Chroot

Chroot (Change root) is Article description::a Unix system utility used to change the apparent root directory to create a new environment logically separate from the main system's root directory. This new environment is known as a "chroot jail." A user operating inside the jail cannot see or access files outside of the environment they have been locked into.

One of the main uses for chrooting is to create a separate Linux system on top of a the current one for the purpose of testing or software compatibility. Chroot is often seen as a lightweight alternative to virtualization because it is able to run without the overhead of a hypervisor.

Setting up the environment
When creating a new chroot setup, the first thing needed is a directory in which the chroot can reside. For example, a chroot could be created in :

To mount an existing installation from a partition the following command can be run. Be sure to replace the  string in the example below with the drive and partition of the existing installation:

If an installation has been previously created in a sub directory of the current root file system, the above steps need not be repeated.

Unpacking the system files
When building a new install, the next step is to download the stage3 tarball and unpack it to chroot location. For more information on this process please see and  in the Gentoo.

Configuration
Before entering the chroot a number of directories must be mounted:

Some basic configuration files must be copied from the host. Do not copy when using an existing installation:

Usage
Once done, enter the chroot environment by executing the following commands:

When creating a new installation, Portage should be synced to make sure everything is up to date.

The system is now ready. Feel free to install software, mess with settings, test experimental packages and configurations -- all without having any effect on the main system. To leave the chroot simply type or press +. Doing so will return the console to the normal environment. Do not forget to the directories that have been mounted.

systemd-nspawn
If the system uses systemd, can be used, which can automatically handle much of the boilerplate required in administering chroots. For example, to enter a chroot via systemd-nspawn with the same configuration as specified in the Configuration section, simply run:

Init scripts
If setting up chroots is a task that must be performed often, it is possible to speed up the mounting of the directories by using an init script. The script could be added to the default runlevel and therefore set up automatically on system boot:

When using a different directory or partition, add the necessary mounting commands in the  function and change  to the appropriate name.

Sound and graphics
The software running inside the chroot will by default not have access to the system sound- and display-server. Fixing this is done by either sharing a socket, or by running the communication with TCP over localhost.

Wayland
Wayland uses a socket to connect clients with the compositor. This socket needs to be shared with the chroot to make graphical applications work. The general procedure for finding this socket is:


 * 1) If WAYLAND_SOCKET is set, interpret it as a file descriptor number on which the connection is already established, assuming that the parent process configured the connection for us.
 * 2) If WAYLAND_DISPLAY is set, concat with XDG_RUNTIME_DIR to form the path to the Unix socket.
 * 3) Assume the socket name is   and concat with XDG_RUNTIME_DIR to form the path to the Unix socket.

Using WAYLAND_DISPLAY and XDG_RUNTIME_DIR is fine in most cases and will be used here. By default XDG_RUNTIME_DIR is set to. This directory will not be available in the chroot because the instructions bind mounts  non-recursively. Assuming the user's uid is 1000, this can be solved by either bind-mounting {{Path|/run/user/1000 with:

{{RootCmd|mkdir -p /mnt/mychroot/run/user/1000|mount --bind /run/user/1000 /mnt/mychroot/run/user/1000}}

or by simply recursively bind mounting with:

{{RootCmd|mount --rbind /run /mnt/mychroot/run}}

The Wayland library {{Package|dev-libs/wayland}} uses the same procedure for finding out the socket as listed above. So to share the socket with the chroot, the only thing that's needed to do is defining XDG_RUNTIME_DIR and WAYLAND_DISPLAY. Here it is assumed that the Wayland socket name WAYLAND_DISPLAY is.

{{RootCmd|prompt=(chroot) root #|color=orange|useradd -m user|su -l user}}

{{Cmd|prompt=(chroot) user $|color=cyan|export XDG_RUNTIME_DIR{{=}}/run/user/1000|export WAYLAND_DISPLAY{{=}}wayland-0|MOZ_ENABLE_WAYLAND{{=}}1 firefox-bin}}

Permission errors will occur if the user in the chroot does not have permissions to access the Wayland socket. This can be solved by using user namespace remapping or {{Link|Filesystem/Access_Control_List_Guide|ACLs}}. The easiest solution is to just make sure that the user ids match. The {{c|useradd -u, --uid UID}} option can be used when creating a user.

PipeWire
Like Wayland, PipeWire uses a socket to connect clients to the PipeWire daemon.

Applications assume that the PipeWire socket will be located in , so the only thing that's needed to get PipeWire clients to connect to the host's daemon is to expose XDG_RUNTIME_DIR to the chroot. This process is identical to the one described in. To expose XDG_RUNTIME_DIR, often /run/user/$(uid), the following commands are used:

XDG_RUNTIME_DIR will not be set when logging in inside the chroot, therefore XDG_RUNTIME_DIR needs to exported so the PipeWire client can find the socket:

Xorg
Xorg by default listens on a socket located in, as well as on localhost TCP port. The instructions in bind mounts, and therefore no additional configuration is needed except setting the DISPLAY variable before running a graphical application:

If the uid of the user inside the chroot does not match the uid outside the chroot, then setting permissions with xhost will be needed. To allow all local connections, run outside the chroot:

External resources

 * chroot on Archlinux's wiki