[thirdparty/man-pages.git] / man7 / namespaces.7

.\" Copyright (c) 2013 by Michael Kerrisk <mtk.manpages@gmail.com>
.\" and Copyright (c) 2012 by Eric W. Biederman <ebiederm@xmission.com>
.\"
.\" %%%LICENSE_START(VERBATIM)
.\" Permission is granted to make and distribute verbatim copies of this
.\" manual provided the copyright notice and this permission notice are
.\" preserved on all copies.
.\"
.\" Permission is granted to copy and distribute modified versions of this
.\" manual under the conditions for verbatim copying, provided that the
.\" entire resulting derived work is distributed under the terms of a
.\" permission notice identical to this one.
.\"
.\" Since the Linux kernel and libraries are constantly changing, this
.\" manual page may be incorrect or out-of-date.  The author(s) assume no
.\" responsibility for errors or omissions, or for damages resulting from
.\" the use of the information contained herein.  The author(s) may not
.\" have taken the same level of care in the production of this manual,
.\" which is licensed free of charge, as they might when working
.\" professionally.
.\"
.\" Formatted or processed versions of this manual, if unaccompanied by
.\" the source, must acknowledge the copyright and authors of this work.
.\" %%%LICENSE_END
.\"
.\"
.TH NAMESPACES 7 2016-07-17 "Linux" "Linux Programmer's Manual"
.SH NAME
namespaces \- overview of Linux namespaces
.SH DESCRIPTION
A namespace wraps a global system resource in an abstraction that
makes it appear to the processes within the namespace that they
have their own isolated instance of the global resource.
Changes to the global resource are visible to other processes
that are members of the namespace, but are invisible to other processes.
One use of namespaces is to implement containers.

Linux provides the following namespaces:
.TS
lB lB lB
l lB l.
Namespace	Constant	Isolates
Cgroup	CLONE_NEWCGROUP	Cgroup root directory
IPC	CLONE_NEWIPC	System V IPC, POSIX message queues
Network	CLONE_NEWNET	Network devices, stacks, ports, etc.
Mount	CLONE_NEWNS	Mount points
PID	CLONE_NEWPID	Process IDs
User	CLONE_NEWUSER	User and group IDs
UTS	CLONE_NEWUTS	Hostname and NIS domain name
.TE

This page describes the various namespaces and the associated
.I /proc
files, and summarizes the APIs for working with namespaces.
.\"
.\" ==================== The namespaces API ====================
.\"
.SS The namespaces API
As well as various
.I /proc
files described below,
the namespaces API includes the following system calls:
.TP
.BR clone (2)
The
.BR clone (2)
system call creates a new process.
If the
.I flags
argument of the call specifies one or more of the
.B CLONE_NEW*
flags listed below, then new namespaces are created for each flag,
and the child process is made a member of those namespaces.
(This system call also implements a number of features
unrelated to namespaces.)
.TP
.BR setns (2)
The
.BR setns (2)
system call allows the calling process to join an existing namespace.
The namespace to join is specified via a file descriptor that refers to
one of the
.IR /proc/[pid]/ns
files described below.
.TP
.BR unshare (2)
The
.BR unshare (2)
system call moves the calling process to a new namespace.
If the
.I flags
argument of the call specifies one or more of the
.B CLONE_NEW*
flags listed below, then new namespaces are created for each flag,
and the calling process is made a member of those namespaces.
(This system call also implements a number of features
unrelated to namespaces.)
.PP
Creation of new namespaces using
.BR clone (2)
and
.BR unshare (2)
in most cases requires the
.BR CAP_SYS_ADMIN
capability.
User namespaces are the exception: since Linux 3.8,
no privilege is required to create a user namespace.
.\"
.\" ==================== The /proc/[pid]/ns/ directory ====================
.\"
.SS The /proc/[pid]/ns/ directory
Each process has a
.IR /proc/[pid]/ns/
.\" See commit 6b4e306aa3dc94a0545eb9279475b1ab6209a31f
subdirectory containing one entry for each namespace that
supports being manipulated by
.BR setns (2):

.in +4n
.nf
$ \fBls \-l /proc/$$/ns\fP
total 0
lrwxrwxrwx. 1 mtk mtk 0 Apr 28 12:46 cgroup \-> cgroup:[4026531835]
lrwxrwxrwx. 1 mtk mtk 0 Apr 28 12:46 ipc \-> ipc:[4026531839]
lrwxrwxrwx. 1 mtk mtk 0 Apr 28 12:46 mnt \-> mnt:[4026531840]
lrwxrwxrwx. 1 mtk mtk 0 Apr 28 12:46 net \-> net:[4026531969]
lrwxrwxrwx. 1 mtk mtk 0 Apr 28 12:46 pid \-> pid:[4026531836]
lrwxrwxrwx. 1 mtk mtk 0 Apr 28 12:46 user \-> user:[4026531837]
lrwxrwxrwx. 1 mtk mtk 0 Apr 28 12:46 uts \-> uts:[4026531838]
.fi
.in

Bind mounting (see
.BR mount (2))
one of the files in this directory
to somewhere else in the filesystem keeps
the corresponding namespace of the process specified by
.I pid
alive even if all processes currently in the namespace terminate.

Opening one of the files in this directory
(or a file that is bind mounted to one of these files)
returns a file handle for
the corresponding namespace of the process specified by
.IR pid .
As long as this file descriptor remains open,
the namespace will remain alive,
even if all processes in the namespace terminate.
The file descriptor can be passed to
.BR setns (2).

In Linux 3.7 and earlier, these files were visible as hard links.
Since Linux 3.8,
.\" commit bf056bfa80596a5d14b26b17276a56a0dcb080e5
they appear as symbolic links.
If two processes are in the same namespace, then the inode numbers of their
.IR /proc/[pid]/ns/xxx
symbolic links will be the same; an application can check this using the
.I stat.st_ino
field returned by
.BR stat (2).
The content of this symbolic link is a string containing
the namespace type and inode number as in the following example:

.in +4n
.nf
$ \fBreadlink /proc/$$/ns/uts\fP
uts:[4026531838]
.fi
.in

The symbolic links in this subdirectory are as follows:
.TP
.IR /proc/[pid]/ns/cgroup " (since Linux 4.6)"
This file is a handle for the cgroup namespace of the process.
.TP
.IR /proc/[pid]/ns/ipc " (since Linux 3.0)"
This file is a handle for the IPC namespace of the process.
.TP
.IR /proc/[pid]/ns/mnt " (since Linux 3.8)"
.\" commit 8823c079ba7136dc1948d6f6dcb5f8022bde438e
This file is a handle for the mount namespace of the process.
.TP
.IR /proc/[pid]/ns/net " (since Linux 3.0)"
This file is a handle for the network namespace of the process.
.TP
.IR /proc/[pid]/ns/pid " (since Linux 3.8)"
.\" commit 57e8391d327609cbf12d843259c968b9e5c1838f
This file is a handle for the PID namespace of the process.
.TP
.IR /proc/[pid]/ns/user " (since Linux 3.8)"
.\" commit cde1975bc242f3e1072bde623ef378e547b73f91
This file is a handle for the user namespace of the process.
.TP
.IR /proc/[pid]/ns/uts " (since Linux 3.0)"
This file is a handle for the UTS namespace of the process.
.PP
Permission to dereference or read
.RB ( readlink (2))
these symbolic links is governed by a ptrace access mode
.B PTRACE_MODE_READ_FSCREDS
check; see
.BR ptrace (2).
.\"
.\" ==================== Cgroup namespaces ====================
.\"
.SS Cgroup namespaces (CLONE_NEWCGROUP)
See
.BR cgroup_namespaces (7).
.\"
.\" ==================== IPC namespaces ====================
.\"
.SS IPC namespaces (CLONE_NEWIPC)
IPC namespaces isolate certain IPC resources,
namely, System V IPC objects (see
.BR svipc (7))
and (since Linux 2.6.30)
.\" commit 7eafd7c74c3f2e67c27621b987b28397110d643f
.\" https://lwn.net/Articles/312232/
POSIX message queues (see
.BR mq_overview (7)).
The common characteristic of these IPC mechanisms is that IPC
objects are identified by mechanisms other than filesystem
pathnames.

Each IPC namespace has its own set of System V IPC identifiers and
its own POSIX message queue filesystem.
Objects created in an IPC namespace are visible to all other processes
that are members of that namespace,
but are not visible to processes in other IPC namespaces.

The following
.I /proc
interfaces are distinct in each IPC namespace:
.IP * 3
The POSIX message queue interfaces in
.IR /proc/sys/fs/mqueue .
.IP *
The System V IPC interfaces in
.IR /proc/sys/kernel ,
namely:
.IR msgmax ,
.IR msgmnb  ,
.IR msgmni ,
.IR sem ,
.IR shmall ,
.IR shmmax ,
.IR shmmni ,
and
.IR shm_rmid_forced .
.IP *
The System V IPC interfaces in
.IR /proc/sysvipc .
.PP
When an IPC namespace is destroyed
(i.e., when the last process that is a member of the namespace terminates),
all IPC objects in the namespace are automatically destroyed.

Use of IPC namespaces requires a kernel that is configured with the
.B CONFIG_IPC_NS
option.
.\"
.\" ==================== Network namespaces ====================
.\"
.SS Network namespaces (CLONE_NEWNET)
Network namespaces provide isolation of the system resources associated
with networking: network devices, IPv4 and IPv6 protocol stacks,
IP routing tables, firewalls, the
.I /proc/net
directory, the
.I /sys/class/net
directory, port numbers (sockets), and so on.
A physical network device can live in exactly one
network namespace.
A virtual network device ("veth") pair provides a pipe-like abstraction
.\" FIXME . Add pointer to veth(4) page when it is eventually completed
that can be used to create tunnels between network namespaces,
and can be used to create a bridge to a physical network device
in another namespace.

When a network namespace is freed
(i.e., when the last process in the namespace terminates),
its physical network devices are moved back to the
initial network namespace (not to the parent of the process).

Use of network namespaces requires a kernel that is configured with the
.B CONFIG_NET_NS
option.
.\"
.\" ==================== Mount namespaces ====================
.\"
.SS Mount namespaces (CLONE_NEWNS)
See
.BR mount_namespaces (7).
.\"
.\" ==================== PID namespaces ====================
.\"
.SS PID namespaces (CLONE_NEWPID)
See
.BR pid_namespaces (7).
.\"
.\" ==================== User namespaces ====================
.\"
.SS User namespaces (CLONE_NEWUSER)
See
.BR user_namespaces (7).
.\"
.\" ==================== UTS namespaces ====================
.\"
.SS UTS namespaces (CLONE_NEWUTS)
UTS namespaces provide isolation of two system identifiers:
the hostname and the NIS domain name.
These identifiers are set using
.BR sethostname (2)
and
.BR setdomainname (2),
and can be retrieved using
.BR uname (2),
.BR gethostname (2),
and
.BR getdomainname (2).

Use of UTS namespaces requires a kernel that is configured with the
.B CONFIG_UTS_NS
option.
.\"
.\" ============================================================
.\"
.SS Introspecting namespace relationships
Since Linux 4.9,
.\" commit bcac25a58bfc6bd79191ac5d7afb49bea96da8c9
.\" commit 6786741dbf99e44fb0c0ed85a37582b8a26f1c3b
.\" commit a7306ed8d94af729ecef8b6e37506a1c6fc14788
.\" commit 6ad92bf63e45f97e306da48cd1cbce6e4fef1e5d
two
.BR ioctl (2)
operations are provided to allow introspection of namespace relationships
(see
.BR user_namespaces (7)
and
.BR pid_namespaces (7)).
The form of the calls is:

    new_fd = ioctl(fd, request);

In each case,
.I fd
refers to a
.IR /proc/[pid]/ns/*
file.
Both operations return a new file descriptor on success.
.TP
.BR NS_GET_USERNS
Returns a file descriptor that refers to the owning user namespace
for the namespace referred to by
.IR fd .
.TP
.BR NS_GET_PARENT
Returns a file descriptor that refers to the parent namespace of
the namespace referred to by
.IR fd .
This operation is valid only for hierarchical namespaces
(i.e., PID and user namespaces).
For user namespaces,
.BR NS_GET_PARENT
is synonymous with
.BR NS_GET_USERNS .
.PP
The new file descriptor returned by these operations is opened with the
.BR O_RDONLY
and
.BR O_CLOEXEC
(close-on-exec; see
.BR fcntl (2)) flags.
.PP
By applying
.BR fstat (2)
to the returned file descriptor, one obtains a
.I stat
structure whose
.I st_ino
(inode number) field identifies the owning/parent namespace.
This inode number can be matched with the inode number of another
.IR /proc/[pid]/ns/{pid,user}
file to determine whether that is the owning/parent namespace.

Either of these
.BR ioctl (2)
operations can fail with the following errors:
.TP
.B EPERM
The requested namespace is outside of the caller's namespace scope.
This error can occur if, for example, the owning user namespace is an
ancestor of the caller's current user namespace.
It can also occur on attempts to obtain the parent of the initial
user or PID namespace.
.TP
.B ENOTTY
The operation is not supported by this kernel version.
.PP
Additionally, the
.B NS_GET_PARENT
operation can fail with the following error:
.TP
.B EINVAL
.I fd
refers to a nonhierarchical namespace.
.PP
See the EXAMPLE section for an example of the use of these operations.
.SH CONFORMING TO
Namespaces are a Linux-specific feature.
.SH EXAMPLE
For one example,
.BR user_namespaces (7).

The example shown below uses the
.BR ioctl (2)
operations described above to perform simple
introspection of namespace relationships.
The following shell sessions show various examples of the use
of this program.

Trying to get the parent of the initial user namespace fails,
for the reasons explained earlier:

.nf
.in +4n
$ \fB./ns_introspect /proc/self/ns/user p\fP
The parent namespace is outside your namespace scope
.in
.fi

Create a process running
.BR sleep (1)
that resides in new user and UTS namespaces,
and show that new UTS namespace is associated with the new user namespace:

.nf
.in +4n
$ \fBunshare \-Uu sleep 1000 &\fP
[1] 23235
$ \fB./ns_introspect /proc/23235/ns/uts\fP
Inode number of owning user namespace is: 4026532448
$ \fBreadlink /proc/23235/ns/user \fP
user:[4026532448]
.in
.fi

Then show that the parent of the new user namespace in the preceding
example is the initial user namespace:

.nf
.in +4n
$ \fBreadlink /proc/self/ns/user\fP
user:[4026531837]
$ \fB./ns_introspect /proc/23235/ns/user\fP
Inode number of owning user namespace is: 4026531837
.in
.fi

Start a shell in a new user namespace, and show that from within
this shell, the parent user namespace can't be discovered.
Similarly, the UTS namespace
(which is associated with the initial user namespace)
can't be discovered.

.nf
.in +4n
$ \fBPS1="sh2$ " unshare \-U bash\fP
sh2$ \fB./ns_introspect /proc/self/ns/user p\fP
The parent namespace is outside your namespace scope
sh2$ \fB./ns_introspect /proc/self/ns/uts u\fP
The owning user namespace is outside your namespace scope
.in
.fi
.SS Program source
\&
.nf
/* ns_introspect.c

   Licensed under GNU General Public License v2 or later
*/
#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <sys/ioctl.h>
#include <string.h>
#include <errno.h>

#ifndef NS_GET_USERNS
#define NSIO    0xb7
#define NS_GET_USERNS   _IO(NSIO, 0x1)
#define NS_GET_PARENT   _IO(NSIO, 0x2)
#endif

int
main(int argc, char *argv[])
{
    int fd, userns_fd, parent_fd;
    struct stat sb;

    if (argc < 2) {
        fprintf(stderr, "Usage: %s /proc/[pid]/ns/[file] [p|u]\\n",
                argv[0]);
        fprintf(stderr, "\\nDisplay the result of one or both "
                "of NS_GET_USERNS (u) or NS_GET_PARENT (p)\\n"
                "for the specified /proc/[pid]/ns/[file]. If neither "
                "\(aqp\(aq nor \(aqu\(aq is specified,\\n"
                "NS_GET_USERNS is the default.\\n");
        exit(EXIT_FAILURE);
    }

    /* Obtain a file descriptor for the \(aqns\(aq file specified
       in argv[1] */

    fd = open(argv[1], O_RDONLY);
    if (fd == \-1) {
        perror("open");
        exit(EXIT_FAILURE);
    }

    /* Obtain a file descriptor for the owning user namespace and
       then obtain and display the inode number of that namespace */

    if (argc < 3 || strchr(argv[2], \(aqu\(aq)) {
        userns_fd = ioctl(fd, NS_GET_USERNS);

        if (userns_fd == \-1) {
            if (errno == EPERM)
                printf("The owning user namespace is outside "
                        "your namespace scope\\n");
            else
               perror("ioctl\-NS_GET_USERNS");
            exit(EXIT_FAILURE);
         }

        if (fstat(userns_fd, &sb) == \-1) {
            perror("fstat\-userns");
            exit(EXIT_FAILURE);
        }
        printf("Inode number of owning user namespace is: %ld\\n",
                (long) sb.st_ino);

        close(userns_fd);
    }

    /* Obtain a file descriptor for the parent namespace and
       then obtain and display the inode number of that namespace */

    if (argc > 2 && strchr(argv[2], \(aqp\(aq)) {
        parent_fd = ioctl(fd, NS_GET_PARENT);

        if (parent_fd == \-1) {
            if (errno == EINVAL)
                printf("Can\(aq get parent namespace of a "
                        "nonhierarchical namespace\\n");
            else if (errno == EPERM)
                printf("The parent namespace is outside "
                        "your namespace scope\\n");
            else
                perror("ioctl\-NS_GET_PARENT");
            exit(EXIT_FAILURE);
        }

        if (fstat(parent_fd, &sb) == \-1) {
            perror("fstat\-parentns");
            exit(EXIT_FAILURE);
        }
        printf("Inode number of parent namespace is: %ld\\n",
                (long) sb.st_ino);

        close(parent_fd);
    }

    exit(EXIT_SUCCESS);
}
.fi
.SH SEE ALSO
.BR nsenter (1),
.BR readlink (1),
.BR unshare (1),
.BR clone (2),
.BR setns (2),
.BR unshare (2),
.BR proc (5),
.BR capabilities (7),
.BR cgroup_namespaces (7),
.BR cgroups (7),
.BR credentials (7),
.BR pid_namespaces (7),
.BR user_namespaces (7),
.BR lsns (8),
.BR switch_root (8)
Commit	Line	Data
	1	.\" Copyright (c) 2013 by Michael Kerrisk <mtk.manpages@gmail.com>
	2	.\" and Copyright (c) 2012 by Eric W. Biederman <ebiederm@xmission.com>
	3	.\"
	4	.\" %%%LICENSE_START(VERBATIM)
	5	.\" Permission is granted to make and distribute verbatim copies of this
	6	.\" manual provided the copyright notice and this permission notice are
	7	.\" preserved on all copies.
	8	.\"
	9	.\" Permission is granted to copy and distribute modified versions of this
	10	.\" manual under the conditions for verbatim copying, provided that the
	11	.\" entire resulting derived work is distributed under the terms of a
	12	.\" permission notice identical to this one.
	13	.\"
	14	.\" Since the Linux kernel and libraries are constantly changing, this
	15	.\" manual page may be incorrect or out-of-date. The author(s) assume no
	16	.\" responsibility for errors or omissions, or for damages resulting from
	17	.\" the use of the information contained herein. The author(s) may not
	18	.\" have taken the same level of care in the production of this manual,
	19	.\" which is licensed free of charge, as they might when working
	20	.\" professionally.
	21	.\"
	22	.\" Formatted or processed versions of this manual, if unaccompanied by
	23	.\" the source, must acknowledge the copyright and authors of this work.
	24	.\" %%%LICENSE_END
	25	.\"
	26	.\"
	27	.TH NAMESPACES 7 2016-07-17 "Linux" "Linux Programmer's Manual"
	28	.SH NAME
	29	namespaces \- overview of Linux namespaces
	30	.SH DESCRIPTION
	31	A namespace wraps a global system resource in an abstraction that
	32	makes it appear to the processes within the namespace that they
	33	have their own isolated instance of the global resource.
	34	Changes to the global resource are visible to other processes
	35	that are members of the namespace, but are invisible to other processes.
	36	One use of namespaces is to implement containers.
	37
	38	Linux provides the following namespaces:
	39	.TS
	40	lB lB lB
	41	l lB l.
	42	Namespace Constant Isolates
	43	Cgroup CLONE_NEWCGROUP Cgroup root directory
	44	IPC CLONE_NEWIPC System V IPC, POSIX message queues
	45	Network CLONE_NEWNET Network devices, stacks, ports, etc.
	46	Mount CLONE_NEWNS Mount points
	47	PID CLONE_NEWPID Process IDs
	48	User CLONE_NEWUSER User and group IDs
	49	UTS CLONE_NEWUTS Hostname and NIS domain name
	50	.TE
	51
	52	This page describes the various namespaces and the associated
	53	.I /proc
	54	files, and summarizes the APIs for working with namespaces.
	55	.\"
	56	.\" ==================== The namespaces API ====================
	57	.\"
	58	.SS The namespaces API
	59	As well as various
	60	.I /proc
	61	files described below,
	62	the namespaces API includes the following system calls:
	63	.TP
	64	.BR clone (2)
	65	The
	66	.BR clone (2)
	67	system call creates a new process.
	68	If the
	69	.I flags
	70	argument of the call specifies one or more of the
	71	.B CLONE_NEW*
	72	flags listed below, then new namespaces are created for each flag,
	73	and the child process is made a member of those namespaces.
	74	(This system call also implements a number of features
	75	unrelated to namespaces.)
	76	.TP
	77	.BR setns (2)
	78	The
	79	.BR setns (2)
	80	system call allows the calling process to join an existing namespace.
	81	The namespace to join is specified via a file descriptor that refers to
	82	one of the
	83	.IR /proc/[pid]/ns
	84	files described below.
	85	.TP
	86	.BR unshare (2)
	87	The
	88	.BR unshare (2)
	89	system call moves the calling process to a new namespace.
	90	If the
	91	.I flags
	92	argument of the call specifies one or more of the
	93	.B CLONE_NEW*
	94	flags listed below, then new namespaces are created for each flag,
	95	and the calling process is made a member of those namespaces.
	96	(This system call also implements a number of features
	97	unrelated to namespaces.)
	98	.PP
	99	Creation of new namespaces using
	100	.BR clone (2)
	101	and
	102	.BR unshare (2)
	103	in most cases requires the
	104	.BR CAP_SYS_ADMIN
	105	capability.
	106	User namespaces are the exception: since Linux 3.8,
	107	no privilege is required to create a user namespace.
	108	.\"
	109	.\" ==================== The /proc/[pid]/ns/ directory ====================
	110	.\"
	111	.SS The /proc/[pid]/ns/ directory
	112	Each process has a
	113	.IR /proc/[pid]/ns/
	114	.\" See commit 6b4e306aa3dc94a0545eb9279475b1ab6209a31f
	115	subdirectory containing one entry for each namespace that
	116	supports being manipulated by
	117	.BR setns (2):
	118
	119	.in +4n
	120	.nf
	121	$ \fBls \-l /proc/$$/ns\fP
	122	total 0
	123	lrwxrwxrwx. 1 mtk mtk 0 Apr 28 12:46 cgroup \-> cgroup:[4026531835]
	124	lrwxrwxrwx. 1 mtk mtk 0 Apr 28 12:46 ipc \-> ipc:[4026531839]
	125	lrwxrwxrwx. 1 mtk mtk 0 Apr 28 12:46 mnt \-> mnt:[4026531840]
	126	lrwxrwxrwx. 1 mtk mtk 0 Apr 28 12:46 net \-> net:[4026531969]
	127	lrwxrwxrwx. 1 mtk mtk 0 Apr 28 12:46 pid \-> pid:[4026531836]
	128	lrwxrwxrwx. 1 mtk mtk 0 Apr 28 12:46 user \-> user:[4026531837]
	129	lrwxrwxrwx. 1 mtk mtk 0 Apr 28 12:46 uts \-> uts:[4026531838]
	130	.fi
	131	.in
	132
	133	Bind mounting (see
	134	.BR mount (2))
	135	one of the files in this directory
	136	to somewhere else in the filesystem keeps
	137	the corresponding namespace of the process specified by
	138	.I pid
	139	alive even if all processes currently in the namespace terminate.
	140
	141	Opening one of the files in this directory
	142	(or a file that is bind mounted to one of these files)
	143	returns a file handle for
	144	the corresponding namespace of the process specified by
	145	.IR pid .
	146	As long as this file descriptor remains open,
	147	the namespace will remain alive,
	148	even if all processes in the namespace terminate.
	149	The file descriptor can be passed to
	150	.BR setns (2).
	151
	152	In Linux 3.7 and earlier, these files were visible as hard links.
	153	Since Linux 3.8,
	154	.\" commit bf056bfa80596a5d14b26b17276a56a0dcb080e5
	155	they appear as symbolic links.
	156	If two processes are in the same namespace, then the inode numbers of their
	157	.IR /proc/[pid]/ns/xxx
	158	symbolic links will be the same; an application can check this using the
	159	.I stat.st_ino
	160	field returned by
	161	.BR stat (2).
	162	The content of this symbolic link is a string containing
	163	the namespace type and inode number as in the following example:
	164
	165	.in +4n
	166	.nf
	167	$ \fBreadlink /proc/$$/ns/uts\fP
	168	uts:[4026531838]
	169	.fi
	170	.in
	171
	172	The symbolic links in this subdirectory are as follows:
	173	.TP
	174	.IR /proc/[pid]/ns/cgroup " (since Linux 4.6)"
	175	This file is a handle for the cgroup namespace of the process.
	176	.TP
	177	.IR /proc/[pid]/ns/ipc " (since Linux 3.0)"
	178	This file is a handle for the IPC namespace of the process.
	179	.TP
	180	.IR /proc/[pid]/ns/mnt " (since Linux 3.8)"
	181	.\" commit 8823c079ba7136dc1948d6f6dcb5f8022bde438e
	182	This file is a handle for the mount namespace of the process.
	183	.TP
	184	.IR /proc/[pid]/ns/net " (since Linux 3.0)"
	185	This file is a handle for the network namespace of the process.
	186	.TP
	187	.IR /proc/[pid]/ns/pid " (since Linux 3.8)"
	188	.\" commit 57e8391d327609cbf12d843259c968b9e5c1838f
	189	This file is a handle for the PID namespace of the process.
	190	.TP
	191	.IR /proc/[pid]/ns/user " (since Linux 3.8)"
	192	.\" commit cde1975bc242f3e1072bde623ef378e547b73f91
	193	This file is a handle for the user namespace of the process.
	194	.TP
	195	.IR /proc/[pid]/ns/uts " (since Linux 3.0)"
	196	This file is a handle for the UTS namespace of the process.
	197	.PP
	198	Permission to dereference or read
	199	.RB ( readlink (2))
	200	these symbolic links is governed by a ptrace access mode
	201	.B PTRACE_MODE_READ_FSCREDS
	202	check; see
	203	.BR ptrace (2).
	204	.\"
	205	.\" ==================== Cgroup namespaces ====================
	206	.\"
	207	.SS Cgroup namespaces (CLONE_NEWCGROUP)
	208	See
	209	.BR cgroup_namespaces (7).
	210	.\"
	211	.\" ==================== IPC namespaces ====================
	212	.\"
	213	.SS IPC namespaces (CLONE_NEWIPC)
	214	IPC namespaces isolate certain IPC resources,
	215	namely, System V IPC objects (see
	216	.BR svipc (7))
	217	and (since Linux 2.6.30)
	218	.\" commit 7eafd7c74c3f2e67c27621b987b28397110d643f
	219	.\" https://lwn.net/Articles/312232/
	220	POSIX message queues (see
	221	.BR mq_overview (7)).
	222	The common characteristic of these IPC mechanisms is that IPC
	223	objects are identified by mechanisms other than filesystem
	224	pathnames.
	225
	226	Each IPC namespace has its own set of System V IPC identifiers and
	227	its own POSIX message queue filesystem.
	228	Objects created in an IPC namespace are visible to all other processes
	229	that are members of that namespace,
	230	but are not visible to processes in other IPC namespaces.
	231
	232	The following
	233	.I /proc
	234	interfaces are distinct in each IPC namespace:
	235	.IP * 3
	236	The POSIX message queue interfaces in
	237	.IR /proc/sys/fs/mqueue .
	238	.IP *
	239	The System V IPC interfaces in
	240	.IR /proc/sys/kernel ,
	241	namely:
	242	.IR msgmax ,
	243	.IR msgmnb ,
	244	.IR msgmni ,
	245	.IR sem ,
	246	.IR shmall ,
	247	.IR shmmax ,
	248	.IR shmmni ,
	249	and
	250	.IR shm_rmid_forced .
	251	.IP *
	252	The System V IPC interfaces in
	253	.IR /proc/sysvipc .
	254	.PP
	255	When an IPC namespace is destroyed
	256	(i.e., when the last process that is a member of the namespace terminates),
	257	all IPC objects in the namespace are automatically destroyed.
	258
	259	Use of IPC namespaces requires a kernel that is configured with the
	260	.B CONFIG_IPC_NS
	261	option.
	262	.\"
	263	.\" ==================== Network namespaces ====================
	264	.\"
	265	.SS Network namespaces (CLONE_NEWNET)
	266	Network namespaces provide isolation of the system resources associated
	267	with networking: network devices, IPv4 and IPv6 protocol stacks,
	268	IP routing tables, firewalls, the
	269	.I /proc/net
	270	directory, the
	271	.I /sys/class/net
	272	directory, port numbers (sockets), and so on.
	273	A physical network device can live in exactly one
	274	network namespace.
	275	A virtual network device ("veth") pair provides a pipe-like abstraction
	276	.\" FIXME . Add pointer to veth(4) page when it is eventually completed
	277	that can be used to create tunnels between network namespaces,
	278	and can be used to create a bridge to a physical network device
	279	in another namespace.
	280
	281	When a network namespace is freed
	282	(i.e., when the last process in the namespace terminates),
	283	its physical network devices are moved back to the
	284	initial network namespace (not to the parent of the process).
	285
	286	Use of network namespaces requires a kernel that is configured with the
	287	.B CONFIG_NET_NS
	288	option.
	289	.\"
	290	.\" ==================== Mount namespaces ====================
	291	.\"
	292	.SS Mount namespaces (CLONE_NEWNS)
	293	See
	294	.BR mount_namespaces (7).
	295	.\"
	296	.\" ==================== PID namespaces ====================
	297	.\"
	298	.SS PID namespaces (CLONE_NEWPID)
	299	See
	300	.BR pid_namespaces (7).
	301	.\"
	302	.\" ==================== User namespaces ====================
	303	.\"
	304	.SS User namespaces (CLONE_NEWUSER)
	305	See
	306	.BR user_namespaces (7).
	307	.\"
	308	.\" ==================== UTS namespaces ====================
	309	.\"
	310	.SS UTS namespaces (CLONE_NEWUTS)
	311	UTS namespaces provide isolation of two system identifiers:
	312	the hostname and the NIS domain name.
	313	These identifiers are set using
	314	.BR sethostname (2)
	315	and
	316	.BR setdomainname (2),
	317	and can be retrieved using
	318	.BR uname (2),
	319	.BR gethostname (2),
	320	and
	321	.BR getdomainname (2).
	322
	323	Use of UTS namespaces requires a kernel that is configured with the
	324	.B CONFIG_UTS_NS
	325	option.
	326	.\"
	327	.\" ============================================================
	328	.\"
	329	.SS Introspecting namespace relationships
	330	Since Linux 4.9,
	331	.\" commit bcac25a58bfc6bd79191ac5d7afb49bea96da8c9
	332	.\" commit 6786741dbf99e44fb0c0ed85a37582b8a26f1c3b
	333	.\" commit a7306ed8d94af729ecef8b6e37506a1c6fc14788
	334	.\" commit 6ad92bf63e45f97e306da48cd1cbce6e4fef1e5d
	335	two
	336	.BR ioctl (2)
	337	operations are provided to allow introspection of namespace relationships
	338	(see
	339	.BR user_namespaces (7)
	340	and
	341	.BR pid_namespaces (7)).
	342	The form of the calls is:
	343
	344	new_fd = ioctl(fd, request);
	345
	346	In each case,
	347	.I fd
	348	refers to a
	349	.IR /proc/[pid]/ns/*
	350	file.
	351	Both operations return a new file descriptor on success.
	352	.TP
	353	.BR NS_GET_USERNS
	354	Returns a file descriptor that refers to the owning user namespace
	355	for the namespace referred to by
	356	.IR fd .
	357	.TP
	358	.BR NS_GET_PARENT
	359	Returns a file descriptor that refers to the parent namespace of
	360	the namespace referred to by
	361	.IR fd .
	362	This operation is valid only for hierarchical namespaces
	363	(i.e., PID and user namespaces).
	364	For user namespaces,
	365	.BR NS_GET_PARENT
	366	is synonymous with
	367	.BR NS_GET_USERNS .
	368	.PP
	369	The new file descriptor returned by these operations is opened with the
	370	.BR O_RDONLY
	371	and
	372	.BR O_CLOEXEC
	373	(close-on-exec; see
	374	.BR fcntl (2)) flags.
	375	.PP
	376	By applying
	377	.BR fstat (2)
	378	to the returned file descriptor, one obtains a
	379	.I stat
	380	structure whose
	381	.I st_ino
	382	(inode number) field identifies the owning/parent namespace.
	383	This inode number can be matched with the inode number of another
	384	.IR /proc/[pid]/ns/{pid,user}
	385	file to determine whether that is the owning/parent namespace.
	386
	387	Either of these
	388	.BR ioctl (2)
	389	operations can fail with the following errors:
	390	.TP
	391	.B EPERM
	392	The requested namespace is outside of the caller's namespace scope.
	393	This error can occur if, for example, the owning user namespace is an
	394	ancestor of the caller's current user namespace.
	395	It can also occur on attempts to obtain the parent of the initial
	396	user or PID namespace.
	397	.TP
	398	.B ENOTTY
	399	The operation is not supported by this kernel version.
	400	.PP
	401	Additionally, the
	402	.B NS_GET_PARENT
	403	operation can fail with the following error:
	404	.TP
	405	.B EINVAL
	406	.I fd
	407	refers to a nonhierarchical namespace.
	408	.PP
	409	See the EXAMPLE section for an example of the use of these operations.
	410	.SH CONFORMING TO
	411	Namespaces are a Linux-specific feature.
	412	.SH EXAMPLE
	413	For one example,
	414	.BR user_namespaces (7).
	415
	416	The example shown below uses the
	417	.BR ioctl (2)
	418	operations described above to perform simple
	419	introspection of namespace relationships.
	420	The following shell sessions show various examples of the use
	421	of this program.
	422
	423	Trying to get the parent of the initial user namespace fails,
	424	for the reasons explained earlier:
	425
	426	.nf
	427	.in +4n
	428	$ \fB./ns_introspect /proc/self/ns/user p\fP
	429	The parent namespace is outside your namespace scope
	430	.in
	431	.fi
	432
	433	Create a process running
	434	.BR sleep (1)
	435	that resides in new user and UTS namespaces,
	436	and show that new UTS namespace is associated with the new user namespace:
	437
	438	.nf
	439	.in +4n
	440	$ \fBunshare \-Uu sleep 1000 &\fP
	441	[1] 23235
	442	$ \fB./ns_introspect /proc/23235/ns/uts\fP
	443	Inode number of owning user namespace is: 4026532448
	444	$ \fBreadlink /proc/23235/ns/user \fP
	445	user:[4026532448]
	446	.in
	447	.fi
	448
	449	Then show that the parent of the new user namespace in the preceding
	450	example is the initial user namespace:
	451
	452	.nf
	453	.in +4n
	454	$ \fBreadlink /proc/self/ns/user\fP
	455	user:[4026531837]
	456	$ \fB./ns_introspect /proc/23235/ns/user\fP
	457	Inode number of owning user namespace is: 4026531837
	458	.in
	459	.fi
	460
	461	Start a shell in a new user namespace, and show that from within
	462	this shell, the parent user namespace can't be discovered.
	463	Similarly, the UTS namespace
	464	(which is associated with the initial user namespace)
	465	can't be discovered.
	466
	467	.nf
	468	.in +4n
	469	$ \fBPS1="sh2$ " unshare \-U bash\fP
	470	sh2$ \fB./ns_introspect /proc/self/ns/user p\fP
	471	The parent namespace is outside your namespace scope
	472	sh2$ \fB./ns_introspect /proc/self/ns/uts u\fP
	473	The owning user namespace is outside your namespace scope
	474	.in
	475	.fi
	476	.SS Program source
	477	\&
	478	.nf
	479	/* ns_introspect.c
	480
	481	Licensed under GNU General Public License v2 or later
	482	*/
	483	#include <stdlib.h>
	484	#include <unistd.h>
	485	#include <stdio.h>
	486	#include <sys/stat.h>
	487	#include <fcntl.h>
	488	#include <sys/ioctl.h>
	489	#include <string.h>
	490	#include <errno.h>
	491
	492	#ifndef NS_GET_USERNS
	493	#define NSIO 0xb7
	494	#define NS_GET_USERNS _IO(NSIO, 0x1)
	495	#define NS_GET_PARENT _IO(NSIO, 0x2)
	496	#endif
	497
	498	int
	499	main(int argc, char *argv[])
	500	{
	501	int fd, userns_fd, parent_fd;
	502	struct stat sb;
	503
	504	if (argc < 2) {
	505	fprintf(stderr, "Usage: %s /proc/[pid]/ns/[file] [p\|u]\\n",
	506	argv[0]);
	507	fprintf(stderr, "\\nDisplay the result of one or both "
	508	"of NS_GET_USERNS (u) or NS_GET_PARENT (p)\\n"
	509	"for the specified /proc/[pid]/ns/[file]. If neither "
	510	"\(aqp\(aq nor \(aqu\(aq is specified,\\n"
	511	"NS_GET_USERNS is the default.\\n");
	512	exit(EXIT_FAILURE);
	513	}
	514
	515	/* Obtain a file descriptor for the \(aqns\(aq file specified
	516	in argv[1] */
	517
	518	fd = open(argv[1], O_RDONLY);
	519	if (fd == \-1) {
	520	perror("open");
	521	exit(EXIT_FAILURE);
	522	}
	523
	524	/* Obtain a file descriptor for the owning user namespace and
	525	then obtain and display the inode number of that namespace */
	526
	527	if (argc < 3 \|\| strchr(argv[2], \(aqu\(aq)) {
	528	userns_fd = ioctl(fd, NS_GET_USERNS);
	529
	530	if (userns_fd == \-1) {
	531	if (errno == EPERM)
	532	printf("The owning user namespace is outside "
	533	"your namespace scope\\n");
	534	else
	535	perror("ioctl\-NS_GET_USERNS");
	536	exit(EXIT_FAILURE);
	537	}
	538
	539	if (fstat(userns_fd, &sb) == \-1) {
	540	perror("fstat\-userns");
	541	exit(EXIT_FAILURE);
	542	}
	543	printf("Inode number of owning user namespace is: %ld\\n",
	544	(long) sb.st_ino);
	545
	546	close(userns_fd);
	547	}
	548
	549	/* Obtain a file descriptor for the parent namespace and
	550	then obtain and display the inode number of that namespace */
	551
	552	if (argc > 2 && strchr(argv[2], \(aqp\(aq)) {
	553	parent_fd = ioctl(fd, NS_GET_PARENT);
	554
	555	if (parent_fd == \-1) {
	556	if (errno == EINVAL)
	557	printf("Can\(aq get parent namespace of a "
	558	"nonhierarchical namespace\\n");
	559	else if (errno == EPERM)
	560	printf("The parent namespace is outside "
	561	"your namespace scope\\n");
	562	else
	563	perror("ioctl\-NS_GET_PARENT");
	564	exit(EXIT_FAILURE);
	565	}
	566
	567	if (fstat(parent_fd, &sb) == \-1) {
	568	perror("fstat\-parentns");
	569	exit(EXIT_FAILURE);
	570	}
	571	printf("Inode number of parent namespace is: %ld\\n",
	572	(long) sb.st_ino);
	573
	574	close(parent_fd);
	575	}
	576
	577	exit(EXIT_SUCCESS);
	578	}
	579	.fi
	580	.SH SEE ALSO
	581	.BR nsenter (1),
	582	.BR readlink (1),
	583	.BR unshare (1),
	584	.BR clone (2),
	585	.BR setns (2),
	586	.BR unshare (2),
	587	.BR proc (5),
	588	.BR capabilities (7),
	589	.BR cgroup_namespaces (7),
	590	.BR cgroups (7),
	591	.BR credentials (7),
	592	.BR pid_namespaces (7),
	593	.BR user_namespaces (7),
	594	.BR lsns (8),
	595	.BR switch_root (8)