Commit | Line | Data |
---|---|---|
87ec43b6 | 1 | .TH NSENTER 1 "June 2013" "util-linux" "User Commands" |
f8aa8e94 EB |
2 | .SH NAME |
3 | nsenter \- run program with namespaces of other processes | |
4 | .SH SYNOPSIS | |
5 | .B nsenter | |
cf8e0bae | 6 | [options] |
dde08a87 BS |
7 | .RI [ program |
8 | .RI [ arguments ]] | |
f8aa8e94 | 9 | .SH DESCRIPTION |
1e3832bf | 10 | Enters the namespaces of one or more other processes and then executes the specified |
0f0b5823 KZ |
11 | \fIprogram\fP. If \fIprogram\fP is not given, then ``${SHELL}'' is run (default: /bin\:/sh). |
12 | .PP | |
13 | Enterable namespaces are: | |
f8aa8e94 | 14 | .TP |
08e86f4c | 15 | .B mount namespace |
894efece MK |
16 | Mounting and unmounting filesystems will not affect the rest of the system, |
17 | except for filesystems which are explicitly marked as shared (with | |
dde08a87 BS |
18 | \fBmount --make-\:shared\fP; see \fI/proc\:/self\:/mountinfo\fP for the |
19 | \fBshared\fP flag). | |
894efece MK |
20 | For further details, see |
21 | .BR mount_namespaces (7) | |
22 | and the discussion of the | |
23 | .BR CLONE_NEWNS | |
24 | flag in | |
25 | .BR clone (2). | |
f8aa8e94 | 26 | .TP |
08e86f4c | 27 | .B UTS namespace |
dde08a87 | 28 | Setting hostname or domainname will not affect the rest of the system. |
894efece MK |
29 | For further details, see |
30 | .BR namespaces (7) | |
31 | and the discussion of the | |
32 | .BR CLONE_NEWUTS | |
33 | flag in | |
34 | .BR clone (2). | |
f8aa8e94 | 35 | .TP |
08e86f4c | 36 | .B IPC namespace |
170a8e4a MK |
37 | The process will have an independent namespace for POSIX message queues |
38 | as well as System V message queues, | |
dde08a87 | 39 | semaphore sets and shared memory segments. |
894efece MK |
40 | For further details, see |
41 | .BR namespaces (7) | |
42 | and the discussion of the | |
43 | .BR CLONE_NEWIPC | |
44 | flag in | |
45 | .BR clone (2). | |
f8aa8e94 | 46 | .TP |
08e86f4c | 47 | .B network namespace |
dde08a87 BS |
48 | The process will have independent IPv4 and IPv6 stacks, IP routing tables, |
49 | firewall rules, the | |
08e86f4c SK |
50 | .I /proc\:/net |
51 | and | |
52 | .I /sys\:/class\:/net | |
dde08a87 | 53 | directory trees, sockets, etc. |
894efece MK |
54 | For further details, see |
55 | .BR namespaces (7) | |
56 | and the discussion of the | |
57 | .BR CLONE_NEWNET | |
58 | flag in | |
59 | .BR clone (2). | |
08e86f4c | 60 | .TP |
1e3832bf | 61 | .B PID namespace |
dde08a87 | 62 | Children will have a set of PID to process mappings separate from the |
1e3832bf ZJS |
63 | .B nsenter |
64 | process. | |
894efece MK |
65 | For further details, see |
66 | .BR pid_namespaces (7) | |
67 | and | |
68 | the discussion of the | |
69 | .BR CLONE_NEWPID | |
70 | flag in \fBclone\fP(2). | |
1e3832bf ZJS |
71 | .B nsenter |
72 | will fork by default if changing the PID namespace, so that the new program | |
73 | and its children share the same PID namespace and are visible to each other. | |
dde08a87 | 74 | If \fB\-\-no\-fork\fP is used, the new program will be exec'ed without forking. |
f8aa8e94 | 75 | .TP |
08e86f4c | 76 | .B user namespace |
dde08a87 | 77 | The process will have a distinct set of UIDs, GIDs and capabilities. |
894efece MK |
78 | For further details, see |
79 | .BR user_namespaces (7) | |
80 | and the discussion of the | |
81 | .BR CLONE_NEWUSER | |
82 | flag in | |
83 | .BR clone (2). | |
f8aa8e94 | 84 | .TP |
f9e7b66d SH |
85 | .B cgroup namespace |
86 | The process will have a virtualized view of \fI/proc\:/self\:/cgroup\fP, and new | |
87 | cgroup mounts will be rooted at the namespace cgroup root. | |
894efece MK |
88 | For further details, see |
89 | .BR cgroup_namespaces (7) | |
90 | and the discussion of the | |
91 | .BR CLONE_NEWCGROUP | |
92 | flag in | |
93 | .BR clone (2). | |
f9e7b66d | 94 | .TP |
dde08a87 | 95 | See \fBclone\fP(2) for the exact semantics of the flags. |
f8aa8e94 | 96 | .SH OPTIONS |
4b298f61 MK |
97 | Various of the options below that relate to namespaces take an optional |
98 | .I file | |
99 | argument. | |
100 | This should be one of the | |
101 | .IR /proc/[pid]/ns/* | |
102 | files described in | |
103 | .BR namespaces (7). | |
08e86f4c | 104 | .TP |
974cc006 KZ |
105 | \fB\-a\fR, \fB\-\-all\fR |
106 | Enter all namespaces of the target process by the default | |
107 | .IR /proc/[pid]/ns/* | |
108 | namespace paths. The default paths to the target process namespaces may be | |
109 | overridden by namespace-specific options (e.g. --all --mount=[path]). | |
110 | ||
111 | The user namespace will be ignored if it is the same as the caller's current user | |
112 | namespace. This prevents a caller that has dropped capabilities from regaining | |
113 | those capabilities via a call to setns(). See | |
114 | .BR setns (2) | |
115 | for more details. | |
116 | .TP | |
08e86f4c SK |
117 | \fB\-t\fR, \fB\-\-target\fR \fIpid\fP |
118 | Specify a target process to get contexts from. The paths to the contexts | |
119 | specified by | |
120 | .I pid | |
121 | are: | |
122 | .RS | |
123 | .PD 0 | |
124 | .IP "" 20 | |
125 | .TP | |
126 | /proc/\fIpid\fR/ns/mnt | |
127 | the mount namespace | |
128 | .TP | |
129 | /proc/\fIpid\fR/ns/uts | |
1e3832bf | 130 | the UTS namespace |
08e86f4c SK |
131 | .TP |
132 | /proc/\fIpid\fR/ns/ipc | |
1e3832bf | 133 | the IPC namespace |
08e86f4c SK |
134 | .TP |
135 | /proc/\fIpid\fR/ns/net | |
1e3832bf | 136 | the network namespace |
08e86f4c SK |
137 | .TP |
138 | /proc/\fIpid\fR/ns/pid | |
1e3832bf | 139 | the PID namespace |
08e86f4c SK |
140 | .TP |
141 | /proc/\fIpid\fR/ns/user | |
142 | the user namespace | |
143 | .TP | |
f9e7b66d SH |
144 | /proc/\fIpid\fR/ns/cgroup |
145 | the cgroup namespace | |
146 | .TP | |
08e86f4c SK |
147 | /proc/\fIpid\fR/root |
148 | the root directory | |
149 | .TP | |
1e3832bf | 150 | /proc/\fIpid\fR/cwd |
08e86f4c SK |
151 | the working directory respectively |
152 | .PD | |
153 | .RE | |
154 | .TP | |
dde08a87 BS |
155 | \fB\-m\fR, \fB\-\-mount\fR[=\fIfile\fR] |
156 | Enter the mount namespace. If no file is specified, enter the mount namespace | |
ff88fc3b MK |
157 | of the target process. |
158 | If | |
159 | .I file | |
160 | is specified, enter the mount namespace | |
161 | specified by | |
162 | .IR file . | |
08e86f4c | 163 | .TP |
dde08a87 BS |
164 | \fB\-u\fR, \fB\-\-uts\fR[=\fIfile\fR] |
165 | Enter the UTS namespace. If no file is specified, enter the UTS namespace of | |
ff88fc3b MK |
166 | the target process. |
167 | If | |
168 | .I file | |
169 | is specified, enter the UTS namespace specified by | |
170 | .IR file . | |
08e86f4c | 171 | .TP |
dde08a87 BS |
172 | \fB\-i\fR, \fB\-\-ipc\fR[=\fIfile\fR] |
173 | Enter the IPC namespace. If no file is specified, enter the IPC namespace of | |
ff88fc3b MK |
174 | the target process. |
175 | If | |
176 | .I file | |
177 | is specified, enter the IPC namespace specified by | |
178 | .IR file . | |
08e86f4c | 179 | .TP |
dde08a87 BS |
180 | \fB\-n\fR, \fB\-\-net\fR[=\fIfile\fR] |
181 | Enter the network namespace. If no file is specified, enter the network | |
ff88fc3b MK |
182 | namespace of the target process. |
183 | If | |
184 | .I file | |
185 | is specified, enter the network namespace specified by | |
186 | .IR file . | |
08e86f4c | 187 | .TP |
dde08a87 BS |
188 | \fB\-p\fR, \fB\-\-pid\fR[=\fIfile\fR] |
189 | Enter the PID namespace. If no file is specified, enter the PID namespace of | |
ff88fc3b MK |
190 | the target process. |
191 | If | |
192 | .I file | |
193 | is specified, enter the PID namespace specified by | |
194 | .IR file . | |
08e86f4c | 195 | .TP |
dde08a87 BS |
196 | \fB\-U\fR, \fB\-\-user\fR[=\fIfile\fR] |
197 | Enter the user namespace. If no file is specified, enter the user namespace of | |
ff88fc3b MK |
198 | the target process. |
199 | If | |
200 | .I file | |
201 | is specified, enter the user namespace specified by | |
202 | .IR file . | |
91f20582 | 203 | See also the \fB\-\-setuid\fR and \fB\-\-setgid\fR options. |
6b9e5bf6 | 204 | .TP |
f9e7b66d SH |
205 | \fB\-C\fR, \fB\-\-cgroup\fR[=\fIfile\fR] |
206 | Enter the cgroup namespace. If no file is specified, enter the cgroup namespace of | |
ff88fc3b MK |
207 | the target process. |
208 | If | |
209 | .I file | |
210 | is specified, enter the cgroup namespace specified by | |
211 | .IR file . | |
f9e7b66d | 212 | .TP |
6b9e5bf6 | 213 | \fB\-G\fR, \fB\-\-setgid\fR \fIgid\fR |
47f42c1d KZ |
214 | Set the group ID which will be used in the entered namespace and drop |
215 | supplementary groups. | |
216 | .BR nsenter (1) | |
217 | always sets GID for user namespaces; the default is 0. | |
6b9e5bf6 RW |
218 | .TP |
219 | \fB\-S\fR, \fB\-\-setuid\fR \fIuid\fR | |
47f42c1d KZ |
220 | Set the user ID which will be used in the entered namespace. |
221 | .BR nsenter (1) | |
222 | always sets UID for user namespaces; the default is 0. | |
08e86f4c | 223 | .TP |
b06c1ca6 | 224 | \fB\-\-preserve\-credentials\fR |
e99a6626 KZ |
225 | Don't modify UID and GID when entering a user namespace. The default is to |
226 | drop supplementary groups and set GID and UID to 0. | |
227 | .TP | |
dde08a87 BS |
228 | \fB\-r\fR, \fB\-\-root\fR[=\fIdirectory\fR] |
229 | Set the root directory. If no directory is specified, set the root directory to | |
230 | the root directory of the target process. If directory is specified, set the | |
08e86f4c SK |
231 | root directory to the specified directory. |
232 | .TP | |
dde08a87 BS |
233 | \fB\-w\fR, \fB\-\-wd\fR[=\fIdirectory\fR] |
234 | Set the working directory. If no directory is specified, set the working | |
08e86f4c | 235 | directory to the working directory of the target process. If directory is |
dde08a87 | 236 | specified, set the working directory to the specified directory. |
08e86f4c | 237 | .TP |
b06c1ca6 | 238 | \fB\-F\fR, \fB\-\-no\-fork\fR |
dde08a87 BS |
239 | Do not fork before exec'ing the specified program. By default, when entering a |
240 | PID namespace, \fBnsenter\fP calls \fBfork\fP before calling \fBexec\fP so that | |
241 | any children will also be in the newly entered PID namespace. | |
08e86f4c | 242 | .TP |
355ee3b8 KZ |
243 | \fB\-Z\fR, \fB\-\-follow\-context\fR |
244 | Set the SELinux security context used for executing a new process according to | |
245 | the already running process specified by \fB\-\-target\fR PID. (util-linux has | |
246 | to be compiled with SELinux support, otherwise the option is unavailable.) | |
247 | .TP | |
08e86f4c SK |
248 | \fB\-V\fR, \fB\-\-version\fR |
249 | Display version information and exit. | |
250 | .TP | |
251 | \fB\-h\fR, \fB\-\-help\fR | |
b4362b6f | 252 | Display help text and exit. |
f8aa8e94 | 253 | .SH SEE ALSO |
f053ff1e | 254 | .BR clone (2), |
4a3f0735 MK |
255 | .BR setns (2), |
256 | .BR namespaces (7) | |
355ee3b8 KZ |
257 | .SH AUTHORS |
258 | .UR biederm@xmission.com | |
08e86f4c | 259 | Eric Biederman |
355ee3b8 KZ |
260 | .UE |
261 | .br | |
262 | .UR kzak@redhat.com | |
263 | Karel Zak | |
264 | .UE | |
f8aa8e94 EB |
265 | .SH AVAILABILITY |
266 | The nsenter command is part of the util-linux package and is available from | |
d673b74e | 267 | .UR https://\:www.kernel.org\:/pub\:/linux\:/utils\:/util-linux/ |
08e86f4c SK |
268 | Linux Kernel Archive |
269 | .UE . |
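
The OPTIONS section resolves a target through its /proc/[pid]/ns/* links and says \-\-all ignores a user namespace equal to the caller's. The following added example (not util-linux code) compares those links for a caller and a target to show which namespaces would actually change. The function names, PIDs 100 and 200, and the inode numbers are constructed for illustration.

```shell
#!/bin/sh
# Added example (not util-linux code): compare the /proc/<pid>/ns/* links of a
# caller and a target to see what "nsenter --all -t <target>" would change.

# ns_compare PROC_ROOT CALLER_PID TARGET_PID
# Prints "<type> <status> <target-link>" per namespace type. Status is:
#   differs  target is in another namespace of this type
#   same     caller and target already share it
#   ignored  user namespace equal to the caller's (what --all skips, per the page)
#   missing  link absent or unreadable (unsupported type, or the process is gone)
ns_compare() {
    root=$1 caller=$2 target=$3
    for ns in mnt uts ipc net pid user cgroup; do
        # Two processes share a namespace when the link text "type:[inode]" matches.
        t=$(readlink "$root/$target/ns/$ns" 2>/dev/null) || { echo "$ns missing -"; continue; }
        c=$(readlink "$root/$caller/ns/$ns" 2>/dev/null) || c=
        if [ "$t" != "$c" ]; then
            echo "$ns differs $t"
        elif [ "$ns" = user ]; then
            echo "$ns ignored $t"
        else
            echo "$ns same $t"
        fi
    done
}

# make_fake_proc DIR: constructed sample tree standing in for /proc.
# PID 100 is the caller, PID 200 a containerised target that shares only the
# user namespace with it. Neither has a cgroup link. Inode numbers are made up.
make_fake_proc() {
    mkdir -p "$1/100/ns" "$1/200/ns"
    for ns in mnt uts ipc net pid; do
        ln -s "$ns:[4026531840]" "$1/100/ns/$ns"
        ln -s "$ns:[4026532777]" "$1/200/ns/$ns"
    done
    ln -s 'user:[4026531840]' "$1/100/ns/user"
    ln -s 'user:[4026531840]' "$1/200/ns/user"
}

demo=$(mktemp -d)
make_fake_proc "$demo"
ns_compare "$demo" 100 200
rm -rf "$demo"
# On a live system: ns_compare /proc $$ <target-pid>
```

A target whose links all report `same` or `ignored` is not isolated from the caller, which is worth knowing before treating an nsenter session as confined.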