CentOS locked into a chroot

Security is not the only reason to lock some of a system's services into a chrooted environment and so limit the damage they can cause. On the Debian side we know debootstrap as a cool and simple way to build a Debian chroot with very little effort.

But what about RPM-based distributions like CentOS? Despite their wide distribution, they do not offer a setup tool like that. In my case I need a CentOS environment for some tests. CentOS uses RPM, just like its mother distribution Red Hat. But on our host it is not that simple, as we cannot just emerge it and be done.

Thanks to the nature of the RPM package format, which is basically a header with metadata and dependency notes followed by a compressed cpio archive of the files, we usually have everything we need right in our hands. The only 'problem' is to strip off the header and unpack the archive, and for that there are tools like rpm2cpio or rpm2tar.

Our first goal is a shell environment in which the software management tools, RPM and yum, can be initialized. This is not as simple as it sounds, but it is worth it: we start with the base libraries like binutils and glibc, work our way through the dependencies of the bash shell and finally initialize the RPM database. As soon as rpm and yum are more or less running, we can let them install the base system again; that turns up the not-so-obvious but missing libraries, and we are nearly done.

Last but not least, we need to set the root password and do some configuration work such as /etc/resolv.conf. To get services ready, it is best to use startup scripts that kick the services off from outside the chroot and make sure /proc, /dev and /sys are mounted correctly first.
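The whole procedure, from unpacking the RPM payload with rpm2cpio to the yum reinstall, the pseudo file systems and the root password, as one script. This is an added example and not the author's own script: the CHROOT and RPMDIR locations are assumptions, RPMDIR is assumed to hold the base RPMs (centos-release, glibc, bash, ncurses, rpm, yum and their dependencies) fetched from a CentOS mirror beforehand, and sshd is only an assumed example of a service started from outside. The privileged steps run only when the script is started with `--run`.

```shell
#!/bin/sh
# Added example (not from the original post): bootstrap a CentOS chroot on a
# host without RPM tooling. Assumed: the CHROOT and RPMDIR locations, that the
# base RPMs in RPMDIR were fetched from a CentOS mirror beforehand, and that
# rpm2cpio/cpio exist on the host. Unpacking, mounting and passwd need root;
# nothing privileged runs unless the script is started with "--run".
set -eu

CHROOT=${CHROOT:-/srv/centos}        # assumed target directory
RPMDIR=${RPMDIR:-/srv/centos-rpms}   # assumed: pre-downloaded base RPMs

# Safety check before we unpack into, bind-mount into or chroot into a path:
# it must be absolute and must never be the host's real root.
check_chroot_path() {
    case "$1" in
        ""|/)  return 1 ;;
        /*)    return 0 ;;
        *)     return 1 ;;
    esac
}

# Package name from an RPM file name, e.g.
# glibc-common-2.12-1.132.el6.x86_64.rpm -> glibc-common.
# Used to tell yum exactly which packages were unpacked by hand.
rpm_name() {
    basename "$1" | sed -E 's/-[^-]+-[^-]+\.[^.]+\.rpm$//'
}

# Stage 1: an RPM is a header (metadata, dependency notes) followed by a
# compressed cpio archive of the files. rpm2cpio drops the header and cpio
# unpacks the payload straight into the chroot; no rpm database is needed yet.
unpack_rpm() {
    local pkg=$1 dest=$2
    check_chroot_path "$dest" || { echo "refusing to unpack into '$dest'" >&2; return 1; }
    [ -r "$pkg" ] || { echo "cannot read $pkg" >&2; return 1; }
    mkdir -p "$dest"
    rpm2cpio "$pkg" | (cd "$dest" && cpio -idmu --quiet)
}

# Stage 2: the pseudo file systems that yum and nearly every service expect,
# bind-mounted from the outside (idempotent thanks to mountpoint).
mount_pseudo_fs() {
    for fs in proc sys dev dev/pts; do
        mkdir -p "$CHROOT/$fs"
        mountpoint -q "$CHROOT/$fs" || mount --bind "/$fs" "$CHROOT/$fs"
    done
}

# Stage 3: shared libraries still missing show up here; add the package that
# provides them to RPMDIR and unpack again until the output is empty.
missing_libs() {
    chroot "$CHROOT" /usr/bin/ldd "$@" | grep 'not found' || true
}

# Stage 4: with bash, rpm and yum unpacked, initialise the rpm database inside
# the chroot and let yum install the same packages again. That registers every
# file in the database and pulls in the dependencies we missed by hand.
bootstrap_base() {
    cp /etc/resolv.conf "$CHROOT/etc/resolv.conf"     # yum needs DNS
    chroot "$CHROOT" rpm --initdb
    pkgs=$(for f in "$RPMDIR"/*.rpm; do rpm_name "$f"; done | sort -u)
    # shellcheck disable=SC2086
    chroot "$CHROOT" yum -y install $pkgs
}

# Stage 5: root password, and a service kicked off from the outside (sshd is an
# assumed example; wrap start_service in the host's init script).
configure() {
    chroot "$CHROOT" /usr/bin/passwd root
}

start_service() {
    mount_pseudo_fs
    chroot "$CHROOT" /sbin/service "$1" start
}

main() {
    check_chroot_path "$CHROOT" || { echo "bad CHROOT '$CHROOT'" >&2; exit 1; }
    for f in "$RPMDIR"/*.rpm; do unpack_rpm "$f" "$CHROOT"; done
    mount_pseudo_fs
    missing_libs /bin/bash /bin/rpm /usr/bin/python
    bootstrap_base
    configure
    start_service sshd
}

if [ "${1:-}" = "--run" ]; then main; fi
```

The yum step only works once centos-release has been unpacked, because it provides the repository configuration under /etc/yum.repos.d, and resolv.conf has to be copied in before yum tries to reach the mirror. The check_chroot_path guard is worth keeping in any such script: an empty or relative CHROOT would otherwise turn `mount --bind` or `chroot` into an operation on the host's real root.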


2 thoughts on “CentOS locked into a chroot”

  • Chrooting is not about detecting intruders, but only about minimizing the damage someone can do. Detecting intruders usually takes somewhat more, such as checksums over files and an evaluation of the log files. But that is a topic of its own.
