mid_kid

Wrote a silly script to showcase how to use unshare + chroot/pivot_root in order to manually enter a #linux #chroot / #container without needing #root privileges:

https://gist.github.com/mid-kid/9293f4f0617052b9c3aa45422fb89f90

I rarely see anyone mention how this can be done without needing to reach for #bubblewrap or systemd-nspawn, and I think it's important to see how you can leverage the primitives that drive container technology.

The script can be simplified, but not without sacrificing correctness. I hope the comments help.

Create and enter a chroot without root permissions, using unshare + pivot_root

Create and enter a chroot without root permissions, using unshare + pivot_root - chrootless

Gist
Apr 24 at 10:19amWeb
Show threadmid_kidApr 24
Pinging @neobrain on this one since he recently realized you don't need full-fat containers to do this (although bubblewrap is still more appropriate for his use case :P)
Show threadAlexander MonakovApr 24
@mid_kid I'm a bit surprised the 'mount -R . tmp' step commutes with the dev/sys/proc mounts. For some reason when I worked out the "enter a container by hand" sequence, I made it the first thing after unshare: https://mastodon.gamedev.place/@amonakov/114465972373267814
Show threadmid_kidApr 24
@amonakov Yeah, me too. Most implementations of this create a bind-mount at first but this worked too and kept the weird pivot_root cludge self-contained.
I still wonder if I can somehow do without mounting on /tmp, I swear one of my scripts that did this before used to work, but now it doesn't pass the test mentioned in the bugs.gentoo.org link.
Show threadmid_kidApr 24

@amonakov Oh wow, doing "mount --rbind . . && cd .", followed by "pivot_root . . && umount -l /" works really well.
Only problem I have is that I don't know where the "umount" command is inside the rootfs, and to know I need to source /etc/profile, but symlinks that pass through / are broken until I do the umount, symlinks which /etc/profile might rely on, so I still can't do without a temporary subdirectory.

That is, unless pivot_root starts supporting an --umount-old flag, hehe.