[thirdparty/util-linux.git] / sys-utils / unshare.1

.TH UNSHARE 1 "February 2016" "util-linux" "User Commands"
.SH NAME
unshare \- run program with some namespaces unshared from parent
.SH SYNOPSIS
.B unshare
[options]
.RI [ program
.RI [ arguments ]]
.SH DESCRIPTION
Unshares the indicated namespaces from the parent process and then executes
the specified \fIprogram\fR. If \fIprogram\fR is not given, then ``${SHELL}'' is
run (default: /bin/sh).
.PP
The namespaces can optionally be made persistent by bind mounting
/proc/\fIpid\fR/ns/\fItype\fR files to a filesystem path and entered with
.BR \%nsenter (1)
even after the \fIprogram\fR terminates (except PID namespaces where
permanently running init process is required).
Once a persistent \%namespace is no longer needed, it can be unpersisted with
.BR umount (8).
See the \fBEXAMPLES\fR section for more details.
.PP
The namespaces to be unshared are indicated via options.  Unshareable namespaces are:
.TP
.BR "mount namespace"
Mounting and unmounting filesystems will not affect the rest of the system,
except for filesystems which are explicitly marked as
shared (with \fBmount --make-shared\fP; see \fI/proc/self/mountinfo\fP or
\fBfindmnt -o+PROPAGATION\fP for the \fBshared\fP flags).
For further details, see
.BR mount_namespaces (7)
and the discussion of the
.BR CLONE_NEWNS
flag in
.BR clone (2).
.sp
.B unshare
since util-linux version 2.27 automatically sets propagation to \fBprivate\fP
in a new mount namespace to make sure that the new namespace is really
unshared.  It's possible to disable this feature with option
\fB\-\-propagation unchanged\fP.
Note that \fBprivate\fP is the kernel default.
.TP
.BR "UTS namespace"
Setting hostname or domainname will not affect the rest of the system.
For further details, see
.BR namespaces (7)
and the discussion of the
.BR CLONE_NEWUTS
flag in
.BR clone (2).
.TP
.BR "IPC namespace"
The process will have an independent namespace for POSIX message queues
as well as System V \%message queues,
semaphore sets and shared memory segments.
For further details, see
.BR namespaces (7)
and the discussion of the
.BR CLONE_NEWIPC
flag in
.BR clone (2).
.TP
.BR "network namespace"
The process will have independent IPv4 and IPv6 stacks, IP routing tables,
firewall rules, the \fI/proc/net\fP and \fI/sys/class/net\fP directory trees,
sockets, etc.
For further details, see
.BR namespaces (7)
and the discussion of the
.BR CLONE_NEWNET
flag in
.BR clone (2).
.TP
.BR "PID namespace"
Children will have a distinct set of PID-to-process mappings from their parent.
For further details, see
.BR pid_namespaces (7)
and
the discussion of the
.BR CLONE_NEWPID
flag in
.BR clone (2).
.TP
.BR "cgroup namespace"
The process will have a virtualized view of \fI/proc\:/self\:/cgroup\fP, and new
cgroup mounts will be rooted at the namespace cgroup root.
For further details, see
.BR cgroup_namespaces (7)
and the discussion of the
.BR CLONE_NEWCGROUP
flag in
.BR clone (2).
.TP
.BR "user namespace"
The process will have a distinct set of UIDs, GIDs and capabilities.
For further details, see
.BR user_namespaces (7)
and the discussion of the
.BR CLONE_NEWUSER
flag in
.BR clone (2).
.SH OPTIONS
.TP
.BR \-i , " \-\-ipc" [ =\fIfile ]
Unshare the IPC namespace.  If \fIfile\fP is specified, then a persistent
namespace is created by a bind mount.
.TP
.BR \-m , " \-\-mount" [ =\fIfile ]
Unshare the mount namespace.  If \fIfile\fP is specified, then a persistent
namespace is created by a bind mount.
Note that \fIfile\fP has to be located on a filesystem with the propagation
flag set to \fBprivate\fP.  Use the command \fBfindmnt -o+PROPAGATION\fP
when not sure about the current setting.  See also the examples below.
.TP
.BR \-n , " \-\-net" [ =\fIfile ]
Unshare the network namespace.  If \fIfile\fP is specified, then a persistent
namespace is created by a bind mount.
.TP
.BR \-p , " \-\-pid" [ =\fIfile ]
Unshare the PID namespace.  If \fIfile\fP is specified then persistent
namespace is created by a bind mount.  See also the \fB--fork\fP and
\fB--mount-proc\fP options.
.TP
.BR \-u , " \-\-uts" [ =\fIfile ]
Unshare the UTS namespace.  If \fIfile\fP is specified, then a persistent
namespace is created by a bind mount.
.TP
.BR \-U , " \-\-user" [ =\fIfile ]
Unshare the user namespace.  If \fIfile\fP is specified, then a persistent
namespace is created by a bind mount.
.TP
.BR \-C , " \-\-cgroup"[=\fIfile\fP]
Unshare the cgroup namespace. If \fIfile\fP is specified then persistent namespace is created
by bind mount.
.TP
.BR \-f , " \-\-fork"
Fork the specified \fIprogram\fR as a child process of \fBunshare\fR rather than
running it directly.  This is useful when creating a new PID namespace.
.TP
.BR \-\-kill\-child
When \fBunshare\fR terminates, have \fBSIGKILL\fR be sent to the forked child process.
Combined with \fB--pid\fR this allows for an easy and realiable killing of the entire
process tree below \fBunshare\fR.
This option implies \fB--fork\fR.
.TP
.BR \-\-mount\-proc [ =\fImountpoint ]
Just before running the program, mount the proc filesystem at \fImountpoint\fP
(default is /proc).  This is useful when creating a new PID namespace.  It also
implies creating a new mount namespace since the /proc mount would otherwise
mess up existing programs on the system.  The new proc filesystem is explicitly
mounted as private (with MS_PRIVATE|MS_REC).
.TP
.BR \-r , " \-\-map\-root\-user"
Run the program only after the current effective user and group IDs have been mapped to
the superuser UID and GID in the newly created user namespace.  This makes it possible to
conveniently gain capabilities needed to manage various aspects of the newly created
namespaces (such as configuring interfaces in the network namespace or mounting filesystems in
the mount namespace) even when run unprivileged.  As a mere convenience feature, it does not support
more sophisticated use cases, such as mapping multiple ranges of UIDs and GIDs.
This option implies \fB--setgroups=deny\fR.
.TP
.BR "\-\-propagation private" | shared | slave | unchanged
Recursively set the mount propagation flag in the new mount namespace.  The default
is to set the propagation to \fIprivate\fP.  It is possible to disable this feature
with the argument \fBunchanged\fR.  The option is silently ignored when the mount
namespace (\fB\-\-mount\fP) is not requested.
.TP
.BR "\-\-setgroups allow" | deny
Allow or deny the
.BR setgroups (2)
system call in a user namespace.
.sp
To be able to call
.BR setgroups (2),
the calling process must at least have CAP_SETGID.
But since Linux 3.19 a further restriction applies:
the kernel gives permission to call
.BR \%setgroups (2)
only after the GID map (\fB/proc/\fIpid\fB/gid_map\fR) has been set.
The GID map is writable by root when
.BR \%setgroups (2)
is enabled (i.e. \fBallow\fR, the default), and
the GID map becomes writable by unprivileged processes when
.BR \%setgroups (2)
is permanently disabled (with \fBdeny\fR).
.TP
.BR \-V , " \-\-version"
Display version information and exit.
.TP
.BR \-h , " \-\-help"
Display help text and exit.
.SH NOTES
The proc and sysfs filesystems mounting as root in a user namespace have to be
restricted so that a less privileged user can not get more access to sensitive
files that a more privileged user made unavailable. In short the rule for proc
and sysfs is as close to a bind mount as possible.
.SH EXAMPLES
.TP
.B # unshare --fork --pid --mount-proc readlink /proc/self
.TQ
1
.br
Establish a PID namespace, ensure we're PID 1 in it against a newly mounted
procfs instance.
.TP
.B $ unshare --map-root-user --user sh -c whoami
.TQ
root
.br
Establish a user namespace as an unprivileged user with a root user within it.
.TP
.B # touch /root/uts-ns
.TQ
.B # unshare --uts=/root/uts-ns hostname FOO
.TQ
.B # nsenter --uts=/root/uts-ns hostname
.TQ
FOO
.TQ
.B # umount /root/uts-ns
.br
Establish a persistent UTS namespace, and modify the hostname.  The namespace
is then entered with \fBnsenter\fR.  The namespace is destroyed by unmounting
the bind reference.
.TP
.B # mount --bind /root/namespaces /root/namespaces
.TQ
.B # mount --make-private /root/namespaces
.TQ
.B # touch /root/namespaces/mnt
.TQ
.B # unshare --mount=/root/namespaces/mnt
.br
Establish a persistent mount namespace referenced by the bind mount
/root/namespaces/mnt.  This example shows a portable solution, because it
makes sure that the bind mount is created on a shared filesystem.
.TP
.B # unshare -pf --kill-child -- bash -c "(sleep 999 &) && sleep 1000" &
.TQ
.B # pid=$!
.TQ
.B # kill $pid
.br
Reliable killing of subprocesses of the \fIprogram\fR.
When \fBunshare\fR gets killed, everything below it gets killed as well.
Without it, the children of \fIprogram\fR would have orphaned and
been re-parented to PID 1.

.SH SEE ALSO
.BR clone (2),
.BR unshare (2),
.BR namespaces (7),
.BR mount (8)
.SH AUTHORS
.UR dottedmag@dottedmag.net
Mikhail Gusarov
.UE
.br
.UR kzak@redhat.com
Karel Zak
.UE
.SH AVAILABILITY
The unshare command is part of the util-linux package and is available from
https://www.kernel.org/pub/linux/utils/util-linux/.
Commit	Line	Data
de0f3763	1	.TH UNSHARE 1 "February 2016" "util-linux" "User Commands"
4205f1fd	2	.SH NAME
ef6acdb8	3	unshare \- run program with some namespaces unshared from parent
4205f1fd MG	4	.SH SYNOPSIS
4205f1fd MG	5	.B unshare
cf8e0bae	6	[options]
b5672517 KZ	7	.RI [ program
b5672517 KZ	8	.RI [ arguments ]]
4205f1fd	9	.SH DESCRIPTION
dde08a87	10	Unshares the indicated namespaces from the parent process and then executes
b5672517 KZ	11	the specified \fIprogram\fR. If \fIprogram\fR is not given, then ``${SHELL}'' is
b5672517 KZ	12	run (default: /bin/sh).
0490a6ca	13	.PP
de0f3763 BS	14	The namespaces can optionally be made persistent by bind mounting
	15	/proc/\fIpid\fR/ns/\fItype\fR files to a filesystem path and entered with
	16	.BR \%nsenter (1)
ca538975 KZ	17	even after the \fIprogram\fR terminates (except PID namespaces where
ca538975 KZ	18	permanently running init process is required).
de0f3763	19	Once a persistent \%namespace is no longer needed, it can be unpersisted with
0490a6ca	20	.BR umount (8).
de0f3763	21	See the \fBEXAMPLES\fR section for more details.
0490a6ca KZ	22	.PP
0490a6ca KZ	23	The namespaces to be unshared are indicated via options. Unshareable namespaces are:
4205f1fd MG	24	.TP
4205f1fd MG	25	.BR "mount namespace"
f85b9777 MK	26	Mounting and unmounting filesystems will not affect the rest of the system,
f85b9777 MK	27	except for filesystems which are explicitly marked as
f0f22e9c KZ	28	shared (with \fBmount --make-shared\fP; see \fI/proc/self/mountinfo\fP or
f0f22e9c KZ	29	\fBfindmnt -o+PROPAGATION\fP for the \fBshared\fP flags).
f85b9777 MK	30	For further details, see
	31	.BR mount_namespaces (7)
	32	and the discussion of the
	33	.BR CLONE_NEWNS
	34	flag in
	35	.BR clone (2).
cf8e0bae	36	.sp
f0f22e9c KZ	37	.B unshare
f0f22e9c KZ	38	since util-linux version 2.27 automatically sets propagation to \fBprivate\fP
de0f3763 BS	39	in a new mount namespace to make sure that the new namespace is really
	40	unshared. It's possible to disable this feature with option
	41	\fB\-\-propagation unchanged\fP.
f0f22e9c	42	Note that \fBprivate\fP is the kernel default.
4205f1fd MG	43	.TP
4205f1fd MG	44	.BR "UTS namespace"
dde08a87	45	Setting hostname or domainname will not affect the rest of the system.
f85b9777 MK	46	For further details, see
	47	.BR namespaces (7)
	48	and the discussion of the
	49	.BR CLONE_NEWUTS
	50	flag in
	51	.BR clone (2).
4205f1fd MG	52	.TP
4205f1fd MG	53	.BR "IPC namespace"
170a8e4a MK	54	The process will have an independent namespace for POSIX message queues
170a8e4a MK	55	as well as System V \%message queues,
f85b9777 MK	56	semaphore sets and shared memory segments.
	57	For further details, see
	58	.BR namespaces (7)
	59	and the discussion of the
	60	.BR CLONE_NEWIPC
	61	flag in
	62	.BR clone (2).
4205f1fd MG	63	.TP
4205f1fd MG	64	.BR "network namespace"
dde08a87 BS	65	The process will have independent IPv4 and IPv6 stacks, IP routing tables,
dde08a87 BS	66	firewall rules, the \fI/proc/net\fP and \fI/sys/class/net\fP directory trees,
f85b9777 MK	67	sockets, etc.
	68	For further details, see
	69	.BR namespaces (7)
	70	and the discussion of the
	71	.BR CLONE_NEWNET
	72	flag in
	73	.BR clone (2).
4205f1fd	74	.TP
2085ba6c	75	.BR "PID namespace"
de0f3763	76	Children will have a distinct set of PID-to-process mappings from their parent.
f85b9777 MK	77	For further details, see
	78	.BR pid_namespaces (7)
	79	and
	80	the discussion of the
	81	.BR CLONE_NEWPID
	82	flag in
	83	.BR clone (2).
bc7f9b95	84	.TP
f9e7b66d SH	85	.BR "cgroup namespace"
	86	The process will have a virtualized view of \fI/proc\:/self\:/cgroup\fP, and new
	87	cgroup mounts will be rooted at the namespace cgroup root.
f85b9777 MK	88	For further details, see
	89	.BR cgroup_namespaces (7)
	90	and the discussion of the
	91	.BR CLONE_NEWCGROUP
	92	flag in
	93	.BR clone (2).
f9e7b66d	94	.TP
bc7f9b95	95	.BR "user namespace"
dde08a87	96	The process will have a distinct set of UIDs, GIDs and capabilities.
f85b9777 MK	97	For further details, see
	98	.BR user_namespaces (7)
	99	and the discussion of the
	100	.BR CLONE_NEWUSER
	101	flag in
	102	.BR clone (2).
4205f1fd MG	103	.SH OPTIONS
4205f1fd MG	104	.TP
de0f3763 BS	105	.BR \-i , " \-\-ipc" [ =\fIfile ]
	106	Unshare the IPC namespace. If \fIfile\fP is specified, then a persistent
	107	namespace is created by a bind mount.
dde08a87	108	.TP
de0f3763 BS	109	.BR \-m , " \-\-mount" [ =\fIfile ]
	110	Unshare the mount namespace. If \fIfile\fP is specified, then a persistent
	111	namespace is created by a bind mount.
	112	Note that \fIfile\fP has to be located on a filesystem with the propagation
	113	flag set to \fBprivate\fP. Use the command \fBfindmnt -o+PROPAGATION\fP
	114	when not sure about the current setting. See also the examples below.
4205f1fd	115	.TP
de0f3763 BS	116	.BR \-n , " \-\-net" [ =\fIfile ]
	117	Unshare the network namespace. If \fIfile\fP is specified, then a persistent
	118	namespace is created by a bind mount.
bc7f9b95	119	.TP
de0f3763 BS	120	.BR \-p , " \-\-pid" [ =\fIfile ]
	121	Unshare the PID namespace. If \fIfile\fP is specified then persistent
	122	namespace is created by a bind mount. See also the \fB--fork\fP and
	123	\fB--mount-proc\fP options.
bc7f9b95	124	.TP
de0f3763 BS	125	.BR \-u , " \-\-uts" [ =\fIfile ]
	126	Unshare the UTS namespace. If \fIfile\fP is specified, then a persistent
	127	namespace is created by a bind mount.
dde08a87	128	.TP
de0f3763 BS	129	.BR \-U , " \-\-user" [ =\fIfile ]
	130	Unshare the user namespace. If \fIfile\fP is specified, then a persistent
	131	namespace is created by a bind mount.
5088ec33	132	.TP
f9e7b66d SH	133	.BR \-C , " \-\-cgroup"[=\fIfile\fP]
	134	Unshare the cgroup namespace. If \fIfile\fP is specified then persistent namespace is created
	135	by bind mount.
	136	.TP
5088ec33	137	.BR \-f , " \-\-fork"
87ec43b6	138	Fork the specified \fIprogram\fR as a child process of \fBunshare\fR rather than
de0f3763	139	running it directly. This is useful when creating a new PID namespace.
6728ca10	140	.TP
8e8f0fa5 NH	141	.BR \-\-kill\-child
	142	When \fBunshare\fR terminates, have \fBSIGKILL\fR be sent to the forked child process.
	143	Combined with \fB--pid\fR this allows for an easy and realiable killing of the entire
	144	process tree below \fBunshare\fR.
	145	This option implies \fB--fork\fR.
	146	.TP
de0f3763	147	.BR \-\-mount\-proc [ =\fImountpoint ]
cf8e0bae	148	Just before running the program, mount the proc filesystem at \fImountpoint\fP
de0f3763	149	(default is /proc). This is useful when creating a new PID namespace. It also
6728ca10	150	implies creating a new mount namespace since the /proc mount would otherwise
cf8e0bae	151	mess up existing programs on the system. The new proc filesystem is explicitly
de0f3763	152	mounted as private (with MS_PRIVATE\|MS_REC).
4da21e37	153	.TP
b06c1ca6	154	.BR \-r , " \-\-map\-root\-user"
cf8e0bae BS	155	Run the program only after the current effective user and group IDs have been mapped to
	156	the superuser UID and GID in the newly created user namespace. This makes it possible to
	157	conveniently gain capabilities needed to manage various aspects of the newly created
	158	namespaces (such as configuring interfaces in the network namespace or mounting filesystems in
	159	the mount namespace) even when run unprivileged. As a mere convenience feature, it does not support
4da21e37	160	more sophisticated use cases, such as mapping multiple ranges of UIDs and GIDs.
de0f3763	161	This option implies \fB--setgroups=deny\fR.
fbceefde	162	.TP
de0f3763 BS	163	.BR "\-\-propagation private" \| shared \| slave \| unchanged
	164	Recursively set the mount propagation flag in the new mount namespace. The default
	165	is to set the propagation to \fIprivate\fP. It is possible to disable this feature
	166	with the argument \fBunchanged\fR. The option is silently ignored when the mount
	167	namespace (\fB\-\-mount\fP) is not requested.
f0f22e9c	168	.TP
de0f3763 BS	169	.BR "\-\-setgroups allow" \| deny
de0f3763 BS	170	Allow or deny the
fbceefde	171	.BR setgroups (2)
3be5d977	172	system call in a user namespace.
afaf3103 BS	173	.sp
	174	To be able to call
	175	.BR setgroups (2),
	176	the calling process must at least have CAP_SETGID.
	177	But since Linux 3.19 a further restriction applies:
	178	the kernel gives permission to call
	179	.BR \%setgroups (2)
	180	only after the GID map (\fB/proc/\fIpid\fB/gid_map\fR) has been set.
	181	The GID map is writable by root when
	182	.BR \%setgroups (2)
	183	is enabled (i.e. \fBallow\fR, the default), and
	184	the GID map becomes writable by unprivileged processes when
	185	.BR \%setgroups (2)
	186	is permanently disabled (with \fBdeny\fR).
5e43af7e BS	187	.TP
	188	.BR \-V , " \-\-version"
	189	Display version information and exit.
	190	.TP
	191	.BR \-h , " \-\-help"
	192	Display help text and exit.
86b6d7f4 KZ	193	.SH NOTES
	194	The proc and sysfs filesystems mounting as root in a user namespace have to be
	195	restricted so that a less privileged user can not get more access to sensitive
	196	files that a more privileged user made unavailable. In short the rule for proc
	197	and sysfs is as close to a bind mount as possible.
69a7761b LR	198	.SH EXAMPLES
	199	.TP
	200	.B # unshare --fork --pid --mount-proc readlink /proc/self
	201	.TQ
	202	1
	203	.br
de0f3763	204	Establish a PID namespace, ensure we're PID 1 in it against a newly mounted
69a7761b LR	205	procfs instance.
	206	.TP
	207	.B $ unshare --map-root-user --user sh -c whoami
	208	.TQ
	209	root
	210	.br
	211	Establish a user namespace as an unprivileged user with a root user within it.
0490a6ca	212	.TP
0490a6ca KZ	213	.B # touch /root/uts-ns
0490a6ca KZ	214	.TQ
100a3ab5	215	.B # unshare --uts=/root/uts-ns hostname FOO
0490a6ca KZ	216	.TQ
	217	.B # nsenter --uts=/root/uts-ns hostname
	218	.TQ
	219	FOO
	220	.TQ
	221	.B # umount /root/uts-ns
	222	.br
de0f3763 BS	223	Establish a persistent UTS namespace, and modify the hostname. The namespace
	224	is then entered with \fBnsenter\fR. The namespace is destroyed by unmounting
	225	the bind reference.
249fc8fe	226	.TP
249fc8fe KZ	227	.B # mount --bind /root/namespaces /root/namespaces
249fc8fe KZ	228	.TQ
de0f3763	229	.B # mount --make-private /root/namespaces
249fc8fe	230	.TQ
de0f3763	231	.B # touch /root/namespaces/mnt
249fc8fe	232	.TQ
99b3fb9e	233	.B # unshare --mount=/root/namespaces/mnt
249fc8fe KZ	234	.br
249fc8fe KZ	235	Establish a persistent mount namespace referenced by the bind mount
de0f3763 BS	236	/root/namespaces/mnt. This example shows a portable solution, because it
de0f3763 BS	237	makes sure that the bind mount is created on a shared filesystem.
8e8f0fa5 NH	238	.TP
	239	.B # unshare -pf --kill-child -- bash -c "(sleep 999 &) && sleep 1000" &
	240	.TQ
	241	.B # pid=$!
	242	.TQ
	243	.B # kill $pid
	244	.br
	245	Reliable killing of subprocesses of the \fIprogram\fR.
	246	When \fBunshare\fR gets killed, everything below it gets killed as well.
	247	Without it, the children of \fIprogram\fR would have orphaned and
	248	been re-parented to PID 1.
249fc8fe	249
4205f1fd	250	.SH SEE ALSO
c07f86e7	251	.BR clone (2),
f053ff1e	252	.BR unshare (2),
4a3f0735	253	.BR namespaces (7),
c07f86e7	254	.BR mount (8)
0490a6ca KZ	255	.SH AUTHORS
	256	.UR dottedmag@dottedmag.net
	257	Mikhail Gusarov
	258	.UE
	259	.br
	260	.UR kzak@redhat.com
	261	Karel Zak
	262	.UE
4205f1fd	263	.SH AVAILABILITY
601d12fb	264	The unshare command is part of the util-linux package and is available from
d673b74e	265	https://www.kernel.org/pub/linux/utils/util-linux/.