount the temporary filesystems and the root partition:
  
  # umount {proc,sys,dev/pts,dev,boot,[...],}
+
# cd /
 +
  # umount --recursive /mnt/arch/
  
Finally, attempt to unmount your root partition:
+
{{Note|If there is an error mentioning something like: {{ic|umount: /path: device is busy}} this usually means that either: a program (even a shell) was left running in the chroot or that a sub-mount still exists.  Quit the program and use {{ic|mount | grep /mnt/arch}} to find and {{ic|umount}} sub-mounts).  It may be tricky to {{ic|umount}} some things and one can hopefully have {{ic|umount --force}} work, as a last resort use {{ic|umount --lazy}} which just releases them.  In either case to be safe, {{ic|reboot}} as soon as possible if these are unresolved to avoid future, possible conflicts.}}
  
# cd ..
+
== Without root privileges ==
# umount arch/
+
  
{{Note|If you get an error saying that {{ic|/mnt}} (or any other partition) is busy, this can mean one of two things:
+
Chroot requires root privileges, which may not be desirable or possible for the user to obtain in certain situations. There are, however, various ways to simulate chroot-like behavior using alternative implementations.
  
* A program was left running inside of the chroot.
+
=== Proot ===
  
* Or, more frequently, a sub-mount still exists (e.g. {{ic|/mnt/arch/boot}} within {{ic|/mnt/arch}}). Check with {{ic|lsblk}} to see if there are any mountpoints left:
+
[[Proot]] may be used to change the apparent root directory and use {{ic|mount --bind}} without root privileges. This is useful for confining applications to a single directory or running programs built for a different CPU architecture, but it has limitations due to the fact that all files are owned by the user on the host system. Proot provides a {{ic|--root-id}} argument that can be used as a workaround for some of these limitations in a similar (albeit more limited) manner to ''fakeroot''.
  
: {{bc|lsblk /dev/sda}}
+
=== Fakechroot ===
  
: If you are still unable to unmount a partition, use the {{ic|--force}} option:
+
{{Pkg|fakechroot}} is a library shim which intercepts the chroot call and fakes the results. It can be used in conjunction with {{Pkg|fakeroot}} to simulate a chroot as a regular user.
  
: {{bc|# umount -f /mnt}}}}
+
# fakechroot fakeroot chroot ~/my-chroot bash
  
After this, you will be able to safely reboot.
+
== See also ==
  
== Example ==
+
* [https://help.ubuntu.com/community/BasicChroot Basic Chroot]
This may protect your system from Internet attacks during browsing:
+
{{bc|1=
+
# # as root:
+
# cd /home/''user''
+
# mkdir myroot
+
# pacman -S arch-install-scripts
+
# # pacstrap must see myroot as mounted:
+
# mount --bind myroot myroot
+
# pacstrap -i myroot base base-devel
+
# mount -t proc proc myroot/proc/
+
# mount -t sysfs sys myroot/sys/
+
# mount -o bind /dev myroot/dev/
+
# mount -t devpts pts myroot/dev/pts/
+
# cp -i /etc/resolv.conf myroot/etc/
+
# chroot myroot
+
# # inside chroot:
+
# passwd # set a password
+
# useradd -m -s /usr/bin/bash ''user''
+
# passwd ''user'' # set a password
+
# # in a shell outside the chroot:
+
# pacman -S xorg-server-xnest
+
# # in a shell outside the chroot you can run this as ''user'':
+
$ Xnest -ac -geometry 1024x716+0+0 :1
+
# # continue inside the chroot:
+
# pacman -S xterm
+
# DISPLAY=:1
+
# xterm
+
# # xterm is now running in Xnest
+
# pacman -S xorg-server xorg-xinit xorg-server-utils
+
# pacman -S openbox
+
# # for java we need icedtea-web which requires some fonts:
+
# nano /etc/locale.gen
+
# # uncomment en_US.UTF-8 UTF-8, save and exit
+
# locale-gen
+
# echo LANG=en_US.UTF-8 > /etc/locale.conf
+
# export LANG=en_US.UTF-8
+
# pacman -S ttf-dejavu
+
# pacman -S icedtea-web
+
# pacman -S firefox
+
# firefox
+
# # firefox is now running in Xnest
+
# exit
+
# # outside chroot:
+
# chroot --userspec=''user'' myroot
+
# # inside chroot as ''user'':
+
$ DISPLAY=:1
+
$ openbox &
+
$ HOME="/home/''user''"
+
$ firefox
+
}}
+
See also: [https://help.ubuntu.com/community/BasicChroot Basic Chroot]
+

Latest revision as of 11:34, 6 July 2016

Chroot is an operation that changes the apparent root directory for the current running process and their children. A program that is run in such a modified environment cannot access files and commands outside that environmental directory tree. This modified environment is called a chroot jail.

Reasoning

Changing root is commonly done for performing system maintenance on systems where booting and/or logging in is no longer possible. Common examples are:

See also Wikipedia:Chroot#Limitations.

Requirements

  • Root privilege.
  • Another Linux environment, e.g. a LiveCD or USB flash media, or from another existing Linux distribution.
  • Matching architecture environments; i.e. the chroot from and chroot to. The architecture of the current environment can be discovered with: uname -m (e.g. i686 or x86_64).
  • Kernel modules loaded that are needed in the chroot environment.
  • Swap enabled if needed:
    # swapon /dev/sdxY
  • Internet connection established if needed.

Partition(s) mount

The root partition of the Linux system that you are trying to chroot into needs to be mounted first. To find out the device name assigned by the kernel, run:

# lsblk

Then create a directory for mounting the root partition to, and mount it:

# mkdir /mnt/arch
# mount /dev/sdx1 /mnt/arch

Next, if there are separate filesystems for other system directories (e.g. /boot, /home...) mount them too:

# mount /dev/sdx2 /mnt/arch/boot/
# mount /dev/sdx3 /mnt/arch/home/
Note: If trying to access an encrypted filesystem, do not forget to first unlock its container (e.g. with # cryptsetup open /dev/sdX# name for dm-crypt/LUKS-based encryption), then mount the device using its previously supplied device-mapper name (under the form # mount /dev/mapper/name /mnt/arch/...). More info: Unlocking/Mapping LUKS partitions with the device mapper.

Change root

Note: Some systemd tools such as localectl and timedatectl can not be used inside a chroot, as they require an active dbus connection. [1]

Using arch-chroot

The bash script arch-chroot is part of the arch-install-scripts package. Before running /usr/bin/chroot the script mounts api filesystems like /proc and makes /etc/resolv.conf available from the chroot.

Run arch-chroot with the new root directory as first argument:

# arch-chroot /mnt/arch

To run a bash shell instead of the default sh:

# arch-chroot /mnt/arch /bin/bash

To run mkinitcpio -p linux from the chroot, and exit again:

# arch-chroot /mnt/arch /usr/bin/mkinitcpio -p linux

Using chroot

Mount the temporary api filesystems:

# cd /mnt/arch
# mount -t proc proc proc/
# mount --rbind /sys sys/
# mount --rbind /dev dev/

And optionally:

# mount --rbind /run run/

To use an internet connection in the chroot environment copy over the DNS details:

# cp /etc/resolv.conf etc/resolv.conf

To change root into a bash shell:

# chroot /mnt/arch /bin/bash
Note: If you see the error:
  • chroot: cannot run command '/usr/bin/bash': Exec format error, it is likely that the architectures of the host environment and chroot environment do not match.
  • chroot: '/usr/bin/bash': permission denied, remount with the exec permission: mount -o remount,exec /mnt/arch.

After chrooting it may be necessary to load the local bash configuration:

# source /etc/profile
# source ~/.bashrc
Tip: Optionally, create a unique prompt to be able to differentiate your chroot environment:
# export PS1="(chroot) $PS1"

Using systemd-nspawn

systemd-nspawn may be used to run a command or OS in a light-weight namespace container. In many ways it is similar to chroot, but more powerful since it fully virtualizes the file system hierarchy, as well as the process tree, the various IPC subsystems and the host and domain name.

Change directory to the mountpoint of the root partition and run systemd-nspawn:

# cd /mnt/arch
# systemd-nspawn

It is not necessary to mount api filesystems like /proc manually, as systemd-nspawn starts a new init process in the contained environment which takes care of everything. It is like booting up a second Linux OS on the same machine, but it is not a virtual machine.

To quit, just log out or issue the poweroff command. You can then unmount the partitions as described in #Exit from the chroot environment.

Run graphical applications from chroot

If you have an X server running on your system, you can start graphical applications from the chroot environment.

To allow the chroot environment to connect to an X server, open a virtual terminal inside the X server (i.e. inside the desktop of the user that is currently logged in), then run the xhost command, which gives permission to anyone to connect to the user's X server:

$ xhost +local:

Then, to direct the applications to the X server from chroot, set the DISPLAY environment variable inside the chroot to match the DISPLAY variable of the user that owns the X server. So for example, run

$ echo $DISPLAY

as the user that owns the X server to see the value of DISPLAY. If the value is ":0" (for example), then in the chroot environment run

# export DISPLAY=:0

Exit from the chroot environment

When you are finished with system maintenance, exit from the chroot:

# exit

Last, unmount the temporary filesystems and the root partition:

# cd /
# umount --recursive /mnt/arch/
Note: If there is an error mentioning something like: umount: /path: device is busy this usually means that either: a program (even a shell) was left running in the chroot or that a sub-mount still exists. Quit the program and use mount to find and umount sub-mounts). It may be tricky to umount some things and one can hopefully have umount --force work, as a last resort use umount --lazy which just releases them. In either case to be safe, reboot as soon as possible if these are unresolved to avoid future, possible conflicts.

Without root privileges

Chroot requires root privileges, which may not be desirable or possible for the user to obtain in certain situations. There are, however, various ways to simulate chroot-like behavior using alternative implementations.

Proot

Proot may be used to change the apparent root directory and use mount --bind without root privileges. This is useful for confining applications to a single directory or running programs built for a different CPU architecture, but it has limitations due to the fact that all files are owned by the user on the host system. Proot provides a --root-id argument that can be used as a workaround for some of these limitations in a similar (albeit more limited) manner to fakeroot.

Fakechroot

fakechroot is a library shim which intercepts the chroot call and fakes the results. It can be used in conjunction with fakeroot to simulate a chroot as a regular user.

# fakechroot fakeroot chroot ~/my-chroot bash

See also