
I have installed software that runs in a chroot jail in Redhat 7.3. Unfortunately, there are no repositories installed in this jail, so I can not download the packages I need through yum. I would like to add the Redhat repositories to the jail but I have not found a way to do so. Simply copying over the repository files from the host doesn't work because the repos require keys and certificates. Copying over the keys and certs doesn't seem to work either.

How can I install the Redhat repositories onto a machine with no repositories installed? I do have yum and yum-config-manager.

pv93
  • you might not be using the jail correctly if you want to install yum in there, what is the point of having the jail if a user can just escalate privileges and install whatever they want? If you need to install packages into the chroot jail use `yum` with the `installroot` option or `rpm` with the `--root` option set appropriately – Matt Apr 05 '17 at 21:48
  • Any hints as to what I should set the installroot to? What is it normally? – pv93 Apr 05 '17 at 22:10
  • installroot should be the directory for your chroot, so if you use /var/chroot `--installroot=/var/chroot` – Matt Apr 06 '17 at 00:26
  • I tried that @Matt, but it looks like that command tried to use the repositories inside of the chroot jail instead of the repositories in the host machine.. any idea why? – pv93 Apr 06 '17 at 20:23
  • from `yum` man page: --installroot=root Specifies an alternative installroot, relative to which all packages will be installed. Think of this like doing "chroot yum" except using --installroot allows yum to work before the chroot is created. Note: You may also want to use the option --releasever=/ when creating the installroot as otherwise the $releasever value is taken from the rpmdb within the installroot (and thus will be empty, before creation). – Matt Apr 06 '17 at 21:55
  • based on that you need to initialize an RPM DB inside of the chroot or specify `releasever` – Matt Apr 06 '17 at 21:56
  • Use RHEL Docker containers. They will automatically pull entitlements from the host. – Michael Hampton Oct 06 '20 at 23:26

1 Answer


The path of least resistance might be just to run your software in a docker or LXC. But the simplest way I know to get this to work in a chroot is to set up a filesystem with an entire working linux distribution. So here's how to copy your entire existing OS into a /chroot directory and then you can do in the chroot pretty much anything you could do with the base system.

I don't have a RHEL system lying around, so these instructions were tested on CentOS 7.

Run all of these as root:

Move to the root directory

```
cd /
```

Create a chroot directory

```
mkdir chroot
```

Copy most of the operating system

```
cp -a {bin,etc,lib,lib64,sbin,usr} /chroot/
```

Make placeholders for the rest

```
mkdir /chroot/{root,dev,home,mnt,opt,proc,run,sys,tmp,var}
```

Mount the special filesystems to your chroot

```
mount -o bind /run /chroot/run/
mount -o bind /proc /chroot/proc/
mount -o bind /sys /chroot/sys/
mount -o bind /dev /chroot/dev/
```

Enter the chroot

```
chroot /chroot
```

Since we didn't copy /var or /run, yum won't be able to resolve the $releasever and $basearch variables, so we hard code them into the repo file. This is the path to the CentOS repo, you should change this to whatever Red Hat uses. So you might replace CentOS-Base.repo with RedHat-Base.repo or whatever is your base repository in the /etc/yum.repos.d/ directory. Also, make sure the architecture matches, this instruction is for 64-bit x86, which is most likely what you're using, but if you have a PowerPC server or something really strange, then modify accordingly.

```
# Quote the expression so the shell passes \$ to sed unchanged
sed -i 's/\$basearch/x86_64/g' /etc/yum.repos.d/CentOS-Base.repo
sed -i 's/\$releasever/7/g' /etc/yum.repos.d/CentOS-Base.repo
```

Now you can invoke yum and install software

```
yum install vim
```

This will install vim in your chroot but not your base system. For hardening, you might want to go through and remove a bunch of packages from your chroot, as this is pretty much a full fledged Red Hat server running in the chroot at this point.

  • LXC or docker would be better, what you have just described is not a good way to go about creating a chroot directory. Beyond /var/chroot being the obvious place to put everything, copying indiscriminately kind of defeats the purpose of the chroot to begin with. Take a look at how the Warewulf HPC provisioning system goes about it if you like Perl https://github.com/ajdecon/warewulf/tree/master/vnfs/libexec/wwmkchroot – Matt Apr 06 '17 at 22:02
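
The `--installroot` route from the comments under the question, as an added example that is not part of the original thread: a host-side preflight that prints the yum command rather than running it, so the jail needs no yum, repo files or entitlement certificates of its own. The function names are hypothetical, and the rpmdb location `var/lib/rpm/Packages` is an assumption about a RHEL/CentOS 7 layout.

```bash
#!/bin/bash
# Added example: preflight for running yum from the HOST against a chroot.
# Nothing here executes yum; the command is only printed for review.

# needs_releasever ROOT: true when ROOT has no rpmdb yet, the case where the
# man page says $releasever would otherwise be empty.
# Assumption: the rpmdb lives at var/lib/rpm/Packages (RHEL/CentOS 7).
needs_releasever() {
    [ ! -e "$1/var/lib/rpm/Packages" ]
}

# jail_repo_files ROOT: list .repo files that already exist inside the jail.
jail_repo_files() {
    find "$1/etc/yum.repos.d" -maxdepth 1 -name '*.repo' 2>/dev/null | sort
}

# yum_installroot_cmd ROOT RELEASEVER PKG...: print the host-side command.
# Refuses "/" and relative paths so a typo cannot target the host itself.
yum_installroot_cmd() {
    local root=$1 rel=$2
    shift 2
    case $root in
        /|'') echo "refusing installroot '$root'" >&2; return 1 ;;
        /*)   ;;
        *)    echo "installroot must be an absolute path" >&2; return 1 ;;
    esac
    local cmd="yum --installroot=$root"
    if needs_releasever "$root"; then
        cmd="$cmd --releasever=$rel"
    fi
    echo "$cmd install $*"
}

# preflight ROOT RELEASEVER PKG...: warn about repo files inside the jail
# (the thread reports yum picking those up), then print the command.
preflight() {
    if [ -n "$(jail_repo_files "$1")" ]; then
        echo "note: repo files found inside $1; yum may read those" >&2
    fi
    yum_installroot_cmd "$@"
}
```

For example, `preflight /var/chroot 7 vim` prints the command to run on the host and notes on stderr when the jail carries its own `.repo` files.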