Running glibc programs

From Alpine Linux
Revision as of 19:05, 9 December 2018 by Astrawso (talk | contribs)
Jump to: navigation, search
Out of date clock icon.svg
This material is obsolete ...

Since 2014-04-09, Alpine has been shipping with musl instead of uclibc, as such, the instructions in this guide may be obsolete (Discuss)

Underconstruction clock icon gray.svg
This material is work-in-progress ...

Do not follow instructions here until this notice is removed.
(Last edited by Astrawso on 9 Dec 2018.)

If you want to run glibc programs in Alpine Linux, there are a few ways of doing so. You could install glibc as additional to uclibc (you would have to do this manually), or you could do it the easy way and use a chroot.

Because there are different use cases, this is just a slight overview about what's possible and what's intelligent.

Your options

Using BusyBox

First, the simplest approach for setting up a chroot is by using a glibc build of BusyBox.

This approach has just a few downsides:-

  • You have to link most /bin/ and /usr/bin programs against /bin/busybox, and some BusyBox builds break if you don't configure them correctly.
  • You have to manually download every library you need for your program manually.

However, if you want a small environment for one simple use case, then this is the solution you want.

Using a live CD

If you prefer using any special distro, you can always download and extract a live CD and use it as a chroot enviroment.

Using an image

For Gentoo, it is the slowest approach especially on slow machines since it is not binary distribution and can be indecisive, but you have the advantage of controlling the package version of whichever library you will install. A drawback would be a big build. You have to install a Portage tree, which uses up a lot of space. (It's not 100% necessary if you don't have to install any additional content that you won't need.) Sometimes the package will fail on compilation phase of emerge. You either end up patching it yourself or waiting for a fix to appear on their Bugzilla from an experienced user.

For Arch or Debian, it is recommended since packages are precompiled and better at unattended package installation. This approach isn't as easily executed as the other alternatives, but this may be the cleanest and most recommended one for the every day user.

How to do it

This is just a quick draft, so here it comes.

Using BusyBox

First, we need to download BusyBox. You can choose any of your favourite distros to download a prebuilt version. For instance, you could use Arch Linux packages, as follows:

wget -O busybox.pkg.tar.xz
wget -O glibc.pkg.tar.xz
mkdir -p ~/chroot/usr/bin/ ~/chroot/{dev,proc,root,etc}
for i in *.pkg.tar.xz;do
bsdtar xfJ $i -C ~/chroot
cp /etc/resolv.conf ~/chroot/etc/
ln -s /bin/busybox ~/chroot/bin/sh
ln -s /bin/busybox ~/chroot/bin/ln
sudo chroot ~/chroot/ /bin/sh

This creates a simple chroot enviroment, which we will expand through all the commands included in BusyBox:

for i in $(busybox --list);do ln -s /bin/busybox /usr/bin/$i;done

Using a live CD

Underconstruction clock icon gray.svg
This material is work-in-progress ...

Contributions welcome
(Last edited by Astrawso on 9 Dec 2018.)

Using an image

Gentoo Linux

Select a stage3 from here and portage latest from here at gentoo/snapshots/portage-latest.tar.xz.


sudo apk add xz

You also may need the vanilla kernel. If any time Gentoo decides to update PAM, you need it for it to emerge successfully without problems.

sudo apk add kernel-vanilla

Add the kernel-vanilla to Grub and reboot with the vanilla kernel if you are going to pull in both git and layman which they use to download user community supported packages.

Enter the chroot:

mkdir ~/chroot
cd ~/chroot
tar -xvf stage3-*.tar.xz
tar -xvf portage-latest.tar.xz
mv portage usr
sudo mount --bind /dev dev
sudo mount --bind /sys sys
sudo mount -t proc proc proc
cp /etc/resolv.conf etc
sudo chroot . /bin/bash

And voilà, you have your working Gentoo chroot!

You can now take a look at Gentoo's Handbook to find out how you can configure and install your system, or simply extract/copy the program you need to run in your chroot enviroment and execute it.

Here is a wrapper script that is similar to arch-chroot when you frequently reuse this chroot:

Also, create an account with the same user name as host current user to the chroot or make changes to the userspec option to chroot line.

Contents of

!/bin/bash CHROOT_PATH="/home/$USER/chroot" cd $CHROOT_PATH mount | grep $CHROOT_PATH/dev || sudo mount --bind /dev dev mount | grep $CHROOT_PATH/sys || sudo mount --bind /sys sys mount | grep $CHROOT_PATH/proc || sudo mount -t proc proc proc cp /etc/resolv.conf etc sudo chroot --userspec=$USER:users . /bin/bash echo "You must manually unmount $CHROOT_PATH/dev, $CHROOT_PATH/sys, $CHROOT_PATH/proc."

Do at chmod +x to get it to work.

Arch Linux

Although pacstrap is included with the arch-install-scripts package, it will not work unless the target directory is a mountpoint, so the Arch bootstrap image must be used instead (the image is updated every month, so change the date in the link as required):

 sudo apk add arch-install-scripts
 mkdir ~/chroot && cd ~/chroot
 curl -O
 tar xzf archlinux-bootstrap-2018.01.01-x86_64.tar.gz && rm archlinux-bootstrap-2018.01.01-x86_64.tar.gz
 sed -i '/evowise/s/^#//' root.x86_64/etc/pacman.d/mirrorlist
 sudo arch-chroot root.x86_64
 [chroot]# pacman-key --init
 [chroot]# pacman-key --populate archlinux

Once that is done, update the system and install the desired package(s) (denoted by "foo" in this example):

 [chroot]# pacman -Syu foo


Use the provided debootstrap package to create the Debian chroot. --arch is optional, depending of your needs.

On the linux-grsec kernel, you will need to relax chroot limitations:

 sudo apk add debootstrap
 for i in /proc/sys/kernel/grsecurity/chroot_*; do echo 0 | sudo tee $i; done
 mkdir ~/chroot
 sudo debootstrap --arch=i386 wheezy ~/chroot
 for i in /proc/sys/kernel/grsecurity/chroot_*; do echo 1 | sudo tee $i; done
 sudo chroot ~/chroot /bin/bash

You can now use apt-get to install needed packages.


Source dedicated server

Here is an easy example of how you can run srcds in a simple BusyBox chroot.

For this server, you will only need the basic chroot and an advanced tar version (the BusyBox version is not sufficient because of the missing -U command):

wget -O busybox.pkg.tar.xz
wget -O glibc.pkg.tar.xz
wget -O tar.pkg.tar.xz
mkdir -p ~/chroot/usr/bin/ ~/chroot/{dev,proc,root,etc}
for i in *.pkg.tar.xz;do
bsdtar xfJ $i -C ~/chroot
cp /etc/resolv.conf ~/chroot/etc/
ln -s /bin/busybox ~/chroot/bin/sh
ln -s /bin/busybox ~/chroot/bin/ln
sudo chroot ~/chroot/ /bin/sh

Now that you are in a working chroot, you can download the server and install it. You just have to execute the following self-explaining commands...

mkdir ~/work
cd ~/work
busybox wget
chmod +x hldsupdatetool.bin
ln -s /bin/busybox ./uncompress
cp /bin/tar . #right now executing programs from $PATH is buggy, soon to be fixed (no bug in BusyBox, but in my script)
./hdsupdatetool.bin #you can accept it or not ;)

...and you should have a working chroot with srcds installed in it.

If you think you are clever or elegant, you can use the server with a bash script:

chroot ~/chroot /root/work/steam $@

Just save it (in your Alpine installation) under /usr/bin/steam, do a chmod +x /usr/bin/steam and have fun!

Warning: This script would let Steam run with root priviliges. This is not recommended.


So let's run MegaCli in a chroot too, shall we? ;)

First we set up a uclibc chroot :)

MegaCli needs more than just glibc. It needs ncurses and the gcc-libs:

wget -O busybox.pkg.tar.xz
wget -O glibc.pkg.tar.xz
wget -O ncurses.pkg.tar.xz
wget -O gcc-libs.pkg.tar.xz
mkdir -p ~/chroot/usr/bin/ ~/chroot/{dev,proc,root,etc,sys}
cp /etc/resolv.conf ~/chroot/etc/
for i in *.pkg.tar.xz;do
bsdtar xfJ $i -C ~/chroot
ln -s /bin/busybox ~/chroot/bin/sh
ln -s /bin/busybox ~/chroot/bin/ln

After this, we visit this site and download

mkdir tmp
cd tmp
unzip ../
#Now comes code stolen from rpm2cpio
o=`expr 96 + 8`
set `od -j $o -N 8 -t u1 MegaCli-8.02.16-1.i386.rpm`
il=`expr 256 \* \( 256 \* \( 256 \* $2 + $3 \) + $4 \) + $5`
dl=`expr 256 \* \( 256 \* \( 256 \* $6 + $7 \) + $8 \) + $9`
sigsize=`expr 8 + 16 \* $il + $dl`
o=`expr $o + $sigsize + \( 8 - \( $sigsize \% 8 \) \) \% 8 + 8`
set `od -j $o -N 8 -t u1 MegaCli-8.02.16-1.i386.rpm`
il=`expr 256 \* \( 256 \* \( 256 \* $2 + $3 \) + $4 \) + $5`
dl=`expr 256 \* \( 256 \* \( 256 \* $6 + $7 \) + $8 \) + $9`
hdrsize=`expr 8 + 16 \* $il + $dl`
o=`expr $o + $hdrsize`
dd if=MegaCli-8.02.16-1.i386.rpm ibs=$o skip=1 2>/dev/null |bsdtar -xf -
#wow ...
rm opt/MegaRAID/MegaCli/MegaCli64 # who needs 64bit?
cp -r opt/ ~/chroot/

Now we have a working MegaCli client in our chroot.

As with srcds, we do not want to operate from inside the chroot, so here is a little script that should ease you up (use at your own risk):

if [ "$user" != "root" ];then
echo "This script needs root access"
mount -t proc proc ~/chroot/proc/
mount --bind /dev/ ~/chroot/dev/
mount --bind /sys/ ~/chroot/sys/
#we may need dev and maybe proc too to use this program
chroot ~/chroot /opt/MegaRAID/MegaCli/MegaCli $@
umount ~/chroot/proc
umount ~/chroot/dev
umount ~/chroot/sys

Save it under /usr/bin/MegaCli. Do a chmod +x /usr/bin/MegaCli and good luck.

Note: This method takes around 50mb. If you need something smaller, then you can strip a few files from glibc (not recommended), or work on a squashfs.

With the following, you can create a squashfs that is around 15mb small:

mksquashfs ~/chroot/ /chroot.sfs -b 65536

When you add a unionfs layer, you can even use it with write access, or you can bind some directories to the writeable directories before you chroot into it.

I will look into it later on.

You can save the chroot in another directory than your home directory, and you can even install a chroot through an APKBUILD (after someone wrote it).

With this, you could use many glibc-dependent programs through one chroot, but be aware that running programs like this should not be standard. This should only be used in extreme situations, as in _closed source_ tools linked against glibc.

Skype on Debian chroot

Underconstruction clock icon gray.svg
This material is work-in-progress ...

Not yet validated
(Last edited by Astrawso on 9 Dec 2018.)

This is an example on how to run Skype from a Debian 32b chroot.

 sudo chroot ~/chroot
 dpkg -i getskype-linux-deb

To fix missing dependencies, you will want to use:

 apt-get -f install

Then, exit the chroot:


Fix PAX flags on Skype binary - linux-grsec only.

ELF marking with paxctl cannot be used because Skype binary refuses to run if modified.

CONFIG_PAX_XATTR_PAX_FLAGS is NOT yet available in linux-grsec.

 sudo apk add attr
 sudo setfattr -n user.pax.flags -v "em" ~/chroot/usr/bin/skype

Mount needed directories in the chroot read-only to limit access to the system devices.

Give write access to /dev/v4l and to /dev/snd in order to let Skype use the webcam device: Skype is not compatible with Alsa anymore and requires Pulseaudio to be running.

 sudo mount -o bind /proc ~/chroot/proc
 sudo mount -o bind,ro,remount /proc ~/chroot/proc
 sudo mount -o bind /sys ~/chroot/sys
 sudo mount -o bind,ro,remount /sys ~/chroot/sys
 sudo mount -o bind /dev ~/chroot/dev
 sudo mount -o bind,ro,remount /dev ~/chroot/dev
 sudo mount -o bind /dev/v4l ~/chroot/dev/v4l
 sudo mount -t tmpfs -o nodev,nosuid,noexec shm $CHROOT_PATH/dev/shm

Enter the chroot and create a user:

 sudo chroot ~/chroot
 useradd -G audio,video <username>

Then run Skype as your newly created user:

 sudo chroot ~/chroot /bin/su - <username> -c /usr/bin/skype

Dungeon Crawl (Stone Soup) on Arch

Once the Arch system is laid down (to ~/chroot/root.x86_64 in this example), install the game:

 sudo arch-chroot ~/chroot/root.x86_64
 [chroot]# pacman -Syu crawl-tiles

Then exit the chroot and run it with this command:

 sudo arch-chroot ~/chroot/root.x86_64 /bin/su -c 'DISPLAY=:0 crawl-tiles'

A separate user can also be created to run the game, if preferred.


Docker method

Read the Docker page to install it. Then clone the repository, as shown below. It will automate the process of pulling all the dependencies, and PaX marks it for the hardened kernel. The advantage of this container is that it is ready-to-use and has stripped down many of the /usr/bin executables. The downside is that is unstable.

git clone

Follow the instructions in the

Chroot method

The Chroot method the preferred method; it doesn't have the black screen bug and is more stable. Just translate the Dockerfile instructions into native sh (Bourne shell). The trick again is to run Spotify as root with sudo inside the chroot – not as regular user.

Use sudo aplay -l to verify that the soundcard is detected. When you use either this or the Docker method, which relies on ALSA, there could be a conflict depending on who grabs the sound card. Stop all browsers or programs using the sound device outside of the chroot or the docker image so that Spotify can use it.

I did some translation. You may need to make changes.

To update, just delete it and call again. You will still need the Arch Linux bootstrap image. Extract the image. Next, copy and paste the code shown below into root.x86_64; chmod +x Then, run sudo arch-chroot root.x86_64. Then, run ./

Contents of

# Copyright (c) 2018 Orson Teodoro <> # # Permission is hereby granted, free of charge, to any person obtaining a copy # of this software and associated documentation files (the "Software"), to deal # in the Software without restriction, including without limitation the rights # to use, copy, modify, merge, publish, distribute, sublicense, and/or sell # copies of the Software, and to permit persons to whom the Software is # furnished to do so, subject to the following conditions: # # The above copyright notice and this permission notice shall be included in all # copies or substantial portions of the Software. # # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR # IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, # FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE # AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER # LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, # OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE # SOFTWARE. pacman --noconfirm -Syu pacman --noconfirm -S base-devel pacman --noconfirm -S xorg-server pacman --noconfirm -S shadow pacman --noconfirm -S sudo pacman --noconfirm -S git chmod 0660 /etc/sudoers sed -i -e 's|# %wheel ALL=(ALL) NOPASSWD: ALL|%wheel ALL=(ALL) NOPASSWD: ALL\nspotify ALL=(ALL:ALL) NOPASSWD:ALL\n|g' /etc/sudoers || return 1 chmod 0440 /etc/sudoers echo "Creating user spotify" useradd -m spotify echo "Deleting password for spotify" passwd -d spotify gpasswd -a spotify users gpasswd -a spotify audio gpasswd -a spotify video gpasswd -a spotify wheel echo "switching to spotify nix account" su spotify cd /home/spotify mkdir aur cd aur cd /home/spotify/aur git clone cd /home/spotify/aur/spotify sudo -u spotify makepkg --noconfirm -si cd /home/spotify/aur/ git clone cd /home/spotify/aur/paxctl sudo -u spotify makepkg --noconfirm -si #for grsecurity kernels like Alpine sudo paxctl -C /usr/share/spotify/spotify sudo paxctl -z /usr/share/spotify/spotify sudo paxctl -m /usr/share/spotify/spotify sudo pacman --noconfirm -S alsa-lib sudo pacman --noconfirm -S alsa-utils #confirm that the sound card(s) shows up sudo aplay -l sudo spotify

To make this easier, create a launcher script:

Contents of

!/bin/bash DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" cd $DIR sudo arch-chroot -u spotify root.x86_64 /bin/sh -c "sudo spotify"

If it shows (spotify:4): Gtk-WARNING **: cannot open display: :0.0 Before running Spotify try:

 xhost +local:

You could insert it at the very top in the above wrapper script.

You may want to look at this script to learn how to lock it down by removing the unnecessary cruft in your chroot collections that may be abused.