]>
Commit | Line | Data |
---|---|---|
4205f1fd MG |
1 | .\" Process this file with |
2 | .\" groff -man -Tascii lscpu.1 | |
3 | .\" | |
cf8e0bae | 4 | .TH UNSHARE 1 "July 2014" "util-linux" "User Commands" |
4205f1fd | 5 | .SH NAME |
ef6acdb8 | 6 | unshare \- run program with some namespaces unshared from parent |
4205f1fd MG |
7 | .SH SYNOPSIS |
8 | .B unshare | |
cf8e0bae | 9 | [options] |
dde08a87 | 10 | .I program |
4205f1fd MG |
11 | .RI [ arguments ] |
12 | .SH DESCRIPTION | |
dde08a87 | 13 | Unshares the indicated namespaces from the parent process and then executes |
cf8e0bae | 14 | the specified \fIprogram\fR. The namespaces to be unshared are indicated via |
87ec43b6 | 15 | options. Unshareable namespaces are: |
4205f1fd MG |
16 | .TP |
17 | .BR "mount namespace" | |
dde08a87 | 18 | Mounting and unmounting filesystems will not affect the rest of the system |
bc87f885 | 19 | (\fBCLONE_NEWNS\fP flag), except for filesystems which are explicitly marked as |
dde08a87 BS |
20 | shared (with \fBmount --make-shared\fP; see \fI/proc/self/mountinfo\fP for the |
21 | \fBshared\fP flags). | |
cf8e0bae | 22 | .sp |
c07f86e7 KZ |
23 | It's recommended to use \fBmount --make-rprivate\fP or \fBmount --make-rslave\fP |
24 | after \fBunshare --mount\fP to make sure that mountpoints in the new namespace | |
cf8e0bae | 25 | are really unshared from the parental namespace. |
4205f1fd MG |
26 | .TP |
27 | .BR "UTS namespace" | |
dde08a87 BS |
28 | Setting hostname or domainname will not affect the rest of the system. |
29 | (\fBCLONE_NEWUTS\fP flag) | |
4205f1fd MG |
30 | .TP |
31 | .BR "IPC namespace" | |
dde08a87 BS |
32 | The process will have an independent namespace for System V message queues, |
33 | semaphore sets and shared memory segments. (\fBCLONE_NEWIPC\fP flag) | |
4205f1fd MG |
34 | .TP |
35 | .BR "network namespace" | |
dde08a87 BS |
36 | The process will have independent IPv4 and IPv6 stacks, IP routing tables, |
37 | firewall rules, the \fI/proc/net\fP and \fI/sys/class/net\fP directory trees, | |
38 | sockets, etc. (\fBCLONE_NEWNET\fP flag) | |
4205f1fd | 39 | .TP |
bc7f9b95 | 40 | .BR "pid namespace" |
dde08a87 BS |
41 | Children will have a distinct set of PID to process mappings from their parent. |
42 | (\fBCLONE_NEWPID\fP flag) | |
bc7f9b95 EB |
43 | .TP |
44 | .BR "user namespace" | |
dde08a87 BS |
45 | The process will have a distinct set of UIDs, GIDs and capabilities. |
46 | (\fBCLONE_NEWUSER\fP flag) | |
e41e0f95 | 47 | .PP |
dde08a87 | 48 | See \fBclone\fR(2) for the exact semantics of the flags. |
4205f1fd MG |
49 | .SH OPTIONS |
50 | .TP | |
ef6acdb8 | 51 | .BR \-i , " \-\-ipc" |
dde08a87 BS |
52 | Unshare the IPC namespace. |
53 | .TP | |
54 | .BR \-m , " \-\-mount" | |
55 | Unshare the mount namespace. | |
4205f1fd | 56 | .TP |
ef6acdb8 KZ |
57 | .BR \-n , " \-\-net" |
58 | Unshare the network namespace. | |
bc7f9b95 EB |
59 | .TP |
60 | .BR \-p , " \-\-pid" | |
87ec43b6 BS |
61 | Unshare the pid namespace. |
62 | See also the \fB--fork\fP and \fB--mount-proc\fP options. | |
bc7f9b95 | 63 | .TP |
dde08a87 BS |
64 | .BR \-u , " \-\-uts" |
65 | Unshare the UTS namespace. | |
66 | .TP | |
bc7f9b95 EB |
67 | .BR \-U , " \-\-user" |
68 | Unshare the user namespace. | |
5088ec33 MF |
69 | .TP |
70 | .BR \-f , " \-\-fork" | |
87ec43b6 BS |
71 | Fork the specified \fIprogram\fR as a child process of \fBunshare\fR rather than |
72 | running it directly. This is useful when creating a new pid namespace. | |
6728ca10 | 73 | .TP |
87ec43b6 | 74 | .BR \-\-mount-proc "[=\fImountpoint\fP]" |
cf8e0bae | 75 | Just before running the program, mount the proc filesystem at \fImountpoint\fP |
6728ca10 KZ |
76 | (default is /proc). This is useful when creating a new pid namespace. It also |
77 | implies creating a new mount namespace since the /proc mount would otherwise | |
cf8e0bae | 78 | mess up existing programs on the system. The new proc filesystem is explicitly |
c07f86e7 | 79 | mounted as private (by MS_PRIVATE|MS_REC). |
4da21e37 LR |
80 | .TP |
81 | .BR \-r , " \-\-map-root-user" | |
cf8e0bae BS |
82 | Run the program only after the current effective user and group IDs have been mapped to |
83 | the superuser UID and GID in the newly created user namespace. This makes it possible to | |
84 | conveniently gain capabilities needed to manage various aspects of the newly created | |
85 | namespaces (such as configuring interfaces in the network namespace or mounting filesystems in | |
86 | the mount namespace) even when run unprivileged. As a mere convenience feature, it does not support | |
4da21e37 | 87 | more sophisticated use cases, such as mapping multiple ranges of UIDs and GIDs. |
5e43af7e BS |
88 | .TP |
89 | .BR \-V , " \-\-version" | |
90 | Display version information and exit. | |
91 | .TP | |
92 | .BR \-h , " \-\-help" | |
93 | Display help text and exit. | |
4205f1fd | 94 | .SH SEE ALSO |
8323d9fd | 95 | .BR unshare (2), |
c07f86e7 KZ |
96 | .BR clone (2), |
97 | .BR mount (8) | |
4205f1fd MG |
98 | .SH BUGS |
99 | None known so far. | |
ef6acdb8 | 100 | .SH AUTHOR |
4205f1fd MG |
101 | Mikhail Gusarov <dottedmag@dottedmag.net> |
102 | .SH AVAILABILITY | |
601d12fb KZ |
103 | The unshare command is part of the util-linux package and is available from |
104 | ftp://ftp.kernel.org/pub/linux/utils/util-linux/. |