# Faketoo

## jmglov

I just finished setting up a "fake" Gentoo installation inside a chroot jail. It seems to work pretty well for development; I can experiment with no fear of sodding up my actual workstation. In case anyone is interested, here is my "Captain's Log" detailing the commands I ran to build my "Faketoo" instance.

You should run these commands from a working Gentoo installation. Do not reboot off of the Gentoo install CD or anything.

My Faketoo host (i.e. my actual workstation) is a Dell PowerEdge 400SC with a Pentium 4 2.4GHz CPU (hyperthreading enabled) and 512MB of RAM, running a 2.6.3-gentoo-r1 SMP kernel (hyperthreading makes the kernel think it has two processors) and Gentoo 2004.0.

And now, without further ado, here is the Captain's Log:

```
# ==========================================================
# Faketoo: Building a development Gentoo install inside a chroot jail
#
# Version: 1.0.2
#
# Changelog:
#   1.0.2
#     - Mounting /etc/init.d as loop,noexec
#     - Mounting /usr/portage as bind
#     - Creating PORTDIR_OVERLAY /usr/local/portage
#     - Stuff proxy-related environment variables into ~juser/.bashrc
#   1.0.1
#     - Preserving permissions when creating virgin tarball
#   1.0.0
#     - Initial revision
# ==========================================================

# Insert Gentoo i686 LiveCD (Disc 1)
mount /mnt/cdrom

# Create chroot jail
mkdir ~/faketoo

# Create loopback filesystems that we will need for the jail
mkdir ~/faketoo/loopbacks
dd if=/dev/zero of=~/faketoo/loopbacks/etc-init.d seek=5K count=16 bs=1
mkreiserfs -f ~/faketoo/loopbacks/etc-init.d

# Install Gentoo in jail
cd ~/faketoo
mkdir -p etc/init.d
sudo mount -o loop,noexec loopbacks/etc-init.d etc/init.d
sudo tar xvjpf /mnt/cdrom/stages/stage3-pentium4-20040218.tar.bz2
sudo tar xvjf /mnt/cdrom/snapshots/portage-20040223.tar.bz2 -C usr/
sudo mkdir usr/portage/distfiles/
sudo cp /mnt/cdrom/distfiles/* usr/portage/distfiles/
sudo cp -ar /lib/modules ~/faketoo/lib/modules
sudo rm -rf ~/faketoo/dev
sudo mkdir ~/faketoo/dev
sudo chown root:root ~/faketoo/dev
sudo chmod 755 ~/faketoo/dev
sudo rm -rf ~/faketoo/usr/portage
sudo mkdir ~/faketoo/usr/portage
sudo chown root:root ~/faketoo/usr/portage
sudo chmod 755 ~/faketoo/usr/portage

# Swap Gentoo Pentium4 Package CD into CDROM drive
umount /mnt/cdrom

# Enter jail
sudo mount -o bind -t devfs /dev ~/faketoo/dev
sudo mount -t proc none ~/faketoo/proc
sudo mount -o bind /usr/portage ~/faketoo/usr/portage
sudo cp /etc/resolv.conf ~/faketoo/etc/
sudo chroot ~/faketoo /bin/bash
env-update
source /etc/profile
export PS1=': \u@FAKETOO; '

# Set localtime
ln -sf /usr/share/zoneinfo/America/New_York /etc/localtime

# Create /etc/fstab
cat >/etc/fstab <<EOF
/loopbacks/etc-init.d   /etc/init.d     reiserfs        loop,noexec     0 0
/dev/cdroms/cdrom0      /mnt/cdrom      iso9660         noauto,ro,user  0 0
EOF

# Setup networking
echo faketoo >/etc/hostname
echo domain.tld >/etc/dnsdomainname

# Configure rc.conf
sed -i -e 's/^EDITOR/#EDITOR/' -e 's/^#\(EDITOR=.\+vim"\)$/\1/' /etc/rc.conf

# Fix USE flags
sed -i -e 's/^USE="\(.\+\)"$/USE="\1 -gpm"/' /etc/make.conf

# Setup Portage to use binary packages when available
mount /mnt/cdrom
export PKGDIR=/mnt/cdrom

# Install system logger and cron daemon
emerge -k syslog-ng
emerge -k vixie-cron

# Setup root's environment
passwd
cat >~/.bashrc <<EOF
export PS1=': \u@FAKETOO; '
export PS2=': ; '
mount -a &>/dev/null
EOF

# Accounts management
groupadd juser
useradd juser -m -g juser -G users,wheel,audio,games,portage -s /bin/bash
passwd juser
cat >~juser/.bashrc <<EOF
export PS1=': \u@FAKETOO; '
export PS2=': ; '
EOF
for i in `env |grep -i proxy`; do echo "export $i" >>~juser/.bashrc; done

# Install a decent editor
emerge vim

# Setup sudo
emerge -k sudo
sed -i -e 's/^# \(%wheel\tALL=(ALL)\tALL\)$/\1/' /etc/sudoers
cat >>/etc/sudoers <<EOF
Defaults        !lecture,timestamp_timeout=60
EOF

# Setup Portage overlay (for ebuild development)
mkdir /usr/local/portage
chown root:root /usr/local/portage
chmod 755 /usr/local/portage
cat >>/etc/make.conf <<EOF
## For ebuild development
#PORTDIR_OVERLAY=/usr/local/portage
#ACCEPT_KEYWORDS='~x86 ~amd64 ~sparc ~ppc ~alpha ~mips ~hppa ~ia64 ~ppc64'
## Debug options
#CFLAGS="-march=pentium4 -pipe -g"
#CXXFLAGS=""
#USE=" debug"
#FEATURES=" nostrip keeptemp keepwork noclean"
EOF

# Leave jail
umount /mnt/cdrom
exit

# Create virgin image
cd
sudo umount ~/faketoo/dev
sudo umount ~/faketoo/proc
# Also drop the /usr/portage bind mount, otherwise the host's whole portage
# tree ends up inside the tarball
sudo umount ~/faketoo/usr/portage
sudo tar cvjpf ~/faketoo.tbz2 faketoo
```

And here is a script that can be used to enter the jail:

`faketoo.sh`:

```
#!/bin/bash
# ==========================================================
# faketoo.sh: Enter the Faketoo jail
#
# Version: 1.0.1
#
# Changelog:
#   1.0.1
#     - Fixing the erroneous $HOME environment variable for root
#   1.0.0
#     - Initial revision
# ==========================================================

if [ $UID -ne 0 ]; then
  echo You must be root!
  exit 1
fi # if (not root)

# Are /dev and /proc mounted inside the jail?
mounted=`mount`

# Mount /dev if it is not already
echo "${mounted}" | grep $HOME/faketoo/dev &>/dev/null
if [ $? -ne 0 ]; then
  echo mount -o bind -t devfs /dev $HOME/faketoo/dev
  mount -o bind -t devfs /dev $HOME/faketoo/dev
fi # if (mounting /dev)

# Mount /proc if it is not already
echo "${mounted}" | grep $HOME/faketoo/proc &>/dev/null
if [ $? -ne 0 ]; then
  echo mount -t proc none $HOME/faketoo/proc
  mount -t proc none $HOME/faketoo/proc
fi # if (mounting /proc)

# Mount /usr/portage if it is not already
echo "${mounted}" | grep $HOME/faketoo/usr/portage &>/dev/null
if [ $? -ne 0 ]; then
  echo mount -o bind /usr/portage $HOME/faketoo/usr/portage
  mount -o bind /usr/portage $HOME/faketoo/usr/portage
fi # if (mounting /usr/portage)

# Enter the jail
HOME=/root chroot ~/faketoo /bin/bash
```
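As an added example (not jmglov's `faketoo.sh`, nor FarcePest's bind loop later in the thread), here is a variant of the entry script that checks mount points exactly instead of with a prefix `grep`, mounts `/proc` with `nosuid,nodev,noexec`, and unmounts what it mounted when the jail shell exits. It assumes the jail lives at `$FAKETOO` (default `~/faketoo`) and reads the mount table named by `$MOUNTS_TABLE` (default `/proc/mounts`), which can be pointed at a constructed file for unprivileged testing.

```shell
#!/bin/bash
# enter-jail.sh (added example, not the thread's faketoo.sh): enter a Faketoo
# jail with exact mount-point checks and cleanup when the jail shell exits.
# Assumptions: jail at $FAKETOO (default ~/faketoo); $MOUNTS_TABLE (default
# /proc/mounts) is the mount table consulted, overridable for unprivileged tests.
set -u
FAKETOO="${FAKETOO:-${HOME:-/root}/faketoo}"
MOUNTS_TABLE="${MOUNTS_TABLE:-/proc/mounts}"
MOUNTED_HERE=""   # mount points this run created, newest first

# is_mounted DIR: succeed only if DIR itself is a mount point. Comparing the whole
# second field avoids the prefix problem of `mount | grep $HOME/faketoo/dev`,
# which also matches /root/faketoo/dev/pts or /root/faketoo/devel.
is_mounted() {
    awk -v d="$1" '$2 == d { found = 1 } END { exit (found ? 0 : 1) }' "$MOUNTS_TABLE"
}

# jail_plan: the mounts a Faketoo jail needs, one per line as "src dst type opts".
# /proc gets nosuid,nodev,noexec; the /dev and /usr/portage binds stay plain because
# per-mount flags on a bind need a separate remount on older kernels.
jail_plan() {
    printf '%s\n' "/dev $FAKETOO/dev none bind" \
        "proc $FAKETOO/proc proc nosuid,nodev,noexec" \
        "/usr/portage $FAKETOO/usr/portage none bind"
}

# mount_cmd SRC DST TYPE OPTS: the exact command mount_once will run, printed
# so the plan can be reviewed (and tested) without mounting anything.
mount_cmd() { printf 'mount -t %s -o %s %s %s\n' "$3" "$4" "$1" "$2"; }

# mount_once SRC DST TYPE OPTS: skip mounts that already exist, and record the
# ones made here so unmount_all undoes exactly this run's work.
mount_once() {
    if is_mounted "$2"; then echo "already mounted: $2" >&2; return 0; fi
    mount_cmd "$@"
    mount -t "$3" -o "$4" "$1" "$2" && MOUNTED_HERE="$2 $MOUNTED_HERE"
}

# unmount_all: newest first, so the host's /dev is not left bound inside the jail.
unmount_all() {
    local d
    for d in $MOUNTED_HERE; do umount "$d" || echo "warning: $d still mounted" >&2; done
}

enter_jail() {
    [ "$(id -u)" -eq 0 ] || { echo "You must be root!" >&2; return 1; }
    trap unmount_all EXIT
    local src dst type opts
    while read -r src dst type opts; do
        mount_once "$src" "$dst" "$type" "$opts"
    done <<EOF
$(jail_plan)
EOF
    HOME=/root chroot "$FAKETOO" /bin/bash
}

# Only enter when invoked as `enter-jail.sh --enter`, so the file can be sourced.
if [ "${1:-}" = "--enter" ]; then enter_jail; fi
```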

----------

## bmichaelsen

What do you think about posting this to http://gentoo-wiki.com/ ... things get lost in the gentoo forums way too fast ...

----------

## jmglov

 *bmichaelsen wrote:*   

> How do you think about posting this to the
> 
> http://gentoo-wiki.com/
> 
> ... things get lost in the gentoo forums way too fast ...

 

http://gentoo-wiki.com/TIP_Faketoo

OK, twist my arm! ;)

----------

## jjasghar

 *Quote:*   

> I just finished setting up a "fake" Gentoo installation inside a chroot jail. Seems to work pretty well for development, I can experiment with no fear of sodding up my actual workstation. In case anyone is interested, here is my "Captain's Log" that details the commands that I ran to build my "Faketoo" instance.

I guess I must be slow... but this creates a "fake" workstation?

Why would you want to do this?

----------

## PowerFactor

 *jjasghar wrote:*   

> why would you want to do this?

 

Like he said, for testing stuff that could screw up the system.  It's kinda like a "lightweight" usermode linux.  But not quite.

----------

## jj11888

 *jjasghar wrote:*   

> i guess i must be slow...but this creates a "fake" workstation? 
> 
> why would you want to do this?

To test various configurations and packages,

but why would this be any better than using UML?

----------

## jamesrt

 *jj11888 wrote:*   

>  *jjasghar wrote:*   why would you want to do this? 
> 
> but why would this be any better then using UML?

 

UML doesn't work (kernel won't compile, or just coredumps when run) if you have glibc compiled with NPTL support  (he says, speaking from experience).

I have used a very similar technique to "clone" my live gentoo system into a chroot jail - I use LVM2 to grab and release the disk space on-the-fly.  (I've got a large script, too long to post unless people are really keen)

I use this to do things like compile latest QT & KDE packages when not wanting to break my "real" desktop.  Using "emerge -b" means binary packages are created, which I can then "emerge -k" onto my "real" machine once the full build is complete.

----------

## arkane

 *jj11888 wrote:*   

>  *jjasghar wrote:*   
> 
> i guess i must be slow...but this creates a "fake" workstation? 
> 
> why would you want to do this? 
> ...

 

Not better, just different.  UML is for testing kernel interaction and such.  chrooting is to isolate the filesystem.  The kernel space is still in the same kernel.

----------

## BudgetDedicated

Why not use a real usermode kernel as well... UML is very suitable for this job (see http://user-mode-linux.sf.net/ for more info).

This will only be dangerous to experiment in for real... one wrong /etc/init.d/net.eth0 start from within the chrooted gentoo and you may be disconnected... or emerging incompatible GCC versions... I can imagine this could raise hell on a production system. Would never dare try it...

If you want an extra chroot for the UML kernel that's possible too (bind mount /proc/cpuinfo, /proc/mm, /dev/net/tun and preferably /tmp to tmpfs). But that's if you don't trust the UML kernel enough AND maybe don't trust the users inside.

Your script is very suitable for creating a UML root filesystem, though. Just loop mount a freshly created filesystem...

```
dd if=/dev/zero of=./root_fs seek=5K count=0 bs=1M
mkreiserfs -f root_fs
mount -o loop root_fs mnt/fakegentoo/
```

[edit]typo[/edit]

----------

## jmglov

 *BudgetDedicated wrote:*   

> Why not use a real usermode kernel as well... UML is very suitable for this job (see http://user-mode-linux.sf.net/ for more info).

 

As noted above, my primary motivation for this is for ebuild testing. Yes, UML or VMware would also work, but a simple chroot jail is much more lightweight than both of them, and much more free as in beer than VMware.

 *BudgetDedicated wrote:*   

> This wil only be dangerous to experiment in for real... one wrong /etc/init.d/net.eth0 start from within the chrooted gentoo and you may be disconnected...

 

Agreed, the init scripts are problematic. See my Danger Will Robinson note above. I am looking for a work-around; maybe `chmod a-x /etc/init.d/*` would be a start. Another (better) idea would be to make /etc/init.d (inside the jail) a loopback filesystem and mount it with the 'noexec' option. I will try this out when I have some time and report back.

 *BudgetDedicated wrote:*   

> or emerging incompatible GCC versions...

 

And how would these GCC versions break out of jail?

 *BudgetDedicated wrote:*   

> I can imagine this could raise hell on a production system. Would never dare try it...

 

I do not really consider my workstation a "production" machine, and the worst thing that can happen is a spurious reboot (which is undesirable, but not fatal, and hopefully I will have a solution for this before long). I consider this safe enough for my needs.

----------

## jmglov

 *jmglov wrote:*   

> 
> 
>  *BudgetDedicated wrote:*   This wil only be dangerous to experiment in for real... one wrong /etc/init.d/net.eth0 start from within the chrooted gentoo and you may be disconnected... 
> 
> Agreed, the init scripts are problematic. See my Danger Will Robinson note above. I am looking for a work-around, maybe taking the 
> ...

 

Yes, mounting /etc/init.d loop,noexec works. As you can see, I updated the Captain's Log to do this for safety's sake.

I will look into getting init scripts to actually work safely, but this will at least protect you for the time being.

----------

## FarcePest

I've done this myself. All you need to start is some stage tarball. Unpack it in your filesystem. Then cd to that directory and run this:

```
#!/bin/bash -x
binds="/proc /dev /usr/portage /usr/local/portage /tmp"
for b in ${binds}; do mount --bind ${b} .${b}; done
env - TERM=${TERM} chroot . su -
for b in ${binds}; do umount .${b}; done
```

I never run init scripts while in the chroot. I used this primarily for developing an NFS read-only root system: The filesystem was NFS-mounted.

----------

## rich0

FYI - Many people use a similar technique with AMD64 as a temporary fix for stubborn 32-bit-only apps.  My solution isn't too involved - I created a new root directory and installed an x86 stage1 tarball in it.  I then do a mount --bind to map a few key directories (/tmp for X11, /home for user files, /usr/portage/distfiles to go easy on the mirrors), but for the most part it is a complete installation.  You do want to mount --bind /tmp, otherwise you have to use TCP sockets for X apps and performance is much lower.  Then again, for testing purposes it should be fine not to mount it - in the AMD world the 32-bit chroot is actually used for production.

I even use some init.d scripts to run daemons which are stubborn in the 64-bit world, and Java apps (the JVMs are pretty unstable in 64-bit-land, or at least they are for me...).

Check out the AMD forums for some tips - the same techniques would work for a 32-bit chroot jail.

Also, if you're back in the 2.4 world the grsecurity patches provide additional protection for chroot environments I believe (from my casual reading they seem to come close to real user-mode-linux).

----------

## polto

Grsecurity on your host kernel (nothing to do with UML) can deny disk mounting/unmounting from your chroot jail, restrict some TCP/IP stuff, and more.

Grsecurity is easy to build into gentoo's kernel to protect only a jail. Not comparable to trying to build a workstation with PaX or SELinux...

----------

## zioponics

 *Quote:*   

> UML doesn't work (kernel won't compile, or just coredumps when run) if you have glibc compiled with NPTL support (he says, speaking from experience). 

 

I was wondering if glibc with PIC enabled on the host can break my UML?

Sometimes my UML dies unexpectedly...

PS for POLTO: Try to build a DMZ with three different UMLs with SELinux. I'm doing just that!

Thanks to you POLTO, you made me discover Gentoo when you gave me the LPI101 courses!!! Do you know who I am???

----------

## hadees

reply to bookmark

----------

## gralves

There's another use for this....

Imagine you have a dual Opteron workstation and a 486 laptop. How would you install a customized gentoo on the laptop? chroot its hard drive on the workstation, compile everything and then just swap the HD...

----------

## AllTom

 *gralves wrote:*   

> There's another use for this....
> 
> Imagine you have a dual Opteron workstation and a 486 laptop. How would you install a customized gentoo on the laptop? chroot its hard drive on the workstation, compile everything and then just swap the HD...

 

I was going to say that I have used this method twice now to install an operating system onto computers that don't have CD-ROM drives, but can boot from floppy disks.

I create the chroot and basically follow the handbook for every step after chrooting into /mnt/gentoo. I can emerge and configure packages (but haven't dared running init scripts there) on my fast machine without setting up distcc or anything. Then I start an FTP server, share a zipped version of the filesystem, boot the client machine with a floppy that has wget, tar, and preferably bzip2. On the target machine I mount the partitions in the correct places and unload it all to the root partition, preserving permissions and such.

Actually, that is one of my favorite features of this operating system: I can install the whole thing on a completely isolated computer before copying!

----------

## zdawg

Thanks for the guide; I followed it up to `mkreiserfs -f ...` etc. Seems I have run into a snag though:

```
/root/faketoo/loopbacks/etc-init.d is not a block special device
Continue (y/n):y
Guessing about desired format.. Kernel 2.6.9-zdawg-rc3 is running.
reiserfs_create: can not create that small (1 blocks) filesystem
```

Hmmm ...

----------

## pfplawes

...in the same hole this AM and dug my way out by increasing the size of the file being created by dd and specifying a small reiser block size .... 

```
dd if=/dev/zero of=~/faketoo/loopbacks/etc-init.d seek=10249K count=16 bs=1
mkreiserfs -b 512 -ff ~/faketoo/loopbacks/etc-init.d
```

Though I must admit I am not sure what this loopbacked file is giving me except a headache....

----------

## Strowi

hi,

I was just gonna try it out when I saw jamesrt's post:

 *Quote:*   

> UML doesn't work (kernel won't compile, or just coredumps when run) if you have glibc compiled with NPTL support (he says, speaking from experience). 

 

Is there no way to get it working with NPTL?

Thx in advance...

----------

## lothar

Is it possible to have different network settings in the chroot jail? Can I have one ip and gateway in the usual shell and a different ip and gateway in the chroot jail?

----------

## zrubi

 *lothar wrote:*   

> Is it possible to have different network settings in the chroot jail? Can I have one ip and gateway in the usual shell and a different ip and gateway in the chroot jail?

 

I don't think so. These network settings are in the proc/sys filesystem and can't be different. These settings belong to the kernel, which is the same in the main system and in a chroot jail.

The chroot jail is only a separated filesystem. So only settings which live at the filesystem level can be different.

----------

## rey4

There's a similar howto posted at http://kapcoweb.com/p/static/docs/jc-gentoo-howto/jc-gentoo-howto.html on running gentoo in a chroot within another distro (redhat). The process is very much the same. Plus it seems to have init scripts working.

----------

## whitesouls

guys.. hold on a second... what is faketoo?

what's the purpose... I'm lost... please guide me in this wonderful world of gentoo...

----------

## gfa

 *lothar wrote:*   

> Is it possible to have different network settings in the chroot jail? Can I have one ip and gateway in the usual shell and a different ip and gateway in the chroot jail?

 

Yes, you could have another IP for the jail.

e.g.:

```
eth0 10.0.0.1 (real nic)
eth0:0 192.168.0.1 (virtual nic)
```

man ifconfig

----------

## Strowi

hi,

i am trying to follow the tutorial, goes fine, until:

```
root@Sleipnir faketoo # mount -o loop,noexec loopbacks/etc-init.d etc/init.d/
ioctl: LOOP_CLR_FD: Das Gerät oder die Ressource ist belegt
mount: Sie müssen den Dateisystemtyp angeben
root@Sleipnir faketoo # cat /usr/src/linux/.config|grep LOOP
CONFIG_CC_ALIGN_LOOPS=0
CONFIG_BLK_DEV_LOOP=y
# CONFIG_BLK_DEV_CRYPTOLOOP is not set
```

Running amd64 / 2005.0 profile.

What am I doing wrong?

----------

## Enlight

 *Strowi wrote:*   

> hi,
> 
> i am trying to follow the tutorial, goes fine, until:
> 
> ...

 

And what about `grep -i reiser /usr/src/linux`? If you don't have it, maybe you should switch the mkreiserfs part to mk_my_current_fs.

----------

## Strowi

hi,

I am using reiserfs + reiser4 (I know, unstable) on different partitions and compiled into the kernel. I just tried it again with ext3 and it seems to work.

Thx for the tip, I didn't think about an fs problem.

----------

