Hacker News new | ask | show | jobs
by stabbles 1798 days ago
On many linux distro's you can already do this with user namespaces:

    $ mkdir rootfs
    $ docker export $(docker create ubuntu:20.04) | tar -C rootfs -xf -
    $ unshare -r chroot rootfs bash
    # ls
    bin   dev  home ...
Very often when you use chroot you also want unprivileged mounts, in particular overlay mounts if you don't want to mutate the underlying rootfs. You can do that with mount namespaces: `unshare -rm`, but you need Linux kernel 5.13 (or a distro with a patched kernel like Ubuntu) to allow unpriviliged overlayfs.
2 comments
dividuum 1798 days ago
An alternative to unshare is also bubblewrap (https://github.com/containers/bubblewrap) which also sets up a new namespace. You can build up your own new filesystem by binding existing paths into the new root and then run a process within it:

    $ mkdir -p root/bin
    $ cp /bin/busybox root/bin/
    $ bwrap --bind root / /bin/busybox sh

    BusyBox v1.27.2 (Ubuntu 1:1.27.2-2ubuntu3.3) built-in shell (ash)
    Enter 'help' for a list of built-in commands.

    / $ ls -l /
    total 0
    drwxrwxr-x    2 1000     1000            60 Jul 22 11:07 bin
link
Cloudef 1798 days ago
I used bubblewrap to do a lightweight containers on top of arch + pacman. Basically you could install packages on overlays of the host and do whatever there without affecting the host fs. It was pretty nice.
link
stabbles 1798 days ago
So how does this work? Can you mount / as the lower layer of the overlayfs? Doesn't that create a weird recursion because the mountpoint is a path inside /?
link
Cloudef 1798 days ago
I used unionfs first to combine the sandbox and / where host / is read-only. Then simply bubblewrap into it. I also mounted / to /host if for some reason you wanted to access host fs from inside the sandbox.
link
gigatexal 1798 days ago
Interesting. Going to check out Bubblewrap
link
rkeene2 1798 days ago
As an alternative, one can also use User Mode Linux (UML) to implement a pretty fancy chroot (and fakeroot).

It can do a few things userns can't, like load kernel modules. I've had to use this to deal with bugs in BtrFS before.

link
gunapologist99 1798 days ago
I love UML. I used to use it all the time. Is it still developed? It was really a pretty slick system and very easy to work with.

http://user-mode-linux.sourceforge.net/

(another good site: https://wiki.archlinux.org/title/User-mode_Linux )

link
kasabali 1798 days ago
It's in mainline kernel (can be compiled as an architecture), but I don't think it's being actively developed.
link