From ArchWiki
Revision as of 03:18, 12 July 2014 by Kynikos (talk | contribs) (update link(s) (avoid redirect if it differs only by capitalization))

Chroot is an operation that changes the apparent root directory for the current running process and its children. A program that is run in such a modified environment cannot access files and commands outside the designated directory tree. The modified environment is called a chroot jail.


Changing root is commonly done for performing system maintenance on systems where booting and/or logging in is no longer possible. Common examples are:


  • Root privileges
  • You need to boot from another working Linux environment. This can be from a LiveCD or USB flash media, or from another installed Linux distribution.
  • The architecture of the Linux environment you have booted into must match the architecture of the root directory you wish to enter (i.e. i686, x86_64). You can find the architecture of your current environment with # uname -m.
  • Kernel modules needed in the chroot environment must be loaded before chrooting.
  • Initialize your swap before chrooting using swapon /dev/sdxY.
  • Establish an internet connection before chrooting.

Mount the partitions

The root partition of the Linux system that you are trying to chroot into needs to be mounted first. To find out the device name assigned by the kernel, run:

# lsblk

Now create a directory where you would like to mount the root partition and mount it:

# mkdir /mnt/arch
# mount /dev/sdx1 /mnt/arch

Next, if you have separate filesystems for other directories of your system, for example /boot or /home, mount them, too:

# mount /dev/sdx2 /mnt/arch/boot/
# mount /dev/sdx3 /mnt/arch/home/
# mount ...
Note: If trying to access an encrypted filesystem, do not forget to first unlock its container (e.g. with # cryptsetup open /dev/sdX# name for dm-crypt/LUKS-based encryption), then mount the device using its previously supplied device-mapper name (under the form # mount /dev/mapper/name /mnt/arch/...). More info: Unlocking/Mapping LUKS partitions with the device mapper.

While it is possible to mount filesystems when chrooted, it is more convenient to do so beforehand. Also, this allows for a safer shutdown. Because the external environment knows all mounted partitions, it can safely unmount them during shutdown.

Change root

Using arch-chroot

The bash script arch-chroot is part of the arch-install-scripts package from the official repositories. Before running /usr/bin/chroot the script mounts API filesystems like /proc and makes /etc/resolv.conf available from the chroot.

Run arch-chroot with the new root directory as first argument:

# arch-chroot /mnt/arch

To run a bash shell instead of the default sh:

# arch-chroot /mnt/arch /bin/bash

To run mkinitcpio -p linux from the chroot, and exit again:

# arch-chroot /mnt/arch /usr/bin/mkinitcpio -p linux

Using plain chroot

Mount the API filesystems:

# cd /mnt/arch
# mount -t proc proc proc/
# mount --rbind /sys sys/
# mount --rbind /dev dev/

If you have established an internet connection and want to use it in the chroot environment, it may be necessary to copy over your DNS details:

# cp /etc/resolv.conf etc/resolv.conf

To change root into a bash shell, do:

# chroot /mnt/arch /bin/bash
Note: If you see the error chroot: cannot run command '/usr/bin/bash': Exec format error, it is likely that the architectures of the host environment and chroot environment do not match.
Note: If you see the error chroot: '/usr/bin/bash': permission denied, remount with the exec permission: mount -o remount,exec /mnt/arch.

Optionally, to source your Bash configuration (~/.bashrc and /etc/profile), run:

# source ~/.bashrc
# source /etc/profile

Optionally, create a unique prompt to be able to differentiate your chroot environment:

# export PS1="(chroot) $PS1"

Using systemd-nspawn

systemd-nspawn may be used to run a command or OS in a light-weight namespace container. In many ways it is similar to chroot, but more powerful since it fully virtualizes the file system hierarchy, as well as the process tree, the various IPC subsystems and the host and domain name.

Change directory to the mountpoint of the root partition and run systemd-nspawn:

# cd /mnt/arch
# systemd-nspawn

It is not necessary to mount API filesystems like /proc manually, as systemd-nspawn starts a new init process in the contained environment which takes care of everything. It is like booting up a second Linux OS on the same machine, but it is not a virtual machine.

To quit, just log out or issue the poweroff command. You can then unmount the partitions as described below.


Related: See Arch systemd container.

Running graphical applications from chroot

If you have an X server running on your system, you can start graphical applications from the chroot environment.

To allow the chroot environment to connect to an X server, open a virtual terminal inside the X server (i.e. inside the desktop of the user that is currently logged in), then run the xhost command, which gives permission to anyone to connect to the user's X server:

$ xhost +

Then, to direct the applications to the X server from chroot, set the DISPLAY environment variable inside the chroot to match the DISPLAY variable of the user that owns the X server. So for example, run

$ echo $DISPLAY

as the user that owns the X server to see the value of DISPLAY. If the value is ":0" (for example), then in the chroot environment run

# export DISPLAY=:0

Exit from the chroot environment

When you are finished with system maintenance, exit from the chroot:

# exit

Next, if you are using chroot instead of arch-chroot, unmount the temporary filesystems:

# cd /mnt/arch
# umount {proc,sys,dev/pts,dev}

Finally, unmount your root partition together with any sub-mounts, using -R:

# cd ..
# umount -R /mnt/arch/
Note: If you get an error saying that /mnt (or any other filesystem) is busy, this can mean one of two things:
  • A program was left running inside of the chroot.
  • A sub-mount still exists (e.g. /mnt/arch/boot within /mnt/arch). This should not happen as the option -R attempts to unmount all the sub-mounts. You can use lsblk to check if there are any mountpoints left.
If you are still unable to unmount a filesystem, use the --force option:
# umount -f /mnt

Afterwards you are able to reboot safely.
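A helper script for the plain-chroot procedure above and for the unmount steps in this section, added here as an example and not part of the wiki: the function names, the DRY_RUN convention and the file name chroot-helper.sh are assumptions. It adds a pre-flight check for the architecture mismatch behind the "Exec format error" note, by reading the ELF header of the target's bash, and echoes the mount/unmount sequence instead of executing it when DRY_RUN=1, so the sequence can be reviewed without root.

```shell
#!/bin/sh
# Added helper (not from the wiki): architecture check plus mount/unmount
# sequence for a plain chroot. Function names are hypothetical.

# elf_arch FILE: print the architecture stored in the ELF header (e_machine,
# bytes 18-19, little-endian) using the names uname -m reports.
elf_arch() {
    magic=$(od -An -N4 -tx1 "$1" | tr -d ' ')
    [ "$magic" = "7f454c46" ] || { echo not-elf; return 1; }
    machine=$(od -An -j18 -N2 -tx1 "$1" | tr -d ' ')
    case "$machine" in
        3e00) echo x86_64 ;;
        0300) echo i686 ;;
        b700) echo aarch64 ;;
        *)    echo "unknown-$machine" ;;
    esac
}

# check_arch NEWROOT: succeed only if NEWROOT's bash matches the host kernel;
# a mismatch is what produces "chroot: ... Exec format error".
check_arch() {
    [ "$(elf_arch "$1/usr/bin/bash")" = "$(uname -m)" ]
}

# run CMD...: echo the command instead of executing it when DRY_RUN=1.
run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

# mount_api_fs NEWROOT: the mounts the wiki performs before a plain chroot
mount_api_fs() {
    run mount -t proc proc "$1/proc"
    run mount --rbind /sys "$1/sys"
    run mount --rbind /dev "$1/dev"
    run cp /etc/resolv.conf "$1/etc/resolv.conf"
}

# umount_api_fs NEWROOT: reverse order; -R also detaches the rbind sub-mounts
umount_api_fs() {
    run umount -R "$1/dev"
    run umount -R "$1/sys"
    run umount "$1/proc"
}
# usage: ./chroot-helper.sh /mnt/arch   (runs only when a root dir is given)
if [ $# -ge 1 ]; then
    NEWROOT=$1
    check_arch "$NEWROOT" || { echo "architecture mismatch" >&2; exit 1; }
    mount_api_fs "$NEWROOT"
    trap 'umount_api_fs "$NEWROOT"' EXIT   # clean up however the shell is left
    run chroot "$NEWROOT" /bin/bash
fi
```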



Running a browser from a chroot, as an unprivileged user inside it, can limit the damage of an attack during browsing: a compromised browser cannot reach files or commands outside the chroot's directory tree.

As root, create the new root directory and install the installation scripts:

# cd /home/user
# mkdir myroot
# pacman -S arch-install-scripts

pacstrap must see myroot as a mount point, so bind-mount the directory onto itself before installing the base system into it:

# mount --bind myroot myroot
# pacstrap -i myroot base base-devel

Mount the API filesystems, copy the DNS configuration and change root:

# mount -t proc proc myroot/proc/
# mount -t sysfs sys myroot/sys/
# mount -o bind /dev myroot/dev/
# mount -o gid=5 -t devpts pts myroot/dev/pts/
# cp -i /etc/resolv.conf myroot/etc/
# chroot myroot

Inside the chroot, set a password for root, then create an unprivileged user and set its password:

# passwd
# useradd -m -s /bin/bash user
# passwd user

In a shell outside the chroot, install Xnest as root and start it as user. Note that -ac disables the nested server's access control, so any local process may connect to it:

# pacman -S xorg-server-xnest
$ Xnest -ac -geometry 1024x716+0+0 :1

Continue inside the chroot. xterm now runs in the Xnest window:

# pacman -S xterm
# xterm
# pacman -S xorg-server xorg-xinit xorg-server-utils
# pacman -S openbox

For Java, icedtea-web is needed, which requires some fonts and a configured locale. Uncomment en_US.UTF-8 UTF-8 in /etc/locale.gen, save and exit, then generate and set the locale:

# nano /etc/locale.gen
# locale-gen
# echo LANG=en_US.UTF-8 > /etc/locale.conf
# export LANG=en_US.UTF-8
# pacman -S ttf-dejavu
# pacman -S icedtea-web

Install and test Firefox, which now runs in Xnest, then leave the chroot:

# pacman -S firefox
# firefox
# exit

Outside the chroot, enter it again as the unprivileged user, then start the window manager and Firefox from inside:

# chroot --userspec=user myroot
$ openbox &
$ HOME="/home/user"
$ firefox

Without root privileges

Chroot requires root privileges, which may not be desirable or possible for the user to obtain in certain situations. There are, however, various ways to simulate chroot-like behavior using alternative implementations.


Proot may be used to change the apparent root directory and use mount --bind without root privileges. This is useful for confining applications to a single directory or running programs built for a different CPU architecture, but it has limitations due to the fact that all files are owned by the user on the host system. Proot provides a --root-id argument that can be used as a workaround for some of these limitations in a similar (albeit more limited) manner to fakeroot.


fakechroot is a library shim which intercepts the chroot call and fakes the results. It can be used in conjunction with fakeroot to simulate a chroot as a regular user.

$ fakechroot fakeroot chroot ~/my-chroot bash