JCHROOT(8) System Manager’s Manual JCHROOT(8)
NAME
jchroot — chroot with more isolation
SYNOPSIS
jchroot [-h | --help] [-U | --new-user-ns] [-N | --new-network-ns] [-u | --user user] [-g | --group group] [-f | --fstab fstab] [-n | --hostname hostname] [-M | --uid-map map] [-G | --gid-map map] [-p | --pidfile pidfile] [-e | --env name=value] [-c | --chdir directory] [-b | --background] target [--] command
DESCRIPTION
jchroot provides a chroot to run a command or a shell with more isolation, thanks to features introduced in recent Linux kernels (2.6.24 or later). Like chroot(8), jchroot changes the root directory to the specified target before running the provided command, but it also creates a new PID namespace, a new mount namespace and a new IPC namespace to ensure better isolation.
Moreover, when the command exits, the kernel automatically kills any process that was started by the command, unmounts any filesystems mounted by jchroot or the command, and cleans up the IPC namespace. Therefore, most daemons can be run safely from the chroot: they will be killed on exit.
The options are as follows:
-N | --new-network-ns
Switch to a new network namespace. The program will be run in a fresh network namespace. Unless additional actions are taken, this means that the program won't get any network access.
-U | --new-user-ns
Switch to a new user namespace. This allows jchroot to be run without being root. It requires a recent kernel (3.8+) with support for user namespaces.
-M | --uid-map mapping
Use the provided user mapping in the new user namespace. This option should not be used without the -U option. The mapping is explained in the user_namespaces(7) manual page. A mapping is a record with the ID range start inside the namespace, the ID range start outside the namespace and the length of the range.
-G | --gid-map mapping
Use the provided group mapping in the new user namespace. See -M for more information.
-u | --user user
Specify the user to use after chrooting. This can be specified as a user name or a UID. In the case of a user name, the primary group of the user is also used unless another group is specified.
-g | --group group
Specify the primary group to use after chrooting. This can be specified as a group name or a GID.
-f | --fstab fstab
Specify a file location in the fstab(5) format containing mount points relative to target to mount inside the chroot. Here is an example of such a file:
proc /proc proc defaults 0 0
sys /sys sysfs defaults 0 0
/home /home none bind,rw 0 0
/dev/pts /dev/pts none bind,rw 0 0
/var/run /var/run tmpfs rw,nosuid,noexec,mode=755 0 0
/etc/resolv.conf /etc/resolv.conf none bind,ro 0 0
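The fstab file above is plain fstab(5) syntax with mount points taken relative to target. As an added example (not part of jchroot or this manual page), the script below parses such a file, resolves each mount point under a hypothetical chroot root of /srv/jail while refusing ".." escapes, and flags entries that widen the chroot's reach (writable bind mounts of host paths, tmpfs without nosuid,noexec); the sample input is the example from the page.

```python
import os
from dataclasses import dataclass
@dataclass
class Mount:
    source: str
    target: str      # mount point, relative to the chroot target directory
    fstype: str
    options: tuple
def parse_fstab(text):
    """Parse fstab(5)-style lines; '#' comments and blank lines are ignored."""
    mounts = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError(f"line {lineno}: need source, target, type, options")
        src, tgt, fstype, opts = fields[:4]   # dump/pass fields are unused
        mounts.append(Mount(src, tgt, fstype, tuple(opts.split(","))))
    return mounts

def resolve_in_target(root, mountpoint):
    """Join a mount point onto the chroot root, refusing '..' escapes."""
    root = os.path.normpath(root)
    full = os.path.normpath(os.path.join(root, mountpoint.lstrip("/")))
    if os.path.commonpath([root, full]) != root:
        raise ValueError(f"mount point {mountpoint!r} escapes {root}")
    return full

def audit(mounts):
    """Flag entries that give the chroot more reach than strictly needed."""
    warnings = []
    for m in mounts:
        if "bind" in m.options and "ro" not in m.options:
            warnings.append(f"{m.target}: writable bind mount of host path {m.source}")
        if m.fstype == "tmpfs" and not {"nosuid", "noexec"} <= set(m.options):
            warnings.append(f"{m.target}: tmpfs without nosuid,noexec")
    return warnings

# Constructed sample input: the fstab example from this manual page.
SAMPLE = """\
proc /proc proc defaults 0 0
sys /sys sysfs defaults 0 0
/home /home none bind,rw 0 0
/dev/pts /dev/pts none bind,rw 0 0
/var/run /var/run tmpfs rw,nosuid,noexec,mode=755 0 0
/etc/resolv.conf /etc/resolv.conf none bind,ro 0 0
"""
```

Running audit(parse_fstab(SAMPLE)) reports the two writable bind mounts (/home and /dev/pts) and nothing else.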
-n | --hostname name
Specify a hostname for the chroot. This enables a new UTS namespace.
-p | --pidfile file
Write the PID of the child process to file.
-e | --env name=value
Set an environment variable. This option can be specified more than once.
-c | --chdir directory
Change to the specified directory after entering the chroot.
-b | --background
Allow processes started by jchroot to continue in the background. Otherwise, they will be killed abruptly with a SIGKILL signal once jchroot terminates. Due to the use of a PID namespace, the process running as PID 1 in the chroot will only handle SIGKILL and SIGSTOP from an ancestor; all other signals need a specific handler (there is no default handler). Therefore, when using this option and using Ctrl-C to stop a process, the process may continue in the background instead of terminating. Note that this option does not put the command in the background by itself.
-h | --help
Get help.
SEE ALSO
chroot(8), clone(2), lxc(7)
AUTHORS
The jchroot program was written by Vincent Bernat <[email protected]>.
GNU August 17, 2011 JCHROOT(8)