Difference between revisions of "Change root"

From ArchWiki
Jump to: navigation, search
(Undo revision 512665 by PXf (talk) - systemd-nspawn is already in the "Related articles" box)
(172 intermediate revisions by 48 users not shown)
Line 1: Line 1:
 
[[Category:System recovery]]
 
[[Category:System recovery]]
{{i18n|Change Root}}
+
[[es:Change root]]
 +
[[fa:تغییر ریشه]]
 
[[fr:Chroot]]
 
[[fr:Chroot]]
 +
[[ja:Change Root]]
 +
[[pt:Change root]]
 +
[[ro:Chroot]]
 +
[[ru:Change root]]
 +
[[zh-hans:Change root]]
 +
{{Related articles start}}
 +
{{Related|PRoot}}
 +
{{Related|Linux Containers}}
 +
{{Related|systemd-nspawn}}
 +
{{Related articles end}}
 +
[[Wikipedia:Chroot|Chroot]] is an operation that changes the apparent root directory for the current running process and their children. A program that is run in such a modified environment cannot access files and commands outside that environmental directory tree.  This modified environment is called a ''chroot jail''.
  
Changing Root is the process of changing of the apparent disk root directory (and the current running process and its children) to another root directory.  When you change root to another directory you cannot access files and commands outside that directory.  This directory is called a ''chroot jail''.  Changing root is commonly done for system maintenance for such tasks as reinstalling [[Grub#Bootloader_installation|GRUB]] or resetting a forgotten password. Changing root is often done from from a LiveCD or LiveUSB into a mounted partition that contains an installed system.
+
== Reasoning ==
 +
 
 +
Changing root is commonly done for performing system maintenance on systems where booting and/or logging in is no longer possible. Common examples are:
 +
 
 +
* Reinstalling the [[bootloader]].
 +
* Rebuilding the [[mkinitcpio|initramfs image]].
 +
* Upgrading or [[downgrading packages]].
 +
* Resetting a [[Password recovery|forgotten password]].
 +
* Building packages in a clean chroot, see [[DeveloperWiki:Building in a Clean Chroot]].
 +
 
 +
See also [[Wikipedia:Chroot#Limitations]].
  
 
== Requirements ==
 
== Requirements ==
  
* You'll need to boot to another working Linux environment (for example, to a LiveCD or USB flash disk). For Arch install mediums there is both the [http://www.archlinux.org/download/ LiveCD and USB Flash disk].
+
* Root privilege.
 +
 
 +
* Another Linux environment, e.g. a LiveCD or USB flash media, or from another existing Linux distribution.
 +
 
 +
* Matching architecture environments; i.e. the chroot from and chroot to.  The architecture of the current environment can be discovered with: {{ic|uname -m}} (e.g. i686 or x86_64).
 +
 
 +
* Kernel modules loaded that are needed in the chroot environment.
 +
 
 +
* Swap enabled if needed: {{bc|# swapon /dev/sd''xY''}}
 +
 
 +
* Internet connection established if needed.
 +
 
 +
== Usage ==
 +
 
 +
{{Note|
 +
*Some [[systemd]] tools such as ''localectl'' and ''timedatectl'' can not be used inside a chroot, as they require an active [[dbus]] connection. [https://github.com/systemd/systemd/issues/798#issuecomment-126568596]
 +
*The file system that will serve as the new root ({{ic|/}}) of your chroot must be accessible (i.e., decrypted, mounted).}}
 +
 
 +
There are two main options for using chroot, described below.
 +
 
 +
=== Using arch-chroot ===
 +
 
 +
The bash script {{ic|arch-chroot}} is part of the {{Pkg|arch-install-scripts}} package. Before it runs {{ic|/usr/bin/chroot}}, the script mounts api filesystems like {{ic|/proc}} and makes {{ic|/etc/resolv.conf}} available from the chroot.
 +
 
 +
==== Enter a chroot ====
 +
 
 +
Run arch-chroot with the new root directory as first argument:
 +
 
 +
# arch-chroot ''/location/of/new/root''
 +
 
 +
For example, in the [[installation guide]] this directory would be {{ic|/mnt}}:
 +
 
 +
# arch-chroot /mnt
 +
 
 +
To exit the chroot simply use:
 +
 
 +
# exit
 +
 
 +
==== Run a single command and exit ====
  
* Root privileges are required in order to chroot.
+
To run a command from the chroot, and exit again append the command to the end of the line:
  
* Be sure that the architectures of the Linux environment you have booted into matches the architecture of the root directory you wish to enter (i.e. i686, x86_64). You can find the architecture of your current environment by:
+
# arch-chroot ''/location/of/new/root'' ''mycommand''
  
uname -m
+
For example, to run {{ic|mkinitcpio -p linux}} for a chroot located at {{ic|/mnt/arch}} do:
  
* If you need any kernel modules loaded in the chroot environment, load them before chrooting. It may also be useful to initialize your swap ({{ic|swapon /dev/<device-or-partition-name>}}) and to connect to your network before chrooting.
+
# arch-chroot /mnt/arch mkinitcpio -p linux
  
== Mounting the device ==
+
=== Using chroot ===
  
The device or partition with the Linux system on it will need to be mounted. To discover the kernel name of the storage device name, type:
+
{{Warning|When using {{ic|--rbind}}, some subdirectories of {{ic|dev/}} and {{ic|sys/}} will not be unmountable. Attempting to unmount with {{ic|umount -l}} in this situation will break your session, requiring a reboot. If possible, use {{ic|-o bind}} instead.}}
  
fdisk -l
+
In the following example ''/location/of/new/root'' is the directory where the new root resides.
  
Create a directory where you would like to mount the device or partition, then mount it:
+
First, mount the temporary api filesystems:
  
  mkdir /mnt/arch
+
  # cd ''/location/of/new/root''
  mount /dev/<device-or-partition-name> /mnt/arch
+
  # mount -t proc /proc proc/
 +
# mount --rbind /sys sys/
 +
# mount --rbind /dev dev/
  
== Changing Root ==
+
And optionally:
  
Mount the temporary filesystems:
+
# mount --rbind /run run/
  
cd /mnt/arch
+
Next, in order to use an internet connection in the chroot environment copy over the DNS details:
mount -t proc proc proc/
 
mount -t sysfs sys sys/
 
mount -o bind /dev dev/
 
  
Mount other parts of your filesystem (e.g. {{ic|/boot}}, {{ic|/var}}, {{ic|/usr}}...) that reside on separate partitions but which you need access to. For example:
+
# cp /etc/resolv.conf etc/resolv.conf
  
mount /dev/<device-or-partition-name> boot/
+
Finally, to change root into ''/location/of/new/root'' using a bash shell:
  
It's possible to mount filesystems after you've chrooted, but it's more convenient to do so beforehand.  The reasoning for this is you'll have to unmount the temporary filesystems after you exit a chroot so this lets you umount all the filesystems in a single command.  This also allows a safer shutdown.  Because the external Linux environment knows all mounted partitions it can safely unmount them during shutdown.
+
# chroot ''/location/of/new/root'' /bin/bash
  
If you've setup your network and want to use it in the chroot environment, copy over your DNS servers so that you will be connected to the network:
+
{{Note|If you see the error:
 +
* {{ic|chroot: cannot run command '/usr/bin/bash': Exec format error}}, it is likely that the architectures of the host environment and chroot environment do not match.
 +
* {{ic|chroot: '/usr/bin/bash': permission denied}}, remount with the exec permission: {{ic|mount -o remount,exec /mnt/arch}}.
 +
}}
  
cp -L /etc/resolv.conf etc/resolv.conf
+
After chrooting it may be necessary to load the local bash configuration:
  
Now chroot to your installed device or partition and define your shell:
+
# source /etc/profile
 +
# source ~/.bashrc
  
chroot . /bin/bash
+
{{Tip|Optionally, create a unique prompt to be able to differentiate your chroot environment:
 +
{{bc|1=# export PS1="(chroot) $PS1"}}
 +
}}
  
If you see the error, "{{Ic|chroot: cannot run command '/bin/bash': Exec format error}}" it is likely the two architectures do not match.
+
When finished with the chroot, you can exit it via:
  
If you use bash, your root {{ic|$HOME/.bashrc}} will be sourced on login provided your {{ic|~/.bash_profile}} specifies it ({{Ic|source ~/.bashrc}}). To source your chrooted, global bash configuration do:
+
  # exit
  
  source /etc/profile
+
Then unmount the temporary file systems:
  
If your bash configuration doesn't use a unique prompt, consider creating one to be able to differentiate your chroot environment:
+
# cd /
 +
# umount --recursive ''/location/of/new/root''
  
  export PS1="(chroot) $PS1"
+
{{Note|If there is an error mentioning something like: {{ic|umount: /path: device is busy}} this usually means that either: a program (even a shell) was left running in the chroot or that a sub-mount still exists.  Quit the program and use {{ic|mount | grep /mnt/arch}} to find and {{ic|umount}} sub-mounts).  It may be tricky to {{ic|umount}} some things and one can hopefully have {{ic|umount --force}} work, as a last resort use {{ic|umount --lazy}} which just releases them.  In either case to be safe, {{ic|reboot}} as soon as possible if these are unresolved to avoid possible future conflicts.}}
  
== Perform System Maintenance ==
+
== Run graphical applications from chroot ==
  
At this point you can perform whatever system maintenance you require inside the chroot environment, some common examples being:
+
If you have an [[X server]] running on your system, you can start graphical applications from the chroot environment.
  
* Upgrade or [[Downgrading_Packages|downgrade]] packages
+
To allow the chroot environment to connect to an X server, open a virtual terminal inside the X server (i.e. inside the desktop of the user that is currently logged in), then run the [[xhost]] command, which gives permission to anyone to connect to the user's X server:
* [[Mkinitcpio|Rebuild your initcpio image]]
 
* Reset a [[Password_Recovery|forgotten password]]
 
* Fix your [[Fstab|/etc/fstab]]
 
* [[GRUB#Bootloader_installation|Reinstall GRUB]].
 
  
== Exiting chroot ==
+
$ xhost +local:
  
When you're finished with system maintenance, exit the chroot shell:
+
Then, to direct the applications to the X server from chroot, set the DISPLAY environment variable inside the chroot to match the DISPLAY variable of the user that owns the X server. So for example, run
  
  exit
+
  $ echo $DISPLAY
  
Then unmount the temporary filesystems and any mounted devices:
+
as the user that owns the X server to see the value of DISPLAY. If the value is ":0" (for example), then in the chroot environment run
  
  umount {proc,sys,dev,boot...}
+
  # export DISPLAY=:0
  
Finally attempt to unmount your hard drive:
+
== Without root privileges ==
  
cd ..
+
Chroot requires root privileges, which may not be desirable or possible for the user to obtain in certain situations. There are, however, various ways to simulate chroot-like behavior using alternative implementations.
umount arch/
 
  
If you get an error saying that {{ic|/mnt}} (or any other partition) is busy, this can mean one of two things:
+
=== PRoot ===
  
* A program was left running inside of the chroot.
+
[[PRoot]] may be used to change the apparent root directory and use {{ic|mount --bind}} without root privileges. This is useful for confining applications to a single directory or running programs built for a different CPU architecture, but it has limitations due to the fact that all files are owned by the user on the host system. PRoot provides a {{ic|--root-id}} argument that can be used as a workaround for some of these limitations in a similar (albeit more limited) manner to ''fakeroot''.
* Or more frequently: a sub-mount still exists. For example, {{ic|/mnt/arch/usr}} within {{ic|/mnt/arch}}.  
 
  
In the latter case, unmount the sub-mount mount point first. To get a reminder of all the current mount points, run {{Ic|mount}} with no parameters.  If you still are unable to mount a partition, use the force option:
+
=== Fakechroot ===
  
umount -f /mnt
+
{{Pkg|fakechroot}} is a library shim which intercepts the chroot call and fakes the results. It can be used in conjunction with {{Pkg|fakeroot}} to simulate a chroot as a regular user.
  
After this you will be able to safely reboot.
+
# fakechroot fakeroot chroot ~/my-chroot bash
  
== Resources ==
+
== See also ==
  
* [http://en.wikipedia.org/wiki/Chroot Wikipedia] - for the introduction.
+
* [https://help.ubuntu.com/community/BasicChroot Basic Chroot]

Revision as of 12:26, 4 March 2018

ro:Chroot

Chroot is an operation that changes the apparent root directory for the current running process and their children. A program that is run in such a modified environment cannot access files and commands outside that environmental directory tree. This modified environment is called a chroot jail.

Reasoning

Changing root is commonly done for performing system maintenance on systems where booting and/or logging in is no longer possible. Common examples are:

See also Wikipedia:Chroot#Limitations.

Requirements

  • Root privilege.
  • Another Linux environment, e.g. a LiveCD or USB flash media, or from another existing Linux distribution.
  • Matching architecture environments; i.e. the chroot from and chroot to. The architecture of the current environment can be discovered with: uname -m (e.g. i686 or x86_64).
  • Kernel modules loaded that are needed in the chroot environment.
  • Swap enabled if needed:
    # swapon /dev/sdxY
  • Internet connection established if needed.

Usage

Note:
  • Some systemd tools such as localectl and timedatectl can not be used inside a chroot, as they require an active dbus connection. [1]
  • The file system that will serve as the new root (/) of your chroot must be accessible (i.e., decrypted, mounted).

There are two main options for using chroot, described below.

Using arch-chroot

The bash script arch-chroot is part of the arch-install-scripts package. Before it runs /usr/bin/chroot, the script mounts api filesystems like /proc and makes /etc/resolv.conf available from the chroot.

Enter a chroot

Run arch-chroot with the new root directory as first argument:

# arch-chroot /location/of/new/root

For example, in the installation guide this directory would be /mnt:

# arch-chroot /mnt

To exit the chroot simply use:

# exit

Run a single command and exit

To run a command from the chroot, and exit again append the command to the end of the line:

# arch-chroot /location/of/new/root mycommand

For example, to run mkinitcpio -p linux for a chroot located at /mnt/arch do:

# arch-chroot /mnt/arch mkinitcpio -p linux

Using chroot

Warning: When using --rbind, some subdirectories of dev/ and sys/ will not be unmountable. Attempting to unmount with umount -l in this situation will break your session, requiring a reboot. If possible, use -o bind instead.

In the following example /location/of/new/root is the directory where the new root resides.

First, mount the temporary api filesystems:

# cd /location/of/new/root
# mount -t proc /proc proc/
# mount --rbind /sys sys/
# mount --rbind /dev dev/

And optionally:

# mount --rbind /run run/

Next, in order to use an internet connection in the chroot environment copy over the DNS details:

# cp /etc/resolv.conf etc/resolv.conf

Finally, to change root into /location/of/new/root using a bash shell:

# chroot /location/of/new/root /bin/bash
Note: If you see the error:
  • chroot: cannot run command '/usr/bin/bash': Exec format error, it is likely that the architectures of the host environment and chroot environment do not match.
  • chroot: '/usr/bin/bash': permission denied, remount with the exec permission: mount -o remount,exec /mnt/arch.

After chrooting it may be necessary to load the local bash configuration:

# source /etc/profile
# source ~/.bashrc
Tip: Optionally, create a unique prompt to be able to differentiate your chroot environment:
# export PS1="(chroot) $PS1"

When finished with the chroot, you can exit it via:

# exit

Then unmount the temporary file systems:

# cd /
# umount --recursive /location/of/new/root
Note: If there is an error mentioning something like: umount: /path: device is busy this usually means that either: a program (even a shell) was left running in the chroot or that a sub-mount still exists. Quit the program and use mount to find and umount sub-mounts). It may be tricky to umount some things and one can hopefully have umount --force work, as a last resort use umount --lazy which just releases them. In either case to be safe, reboot as soon as possible if these are unresolved to avoid possible future conflicts.

Run graphical applications from chroot

If you have an X server running on your system, you can start graphical applications from the chroot environment.

To allow the chroot environment to connect to an X server, open a virtual terminal inside the X server (i.e. inside the desktop of the user that is currently logged in), then run the xhost command, which gives permission to anyone to connect to the user's X server:

$ xhost +local:

Then, to direct the applications to the X server from chroot, set the DISPLAY environment variable inside the chroot to match the DISPLAY variable of the user that owns the X server. So for example, run

$ echo $DISPLAY

as the user that owns the X server to see the value of DISPLAY. If the value is ":0" (for example), then in the chroot environment run

# export DISPLAY=:0

Without root privileges

Chroot requires root privileges, which may not be desirable or possible for the user to obtain in certain situations. There are, however, various ways to simulate chroot-like behavior using alternative implementations.

PRoot

PRoot may be used to change the apparent root directory and use mount --bind without root privileges. This is useful for confining applications to a single directory or running programs built for a different CPU architecture, but it has limitations due to the fact that all files are owned by the user on the host system. PRoot provides a --root-id argument that can be used as a workaround for some of these limitations in a similar (albeit more limited) manner to fakeroot.

Fakechroot

fakechroot is a library shim which intercepts the chroot call and fakes the results. It can be used in conjunction with fakeroot to simulate a chroot as a regular user.

# fakechroot fakeroot chroot ~/my-chroot bash

See also