Commit | Line | Data |
---|---|---|
87ec43b6 | 1 | .TH NSENTER 1 "June 2013" "util-linux" "User Commands" |
f8aa8e94 EB |
2 | .SH NAME |
3 | nsenter \- run program with namespaces of other processes | |
4 | .SH SYNOPSIS | |
5 | .B nsenter | |
cf8e0bae | 6 | [options] |
dde08a87 BS |
7 | .RI [ program |
8 | .RI [ arguments ]] | |
f8aa8e94 | 9 | .SH DESCRIPTION |
1e3832bf | 10 | Enters the namespaces of one or more other processes and then executes the specified |
08e86f4c | 11 | program. Enterable namespaces are: |
f8aa8e94 | 12 | .TP |
08e86f4c | 13 | .B mount namespace |
dde08a87 | 14 | Mounting and unmounting filesystems will not affect the rest of the system |
08e86f4c | 15 | .RB ( CLONE_\:NEWNS |
dde08a87 BS |
16 | flag), except for filesystems which are explicitly marked as shared (with |
17 | \fBmount --make-\:shared\fP; see \fI/proc\:/self\:/mountinfo\fP for the | |
18 | \fBshared\fP flag). | |
f8aa8e94 | 19 | .TP |
08e86f4c | 20 | .B UTS namespace |
dde08a87 | 21 | Setting hostname or domainname will not affect the rest of the system. |
08e86f4c | 22 | .RB ( CLONE_\:NEWUTS |
dde08a87 | 23 | flag) |
f8aa8e94 | 24 | .TP |
08e86f4c | 25 | .B IPC namespace |
dde08a87 BS |
26 | The process will have an independent namespace for System V message queues, |
27 | semaphore sets and shared memory segments. | |
08e86f4c | 28 | .RB ( CLONE_\:NEWIPC |
dde08a87 | 29 | flag) |
f8aa8e94 | 30 | .TP |
08e86f4c | 31 | .B network namespace |
dde08a87 BS |
32 | The process will have independent IPv4 and IPv6 stacks, IP routing tables, |
33 | firewall rules, the | |
08e86f4c SK |
34 | .I /proc\:/net |
35 | and | |
36 | .I /sys\:/class\:/net | |
dde08a87 | 37 | directory trees, sockets, etc. |
08e86f4c | 38 | .RB ( CLONE_\:NEWNET |
dde08a87 | 39 | flag) |
08e86f4c | 40 | .TP |
1e3832bf | 41 | .B PID namespace |
dde08a87 | 42 | Children will have a set of PID to process mappings separate from the |
1e3832bf ZJS |
43 | .B nsenter |
44 | process | |
08e86f4c SK |
45 | .RB ( CLONE_\:NEWPID |
46 | flag). | |
1e3832bf ZJS |
47 | .B nsenter |
48 | will fork by default if changing the PID namespace, so that the new program | |
49 | and its children share the same PID namespace and are visible to each other. | |
dde08a87 | 50 | If \fB\-\-no\-fork\fP is used, the new program will be exec'ed without forking. |
f8aa8e94 | 51 | .TP |
08e86f4c | 52 | .B user namespace |
dde08a87 | 53 | The process will have a distinct set of UIDs, GIDs and capabilities. |
08e86f4c | 54 | .RB ( CLONE_\:NEWUSER |
dde08a87 | 55 | flag) |
f8aa8e94 | 56 | .TP |
f9e7b66d SH |
57 | .B cgroup namespace |
58 | The process will have a virtualized view of \fI/proc\:/self\:/cgroup\fP, and new | |
59 | cgroup mounts will be rooted at the namespace cgroup root. | |
60 | .RB ( CLONE_\:NEWCGROUP | |
61 | flag) | |
62 | .TP | |
dde08a87 | 63 | See \fBclone\fP(2) for the exact semantics of the flags. |
57580694 | 64 | .TP |
dde08a87 | 65 | If \fIprogram\fP is not given, then ``${SHELL}'' is run (default: /bin\:/sh). |
57580694 | 66 | |
f8aa8e94 | 67 | .SH OPTIONS |
08e86f4c SK |
68 | .TP |
69 | \fB\-t\fR, \fB\-\-target\fR \fIpid\fP | |
70 | Specify a target process to get contexts from. The paths to the contexts | |
71 | specified by | |
72 | .I pid | |
73 | are: | |
74 | .RS | |
75 | .PD 0 | |
76 | .IP "" 20 | |
77 | .TP | |
78 | /proc/\fIpid\fR/ns/mnt | |
79 | the mount namespace | |
80 | .TP | |
81 | /proc/\fIpid\fR/ns/uts | |
1e3832bf | 82 | the UTS namespace |
08e86f4c SK |
83 | .TP |
84 | /proc/\fIpid\fR/ns/ipc | |
1e3832bf | 85 | the IPC namespace |
08e86f4c SK |
86 | .TP |
87 | /proc/\fIpid\fR/ns/net | |
1e3832bf | 88 | the network namespace |
08e86f4c SK |
89 | .TP |
90 | /proc/\fIpid\fR/ns/pid | |
1e3832bf | 91 | the PID namespace |
08e86f4c SK |
92 | .TP |
93 | /proc/\fIpid\fR/ns/user | |
94 | the user namespace | |
95 | .TP | |
f9e7b66d SH |
96 | /proc/\fIpid\fR/ns/cgroup |
97 | the cgroup namespace | |
98 | .TP | |
08e86f4c SK |
99 | /proc/\fIpid\fR/root |
100 | the root directory | |
101 | .TP | |
1e3832bf | 102 | /proc/\fIpid\fR/cwd |
08e86f4c SK |
103 | the working directory respectively |
104 | .PD | |
105 | .RE | |
106 | .TP | |
dde08a87 BS |
107 | \fB\-m\fR, \fB\-\-mount\fR[=\fIfile\fR] |
108 | Enter the mount namespace. If no file is specified, enter the mount namespace | |
109 | of the target process. If file is specified, enter the mount namespace | |
08e86f4c SK |
110 | specified by file. |
111 | .TP | |
dde08a87 BS |
112 | \fB\-u\fR, \fB\-\-uts\fR[=\fIfile\fR] |
113 | Enter the UTS namespace. If no file is specified, enter the UTS namespace of | |
114 | the target process. If file is specified, enter the UTS namespace specified by | |
08e86f4c SK |
115 | file. |
116 | .TP | |
dde08a87 BS |
117 | \fB\-i\fR, \fB\-\-ipc\fR[=\fIfile\fR] |
118 | Enter the IPC namespace. If no file is specified, enter the IPC namespace of | |
119 | the target process. If file is specified, enter the IPC namespace specified by | |
08e86f4c SK |
120 | file. |
121 | .TP | |
dde08a87 BS |
122 | \fB\-n\fR, \fB\-\-net\fR[=\fIfile\fR] |
123 | Enter the network namespace. If no file is specified, enter the network | |
124 | namespace of the target process. If file is specified, enter the network | |
08e86f4c SK |
125 | namespace specified by file. |
126 | .TP | |
dde08a87 BS |
127 | \fB\-p\fR, \fB\-\-pid\fR[=\fIfile\fR] |
128 | Enter the PID namespace. If no file is specified, enter the PID namespace of | |
129 | the target process. If file is specified, enter the PID namespace specified by | |
08e86f4c SK |
130 | file. |
131 | .TP | |
dde08a87 BS |
132 | \fB\-U\fR, \fB\-\-user\fR[=\fIfile\fR] |
133 | Enter the user namespace. If no file is specified, enter the user namespace of | |
134 | the target process. If file is specified, enter the user namespace specified by | |
87ec43b6 | 135 | file. See also the \fB\-\-setuid\fR and \fB\-\-setgid\fR options. |
6b9e5bf6 | 136 | .TP |
f9e7b66d SH |
137 | \fB\-C\fR, \fB\-\-cgroup\fR[=\fIfile\fR] |
138 | Enter the cgroup namespace. If no file is specified, enter the cgroup namespace of | |
139 | the target process. If file is specified, enter the cgroup namespace specified by | |
140 | file. | |
141 | .TP | |
6b9e5bf6 | 142 | \fB\-G\fR, \fB\-\-setgid\fR \fIgid\fR |
47f42c1d KZ |
143 | Set the group ID which will be used in the entered namespace and drop |
144 | supplementary groups. | |
145 | .BR nsenter (1) | |
146 | always sets GID for user namespaces; the default is 0. | |
6b9e5bf6 RW |
147 | .TP |
148 | \fB\-S\fR, \fB\-\-setuid\fR \fIuid\fR | |
47f42c1d KZ |
149 | Set the user ID which will be used in the entered namespace. |
150 | .BR nsenter (1) | |
151 | always sets UID for user namespaces; the default is 0. | |
08e86f4c | 152 | .TP |
b06c1ca6 | 153 | \fB\-\-preserve\-credentials\fR |
e99a6626 KZ |
154 | Don't modify UID and GID when entering a user namespace. The default is to
155 | drop supplementary groups and set GID and UID to 0. | |
156 | .TP | |
dde08a87 BS |
157 | \fB\-r\fR, \fB\-\-root\fR[=\fIdirectory\fR] |
158 | Set the root directory. If no directory is specified, set the root directory to | |
159 | the root directory of the target process. If directory is specified, set the | |
08e86f4c SK |
160 | root directory to the specified directory. |
161 | .TP | |
dde08a87 BS |
162 | \fB\-w\fR, \fB\-\-wd\fR[=\fIdirectory\fR] |
163 | Set the working directory. If no directory is specified, set the working | |
08e86f4c | 164 | directory to the working directory of the target process. If directory is |
dde08a87 | 165 | specified, set the working directory to the specified directory. |
08e86f4c | 166 | .TP |
b06c1ca6 | 167 | \fB\-F\fR, \fB\-\-no\-fork\fR |
dde08a87 BS |
168 | Do not fork before exec'ing the specified program. By default, when entering a |
169 | PID namespace, \fBnsenter\fP calls \fBfork\fP before calling \fBexec\fP so that | |
170 | any children will also be in the newly entered PID namespace. | |
08e86f4c | 171 | .TP |
355ee3b8 KZ |
172 | \fB\-Z\fR, \fB\-\-follow\-context\fR |
173 | Set the SELinux security context used for executing a new process according to the | |
174 | already running process specified by \fB\-\-target\fR PID. (util-linux has
175 | to be compiled with SELinux support, otherwise the option is unavailable.) | |
176 | .TP | |
08e86f4c SK |
177 | \fB\-V\fR, \fB\-\-version\fR |
178 | Display version information and exit. | |
179 | .TP | |
180 | \fB\-h\fR, \fB\-\-help\fR | |
b4362b6f | 181 | Display help text and exit. |
f8aa8e94 | 182 | .SH SEE ALSO |
f053ff1e MK |
183 | .BR clone (2), |
184 | .BR setns (2) | |
355ee3b8 KZ |
185 | .SH AUTHORS |
186 | .UR biederm@xmission.com | |
08e86f4c | 187 | Eric Biederman |
355ee3b8 KZ |
188 | .UE |
189 | .br | |
190 | .UR kzak@redhat.com | |
191 | Karel Zak | |
192 | .UE | |
f8aa8e94 EB |
193 | .SH AVAILABILITY |
194 | The nsenter command is part of the util-linux package and is available from | |
08e86f4c SK |
195 | .UR ftp://\:ftp.kernel.org\:/pub\:/linux\:/utils\:/util-linux/ |
196 | Linux Kernel Archive | |
197 | .UE . |
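
The /proc/pid/ns/* paths listed under --target are symbolic links whose targets name each namespace, so comparing two sets of links shows which namespaces nsenter would actually change for a given target. The script below is an added example, not part of util-linux; the function names, the "TYPE?" marker and the sample directories of dangling symlinks are constructed for illustration.

```shell
#!/bin/sh
# Namespace types, matching the /proc/pid/ns/* entries listed under --target.
NS_TYPES="mnt uts ipc net pid user cgroup"

# ns_id DIR TYPE: print the link target (e.g. "net:[4026531992]"), or "-"
# when the link is missing (older kernel) or unreadable (no permission).
ns_id() {
    readlink "$1/$2" 2>/dev/null || printf '%s\n' "-"
}

# ns_diff DIR_A DIR_B: print the types whose namespaces differ, separated by
# spaces. A type that cannot be read on either side is printed as "TYPE?".
ns_diff() {
    out=""
    for t in $NS_TYPES; do
        a=$(ns_id "$1" "$t")
        b=$(ns_id "$2" "$t")
        if [ "$a" = "-" ] || [ "$b" = "-" ]; then
            out="$out $t?"
        elif [ "$a" != "$b" ]; then
            out="$out $t"
        fi
    done
    printf '%s\n' "${out# }"
}

# ns_diff_pid PID: namespaces that "nsenter -t PID" with every namespace
# option would change for the calling shell.
ns_diff_pid() {
    ns_diff /proc/self/ns "/proc/$1/ns"
}

# Constructed sample: two ns directories made of dangling symlinks, standing
# in for a host process and a containerised one. Inode numbers are made up.
demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/host" "$d/ctr"
    for t in $NS_TYPES; do
        ln -s "$t:[4026531835]" "$d/host/$t"
        case $t in
            mnt|pid|net) ln -s "$t:[4026532200]" "$d/ctr/$t" ;;  # private
            cgroup)      ;;                                      # unreadable
            *)           ln -s "$t:[4026531835]" "$d/ctr/$t" ;;  # shared
        esac
    done
    ns_diff "$d/host" "$d/ctr"
    rm -rf "$d"
}
```

`ns_diff_pid PID` needs permission to read the target's /proc/PID/ns links; an empty result means the target shares every readable namespace with the caller.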