[thirdparty/man-pages.git] / man2 / setns.2

.\" Copyright (C) 2011, Eric Biederman <ebiederm@xmission.com>
.\" and Copyright (C) 2011, 2012, Michael Kerrisk <mtk.manpages@gamil.com>
.\" Licensed under the GPLv2
.\"
.TH SETNS 2 2013-01-01 "Linux" "Linux Programmer's Manual"
.SH NAME
setns \- reassociate thread with a namespace
.SH SYNOPSIS
.nf
.BR "#define _GNU_SOURCE" "             /* See feature_test_macros(7) */"
.B #include <sched.h>
.sp
.BI "int setns(int " fd ", int " nstype );
.fi
.SH DESCRIPTION
Given a file descriptor referring to a namespace,
reassociate the calling thread with that namespace.

The
.I fd
argument is a file descriptor referring to one of the namespace entries in a
.I /proc/[pid]/ns/
directory; see
.BR proc (5)
for further information on
.IR /proc/[pid]/ns/ .
The calling thread will be reassociated with the corresponding namespace,
subject to any constraints imposed by the
.I nstype
argument.

The
.I nstype
argument specifies which type of namespace
the calling thread may be reassociated with.
This argument can have one of the following values:
.TP
.BR 0
Allow any type of namespace to be joined.
.TP
.BR CLONE_NEWIPC
.I fd
must refer to an IPC namespace.
.TP
.BR CLONE_NEWNET
.I fd
must refer to a network namespace.
.TP
.BR CLONE_NEWUTS
.I fd
must refer to a UTS namespace.
.PP
Specifying
.I nstype
as 0 suffices if the caller knows (or does not care)
what type of namespace is referred to by
.IR fd .
Specifying a nonzero value for
.I nstype
is useful if the caller does not know what type of namespace is referred to by
.IR fd
and wants to ensure that the namespace is of a particular type.
(The caller might not know the type of the namespace referred to by
.IR fd
if the file descriptor was opened by another process and, for example,
passed to the caller via a UNIX domain socket.)
.SH RETURN VALUE
On success,
.IR setns ()
returns 0.
On failure, \-1 is returned and
.I errno
is set to indicate the error.
.SH ERRORS
.TP
.B EBADF
.I fd
is not a valid file descriptor.
.TP
.B EINVAL
.I fd
refers to a namespace whose type does not match that specified in
.IR nstype ,
or there is problem with reassociating the
the thread with the specified namespace.
.TP
.B ENOMEM
Cannot allocate sufficient memory to change the specified namespace.
.TP
.B EPERM
The calling thread did not have the required privilege
.RB ( CAP_SYS_ADMIN )
for this operation.
.SH VERSIONS
The
.BR setns ()
system call first appeared in Linux in kernel 3.0;
library support was added to glibc in version 2.14.
.SH CONFORMING TO
The
.BR setns ()
system call is Linux-specific.
.SH NOTES
Not all of the attributes that can be shared when
a new thread is created using
.BR clone (2)
can be changed using
.BR setns ().
.SH EXAMPLE
The program below takes two or more arguments.
The first argument specifies the pathname of a namespace file in an existing
.I /proc/[pid]/ns/
directory.
The remaining arguments specify a command and its arguments.
The program opens the namespace file, joins that namespace using
.BR setns (),
and executes the specified command inside that namespace.

The following shell session demonstrates the use of this program
(compiled as a binary named
.IR ns_exec )
in conjunction with the
.BR CLONE_NEWUTS
example program in the
.BR clone (2)
man page (complied as a binary named
.IR newuts ).

We begin by executing the example program in
.BR clone (2)
in the background.
That program creates a child in a separate UTS namespace.
The child changes the hostname in its namespace,
and then both processes display the hostnames in their UTS namespaces,
so that we can see that they are different.

.nf
.in +4n
$ \fBsu\fP                   # Need privilege for namespace operations
Password:
# \fB./newuts bizarro &\fP
[1] 3549
clone() returned 3550
uts.nodename in child:  bizarro
uts.nodename in parent: antero
# \fBuname -n\fP             # Verify hostname in the shell
antero
.in
.fi

We then run the program shown below,
using it to execute a shell.
Inside that shell, we verify that the hostname is the one
set by the child created by the first program:

.nf
.in +4n
# \fB./ns_exec /proc/3550/ns/uts /bin/bash\fP
# \fBuname -n\fP             # Executed in shell started by ns_exec
bizarro
.in
.fi
.SS Program source
.nf
#define _GNU_SOURCE
#include <fcntl.h>
#include <sched.h>
#include <unistd.h>
#include <stdlib.h>
#include <stdio.h>

#define errExit(msg)    do { perror(msg); exit(EXIT_FAILURE); \\
                        } while (0)

int
main(int argc, char *argv[])
{
    int fd;

    if (argc < 3) {
        fprintf(stderr, "%s /proc/PID/ns/FILE cmd args...\\n", argv[0]);
        exit(EXIT_FAILURE);
    }

    fd = open(argv[1], O_RDONLY);   /* Get descriptor for namespace */
    if (fd == \-1)
        errExit("open");

    if (setns(fd, 0) == \-1)         /* Join that namespace */
        errExit("setns");

    execvp(argv[2], &argv[2]);      /* Execute a command in namespace */
    errExit("execvp");
}
.fi
.SH SEE ALSO
.BR clone (2),
.BR fork (2),
.BR vfork (2),
.BR proc (5),
.BR unix (7)
Commit	Line	Data
dfa22c8b	1	.\" Copyright (C) 2011, Eric Biederman <ebiederm@xmission.com>
8d41e607	2	.\" and Copyright (C) 2011, 2012, Michael Kerrisk <mtk.manpages@gamil.com>
dfa22c8b EB	3	.\" Licensed under the GPLv2
dfa22c8b EB	4	.\"
8d41e607	5	.TH SETNS 2 2013-01-01 "Linux" "Linux Programmer's Manual"
dfa22c8b	6	.SH NAME
7aa166c5	7	setns \- reassociate thread with a namespace
dfa22c8b EB	8	.SH SYNOPSIS
	9	.nf
	10	.BR "#define _GNU_SOURCE" " /* See feature_test_macros(7) */"
	11	.B #include <sched.h>
	12	.sp
	13	.BI "int setns(int " fd ", int " nstype );
	14	.fi
	15	.SH DESCRIPTION
c07ad242	16	Given a file descriptor referring to a namespace,
7aa166c5	17	reassociate the calling thread with that namespace.
dfa22c8b	18
92dcb220 MK	19	The
	20	.I fd
	21	argument is a file descriptor referring to one of the namespace entries in a
	22	.I /proc/[pid]/ns/
	23	directory; see
	24	.BR proc (5)
c409c4ff	25	for further information on
92dcb220	26	.IR /proc/[pid]/ns/ .
7aa166c5	27	The calling thread will be reassociated with the corresponding namespace,
92dcb220 MK	28	subject to any constraints imposed by the
	29	.I nstype
	30	argument.
	31
dfa22c8b EB	32	The
dfa22c8b EB	33	.I nstype
c07ad242	34	argument specifies which type of namespace
7aa166c5	35	the calling thread may be reassociated with.
4e1e208d	36	This argument can have one of the following values:
dfa22c8b EB	37	.TP
dfa22c8b EB	38	.BR 0
92dcb220	39	Allow any type of namespace to be joined.
dfa22c8b EB	40	.TP
dfa22c8b EB	41	.BR CLONE_NEWIPC
92dcb220 MK	42	.I fd
92dcb220 MK	43	must refer to an IPC namespace.
dfa22c8b EB	44	.TP
dfa22c8b EB	45	.BR CLONE_NEWNET
92dcb220 MK	46	.I fd
92dcb220 MK	47	must refer to a network namespace.
dfa22c8b EB	48	.TP
dfa22c8b EB	49	.BR CLONE_NEWUTS
92dcb220 MK	50	.I fd
92dcb220 MK	51	must refer to a UTS namespace.
dfa22c8b	52	.PP
92dcb220 MK	53	Specifying
	54	.I nstype
	55	as 0 suffices if the caller knows (or does not care)
	56	what type of namespace is referred to by
	57	.IR fd .
	58	Specifying a nonzero value for
	59	.I nstype
	60	is useful if the caller does not know what type of namespace is referred to by
	61	.IR fd
	62	and wants to ensure that the namespace is of a particular type.
	63	(The caller might not know the type of the namespace referred to by
	64	.IR fd
	65	if the file descriptor was opened by another process and, for example,
	66	passed to the caller via a UNIX domain socket.)
dfa22c8b	67	.SH RETURN VALUE
92dcb220 MK	68	On success,
	69	.IR setns ()
	70	returns 0.
dfa22c8b EB	71	On failure, \-1 is returned and
	72	.I errno
	73	is set to indicate the error.
	74	.SH ERRORS
	75	.TP
dfa22c8b	76	.B EBADF
c07ad242 MK	77	.I fd
c07ad242 MK	78	is not a valid file descriptor.
dfa22c8b EB	79	.TP
dfa22c8b EB	80	.B EINVAL
92dcb220 MK	81	.I fd
92dcb220 MK	82	refers to a namespace whose type does not match that specified in
7aa166c5 MK	83	.IR nstype ,
	84	or there is problem with reassociating the
	85	the thread with the specified namespace.
dfa22c8b EB	86	.TP
	87	.B ENOMEM
	88	Cannot allocate sufficient memory to change the specified namespace.
dfa22c8b EB	89	.TP
dfa22c8b EB	90	.B EPERM
c409c4ff	91	The calling thread did not have the required privilege
63b6ef41 MK	92	.RB ( CAP_SYS_ADMIN )
63b6ef41 MK	93	for this operation.
dfa22c8b EB	94	.SH VERSIONS
	95	The
	96	.BR setns ()
c95b6ae1 MK	97	system call first appeared in Linux in kernel 3.0;
c95b6ae1 MK	98	library support was added to glibc in version 2.14.
dfa22c8b EB	99	.SH CONFORMING TO
	100	The
	101	.BR setns ()
	102	system call is Linux-specific.
	103	.SH NOTES
7aa166c5 MK	104	Not all of the attributes that can be shared when
7aa166c5 MK	105	a new thread is created using
dfa22c8b EB	106	.BR clone (2)
	107	can be changed using
	108	.BR setns ().
8d41e607 MK	109	.SH EXAMPLE
	110	The program below takes two or more arguments.
	111	The first argument specifies the pathname of a namespace file in an existing
	112	.I /proc/[pid]/ns/
	113	directory.
	114	The remaining arguments specify a command and its arguments.
	115	The program opens the namespace file, joins that namespace using
	116	.BR setns (),
	117	and executes the specified command inside that namespace.
	118
	119	The following shell session demonstrates the use of this program
	120	(compiled as a binary named
a1ce9159	121	.IR ns_exec )
8d41e607 MK	122	in conjunction with the
	123	.BR CLONE_NEWUTS
	124	example program in the
	125	.BR clone (2)
	126	man page (complied as a binary named
	127	.IR newuts ).
	128
	129	We begin by executing the example program in
	130	.BR clone (2)
	131	in the background.
	132	That program creates a child in a separate UTS namespace.
51ebe080	133	The child changes the hostname in its namespace,
8d41e607 MK	134	and then both processes display the hostnames in their UTS namespaces,
	135	so that we can see that they are different.
	136
	137	.nf
	138	.in +4n
	139	$ \fBsu\fP # Need privilege for namespace operations
9f1b9726	140	Password:
8d41e607 MK	141	# \fB./newuts bizarro &\fP
	142	[1] 3549
	143	clone() returned 3550
	144	uts.nodename in child: bizarro
	145	uts.nodename in parent: antero
	146	# \fBuname -n\fP # Verify hostname in the shell
	147	antero
	148	.in
	149	.fi
	150
	151	We then run the program shown below,
	152	using it to execute a shell.
	153	Inside that shell, we verify that the hostname is the one
	154	set by the child created by the first program:
	155
	156	.nf
	157	.in +4n
a1ce9159 MK	158	# \fB./ns_exec /proc/3550/ns/uts /bin/bash\fP
a1ce9159 MK	159	# \fBuname -n\fP # Executed in shell started by ns_exec
8d41e607 MK	160	bizarro
	161	.in
	162	.fi
8d41e607 MK	163	.SS Program source
	164	.nf
	165	#define _GNU_SOURCE
	166	#include <fcntl.h>
	167	#include <sched.h>
	168	#include <unistd.h>
	169	#include <stdlib.h>
	170	#include <stdio.h>
	171
	172	#define errExit(msg) do { perror(msg); exit(EXIT_FAILURE); \\
	173	} while (0)
	174
	175	int
	176	main(int argc, char *argv[])
	177	{
	178	int fd;
	179
	180	if (argc < 3) {
	181	fprintf(stderr, "%s /proc/PID/ns/FILE cmd args...\\n", argv[0]);
	182	exit(EXIT_FAILURE);
	183	}
	184
	185	fd = open(argv[1], O_RDONLY); /* Get descriptor for namespace */
	186	if (fd == \-1)
	187	errExit("open");
	188
	189	if (setns(fd, 0) == \-1) /* Join that namespace */
	190	errExit("setns");
	191
	192	execvp(argv[2], &argv[2]); /* Execute a command in namespace */
	193	errExit("execvp");
	194	}
	195	.fi
dfa22c8b EB	196	.SH SEE ALSO
	197	.BR clone (2),
	198	.BR fork (2),
b93a34b5	199	.BR vfork (2),
92dcb220 MK	200	.BR proc (5),
92dcb220 MK	201	.BR unix (7)