Debian – Is it possible to run debootstrap within a fakeroot environment

debiandebootstrapfakeroot

I have a script that prepares an installation image by running debootstrap, does some modifications on the files and then copies the files to a disk image backed up by a file.

This works under root, but I wanted to be able to run the script without root privileges, as it really shouldn't need any privileged resources. I thought that I'd just run the whole script using fakeroot, but debootstrap fails with

W: Failure trying to run: chroot /tmp/tmp..... mount -t proc proc /proc

Is there a way around that?

Best Answer

In general, yes, it is possible to run debootstrap as a non-root user by way of fakeroot, but there are more details to it than that.

The immediate problem you seem to be having is trying to use chroot as a non-root user; you need to use fakechroot instead, in addition to fakeroot. For example:

fakechroot fakeroot debootstrap sid /tmp/sid

Later problems you may run in to include creating loopback mounts or creating disk image partition tables as a non-root user.

Instead of working through all these details one by one, you may find it easier to use a debootstrap variant like polystrap, which also handles cross-compilation (eg, generate an armhf image from x86-64) if you end up wanting that some day.

Related Solutions

Ssh – update-initramfs failing after upgrading to stretch from jessie

The same issue occured to me today and I could only find this question in the web. So I tried to debug it myself...

The script /etc/initramfs-tools/hooks/mount_cryptroot (line 21) is trying to put a file into the /var/tmp/mkinitramfs_uIC6Q0/root/ directory. This directory happens to be missing, according to the error message. The relevant part of the script is:

SCRIPT="${DESTDIR}/root/mount_cryptroot.sh"
cat > "${SCRIPT}" << 'EOF'

The /var/tmp/mkinitramfs_uIC6Q0/ directory is a temporary directory in which the contents of the new initrd are collected. My guess was that the initrd does not have a root subdirectory any more. So I took a look at the contents of the existing initrd image:

# mkdir initrd
# cd initrd
# gunzip -c /boot/initrd.img-4.9.0-3-amd64 | cpio -i
125955 blocks
# ls
bin  conf  etc  init  lib  lib64  root-aBcDeF  run  sbin  scripts
#

The root directory has a suffix with 6 random letters/numbers (changed here to aBcDeF). This is probably for security reasons. I found out that the suffix is different each time the initrd is generated.

So the solution is to extend the /etc/initramfs-tools/hooks/mount_cryptroot script to find out the true name of the root directory including the suffx and to use this instead of just root.

This can be done by inserting

ROOTDIR="$(cd "${DESTDIR}"; echo root-*)"

before the failing lines and changing the failing lines to

SCRIPT="${DESTDIR}/${ROOTDIR}/mount_cryptroot.sh"
cat > "${SCRIPT}" << 'EOF'

. There are two more lines that contain root without the suffix. Those have to be changed to

cat > "${DESTDIR}/${ROOTDIR}/.profile" << EOF

and

/${ROOTDIR}/mount_cryptroot.sh && exit 1 || echo "Run ./mount_cryptroot.sh to try unlocking again"

. This solved the issue for me and

update-initramfs -u -k all

as well as the entering of the password via SSH on bootup worked again.

My entire script /etc/initramfs-tools/hooks/mount_cryptroot after adaption:

#!/bin/sh

# Author: http://www.dont-panic.cc/capi/2012/10/24/fully-encrypted-vserver-with-ubuntu-12-04/
# This script generates two scripts in the initramfs output,
# /root-xxxxxx/mount_cryptroot.sh and /root-xxxxxx/.profile
ALLOW_SHELL=1
# Set this to 1 before running update-initramfs if you want
# to allow authorized users to type Ctrl-C to drop to a
# root shell (useful for debugging, potential for abuse.)
#
# (Note that even with ALLOW_SHELL=0 it may still be possible
# to achieve a root shell.)
#

if [ -z ${DESTDIR} ]; then
exit
fi

ROOTDIR="$(cd "${DESTDIR}"; echo root-*)"

SCRIPT="${DESTDIR}/${ROOTDIR}/mount_cryptroot.sh"
cat > "${SCRIPT}" << 'EOF'
#!/bin/sh
CMD=
while [ -z "$CMD" -o -z "`pidof askpass plymouth`" ]; do
CMD=`ps -o args | grep 'open --type luks' | grep -v grep`
sleep 0.1
done
while [ -n "`pidof askpass plymouth`" ]; do
$CMD && kill -9 `pidof askpass plymouth` && echo "Success"
done
EOF

chmod +x "${SCRIPT}"

# Run mount_cryptroot by default and close the login session afterwards
# If ALLOW_SHELL is set to 1, you can press Ctrl-C to get to an interactive prompt
cat > "${DESTDIR}/${ROOTDIR}/.profile" << EOF
ctrl_c_exit() {
exit 1
}
ctrl_c_shell() {
# Ctrl-C during .profile appears to mangle terminal settings
reset
}
if [ "$ALLOW_SHELL" == "1" ]; then
echo "Unlocking rootfs... Type Ctrl-C for a shell."
trap ctrl_c_shell INT
else
echo "Unlocking rootfs..."
trap ctrl_c_exit INT
fi
/${ROOTDIR}/mount_cryptroot.sh && exit 1 || echo "Run ./mount_cryptroot.sh to try unlocking again"
trap INT
EOF

Debian – Why debootstrap can only run as root

You need to be able to create a chroot when you use debootstrap. Plus if you plan on partitioning, or doing any mounts, etc. you will need root permissions.

If you check out the debootstrap manpage you should be able to use debootstrap with the --variant=fakechroot option to use fakechroot, which installs the packages without root privileges. An example in your case would be something along the lines of this:

debootstrap --variant=fakechroot stable ./dir $debian_ftp

Please read the Wiki for more information on how to use debootstrap.

Best Answer

Related Solutions

Ssh – update-initramfs failing after upgrading to stretch from jessie

Debian – Why debootstrap can only run as root

Related Question