mount dev, proc, sys in a chroot environment?

I'm trying to create a Linux image with custom picked packages.
_{What I'm trying to do is to hand craft the packages I'm going to use on an XO laptop, because compiling packages takes really long time on the real XO hardware, if I can build all the packages I need and just flash the image to the XO, I can save time and space.}

When I tried to install some packages, it failed to configure due to missing the proc, sys, dev directories. So, I learned from other places that I need to "mount" the host proc, ... directories to my chroot environment.

I saw two syntax and am not sure which one to use.

In host machine:

  mount --bind /proc <chroot dir>/proc

and another syntax (in chroot environment):

  mount -t proc none /proc

Which one should I use, and what are the difference?

Patrick

Posted 2010-07-18T19:06:10.477

Reputation: 1 500

@JonathanLeffler a root user in a chroot can always escape the chroot anyway. – LtWorf – 2016-05-10T11:41:57.853

Beware: granting access to the disk devices means that you lose some of the benefits of 'chroot()'. In particular, the determined can read files outside of their section of the file system if you are not careful. – Jonathan Leffler – 2010-07-18T19:18:39.363

2@Jonathan Leffler: that doesn't sound like an issue for what he is doing. – Zifre – 2010-07-19T01:02:46.600

Answers

For /proc and /sys, I suppose you could use either method. They are both special file systems so they can be recreated any number of times (the bind mount method uses the exact same mount as the host system, whereas the other method uses a new mount). I've always seen the bind mount recommended in guides, so I'd use that. As far as I know, there is no real important difference.

However, /dev is usually a tmpfs mount that is managed by udev, so it has to be the actual same file system as on the host machine. That means that you would need to use the bind mount method.

If this chroot is going to be around for awhile, you can put these entries in /etc/fstab on the host system to simplify things.

Zifre

Posted 2010-07-18T19:06:10.477

Reputation: 1 390

I would like to ask if it make sense to copy (bind) the proc/sys from host to some other machine ? Why should they match that machine ? – ransh – 2017-03-30T09:08:30.483

@ransh it make sens if you bind /proc to $chrootdir/proc , you will have possibility to handles proccess and whats going on inside /proc of both systems from both systems ; e.g: from chroot you can check if a program is running on the host ... etc – Jonah – 2017-05-23T15:37:42.617

Maybe the sys type of file system appears (today) to not exist anymore? – 174140 – 2018-04-25T11:36:56.743

118

The Arch Linux Wiki suggests the following commands:

cd /mnt/arch # or where you are preparing the chroot dir
mount -t proc proc proc/
mount --rbind /sys sys/
mount --rbind /dev dev/

gacrux

Posted 2010-07-18T19:06:10.477

Reputation: 1 611

4In my case (also Ubuntu) I needed a "mount -o bind /dev/pts dev/pts", too. – Thomas – 2016-05-30T08:42:59.473

Please include the link to the source. – styrofoam fly – 2018-12-04T18:34:13.763

@styrofoamfly Added. – gacrux – 2018-12-05T19:45:41.880

1As of 2019, the ArchLinux wiki now does --rbind for sys and dev. – Saad Malik – 2019-07-12T23:30:54.387

dont forget to unmount this when done, i had an issue with this on an alinux2. also command on this was also --rbind. Hmm, now i see @Saad mentioned this already, i had to test at it :-) https://unix.stackexchange.com/questions/61885/how-to-unmount-a-formerly-chrootd-filesystem

– Brian Thomas – 2019-11-02T00:22:31.367

2They also seemed to work for me in ubuntu. – isaaclw – 2012-09-28T21:01:16.270

The Gentoo Handbook specifically calls out these two commands for re-mounting /proc and /dev. I've used them several times.

mount -t proc none /mnt/chroot/proc
mount -o bind /dev /mnt/chroot/dev

I suspect /sys is just a regular folder, so you should be able to make a hard link.

ln /sys /mnt/chroot/sys

robert

Posted 2010-07-18T19:06:10.477

Reputation: 1 344

17You can't hardlink a directory (usually) like you suggest for /sys, and if you use a symlink it'll break as soon as you chroot. – None – 2010-07-19T00:31:46.197

They've added some new ones, based on systemd. Perhaps it's a good idea to add them. – AzP – 2018-10-03T22:53:36.000

It may be worth noting in this popular question, that Arch Linux has made a script arch-chroot; download arch-install-scripts-15-1-any.pkg.tar.xz

This which takes care of various related problems both in Arch-Linux and Manjaro , where I used it successfully, too. Possibly more Arch-derivates like Parabola are compatible just as well.

While a simple standard chroot into a secondary Manjaro installation will not allow you to run

pacman --sync linux

(the silver bullet after a system crash), replacing the line with

arch-chroot /run/media/*YOURSELF*/manja-disk2

will enable you to fix your secondary Arch-derivate installation via

pacman --sync linux

like a charm. The bash script arch-chroot takes care of /dev /sys /proc and much more, which are left alone by the standard chroot.

see also: Using arch-chroot

y guy

Posted 2010-07-18T19:06:10.477

Reputation: 21

-1

Easiest way is to use a for loop:

cd /

for i in proc sys dev; do mount -o bind $i /folder/$i; done

oleberlin

Posted 2010-07-18T19:06:10.477

Reputation: 1

-1

There are other pseudo filesystems and tmpfs locations. This is on debian:

/dev/pts 
/run
/run/shm
/proc/sys/fs/binfmt_mist
/var/lib/nfs/rpc_pipefs
/proc/fs/nfsd
/proc/bus/usb

It should be okay to mount the usbfs, rpc_pipefs and devpts pseudo-filesystems from within the chroot. I reccomend not binding /proc to the chroot's /proc, since the kernel has the concept of namespaces, and can actually put different things in the chroot's proc.

Update: according to this mailing list thread, /sys should not be bind mounted, especially if the chrooted processes is using its own network namespace.

It's a bad idea to mount the system's /var or /run onto the chroot, if the chroot has its own pid namespace.

Brian Minton

Posted 2010-07-18T19:06:10.477

Reputation: 410

Speculation? On superuser (and other stack-forums) it's usually better to hold off, or research and answer with linked sources, if you're unsure. This is to avoid risking spreading misguided hints. Sorry if disappoint and good luck! – Simon B. – 2016-03-09T13:05:39.193

@SimonB. I've added a link to a mailing list supporting the idea that /sys should not be bind mounted. – Brian Minton – 2016-03-31T12:43:53.960

With pid namespace, you're talking about more advanced user namespace features we can find on modern linux kernels (i.e. the features "containers" are based on), while when we use the term chroot, we refer to the traditional file namespace change (and nothing else). – Johan Boulé – 2016-12-11T18:58:05.360