sys-utils/unshare.1 - pub/scm/linux/kernel/git/luto/util-linux-playground - Git at Google

 .TH UNSHARE 1 "July 2014" "util-linux" "User Commands"
 .SH NAME
 unshare \- run program with some namespaces unshared from parent
 .SH SYNOPSIS
 .B unshare
 [options]
 .I program
 .RI [ arguments ]
 .SH DESCRIPTION
 Unshares the indicated namespaces from the parent process and then executes
 the specified \fIprogram\fR.  The namespaces to be unshared are indicated via
 options.  Unshareable namespaces are:
 .TP
 .BR "mount namespace"
 Mounting and unmounting filesystems will not affect the rest of the system
 (\fBCLONE_NEWNS\fP flag), except for filesystems which are explicitly marked as
 shared (with \fBmount --make-shared\fP; see \fI/proc/self/mountinfo\fP for the
 \fBshared\fP flags).
 .sp
 It's recommended to use \fBmount --make-rprivate\fP or \fBmount --make-rslave\fP
 after \fBunshare --mount\fP to make sure that mountpoints in the new namespace
 are really unshared from the parental namespace.
 .TP
 .BR "UTS namespace"
 Setting hostname or domainname will not affect the rest of the system.
 (\fBCLONE_NEWUTS\fP flag)
 .TP
 .BR "IPC namespace"
 The process will have an independent namespace for System V message queues,
 semaphore sets and shared memory segments.  (\fBCLONE_NEWIPC\fP flag)
 .TP
 .BR "network namespace"
 The process will have independent IPv4 and IPv6 stacks, IP routing tables,
 firewall rules, the \fI/proc/net\fP and \fI/sys/class/net\fP directory trees,
 sockets, etc.  (\fBCLONE_NEWNET\fP flag)
 .TP
 .BR "pid namespace"
 Children will have a distinct set of PID to process mappings from their parent.
 (\fBCLONE_NEWPID\fP flag)
 .TP
 .BR "user namespace"
 The process will have a distinct set of UIDs, GIDs and capabilities.
 (\fBCLONE_NEWUSER\fP flag)
 .PP
 See \fBclone\fR(2) for the exact semantics of the flags.
 .SH OPTIONS
 .TP
 .BR \-i , " \-\-ipc"
 Unshare the IPC namespace.
 .TP
 .BR \-m , " \-\-mount"
 Unshare the mount namespace.
 .TP
 .BR \-n , " \-\-net"
 Unshare the network namespace.
 .TP
 .BR \-p , " \-\-pid"
 Unshare the pid namespace.
 See also the \fB--fork\fP and \fB--mount-proc\fP options.
 .TP
 .BR \-u , " \-\-uts"
 Unshare the UTS namespace.
 .TP
 .BR \-U , " \-\-user"
 Unshare the user namespace.
 .TP
 .BR \-f , " \-\-fork"
 Fork the specified \fIprogram\fR as a child process of \fBunshare\fR rather than
 running it directly.  This is useful when creating a new pid namespace.
 .TP
 .BR \-\-mount\-proc "[=\fImountpoint\fP]"
 Just before running the program, mount the proc filesystem at \fImountpoint\fP
 (default is /proc).  This is useful when creating a new pid namespace.  It also
 implies creating a new mount namespace since the /proc mount would otherwise
 mess up existing programs on the system.  The new proc filesystem is explicitly
 mounted as private (by MS_PRIVATE|MS_REC).
 .TP
 .BR \-r , " \-\-map\-root\-user"
 Run the program only after the current effective user and group IDs have been mapped to
 the superuser UID and GID in the newly created user namespace.  This makes it possible to
 conveniently gain capabilities needed to manage various aspects of the newly created
 namespaces (such as configuring interfaces in the network namespace or mounting filesystems in
 the mount namespace) even when run unprivileged.  As a mere convenience feature, it does not support
 more sophisticated use cases, such as mapping multiple ranges of UIDs and GIDs.
 This option implies --setgroups=deny.
 .TP
 .BR \-s , " \-\-setgroups \fIallow|deny\fP"
 Allow or deny
 .BR setgroups (2)
 syscall in user namespaces.

 .BR setgroups(2)
 is only callable with CAP_SETGID and CAP_SETGID in a user
 namespace (since Linux 3.19) does not give you permission to call setgroups(2)
 until after GID map has been set. The GID map is writable by root when
 .BR setgroups(2)
 is enabled and GID map becomes writable by unprivileged processes when
 .BR setgroups(2)
 is permanently disabled.
 .TP
 .BR \-V , " \-\-version"
 Display version information and exit.
 .TP
 .BR \-h , " \-\-help"
 Display help text and exit.
 .SH EXAMPLES
 .TP
 .B # unshare --fork --pid --mount-proc readlink /proc/self
 .TQ
 1
 .br
 Establish a PID namespace, ensure we're PID 1 in it against newly mounted
 procfs instance.
 .TP
 .B $ unshare --map-root-user --user sh -c whoami
 .TQ
 root
 .br
 Establish a user namespace as an unprivileged user with a root user within it.
 .SH SEE ALSO
 .BR unshare (2),
 .BR clone (2),
 .BR mount (8)
 .SH BUGS
 None known so far.
 .SH AUTHOR
 Mikhail Gusarov <dottedmag@dottedmag.net>
 .SH AVAILABILITY
 The unshare command is part of the util-linux package and is available from
 ftp://ftp.kernel.org/pub/linux/utils/util-linux/.
	.TH UNSHARE 1 "July 2014" "util-linux" "User Commands"
	.SH NAME
	unshare \- run program with some namespaces unshared from parent
	.SH SYNOPSIS
	.B unshare
	[options]
	.I program
	.RI [ arguments ]
	.SH DESCRIPTION
	Unshares the indicated namespaces from the parent process and then executes
	the specified \fIprogram\fR. The namespaces to be unshared are indicated via
	options. Unshareable namespaces are:
	.TP
	.BR "mount namespace"
	Mounting and unmounting filesystems will not affect the rest of the system
	(\fBCLONE_NEWNS\fP flag), except for filesystems which are explicitly marked as
	shared (with \fBmount --make-shared\fP; see \fI/proc/self/mountinfo\fP for the
	\fBshared\fP flags).
	.sp
	It's recommended to use \fBmount --make-rprivate\fP or \fBmount --make-rslave\fP
	after \fBunshare --mount\fP to make sure that mountpoints in the new namespace
	are really unshared from the parental namespace.
	.TP
	.BR "UTS namespace"
	Setting hostname or domainname will not affect the rest of the system.
	(\fBCLONE_NEWUTS\fP flag)
	.TP
	.BR "IPC namespace"
	The process will have an independent namespace for System V message queues,
	semaphore sets and shared memory segments. (\fBCLONE_NEWIPC\fP flag)
	.TP
	.BR "network namespace"
	The process will have independent IPv4 and IPv6 stacks, IP routing tables,
	firewall rules, the \fI/proc/net\fP and \fI/sys/class/net\fP directory trees,
	sockets, etc. (\fBCLONE_NEWNET\fP flag)
	.TP
	.BR "pid namespace"
	Children will have a distinct set of PID to process mappings from their parent.
	(\fBCLONE_NEWPID\fP flag)
	.TP
	.BR "user namespace"
	The process will have a distinct set of UIDs, GIDs and capabilities.
	(\fBCLONE_NEWUSER\fP flag)
	.PP
	See \fBclone\fR(2) for the exact semantics of the flags.
	.SH OPTIONS
	.TP
	.BR \-i , " \-\-ipc"
	Unshare the IPC namespace.
	.TP
	.BR \-m , " \-\-mount"
	Unshare the mount namespace.
	.TP
	.BR \-n , " \-\-net"
	Unshare the network namespace.
	.TP
	.BR \-p , " \-\-pid"
	Unshare the pid namespace.
	See also the \fB--fork\fP and \fB--mount-proc\fP options.
	.TP
	.BR \-u , " \-\-uts"
	Unshare the UTS namespace.
	.TP
	.BR \-U , " \-\-user"
	Unshare the user namespace.
	.TP
	.BR \-f , " \-\-fork"
	Fork the specified \fIprogram\fR as a child process of \fBunshare\fR rather than
	running it directly. This is useful when creating a new pid namespace.
	.TP
	.BR \-\-mount\-proc "[=\fImountpoint\fP]"
	Just before running the program, mount the proc filesystem at \fImountpoint\fP
	(default is /proc). This is useful when creating a new pid namespace. It also
	implies creating a new mount namespace since the /proc mount would otherwise
	mess up existing programs on the system. The new proc filesystem is explicitly
	mounted as private (by MS_PRIVATE\|MS_REC).
	.TP
	.BR \-r , " \-\-map\-root\-user"
	Run the program only after the current effective user and group IDs have been mapped to
	the superuser UID and GID in the newly created user namespace. This makes it possible to
	conveniently gain capabilities needed to manage various aspects of the newly created
	namespaces (such as configuring interfaces in the network namespace or mounting filesystems in
	the mount namespace) even when run unprivileged. As a mere convenience feature, it does not support
	more sophisticated use cases, such as mapping multiple ranges of UIDs and GIDs.
	This option implies --setgroups=deny.
	.TP
	.BR \-s , " \-\-setgroups \fIallow\|deny\fP"
	Allow or deny
	.BR setgroups (2)
	syscall in user namespaces.

	.BR setgroups(2)
	is only callable with CAP_SETGID and CAP_SETGID in a user
	namespace (since Linux 3.19) does not give you permission to call setgroups(2)
	until after GID map has been set. The GID map is writable by root when
	.BR setgroups(2)
	is enabled and GID map becomes writable by unprivileged processes when
	.BR setgroups(2)
	is permanently disabled.
	.TP
	.BR \-V , " \-\-version"
	Display version information and exit.
	.TP
	.BR \-h , " \-\-help"
	Display help text and exit.
	.SH EXAMPLES
	.TP
	.B # unshare --fork --pid --mount-proc readlink /proc/self
	.TQ
	1
	.br
	Establish a PID namespace, ensure we're PID 1 in it against newly mounted
	procfs instance.
	.TP
	.B $ unshare --map-root-user --user sh -c whoami
	.TQ
	root
	.br
	Establish a user namespace as an unprivileged user with a root user within it.
	.SH SEE ALSO
	.BR unshare (2),
	.BR clone (2),
	.BR mount (8)
	.SH BUGS
	None known so far.
	.SH AUTHOR
	Mikhail Gusarov <dottedmag@dottedmag.net>
	.SH AVAILABILITY
	The unshare command is part of the util-linux package and is available from
	ftp://ftp.kernel.org/pub/linux/utils/util-linux/.