Post by Mantas MikulÄnas
Does debootstrap actually create a passwordless root account?
No, it creates a system with all system accounts locked (including
root, daemon, bin, www-data, etc.) and no non-system accounts. There is
no single correct answer for how a Debian system's users should be set
up, so debootstrap defers the decision to you.
If you want to log in via a getty (as opposed to just running commands
inside the chroot/container without booting it, which is perhaps a
more common use of debootstrap), then you will have to set or clear the
root account's password or create a non-root account.
In recent versions, a truly minimal Debian chroot/container (debootstrap
--variant=minbase) doesn't have an init system like systemd or sysvinit,
so it *can't* be booted in the normal way. The larger "standard system"
produced by debootstrap without --variant includes all packages with
Priority >= standard, including systemd for modern releases or sysvinit
for old releases, and can be booted.
$ zcat minbase.tar.gz | tar -xO ./etc/passwd | grep root
$ zcat minbase.tar.gz | tar -xO ./etc/shadow | grep root