Installing mediabrowser in a jail root
I have been playing around with Media Browser lately. Media Browser is a streaming server, like Plex. For me it has the advantage that I can host the website and security at home. That way I can easily stream over HTTPS and control user authentication myself. For security reasons I installed it in a jail root using schroot on my Debian box. This is how I did it.
Preparing your host
First make sure you have a working installation of schroot on your box (using sudo here to show which steps should be executed as root):
sudo apt-get install schroot debootstrap
Then make the directory for your jail and install a base system:
sudo mkdir -p /srv/chroot/mediabrowser
sudo debootstrap jessie /srv/chroot/mediabrowser http://ftp.de.debian.org/debian
Please note that you will need to install jessie to get the right Mono versions for your installation. If you don’t install jessie, you need to manually install the latest Mono packages for Debian. Please also note that I install from the local German Debian repository. You can change to your local one if needed.
You need to create a user for your installation. The idea is that this user is known with the same ID in both your host and your jail (the guest system). This will make it easier to give the user access to system-wide resources.
sudo adduser --system --shell /bin/false --disabled-password --no-create-home mediabrowser
The system will output something like this:
Adding system user `mediabrowser' (UID 122) ...
You should remember the UID (you can later check the /etc/passwd file as well, if you know how to do that).
Configuring schroot
Make sure schroot knows your environment. We need to create or change some config files. First, as root, create the file /etc/schroot/chroot.d/mediabrowser and give it the following content:
[mediabrowser]
aliases=mb
directory=/srv/chroot/mediabrowser
type=directory
description=Chroot for the media browser service
users=mediabrowser
groups=root
root-groups=root
profile=mediabrowser
personality=linux
preserve-environment=true
This will make sure schroot knows about your jail. Schroot also needs to know how it should configure your jail. For that create the following directory:
sudo mkdir -p /etc/schroot/mediabrowser
In it you need to create three files (as root): copyfiles and fstab. The contents of /etc/schroot/mediabrowser/copyfiles should be:
# Files to copy into the chroot from the host system.
#
# <source and destination>
/etc/resolv.conf
The contents of /etc/schroot/mediabrowser/fstab should be as follows. Please note that I assume that you have your content locally on the host where you are installing your jail. If your content is on a remote (samba or nfs) host, you need to add the right commands to mount those remote filesystems.
# fstab: static file system information for chroots.
# Note that the mount point will be prefixed by the chroot path
# (CHROOT_PATH)
#
# <file system> <mount point> <type> <options> <dump> <pass>
/proc /proc none rw,bind 0 0
/sys /sys none rw,bind 0 0
/dev /dev none rw,bind 0 0
/dev/pts /dev/pts none rw,bind 0 0
#/home /home none rw,bind 0 0
/tmp /tmp none rw,bind 0 0
# Add mounts to your content files here, what follows is an example
/path/to/content/on/your/host /path/on/your/guest/to/mount/that/content none rw,bind 0 0
Note: you can also specify an nssdatabases file in this directory. I personally don’t want to copy any configuration files from my host to my guest, so I don’t use it. See the schroot documentation to make use of this feature.
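As an added check (not part of the original post), this shell function lists every entry in a schroot fstab that is not marked ro and labels host system trees separately from content directories, so you can review what the jailed service is able to write to. The function names, the list of "system" prefixes and the /srv sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: review which mounts a schroot fstab exposes writable to the jail.
# Usage: audit_schroot_fstab /etc/schroot/mediabrowser/fstab   (or pipe on stdin)
# Output, one line per writable entry: "<class> <source> <mount point>"
#   system  = host system tree (prefix list below is an assumption, adjust it)
#   content = anything else, e.g. your media directories
audit_schroot_fstab() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }        # skip blank lines and comments
        NF < 4 {                             # fstab needs at least 4 fields
            printf "line %d: malformed entry\n", NR | "cat 1>&2"
            next
        }
        {
            src = $1; mnt = $2; opts = "," $4 ","
            # Treat the entry as writable unless its options list "ro".
            if (opts ~ /,ro,/) next
            class = "content"
            if (src ~ /^\/(proc|sys|dev|tmp|home|etc|root|run|var)(\/|$)/)
                class = "system"
            print class, src, mnt
        }
    ' "${1:--}"
}

# Constructed sample: the entries from the fstab above, plus two hypothetical
# content mounts under /srv (one read-only, one writable).
sample_fstab() {
    cat <<'EOF'
# <file system> <mount point> <type> <options> <dump> <pass>
/proc /proc none rw,bind 0 0
/sys /sys none rw,bind 0 0
/dev /dev none rw,bind 0 0
/dev/pts /dev/pts none rw,bind 0 0
#/home /home none rw,bind 0 0
/tmp /tmp none rw,bind 0 0
/srv/media /media none ro,bind 0 0
/srv/cache /var/cache/mb none rw,bind 0 0
EOF
}

# Audit the file given as argument, or the constructed sample when run bare.
if [ "$#" -gt 0 ]; then
    audit_schroot_fstab "$1"
else
    sample_fstab | audit_schroot_fstab
fi
```

Every line printed is a path that a process inside the jail can modify on the host, subject to normal file permissions for the mediabrowser user.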