[thirdparty/util-linux.git] / sys-utils / unshare.1

.TH UNSHARE 1 "July 2014" "util-linux" "User Commands"
.SH NAME
unshare \- run program with some namespaces unshared from parent
.SH SYNOPSIS
.B unshare
[options]
.I program
.RI [ arguments ]
.SH DESCRIPTION
Unshares the indicated namespaces from the parent process and then executes
the specified \fIprogram\fR.  The namespaces to be unshared are indicated via
options.  Unshareable namespaces are:
.TP
.BR "mount namespace"
Mounting and unmounting filesystems will not affect the rest of the system
(\fBCLONE_NEWNS\fP flag), except for filesystems which are explicitly marked as
shared (with \fBmount --make-shared\fP; see \fI/proc/self/mountinfo\fP for the
\fBshared\fP flags).
.sp
It's recommended to use \fBmount --make-rprivate\fP or \fBmount --make-rslave\fP
after \fBunshare --mount\fP to make sure that mountpoints in the new namespace
are really unshared from the parental namespace.
.TP
.BR "UTS namespace"
Setting hostname or domainname will not affect the rest of the system.
(\fBCLONE_NEWUTS\fP flag)
.TP
.BR "IPC namespace"
The process will have an independent namespace for System V message queues,
semaphore sets and shared memory segments.  (\fBCLONE_NEWIPC\fP flag)
.TP
.BR "network namespace"
The process will have independent IPv4 and IPv6 stacks, IP routing tables,
firewall rules, the \fI/proc/net\fP and \fI/sys/class/net\fP directory trees,
sockets, etc.  (\fBCLONE_NEWNET\fP flag)
.TP
.BR "pid namespace"
Children will have a distinct set of PID to process mappings from their parent.
(\fBCLONE_NEWPID\fP flag)
.TP
.BR "user namespace"
The process will have a distinct set of UIDs, GIDs and capabilities.
(\fBCLONE_NEWUSER\fP flag)
.PP
See \fBclone\fR(2) for the exact semantics of the flags.
.SH OPTIONS
.TP
.BR \-i , " \-\-ipc"
Unshare the IPC namespace.
.TP
.BR \-m , " \-\-mount"
Unshare the mount namespace.
.TP
.BR \-n , " \-\-net"
Unshare the network namespace.
.TP
.BR \-p , " \-\-pid"
Unshare the pid namespace.
See also the \fB--fork\fP and \fB--mount-proc\fP options.
.TP
.BR \-u , " \-\-uts"
Unshare the UTS namespace.
.TP
.BR \-U , " \-\-user"
Unshare the user namespace.
.TP
.BR \-f , " \-\-fork"
Fork the specified \fIprogram\fR as a child process of \fBunshare\fR rather than
running it directly.  This is useful when creating a new pid namespace.
.TP
.BR \-\-mount-proc "[=\fImountpoint\fP]"
Just before running the program, mount the proc filesystem at \fImountpoint\fP
(default is /proc).  This is useful when creating a new pid namespace.  It also
implies creating a new mount namespace since the /proc mount would otherwise
mess up existing programs on the system.  The new proc filesystem is explicitly
mounted as private (by MS_PRIVATE|MS_REC).
.TP
.BR \-r , " \-\-map-root-user"
Run the program only after the current effective user and group IDs have been mapped to
the superuser UID and GID in the newly created user namespace.  This makes it possible to
conveniently gain capabilities needed to manage various aspects of the newly created
namespaces (such as configuring interfaces in the network namespace or mounting filesystems in
the mount namespace) even when run unprivileged.  As a mere convenience feature, it does not support
more sophisticated use cases, such as mapping multiple ranges of UIDs and GIDs.
This option implies --setgroups=deny.
.TP
.BR \-s , " \-\-setgroups \fIallow|deny\fP"
Allow or deny
.BR setgroups (2)
syscall in user namespaces.

.BR setgroups(2)
is only callable with CAP_SETGID and CAP_SETGID in a user
namespace (since Linux 3.19) does not give you permission to call setgroups(2)
until after GID map has been set. The GID map is writable by root when
.BR setgroups(2)
is enabled and GID map becomes writable by unprivileged processes when
.BR setgroups(2)
is permamently disabled.
.TP
.BR \-V , " \-\-version"
Display version information and exit.
.TP
.BR \-h , " \-\-help"
Display help text and exit.
.SH SEE ALSO
.BR unshare (2),
.BR clone (2),
.BR mount (8)
.SH BUGS
None known so far.
.SH AUTHOR
Mikhail Gusarov <dottedmag@dottedmag.net>
.SH AVAILABILITY
The unshare command is part of the util-linux package and is available from
ftp://ftp.kernel.org/pub/linux/utils/util-linux/.
Commit	Line	Data
cf8e0bae	1	.TH UNSHARE 1 "July 2014" "util-linux" "User Commands"
4205f1fd	2	.SH NAME
ef6acdb8	3	unshare \- run program with some namespaces unshared from parent
4205f1fd MG	4	.SH SYNOPSIS
4205f1fd MG	5	.B unshare
cf8e0bae	6	[options]
dde08a87	7	.I program
4205f1fd MG	8	.RI [ arguments ]
4205f1fd MG	9	.SH DESCRIPTION
dde08a87	10	Unshares the indicated namespaces from the parent process and then executes
cf8e0bae	11	the specified \fIprogram\fR. The namespaces to be unshared are indicated via
87ec43b6	12	options. Unshareable namespaces are:
4205f1fd MG	13	.TP
4205f1fd MG	14	.BR "mount namespace"
dde08a87	15	Mounting and unmounting filesystems will not affect the rest of the system
bc87f885	16	(\fBCLONE_NEWNS\fP flag), except for filesystems which are explicitly marked as
dde08a87 BS	17	shared (with \fBmount --make-shared\fP; see \fI/proc/self/mountinfo\fP for the
dde08a87 BS	18	\fBshared\fP flags).
cf8e0bae	19	.sp
c07f86e7 KZ	20	It's recommended to use \fBmount --make-rprivate\fP or \fBmount --make-rslave\fP
c07f86e7 KZ	21	after \fBunshare --mount\fP to make sure that mountpoints in the new namespace
cf8e0bae	22	are really unshared from the parental namespace.
4205f1fd MG	23	.TP
4205f1fd MG	24	.BR "UTS namespace"
dde08a87 BS	25	Setting hostname or domainname will not affect the rest of the system.
dde08a87 BS	26	(\fBCLONE_NEWUTS\fP flag)
4205f1fd MG	27	.TP
4205f1fd MG	28	.BR "IPC namespace"
dde08a87 BS	29	The process will have an independent namespace for System V message queues,
dde08a87 BS	30	semaphore sets and shared memory segments. (\fBCLONE_NEWIPC\fP flag)
4205f1fd MG	31	.TP
4205f1fd MG	32	.BR "network namespace"
dde08a87 BS	33	The process will have independent IPv4 and IPv6 stacks, IP routing tables,
	34	firewall rules, the \fI/proc/net\fP and \fI/sys/class/net\fP directory trees,
	35	sockets, etc. (\fBCLONE_NEWNET\fP flag)
4205f1fd	36	.TP
bc7f9b95	37	.BR "pid namespace"
dde08a87 BS	38	Children will have a distinct set of PID to process mappings from their parent.
dde08a87 BS	39	(\fBCLONE_NEWPID\fP flag)
bc7f9b95 EB	40	.TP
bc7f9b95 EB	41	.BR "user namespace"
dde08a87 BS	42	The process will have a distinct set of UIDs, GIDs and capabilities.
dde08a87 BS	43	(\fBCLONE_NEWUSER\fP flag)
e41e0f95	44	.PP
dde08a87	45	See \fBclone\fR(2) for the exact semantics of the flags.
4205f1fd MG	46	.SH OPTIONS
4205f1fd MG	47	.TP
ef6acdb8	48	.BR \-i , " \-\-ipc"
dde08a87 BS	49	Unshare the IPC namespace.
	50	.TP
	51	.BR \-m , " \-\-mount"
	52	Unshare the mount namespace.
4205f1fd	53	.TP
ef6acdb8 KZ	54	.BR \-n , " \-\-net"
ef6acdb8 KZ	55	Unshare the network namespace.
bc7f9b95 EB	56	.TP
bc7f9b95 EB	57	.BR \-p , " \-\-pid"
87ec43b6 BS	58	Unshare the pid namespace.
87ec43b6 BS	59	See also the \fB--fork\fP and \fB--mount-proc\fP options.
bc7f9b95	60	.TP
dde08a87 BS	61	.BR \-u , " \-\-uts"
	62	Unshare the UTS namespace.
	63	.TP
bc7f9b95 EB	64	.BR \-U , " \-\-user"
bc7f9b95 EB	65	Unshare the user namespace.
5088ec33 MF	66	.TP
5088ec33 MF	67	.BR \-f , " \-\-fork"
87ec43b6 BS	68	Fork the specified \fIprogram\fR as a child process of \fBunshare\fR rather than
87ec43b6 BS	69	running it directly. This is useful when creating a new pid namespace.
6728ca10	70	.TP
87ec43b6	71	.BR \-\-mount-proc "[=\fImountpoint\fP]"
cf8e0bae	72	Just before running the program, mount the proc filesystem at \fImountpoint\fP
6728ca10 KZ	73	(default is /proc). This is useful when creating a new pid namespace. It also
6728ca10 KZ	74	implies creating a new mount namespace since the /proc mount would otherwise
cf8e0bae	75	mess up existing programs on the system. The new proc filesystem is explicitly
c07f86e7	76	mounted as private (by MS_PRIVATE\|MS_REC).
4da21e37 LR	77	.TP
4da21e37 LR	78	.BR \-r , " \-\-map-root-user"
cf8e0bae BS	79	Run the program only after the current effective user and group IDs have been mapped to
	80	the superuser UID and GID in the newly created user namespace. This makes it possible to
	81	conveniently gain capabilities needed to manage various aspects of the newly created
	82	namespaces (such as configuring interfaces in the network namespace or mounting filesystems in
	83	the mount namespace) even when run unprivileged. As a mere convenience feature, it does not support
4da21e37	84	more sophisticated use cases, such as mapping multiple ranges of UIDs and GIDs.
fbceefde KZ	85	This option implies --setgroups=deny.
	86	.TP
	87	.BR \-s , " \-\-setgroups \fIallow\|deny\fP"
	88	Allow or deny
	89	.BR setgroups (2)
	90	syscall in user namespaces.
	91
	92	.BR setgroups(2)
	93	is only callable with CAP_SETGID and CAP_SETGID in a user
	94	namespace (since Linux 3.19) does not give you permission to call setgroups(2)
	95	until after GID map has been set. The GID map is writable by root when
	96	.BR setgroups(2)
	97	is enabled and GID map becomes writable by unprivileged processes when
	98	.BR setgroups(2)
	99	is permamently disabled.
5e43af7e BS	100	.TP
	101	.BR \-V , " \-\-version"
	102	Display version information and exit.
	103	.TP
	104	.BR \-h , " \-\-help"
	105	Display help text and exit.
4205f1fd	106	.SH SEE ALSO
8323d9fd	107	.BR unshare (2),
c07f86e7 KZ	108	.BR clone (2),
c07f86e7 KZ	109	.BR mount (8)
4205f1fd MG	110	.SH BUGS
4205f1fd MG	111	None known so far.
ef6acdb8	112	.SH AUTHOR
4205f1fd MG	113	Mikhail Gusarov <dottedmag@dottedmag.net>
4205f1fd MG	114	.SH AVAILABILITY
601d12fb KZ	115	The unshare command is part of the util-linux package and is available from
601d12fb KZ	116	ftp://ftp.kernel.org/pub/linux/utils/util-linux/.