[thirdparty/util-linux.git] / sys-utils / nsenter.1

.TH NSENTER 1 "June 2013" "util-linux" "User Commands"
.SH NAME
nsenter \- run program with namespaces of other processes
.SH SYNOPSIS
.B nsenter
[options]
.RI [ program
.RI [ arguments ]]
.SH DESCRIPTION
Enters the namespaces of one or more other processes and then executes the specified
\fIprogram\fP. If \fIprogram\fP is not given, then ``${SHELL}'' is run (default: /bin\:/sh).
.PP
Enterable namespaces are:
.TP
.B mount namespace
Mounting and unmounting filesystems will not affect the rest of the system,
except for filesystems which are explicitly marked as shared (with
\fBmount --make-\:shared\fP; see \fI/proc\:/self\:/mountinfo\fP for the
\fBshared\fP flag).
For further details, see
.BR mount_namespaces (7)
and the discussion of the
.BR CLONE_NEWNS
flag in
.BR clone (2).
.TP
.B UTS namespace
Setting hostname or domainname will not affect the rest of the system.
For further details, see
.BR namespaces (7)
and the discussion of the
.BR CLONE_NEWUTS
flag in
.BR clone (2).
.TP
.B IPC namespace
The process will have an independent namespace for POSIX message queues
as well as System V message queues,
semaphore sets and shared memory segments.
For further details, see
.BR namespaces (7)
and the discussion of the
.BR CLONE_NEWIPC
flag in
.BR clone (2).
.TP
.B network namespace
The process will have independent IPv4 and IPv6 stacks, IP routing tables,
firewall rules, the
.I /proc\:/net
and
.I /sys\:/class\:/net
directory trees, sockets, etc.
For further details, see
.BR namespaces (7)
and the discussion of the
.BR CLONE_NEWNET
flag in
.BR clone (2).
.TP
.B PID namespace
Children will have a set of PID to process mappings separate from the
.B nsenter
process
For further details, see
.BR pid_namespaces (7)
and
the discussion of the
.BR CLONE_NEWPID
flag in
.B nsenter
will fork by default if changing the PID namespace, so that the new program
and its children share the same PID namespace and are visible to each other.
If \fB\-\-no\-fork\fP is used, the new program will be exec'ed without forking.
.TP
.B user namespace
The process will have a distinct set of UIDs, GIDs and capabilities.
For further details, see
.BR user_namespaces (7)
and the discussion of the
.BR CLONE_NEWUSER
flag in
.BR clone (2).
.TP
.B cgroup namespace
The process will have a virtualized view of \fI/proc\:/self\:/cgroup\fP, and new
cgroup mounts will be rooted at the namespace cgroup root.
For further details, see
.BR cgroup_namespaces (7)
and the discussion of the
.BR CLONE_NEWCGROUP
flag in
.BR clone (2).
.TP
See \fBclone\fP(2) for the exact semantics of the flags.
.SH OPTIONS
Various of the options below that relate to namespaces take an optional
.I file
argument.
This should be one of the
.IR /proc/[pid]/ns/*
files described in
.BR namespaces (7).
.TP
\fB\-a\fR, \fB\-\-all\fR
Enter all namespaces of the target process by the default
.IR /proc/[pid]/ns/*
namespace paths. The default paths to the target process namespaces may be
overwritten by namespace specific options (e.g. --all --mount=[path]).

The user namespace will be ignored if the same as the caller's current user
namespace. It prevents a caller that has dropped capabilities from regaining
those capabilities via a call to setns().  See
.BR setns (2)
for more details.
.TP
\fB\-t\fR, \fB\-\-target\fR \fIpid\fP
Specify a target process to get contexts from.  The paths to the contexts
specified by
.I pid
are:
.RS
.PD 0
.IP "" 20
.TP
/proc/\fIpid\fR/ns/mnt
the mount namespace
.TP
/proc/\fIpid\fR/ns/uts
the UTS namespace
.TP
/proc/\fIpid\fR/ns/ipc
the IPC namespace
.TP
/proc/\fIpid\fR/ns/net
the network namespace
.TP
/proc/\fIpid\fR/ns/pid
the PID namespace
.TP
/proc/\fIpid\fR/ns/user
the user namespace
.TP
/proc/\fIpid\fR/ns/cgroup
the cgroup namespace
.TP
/proc/\fIpid\fR/root
the root directory
.TP
/proc/\fIpid\fR/cwd
the working directory respectively
.PD
.RE
.TP
\fB\-m\fR, \fB\-\-mount\fR[=\fIfile\fR]
Enter the mount namespace.  If no file is specified, enter the mount namespace
of the target process.
If
.I file
is specified, enter the mount namespace
specified by
.IR file .
.TP
\fB\-u\fR, \fB\-\-uts\fR[=\fIfile\fR]
Enter the UTS namespace.  If no file is specified, enter the UTS namespace of
the target process.
If
.I file
is specified, enter the UTS namespace specified by
.IR file .
.TP
\fB\-i\fR, \fB\-\-ipc\fR[=\fIfile\fR]
Enter the IPC namespace.  If no file is specified, enter the IPC namespace of
the target process.
If
.I file
is specified, enter the IPC namespace specified by
.IR file .
.TP
\fB\-n\fR, \fB\-\-net\fR[=\fIfile\fR]
Enter the network namespace.  If no file is specified, enter the network
namespace of the target process.
If
.I file
is specified, enter the network namespace specified by
.IR file .
.TP
\fB\-p\fR, \fB\-\-pid\fR[=\fIfile\fR]
Enter the PID namespace.  If no file is specified, enter the PID namespace of
the target process.
If
.I file
is specified, enter the PID namespace specified by
.IR file .
.TP
\fB\-U\fR, \fB\-\-user\fR[=\fIfile\fR]
Enter the user namespace.  If no file is specified, enter the user namespace of
the target process.
If
.I file
is specified, enter the user namespace specified by
.IR file .
See also the \fB\-\-setuid\fR and \fB\-\-setgid\fR options.
.TP
\fB\-C\fR, \fB\-\-cgroup\fR[=\fIfile\fR]
Enter the cgroup namespace.  If no file is specified, enter the cgroup namespace of
the target process.
If
.I file
is specified, enter the cgroup namespace specified by
.IR file .
.TP
\fB\-G\fR, \fB\-\-setgid\fR \fIgid\fR
Set the group ID which will be used in the entered namespace and drop
supplementary groups.
.BR nsenter (1)
always sets GID for user namespaces, the default is 0.
.TP
\fB\-S\fR, \fB\-\-setuid\fR \fIuid\fR
Set the user ID which will be used in the entered namespace.
.BR nsenter (1)
always sets UID for user namespaces, the default is 0.
.TP
\fB\-\-preserve\-credentials\fR
Don't modify UID and GID when enter user namespace. The default is to
drops supplementary groups and sets GID and UID to 0.
.TP
\fB\-r\fR, \fB\-\-root\fR[=\fIdirectory\fR]
Set the root directory.  If no directory is specified, set the root directory to
the root directory of the target process.  If directory is specified, set the
root directory to the specified directory.
.TP
\fB\-w\fR, \fB\-\-wd\fR[=\fIdirectory\fR]
Set the working directory.  If no directory is specified, set the working
directory to the working directory of the target process.  If directory is
specified, set the working directory to the specified directory.
.TP
\fB\-F\fR, \fB\-\-no\-fork\fR
Do not fork before exec'ing the specified program.  By default, when entering a
PID namespace, \fBnsenter\fP calls \fBfork\fP before calling \fBexec\fP so that
any children will also be in the newly entered PID namespace.
.TP
\fB\-Z\fR, \fB\-\-follow\-context\fR
Set the SELinux security context used for executing a new process according to
already running process specified by \fB\-\-target\fR PID. (The util-linux has
to be compiled with SELinux support otherwise the option is unavailable.)
.TP
\fB\-V\fR, \fB\-\-version\fR
Display version information and exit.
.TP
\fB\-h\fR, \fB\-\-help\fR
Display help text and exit.
.SH SEE ALSO
.BR clone (2),
.BR setns (2),
.BR namespaces (7)
.SH AUTHORS
.UR biederm@xmission.com
Eric Biederman
.UE
.br
.UR kzak@redhat.com
Karel Zak
.UE
.SH AVAILABILITY
The nsenter command is part of the util-linux package and is available from
.UR https://\:www.kernel.org\:/pub\:/linux\:/utils\:/util-linux/
Linux Kernel Archive
.UE .
Commit	Line	Data
87ec43b6	1	.TH NSENTER 1 "June 2013" "util-linux" "User Commands"
f8aa8e94 EB	2	.SH NAME
	3	nsenter \- run program with namespaces of other processes
	4	.SH SYNOPSIS
	5	.B nsenter
cf8e0bae	6	[options]
dde08a87 BS	7	.RI [ program
dde08a87 BS	8	.RI [ arguments ]]
f8aa8e94	9	.SH DESCRIPTION
1e3832bf	10	Enters the namespaces of one or more other processes and then executes the specified
0f0b5823 KZ	11	\fIprogram\fP. If \fIprogram\fP is not given, then ``${SHELL}'' is run (default: /bin\:/sh).
	12	.PP
	13	Enterable namespaces are:
f8aa8e94	14	.TP
08e86f4c	15	.B mount namespace
894efece MK	16	Mounting and unmounting filesystems will not affect the rest of the system,
894efece MK	17	except for filesystems which are explicitly marked as shared (with
dde08a87 BS	18	\fBmount --make-\:shared\fP; see \fI/proc\:/self\:/mountinfo\fP for the
dde08a87 BS	19	\fBshared\fP flag).
894efece MK	20	For further details, see
	21	.BR mount_namespaces (7)
	22	and the discussion of the
	23	.BR CLONE_NEWNS
	24	flag in
	25	.BR clone (2).
f8aa8e94	26	.TP
08e86f4c	27	.B UTS namespace
dde08a87	28	Setting hostname or domainname will not affect the rest of the system.
894efece MK	29	For further details, see
	30	.BR namespaces (7)
	31	and the discussion of the
	32	.BR CLONE_NEWUTS
	33	flag in
	34	.BR clone (2).
f8aa8e94	35	.TP
08e86f4c	36	.B IPC namespace
170a8e4a MK	37	The process will have an independent namespace for POSIX message queues
170a8e4a MK	38	as well as System V message queues,
dde08a87	39	semaphore sets and shared memory segments.
894efece MK	40	For further details, see
	41	.BR namespaces (7)
	42	and the discussion of the
	43	.BR CLONE_NEWIPC
	44	flag in
	45	.BR clone (2).
f8aa8e94	46	.TP
08e86f4c	47	.B network namespace
dde08a87 BS	48	The process will have independent IPv4 and IPv6 stacks, IP routing tables,
dde08a87 BS	49	firewall rules, the
08e86f4c SK	50	.I /proc\:/net
	51	and
	52	.I /sys\:/class\:/net
dde08a87	53	directory trees, sockets, etc.
894efece MK	54	For further details, see
	55	.BR namespaces (7)
	56	and the discussion of the
	57	.BR CLONE_NEWNET
	58	flag in
	59	.BR clone (2).
08e86f4c	60	.TP
1e3832bf	61	.B PID namespace
dde08a87	62	Children will have a set of PID to process mappings separate from the
1e3832bf ZJS	63	.B nsenter
1e3832bf ZJS	64	process
894efece MK	65	For further details, see
	66	.BR pid_namespaces (7)
	67	and
	68	the discussion of the
	69	.BR CLONE_NEWPID
	70	flag in
1e3832bf ZJS	71	.B nsenter
	72	will fork by default if changing the PID namespace, so that the new program
	73	and its children share the same PID namespace and are visible to each other.
dde08a87	74	If \fB\-\-no\-fork\fP is used, the new program will be exec'ed without forking.
f8aa8e94	75	.TP
08e86f4c	76	.B user namespace
dde08a87	77	The process will have a distinct set of UIDs, GIDs and capabilities.
894efece MK	78	For further details, see
	79	.BR user_namespaces (7)
	80	and the discussion of the
	81	.BR CLONE_NEWUSER
	82	flag in
	83	.BR clone (2).
f8aa8e94	84	.TP
f9e7b66d SH	85	.B cgroup namespace
	86	The process will have a virtualized view of \fI/proc\:/self\:/cgroup\fP, and new
	87	cgroup mounts will be rooted at the namespace cgroup root.
894efece MK	88	For further details, see
	89	.BR cgroup_namespaces (7)
	90	and the discussion of the
	91	.BR CLONE_NEWCGROUP
	92	flag in
	93	.BR clone (2).
f9e7b66d	94	.TP
dde08a87	95	See \fBclone\fP(2) for the exact semantics of the flags.
f8aa8e94	96	.SH OPTIONS
4b298f61 MK	97	Various of the options below that relate to namespaces take an optional
	98	.I file
	99	argument.
	100	This should be one of the
	101	.IR /proc/[pid]/ns/*
	102	files described in
	103	.BR namespaces (7).
08e86f4c	104	.TP
974cc006 KZ	105	\fB\-a\fR, \fB\-\-all\fR
	106	Enter all namespaces of the target process by the default
	107	.IR /proc/[pid]/ns/*
	108	namespace paths. The default paths to the target process namespaces may be
	109	overwritten by namespace specific options (e.g. --all --mount=[path]).
	110
	111	The user namespace will be ignored if the same as the caller's current user
	112	namespace. It prevents a caller that has dropped capabilities from regaining
	113	those capabilities via a call to setns(). See
	114	.BR setns (2)
	115	for more details.
	116	.TP
08e86f4c SK	117	\fB\-t\fR, \fB\-\-target\fR \fIpid\fP
	118	Specify a target process to get contexts from. The paths to the contexts
	119	specified by
	120	.I pid
	121	are:
	122	.RS
	123	.PD 0
	124	.IP "" 20
	125	.TP
	126	/proc/\fIpid\fR/ns/mnt
	127	the mount namespace
	128	.TP
	129	/proc/\fIpid\fR/ns/uts
1e3832bf	130	the UTS namespace
08e86f4c SK	131	.TP
08e86f4c SK	132	/proc/\fIpid\fR/ns/ipc
1e3832bf	133	the IPC namespace
08e86f4c SK	134	.TP
08e86f4c SK	135	/proc/\fIpid\fR/ns/net
1e3832bf	136	the network namespace
08e86f4c SK	137	.TP
08e86f4c SK	138	/proc/\fIpid\fR/ns/pid
1e3832bf	139	the PID namespace
08e86f4c SK	140	.TP
	141	/proc/\fIpid\fR/ns/user
	142	the user namespace
	143	.TP
f9e7b66d SH	144	/proc/\fIpid\fR/ns/cgroup
	145	the cgroup namespace
	146	.TP
08e86f4c SK	147	/proc/\fIpid\fR/root
	148	the root directory
	149	.TP
1e3832bf	150	/proc/\fIpid\fR/cwd
08e86f4c SK	151	the working directory respectively
	152	.PD
	153	.RE
	154	.TP
dde08a87 BS	155	\fB\-m\fR, \fB\-\-mount\fR[=\fIfile\fR]
dde08a87 BS	156	Enter the mount namespace. If no file is specified, enter the mount namespace
ff88fc3b MK	157	of the target process.
	158	If
	159	.I file
	160	is specified, enter the mount namespace
	161	specified by
	162	.IR file .
08e86f4c	163	.TP
dde08a87 BS	164	\fB\-u\fR, \fB\-\-uts\fR[=\fIfile\fR]
dde08a87 BS	165	Enter the UTS namespace. If no file is specified, enter the UTS namespace of
ff88fc3b MK	166	the target process.
	167	If
	168	.I file
	169	is specified, enter the UTS namespace specified by
	170	.IR file .
08e86f4c	171	.TP
dde08a87 BS	172	\fB\-i\fR, \fB\-\-ipc\fR[=\fIfile\fR]
dde08a87 BS	173	Enter the IPC namespace. If no file is specified, enter the IPC namespace of
ff88fc3b MK	174	the target process.
	175	If
	176	.I file
	177	is specified, enter the IPC namespace specified by
	178	.IR file .
08e86f4c	179	.TP
dde08a87 BS	180	\fB\-n\fR, \fB\-\-net\fR[=\fIfile\fR]
dde08a87 BS	181	Enter the network namespace. If no file is specified, enter the network
ff88fc3b MK	182	namespace of the target process.
	183	If
	184	.I file
	185	is specified, enter the network namespace specified by
	186	.IR file .
08e86f4c	187	.TP
dde08a87 BS	188	\fB\-p\fR, \fB\-\-pid\fR[=\fIfile\fR]
dde08a87 BS	189	Enter the PID namespace. If no file is specified, enter the PID namespace of
ff88fc3b MK	190	the target process.
	191	If
	192	.I file
	193	is specified, enter the PID namespace specified by
	194	.IR file .
08e86f4c	195	.TP
dde08a87 BS	196	\fB\-U\fR, \fB\-\-user\fR[=\fIfile\fR]
dde08a87 BS	197	Enter the user namespace. If no file is specified, enter the user namespace of
ff88fc3b MK	198	the target process.
	199	If
	200	.I file
	201	is specified, enter the user namespace specified by
	202	.IR file .
91f20582	203	See also the \fB\-\-setuid\fR and \fB\-\-setgid\fR options.
6b9e5bf6	204	.TP
f9e7b66d SH	205	\fB\-C\fR, \fB\-\-cgroup\fR[=\fIfile\fR]
f9e7b66d SH	206	Enter the cgroup namespace. If no file is specified, enter the cgroup namespace of
ff88fc3b MK	207	the target process.
	208	If
	209	.I file
	210	is specified, enter the cgroup namespace specified by
	211	.IR file .
f9e7b66d	212	.TP
6b9e5bf6	213	\fB\-G\fR, \fB\-\-setgid\fR \fIgid\fR
47f42c1d KZ	214	Set the group ID which will be used in the entered namespace and drop
	215	supplementary groups.
	216	.BR nsenter (1)
	217	always sets GID for user namespaces, the default is 0.
6b9e5bf6 RW	218	.TP
6b9e5bf6 RW	219	\fB\-S\fR, \fB\-\-setuid\fR \fIuid\fR
47f42c1d KZ	220	Set the user ID which will be used in the entered namespace.
	221	.BR nsenter (1)
	222	always sets UID for user namespaces, the default is 0.
08e86f4c	223	.TP
b06c1ca6	224	\fB\-\-preserve\-credentials\fR
e99a6626 KZ	225	Don't modify UID and GID when enter user namespace. The default is to
	226	drops supplementary groups and sets GID and UID to 0.
	227	.TP
dde08a87 BS	228	\fB\-r\fR, \fB\-\-root\fR[=\fIdirectory\fR]
	229	Set the root directory. If no directory is specified, set the root directory to
	230	the root directory of the target process. If directory is specified, set the
08e86f4c SK	231	root directory to the specified directory.
08e86f4c SK	232	.TP
dde08a87 BS	233	\fB\-w\fR, \fB\-\-wd\fR[=\fIdirectory\fR]
dde08a87 BS	234	Set the working directory. If no directory is specified, set the working
08e86f4c	235	directory to the working directory of the target process. If directory is
dde08a87	236	specified, set the working directory to the specified directory.
08e86f4c	237	.TP
b06c1ca6	238	\fB\-F\fR, \fB\-\-no\-fork\fR
dde08a87 BS	239	Do not fork before exec'ing the specified program. By default, when entering a
	240	PID namespace, \fBnsenter\fP calls \fBfork\fP before calling \fBexec\fP so that
	241	any children will also be in the newly entered PID namespace.
08e86f4c	242	.TP
355ee3b8 KZ	243	\fB\-Z\fR, \fB\-\-follow\-context\fR
	244	Set the SELinux security context used for executing a new process according to
	245	already running process specified by \fB\-\-target\fR PID. (The util-linux has
	246	to be compiled with SELinux support otherwise the option is unavailable.)
	247	.TP
08e86f4c SK	248	\fB\-V\fR, \fB\-\-version\fR
	249	Display version information and exit.
	250	.TP
	251	\fB\-h\fR, \fB\-\-help\fR
b4362b6f	252	Display help text and exit.
f8aa8e94	253	.SH SEE ALSO
f053ff1e	254	.BR clone (2),
4a3f0735 MK	255	.BR setns (2),
4a3f0735 MK	256	.BR namespaces (7)
355ee3b8 KZ	257	.SH AUTHORS
355ee3b8 KZ	258	.UR biederm@xmission.com
08e86f4c	259	Eric Biederman
355ee3b8 KZ	260	.UE
	261	.br
	262	.UR kzak@redhat.com
	263	Karel Zak
	264	.UE
f8aa8e94 EB	265	.SH AVAILABILITY
f8aa8e94 EB	266	The nsenter command is part of the util-linux package and is available from
d673b74e	267	.UR https://\:www.kernel.org\:/pub\:/linux\:/utils\:/util-linux/
08e86f4c SK	268	Linux Kernel Archive
08e86f4c SK	269	.UE .