| .TH NSENTER 1 "June 2013" "util-linux" "User Commands" |
| .SH NAME |
| nsenter \- run program with namespaces of other processes |
| .SH SYNOPSIS |
| .B nsenter |
| [options] |
| .RI [ program |
| .RI [ arguments ]] |
| .SH DESCRIPTION |
| Enters the namespaces of one or more other processes and then executes the specified |
| \fIprogram\fP. If \fIprogram\fP is not given, then ``${SHELL}'' is run (default: /bin\:/sh). |
| .PP |
| Enterable namespaces are: |
| .TP |
| .B mount namespace |
| Mounting and unmounting filesystems will not affect the rest of the system, |
| except for filesystems which are explicitly marked as shared (with |
| \fBmount --make-\:shared\fP; see \fI/proc\:/self\:/mountinfo\fP for the |
| \fBshared\fP flag). |
| For further details, see |
| .BR mount_namespaces (7) |
| and the discussion of the |
| .BR CLONE_NEWNS |
| flag in |
| .BR clone (2). |
| .TP |
| .B UTS namespace |
| Setting hostname or domainname will not affect the rest of the system. |
| For further details, see |
| .BR namespaces (7) |
| and the discussion of the |
| .BR CLONE_NEWUTS |
| flag in |
| .BR clone (2). |
| .TP |
| .B IPC namespace |
| The process will have an independent namespace for POSIX message queues |
| as well as System V message queues, |
| semaphore sets and shared memory segments. |
| For further details, see |
| .BR namespaces (7) |
| and the discussion of the |
| .BR CLONE_NEWIPC |
| flag in |
| .BR clone (2). |
| .TP |
| .B network namespace |
| The process will have independent IPv4 and IPv6 stacks, IP routing tables, |
| firewall rules, the |
| .I /proc\:/net |
| and |
| .I /sys\:/class\:/net |
| directory trees, sockets, etc. |
| For further details, see |
| .BR namespaces (7) |
| and the discussion of the |
| .BR CLONE_NEWNET |
| flag in |
| .BR clone (2). |
| .TP |
| .B PID namespace |
| Children will have a set of PID to process mappings separate from the |
| .B nsenter |
| process |
| For further details, see |
| .BR pid_namespaces (7) |
| and |
| the discussion of the |
| .BR CLONE_NEWPID |
| flag in |
| .B nsenter |
| will fork by default if changing the PID namespace, so that the new program |
| and its children share the same PID namespace and are visible to each other. |
| If \fB\-\-no\-fork\fP is used, the new program will be exec'ed without forking. |
| .TP |
| .B user namespace |
| The process will have a distinct set of UIDs, GIDs and capabilities. |
| For further details, see |
| .BR user_namespaces (7) |
| and the discussion of the |
| .BR CLONE_NEWUSER |
| flag in |
| .BR clone (2). |
| .TP |
| .B cgroup namespace |
| The process will have a virtualized view of \fI/proc\:/self\:/cgroup\fP, and new |
| cgroup mounts will be rooted at the namespace cgroup root. |
| For further details, see |
| .BR cgroup_namespaces (7) |
| and the discussion of the |
| .BR CLONE_NEWCGROUP |
| flag in |
| .BR clone (2). |
| .TP |
| See \fBclone\fP(2) for the exact semantics of the flags. |
| .SH OPTIONS |
| Various of the options below that relate to namespaces take an optional |
| .I file |
| argument. |
| This should be one of the |
| .IR /proc/[pid]/ns/* |
| files described in |
| .BR namespaces (7). |
| .TP |
| \fB\-a\fR, \fB\-\-all\fR |
| Enter all namespaces of the target process by the default |
| .IR /proc/[pid]/ns/* |
| namespace paths. The default paths to the target process namespaces may be |
| overwritten by namespace specific options (e.g. --all --mount=[path]). |
| |
| The user namespace will be ignored if the same as the caller's current user |
| namespace. It prevents a caller that has dropped capabilities from regaining |
| those capabilities via a call to setns(). See |
| .BR setns (2) |
| for more details. |
| .TP |
| \fB\-t\fR, \fB\-\-target\fR \fIpid\fP |
| Specify a target process to get contexts from. The paths to the contexts |
| specified by |
| .I pid |
| are: |
| .RS |
| .PD 0 |
| .IP "" 20 |
| .TP |
| /proc/\fIpid\fR/ns/mnt |
| the mount namespace |
| .TP |
| /proc/\fIpid\fR/ns/uts |
| the UTS namespace |
| .TP |
| /proc/\fIpid\fR/ns/ipc |
| the IPC namespace |
| .TP |
| /proc/\fIpid\fR/ns/net |
| the network namespace |
| .TP |
| /proc/\fIpid\fR/ns/pid |
| the PID namespace |
| .TP |
| /proc/\fIpid\fR/ns/user |
| the user namespace |
| .TP |
| /proc/\fIpid\fR/ns/cgroup |
| the cgroup namespace |
| .TP |
| /proc/\fIpid\fR/root |
| the root directory |
| .TP |
| /proc/\fIpid\fR/cwd |
| the working directory respectively |
| .PD |
| .RE |
| .TP |
| \fB\-m\fR, \fB\-\-mount\fR[=\fIfile\fR] |
| Enter the mount namespace. If no file is specified, enter the mount namespace |
| of the target process. |
| If |
| .I file |
| is specified, enter the mount namespace |
| specified by |
| .IR file . |
| .TP |
| \fB\-u\fR, \fB\-\-uts\fR[=\fIfile\fR] |
| Enter the UTS namespace. If no file is specified, enter the UTS namespace of |
| the target process. |
| If |
| .I file |
| is specified, enter the UTS namespace specified by |
| .IR file . |
| .TP |
| \fB\-i\fR, \fB\-\-ipc\fR[=\fIfile\fR] |
| Enter the IPC namespace. If no file is specified, enter the IPC namespace of |
| the target process. |
| If |
| .I file |
| is specified, enter the IPC namespace specified by |
| .IR file . |
| .TP |
| \fB\-n\fR, \fB\-\-net\fR[=\fIfile\fR] |
| Enter the network namespace. If no file is specified, enter the network |
| namespace of the target process. |
| If |
| .I file |
| is specified, enter the network namespace specified by |
| .IR file . |
| .TP |
| \fB\-p\fR, \fB\-\-pid\fR[=\fIfile\fR] |
| Enter the PID namespace. If no file is specified, enter the PID namespace of |
| the target process. |
| If |
| .I file |
| is specified, enter the PID namespace specified by |
| .IR file . |
| .TP |
| \fB\-U\fR, \fB\-\-user\fR[=\fIfile\fR] |
| Enter the user namespace. If no file is specified, enter the user namespace of |
| the target process. |
| If |
| .I file |
| is specified, enter the user namespace specified by |
| .IR file . |
| See also the \fB\-\-setuid\fR and \fB\-\-setgid\fR options. |
| .TP |
| \fB\-C\fR, \fB\-\-cgroup\fR[=\fIfile\fR] |
| Enter the cgroup namespace. If no file is specified, enter the cgroup namespace of |
| the target process. |
| If |
| .I file |
| is specified, enter the cgroup namespace specified by |
| .IR file . |
| .TP |
| \fB\-G\fR, \fB\-\-setgid\fR \fIgid\fR |
| Set the group ID which will be used in the entered namespace and drop |
| supplementary groups. |
| .BR nsenter (1) |
| always sets GID for user namespaces, the default is 0. |
| .TP |
| \fB\-S\fR, \fB\-\-setuid\fR \fIuid\fR |
| Set the user ID which will be used in the entered namespace. |
| .BR nsenter (1) |
| always sets UID for user namespaces, the default is 0. |
| .TP |
| \fB\-\-preserve\-credentials\fR |
| Don't modify UID and GID when enter user namespace. The default is to |
| drops supplementary groups and sets GID and UID to 0. |
| .TP |
| \fB\-r\fR, \fB\-\-root\fR[=\fIdirectory\fR] |
| Set the root directory. If no directory is specified, set the root directory to |
| the root directory of the target process. If directory is specified, set the |
| root directory to the specified directory. |
| .TP |
| \fB\-w\fR, \fB\-\-wd\fR[=\fIdirectory\fR] |
| Set the working directory. If no directory is specified, set the working |
| directory to the working directory of the target process. If directory is |
| specified, set the working directory to the specified directory. |
| .TP |
| \fB\-F\fR, \fB\-\-no\-fork\fR |
| Do not fork before exec'ing the specified program. By default, when entering a |
| PID namespace, \fBnsenter\fP calls \fBfork\fP before calling \fBexec\fP so that |
| any children will also be in the newly entered PID namespace. |
| .TP |
| \fB\-Z\fR, \fB\-\-follow\-context\fR |
| Set the SELinux security context used for executing a new process according to |
| already running process specified by \fB\-\-target\fR PID. (The util-linux has |
| to be compiled with SELinux support otherwise the option is unavailable.) |
| .TP |
| \fB\-V\fR, \fB\-\-version\fR |
| Display version information and exit. |
| .TP |
| \fB\-h\fR, \fB\-\-help\fR |
| Display help text and exit. |
| .SH SEE ALSO |
| .BR clone (2), |
| .BR setns (2), |
| .BR namespaces (7) |
| .SH AUTHORS |
| .UR biederm@xmission.com |
| Eric Biederman |
| .UE |
| .br |
| .UR kzak@redhat.com |
| Karel Zak |
| .UE |
| .SH AVAILABILITY |
| The nsenter command is part of the util-linux package and is available from |
| .UR https://\:www.kernel.org\:/pub\:/linux\:/utils\:/util-linux/ |
| Linux Kernel Archive |
| .UE . |