Commit | Line | Data |
---|---|---|
1 | .TH UNSHARE 1 "July 2014" "util-linux" "User Commands" | |
2 | .SH NAME | |
3 | unshare \- run program with some namespaces unshared from parent | |
4 | .SH SYNOPSIS | |
5 | .B unshare | |
6 | [options] | |
7 | .I program | |
8 | .RI [ arguments ] | |
9 | .SH DESCRIPTION | |
10 | Unshares the indicated namespaces from the parent process and then executes | |
11 | the specified \fIprogram\fR. The namespaces to be unshared are indicated via | |
12 | options. Unshareable namespaces are: | |
13 | .TP | |
14 | .BR "mount namespace" | |
15 | Mounting and unmounting filesystems will not affect the rest of the system | |
16 | (\fBCLONE_NEWNS\fP flag), except for filesystems which are explicitly marked as | |
17 | shared (with \fBmount --make-shared\fP; see \fI/proc/self/mountinfo\fP for the | |
18 | \fBshared\fP flags). | |
19 | .sp | |
20 | It's recommended to use \fBmount --make-rprivate\fP or \fBmount --make-rslave\fP | |
21 | after \fBunshare --mount\fP to make sure that mountpoints in the new namespace | |
22 | are really unshared from the parent namespace. | |
23 | .TP | |
24 | .BR "UTS namespace" | |
25 | Setting hostname or domainname will not affect the rest of the system. | |
26 | (\fBCLONE_NEWUTS\fP flag) | |
27 | .TP | |
28 | .BR "IPC namespace" | |
29 | The process will have an independent namespace for System V message queues, | |
30 | semaphore sets and shared memory segments, and for POSIX message queues. (\fBCLONE_NEWIPC\fP flag) | |
31 | .TP | |
32 | .BR "network namespace" | |
33 | The process will have independent IPv4 and IPv6 stacks, IP routing tables, | |
34 | firewall rules, the \fI/proc/net\fP and \fI/sys/class/net\fP directory trees, | |
35 | sockets, etc. (\fBCLONE_NEWNET\fP flag) | |
36 | .TP | |
37 | .BR "pid namespace" | |
38 | Children will have a distinct set of PID to process mappings from their parent. | |
39 | (\fBCLONE_NEWPID\fP flag) | |
40 | .TP | |
41 | .BR "user namespace" | |
42 | The process will have a distinct set of UIDs, GIDs and capabilities. | |
43 | (\fBCLONE_NEWUSER\fP flag) | |
44 | .PP | |
45 | See \fBclone\fR(2) for the exact semantics of the flags. | |
46 | .SH OPTIONS | |
47 | .TP | |
48 | .BR \-i , " \-\-ipc" | |
49 | Unshare the IPC namespace. | |
50 | .TP | |
51 | .BR \-m , " \-\-mount" | |
52 | Unshare the mount namespace. | |
53 | .TP | |
54 | .BR \-n , " \-\-net" | |
55 | Unshare the network namespace. | |
56 | .TP | |
57 | .BR \-p , " \-\-pid" | |
58 | Unshare the pid namespace. | |
59 | See also the \fB--fork\fP and \fB--mount-proc\fP options. | |
60 | .TP | |
61 | .BR \-u , " \-\-uts" | |
62 | Unshare the UTS namespace. | |
63 | .TP | |
64 | .BR \-U , " \-\-user" | |
65 | Unshare the user namespace. | |
66 | .TP | |
67 | .BR \-f , " \-\-fork" | |
68 | Fork the specified \fIprogram\fR as a child process of \fBunshare\fR rather than | |
69 | running it directly. This is useful when creating a new pid namespace: \fBunshare\fR(2) with \fBCLONE_NEWPID\fP does not move the calling process into the new namespace, only children created afterwards, so without this option the program itself would still run in the original pid namespace and only its first child would be placed in the new one (as PID 1 there). | |
70 | .TP | |
71 | .BR \-\-mount-proc "[=\fImountpoint\fP]" | |
72 | Just before running the program, mount the proc filesystem at \fImountpoint\fP | |
73 | (default is /proc). This is useful when creating a new pid namespace. It also | |
74 | implies creating a new mount namespace since the /proc mount would otherwise | |
75 | mess up existing programs on the system. The new proc filesystem is explicitly | |
76 | mounted as private (by MS_PRIVATE|MS_REC). | |
77 | .TP | |
78 | .BR \-r , " \-\-map-root-user" | |
79 | Run the program only after the current effective user and group IDs have been mapped to | |
80 | the superuser UID and GID in the newly created user namespace. This makes it possible to | |
81 | conveniently gain capabilities needed to manage various aspects of the newly created | |
82 | namespaces (such as configuring interfaces in the network namespace or mounting filesystems in | |
83 | the mount namespace) even when run unprivileged. As a mere convenience feature, it does not support | |
84 | more sophisticated use cases, such as mapping multiple ranges of UIDs and GIDs. | |
85 | This option implies --setgroups=deny. | |
86 | .TP | |
87 | .BR \-s , " \-\-setgroups \fIallow|deny\fP" | |
88 | Allow or deny | |
89 | .BR setgroups (2) | |
90 | syscall in user namespaces. | |
91 | | |
92 | .BR setgroups (2) | |
93 | is only callable with CAP_SETGID, and since Linux 3.19 CAP_SETGID in a user | |
94 | namespace does not give permission to call setgroups(2) until after the GID map | |
95 | has been set. The GID map is writable by root when | |
96 | .BR setgroups (2) | |
97 | is enabled, and becomes writable by unprivileged processes only once | |
98 | .BR setgroups (2) | |
99 | has been permanently disabled (by writing \fBdeny\fP to \fI/proc/self/setgroups\fP). | |
100 | .TP | |
101 | .BR \-V , " \-\-version" | |
102 | Display version information and exit. | |
103 | .TP | |
104 | .BR \-h , " \-\-help" | |
105 | Display help text and exit. | |
106 | .SH SEE ALSO | |
107 | .BR unshare (2), | |
108 | .BR clone (2), | |
109 | .BR mount (8) | |
110 | .SH BUGS | |
111 | None known so far. | |
112 | .SH AUTHOR | |
113 | Mikhail Gusarov <dottedmag@dottedmag.net> | |
114 | .SH AVAILABILITY | |
115 | The unshare command is part of the util-linux package and is available from | |
116 | ftp://ftp.kernel.org/pub/linux/utils/util-linux/. |