| .TH NSENTER 1 "June 2013" "util-linux" "User Commands" |
| .SH NAME |
| nsenter \- run program with namespaces of other processes |
| .SH SYNOPSIS |
| .B nsenter |
| [options] |
| .RI [ program |
| .RI [ arguments ]] |
| .SH DESCRIPTION |
| Enters the namespaces of one or more other processes and then executes the specified |
| program. Enterable namespaces are: |
| .TP |
| .B mount namespace |
| Mounting and unmounting filesystems will not affect the rest of the system |
| .RB ( CLONE_\:NEWNS |
| flag), except for filesystems which are explicitly marked as shared (with |
| \fBmount --make-\:shared\fP; see \fI/proc\:/self\:/mountinfo\fP for the |
| \fBshared\fP flag). |
| .TP |
| .B UTS namespace |
| Setting hostname or domainname will not affect the rest of the system. |
| .RB ( CLONE_\:NEWUTS |
| flag) |
| .TP |
| .B IPC namespace |
| The process will have an independent namespace for System V message queues, |
| semaphore sets and shared memory segments. |
| .RB ( CLONE_\:NEWIPC |
| flag) |
| .TP |
| .B network namespace |
| The process will have independent IPv4 and IPv6 stacks, IP routing tables, |
| firewall rules, the |
| .I /proc\:/net |
| and |
| .I /sys\:/class\:/net |
| directory trees, sockets, etc. |
| .RB ( CLONE_\:NEWNET |
| flag) |
| .TP |
| .B PID namespace |
| Children will have a set of PID to process mappings separate from the |
| .B nsenter |
| process |
| .RB ( CLONE_\:NEWPID |
| flag). |
| .B nsenter |
| will fork by default if changing the PID namespace, so that the new program |
| and its children share the same PID namespace and are visible to each other. |
| If \fB\-\-no\-fork\fP is used, the new program will be exec'ed without forking. |
| .TP |
| .B user namespace |
| The process will have a distinct set of UIDs, GIDs and capabilities. |
| .RB ( CLONE_\:NEWUSER |
| flag) |
| .TP |
| See \fBclone\fP(2) for the exact semantics of the flags. |
| .TP |
| If \fIprogram\fP is not given, then ``${SHELL}'' is run (default: /bin\:/sh). |
| |
| .SH OPTIONS |
| .TP |
| \fB\-t\fR, \fB\-\-target\fR \fIpid\fP |
| Specify a target process to get contexts from. The paths to the contexts |
| specified by |
| .I pid |
| are: |
| .RS |
| .PD 0 |
| .IP "" 20 |
| .TP |
| /proc/\fIpid\fR/ns/mnt |
| the mount namespace |
| .TP |
| /proc/\fIpid\fR/ns/uts |
| the UTS namespace |
| .TP |
| /proc/\fIpid\fR/ns/ipc |
| the IPC namespace |
| .TP |
| /proc/\fIpid\fR/ns/net |
| the network namespace |
| .TP |
| /proc/\fIpid\fR/ns/pid |
| the PID namespace |
| .TP |
| /proc/\fIpid\fR/ns/user |
| the user namespace |
| .TP |
| /proc/\fIpid\fR/root |
| the root directory |
| .TP |
| /proc/\fIpid\fR/cwd |
| the working directory respectively |
| .PD |
| .RE |
| .TP |
| \fB\-m\fR, \fB\-\-mount\fR[=\fIfile\fR] |
| Enter the mount namespace. If no file is specified, enter the mount namespace |
| of the target process. If file is specified, enter the mount namespace |
| specified by file. |
| .TP |
| \fB\-u\fR, \fB\-\-uts\fR[=\fIfile\fR] |
| Enter the UTS namespace. If no file is specified, enter the UTS namespace of |
| the target process. If file is specified, enter the UTS namespace specified by |
| file. |
| .TP |
| \fB\-i\fR, \fB\-\-ipc\fR[=\fIfile\fR] |
| Enter the IPC namespace. If no file is specified, enter the IPC namespace of |
| the target process. If file is specified, enter the IPC namespace specified by |
| file. |
| .TP |
| \fB\-n\fR, \fB\-\-net\fR[=\fIfile\fR] |
| Enter the network namespace. If no file is specified, enter the network |
| namespace of the target process. If file is specified, enter the network |
| namespace specified by file. |
| .TP |
| \fB\-p\fR, \fB\-\-pid\fR[=\fIfile\fR] |
| Enter the PID namespace. If no file is specified, enter the PID namespace of |
| the target process. If file is specified, enter the PID namespace specified by |
| file. |
| .TP |
| \fB\-U\fR, \fB\-\-user\fR[=\fIfile\fR] |
| Enter the user namespace. If no file is specified, enter the user namespace of |
| the target process. If file is specified, enter the user namespace specified by |
| file. See also the \fB\-\-setuid\fR and \fB\-\-setgid\fR options. |
| .TP |
| \fB\-G\fR, \fB\-\-setgid\fR \fIgid\fR |
| Set the group ID which will be used in the entered namespace and drop |
| supplementary groups. |
| .BR nsenter (1) |
| always sets GID for user namespaces, the default is 0. |
| .TP |
| \fB\-S\fR, \fB\-\-setuid\fR \fIuid\fR |
| Set the user ID which will be used in the entered namespace. |
| .BR nsenter (1) |
| always sets UID for user namespaces, the default is 0. |
| .TP |
| \fB\-\-preserve\-credentials\fR |
| Don't modify UID and GID when enter user namespace. The default is to |
| drops supplementary groups and sets GID and UID to 0. |
| .TP |
| \fB\-r\fR, \fB\-\-root\fR[=\fIdirectory\fR] |
| Set the root directory. If no directory is specified, set the root directory to |
| the root directory of the target process. If directory is specified, set the |
| root directory to the specified directory. |
| .TP |
| \fB\-w\fR, \fB\-\-wd\fR[=\fIdirectory\fR] |
| Set the working directory. If no directory is specified, set the working |
| directory to the working directory of the target process. If directory is |
| specified, set the working directory to the specified directory. |
| .TP |
| \fB\-F\fR, \fB\-\-no\-fork\fR |
| Do not fork before exec'ing the specified program. By default, when entering a |
| PID namespace, \fBnsenter\fP calls \fBfork\fP before calling \fBexec\fP so that |
| any children will also be in the newly entered PID namespace. |
| .TP |
| \fB\-V\fR, \fB\-\-version\fR |
| Display version information and exit. |
| .TP |
| \fB\-h\fR, \fB\-\-help\fR |
| Display help text and exit. |
| .SH SEE ALSO |
| .BR setns (2), |
| .BR clone (2) |
| .SH AUTHOR |
| .MT ebiederm@xmission.com |
| Eric Biederman |
| .ME |
| .SH AVAILABILITY |
| The nsenter command is part of the util-linux package and is available from |
| .UR ftp://\:ftp.kernel.org\:/pub\:/linux\:/utils\:/util-linux/ |
| Linux Kernel Archive |
| .UE . |
