Score:1

Availability of CHROOT in Docker containers and clusters


Is the Linux tool chroot generally usable in a Docker container running in clusters and cloud platforms?

(background) I'm developing an application where I may need to use chroot inside a Docker container. In a related question I expressed my confusion about chroot and the SYS_CHROOT Linux capability, which may or may not be required anymore to run chroot and may or may not be granted by default by Docker. That's why I think I have to tell system administrators, when deploying my applications, to specify --cap-add SYS_CHROOT to Docker in case it's not granted by default. But that's a command line argument of docker run, and I don't know if I can take it for granted that most cloud providers and cluster administrators will be able to grant the SYS_CHROOT capability to my container. Basically, I'm trying to predict issues that a system administrator may encounter when trying to install my application without being able to easily contact me, for example.

Why would you need chroot INSIDE a container?
Matteo T.
I don't need *one* chroot, I need many of them inside one container, as a possible solution I'm focused on as explained in my related, linked question: https://security.stackexchange.com/q/271856/297040.
The common way is to use a container per task.
Matteo T.
@GeraldSchneider your comment is interesting because containers are a very different path that I'm already following as an alternative, except I think it's common to use a container per *service* and not per *task* or job. My jobs are very short-lived (milliseconds) and I also look for some performance. Do you have sources, references, examples or anything? Thanks
Matteo T.
Also, a container per task may involve copying files. The performance drawback may be incomparable to that of a simpler chroot.
Matteo T.
Can the people who are upvoting Gerald's comment also explain their opinion?
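
A way to check the situation the question describes from inside the running container, as an added example that is not part of the original thread: it reads the effective capability mask from /proc/self/status and tests bit 18 (CAP_SYS_CHROOT in linux/capability.h). The function names and the sample mask are constructed for illustration; the check covers the capability only, so a seccomp or LSM policy can still deny chroot(2).

```shell
#!/bin/sh
# Added example: preflight check for CAP_SYS_CHROOT, meant to run inside the container.
# Function names are hypothetical; CAP_SYS_CHROOT is capability number 18.
CAP_SYS_CHROOT=18

# Print the hex mask of one capability set (CapEff, CapPrm, CapBnd, ...)
# from a /proc/<pid>/status-style file. Fails if the field is absent.
cap_mask() {  # usage: cap_mask FIELD [STATUS_FILE]
    awk -v f="$1:" '$1 == f { print $2; found = 1 } END { exit !found }' \
        "${2:-/proc/self/status}"
}

# Succeed if capability bit $2 is set in hex mask $1.
mask_has_cap() {  # usage: mask_has_cap HEXMASK BIT
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# Print granted / missing / unknown for the effective set, which is the set
# the kernel consults when the process calls chroot(2).
check_chroot_cap() {  # usage: check_chroot_cap [STATUS_FILE]
    eff=$(cap_mask CapEff "${1:-/proc/self/status}") || { echo unknown; return 2; }
    if mask_has_cap "$eff" "$CAP_SYS_CHROOT"; then
        echo granted
    else
        echo missing
        return 1
    fi
}

# Demo on a constructed status excerpt (not captured from a real host).
sample=$(mktemp)
printf 'Name:\tsh\nCapEff:\t00000000a80425fb\n' > "$sample"
echo "constructed sample: $(check_chroot_cap "$sample")"
rm -f "$sample"
```

Calling `check_chroot_cap` with no argument inspects the current process, so an entrypoint script can fail early with a clear message when the result is not `granted`.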