building “schroot” on RHEL-5.4

18 Feb

“schroot” is a secure chroot tool that allows a non-privileged user on a system to switch to a chroot in a secure manner. This can be used to set up automated builds etc. that don’t have to run as root.

Unfortunately, RedHat Enterprise doesn’t ship with schroot-packages, so here’s a way to build them:

1. Prerequisites: libboost-1.38

First, we build and install the required version of the Boost C++ library. Since I don’t want to mess up the system with self-compiled headers and libs, I prefer to keep it in its own directory somewhere under my home:

mkdir -pv ~/usr/src/boost
cd ~/usr/src/boost
wget "http://downloads.sourceforge.net/project/boost/boost/1.38.0/boost_1_38_0.tar.bz2"
tar xjf boost_1_38_0.tar.bz2
cd boost_1_38_0
./configure --prefix=/opt/schroot
make

wait…

mkdir /opt/schroot
./tools/jam/src/bin.linuxx86_64/bjam --prefix=/opt/schroot install

For whatever reason, boost/bjam installs the library files with a spurious “-gcc41” (the compiler toolset tag) in the name, which makes schroot’s configure script burp and stop when checking the boost includes. An easy (and somewhat evil) way around this is to create symlinks in the same directory that don’t carry the compiler name (there is supposed to be a much more elegant way, but I haven’t found it. ./configure didn’t like me, but hey, the dislike is mutual…):

cd /opt/schroot/lib
# only touch files that actually carry the toolset tag, so the loop
# doesn't try to symlink a file onto itself and can be re-run safely
for file in *-gcc41* ; do
    TGT=$(echo "$file" | sed 's,-gcc41,,')
    ln -sv "$file" "$TGT"
done

2. build schroot

Next step, configure and build “schroot” itself, using the freshly built boost libs.

The sources for schroot can be obtained from packages.debian.org or via git://git.debian.org/buildd-tools/schroot

We have to tell configure explicitly where to find our friendly boost, so we need to set the corresponding environment variables. Don’t miss the “-rpath-link” part, since otherwise the linker won’t find the boost libraries that other boost libraries depend on…

export CPPFLAGS="-I/opt/schroot/include/boost-1_38/"
export LDFLAGS="-L/opt/schroot/lib -Wl,-rpath-link=/opt/schroot/lib"
./configure --prefix=/opt/schroot
make -j 16

Now wait before typing “make install”, since it won’t work even though we specified a nice prefix: schroot relies on PAM for authentication and thus ships with a PAM configuration file. Unfortunately this one (a) does not work on RedHat and (b) is installed to a hardcoded path in /etc/ where a regular user can’t write, so we’re not even able to do a test install.

So we adjust the corresponding Makefile to prevent it copying the file to /etc/, then we can install:

cd bin/schroot/pam/
sed -i 's#^pamdir = /etc/pam.d#pamdir = ${prefix}/etc/pam.d#' Makefile
make install

3. adjust PAM

As explained above, we need to create a working PAM configuration on our own, since the shipped one is for Debian-ish systems only. For eternal happiness, create “/etc/pam.d/schroot” with the following content:

# The PAM configuration file for `schroot'
#
# This allows root to use schroot without passwords (normal operation)
auth       sufficient pam_rootok.so

# The standard Unix authentication modules, used with
# NIS (man nsswitch) as well as normal /etc/passwd and
# /etc/shadow entries.
auth       include      system-auth
account    include      system-auth
session    include      system-auth
password   include      system-auth

Finally, we have to create a symlink in /etc so schroot is able to find the scripts necessary to do the magic when chrooting a user:

ln -s /opt/schroot/etc/schroot /etc/

That’s it, now we should be able to use schroot the same way as on a Debian machine.
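As an added example (my own helper, not part of the original post and not schroot’s or Boost’s own tooling), the three manual steps above folded into a small POSIX shell script: the “-gcc41” symlink workaround as an idempotent function that never clobbers an existing file, the RHEL PAM stack written from a heredoc, and a post-install check that verifies the PAM file, the /etc/schroot symlink and (when the binary is present) that `ldd` resolves all of its shared libraries. The variables PREFIX, TOOLSET and SCHROOT_APPLY and all function names are my own choices; the defaults are the values used in the post.

```shell
#!/bin/sh
# Added helper script (not from the original post). Defaults match the
# post: prefix /opt/schroot, Boost built with the "gcc41" toolset.
set -u

PREFIX=${PREFIX:-/opt/schroot}
TOOLSET=${TOOLSET:-gcc41}

# For every "libfoo-gcc41-mt.so" in $1 create a "libfoo-mt.so" symlink.
# Files without the toolset tag are skipped and an existing target is
# never overwritten, so re-running the function is a no-op.
link_without_toolset() {
    dir=$1
    for file in "$dir"/*; do
        name=${file##*/}
        case $name in
            *-$TOOLSET*) ;;      # carries the tag: strip it below
            *) continue ;;       # nothing to strip
        esac
        target="$dir/${name%%-$TOOLSET*}${name#*-$TOOLSET}"
        if [ -e "$target" ] || [ -L "$target" ]; then
            continue
        fi
        ln -s "$name" "$target"   # relative link, same directory
    done
}

# Write the RHEL-style PAM stack from the post to $1.
write_schroot_pam() {
    out=${1:-/etc/pam.d/schroot}
    cat > "$out" <<'EOF'
# The PAM configuration file for `schroot'
#
# This allows root to use schroot without passwords (normal operation)
auth       sufficient pam_rootok.so

# The standard Unix authentication modules, used with
# NIS (man nsswitch) as well as normal /etc/passwd and
# /etc/shadow entries.
auth       include      system-auth
account    include      system-auth
session    include      system-auth
password   include      system-auth
EOF
    chmod 644 "$out"
}

# Post-install sanity check. Arguments: PAM file, /etc/schroot link,
# schroot binary (all optional). Returns 0 when everything is in place,
# otherwise prints what is missing and returns 1.
check_install() {
    pam=${1:-/etc/pam.d/schroot}
    link=${2:-/etc/schroot}
    bin=${3:-$PREFIX/bin/schroot}
    status=0
    grep -q '^auth[[:space:]]*sufficient[[:space:]]*pam_rootok\.so' "$pam" 2>/dev/null \
        || { echo "missing pam_rootok line in $pam"; status=1; }
    n=$(grep -Ec '^(auth|account|session|password)[[:space:]]+include[[:space:]]+system-auth' "$pam" 2>/dev/null) \
        || n=0
    [ "$n" -eq 4 ] \
        || { echo "expected 4 system-auth lines in $pam, found $n"; status=1; }
    [ "$(readlink "$link" 2>/dev/null)" = "$PREFIX/etc/schroot" ] \
        || { echo "$link does not point at $PREFIX/etc/schroot"; status=1; }
    # Only meaningful on the real machine after "make install".
    if [ -x "$bin" ] && ldd "$bin" 2>/dev/null | grep -q 'not found'; then
        echo "$bin has unresolved shared libraries; is $PREFIX/lib on the loader path?"
        status=1
    fi
    return $status
}

# Opt-in driver: the real system is only touched when SCHROOT_APPLY=1.
if [ "${SCHROOT_APPLY:-0}" = 1 ]; then
    link_without_toolset "$PREFIX/lib"
    write_schroot_pam /etc/pam.d/schroot
    ln -sfn "$PREFIX/etc/schroot" /etc/schroot
    check_install
fi
```

Run it as root with `SCHROOT_APPLY=1 sh schroot-rhel.sh` after `make install`; without that variable it only defines the functions, so it can be sourced and the check called on its own. One caveat the `ldd` check is there for: schroot is installed setuid root, and the dynamic loader ignores LD_LIBRARY_PATH for setuid programs, so `-Wl,-rpath-link` (which only helps at link time) is not enough for the installed binary to find /opt/schroot/lib at runtime; that directory has to be reachable through ld.so.conf or an rpath baked in at link time.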

I’ve written another post about how to set up a chroot environment for “schroot”. For the RHEL case, I prefer to create the raw chroot directory on a Debian/Ubuntu machine (I don’t like to have “debootstrap” on RedHat for various reasons), and then just copy the prepared directory over to the RHEL box.