Debian chrooted server
NOTE: systemd is nowadays a common tool to achieve the same (and better) results as chroot (which is still great). An improved article with the same objective as this one is available at Debian_systemd-nspawn_server.
The objective of this document is to present a step-by-step command list to produce an independent 'guest' Debian server inside any GNU/Linux hosting system.
In this example, the final 'guest' system will be placed in the /srv folder of the hosting system. There will be a symbolic link named /srv/CHROOT that points to the specific 'guest' folder, which we can name as we want, for instance according to the Debian version and hosting architecture. For example, the final folder name can be /srv/DEBIAN_stretch_amd64 if we use the Debian 9 "Stretch" version on an amd64 architecture.
This tutorial does not use the classic boot programs (systemv or systemd) in the 'guest' system, because the 'host' system takes care of the machine bootstrap. So, in this document we set aside a separate folder, /srv/config inside the 'guest' system (that is, the complete path /srv/CHROOT/srv/config in the 'host' system), to configure the services that the 'guest' system will start up.
For that, we will use the Debootstrap tutorial to produce a minimal image, and the scripts chroot.sh and linuxrc.sh to configure a simple alternative to the bootstrap service.
In this example, we will enable a simple iptables rule to limit repetitive access to the ssh service, and the cron service to be able to configure periodic scripts. The resulting scripts will have the following structure:
/etc/init.d/chroot.sh -> /srv/CHROOT/srv/config/chroot.sh   # 'host' script to bootstrap the 'guest' system
/srv/CHROOT                                                 # folder of the 'guest' system in the 'host' filesystem
(/srv/CHROOT)/srv/config/chroot.sh                          # real place of the bootstrap script, which uses the linuxrc.sh script
(/srv/CHROOT)/srv/config/linuxrc.sh                         # script to run the services configured in the 'guest' folder /srv/config/rc.d/
# sample service scripts
(/srv/CHROOT)/srv/config/init.d/iptables_SSHlimit.sh
(/srv/CHROOT)/srv/config/rc.d/S05_iptables_SSHlimit.sh -> ../init.d/iptables_SSHlimit.sh
(/srv/CHROOT)/srv/config/rc.d/K95_iptables_SSHlimit.sh -> ../init.d/iptables_SSHlimit.sh
(/srv/CHROOT)/srv/config/init.d/cron -> /etc/init.d/cron    # symbolic link to the system script
(/srv/CHROOT)/srv/config/rc.d/S15_cron -> ../init.d/cron
(/srv/CHROOT)/srv/config/rc.d/K85_cron -> ../init.d/cron
Prerequisites
Obtain a version of Debian to use as the chrooted 'guest' system, see Debootstrap or Cdebootstrap. We will make a symbolic link named '/srv/CHROOT' to simplify the paths:
ln -s /srv/DEBIAN_stretch_amd64 /srv/CHROOT
- NOTE: change the --arch option as necessary
- NOTE: make sure the boot programs (systemv or systemd) are disabled in the 'guest' system by following these steps:
#### prevent services startup on install
echo '#!/bin/sh' > /srv/CHROOT/usr/sbin/policy-rc.d
echo 'exit 101' >> /srv/CHROOT/usr/sbin/policy-rc.d
chmod 0755 /srv/CHROOT/usr/sbin/policy-rc.d
NOTE: Just a suggestion: make a backup of the obtained folder, to have a save point from which to repeat the process. Sometimes the best thing to do is to create two systems, one for 'production' and one to test configurations and services. To obtain another 'guest' system, a simple copy (cp -a /srv/DEBIAN_stretch_amd64 /srv/DEBIAN_stretch_amd64_testing) of the 'guest' system can be performed (while the system is 'stopped').
Chroot script
After obtaining the 'guest' system, we need to automate its bootstrap. We will use the chroot.sh script.
It works together with another script that focuses on starting and stopping the 'guest' system services: the linuxrc.sh script.
Download the scripts and save them in the /srv/config folder of the 'guest' system:
chmod 0750 chroot.sh linuxrc.sh
mkdir -m 755 /srv/CHROOT/srv/config /srv/CHROOT/srv/config/rc.d /srv/CHROOT/srv/config/init.d
mv chroot.sh linuxrc.sh /srv/CHROOT/srv/config
Configure the 'guest' system to start at the 'host' bootstrap
We will create a symbolic link in the 'host' system to the place where the startup script exists in the 'guest' system.
NOTE: on some OSes a symbolic link in /etc/init.d will not work, so you will need to copy the script there.
ln -s /srv/CHROOT/srv/config/chroot.sh /etc/init.d/chroot.sh
update-rc.d chroot.sh defaults   # for Debian based hosts
chkconfig chroot.sh on           # for RedHat based hosts
- The system will be started in the next boot. To start it now, execute:
/etc/init.d/chroot.sh start
Add services in the 'guest' system
- Cron example
chroot /srv/CHROOT
apt-get install cron
apt-get clean
ln -s /etc/init.d/cron /srv/config/init.d
ln -s ../init.d/cron /srv/config/rc.d/S15_cron
ln -s ../init.d/cron /srv/config/rc.d/K85_cron
/srv/config/init.d/cron start
exit
- Another example: a script to limit requests to the sshd service, iptables_SSHlimit.sh
Save it and put it to work!
chmod 0750 iptables_SSHlimit.sh
mv iptables_SSHlimit.sh /srv/CHROOT/srv/config/init.d
chroot /srv/CHROOT
apt-get install iptables
apt-get clean
ln -s ../init.d/iptables_SSHlimit.sh /srv/config/rc.d/S05_iptables_SSHlimit.sh
ln -s ../init.d/iptables_SSHlimit.sh /srv/config/rc.d/K95_iptables_SSHlimit.sh
/srv/config/init.d/iptables_SSHlimit.sh start
exit
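As an added example (not the page's own linuxrc.sh, which is downloaded separately), here is a minimal POSIX sh runner for the /srv/config/rc.d layout used above: it starts the S* entries in order, stops the K* entries in order, and first checks that none of the ../init.d links are dangling or non-executable. The RC_DIR override and the script name are assumptions for trying it outside the chroot.

```shell
#!/bin/sh
# Added example: a stand-in for the page's linuxrc.sh, not the project's own script.
# Assumes the rc.d layout described above: S##_name entries run on start, K##_name
# entries on stop, each a link to a script in ../init.d accepting "start" or "stop".

# run_rc_dir DIR ACTION: run the S* (start) or K* (stop) entries of DIR in glob
# order, so S05_iptables_SSHlimit runs before S15_cron and K85_cron before
# K95_iptables_SSHlimit (stop order is the reverse of start order).
# Returns the number of entries whose script exited non-zero.
run_rc_dir() {
    rc_dir=$1
    rc_action=$2
    rc_failed=0
    case "$rc_action" in
        start) rc_glob='S*' ;;
        stop)  rc_glob='K*' ;;
        *) echo "usage: run_rc_dir DIR start|stop" >&2; return 2 ;;
    esac
    for rc_script in "$rc_dir"/$rc_glob; do
        # Skip an unmatched glob and anything not executable (dangling links included).
        [ -x "$rc_script" ] || continue
        "$rc_script" "$rc_action" || {
            echo "WARN: $rc_script $rc_action failed" >&2
            rc_failed=$((rc_failed + 1))
        }
    done
    return $rc_failed
}

# check_rc_dir DIR: report dangling or non-executable S*/K* entries, which run_rc_dir
# would silently skip (a relative link like ../init.d/cron breaks when its target is
# missing). Returns 1 if anything was found, so run it after editing rc.d.
check_rc_dir() {
    rc_bad=0
    for rc_entry in "$1"/S* "$1"/K*; do
        if [ -L "$rc_entry" ] && ! [ -e "$rc_entry" ]; then
            echo "dangling link: $rc_entry -> $(readlink "$rc_entry")" >&2
            rc_bad=1
        elif [ -e "$rc_entry" ] && ! [ -x "$rc_entry" ]; then
            echo "not executable: $rc_entry" >&2
            rc_bad=1
        fi
    done
    return $rc_bad
}

# Stand-alone use inside the guest: ./linuxrc_example.sh start|stop
# (RC_DIR is a hypothetical override for trying it outside the chroot).
if [ "$#" -gt 0 ]; then
    check_rc_dir "${RC_DIR:-/srv/config/rc.d}"
    run_rc_dir "${RC_DIR:-/srv/config/rc.d}" "$1"
fi
```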