Thursday, June 16, 2016

chroot jail : First step for jail

The jail mechanism is an implementation of operating system-level virtualization that allows administrators to partition a computer system into several independent mini-systems called jails.

A chroot on Unix operating systems is an operation that changes the apparent root directory for the current running process and its children. A program that is run in such a modified environment cannot name (and therefore normally cannot access) files outside the designated directory tree. The modified environment is called a chroot jail.

A chroot environment can be used to create and host a separate virtualized copy of the software system. This can be useful for testing and development, dependency control, compatibility, recovery, and privilege separation.


The actual jail development consisted of five parts:

1. Making sure you don’t escape the chroot/jail
2. Restricting process visibility
3. Deciding what “root” can and cannot do in a jail
4. Teaching certain device drivers about jails
5. Giving each jail its own IP number.


Steps to create a chroot jail for another flavor of Linux
Step 1. Have a Linux host machine.

Step 2. Copy the root filesystem of any other Linux flavor (e.g. Ubuntu) into a directory:
[root@localhost ~]# cd /home/ajay/ws/chroot/ubuntu/rootfs/
a.txt      boot/      etc/       lib/       media/     opt/       root/      selinux/   sys/       tmp/       var/
bin/       dev/       home/      lib64/     mnt/       proc/      sbin/      srv/       test.test  usr/

Step 3. Run the chroot command. The prompt changes to show the new root "/", as below:
[root@localhost chroot]# chroot /home/ajay/ws/chroot/ubuntu/rootfs/
groups: cannot find name for group ID 490
root@localhost:/# 

Step 4. Mount the devices.
If a command is run before /proc is mounted:
root@localhost:/# ps -ef | grep vim
Cannot find /proc/version - is /proc mounted?

So mount them:
root@localhost:/# mount -t proc proc /proc/
root@localhost:/# mount -t sysfs sys /sys/
root@localhost:/# mount -o bind /dev /dev/

The chroot environment now uses the Ubuntu libraries. Enjoy

Exit from the chroot jail:
root@localhost:/# umount /proc
root@localhost:/# umount /sys
root@localhost:/# umount /dev
root@localhost:/# exit

Caution: chroot should only be used for processes that don't run as root, because a root user can break out of the jail very easily. Also, the jail's files are fully accessible from the host's real root, so everything inside it is visible and modifiable from outside.

Important terms to know in order to improve the solution
Operating-system-level virtualization is a server virtualization method in which the kernel of an operating system allows the existence of multiple isolated user-space instances, instead of just one. Such instances, which are sometimes called containers, software containers, virtualization engines (VEs) or jails (FreeBSD jail or chroot jail), may look and feel like a real server from the point of view of its owners and users.

On Unix-like operating systems, this technology can be seen as an advanced implementation of the standard chroot mechanism. In addition to isolation mechanisms, the kernel often provides resource-management features to limit the impact of one container's activities on other containers.

Operating-system-level virtualization is not as flexible as other virtualization approaches since it cannot host a guest operating system different from the host one, or a different guest kernel. For example, with Linux, different distributions are fine, but other operating systems such as Windows cannot be hosted.

The storage hypervisor, a centrally-managed supervisory software program, provides a comprehensive set of storage control and monitoring functions that operate as a transparent virtual layer across consolidated disk pools to improve their availability, speed and utilization.

One more example:
[root@localhost chroot]# mkdir linx

[root@localhost chroot]# cd linx

[root@localhost linx]# mkdir bin lib dev tmp

[root@localhost linx]# chmod a=rwx tmp   [make it accessible to every user and process]
[root@localhost linx]# ls -lrt
total 16
drwxrwxrwx 2 root root 4096 Jun 16 16:49 tmp
drwxr-xr-x 2 root root 4096 Jun 16 16:49 lib
drwxr-xr-x 2 root root 4096 Jun 16 16:49 dev
drwxr-xr-x 2 root root 4096 Jun 16 16:52 bin

This jail will be restricted to limited rights.

[root@localhost linx]#  cp /bin/bash /bin/ls bin

[root@localhost linx]# ldd bin/*
bin/bash:
        linux-vdso.so.1 =>  (0x00007fff0f9c8000)
        libtinfo.so.5 => /lib64/libtinfo.so.5 (0x0000003b28a00000)
        libdl.so.2 => /lib64/libdl.so.2 (0x0000003b1b200000)
        libc.so.6 => /lib64/libc.so.6 (0x0000003b1ae00000)
        /lib64/ld-linux-x86-64.so.2 (0x0000003b1a600000)
bin/ls:
        linux-vdso.so.1 =>  (0x00007fffe7ee3000)
        libselinux.so.1 => /lib64/libselinux.so.1 (0x0000003b1c600000)
        librt.so.1 => /lib64/librt.so.1 (0x0000003b1be00000)
        libcap.so.2 => /lib64/libcap.so.2 (0x0000003b1de00000)
        libacl.so.1 => /lib64/libacl.so.1 (0x0000003b2a200000)
        libc.so.6 => /lib64/libc.so.6 (0x0000003b1ae00000)
        libdl.so.2 => /lib64/libdl.so.2 (0x0000003b1b200000)
        /lib64/ld-linux-x86-64.so.2 (0x0000003b1a600000)
        libpthread.so.0 => /lib64/libpthread.so.0 (0x0000003b1b600000)
        libattr.so.1 => /lib64/libattr.so.1 (0x0000003b29600000)

[root@localhost linx]#  cp /lib64/libtinfo.so.5 /lib64/libdl.so.2 /lib64/libc.so.6 /lib64/ld-linux-x86-64.so.2 /lib64/libselinux.so.1 /lib64/librt.so.1 /lib64/libcap.so.2 /lib64/libacl.so.1 /lib64/libpthread.so.0 /lib64/libattr.so.1 lib/

Populating the jail with two basic devices:
[root@localhost linx]#  ls -l /dev/null /dev/zero
crw-rw-rw- 1 root root 1, 3 Jun 10 15:01 /dev/null
crw-rw-rw- 1 root root 1, 5 Jun 10 15:01 /dev/zero

[root@localhost linx]# mknod dev/null c 1 3
[root@localhost linx]# mknod dev/zero c 1 5

[root@localhost linx]# ls -lrt dev/*
crw-r--r-- 1 root root 1, 3 Jun 16 17:01 dev/null
crw-r--r-- 1 root root 1, 5 Jun 16 17:01 dev/zero

[root@localhost linx]# chmod a=rw dev/null dev/zero

[root@localhost linx]# ls -lrt dev/*
crw-rw-rw- 1 root root 1, 3 Jun 16 17:01 dev/null
crw-rw-rw- 1 root root 1, 5 Jun 16 17:01 dev/zero

[root@localhost linx]# chroot /home/ajay/ws/chroot/linx
chroot: failed to run command `/bin/bash': No such file or directory

An error occurred. Check the ldd output above: all the libraries live under /lib64 on the host, so the copies must be at the same path inside the jail. Move them from the lib folder to lib64:

[root@localhost linx]# mv lib lib64

[root@localhost linx]# chroot /home/ajay/ws/chroot/linx
bash-4.1# pwd
/

bash-4.1#

Welcome to the chroot jail. Now build customized applications on top of it.
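As an added example (not from the post), the following script automates the jail build above: it copies the binaries, resolves their shared libraries with ldd and places each one at the same path inside the jail as on the host (which is why the post's lib/ had to become lib64/), creates the two device nodes, and enters the jail as an unprivileged user, following the caution above. It assumes glibc's ldd and GNU coreutils chroot; the jail path, binaries and user:group are example values.

```shell
#!/bin/sh
# Build a minimal chroot jail the way the post does by hand: copy the binaries,
# resolve their shared libraries with ldd and place each at the SAME path inside
# the jail as on the host (so /lib64/libc.so.6 lands in $JAIL/lib64/, which is
# why the post's lib/ directory had to become lib64/), then add /dev/null and
# /dev/zero. Assumes glibc's ldd and GNU coreutils; paths and names are examples.
set -eu
# Print host library paths from ldd output read on stdin.
#   "libc.so.6 => /lib64/libc.so.6 (0x...)" -> /lib64/libc.so.6
#   "/lib64/ld-linux-x86-64.so.2 (0x...)"   -> /lib64/ld-linux-x86-64.so.2
#   "linux-vdso.so.1 =>  (0x...)"            -> skipped, no file on disk
parse_ldd() {
    awk '$2 == "=>" && $3 ~ /^\// { print $3; next }
         $1 ~ /^\// { print $1 }'
}

# Copy one host file into the jail at the same relative path, creating parents.
install_into_jail() {
    jail=$1; src=$2
    mkdir -p "$jail$(dirname "$src")"
    cp -p "$src" "$jail$src"
}

# Populate jail $1 with the binaries given as remaining arguments plus their libs.
build_jail() {
    jail=$1; shift
    mkdir -p "$jail/dev" "$jail/tmp"
    chmod 1777 "$jail/tmp"   # world-writable with the sticky bit, like the real /tmp
    for bin in "$@"; do
        install_into_jail "$jail" "$bin"
        ldd "$bin" | parse_ldd | while read -r lib; do
            [ -e "$jail$lib" ] || install_into_jail "$jail" "$lib"
        done
    done
    # Same major/minor as the host's /dev/null and /dev/zero; mknod needs root
    # (CAP_MKNOD) and -m 666 matches the post's chmod a=rw step.
    [ -e "$jail/dev/null" ] || mknod -m 666 "$jail/dev/null" c 1 3
    [ -e "$jail/dev/zero" ] || mknod -m 666 "$jail/dev/zero" c 1 5
}

# Enter the jail as an unprivileged user:group, never as root (the post's caution).
# --userspec is a GNU coreutils chroot option.
run_in_jail() {
    jail=$1; user=$2; shift 2
    exec chroot --userspec="$user" "$jail" "$@"
}
# Example: build_jail /home/ajay/ws/chroot/linx /bin/bash /bin/ls
#          run_in_jail /home/ajay/ws/chroot/linx ajay:HSS /bin/bash
if [ "$#" -ge 2 ]; then build_jail "$@"; fi
```

Because every library is installed at its host path, the resulting tree needs no manual lib to lib64 rename, and /proc, /sys and /dev can still be mounted inside afterwards exactly as in Step 4.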

Wednesday, June 15, 2016

virtualization : From college to corporate

"imperfect virtualization can and often is preferable to perfect virtualization"

Linux virtualization can be used for isolating specific apps, programming code or even an operating system itself, as well as for security and performance testing purposes.

The evolution of virtualization revolves largely around one very important piece of software: the hypervisor.
Hypervisor: A software layer or subsystem that controls hardware and provides guest operating systems with access to underlying hardware. The hypervisor allows multiple operating systems, called guests, to run on the same physical system by offering virtualized hardware to the guest operating system.

Bare-metal Hypervisor. This type of hypervisor is deployed as a bare-metal installation. This means that the first thing to be installed on a server as the operating system will be the hypervisor. The benefit of this software is that the hypervisor will communicate directly with the underlying physical server hardware. Those resources are then paravirtualized and delivered to the running VMs. This is the preferred method for many production systems.

Hosted Hypervisor. This model is also known as a hosted hypervisor. The software is not installed onto the bare metal, but instead is loaded on top of an already live operating system. For example, a server running Windows Server 2008R2 can have VMware Workstation 8 installed on top of that OS. Although there is an extra hop for the resources to take when they pass through to the VM, the latency is minimal, and with today's modern software enhancements the hypervisor can still perform optimally.

Important terms for understanding virtualization:

Full virtualization: The guest operating system and any applications on the guest virtual machine are unaware of their virtualized environment and run normally. Hardware-assisted virtualization is the technique used for full virtualization with KVM (Kernel-based Virtual Machine) in Red Hat Enterprise Linux.

Para-virtualization: After the guest VM is installed on top of the hypervisor, there usually is a set of tools which are installed into the guest VM. These tools provide a set of operations and drivers for the guest VM to run more optimally. For example, although natively installed drivers for a NIC will work, paravirtualized NIC drivers will communicate with the underlying physical layer much more efficiently. Furthermore, advanced networking configurations become a reality when paravirtualized NIC drivers are deployed.

Software virtualization (or emulation): Software virtualization uses slower binary translation and other emulation techniques to run unmodified operating systems.

Migration: Migration describes the process of moving a guest virtual machine from one host to another. This is possible because the virtual machines are running in a virtualized environment instead of directly on the hardware. There are two ways to migrate a virtual machine: live and offline.
Typical reasons: load balancing, upgrading or making changes to the host, energy saving, and geographic migration.

Key examples: KVM, VMware ESX, and Hyper-V.

Monday, June 13, 2016

Playing Groups in Linux

[root@localhost ws]# more /etc/group
root:x:0:
bin:x:1:bin,daemon
daemon:x:2:bin,daemon
sys:x:3:bin,adm
adm:x:4:adm,daemon
[Fields: group_name : password (x) : group ID (GID) : group list (multiple user names separated by commas)]

[root@localhost ws]# id
uid=0(root) gid=0(root) groups=0(root),490(sfcb)

[root@localhost ws]# id ajay
uid=506(ajay) gid=507(ajay) groups=507(ajay)

Create a new group:
[root@localhost ws]# groupadd -g 601 HSS

Add a user to the new group (note that -G without -a replaces the user's existing supplementary groups; use usermod -aG to append):
[root@localhost ws]# usermod -G HSS ajay

[root@localhost ws]# id ajay
uid=506(ajay) gid=507(ajay) groups=507(ajay),601(HSS)


[root@localhost ws]# more /etc/login.defs
# Password aging controls:
#
#       PASS_MAX_DAYS   Maximum number of days a password may be used.
#       PASS_MIN_DAYS   Minimum number of days allowed between password changes.
#       PASS_MIN_LEN    Minimum acceptable password length.
#       PASS_WARN_AGE   Number of days warning given before a password expires.
#
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    5
PASS_WARN_AGE   7
#
# Min/max values for automatic uid selection in useradd
#
UID_MIN                   500
UID_MAX                 60000
#
# Min/max values for automatic gid selection in groupadd
#
GID_MIN                   500
GID_MAX                 60000


Grant administrative rights to a normal user (prefer visudo over editing /etc/sudoers directly, since it checks the syntax before saving):
[root@localhost ws]# vim /etc/sudoers
## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL
ajay    ALL=(ALL)       ALL

Change the group of a file/directory:
[root@localhost ws]# ls -lrt
total 4
-rwxr-xr-x 1 root ajay 878 Jun 14 11:22 glist.sh

[root@localhost ws]# chgrp HSS glist.sh
[root@localhost ws]# ls -lrt
total 4
-rwxr-xr-x 1 root HSS 878 Jun 14 11:22 glist.sh

Permission
You can use an octal number to represent the mode/permissions:
  • r: 4
  • w: 2
  • x: 1
For example, for the file owner, read, write and execute (full) permission on a file in octal is
0+r+w+x = 0+4+2+1 = 7


The output of the ls command shows permissions as follows:
first character: - for a regular file, d for a directory
next three characters (positions 2,3,4): user (owner), e.g. rwx
next three characters (positions 5,6,7): group, e.g. rwx
next three characters (positions 8,9,10): others, e.g. rwx

Change the permissions of a file for user/group/others:
[root@localhost ws]# chmod 775 glist.sh
[root@localhost ws]# ls -lrt
total 4
-rwxrwxr-x 1 root HSS 878 Jun 14 11:22 glist.sh

Graphical desktop file manager : Nautilus

Nautilus gives you a graphical display of your system and personal files. Nautilus is designed to be much more than a visual listing of files, however. It allows you to configure your desktop, configure your Red Hat Enterprise Linux system, browse your photo collection, access your network resources, and more, all from one integrated interface. In essence, Nautilus becomes a shell for your entire desktop experience.

[root@localhost ws]# nautilus
Initializing nautilus-open-terminal extension
Initializing nautilus-gdu extension
Tuesday, June 7, 2016

History @ linux shell


1. Delete a specific history entry: history -d <number>
        number : the index number shown in the output of the history command.
2. Clear the complete history: history -c
3. Hide specific commands:
[root@localhost local]# HISTCONTROL=ignorespace
This keeps any command that starts with a space out of the history.

4. Turn off history:
[root@localhost local]# set +o history

5. Turn on history:
[root@localhost local]# set -o history