Virtual Machine chroot environment build + openssh Login

Source: Internet
Author: User


Recently a project of mine needed a chroot environment. If you are not familiar with chroot, read up on it first. After doing so, I found that there are generally three ways to build one:

1. Copy the required files from the host system into the subsystem by hand. Important files are easily missed during the copy.

2. Use the makejail tool to generate a chroot environment quickly. After a first look at makejail, it turns out the tool builds an environment for a service according to a configuration file; some service templates are included in the package. It should be able to generate the minimal chroot environment that can run the service, and several configuration files can be combined to generate a more complex environment.

3. Use debootstrap to build a basic Debian system. In other words, the tool builds a small but complete system, so it can be used to quickly build a relatively complete chroot environment.

After weighing these, I think the third method suits me best. Although the chroot environment it builds is relatively large, the experiment below builds the chroot environment with debootstrap.
Physical server: 10.1.6.235 Ubuntu 12.10
Virtual Machine: 10.1.6.28 Ubuntu 12.10
1. Install debootstrap, which downloads and installs the basic system components:

    apt-get -y install debootstrap

2. Install schroot, which is used to manage chroot environments:

    apt-get -y install schroot

3. /etc/default/schroot: this file controls the default behaviour after the schroot service is stopped and does not need to be modified by default.

4. Directory structure of the schroot configuration:

    /etc/schroot
    ├── buildd
    ├── chroot.d
    ├── default
    ├── desktop
    ├── minimal
    ├── sbuild
    ├── schroot.conf
    └── setup.d

/etc/schroot/schroot.conf is the file in which chroot environments are defined.
/etc/schroot/chroot.d is the directory holding configuration files for additional chroot environments.
/etc/schroot/setup.d is the directory holding the setup scripts run while a chroot session is created.

5. Append the following to the end of /etc/schroot/schroot.conf:

    [test]
    description=user test chroot
    type=directory
    directory=/opt
    users=test
    groups=root
    root-groups=root

6. Check whether the configuration file has errors:

    schroot -l

The chroot environment named test is listed, so the configuration is correct.

7. Use debootstrap to build the Ubuntu 12.10 chroot environment:

    debootstrap --variant=buildd --arch=amd64 quantal /opt http://10.1.1.187/ubuntu

You can see that a directory resembling a small system has been created under /opt, matching the configuration.

8. After the installation is complete, log in to the chroot environment:

    schroot -c test -u root

schroot automatically executes the scripts found under /etc/schroot/setup.d. When the chroot is started they are run in file-name order with the setup-start option; when the chroot is left they are run in reverse order with the setup-stop option. You can add the actions you want to perform to an existing script, or create a new script of your own.
This is how debootstrap is used to install the chroot environment. If you think it can be used in production as is, it is still far too simple. The following upgrades are needed:

1. Modify the schroot configuration. We have created a chroot environment named test; to use it in production, some configuration parameters must be added:

    [test]
    description=user test chroot
    type=directory
    directory=/opt
    users=root,test,guol
    root-users=root,guol
    groups=root
    root-groups=root
    setup.copyfiles=default/copyfiles
    setup.fstab=default/fstab
    setup.nssdatabases=default/nssdatabases
    shell=/bin/bash
    preserve-environment=true

[test]: name of the chroot environment.
description: description of the chroot environment.
type: one of plain, directory, file, loopback, block-device, btrfs-snapshot and lvm-snapshot. plain and directory both refer to a folder; the difference is that directory automatically runs the preset setup scripts and mounts some directories, while plain does nothing. file lets you use an archive directly as the chroot target.
directory: the target location when type is plain or directory.
file: the target location when type is file.
users: users of the host system who may enter this subsystem through schroot.
root-users: users of the host system who may enter this subsystem through schroot and obtain root privileges.
groups: groups of the host system whose members may enter this subsystem through schroot.
root-groups: groups of the host system whose members may enter this subsystem through schroot and obtain root privileges.
setup.copyfiles: the file listing which files are copied into the subsystem every time it is entered.
setup.fstab: the file listing which host directories are mounted into the subsystem; the format is the same as /etc/fstab. Note that by default schroot bind-mounts the host's /home into the subsystem, so changes to /home inside the subsystem also affect the host. Unless this is really needed, comment that line out.
setup.nssdatabases: the file listing which databases (passwd, shadow, group and so on) are copied from the host into the subsystem every time it is entered. Note that changes made to these databases inside the subsystem are overwritten. This matters because we want to add users on the host and then log in to the chroot environment; if you add a user inside the chroot environment instead, the related files are overwritten by the host's copies the next time you enter it.
shell: the shell used when logging in to the chroot environment.

2. Modify the default files loaded when entering the chroot environment:
    # /etc/schroot/default/copyfiles
    /etc/hosts
    /etc/resolv.conf
    /etc/network/interfaces
    /etc/apt/sources.list
    /etc/hostname
    /etc/sudoers

    # /etc/schroot/default/fstab
    /proc      /proc      none   rw,bind   0 0
    /sys       /sys       none   rw,bind   0 0
    /dev       /dev       none   rw,bind   0 0
    /dev/pts   /dev/pts   none   rw,bind   0 0
    /tmp       /tmp       none   rw,bind   0 0
    tmpfs      /dev/shm   tmpfs  defaults  0 0
    /run       /run       none   rw,bind   0 0
    /run/lock  /run/lock  none   rw,bind   0 0
    /dev/shm   /dev/shm   none   rw,bind   0 0
    /run/shm   /run/shm   none   rw,bind   0 0

    # /etc/schroot/default/nssdatabases
    passwd
    shadow
    group
    gshadow
    services
    protocols
    networks
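To make the two points above about the [test] stanza checkable (who obtains root inside the chroot, and whether /home is still shared with the host), here is a small audit script. It is an added example for this post, not the author's code and not part of schroot: it reads a schroot.conf-style file with awk, prints the root-users and root-groups of a stanza, and checks whether the fstab named by setup.fstab still bind-mounts /home. It assumes relative setup.fstab values are resolved against /etc/schroot; the SCHROOT_ETC variable is our own (not a schroot setting) and only exists so the script can be pointed at a constructed sample tree.

```sh
#!/bin/sh
# Added example, not part of the original post: audit schroot.conf stanzas.
# Reports who gets root inside a chroot (root-users / root-groups) and
# whether the fstab named by setup.fstab still bind-mounts the host's /home.
# Assumption: relative setup.fstab paths live under /etc/schroot; the
# SCHROOT_ETC variable (ours, not schroot's) overrides that for testing.

SCHROOT_ETC=${SCHROOT_ETC:-/etc/schroot}

# schroot_get CONF SECTION KEY: print the value of KEY in [SECTION], or nothing.
schroot_get() {
    awk -v sect="$2" -v key="$3" '
        /^[[:space:]]*(#|$)/ { next }                       # comments, blank lines
        /^[[:space:]]*[[]/ {                                 # [name] header
            cur = $0; sub(/^[[:space:]]*[[]/, "", cur); sub(/[]].*$/, "", cur); next
        }
        cur == sect {
            n = index($0, "="); if (n == 0) next
            k = substr($0, 1, n - 1); v = substr($0, n + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print v; exit }
        }' "$1"
}

# fstab_binds_home FSTAB: succeed if an uncommented line mounts something on /home.
fstab_binds_home() {
    awk '!/^[[:space:]]*#/ && $2 == "/home" { found = 1 } END { exit (found ? 0 : 1) }' "$1"
}

# schroot_audit CONF SECTION: print a short report; return 1 when /home is shared
# with the host, 0 when it is not, 2 when the answer cannot be determined.
schroot_audit() {
    conf=$1; sect=$2
    echo "chroot=$sect"
    echo "root-users=$(schroot_get "$conf" "$sect" root-users)"
    echo "root-groups=$(schroot_get "$conf" "$sect" root-groups)"
    fstab=$(schroot_get "$conf" "$sect" setup.fstab)
    if [ -z "$fstab" ]; then
        echo "home-shared=unknown (no setup.fstab in stanza)"; return 2
    fi
    case "$fstab" in /*) ;; *) fstab=$SCHROOT_ETC/$fstab ;; esac
    [ -f "$fstab" ] || { echo "home-shared=unknown ($fstab not found)"; return 2; }
    if fstab_binds_home "$fstab"; then
        echo "home-shared=yes ($fstab)"; return 1
    fi
    echo "home-shared=no"
    return 0
}

# write_sample_tree DIR: constructed sample mirroring the post's stanza, with an
# fstab that still binds /home, so the audit can be exercised offline.
write_sample_tree() {
    mkdir -p "$1/default"
    cat > "$1/schroot.conf" <<'EOF'
[test]
description=user test chroot
type=directory
directory=/opt
users=root,test,guol
root-users=root,guol
groups=root
root-groups=root
setup.copyfiles=default/copyfiles
setup.fstab=default/fstab
setup.nssdatabases=default/nssdatabases
shell=/bin/bash
preserve-environment=true
EOF
    cat > "$1/default/fstab" <<'EOF'
/proc   /proc   none  rw,bind  0 0
/home   /home   none  rw,bind  0 0
/tmp    /tmp    none  rw,bind  0 0
EOF
}

# Stand-alone demo: "sh audit.sh demo" runs the audit against the sample tree.
if [ "${1:-}" = demo ]; then
    tmp=$(mktemp -d); write_sample_tree "$tmp"
    SCHROOT_ETC=$tmp
    schroot_audit "$tmp/schroot.conf" test; echo "exit=$?"
    rm -r "$tmp"
fi
```

Against the real host, run schroot_audit /etc/schroot/schroot.conf test and treat a non-zero exit as something to fix before handing the chroot to users: a return of 1 means the stanza still shares /home with the host, exactly the pitfall described under setup.fstab.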
3. Modify the host's ssh configuration so that ordinary users can log in directly to the chroot environment through ssh. This is supported since OpenSSH 4.9. Add the following at the end of the configuration file:

    # /etc/ssh/sshd_config
    Match User test
        ChrootDirectory /opt/
        ForceCommand internal-sftp
        AllowTcpForwarding no
    Match User guol
        ChrootDirectory /opt
        ForceCommand internal-sftp

Why must this be added at the end of the ssh configuration file? Because a Match block only ends where the next Match block begins: every directive that follows it belongs to that block. Besides User, Match can match on many other criteria; see the man page for details.

Let's first test the configuration as improved so far.

1. Log in to the chroot environment directly on the local machine, testing with the test user and the guol user respectively.

You can see that a warning message is displayed when the test user logs in, while the guol user logs in normally. Following the prompt, use the --directory parameter. The man page explains it as follows:

    Change to directory inside the chroot before running the command or login shell. If directory is not available, schroot will exit with an error status.

    The default behaviour is as follows (all directory paths are inside the chroot). A login shell is run in the current working directory. If this is not available, it will try $HOME (when --preserve-environment is used), then the user's home directory, and / inside the chroot in turn. A command is always run in the current working directory inside the chroot. If none of the directories are available, schroot will exit with an error status.

According to this explanation, when you log in to the shell of the chroot environment a working directory is chosen for you. If --directory is not set, the current directory is used by default; if that is unavailable, your home directory is tried, and then the root directory. So the result of logging in with schroot also depends on the current context: there is no /etc/schroot directory inside the chroot environment, and the /home bind mount was removed from fstab, so the related users have no home directory in the chroot environment either.

The improved result is as follows:

2. Log in to the chroot environment through ssh.


The basic configuration is now complete; you can customise the chroot environment further as needed. When apt-get is used in the chroot environment, the following error occurs:

    dpkg: unrecoverable fatal error, aborting:
     syntax error: unknown group 'ssl-cert' in statoverride file
    E: Sub-process /usr/bin/dpkg returned an error code (2)

This indicates that the ssl-cert group does not exist when dpkg runs. Looking at the host system's group file (which is what setup.nssdatabases copies into the chroot), the group indeed does not exist there. After creating the group, apt-get works normally.
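Since setup.nssdatabases makes the host's group file authoritative inside the chroot, the same error will reappear for any other group that a chroot package registered in dpkg's statoverride file but that the host lacks. The following is an added example, not the post's code: it compares the groups named in the chroot's statoverride file (one "<user> <group> <mode> <path>" entry per line) against the host's group file and lists the missing ones, so they can be created on the host before the next apt-get run. The default paths follow the post's /opt chroot; the sample files in write_samples are constructed to reproduce the ssl-cert case.

```sh
#!/bin/sh
# Added example, not part of the original post: explain the dpkg error above
# before it happens. dpkg's statoverride file holds "<user> <group> <mode>
# <path>" lines, and because setup.nssdatabases copies the host's group
# file into the chroot, every group named there has to exist on the host.
# Paths default to the post's /opt chroot; both can be passed explicitly.

# statoverride_missing_groups [STATOVERRIDE] [GROUPFILE]
# Prints each group referenced in STATOVERRIDE but absent from GROUPFILE
# (one per line) and returns 1 if there is any, 0 otherwise.
statoverride_missing_groups() {
    so=${1:-/opt/var/lib/dpkg/statoverride}
    gf=${2:-/etc/group}
    awk -v gf="$gf" '
        FILENAME == gf { split($0, f, ":"); known[f[1]] = 1; next }   # group name is field 1
        NF >= 4 && $2 !~ /^#/ && !($2 in known) && !seen[$2]++ {      # "#gid" numeric ids skipped
            print $2; missing = 1
        }
        END { exit (missing ? 1 : 0) }
    ' "$gf" "$so"
}

# write_samples DIR: constructed host group file and chroot statoverride
# reproducing the ssl-cert situation from the post.
write_samples() {
    mkdir -p "$1"
    cat > "$1/group" <<'EOF'
root:x:0:
shadow:x:42:
test:x:1001:
guol:x:1002:
EOF
    cat > "$1/statoverride" <<'EOF'
root ssl-cert 710 /etc/ssl/private
root root 4755 /usr/bin/sudo
root shadow 2755 /usr/bin/chage
root ssl-cert 640 /etc/ssl/private/ssl-cert-snakeoil.key
EOF
}

# Stand-alone demo: "sh statcheck.sh demo" runs the comparison on the sample files.
if [ "${1:-}" = demo ]; then
    d=$(mktemp -d); write_samples "$d"
    statoverride_missing_groups "$d/statoverride" "$d/group" \
        || echo "create the listed group(s) on the host, then re-enter the chroot"
    rm -r "$d"
fi
```

On the real host, statoverride_missing_groups with no arguments checks /opt/var/lib/dpkg/statoverride against /etc/group; an empty result and exit status 0 mean dpkg inside the chroot will find every group it expects.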
