Install Debian (based) Linux Distributions in a Folder

From Whonix


Ambox warning pn.svg.png Documentation for this entry is incomplete. Contributions are happily considered!

Chroot Use Cases[edit]

Chroot Security[edit]

chroot is not a security feature [archive].




Quote Changing Roots [archive]:

  • systemd-nspawn tool which acts as chroot(1) on steroids

  • it makes use of file system and PID namespaces to boot a simple lightweight container on a file system tree.

  • It can be used almost like chroot(1), except that the isolation from the host OS is much more complete, a lot more secure and even easier to use

  • systemd-nspawn is capable of booting a complete systemd or sysvinit OS in container with a single command.

  • Booting of the container can take less than 3 seconds.


Can systemd-nspawn be made a secure jail? The following quote might be outdated and/or not reflect a "hardened container". Quote systemd lead developer [archive]:

Note however that this protects the host OS only from accidental changes of its parameters. A process in the container can manually remount the file systems read-writeable and then change whatever it wants to change.

What are these issues? Related to running root vs non-root inside the container? Can these security holes nowadays be closed?

Since we are inside a VM already, can containers be used for better security?

Quote systemd-nspawn man page [archive]:


Specify one or more additional capabilities to drop for the container. This allows running the container with fewer capabilities than the default (see above).

Quote [archive]

systemd-nspawn supports unprivileged containers,


, though the containers need to be booted as root.

That could be an OK limitation?

See also:

Exit systemd-nspawn[edit]

To leave the chroot press keep holding key CTRL and press key 5 quickly 3 times within 1 second. [1]

See Also[edit]

LXC[edit] [archive]


mmdebstrap is a tool that can be used to securely create chroots.

Using debootstrap is insecure at times such as if APT is vulnerable and the fixed package only available from APT repository not the regular Debian repository because it can use only 1 APT repository at a time. And does not include all packages created to create a chroot.

A secure alternative is mmdebstrap. [2] See also other advantages of mmdebstrap [archive].


  • xchroot [archive]: chroot for users with Xorg/X11 forwarding and automatic mounting + aufs/unionfs read only root support.


Fosshost is sponsors Kicksecure ™ stage server Whonix old logo.png
Fosshost About Advertisements

Search engines: YaCy | Qwant | ecosia | MetaGer | peekier | Whonix ™ Wiki

Follow: 1024px-Telegram 2019 Logo.svg.png Iconfinder Apple Mail 2697658.png Twitter.png Facebook.png Rss.png Reddit.jpg 200px-Mastodon Logotype (Simple).svg.png

Support: 1024px-Telegram 2019 Logo.svg.png Discourse logo.png Matrix logo.svg.png

Donate: Donate Bank Wire Paypal Bitcoin accepted here Monero accepted here Contriute

Whonix donate bitcoin.png Monero donate Whonix.png United Federation of Planets 1000px.png

Twitter-share-button.png Facebook-share-button.png Telegram-share.png link=mailto:?subject=Installation of Debian based Linux distributions in a folder chroot&body= link= of Debian based Linux distributions in a folder chroot link= of Debian based Linux distributions in a folder chroot link= of Debian based Linux distributions in a folder chroot%20 of Debian based Linux distributions in a folder chroot

Have you read our Documentation, Design and Developer Portal links yet?

https link onion link Priority Support | Investors | Professional Support

Whonix | © ENCRYPTED SUPPORT LP | Heckert gnu.big.png Freedom Software / Osi standard logo 0.png Open Source (Why?)

The personal opinions of moderators or contributors to the Whonix ™ project do not represent the project as a whole.

By using our website, you acknowledge that you have read, understood and agreed to our Privacy Policy, Cookie Policy, Terms of Service, and E-Sign Consent.