[thirdparty/util-linux.git] / sys-utils / unshare.1

.\" Process this file with
.\" groff -man -Tascii lscpu.1
.\"
.TH UNSHARE 1 "July 2013" "util-linux" "User Commands"
.SH NAME
unshare \- run program with some namespaces unshared from parent
.SH SYNOPSIS
.B unshare
.RI [ options ]
.I program
.RI [ arguments ]
.SH DESCRIPTION
Unshares the indicated namespaces from the parent process and then executes
the specified program.  The namespaces to be unshared are indicated via
options.  Unshareable namespaces are:
.TP
.BR "mount namespace"
Mounting and unmounting filesystems will not affect the rest of the system
(\fBCLONE_NEWNS\fP flag), except for filesystems which are explicitly marked as
shared (with \fBmount --make-shared\fP; see \fI/proc/self/mountinfo\fP for the
\fBshared\fP flags).

It's recommended to use \fBmount --make-rprivate\fP or \fBmount --make-rslave\fP
after \fBunshare --mount\fP to make sure that mountpoints in the new namespace
are really unshared from parental namespace.
.TP
.BR "UTS namespace"
Setting hostname or domainname will not affect the rest of the system.
(\fBCLONE_NEWUTS\fP flag)
.TP
.BR "IPC namespace"
The process will have an independent namespace for System V message queues,
semaphore sets and shared memory segments.  (\fBCLONE_NEWIPC\fP flag)
.TP
.BR "network namespace"
The process will have independent IPv4 and IPv6 stacks, IP routing tables,
firewall rules, the \fI/proc/net\fP and \fI/sys/class/net\fP directory trees,
sockets, etc.  (\fBCLONE_NEWNET\fP flag)
.TP
.BR "pid namespace"
Children will have a distinct set of PID to process mappings from their parent.
(\fBCLONE_NEWPID\fP flag)
.TP
.BR "user namespace"
The process will have a distinct set of UIDs, GIDs and capabilities.
(\fBCLONE_NEWUSER\fP flag)
.PP
See \fBclone\fR(2) for the exact semantics of the flags.
.SH OPTIONS
.TP
.BR \-h , " \-\-help"
Display help text and exit.
.TP
.BR \-i , " \-\-ipc"
Unshare the IPC namespace.
.TP
.BR \-m , " \-\-mount"
Unshare the mount namespace.
.TP
.BR \-n , " \-\-net"
Unshare the network namespace.
.TP
.BR \-p , " \-\-pid"
Unshare the pid namespace.
See also the \fB--fork\fP and \fB--mount-proc\fP options.
.TP
.BR \-u , " \-\-uts"
Unshare the UTS namespace.
.TP
.BR \-U , " \-\-user"
Unshare the user namespace.
.TP
.BR \-f , " \-\-fork"
Fork the specified \fIprogram\fR as a child process of \fBunshare\fR rather than
running it directly.  This is useful when creating a new pid namespace.
.TP
.BR \-\-mount-proc "[=\fImountpoint\fP]"
Just before running the program, mount the proc filesystem at the \fImountpoint\fP
(default is /proc).  This is useful when creating a new pid namespace.  It also
implies creating a new mount namespace since the /proc mount would otherwise
mess up existing programs on the system. The new proc filesystem is explicitly
mounted as private (by MS_PRIVATE|MS_REC).
.SH SEE ALSO
.BR unshare (2),
.BR clone (2),
.BR mount (8)
.SH BUGS
None known so far.
.SH AUTHOR
Mikhail Gusarov <dottedmag@dottedmag.net>
.SH AVAILABILITY
The unshare command is part of the util-linux package and is available from
ftp://ftp.kernel.org/pub/linux/utils/util-linux/.
Commit	Line	Data
4205f1fd MG	1	.\" Process this file with
	2	.\" groff -man -Tascii lscpu.1
	3	.\"
87ec43b6	4	.TH UNSHARE 1 "July 2013" "util-linux" "User Commands"
4205f1fd	5	.SH NAME
ef6acdb8	6	unshare \- run program with some namespaces unshared from parent
4205f1fd MG	7	.SH SYNOPSIS
4205f1fd MG	8	.B unshare
87ec43b6	9	.RI [ options ]
dde08a87	10	.I program
4205f1fd MG	11	.RI [ arguments ]
4205f1fd MG	12	.SH DESCRIPTION
dde08a87	13	Unshares the indicated namespaces from the parent process and then executes
87ec43b6 BS	14	the specified program. The namespaces to be unshared are indicated via
87ec43b6 BS	15	options. Unshareable namespaces are:
4205f1fd MG	16	.TP
4205f1fd MG	17	.BR "mount namespace"
dde08a87	18	Mounting and unmounting filesystems will not affect the rest of the system
bc87f885	19	(\fBCLONE_NEWNS\fP flag), except for filesystems which are explicitly marked as
dde08a87 BS	20	shared (with \fBmount --make-shared\fP; see \fI/proc/self/mountinfo\fP for the
dde08a87 BS	21	\fBshared\fP flags).
c07f86e7 KZ	22
	23	It's recommended to use \fBmount --make-rprivate\fP or \fBmount --make-rslave\fP
	24	after \fBunshare --mount\fP to make sure that mountpoints in the new namespace
	25	are really unshared from parental namespace.
4205f1fd MG	26	.TP
4205f1fd MG	27	.BR "UTS namespace"
dde08a87 BS	28	Setting hostname or domainname will not affect the rest of the system.
dde08a87 BS	29	(\fBCLONE_NEWUTS\fP flag)
4205f1fd MG	30	.TP
4205f1fd MG	31	.BR "IPC namespace"
dde08a87 BS	32	The process will have an independent namespace for System V message queues,
dde08a87 BS	33	semaphore sets and shared memory segments. (\fBCLONE_NEWIPC\fP flag)
4205f1fd MG	34	.TP
4205f1fd MG	35	.BR "network namespace"
dde08a87 BS	36	The process will have independent IPv4 and IPv6 stacks, IP routing tables,
	37	firewall rules, the \fI/proc/net\fP and \fI/sys/class/net\fP directory trees,
	38	sockets, etc. (\fBCLONE_NEWNET\fP flag)
4205f1fd	39	.TP
bc7f9b95	40	.BR "pid namespace"
dde08a87 BS	41	Children will have a distinct set of PID to process mappings from their parent.
dde08a87 BS	42	(\fBCLONE_NEWPID\fP flag)
bc7f9b95 EB	43	.TP
bc7f9b95 EB	44	.BR "user namespace"
dde08a87 BS	45	The process will have a distinct set of UIDs, GIDs and capabilities.
dde08a87 BS	46	(\fBCLONE_NEWUSER\fP flag)
e41e0f95	47	.PP
dde08a87	48	See \fBclone\fR(2) for the exact semantics of the flags.
4205f1fd MG	49	.SH OPTIONS
	50	.TP
	51	.BR \-h , " \-\-help"
b4362b6f	52	Display help text and exit.
4205f1fd	53	.TP
ef6acdb8	54	.BR \-i , " \-\-ipc"
dde08a87 BS	55	Unshare the IPC namespace.
	56	.TP
	57	.BR \-m , " \-\-mount"
	58	Unshare the mount namespace.
4205f1fd	59	.TP
ef6acdb8 KZ	60	.BR \-n , " \-\-net"
ef6acdb8 KZ	61	Unshare the network namespace.
bc7f9b95 EB	62	.TP
bc7f9b95 EB	63	.BR \-p , " \-\-pid"
87ec43b6 BS	64	Unshare the pid namespace.
87ec43b6 BS	65	See also the \fB--fork\fP and \fB--mount-proc\fP options.
bc7f9b95	66	.TP
dde08a87 BS	67	.BR \-u , " \-\-uts"
	68	Unshare the UTS namespace.
	69	.TP
bc7f9b95 EB	70	.BR \-U , " \-\-user"
bc7f9b95 EB	71	Unshare the user namespace.
5088ec33 MF	72	.TP
5088ec33 MF	73	.BR \-f , " \-\-fork"
87ec43b6 BS	74	Fork the specified \fIprogram\fR as a child process of \fBunshare\fR rather than
87ec43b6 BS	75	running it directly. This is useful when creating a new pid namespace.
6728ca10	76	.TP
87ec43b6	77	.BR \-\-mount-proc "[=\fImountpoint\fP]"
6728ca10 KZ	78	Just before running the program, mount the proc filesystem at the \fImountpoint\fP
	79	(default is /proc). This is useful when creating a new pid namespace. It also
	80	implies creating a new mount namespace since the /proc mount would otherwise
c07f86e7 KZ	81	mess up existing programs on the system. The new proc filesystem is explicitly
c07f86e7 KZ	82	mounted as private (by MS_PRIVATE\|MS_REC).
4205f1fd	83	.SH SEE ALSO
8323d9fd	84	.BR unshare (2),
c07f86e7 KZ	85	.BR clone (2),
c07f86e7 KZ	86	.BR mount (8)
4205f1fd MG	87	.SH BUGS
4205f1fd MG	88	None known so far.
ef6acdb8	89	.SH AUTHOR
4205f1fd MG	90	Mikhail Gusarov <dottedmag@dottedmag.net>
4205f1fd MG	91	.SH AVAILABILITY
601d12fb KZ	92	The unshare command is part of the util-linux package and is available from
601d12fb KZ	93	ftp://ftp.kernel.org/pub/linux/utils/util-linux/.