[thirdparty/util-linux.git] / sys-utils / nsenter.1

.TH NSENTER 1 "June 2013" "util-linux" "User Commands"
.SH NAME
nsenter \- run program with namespaces of other processes
.SH SYNOPSIS
.B nsenter
[options]
.RI [ program
.RI [ arguments ]]
.SH DESCRIPTION
Enters the namespaces of one or more other processes and then executes the specified
program.  Enterable namespaces are:
.TP
.B mount namespace
Mounting and unmounting filesystems will not affect the rest of the system
.RB ( CLONE_\:NEWNS
flag), except for filesystems which are explicitly marked as shared (with
\fBmount --make-\:shared\fP; see \fI/proc\:/self\:/mountinfo\fP for the
\fBshared\fP flag).
.TP
.B UTS namespace
Setting hostname or domainname will not affect the rest of the system.
.RB ( CLONE_\:NEWUTS
flag)
.TP
.B IPC namespace
The process will have an independent namespace for System V message queues,
semaphore sets and shared memory segments.
.RB ( CLONE_\:NEWIPC
flag)
.TP
.B network namespace
The process will have independent IPv4 and IPv6 stacks, IP routing tables,
firewall rules, the
.I /proc\:/net
and
.I /sys\:/class\:/net
directory trees, sockets, etc.
.RB ( CLONE_\:NEWNET
flag)
.TP
.B PID namespace
Children will have a set of PID to process mappings separate from the
.B nsenter
process
.RB ( CLONE_\:NEWPID
flag).
.B nsenter
will fork by default if changing the PID namespace, so that the new program
and its children share the same PID namespace and are visible to each other.
If \fB\-\-no\-fork\fP is used, the new program will be exec'ed without forking.
.TP
.B user namespace
The process will have a distinct set of UIDs, GIDs and capabilities.
.RB ( CLONE_\:NEWUSER
flag)
.TP
.B cgroup namespace
The process will have a virtualized view of \fI/proc\:/self\:/cgroup\fP, and new
cgroup mounts will be rooted at the namespace cgroup root.
.RB ( CLONE_\:NEWCGROUP
flag)
.TP
See \fBclone\fP(2) for the exact semantics of the flags.
.TP
If \fIprogram\fP is not given, then ``${SHELL}'' is run (default: /bin\:/sh).

.SH OPTIONS
.TP
\fB\-t\fR, \fB\-\-target\fR \fIpid\fP
Specify a target process to get contexts from.  The paths to the contexts
specified by
.I pid
are:
.RS
.PD 0
.IP "" 20
.TP
/proc/\fIpid\fR/ns/mnt
the mount namespace
.TP
/proc/\fIpid\fR/ns/uts
the UTS namespace
.TP
/proc/\fIpid\fR/ns/ipc
the IPC namespace
.TP
/proc/\fIpid\fR/ns/net
the network namespace
.TP
/proc/\fIpid\fR/ns/pid
the PID namespace
.TP
/proc/\fIpid\fR/ns/user
the user namespace
.TP
/proc/\fIpid\fR/ns/cgroup
the cgroup namespace
.TP
/proc/\fIpid\fR/root
the root directory
.TP
/proc/\fIpid\fR/cwd
the working directory respectively
.PD
.RE
.TP
\fB\-m\fR, \fB\-\-mount\fR[=\fIfile\fR]
Enter the mount namespace.  If no file is specified, enter the mount namespace
of the target process.  If file is specified, enter the mount namespace
specified by file.
.TP
\fB\-u\fR, \fB\-\-uts\fR[=\fIfile\fR]
Enter the UTS namespace.  If no file is specified, enter the UTS namespace of
the target process.  If file is specified, enter the UTS namespace specified by
file.
.TP
\fB\-i\fR, \fB\-\-ipc\fR[=\fIfile\fR]
Enter the IPC namespace.  If no file is specified, enter the IPC namespace of
the target process.  If file is specified, enter the IPC namespace specified by
file.
.TP
\fB\-n\fR, \fB\-\-net\fR[=\fIfile\fR]
Enter the network namespace.  If no file is specified, enter the network
namespace of the target process.  If file is specified, enter the network
namespace specified by file.
.TP
\fB\-p\fR, \fB\-\-pid\fR[=\fIfile\fR]
Enter the PID namespace.  If no file is specified, enter the PID namespace of
the target process.  If file is specified, enter the PID namespace specified by
file.
.TP
\fB\-U\fR, \fB\-\-user\fR[=\fIfile\fR]
Enter the user namespace.  If no file is specified, enter the user namespace of
the target process.  If file is specified, enter the user namespace specified by
file.  See also the \fB\-\-setuid\fR and \fB\-\-setgid\fR options.
.TP
\fB\-C\fR, \fB\-\-cgroup\fR[=\fIfile\fR]
Enter the cgroup namespace.  If no file is specified, enter the cgroup namespace of
the target process.  If file is specified, enter the cgroup namespace specified by
file.
.TP
\fB\-G\fR, \fB\-\-setgid\fR \fIgid\fR
Set the group ID which will be used in the entered namespace and drop
supplementary groups.
.BR nsenter (1)
always sets GID for user namespaces, the default is 0.
.TP
\fB\-S\fR, \fB\-\-setuid\fR \fIuid\fR
Set the user ID which will be used in the entered namespace.
.BR nsenter (1)
always sets UID for user namespaces, the default is 0.
.TP
\fB\-\-preserve\-credentials\fR
Don't modify UID and GID when enter user namespace. The default is to
drops supplementary groups and sets GID and UID to 0.
.TP
\fB\-r\fR, \fB\-\-root\fR[=\fIdirectory\fR]
Set the root directory.  If no directory is specified, set the root directory to
the root directory of the target process.  If directory is specified, set the
root directory to the specified directory.
.TP
\fB\-w\fR, \fB\-\-wd\fR[=\fIdirectory\fR]
Set the working directory.  If no directory is specified, set the working
directory to the working directory of the target process.  If directory is
specified, set the working directory to the specified directory.
.TP
\fB\-F\fR, \fB\-\-no\-fork\fR
Do not fork before exec'ing the specified program.  By default, when entering a
PID namespace, \fBnsenter\fP calls \fBfork\fP before calling \fBexec\fP so that
any children will also be in the newly entered PID namespace.
.TP
\fB\-Z\fR, \fB\-\-follow\-context\fR
Set the SELinux security context used for executing a new process according to
already running process specified by \fB\-\-target\fR PID. (The util-linux has
to be compiled with SELinux support otherwise the option is unavailable.)
.TP
\fB\-V\fR, \fB\-\-version\fR
Display version information and exit.
.TP
\fB\-h\fR, \fB\-\-help\fR
Display help text and exit.
.SH SEE ALSO
.BR clone (2),
.BR setns (2)
.SH AUTHORS
.UR biederm@xmission.com
Eric Biederman
.UE
.br
.UR kzak@redhat.com
Karel Zak
.UE
.SH AVAILABILITY
The nsenter command is part of the util-linux package and is available from
.UR ftp://\:ftp.kernel.org\:/pub\:/linux\:/utils\:/util-linux/
Linux Kernel Archive
.UE .
Commit	Line	Data
87ec43b6	1	.TH NSENTER 1 "June 2013" "util-linux" "User Commands"
f8aa8e94 EB	2	.SH NAME
	3	nsenter \- run program with namespaces of other processes
	4	.SH SYNOPSIS
	5	.B nsenter
cf8e0bae	6	[options]
dde08a87 BS	7	.RI [ program
dde08a87 BS	8	.RI [ arguments ]]
f8aa8e94	9	.SH DESCRIPTION
1e3832bf	10	Enters the namespaces of one or more other processes and then executes the specified
08e86f4c	11	program. Enterable namespaces are:
f8aa8e94	12	.TP
08e86f4c	13	.B mount namespace
dde08a87	14	Mounting and unmounting filesystems will not affect the rest of the system
08e86f4c	15	.RB ( CLONE_\:NEWNS
dde08a87 BS	16	flag), except for filesystems which are explicitly marked as shared (with
	17	\fBmount --make-\:shared\fP; see \fI/proc\:/self\:/mountinfo\fP for the
	18	\fBshared\fP flag).
f8aa8e94	19	.TP
08e86f4c	20	.B UTS namespace
dde08a87	21	Setting hostname or domainname will not affect the rest of the system.
08e86f4c	22	.RB ( CLONE_\:NEWUTS
dde08a87	23	flag)
f8aa8e94	24	.TP
08e86f4c	25	.B IPC namespace
dde08a87 BS	26	The process will have an independent namespace for System V message queues,
dde08a87 BS	27	semaphore sets and shared memory segments.
08e86f4c	28	.RB ( CLONE_\:NEWIPC
dde08a87	29	flag)
f8aa8e94	30	.TP
08e86f4c	31	.B network namespace
dde08a87 BS	32	The process will have independent IPv4 and IPv6 stacks, IP routing tables,
dde08a87 BS	33	firewall rules, the
08e86f4c SK	34	.I /proc\:/net
	35	and
	36	.I /sys\:/class\:/net
dde08a87	37	directory trees, sockets, etc.
08e86f4c	38	.RB ( CLONE_\:NEWNET
dde08a87	39	flag)
08e86f4c	40	.TP
1e3832bf	41	.B PID namespace
dde08a87	42	Children will have a set of PID to process mappings separate from the
1e3832bf ZJS	43	.B nsenter
1e3832bf ZJS	44	process
08e86f4c SK	45	.RB ( CLONE_\:NEWPID
08e86f4c SK	46	flag).
1e3832bf ZJS	47	.B nsenter
	48	will fork by default if changing the PID namespace, so that the new program
	49	and its children share the same PID namespace and are visible to each other.
dde08a87	50	If \fB\-\-no\-fork\fP is used, the new program will be exec'ed without forking.
f8aa8e94	51	.TP
08e86f4c	52	.B user namespace
dde08a87	53	The process will have a distinct set of UIDs, GIDs and capabilities.
08e86f4c	54	.RB ( CLONE_\:NEWUSER
dde08a87	55	flag)
f8aa8e94	56	.TP
f9e7b66d SH	57	.B cgroup namespace
	58	The process will have a virtualized view of \fI/proc\:/self\:/cgroup\fP, and new
	59	cgroup mounts will be rooted at the namespace cgroup root.
	60	.RB ( CLONE_\:NEWCGROUP
	61	flag)
	62	.TP
dde08a87	63	See \fBclone\fP(2) for the exact semantics of the flags.
57580694	64	.TP
dde08a87	65	If \fIprogram\fP is not given, then ``${SHELL}'' is run (default: /bin\:/sh).
57580694	66
f8aa8e94	67	.SH OPTIONS
08e86f4c SK	68	.TP
	69	\fB\-t\fR, \fB\-\-target\fR \fIpid\fP
	70	Specify a target process to get contexts from. The paths to the contexts
	71	specified by
	72	.I pid
	73	are:
	74	.RS
	75	.PD 0
	76	.IP "" 20
	77	.TP
	78	/proc/\fIpid\fR/ns/mnt
	79	the mount namespace
	80	.TP
	81	/proc/\fIpid\fR/ns/uts
1e3832bf	82	the UTS namespace
08e86f4c SK	83	.TP
08e86f4c SK	84	/proc/\fIpid\fR/ns/ipc
1e3832bf	85	the IPC namespace
08e86f4c SK	86	.TP
08e86f4c SK	87	/proc/\fIpid\fR/ns/net
1e3832bf	88	the network namespace
08e86f4c SK	89	.TP
08e86f4c SK	90	/proc/\fIpid\fR/ns/pid
1e3832bf	91	the PID namespace
08e86f4c SK	92	.TP
	93	/proc/\fIpid\fR/ns/user
	94	the user namespace
	95	.TP
f9e7b66d SH	96	/proc/\fIpid\fR/ns/cgroup
	97	the cgroup namespace
	98	.TP
08e86f4c SK	99	/proc/\fIpid\fR/root
	100	the root directory
	101	.TP
1e3832bf	102	/proc/\fIpid\fR/cwd
08e86f4c SK	103	the working directory respectively
	104	.PD
	105	.RE
	106	.TP
dde08a87 BS	107	\fB\-m\fR, \fB\-\-mount\fR[=\fIfile\fR]
	108	Enter the mount namespace. If no file is specified, enter the mount namespace
	109	of the target process. If file is specified, enter the mount namespace
08e86f4c SK	110	specified by file.
08e86f4c SK	111	.TP
dde08a87 BS	112	\fB\-u\fR, \fB\-\-uts\fR[=\fIfile\fR]
	113	Enter the UTS namespace. If no file is specified, enter the UTS namespace of
	114	the target process. If file is specified, enter the UTS namespace specified by
08e86f4c SK	115	file.
08e86f4c SK	116	.TP
dde08a87 BS	117	\fB\-i\fR, \fB\-\-ipc\fR[=\fIfile\fR]
	118	Enter the IPC namespace. If no file is specified, enter the IPC namespace of
	119	the target process. If file is specified, enter the IPC namespace specified by
08e86f4c SK	120	file.
08e86f4c SK	121	.TP
dde08a87 BS	122	\fB\-n\fR, \fB\-\-net\fR[=\fIfile\fR]
	123	Enter the network namespace. If no file is specified, enter the network
	124	namespace of the target process. If file is specified, enter the network
08e86f4c SK	125	namespace specified by file.
08e86f4c SK	126	.TP
dde08a87 BS	127	\fB\-p\fR, \fB\-\-pid\fR[=\fIfile\fR]
	128	Enter the PID namespace. If no file is specified, enter the PID namespace of
	129	the target process. If file is specified, enter the PID namespace specified by
08e86f4c SK	130	file.
08e86f4c SK	131	.TP
dde08a87 BS	132	\fB\-U\fR, \fB\-\-user\fR[=\fIfile\fR]
	133	Enter the user namespace. If no file is specified, enter the user namespace of
	134	the target process. If file is specified, enter the user namespace specified by
87ec43b6	135	file. See also the \fB\-\-setuid\fR and \fB\-\-setgid\fR options.
6b9e5bf6	136	.TP
f9e7b66d SH	137	\fB\-C\fR, \fB\-\-cgroup\fR[=\fIfile\fR]
	138	Enter the cgroup namespace. If no file is specified, enter the cgroup namespace of
	139	the target process. If file is specified, enter the cgroup namespace specified by
	140	file.
	141	.TP
6b9e5bf6	142	\fB\-G\fR, \fB\-\-setgid\fR \fIgid\fR
47f42c1d KZ	143	Set the group ID which will be used in the entered namespace and drop
	144	supplementary groups.
	145	.BR nsenter (1)
	146	always sets GID for user namespaces, the default is 0.
6b9e5bf6 RW	147	.TP
6b9e5bf6 RW	148	\fB\-S\fR, \fB\-\-setuid\fR \fIuid\fR
47f42c1d KZ	149	Set the user ID which will be used in the entered namespace.
	150	.BR nsenter (1)
	151	always sets UID for user namespaces, the default is 0.
08e86f4c	152	.TP
b06c1ca6	153	\fB\-\-preserve\-credentials\fR
e99a6626 KZ	154	Don't modify UID and GID when enter user namespace. The default is to
	155	drops supplementary groups and sets GID and UID to 0.
	156	.TP
dde08a87 BS	157	\fB\-r\fR, \fB\-\-root\fR[=\fIdirectory\fR]
	158	Set the root directory. If no directory is specified, set the root directory to
	159	the root directory of the target process. If directory is specified, set the
08e86f4c SK	160	root directory to the specified directory.
08e86f4c SK	161	.TP
dde08a87 BS	162	\fB\-w\fR, \fB\-\-wd\fR[=\fIdirectory\fR]
dde08a87 BS	163	Set the working directory. If no directory is specified, set the working
08e86f4c	164	directory to the working directory of the target process. If directory is
dde08a87	165	specified, set the working directory to the specified directory.
08e86f4c	166	.TP
b06c1ca6	167	\fB\-F\fR, \fB\-\-no\-fork\fR
dde08a87 BS	168	Do not fork before exec'ing the specified program. By default, when entering a
	169	PID namespace, \fBnsenter\fP calls \fBfork\fP before calling \fBexec\fP so that
	170	any children will also be in the newly entered PID namespace.
08e86f4c	171	.TP
355ee3b8 KZ	172	\fB\-Z\fR, \fB\-\-follow\-context\fR
	173	Set the SELinux security context used for executing a new process according to
	174	already running process specified by \fB\-\-target\fR PID. (The util-linux has
	175	to be compiled with SELinux support otherwise the option is unavailable.)
	176	.TP
08e86f4c SK	177	\fB\-V\fR, \fB\-\-version\fR
	178	Display version information and exit.
	179	.TP
	180	\fB\-h\fR, \fB\-\-help\fR
b4362b6f	181	Display help text and exit.
f8aa8e94	182	.SH SEE ALSO
f053ff1e MK	183	.BR clone (2),
f053ff1e MK	184	.BR setns (2)
355ee3b8 KZ	185	.SH AUTHORS
355ee3b8 KZ	186	.UR biederm@xmission.com
08e86f4c	187	Eric Biederman
355ee3b8 KZ	188	.UE
	189	.br
	190	.UR kzak@redhat.com
	191	Karel Zak
	192	.UE
f8aa8e94 EB	193	.SH AVAILABILITY
f8aa8e94 EB	194	The nsenter command is part of the util-linux package and is available from
08e86f4c SK	195	.UR ftp://\:ftp.kernel.org\:/pub\:/linux\:/utils\:/util-linux/
	196	Linux Kernel Archive
	197	.UE .