chroot is helpful in that you can sandbox the execution path, and if someone manages to escape your
app, the amount of data they are going to discover is limited. For example, if you have a config file
with URI, username and password stored in a file… if they manage to get access to the
they may not be able to open the file without the right tools… so for example do not put the
application in the
If you’re exposing a web-like service… you won’t be able to share ports across more than one service.
For example, if this is a simple static page then you need to deploy a different port per application
and then add some sort of proxy like haproxy which multiplexes ports 80 and 443 to the individual
services. That also means that the individual services should be attached to localhost instead of
0.0.0.0, leaving the proxy to bridge the external to the internal.
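An added example (not from the original post) of the layout described above: haproxy is the only process bound to the public ports 80 and 443 and routes by Host header to per-chroot services that listen only on localhost. The hostnames, backend ports and certificate path are placeholders.

```haproxy
# Added example: haproxy as the only process bound to the public ports.
# Hostnames, backend ports and the certificate path are placeholders.
global
    log /dev/log local0
    # run haproxy itself in its own chroot, unprivileged
    chroot /var/lib/haproxy
    user haproxy
    group haproxy

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client 30s
    timeout server 30s

# Port 80 only redirects to HTTPS
frontend http_in
    bind 0.0.0.0:80
    http-request redirect scheme https code 301 unless { ssl_fc }

# Port 443 terminates TLS and picks a backend by Host header
frontend https_in
    bind 0.0.0.0:443 ssl crt /etc/haproxy/certs/site.pem   # placeholder path
    acl host_static hdr(host) -i static.example.test
    acl host_app    hdr(host) -i app.example.test
    use_backend static_site if host_static
    use_backend app_service if host_app
    default_backend static_site

# Each chrooted service listens on 127.0.0.1 only, never 0.0.0.0,
# so it is unreachable except through the proxy.
backend static_site
    server static1 127.0.0.1:8081 check

backend app_service
    server app1 127.0.0.1:8082 check
```

After starting everything, `ss -ltn` should show the services on 127.0.0.1:8081 and 127.0.0.1:8082 and only haproxy on 0.0.0.0:80 and 0.0.0.0:443.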
If you need a dedicated IP (shared common port) per chroot then you really need a VM or a container.
Many modern Linux OSes are using systemd, giving you access to systemd-networkd and so on (subject for an upcoming).
chroot while similar is not to be confused with