June 14, 2020 - Reading time: ~1 minute

Changes the apparent root directory of a process. Process inside chroot can't access the rest of the filesystem tree.

# create chroot and subdirs
root@w540:/var/tmp# mkdir testchroot
root@w540:/var/tmp# mkdir testchroot/{bin,lib64}
# copy binaries
root@w540:/var/tmp# cd testchroot/bin/
root@w540:/var/tmp/testchroot/bin# cp /bin/ls .
root@w540:/var/tmp/testchroot/bin# cp /bin/bash .
# identify libraries
root@w540:/var/tmp/testchroot# ldd /bin/bash (0x00007ffed07f0000) => /lib/x86_64-linux-gnu/ (0x00007f7fb4bbf000) => /lib/x86_64-linux-gnu/ (0x00007f7fb49bb000) => /lib/x86_64-linux-gnu/ (0x00007f7fb45ca000)
        /lib64/ (0x00007f7fb5103000)
# copy ALL required libraries for bash and ls
# create a new file
root@w540:/var/tmp/testchroot# echo "hello" > test.txt
# move into the chrooted environment - chroot NEWROOT [COMMAND]
root@w540:/var/tmp/testchroot# chroot /var/tmp/testchroot/ /bin/bash
bash-4.4# ls
bin  lib  lib64  test.txt
bash-4.4# cat test.txt
bash: cat: command not found
# ls is available, but cat isn't
bash-4.4# pwd
bash-4.4# cd ..
bash-4.4# pwd
# I'm in the root directory

chroot can be used in sshd with the ChrootDirectory directive as the action when Matching a group of users.


June 14, 2020 - Reading time: ~1 minute
  • 1970 mainframe computers - centralized, shared, scarce resource
  • 1979 chroot command - first step towards containerization - changes the root directory of the process and all its child processes
  • 2000 free BSD creates jail command - more isolation than chroot
  • 2006 google starts working with process containers - aka c-groups or containers groups - it's like jail or chroot plus resource allocation (cpu/mem)
  • 2007 LXC
  • 2013 Google creates LMCTFY let me containerize that for you
  • 2014 google donates the code to docker
  • 2015 google creates k8s