2

I have a daemon running in a chroot jail that I have generated with debootstrap.

I'd like to remove apt and dpkg from the jail, but I want to keep the other packages updated.

Can I upgrade the packages in the jail, running apt-get from outside?

1 Answer

3

I'm not sure why you want to do this. dpkg and apt are fundamental parts of a Debian system, and your chroot won't function independently without them. Running

    chroot /path/to/chroot apt-get update

and so on is a supported method that doesn't require removing dpkg and apt.

But if you're sure you want to do it, you can run

    APT_CONFIG=/path/to/apt.conf apt-get update

where `/path/to/apt.conf` is the path of an `apt.conf` file that includes

    RootDir /path/to/chroot;

The rest of the apt configuration will then be read from `/path/to/chroot/etc/apt/apt.conf.d`, or somewhere else under `/path/to/chroot` if you change `Dir::Etc` in the `apt.conf` file. See the Description and Directories sections of `man apt.conf` for details.

Andrew Schulman
  • I don't trust the daemon, and I want to harden the chroot a bit. I have already changed permissions in the chroot so that the user running the daemon can't mknod, mount and so on... I want to remove apt and dpkg just because they are not needed by the daemon to run: IMHO minimalism is a powerful security tool! – Giacomo Tesio Dec 31 '14 at 11:51
  • Reading the man page again, I'm not sure if this will cause the packages to install into the chroot. Have you tried it, and did it work? – Andrew Schulman Jan 01 '15 at 11:01
  • Haven't tried yet. But I've found a [Debian bug report](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=659387) related to this option. However, defining "DPkg::Run-Directory" as "/" should be a viable workaround to that (still unfixed!) bug. As a last resort, I could use `dpkg --root=/chroot -i package.deb` – Giacomo Tesio Jan 02 '15 at 11:34
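
The host-side invocation from the answer, combined with the `DPkg::Run-Directory` workaround from the comments, as an added shell example that is not part of the original posts. The function names and temporary-file handling are assumptions of this sketch, and whether packages actually install into the jail this way is untested, as the comments note.

```shell
#!/bin/sh
# Added example: point the host's apt-get at a jail that has no apt/dpkg.
# Function names are hypothetical; nothing runs until you call them.

# Write a host-side apt.conf for the jail.
# $1 = absolute path of the chroot, $2 = file to write.
write_jail_apt_conf() {
    jail=$1 conf=$2
    case $jail in
        /*) ;;
        *) echo "chroot path must be absolute: $jail" >&2; return 1 ;;
    esac
    # The rest of the configuration is read from etc/apt under RootDir,
    # so refuse to continue if the jail does not have it.
    [ -d "$jail/etc/apt" ] || { echo "no etc/apt under $jail" >&2; return 1; }
    cat > "$conf" <<EOF
RootDir "$jail";
// Workaround suggested in the comments for Debian bug #659387 (unverified).
DPkg::Run-Directory "/";
EOF
}

# Show the RootDir and directory settings apt picks up from that file,
# as a check before anything is modified. $1 = the generated apt.conf.
show_jail_apt_dirs() {
    APT_CONFIG=$1 apt-config dump |
        grep -E '^(RootDir|Dir::Etc|Dir::State|Dir::Cache|DPkg::Run-Directory) '
}

# Run the host's apt-get against the jail, e.g.
#   jail_apt_get /path/to/chroot update
jail_apt_get() {
    jail=$1; shift
    conf=$(mktemp) || return 1
    write_jail_apt_conf "$jail" "$conf" || { rm -f "$conf"; return 1; }
    rc=0
    APT_CONFIG=$conf apt-get "$@" || rc=$?
    rm -f "$conf"
    return $rc
}
```

Run `show_jail_apt_dirs` on the generated file first and check that `RootDir` is the jail path; if it is missing, `apt-get` would operate on the host system instead.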