When a Debian task needs a separate root filesystem but not a full virtual machine, a chroot lets commands run against another Debian tree while still sharing the host kernel. That makes it useful for package tests, repair shells, and controlled command checks where host packages should not be changed.
The debootstrap tool creates the Debian base system in a target directory, writes the initial APT source configuration, and installs enough packages for the selected release to run. Using a release codename such as trixie is clearer than using stable when the directory is meant to be reused after Debian's stable release changes.
A chroot is not a security container, because processes still use the host kernel and privileged bind mounts can expose host devices. Build it under a dedicated path, mount only the pseudo-filesystems needed for the session, and unmount them before deleting or archiving the directory.
$ sudo apt update
$ sudo apt install debootstrap ca-certificates
##### snipped #####
Setting up debootstrap (1.0.141) ...
ca-certificates keeps HTTPS mirrors usable when the host package set is minimal.
$ CHROOT=/srv/chroot/debian-trixie
Use a release-specific path so multiple Debian chroots can coexist without relying on what stable points to later.
$ sudo mkdir -p "$CHROOT"
$ sudo debootstrap --variant=minbase trixie "$CHROOT" http://deb.debian.org/debian
I: Retrieving InRelease
I: Checking Release signature
I: Valid Release signature
I: Retrieving Packages
##### snipped #####
I: Base system installed successfully.
minbase creates a compact system with required packages and APT. Use --variant=buildd only when the chroot should start with Debian package-build tools.
$ sudo mount -t proc proc "$CHROOT/proc"
$ sudo mount -t sysfs sysfs "$CHROOT/sys"
$ sudo mount --bind /dev "$CHROOT/dev"
The /dev bind mount exposes host device nodes inside the chroot. Use it only while the chroot session is active, and unmount it before cleanup.
$ sudo chroot "$CHROOT" /usr/bin/apt update
Hit:1 http://deb.debian.org/debian trixie InRelease
Reading package lists... Done
Building dependency tree... Done
All packages are up to date.
$ sudo chroot "$CHROOT" /bin/bash
Packages installed from this shell are written under /srv/chroot/debian-trixie, not into the host filesystem.
# exit
exit
$ sudo umount "$CHROOT/dev"
$ sudo umount "$CHROOT/sys"
$ sudo umount "$CHROOT/proc"
If an unmount reports that the target is busy, close shells and processes that are still using the chroot before retrying.
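The unmount-before-cleanup rule above can be enforced with a check. This is an added example, not part of the original page: a recursive delete or archive that runs while the /dev bind mount is still live would descend into the host's device nodes, so the helper lists every mount still active under the chroot path. The function names and the sample mountinfo lines are constructed for illustration.

```sh
#!/bin/sh
# Added example: find mounts still active under a chroot before cleanup.

# Constructed sample in /proc/self/mountinfo format (field 5 = mount point).
# The devpts line is an extra nested mount added to show ordering.
sample_mountinfo() {
    cat <<'EOF'
36 25 0:5 / /dev rw,nosuid shared:2 - devtmpfs udev rw
101 25 0:22 / /srv/chroot/debian-trixie/proc rw shared:60 - proc proc rw
102 25 0:23 / /srv/chroot/debian-trixie/sys rw shared:61 - sysfs sysfs rw
103 25 0:5 / /srv/chroot/debian-trixie/dev rw,nosuid shared:2 - devtmpfs udev rw
104 103 0:24 / /srv/chroot/debian-trixie/dev/pts rw shared:3 - devpts devpts rw
105 25 0:25 / /srv/chroot/debian-trixie-old/proc rw shared:62 - proc proc rw
EOF
}

# chroot_mounts ROOT [MOUNTINFO]
# Print mount points at or below ROOT, deepest first (a safe umount order).
# Matching on "ROOT/" keeps a sibling such as ROOT-old out of the result.
# Paths containing spaces are escaped as \040 in mountinfo; not decoded here.
chroot_mounts() {
    root=${1%/}
    info=${2:-/proc/self/mountinfo}
    awk -v root="$root" \
        '$5 == root || index($5, root "/") == 1 { print $5 }' "$info" |
        LC_ALL=C sort -r
}

# chroot_is_unmounted ROOT [MOUNTINFO]
# Return 0 when nothing is mounted under ROOT; otherwise list what is left
# on stderr and return 1 so a cleanup script can stop before deleting.
chroot_is_unmounted() {
    left=$(chroot_mounts "$1" "${2:-/proc/self/mountinfo}")
    if [ -z "$left" ]; then
        return 0
    fi
    printf 'still mounted under %s:\n%s\n' "$1" "$left" >&2
    return 1
}

# Demo on the constructed sample: read-only, needs no root, unmounts nothing.
demo=$(mktemp)
sample_mountinfo > "$demo"
chroot_mounts /srv/chroot/debian-trixie "$demo"
rm -f "$demo"
```

On a live host, omit the second argument so the functions read /proc/self/mountinfo, and run chroot_is_unmounted "$CHROOT" before any delete or archive step.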