Shared libraries loaded after chroot

Paul Kosinski prk at iment.com
Tue May 17 00:51:41 UTC 2016


I have avoided the problem chroot causes in a fairly general fashion by
using "mount --bind". For example:

  /bin/mount --bind /lib /chroot/dns/lib

will make the entire /lib directory available to the chrooted BIND,
assuming the path /chroot/dns is created beforehand to serve as the
chroot base for running BIND.

N.B. The "--bind" option to mount has nothing to do with BIND or DNS.
     (Look at the 'mount' manual for more details.)

This can be made as specific as desired by using multiple "mount --bind"
commands as needed, for example:

  /bin/mount --bind /usr/bin   /chroot/dns/usr/bin
  /bin/mount --bind /usr/lib   /chroot/dns/usr/lib
  /bin/mount --bind /usr/lib64 /chroot/dns/usr/lib64

This is a lot easier than figuring out what files to copy, and all that
is needed after an update is to re-issue all the relevant "mount --bind"
commands.

I have heard that chroot does not provide unbreakable isolation, and,
of course, many extra files are made available to the chrooted process
compared to copying the minimum number of individual files. But I have
more than 500 separate "mount --bind" instances on one of my Linux
machines, setting up multiple chroot environments, and have not seen
any problems.
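The bind-mount setup described above, as an added example that is not part of the original post: a small POSIX shell script that exposes the same host directories under /chroot/dns. It assumes the chroot base already exists, as the post does. Two things here are my additions rather than anything the post states: each bind mount is checked against /proc/self/mountinfo before being created, so re-running the script does not stack a second mount on top of the first, and each one is then remounted ro,nosuid,nodev so the chrooted process gets a read-only view of /lib and /usr without touching the host's own mounts. The --apply flag is this script's own convention; without it the script only prints the commands it would run.

```shell
#!/bin/sh
# Added example, not code from the original post: set up the bind mounts for a
# BIND chroot the way the post describes, but idempotently and read-only.
# Assumes the chroot base (default /chroot/dns, as in the post) already exists.
# Without --apply it only prints the commands, so it can be exercised unprivileged.
set -eu

CHROOT="${CHROOT:-/chroot/dns}"
DRY_RUN=1
if [ "${1:-}" = "--apply" ]; then
    DRY_RUN=0
fi

# Host directories to expose inside the chroot (the set used in the post).
BIND_DIRS="/lib /usr/bin /usr/lib /usr/lib64"

# Run a command, or print it when in dry-run mode.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Succeed if $1 is already a mount point. Field 5 of /proc/self/mountinfo is the
# mount point (util-linux's mountpoint(1) does the same lookup). Paths there are
# octal-escaped, e.g. a space appears as \040; the paths used here contain none.
is_mounted() {
    awk -v mp="$1" '$5 == mp { found = 1 } END { exit !found }' \
        /proc/self/mountinfo 2>/dev/null
}

# Expose host directory $1 at the same path under $CHROOT.
# Two mount steps are needed: a plain --bind inherits the source's read-write
# state, and the remount applies ro,nosuid,nodev to this bind mount alone,
# leaving the host's /lib, /usr/bin, ... exactly as they were.
bind_into_chroot() {
    src="$1"
    dst="${CHROOT}${src}"
    if [ ! -d "$src" ]; then
        echo "skip: $src does not exist on this host" >&2
        return 0
    fi
    if is_mounted "$dst"; then
        # re-running after an update must not stack a second bind mount
        echo "already mounted: $dst" >&2
        return 0
    fi
    run mkdir -p "$dst"        # mount --bind needs an existing target directory
    run mount --bind "$src" "$dst"
    run mount -o remount,bind,ro,nosuid,nodev "$src" "$dst"
}

# Apply the whole set; returns non-zero if any mount command fails.
setup_chroot_mounts() {
    for d in $BIND_DIRS; do
        bind_into_chroot "$d"
    done
}

setup_chroot_mounts
```

Running `sh setup-chroot-mounts.sh` prints the mkdir/mount commands for review; `sudo sh setup-chroot-mounts.sh --apply` performs them. noexec is deliberately not added: named must mmap libraries from /lib and /usr/lib with PROT_EXEC, which a noexec mount refuses, whereas ro and nosuid cost nothing for a service that only needs to read those trees.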



More information about the bind-users mailing list