Minimal config chroot networking

There are plenty of reasons not to use chroot and maybe that’s a topic for another day… but I have a project that I can deploy inside a chroot’d environment on othr Linux and BSD distros… But for some reason I am not able to resolve DNS from inside the chroot even though I composed a /etc/resolv.conf. My guess is that because ClearLinux uses system-resolvd it does not behave the same…

Any reommendations for resolving DNS inside chroot when the host is using systemd-resolvd?

AFAIK /etc/resolv.conf is just a link to /run/systemd/resolve/resolv.conf. You can try to copy this file directly, or even better just create a /etc/resolv.conf with “nameserver” or some other dns provider address.

I tried that and it did not work.

$ ./bin/curl
curl: (6) Could not resolve host:


Can you ping or your router address?

The easiest way to get chroot work is using mount:

# mkdir /mnt/chroot
# mount -t proc /proc /mnt/chroot/proc
# mount -o bind /sys /mnt/chroot/sys
# mount -o bind /dev /mnt/chroot/dev
# mount -o bind /dev/pts /mnt/chroot/dev/pts
# mount -o bind /run /mnt/chroot/run
# chroot /mnt/chroot
This way your chroot has access to the devices
1 Like

That was really close… I did not go that way because binding ALL those directories cannot be the best way to secure a chroot. Granted I do not know enough to know enough :slight_smile: but it got me to thinking… And for that thanks. I had not installed ping. my bin folder only had three apps in it and I used ldd to determine the deps. I can say now that I was missing some deps.

I used the following but it was not enough…

"ldd ${jail}/bin/* | egrep -o '\[^ \]*/lib\[^ \]*\[.\]\[0-9\]+' |sort|uniq| xargs -I{} -P1 sudo cp -v {} ${jail}{} "                                                 

then I added these because I needed the libnss_dns*. Someone said some libs are loaded without a link reference in ldd.

"find /usr -iname 'libnss*'|grep lib\[36\] | xargs -I{} -P1 sudo cp -v {} ${jail}{} "

then I added this one per your mention. Seems I also needed libreslv*.

"ldd /usr/bin/ping | egrep -o '\[^ \]*/lib\[^ \]*\[.\]\[0-9\]+' |sort|uniq| xargs -I{} -P1 sudo cp -v {} ${jail}{} "                                

(there are plenty of other details the entire tcl shell bits. I’m still tesing and some other elements can likely be reoved)
Thanks again for the push…

               set todo [subst {                                                                                                                                                            
                        [list "echo \"MODE=$mode; REMOTE=$remote\""]                                                                                                                         
                        "sudo mkdir -p ${jail}/bin"                                                                                                                                          
                        "sudo cp /bin/sh ${jail}/bin/."                                                                                                                                      
                        "sudo cp /usr/bin/curl ${jail}/bin/."                                                                                                                                
                        "sudo mkdir -p ${jail}/etc/ssl/certs"                                                                                                                                
                        "sudo cp /etc/resolv.conf ${jail}/etc/."                                                                                                                             
                        "sudo cp -f /etc/ssl/certs/* ${jail}/etc/ssl/certs/."                                                                                                                
                        "sudo rm -rf ${jail}//usr"                                                                                                                                           
                        "sudo rm -rf ${jail}//lib*"                                                                                                                                          
                        "sudo mkdir -p ${jail}/lib64"                                                                                                                                        
                        "sudo mkdir -p ${jail}/usr/lib32"                                                                                                                                    
                        "sudo mkdir -p ${jail}/usr/lib64/haswell"                                                                                                                            
                        "sudo cp bin/* ${jail}/bin/."                                                                                                                                        
                        "sudo mkdir -p ${jail}/www"                                                                                                                                          
                        "sudo mkdir -p ${jail}/other"                                                                                                                                        
                        "sudo mkdir -p ${jail}/var/data"                                                                                                                                     
                        "sudo cp -r www/* ${jail}/www/."                                                                                                                                     
                        "sudo cp -r other/* ${jail}/other/."                                                                                                                                 
                        "sudo cp ${HOME}/.ssh/ ${jail}/bin/."                                                                                                                         
                        "sudo chown -R usr:grp  ${jail}"                                                                                                                             
                        "sudo /bin/sh -c 'mount -t devtmpfs devtmpfs ${jail}/dev'"                                                                                                           
                        "ldd /usr/bin/ping | egrep -o '\[^ \]*/lib\[^ \]*\[.\]\[0-9\]+' |sort|uniq| xargs -I{} -P1 sudo cp -v {} ${jail}{} "                                                 
                        "ldd ${jail}/bin/* | egrep -o '\[^ \]*/lib\[^ \]*\[.\]\[0-9\]+' |sort|uniq| xargs -I{} -P1 sudo cp -v {} ${jail}{} "                                                 
                        "find /usr -iname 'libnss*'|grep lib\[36\] | xargs -I{} -P1 sudo cp -v {} ${jail}{} "                                                                                
                        {!ls -lt bin}                                                                                                                                                        
                doit $todo