Cheatsheet for debootstrap

Deploying the required system for quick debugging


Sometimes you need to quickly test something in the environment that is native to the application, such as a particular Ubuntu release.
And no, Docker is not the answer here, because you usually want to work with that environment as an ordinary system: edit configs, install packages, and so on.
Rebuilding Docker images or reconfiguring something inside them is a very particular and odd kind of pleasure.
KVM is overkill for this, and LXC takes longer to set up and is more awkward to interact with.
So the simplest option is debootstrap plus good old chroot.

Let me note that this is not about isolation or security, but about a quick way to run trusted software in a specific environment. A chroot is not a security boundary: it shares the host's kernel, network stack and uid space, and /dev is bind-mounted straight from the host, so anything running inside as root has the host at its disposal.

amd64 xenial

mkdir /data/.box/amd64_xenial
/usr/sbin/debootstrap --verbose --include=nano,bash-completion,aptitude --arch amd64 xenial /data/.box/amd64_xenial http://archive.ubuntu.com/ubuntu/
# Mount the pseudo filesystems the chroot needs. Unmount them again, in reverse order,
# before deleting the tree: rm -rf would otherwise follow the /dev bind mount into the host's /dev.
mount -t proc proc /data/.box/amd64_xenial/proc
mount --bind /dev /data/.box/amd64_xenial/dev
mount -t devpts devpts /data/.box/amd64_xenial/dev/pts
mount -t sysfs sysfs /data/.box/amd64_xenial/sys

chroot /data/.box/amd64_xenial

# Add a user. Its uid and gid must not collide with any host account: the chroot shares the host's uid space,
# and host-side rules such as iptables --uid-owner match on the numeric uid.

groupadd --gid 7231 user
adduser --home /home/user --ingroup user --uid 7231 user

dpkg --add-architecture i386
apt-get update
apt-get install software-properties-common
add-apt-repository multiverse
apt-get update
aptitude install locales binutils
dpkg-reconfigure locales
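The bootstrap, mount and teardown steps above, wrapped as an added helper script that is not code from the original page. The paths, the package list, the box naming and the DRY_RUN/MOUNTS_TABLE hooks are assumptions for illustration. It adds the two checks the bare commands lack: mounts are not stacked when the function is called twice, and the tree is never deleted while something is still mounted under it, because rm -rf would follow the /dev bind mount into the host's /dev.

```shell
#!/bin/sh
# Added helper script, not code from the original page: creates, mounts,
# unmounts and safely deletes a debootstrap chroot. The paths, package list
# and the "box" naming are assumptions for illustration. Set DRY_RUN=1 to
# print the privileged commands instead of executing them.

MOUNTS_TABLE=${MOUNTS_TABLE:-/proc/self/mounts}

# Execute a command, or print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# True when $1 is currently a mount point (second field of the mount table).
is_mounted() {
    [ -r "$MOUNTS_TABLE" ] &&
        awk -v m="$1" '$2 == m { f = 1 } END { exit !f }' "$MOUNTS_TABLE"
}

# box_create DIR SUITE ARCH MIRROR: bootstrap a base system and write the
# suite name to /etc/debian_chroot so the bash prompt shows which box you are in.
box_create() {
    box=$1 suite=$2 arch=$3 mirror=$4
    run mkdir -p "$box"
    run debootstrap --verbose --include=nano,bash-completion,aptitude \
        --arch "$arch" "$suite" "$box" "$mirror"
    [ "${DRY_RUN:-0}" = 1 ] || printf '%s' "$suite" > "$box/etc/debian_chroot"
}

# box_mount DIR: mount proc, /dev, devpts and sysfs into the chroot. Each
# mount is skipped if already present, so a second call does not stack mounts.
box_mount() {
    box=$1
    [ -d "$box/etc" ] || { echo "box_mount: $box is not a bootstrapped tree" >&2; return 1; }
    is_mounted "$box/proc"    || run mount -t proc proc "$box/proc"
    is_mounted "$box/dev"     || run mount --bind /dev "$box/dev"
    is_mounted "$box/dev/pts" || run mount -t devpts devpts "$box/dev/pts"
    is_mounted "$box/sys"     || run mount -t sysfs sysfs "$box/sys"
}

# box_umount DIR: unmount in reverse order (dev/pts before dev), only what is mounted.
box_umount() {
    box=$1
    for sub in sys dev/pts dev proc; do
        if is_mounted "$box/$sub"; then run umount "$box/$sub"; fi
    done
}

# box_destroy DIR: delete the tree, but refuse while anything is mounted
# under it. With /dev still bind-mounted, rm -rf would descend into the
# host's /dev and delete device nodes there.
box_destroy() {
    box=$1
    if [ -r "$MOUNTS_TABLE" ] &&
        awk -v b="$box/" 'index($2, b) == 1 { f = 1 } END { exit !f }' "$MOUNTS_TABLE"; then
        echo "box_destroy: refusing, something is still mounted under $box" >&2
        return 1
    fi
    run rm -rf -- "$box"
}

# Typical session (uncomment to run as root):
# box_create /data/.box/amd64_xenial xenial amd64 http://archive.ubuntu.com/ubuntu/
# box_mount /data/.box/amd64_xenial && chroot /data/.box/amd64_xenial
# box_umount /data/.box/amd64_xenial && box_destroy /data/.box/amd64_xenial
```

Unmount order matters: dev/pts sits under dev, so it is released first. When nothing is mounted, box_umount does nothing, and box_destroy only proceeds once the mount table shows no entry below the box directory.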

i386 xenial

mkdir /data/.box/i386_xenial
/usr/sbin/debootstrap --verbose --include=nano,bash-completion,aptitude --arch i386 xenial /data/.box/i386_xenial http://archive.ubuntu.com/ubuntu/

amd64 bionic

mkdir /data/.box/amd64_bionic
/usr/sbin/debootstrap --verbose --include=nano,bash-completion,aptitude --arch amd64 bionic /data/.box/amd64_bionic http://archive.ubuntu.com/ubuntu/

debian

/usr/sbin/debootstrap --verbose --include=mc,nano,htop,bash-completion,aptitude --arch amd64 jessie /data/.box/jessie http://ftp.de.debian.org/debian/
# Shown in the bash prompt inside the chroot, so you can tell which box you are in
printf 'jessie' > /data/.box/jessie/etc/debian_chroot

# Unprivileged user with no login shell and no password
chroot /data/.box/jessie

groupadd --gid 11001 tester
adduser --home /home/tester --shell /bin/false --ingroup tester --disabled-password --uid 11000 tester

Restricting network access at the host level

# Loopback only for uid 11000: the chroot shares the host's network stack and uid space, so the owner match hits the chroot user.
# -A appends; an earlier ACCEPT in OUTPUT would shadow these rules, so check the result with iptables -S OUTPUT.
iptables -A OUTPUT -d 127.0.0.1 -m state --state NEW,RELATED,ESTABLISHED -m owner --uid-owner 11000 -j ACCEPT
# No state match on the DROP, so INVALID packets are caught too. These are IPv4 rules; repeat the pair with ip6tables.
iptables -A OUTPUT -m owner --uid-owner 11000 -j DROP

Running a program in chroot

# uxterm must be able to reach the X display from inside the chroot: sudo normally keeps DISPLAY (check env_keep in sudoers),
# but the X socket in /tmp/.X11-unix and any XAUTHORITY file are only visible inside if bind-mounted or copied there.
chroot /data/.box/jessie/ /usr/bin/sudo -u tester -H /usr/bin/uxterm >/dev/null 2>&1 &
# Or an old Firefox 4 in a lenny box
chroot /data/.box/lenny/ /usr/bin/sudo -u tester -H /opt/firefox_4/firefox >/dev/null 2>&1 &
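The host-side network restriction and the launch command, as an added example that is not code from the original page. The uid 11000, the tester account, the chroot path and the DRY_RUN/PASSWD_FILE hooks are assumptions carried over for illustration. It goes a step beyond the page's two rules: it checks that the uid is free on the host before anything depends on it, inserts at the top of OUTPUT so an existing ACCEPT cannot shadow the rules, matches the loopback interface rather than a single address, and applies the same pair through ip6tables.

```shell
#!/bin/sh
# Added example, not code from the original page: confine one chroot user to
# the loopback interface with owner-matched firewall rules, and launch a
# program inside the chroot as that user. The uid 11000, the "tester" account,
# the chroot path and the DRY_RUN/PASSWD_FILE hooks are assumptions for illustration.

PASSWD_FILE=${PASSWD_FILE:-/etc/passwd}

# Execute a command, or print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# box_uid_free UID: true when no local host account already uses UID. The
# chroot shares the kernel's uid space with the host, so a clash would make
# the owner-matched rules below (and file ownership) apply to a host user.
# This reads the local passwd file only; with LDAP/NSS use "getent passwd UID".
box_uid_free() {
    ! awk -F: -v u="$1" '$3 == u { f = 1 } END { exit !f }' "$PASSWD_FILE"
}

# box_netlimit UID: allow traffic from UID on the loopback interface only.
# Matching on -o lo covers all of 127.0.0.0/8 and ::1. Rules are inserted at
# the top of OUTPUT (-I 1) so an existing blanket ACCEPT cannot shadow them;
# the DROP is inserted first so the ACCEPT inserted afterwards lands above it.
# The DROP carries no state match, so INVALID packets are dropped as well.
# The same pair goes into ip6tables, otherwise IPv6 from that uid is unrestricted.
box_netlimit() {
    uid=$1
    for fw in iptables ip6tables; do
        run "$fw" -I OUTPUT 1 -m owner --uid-owner "$uid" -j DROP
        run "$fw" -I OUTPUT 1 -o lo -m owner --uid-owner "$uid" -j ACCEPT
    done
}

# box_netunlimit UID: remove exactly the rules box_netlimit added.
box_netunlimit() {
    uid=$1
    for fw in iptables ip6tables; do
        run "$fw" -D OUTPUT -o lo -m owner --uid-owner "$uid" -j ACCEPT
        run "$fw" -D OUTPUT -m owner --uid-owner "$uid" -j DROP
    done
}

# box_run DIR USER CMD...: run CMD inside the chroot DIR as USER via sudo -H.
# DISPLAY is passed through explicitly; the X socket (/tmp/.X11-unix) or a
# TCP display must also be reachable from inside the chroot, which this
# helper does not arrange.
box_run() {
    box=$1 user=$2
    shift 2
    [ -x "$box/usr/bin/sudo" ] || { echo "box_run: no sudo in $box" >&2; return 1; }
    run chroot "$box" /usr/bin/sudo -u "$user" -H env "DISPLAY=${DISPLAY:-:0}" "$@"
}

# Typical session (uncomment to run as root):
# box_uid_free 11000 || exit 1
# box_netlimit 11000
# box_run /data/.box/jessie tester /usr/bin/uxterm >/dev/null 2>&1 &
```

After applying the rules, confirm their position with iptables -S OUTPUT and ip6tables -S OUTPUT: the two owner-matched entries must come before any broad ACCEPT, and a quick check from inside the box (curl to 127.0.0.1 succeeds, curl to a public address fails) shows the restriction is live.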