Debian chrooted server

From campisano.org

NOTE: systemd is nowadays the common tool to achieve the same (and better) results as chroot (which is still great). An improved article that reaches the same objective as this one is available at Debian_systemd-nspawn_server.


The objective of this document is to present a step-by-step command list to produce an independent 'guest' Debian server inside any GNU/Linux hosting system.

In this example, the final 'guest' system will be placed in the /srv folder of the hosting system. There will be a symbolic link named /srv/CHROOT that points to the specific 'guest' folder, which we can name as we want, for instance according to the Debian version and the host architecture. For example, the final folder name can be /srv/DEBIAN_stretch_amd64 if we use Debian 9 "Stretch" on an amd64 architecture.

This tutorial does not use the classic init programs (SysV init or systemd) in the 'guest' system, because the 'host' system takes care of the machine bootstrap. So, in this document we keep a separate group of folders under /srv/config inside the 'guest' system (that is, the full path /srv/CHROOT/srv/config on the 'host' system) to configure the services that the 'guest' system will start.

For that, we will use the Debootstrap tutorial to produce a minimal image, and the scripts chroot.sh and linuxrc.sh as a simple alternative to a bootstrap service.

In this example we will enable a simple iptables rule to limit repeated access to the ssh service, and the cron service to be able to run periodic scripts. The resulting files will have the following structure:

/etc/init.d/chroot.sh -> /srv/CHROOT/srv/config/chroot.sh   # 'host' script to bootstrap the 'guest' system
/srv/CHROOT                                                 # folder of the 'guest' system in the 'host' filesystem
(/srv/CHROOT)/srv/config/chroot.sh                          # real location of the bootstrap script, which uses the linuxrc.sh script
(/srv/CHROOT)/srv/config/linuxrc.sh                         # script that runs the services configured in the 'guest' folder /srv/config/rc.d/
# sample service scripts
(/srv/CHROOT)/srv/config/init.d/iptables_SSHlimit.sh
(/srv/CHROOT)/srv/config/rc.d/S05_iptables_SSHlimit.sh -> ../init.d/iptables_SSHlimit.sh
(/srv/CHROOT)/srv/config/rc.d/K95_iptables_SSHlimit.sh -> ../init.d/iptables_SSHlimit.sh
(/srv/CHROOT)/srv/config/init.d/cron -> /etc/init.d/cron    # symbolic link to the system script
(/srv/CHROOT)/srv/config/rc.d/S15_cron -> ../init.d/cron
(/srv/CHROOT)/srv/config/rc.d/K85_cron -> ../init.d/cron
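The article's own chroot.sh and linuxrc.sh are downloaded separately and not reproduced here. To make the S/K link convention above concrete, the following is an added example of a minimal linuxrc.sh-style runner, written for this article and not taken from campisano.org: S<NN>_<name> links are run with "start" in ascending order, K<NN>_<name> links with "stop" in ascending order, so in the layout above the firewall rule comes up first (S05) and goes down last (K95). The function names (rc_run, make_demo_tree, rc_demo), the RC_DIR variable and the constructed sample tree are assumptions of this example; the two fake services only record what they were asked to do.

```shell
#!/bin/sh
# Minimal linuxrc.sh-style service runner (added example, not the campisano.org script).
# Convention assumed from the article: RC_DIR holds symlinks named
#   S<NN>_<name> -> ../init.d/<name>   run with "start", ascending NN
#   K<NN>_<name> -> ../init.d/<name>   run with "stop",  ascending NN
# RC_DIR is overridable so the runner can be exercised outside the guest.
RC_DIR="${RC_DIR:-/srv/config/rc.d}"

# rc_prefix ACTION: map start/stop to the S/K link prefix; fails on anything else.
rc_prefix() {
    case "$1" in
        start) echo S ;;
        stop)  echo K ;;
        *)     return 2 ;;
    esac
}

# rc_run ACTION: execute each link for ACTION in lexical (= numeric, two-digit) order,
# print "<name> <action> <result>" per service, return non-zero if any service failed.
rc_run() {
    action="$1"
    prefix=$(rc_prefix "$action") || { echo "usage: rc_run start|stop" >&2; return 2; }
    rc=0
    for link in "$RC_DIR"/"$prefix"[0-9][0-9]_*; do
        [ -e "$link" ] || continue          # glob matched nothing, or dangling link
        name="${link##*/}"                  # S05_cron
        name="${name#???_}"                 # cron
        if [ -x "$link" ]; then
            if "$link" "$action" >/dev/null 2>&1; then
                echo "$name $action ok"
            else
                echo "$name $action FAILED"; rc=1
            fi
        else
            echo "$name $action skipped (not executable)"
        fi
    done
    return $rc
}

# make_demo_tree DIR: constructed sample /srv/config layout under DIR with two fake
# services that append "<name> <action>" to DIR/log instead of doing real work.
make_demo_tree() {
    base="$1"
    mkdir -p "$base/init.d" "$base/rc.d"
    for svc in iptables_SSHlimit.sh cron; do
        printf '#!/bin/sh\necho "%s $1" >> "%s/log"\n' "$svc" "$base" > "$base/init.d/$svc"
        chmod 0750 "$base/init.d/$svc"
    done
    # same S/K numbering as the article: firewall up first, down last
    ln -s ../init.d/iptables_SSHlimit.sh "$base/rc.d/S05_iptables_SSHlimit.sh"
    ln -s ../init.d/iptables_SSHlimit.sh "$base/rc.d/K95_iptables_SSHlimit.sh"
    ln -s ../init.d/cron "$base/rc.d/S15_cron"
    ln -s ../init.d/cron "$base/rc.d/K85_cron"
}

# rc_demo: build the sample tree in a temp dir, run a start/stop cycle, show the order.
rc_demo() {
    tree=$(mktemp -d)
    make_demo_tree "$tree"
    RC_DIR="$tree/rc.d"
    rc_run start
    rc_run stop
    echo "--- order recorded by the services ---"
    cat "$tree/log"
    rm -rf "$tree"
}

if [ "${1:-}" = demo ]; then rc_demo; fi
```

Run it as `sh linuxrc_example.sh demo` to see the order: both services start (S05 then S15), then stop in reverse (K85 then K95). Inside the guest the real runner would be invoked by chroot.sh as `chroot /srv/CHROOT /srv/config/linuxrc.sh start`, and a failed service is reported but does not abort the others, which is the behaviour you usually want at boot.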

Prerequisites

Obtain a version of Debian to use as the chrooted 'guest' system, see Debootstrap or Cdebootstrap. We will make a symbolic link named '/srv/CHROOT' to simplify the paths:

ln -s /srv/DEBIAN_stretch_amd64 /srv/CHROOT
  • NOTE: change the --arch option as necessary
  • NOTE: make sure the init programs (SysV init or systemd) are disabled in the 'guest' system, following these steps:
#### prevent services startup on install (exit status 101 tells invoke-rc.d the action is forbidden)
echo '#!/bin/sh' > /srv/CHROOT/usr/sbin/policy-rc.d
echo 'exit 101' >> /srv/CHROOT/usr/sbin/policy-rc.d
chmod 0755 /srv/CHROOT/usr/sbin/policy-rc.d

NOTE: just a suggestion: make a backup of the obtained folder, to have a save point from which to repeat the process. Sometimes the best thing to do is to create two systems, one for 'production' and one to test configurations and services. To obtain another 'guest' system, a simple copy (cp -a /srv/DEBIAN_stretch_amd64 /srv/DEBIAN_stretch_amd64_testing) of the 'guest' system can be performed (while the system is 'stopped').

Chroot script

After obtaining the 'guest' system, we need to automate its bootstrap. We will use the chroot.sh script.

It works together with another script that focuses on starting and stopping the 'guest' system services: the linuxrc.sh script.

Download the scripts and save them in the /srv/config folder of the 'guest' system:

chmod 0750 chroot.sh linuxrc.sh
mkdir -m 755 /srv/CHROOT/srv/config /srv/CHROOT/srv/config/rc.d /srv/CHROOT/srv/config/init.d
mv chroot.sh linuxrc.sh /srv/CHROOT/srv/config

Configure the 'guest' system to start at the 'host' bootstrap

We will create a symbolic link in the 'host' system to the place where the startup script exists in the 'guest' system.

NOTE: on some operating systems a symbolic link in /etc/init.d will not work, so you will need to copy the script there.

ln -s /srv/CHROOT/srv/config/chroot.sh /etc/init.d/chroot.sh
update-rc.d chroot.sh defaults      # for Debian based hosts
chkconfig chroot.sh on              # for RedHat based hosts
  • The system will be started in the next boot. To start it now, execute:
/etc/init.d/chroot.sh start

Add services in the 'guest' system

  • Cron example
chroot /srv/CHROOT
apt-get install cron
apt-get clean
ln -s /etc/init.d/cron /srv/config/init.d
ln -s ../init.d/cron /srv/config/rc.d/S15_cron
ln -s ../init.d/cron /srv/config/rc.d/K85_cron
/srv/config/init.d/cron start
exit

Save the iptables_SSHlimit.sh script and put it to work:

chmod 0750 iptables_SSHlimit.sh
mv iptables_SSHlimit.sh /srv/CHROOT/srv/config/init.d
chroot /srv/CHROOT
apt-get install iptables
apt-get clean
ln -s ../init.d/iptables_SSHlimit.sh /srv/config/rc.d/S05_iptables_SSHlimit.sh
ln -s ../init.d/iptables_SSHlimit.sh /srv/config/rc.d/K95_iptables_SSHlimit.sh
/srv/config/init.d/iptables_SSHlimit.sh start
exit
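The iptables_SSHlimit.sh script itself is not shown on this page. As an added example (written for this article, not the campisano.org script), here is how an init.d-style script for that purpose can look, following the start/stop interface the rc.d links above expect. The function names (sshlimit_start, sshlimit_stop, sshlimit_main), the chain name SSH_LIMIT and the budget of 4 new connections per 60 seconds per source address are assumptions of this example; the IPTABLES variable lets you run it with IPTABLES=echo to print the rules instead of applying them.

```shell
#!/bin/sh
# init.d-style SSH connection rate limit (added example, not the campisano.org script).
# Policy: a source address that opens more than HITCOUNT new SSH connections within
# WINDOW seconds has further new connections dropped until it backs off.
# IPTABLES is overridable (e.g. IPTABLES=echo) so the rule set can be reviewed without root.
IPTABLES="${IPTABLES:-iptables}"
SSH_PORT="${SSH_PORT:-22}"
WINDOW=60
HITCOUNT=4
CHAIN=SSH_LIMIT

# The rules live in a dedicated chain, so start/stop add and remove exactly what this
# script owns and never touch other INPUT rules.
sshlimit_start() {
    "$IPTABLES" -N "$CHAIN" &&
    # record the source address of every new connection in the "SSH" recent-list
    "$IPTABLES" -A "$CHAIN" -m recent --set --name SSH &&
    # drop when that source has already exceeded its budget inside the window
    "$IPTABLES" -A "$CHAIN" -m recent --update --seconds "$WINDOW" --hitcount "$HITCOUNT" --name SSH -j DROP &&
    "$IPTABLES" -A "$CHAIN" -j RETURN &&
    # only NEW TCP connections to the SSH port are sent through the chain
    "$IPTABLES" -I INPUT -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW -j "$CHAIN"
}

sshlimit_stop() {
    # unhook first, then flush and delete the chain
    "$IPTABLES" -D INPUT -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW -j "$CHAIN" &&
    "$IPTABLES" -F "$CHAIN" &&
    "$IPTABLES" -X "$CHAIN"
}

# sshlimit_main ACTION: the start/stop interface called through the rc.d links.
sshlimit_main() {
    case "$1" in
        start)   sshlimit_start ;;
        stop)    sshlimit_stop ;;
        restart) sshlimit_stop; sshlimit_start ;;
        status)  "$IPTABLES" -nvL "$CHAIN" ;;   # fails if the chain does not exist
        *) echo "usage: $0 start|stop|restart|status" >&2; return 2 ;;
    esac
}

# When run as a script (from linuxrc.sh via rc.d), dispatch on the first argument.
case "${1:-}" in start|stop|restart|status) sshlimit_main "$1" ;; esac
```

Two caveats worth keeping in mind with this kind of rule. First, a chroot shares the host kernel and its network stack, so this rule lands in the host's INPUT chain and applies to the host's SSH port as well, not only to the guest. Second, `-m recent` keys on the source address, so several clients behind one NAT gateway share a single budget; raise HITCOUNT or whitelist the address before the chain if that bites.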