by geofft
1798 days ago
On Linux, you can do unshare --user --mount --map-root-user chroot /path/to/whatever
and if you need to bind-mount some directories, you can do that before the chroot, e.g.,

  $ unshare --user --mount --map-root-user
  # mount --bind /proc /path/to/whatever/proc
  # mount --bind /sys /path/to/whatever/sys
  # chroot /path/to/whatever

without being root. (This requires a sysctl to be enabled for unprivileged user namespaces, which is on by default in the kernel.org tree and I think all major distro kernels have it on now. The feature has been in the upstream kernel since 2013.)

If you want to do this at scale, a handy tool is bwrap(1) from https://github.com/containers/bubblewrap . (The README talks about how bwrap is a setuid program to prevent the need for that sysctl, but it also works great as a non-setuid program when that sysctl is enabled, and its value is it has a bunch of handy command-line flags for this sort of thing. We use it extensively at my workplace in non-setuid mode for things that don't quite need containers but need to see alternative root directories etc.)
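The unshare/bind-mount/chroot sequence described above, wrapped in a script with the checks you would want before relying on it (an added example, not code from the comment or from bubblewrap). The function names, the sysctl paths it inspects and the rootfs layout it expects (its own /bin/sh plus empty /proc and /sys mount points) are assumptions.

```sh
#!/bin/sh
# Added example, not code from the comment: wraps the unshare(1)/chroot
# sequence with sanity checks. Assumes util-linux unshare with
# --map-root-user and a rootfs containing /bin/sh, /proc and /sys.
set -eu

# Return 0 if unprivileged user namespaces look usable, 1 if a sysctl
# disables them. Only the kernel knobs that commonly gate the feature
# are inspected; other restrictions (seccomp, LSM) are not detected.
userns_available() {
    # Debian/Ubuntu-specific switch; absent on most other distros.
    if [ -r /proc/sys/kernel/unprivileged_userns_clone ] &&
       [ "$(cat /proc/sys/kernel/unprivileged_userns_clone)" != 1 ]; then
        return 1
    fi
    # Upstream limit; 0 means no new user namespaces can be created.
    if [ -r /proc/sys/user/max_user_namespaces ] &&
       [ "$(cat /proc/sys/user/max_user_namespaces)" -eq 0 ]; then
        return 1
    fi
    return 0
}

# Check that $1 is a plausible rootfs. Returns 0 if it is, 2 otherwise.
rootfs_ok() {
    [ -d "$1/proc" ] && [ -d "$1/sys" ] && [ -x "$1/bin/sh" ] && return 0
    echo "rootfs_ok: $1 lacks /proc, /sys or /bin/sh" >&2
    return 2
}

# Enter the rootfs at $1 and run the remaining arguments there (default:
# a shell). The bind mounts happen inside the new mount namespace, so they
# are invisible to the rest of the system and vanish when the last process
# in the namespace exits.
enter_rootfs() {
    rootfs=$1; shift
    rootfs_ok "$rootfs" || return 2
    userns_available || { echo "enter_rootfs: user namespaces disabled" >&2; return 3; }
    [ $# -gt 0 ] || set -- /bin/sh
    unshare --user --mount --map-root-user sh -c '
        r=$1; shift
        mount --bind /proc "$r/proc" && mount --bind /sys "$r/sys" &&
        exec chroot "$r" "$@"
    ' sh "$rootfs" "$@"
}
```

Usage: `enter_rootfs /path/to/whatever` for a shell, or `enter_rootfs /path/to/whatever /bin/ls /` to run one command inside the alternate root.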