[thirdparty/util-linux.git] / sys-utils / nsenter.1

.TH NSENTER 1 "June 2013" "util-linux" "User Commands"
.SH NAME
nsenter \- run program with namespaces of other processes
.SH SYNOPSIS
.B nsenter
[options]
.RI [ program
.RI [ arguments ]]
.SH DESCRIPTION
Enters the namespaces of one or more other processes and then executes the specified
program.  Enterable namespaces are:
.TP
.B mount namespace
Mounting and unmounting filesystems will not affect the rest of the system,
except for filesystems which are explicitly marked as shared (with
\fBmount --make-\:shared\fP; see \fI/proc\:/self\:/mountinfo\fP for the
\fBshared\fP flag).
For further details, see
.BR mount_namespaces (7)
and the discussion of the
.BR CLONE_NEWNS
flag in
.BR clone (2).
.TP
.B UTS namespace
Setting hostname or domainname will not affect the rest of the system.
For further details, see
.BR namespaces (7)
and the discussion of the
.BR CLONE_NEWUTS
flag in
.BR clone (2).
.TP
.B IPC namespace
The process will have an independent namespace for POSIX message queues
as well as System V message queues,
semaphore sets and shared memory segments.
For further details, see
.BR namespaces (7)
and the discussion of the
.BR CLONE_NEWIPC
flag in
.BR clone (2).
.TP
.B network namespace
The process will have independent IPv4 and IPv6 stacks, IP routing tables,
firewall rules, the
.I /proc\:/net
and
.I /sys\:/class\:/net
directory trees, sockets, etc.
For further details, see
.BR namespaces (7)
and the discussion of the
.BR CLONE_NEWNET
flag in
.BR clone (2).
.TP
.B PID namespace
Children will have a set of PID to process mappings separate from the
.B nsenter
process
For further details, see
.BR pid_namespaces (7)
and
the discussion of the
.BR CLONE_NEWPID
flag in
.B nsenter
will fork by default if changing the PID namespace, so that the new program
and its children share the same PID namespace and are visible to each other.
If \fB\-\-no\-fork\fP is used, the new program will be exec'ed without forking.
.TP
.B user namespace
The process will have a distinct set of UIDs, GIDs and capabilities.
For further details, see
.BR user_namespaces (7)
and the discussion of the
.BR CLONE_NEWUSER
flag in
.BR clone (2).
.TP
.B cgroup namespace
The process will have a virtualized view of \fI/proc\:/self\:/cgroup\fP, and new
cgroup mounts will be rooted at the namespace cgroup root.
For further details, see
.BR cgroup_namespaces (7)
and the discussion of the
.BR CLONE_NEWCGROUP
flag in
.BR clone (2).
.TP
See \fBclone\fP(2) for the exact semantics of the flags.
.TP
If \fIprogram\fP is not given, then ``${SHELL}'' is run (default: /bin\:/sh).

.SH OPTIONS
Various of the options below that relate to namespaces take an optional
.I file
argument.
This should be one of the
.IR /proc/[pid]/ns/*
files described in
.BR namespaces (7).
.TP
\fB\-t\fR, \fB\-\-target\fR \fIpid\fP
Specify a target process to get contexts from.  The paths to the contexts
specified by
.I pid
are:
.RS
.PD 0
.IP "" 20
.TP
/proc/\fIpid\fR/ns/mnt
the mount namespace
.TP
/proc/\fIpid\fR/ns/uts
the UTS namespace
.TP
/proc/\fIpid\fR/ns/ipc
the IPC namespace
.TP
/proc/\fIpid\fR/ns/net
the network namespace
.TP
/proc/\fIpid\fR/ns/pid
the PID namespace
.TP
/proc/\fIpid\fR/ns/user
the user namespace
.TP
/proc/\fIpid\fR/ns/cgroup
the cgroup namespace
.TP
/proc/\fIpid\fR/root
the root directory
.TP
/proc/\fIpid\fR/cwd
the working directory respectively
.PD
.RE
.TP
\fB\-m\fR, \fB\-\-mount\fR[=\fIfile\fR]
Enter the mount namespace.  If no file is specified, enter the mount namespace
of the target process.
If
.I file
is specified, enter the mount namespace
specified by
.IR file .
.TP
\fB\-u\fR, \fB\-\-uts\fR[=\fIfile\fR]
Enter the UTS namespace.  If no file is specified, enter the UTS namespace of
the target process.
If
.I file
is specified, enter the UTS namespace specified by
.IR file .
.TP
\fB\-i\fR, \fB\-\-ipc\fR[=\fIfile\fR]
Enter the IPC namespace.  If no file is specified, enter the IPC namespace of
the target process.
If
.I file
is specified, enter the IPC namespace specified by
.IR file .
.TP
\fB\-n\fR, \fB\-\-net\fR[=\fIfile\fR]
Enter the network namespace.  If no file is specified, enter the network
namespace of the target process.
If
.I file
is specified, enter the network namespace specified by
.IR file .
.TP
\fB\-p\fR, \fB\-\-pid\fR[=\fIfile\fR]
Enter the PID namespace.  If no file is specified, enter the PID namespace of
the target process.
If
.I file
is specified, enter the PID namespace specified by
.IR file .
.TP
\fB\-U\fR, \fB\-\-user\fR[=\fIfile\fR]
Enter the user namespace.  If no file is specified, enter the user namespace of
the target process.
If
.I file
is specified, enter the user namespace specified by
.IR file .
See also the \fB\-\-setuid\fR and \fB\-\-setgid\fR options.
.TP
\fB\-C\fR, \fB\-\-cgroup\fR[=\fIfile\fR]
Enter the cgroup namespace.  If no file is specified, enter the cgroup namespace of
the target process.
If
.I file
is specified, enter the cgroup namespace specified by
.IR file .
.TP
\fB\-G\fR, \fB\-\-setgid\fR \fIgid\fR
Set the group ID which will be used in the entered namespace and drop
supplementary groups.
.BR nsenter (1)
always sets GID for user namespaces, the default is 0.
.TP
\fB\-S\fR, \fB\-\-setuid\fR \fIuid\fR
Set the user ID which will be used in the entered namespace.
.BR nsenter (1)
always sets UID for user namespaces, the default is 0.
.TP
\fB\-\-preserve\-credentials\fR
Don't modify UID and GID when enter user namespace. The default is to
drops supplementary groups and sets GID and UID to 0.
.TP
\fB\-r\fR, \fB\-\-root\fR[=\fIdirectory\fR]
Set the root directory.  If no directory is specified, set the root directory to
the root directory of the target process.  If directory is specified, set the
root directory to the specified directory.
.TP
\fB\-w\fR, \fB\-\-wd\fR[=\fIdirectory\fR]
Set the working directory.  If no directory is specified, set the working
directory to the working directory of the target process.  If directory is
specified, set the working directory to the specified directory.
.TP
\fB\-F\fR, \fB\-\-no\-fork\fR
Do not fork before exec'ing the specified program.  By default, when entering a
PID namespace, \fBnsenter\fP calls \fBfork\fP before calling \fBexec\fP so that
any children will also be in the newly entered PID namespace.
.TP
\fB\-Z\fR, \fB\-\-follow\-context\fR
Set the SELinux security context used for executing a new process according to
already running process specified by \fB\-\-target\fR PID. (The util-linux has
to be compiled with SELinux support otherwise the option is unavailable.)
.TP
\fB\-V\fR, \fB\-\-version\fR
Display version information and exit.
.TP
\fB\-h\fR, \fB\-\-help\fR
Display help text and exit.
.SH SEE ALSO
.BR clone (2),
.BR setns (2),
.BR namespaces (7)
.SH AUTHORS
.UR biederm@xmission.com
Eric Biederman
.UE
.br
.UR kzak@redhat.com
Karel Zak
.UE
.SH AVAILABILITY
The nsenter command is part of the util-linux package and is available from
.UR ftp://\:ftp.kernel.org\:/pub\:/linux\:/utils\:/util-linux/
Linux Kernel Archive
.UE .
Commit	Line	Data
87ec43b6	1	.TH NSENTER 1 "June 2013" "util-linux" "User Commands"
f8aa8e94 EB	2	.SH NAME
	3	nsenter \- run program with namespaces of other processes
	4	.SH SYNOPSIS
	5	.B nsenter
cf8e0bae	6	[options]
dde08a87 BS	7	.RI [ program
dde08a87 BS	8	.RI [ arguments ]]
f8aa8e94	9	.SH DESCRIPTION
1e3832bf	10	Enters the namespaces of one or more other processes and then executes the specified
08e86f4c	11	program. Enterable namespaces are:
f8aa8e94	12	.TP
08e86f4c	13	.B mount namespace
894efece MK	14	Mounting and unmounting filesystems will not affect the rest of the system,
894efece MK	15	except for filesystems which are explicitly marked as shared (with
dde08a87 BS	16	\fBmount --make-\:shared\fP; see \fI/proc\:/self\:/mountinfo\fP for the
dde08a87 BS	17	\fBshared\fP flag).
894efece MK	18	For further details, see
	19	.BR mount_namespaces (7)
	20	and the discussion of the
	21	.BR CLONE_NEWNS
	22	flag in
	23	.BR clone (2).
f8aa8e94	24	.TP
08e86f4c	25	.B UTS namespace
dde08a87	26	Setting hostname or domainname will not affect the rest of the system.
894efece MK	27	For further details, see
	28	.BR namespaces (7)
	29	and the discussion of the
	30	.BR CLONE_NEWUTS
	31	flag in
	32	.BR clone (2).
f8aa8e94	33	.TP
08e86f4c	34	.B IPC namespace
170a8e4a MK	35	The process will have an independent namespace for POSIX message queues
170a8e4a MK	36	as well as System V message queues,
dde08a87	37	semaphore sets and shared memory segments.
894efece MK	38	For further details, see
	39	.BR namespaces (7)
	40	and the discussion of the
	41	.BR CLONE_NEWIPC
	42	flag in
	43	.BR clone (2).
f8aa8e94	44	.TP
08e86f4c	45	.B network namespace
dde08a87 BS	46	The process will have independent IPv4 and IPv6 stacks, IP routing tables,
dde08a87 BS	47	firewall rules, the
08e86f4c SK	48	.I /proc\:/net
	49	and
	50	.I /sys\:/class\:/net
dde08a87	51	directory trees, sockets, etc.
894efece MK	52	For further details, see
	53	.BR namespaces (7)
	54	and the discussion of the
	55	.BR CLONE_NEWNET
	56	flag in
	57	.BR clone (2).
08e86f4c	58	.TP
1e3832bf	59	.B PID namespace
dde08a87	60	Children will have a set of PID to process mappings separate from the
1e3832bf ZJS	61	.B nsenter
1e3832bf ZJS	62	process
894efece MK	63	For further details, see
	64	.BR pid_namespaces (7)
	65	and
	66	the discussion of the
	67	.BR CLONE_NEWPID
	68	flag in
1e3832bf ZJS	69	.B nsenter
	70	will fork by default if changing the PID namespace, so that the new program
	71	and its children share the same PID namespace and are visible to each other.
dde08a87	72	If \fB\-\-no\-fork\fP is used, the new program will be exec'ed without forking.
f8aa8e94	73	.TP
08e86f4c	74	.B user namespace
dde08a87	75	The process will have a distinct set of UIDs, GIDs and capabilities.
894efece MK	76	For further details, see
	77	.BR user_namespaces (7)
	78	and the discussion of the
	79	.BR CLONE_NEWUSER
	80	flag in
	81	.BR clone (2).
f8aa8e94	82	.TP
f9e7b66d SH	83	.B cgroup namespace
	84	The process will have a virtualized view of \fI/proc\:/self\:/cgroup\fP, and new
	85	cgroup mounts will be rooted at the namespace cgroup root.
894efece MK	86	For further details, see
	87	.BR cgroup_namespaces (7)
	88	and the discussion of the
	89	.BR CLONE_NEWCGROUP
	90	flag in
	91	.BR clone (2).
f9e7b66d	92	.TP
dde08a87	93	See \fBclone\fP(2) for the exact semantics of the flags.
57580694	94	.TP
dde08a87	95	If \fIprogram\fP is not given, then ``${SHELL}'' is run (default: /bin\:/sh).
57580694	96
f8aa8e94	97	.SH OPTIONS
4b298f61 MK	98	Various of the options below that relate to namespaces take an optional
	99	.I file
	100	argument.
	101	This should be one of the
	102	.IR /proc/[pid]/ns/*
	103	files described in
	104	.BR namespaces (7).
08e86f4c SK	105	.TP
	106	\fB\-t\fR, \fB\-\-target\fR \fIpid\fP
	107	Specify a target process to get contexts from. The paths to the contexts
	108	specified by
	109	.I pid
	110	are:
	111	.RS
	112	.PD 0
	113	.IP "" 20
	114	.TP
	115	/proc/\fIpid\fR/ns/mnt
	116	the mount namespace
	117	.TP
	118	/proc/\fIpid\fR/ns/uts
1e3832bf	119	the UTS namespace
08e86f4c SK	120	.TP
08e86f4c SK	121	/proc/\fIpid\fR/ns/ipc
1e3832bf	122	the IPC namespace
08e86f4c SK	123	.TP
08e86f4c SK	124	/proc/\fIpid\fR/ns/net
1e3832bf	125	the network namespace
08e86f4c SK	126	.TP
08e86f4c SK	127	/proc/\fIpid\fR/ns/pid
1e3832bf	128	the PID namespace
08e86f4c SK	129	.TP
	130	/proc/\fIpid\fR/ns/user
	131	the user namespace
	132	.TP
f9e7b66d SH	133	/proc/\fIpid\fR/ns/cgroup
	134	the cgroup namespace
	135	.TP
08e86f4c SK	136	/proc/\fIpid\fR/root
	137	the root directory
	138	.TP
1e3832bf	139	/proc/\fIpid\fR/cwd
08e86f4c SK	140	the working directory respectively
	141	.PD
	142	.RE
	143	.TP
dde08a87 BS	144	\fB\-m\fR, \fB\-\-mount\fR[=\fIfile\fR]
dde08a87 BS	145	Enter the mount namespace. If no file is specified, enter the mount namespace
ff88fc3b MK	146	of the target process.
	147	If
	148	.I file
	149	is specified, enter the mount namespace
	150	specified by
	151	.IR file .
08e86f4c	152	.TP
dde08a87 BS	153	\fB\-u\fR, \fB\-\-uts\fR[=\fIfile\fR]
dde08a87 BS	154	Enter the UTS namespace. If no file is specified, enter the UTS namespace of
ff88fc3b MK	155	the target process.
	156	If
	157	.I file
	158	is specified, enter the UTS namespace specified by
	159	.IR file .
08e86f4c	160	.TP
dde08a87 BS	161	\fB\-i\fR, \fB\-\-ipc\fR[=\fIfile\fR]
dde08a87 BS	162	Enter the IPC namespace. If no file is specified, enter the IPC namespace of
ff88fc3b MK	163	the target process.
	164	If
	165	.I file
	166	is specified, enter the IPC namespace specified by
	167	.IR file .
08e86f4c	168	.TP
dde08a87 BS	169	\fB\-n\fR, \fB\-\-net\fR[=\fIfile\fR]
dde08a87 BS	170	Enter the network namespace. If no file is specified, enter the network
ff88fc3b MK	171	namespace of the target process.
	172	If
	173	.I file
	174	is specified, enter the network namespace specified by
	175	.IR file .
08e86f4c	176	.TP
dde08a87 BS	177	\fB\-p\fR, \fB\-\-pid\fR[=\fIfile\fR]
dde08a87 BS	178	Enter the PID namespace. If no file is specified, enter the PID namespace of
ff88fc3b MK	179	the target process.
	180	If
	181	.I file
	182	is specified, enter the PID namespace specified by
	183	.IR file .
08e86f4c	184	.TP
dde08a87 BS	185	\fB\-U\fR, \fB\-\-user\fR[=\fIfile\fR]
dde08a87 BS	186	Enter the user namespace. If no file is specified, enter the user namespace of
ff88fc3b MK	187	the target process.
	188	If
	189	.I file
	190	is specified, enter the user namespace specified by
	191	.IR file .
91f20582	192	See also the \fB\-\-setuid\fR and \fB\-\-setgid\fR options.
6b9e5bf6	193	.TP
f9e7b66d SH	194	\fB\-C\fR, \fB\-\-cgroup\fR[=\fIfile\fR]
f9e7b66d SH	195	Enter the cgroup namespace. If no file is specified, enter the cgroup namespace of
ff88fc3b MK	196	the target process.
	197	If
	198	.I file
	199	is specified, enter the cgroup namespace specified by
	200	.IR file .
f9e7b66d	201	.TP
6b9e5bf6	202	\fB\-G\fR, \fB\-\-setgid\fR \fIgid\fR
47f42c1d KZ	203	Set the group ID which will be used in the entered namespace and drop
	204	supplementary groups.
	205	.BR nsenter (1)
	206	always sets GID for user namespaces, the default is 0.
6b9e5bf6 RW	207	.TP
6b9e5bf6 RW	208	\fB\-S\fR, \fB\-\-setuid\fR \fIuid\fR
47f42c1d KZ	209	Set the user ID which will be used in the entered namespace.
	210	.BR nsenter (1)
	211	always sets UID for user namespaces, the default is 0.
08e86f4c	212	.TP
b06c1ca6	213	\fB\-\-preserve\-credentials\fR
e99a6626 KZ	214	Don't modify UID and GID when enter user namespace. The default is to
	215	drops supplementary groups and sets GID and UID to 0.
	216	.TP
dde08a87 BS	217	\fB\-r\fR, \fB\-\-root\fR[=\fIdirectory\fR]
	218	Set the root directory. If no directory is specified, set the root directory to
	219	the root directory of the target process. If directory is specified, set the
08e86f4c SK	220	root directory to the specified directory.
08e86f4c SK	221	.TP
dde08a87 BS	222	\fB\-w\fR, \fB\-\-wd\fR[=\fIdirectory\fR]
dde08a87 BS	223	Set the working directory. If no directory is specified, set the working
08e86f4c	224	directory to the working directory of the target process. If directory is
dde08a87	225	specified, set the working directory to the specified directory.
08e86f4c	226	.TP
b06c1ca6	227	\fB\-F\fR, \fB\-\-no\-fork\fR
dde08a87 BS	228	Do not fork before exec'ing the specified program. By default, when entering a
	229	PID namespace, \fBnsenter\fP calls \fBfork\fP before calling \fBexec\fP so that
	230	any children will also be in the newly entered PID namespace.
08e86f4c	231	.TP
355ee3b8 KZ	232	\fB\-Z\fR, \fB\-\-follow\-context\fR
	233	Set the SELinux security context used for executing a new process according to
	234	already running process specified by \fB\-\-target\fR PID. (The util-linux has
	235	to be compiled with SELinux support otherwise the option is unavailable.)
	236	.TP
08e86f4c SK	237	\fB\-V\fR, \fB\-\-version\fR
	238	Display version information and exit.
	239	.TP
	240	\fB\-h\fR, \fB\-\-help\fR
b4362b6f	241	Display help text and exit.
f8aa8e94	242	.SH SEE ALSO
f053ff1e	243	.BR clone (2),
4a3f0735 MK	244	.BR setns (2),
4a3f0735 MK	245	.BR namespaces (7)
355ee3b8 KZ	246	.SH AUTHORS
355ee3b8 KZ	247	.UR biederm@xmission.com
08e86f4c	248	Eric Biederman
355ee3b8 KZ	249	.UE
	250	.br
	251	.UR kzak@redhat.com
	252	Karel Zak
	253	.UE
f8aa8e94 EB	254	.SH AVAILABILITY
f8aa8e94 EB	255	The nsenter command is part of the util-linux package and is available from
08e86f4c SK	256	.UR ftp://\:ftp.kernel.org\:/pub\:/linux\:/utils\:/util-linux/
	257	Linux Kernel Archive
	258	.UE .