chroot is (in a sense) the goodfather of all container technology. It allows to create a process with a different view of the filesystem. Since you are root within the new file-system you have all the power - so maybe not the most practical way of allowing users to BYOFS (bring-your-own-file-system).


Fetch Image

In the case of chroot, let us assume we fetch the tarball of alpine as the image.

export URI=v3.13/releases/x86_64/alpine-minirootfs-3.13.4-x86_64.tar.gz
wget -qO alpine-minirootfs.tar.gz${URI}


For chroot to pick up the root file-system we need to extract the tar-ball (called snapshot in container terms).

mkdir -p rootfs
tar xfz alpine-minirootfs.tar.gz -C rootfs/


We need to bind-mount the VFS to expose /proc, /sys and /dev within the chroot environment. For that we need root-privileges on the system. TO read more about bind-mounts see the mount manpage.

sudo mount -t proc /proc ./rootfs/proc
sudo mount -o bind /sys ./rootfs/sys
sudo mount -o bind /dev ./rootfs/dev
sudo mount --make-rslave ./rootfs/sys
sudo mount --make-rslave ./rootfs/dev
sudo chroot rootfs sh

This spawn a process within the root-filesystem.

cat /etc/alpine-release 


The process within the chroot environment is not isolated and constrainted at all. Furthermore you need privileges to create the bind-mounts.

This blog post (from 2013) states:

Putting a regular user in a chroot() will prevent them from having access to the rest of the system. This means using a chroot is not less secure, but it is not more secure either. If you have proper permissions configured on your system, you are no safer inside a chroot than relying on system permissions to keep a user in check. Of course you can make the argument that everyone makes mistakes, so running inside a chroot is safer than running outside of one where something is going to be misconfigured. This argument is possibly true, but note that setting up a chroot can be far more complex than configuring a system. Configuration mistakes could lead to the chroot environment being less secure than non-chroot environments.

Thus, let us move on to the next option.


sudo umount ./rootfs/proc                                                                                               
sudo umount ./rootfs/sys
sudo umount ./rootfs/dev