1
00:00:00,000 --> 00:00:11,080
In this video, I will tell you how to work with chroot jails.

2
00:00:11,080 --> 00:00:12,080
So what is it?

3
00:00:12,080 --> 00:00:16,680
Well, a chroot jail is an isolated environment where users and processes don't get access

4
00:00:16,680 --> 00:00:19,480
to other parts of the operating system.

5
00:00:19,480 --> 00:00:25,540
You use them typically for specific processes that need an extra layer of security.

6
00:00:25,540 --> 00:00:29,120
And in order to use them, you need to set it up correctly.

7
00:00:29,120 --> 00:00:34,380
In a chroot jail, the user that runs the process needs to have access to all relevant files

8
00:00:34,380 --> 00:00:35,740
and processes.

9
00:00:35,740 --> 00:00:39,180
So you need more than just the program file in this jail.

10
00:00:39,180 --> 00:00:42,820
You also need all the relevant configuration.

11
00:00:42,820 --> 00:00:47,020
On modern Linux, chroot has further evolved into namespaces.

12
00:00:47,020 --> 00:00:52,060
And namespaces are pretty important in container environments.

13
00:00:52,060 --> 00:00:57,820
Now the chroot jail itself should include a shell, binaries like ls if these are needed,

14
00:00:57,820 --> 00:01:02,400
but above all, also the libraries that are used by these binaries.

15
00:01:02,400 --> 00:01:05,800
And which files these are is different per process.

16
00:01:05,800 --> 00:01:08,639
So let's talk a bit about namespaces as well.

17
00:01:08,639 --> 00:01:13,160
The Linux kernel implements isolation at different levels using namespaces.

18
00:01:13,160 --> 00:01:20,620
There's a network namespace, a mount namespace, a process namespace, a user namespace.

19
00:01:20,620 --> 00:01:23,680
And these namespaces make it so that you are all alone.

20
00:01:23,680 --> 00:01:26,300
Well, you think you're all alone in your network.

21
00:01:26,300 --> 00:01:27,980
You only see your own mounts.

22
00:01:27,980 --> 00:01:30,239
You only see your own process table.

23
00:01:30,239 --> 00:01:34,739
And you also only see your own user accounts.

24
00:01:34,739 --> 00:01:37,839
Namespaces are used a lot by containers.

25
00:01:37,839 --> 00:01:42,900
And if you want to do a quick test, you can use sudo unshare --fork

26
00:01:42,900 --> 00:01:48,239
--pid --mount-proc bash and see what is happening.

27
00:01:48,239 --> 00:01:49,879
Let's do that.

28
00:01:49,879 --> 00:01:57,239
So I'm going to an ordinary, oops, editor, let's start it again.

29
00:01:57,239 --> 00:02:02,040
So this time from a non-privileged shell, I'm using sudo unshare.

30
00:02:02,040 --> 00:02:08,839
It's the default command for running namespaces: --fork, --pid,

31
00:02:08,839 --> 00:02:09,839
--mount-proc.

32
00:02:09,839 --> 00:02:15,240
This is making sure that we have sufficient information available in the namespace.

33
00:02:15,240 --> 00:02:17,320
And then I'm using ps aux.

34
00:02:17,320 --> 00:02:19,160
And do you see what is happening?

35
00:02:19,160 --> 00:02:23,279
This unshare has unshared my bash process from the current environment.

36
00:02:23,279 --> 00:02:27,800
And the result is that I have bash being PID number one.

37
00:02:27,800 --> 00:02:31,800
And the good thing is that if you start your application in this way, your application

38
00:02:31,800 --> 00:02:35,080
doesn't even see other processes on your system.

39
00:02:35,080 --> 00:02:37,440
And that makes it really secure.

40
00:02:37,440 --> 00:02:40,320
Now type exit to get out of the namespace.

41
00:02:40,320 --> 00:02:45,639
And I would also like to show you the chroot environment.

42
00:02:45,639 --> 00:02:51,520
Step one, I'm going into the /boot directory and I'm using chroot .

43
00:02:51,520 --> 00:02:55,039
And that is giving me an error because I made a typo.

44
00:02:55,039 --> 00:02:59,479
And here we get "failed to run command '/bin/bash': No such file or directory".

45
00:02:59,479 --> 00:03:00,479
Why is that?

46
00:03:00,479 --> 00:03:05,600
Well, in the chrooted environment, you need a minimal system environment.

47
00:03:05,600 --> 00:03:09,759
And that includes a bash shell, some libraries, and more.

48
00:03:09,759 --> 00:03:13,039
Let me show you a practical case of the chroot environment.

49
00:03:13,039 --> 00:03:15,080
I'm going to reboot.

50
00:03:15,080 --> 00:03:20,479
And while rebooting, I'm entering my GRUB boot prompt.

51
00:03:20,479 --> 00:03:23,119
And I'll have to enter a password all the time now.

52
00:03:23,119 --> 00:03:27,559
And I'm going to start with the option rd.break.

53
00:03:27,559 --> 00:03:29,880
That will break into the initramfs.

54
00:03:29,880 --> 00:03:35,880
And in the initramfs, you get into a specific environment; that's a system image that is

55
00:03:35,880 --> 00:03:37,919
within the initramfs.

56
00:03:37,919 --> 00:03:45,759
And what we will see is that the real system environment is available on a specific directory.

57
00:03:45,759 --> 00:03:49,199
And let me first type my password.

58
00:03:49,199 --> 00:03:56,119
And then let me type ls, oh, cd /, and then ls, where we can see the sysroot environment.

59
00:03:56,119 --> 00:04:00,919
So here, you can see the dracut file; that's my initramfs.

60
00:04:00,919 --> 00:04:04,020
Now I'm going into the sysroot environment.

61
00:04:04,020 --> 00:04:08,580
And there I can find my entire on-disk root file system.

62
00:04:08,580 --> 00:04:11,300
And now I can use chroot .

63
00:04:11,300 --> 00:04:13,020
And oh, boy, command not found.

64
00:04:13,020 --> 00:04:14,020
Why is that?

65
00:04:14,020 --> 00:04:16,640
Well, that's probably because it's not in the PATH.

66
00:04:16,640 --> 00:04:24,019
So I need /usr/sbin/chroot on .

67
00:04:24,019 --> 00:04:27,140
And I think I made the wrong guess.

68
00:04:27,140 --> 00:04:33,059
And I also need to refer to it from this slash sysroot directory.

69
00:04:33,100 --> 00:04:36,380
So /sysroot/usr/sbin/chroot.

70
00:04:36,380 --> 00:04:37,380
And there we go.

71
00:04:37,380 --> 00:04:38,380
Now it works.

72
00:04:38,380 --> 00:04:40,500
pwd, look at that.

73
00:04:40,500 --> 00:04:44,779
Suddenly, I am in the root of the file system.

74
00:04:44,779 --> 00:04:50,540
Even though we saw a couple of lines above that I changed into the sysroot directory.

75
00:04:50,540 --> 00:04:53,859
Now when I use exit, then I'm out of it again.

76
00:04:53,859 --> 00:04:58,140
And why would I want to be in this /sysroot directory using chroot?

77
00:04:58,220 --> 00:05:02,980
Well, for troubleshooting, that is convenient, because all utilities will be in the right

78
00:05:02,980 --> 00:05:04,220
location if we do so.
