
Is the Linux tool chroot generally usable in a Docker container running in clusters and cloud platforms?

(background) I'm developing an application where I may need to use chroot inside a Docker container. In a related question I expressed my confusion about chroot and the SYS_CHROOT Linux capability, which may or may not be required anymore to run chroot and may or may not be granted by default by Docker. That's why I think I have to tell system administrators, when deploying my applications, to specify --cap-add SYS_CHROOT to Docker in case it's not granted by default. But that's a command line argument of docker run, and I don't know if I can take it for granted that most cloud providers and cluster administrators will be able to grant the SYS_CHROOT capability to my container. Basically I'm trying to predict issues that a system administrator may encounter when trying to install my application without being able to easily contact me, for example.

Matteo T.
  • Why would you need chroot INSIDE a container? – Gerald Schneider Aug 24 '23 at 09:42
  • I don't need *one* chroot, I need many of them inside one container, as a possible solution I'm focused on as explained in my related, linked question: https://security.stackexchange.com/q/271856/297040. – Matteo T. Aug 24 '23 at 10:11
  • The common way is to use a container per task. – Gerald Schneider Aug 24 '23 at 10:43
  • @GeraldSchneider your comment is interesting because containers are a very different path that I'm already following as an alternative, except I think it's common to use a container per *service* and not per *task* or job. My jobs are very short-lived (milliseconds) and I also look for some performance. Do you have sources, references, examples or anything? Thanks – Matteo T. Aug 25 '23 at 08:00
  • Also, a container per task may also involve copying files. The performance drawback may be uncomparable to that of a simpler chroot. – Matteo T. Aug 25 '23 at 14:43
  • Can the people who are upvoting Gerald's comment also explain their opinion? – Matteo T. Sep 01 '23 at 09:33
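
The deployment concern in the question can be checked from inside the container at startup, so an administrator gets an explicit message instead of a failed chroot call. The following is an added example, not part of the original post: the function names are hypothetical, and it assumes a Linux /proc filesystem and that CAP_SYS_CHROOT is capability bit 18, as defined in linux/capability.h.

```shell
#!/bin/sh
# Added example: startup preflight for CAP_SYS_CHROOT (function names are hypothetical).
CAP_SYS_CHROOT=18   # bit index of CAP_SYS_CHROOT in <linux/capability.h>

# mask_has_cap HEXMASK BIT -> exit 0 if BIT is set, 1 if clear, 2 if HEXMASK is not hex
mask_has_cap() {
    case "$1" in
        ''|*[!0-9a-fA-F]*) return 2 ;;
    esac
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# cap_eff_from_status FILE -> prints the CapEff mask found in a /proc/<pid>/status file
cap_eff_from_status() {
    awk '$1 == "CapEff:" { print $2; found = 1; exit } END { exit !found }' "$1"
}

# preflight_chroot [STATUS_FILE] -> prints a verdict; exit 0 = present, 1 = missing, 2 = unknown
# Defaults to the calling shell's own status file, so run it as the same user as the application.
preflight_chroot() {
    status_file=${1:-/proc/$$/status}
    mask=$(cap_eff_from_status "$status_file") || {
        echo "unknown: no CapEff line in $status_file"
        return 2
    }
    if mask_has_cap "$mask" "$CAP_SYS_CHROOT"; then
        echo "ok: CAP_SYS_CHROOT is in the effective set (CapEff=$mask)"
    else
        echo "missing: CAP_SYS_CHROOT not in the effective set (CapEff=$mask); start the container with --cap-add SYS_CHROOT"
        return 1
    fi
}
```

Calling `preflight_chroot` from the container entrypoint reports the state of the effective capability set only; a seccomp profile or another security policy on the host can still deny the chroot system call.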

0 Answers