During my learning of Docker, I heard that the Linux command chroot is not enough to isolate a container and that we need a new command called pivot_root. Why? I looked up the manuals for them but was only confused by more unfamiliar concepts. In particular, the pivot_root man page says that pivot_root changes the root mount in the mount namespace of the calling process. So what does "root mount" mean? I know that during the boot of Linux it mounts the root device to / (I'm not sure if I am right), so what is the effect of mounting the root device to another directory using pivot_root? Also, I am curious why we need this strange root device. Is it a physical device, just like a hard disk?
During my learning of Docker, I heard that the Linux command chroot is not enough to isolate a container and that we need a new command called pivot_root. Why?
You can see in the man page of chroot(2) that chroot can be easily escaped using "cd ..". This is because the root directory of the system is not the root node of a filesystem, and as a result a "cd .." that traverses the filesystem can escape the chroot.
I looked up the manuals for them but was only confused by more unfamiliar concepts. In particular, the pivot_root man page says that pivot_root changes the root mount in the mount namespace of the calling process. So what does "root mount" mean?
To get a rough idea of these concepts, think of filesystems as a backend for files and folders. We have different filesystems (NTFS, ext4, etc.) that implement a tree of files on a hard disk. There are also special filesystems that are not backed by a hard disk, like tmpfs (a temporary filesystem using RAM) or devfs (which roughly maps each device to a file). Now, mounting is the mapping between the directories and files of the system and the filesystems.
Therefore pivot_root, instead of changing the directory that is set as the root (as chroot does), changes the mount table, making / point to another filesystem backend. Consequently, "cd .." will not be defined anymore.
I know that during the boot of Linux it mounts the root device to / (I'm not sure if I am right), so what is the effect of mounting the root device to another directory using pivot_root? Also, I am curious why we need this strange root device. Is it a physical device, just like a hard disk?
The boot procedure has a few stages that we will not describe in detail here. At one point the system is running and the directories are backed by a filesystem in RAM (to do the early stuff). Then, to switch from this root directory to another one (which is backed by the hard disk), we can use pivot_root (more on that here). So, to just answer your question, the root device is not a physical device, but any (virtual or real) filesystem that is mounted to /.
Additionally, for the case of containers, we mount a (somewhat virtual) filesystem to a directory and then pivot_root a process into that directory, making the root directory of that process and its children point to that filesystem. This prevents escaping that filesystem (and the directory), which is one step toward a fully sandboxed container experience.
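The container sequence the answer describes, written out as a runnable example. This is added illustration code, not code from the original post or from any container runtime, although it follows the sequence documented in pivot_root(2) (bind-mount the new root onto itself so it is a mount point, pivot with new_root and put_old being the same directory, then detach the old root). The same steps are what init in an initramfs performs before handing over to the real root. The function names pivot_into and is_mount_point are this example's own; it must run as root (or with CAP_SYS_ADMIN) to succeed, and the new root directory is assumed to carry its own /bin/sh.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Fallback in case sched.h was included without _GNU_SOURCE in effect. */
#ifndef CLONE_NEWNS
#define CLONE_NEWNS 0x00020000
#endif

/* Returns 1 if `path` (absolute, no trailing slash) is a mount point in the
 * calling process's mount namespace, 0 if it is not, -1 if
 * /proc/self/mountinfo cannot be read. Field 5 of every mountinfo line is
 * the mount point (see proc(5)); paths with spaces appear escaped as \040,
 * which this simple comparison does not decode. */
int is_mount_point(const char *path)
{
    FILE *f = fopen("/proc/self/mountinfo", "r");
    if (!f)
        return -1;
    char line[4096];
    int found = 0;
    while (fgets(line, sizeof line, f)) {
        char *save = NULL;
        char *tok = strtok_r(line, " ", &save);
        for (int field = 1; tok && field < 5; field++)
            tok = strtok_r(NULL, " ", &save);
        if (tok && strcmp(tok, path) == 0) {
            found = 1;
            break;
        }
    }
    fclose(f);
    return found;
}

/* Make `new_root` the root of a fresh mount namespace and detach the old
 * root, the way a container runtime does before exec'ing the container's
 * init. Returns 0 on success, -1 with errno set on failure (ENOENT for a
 * missing directory, EPERM without CAP_SYS_ADMIN). */
int pivot_into(const char *new_root)
{
    char resolved[4096];
    struct stat st;
    if (!realpath(new_root, resolved))
        return -1;                      /* errno from realpath, e.g. ENOENT */
    if (stat(resolved, &st) != 0)
        return -1;
    if (!S_ISDIR(st.st_mode)) {
        errno = ENOTDIR;
        return -1;
    }
    /* 1. Private mount namespace: nothing below is visible to the host. */
    if (syscall(SYS_unshare, CLONE_NEWNS) != 0)
        return -1;
    /* 2. Stop mount events propagating back to the parent namespace
     *    (systemd makes / a shared mount by default). */
    if (mount("none", "/", NULL, MS_REC | MS_PRIVATE, NULL) != 0)
        return -1;
    /* 3. pivot_root(2) requires new_root to be a mount point; a recursive
     *    bind mount of the directory onto itself is the standard way. */
    if (mount(resolved, resolved, NULL, MS_BIND | MS_REC, NULL) != 0)
        return -1;
    if (is_mount_point(resolved) != 1) {
        errno = EINVAL;
        return -1;
    }
    /* 4. Swap the root mount. With new_root == put_old == ".", the old root
     *    ends up stacked on top of the new one at "." (pivot_root(2) NOTES). */
    if (chdir(resolved) != 0)
        return -1;
    if (syscall(SYS_pivot_root, ".", ".") != 0)
        return -1;
    /* 5. Detach the old root. After this the host filesystem is no longer in
     *    the mount table at all, so there is nothing for "cd .." to reach. */
    if (umount2(".", MNT_DETACH) != 0)
        return -1;
    return chdir("/");
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s <new-root-dir>\n", argv[0]);
        return 2;
    }
    if (pivot_into(argv[1]) != 0) {
        perror("pivot_into");
        return 1;
    }
    /* Everything exec'd from here sees only the new root (assumed to
     * contain its own /bin/sh, e.g. a busybox or debootstrap tree). */
    execl("/bin/sh", "sh", (char *)NULL);
    perror("execl");
    return 1;
}
```

Run it as root against a directory holding a minimal root filesystem; inside the resulting shell, cat /proc/self/mountinfo (after mounting a fresh proc) shows only the pivoted mount, and "cd ..; ls" from / lists the new root rather than the host. Note that pivot_root alone does not restrict /proc, /sys, devices or capabilities; it only removes the host's mount tree from the process's view.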
pivot_root is for use when the kernel is started with an initial ram disk image. The initial ram disk image is mounted as root by the kernel before it starts the init process (whose executable resides in the initial ram disk image). When init on the ram disk is ready for the main system to take over, it "pivots" root to the proper system root (as specified by the root= kernel command-line parameter) and then execs the proper system init program. – Alisun