1 .\" Copyright (C) 2000 by Werner Almesberger
2 .\" and Copyright (C) 2019 Michael Kerrisk <mtk.manpages@gmail.com>
4 .\" %%%LICENSE_START(GPL_NOVERSION_ONELINE)
5 .\" May be distributed under GPL
8 .\" Written 2000-02-23 by Werner Almesberger
9 .\" Modified 2004-06-17 Michael Kerrisk <mtk.manpages@gmail.com>
11 .TH PIVOT_ROOT 2 2019-08-02 "Linux" "Linux Programmer's Manual"
13 pivot_root \- change the root filesystem
15 .BI "int pivot_root(const char *" new_root ", const char *" put_old );
18 There is no glibc wrapper for this system call; see NOTES.
21 changes the root filesystem in the mount namespace of the calling process.
22 More precisely, it moves the root filesystem to the
23 directory \fIput_old\fP and makes \fInew_root\fP the new root filesystem.
24 The calling process must have the
26 capability in the user namespace that owns the caller's mount namespace.
29 may or may not change the current root and the current
30 working directory of any processes or threads that
31 use the old root directory and which are in
32 the same mount namespace as the caller of
36 should ensure that processes with root or current working directory
37 at the old root operate correctly in either case.
38 An easy way to ensure this is to change their
39 root and current working directory to \fInew_root\fP before invoking
43 may or may not affect the calling process's current working directory.
44 It is therefore recommended to call
45 \fBchdir("/")\fP immediately after
48 The paragraph above is intentionally vague because at the time when
50 was first implemented, it was unclear whether its affect
51 on other process's root and current working directories\(emand
52 the caller's current working directory\(emmight change in the future.
53 However, the behavior has remained consistent since this system call
54 was first implemented:
56 changes the root directory and the current working directory
57 of each process or thread in the same mount namespace to
59 if they point to the old root directory.
63 does not change the caller's current working directory
64 (unless it is on the old root directory),
65 and thus it should be followed by a
66 \fBchdir("/")\fP call.
68 The following restrictions apply:
75 \fIput_old\fP must not be on the same filesystem as
78 \fIput_old\fP must be at or underneath \fInew_root\fP;
79 that is, adding a nonnegative
80 number of \fI/..\fP to the string pointed to by \fIput_old\fP must yield
81 the same directory as \fInew_root\fP.
84 must be a mount point, but can't be
86 If it is not otherwise a mount point, it suffices to bind mount
90 can be a bind mounted directory on the current root filesystem.)
92 The propagation type of the parent mount of
94 and the parent mount of the current root directory must not be
98 is an existing mount point, its propagation type must not be
100 These restrictions ensure that
102 never propagates any changes to another mount namespace.
104 The current root directory must be a mount point.
106 On success, zero is returned.
107 On error, \-1 is returned, and
108 \fIerrno\fP is set appropriately.
111 may fail with any of the same errors as
113 Additionally, it may fail with the following errors:
116 .\" Reconfirmed that the following error occurs on Linux 5.0 by
117 .\" specifying 'new_root' as "/rootfs" and 'put_old' as
118 .\" "/rootfs/oldrootfs", and *not* bind mounting "/rootfs" on top of
119 .\" itself. Of course, this is an odd situation, since a later check
120 .\" in the kernel code will in any case yield EINVAL if 'new_root' is
121 .\" not a mount point. However, when the system call was first added,
122 .\" 'new_root' was not required to be a mount point. So, this
123 .\" error is nowadays probably just the result of crufty accumulation.
124 .\" This error can also occur if we bind mount "/" on top of itself
125 .\" and try to specify "/" as the 'new' (again, an odd situation). So,
126 .\" the EBUSY check in the kernel does still seem necessary to prevent
127 .\" that case. Furthermore, the "or put_old" piece is probably
128 .\" redundant text (although the check is in the kernel), since,
129 .\" in another check, 'put_old' is required to be under 'new_root'.
133 is on the current root filesystem.
134 (This error covers the pathological case where
141 is not a mount point.
144 \fIput_old\fP is not underneath \fInew_root\fP.
147 The current root directory is not a mount point
148 (because of an earlier
152 The current root is on the rootfs (initial ramfs) filesystem; see NOTES.
155 Either the mount point at
157 or the parent mount of that mount point,
163 is a mount point and has the propagation type
167 \fInew_root\fP or \fIput_old\fP is not a directory.
170 The calling process does not have the
175 was introduced in Linux 2.3.41.
178 is Linux-specific and hence is not portable.
180 Glibc does not provide a wrapper for this system call; call it using
183 A command-line interface for this system call is provided by
187 allows the caller to switch to a new root filesystem while at the same time
188 placing the old root mount at a location under
190 from where it can subsequently be unmounted.
191 (The fact that it moves all processes that have a root directory
192 or current working directory on the old root directory to the
193 new root frees the old root directory of users,
194 allowing the old root filesystem to be unmounted more easily.)
198 is during system startup, when the
199 system mounts a temporary root filesystem (e.g., an \fBinitrd\fP), then
200 mounts the real root filesystem, and eventually turns the latter into
201 the current root of all relevant processes or threads.
202 A modern use is to set up a root filesystem during
203 the creation of a container.
207 modifies process root and current working directories in the
208 manner noted in DESCRIPTION
209 is necessary in order to prevent kernel threads from keeping the old
210 root directory busy with their root and current working directory,
211 even if they never access
212 the filesystem in any way.
217 may be the same directory.
218 In particular, the following sequence allows a pivot-root operation
219 without needing to create and remove a temporary directory:
224 pivot_root(".", ".");
225 umount2(".", MNT_DETACH);
229 This sequence succeeds because the
231 call stacks the old root mount point
232 on top of the new root mount point at
234 At that point, the calling process's root directory and current
235 working directory refer to the new root mount point
237 During the subsequent
243 and then moves up the list of mounts stacked at
245 with the result that old root mount point is unmounted.
247 The rootfs (initial ramfs) cannot be
249 The recommended method of changing the root filesystem in this case is
250 to delete everything in rootfs, overmount rootfs with the new root, attach
251 .IR stdin / stdout / stderr
256 Helper programs for this process exist; see
260 .\" Would it be better, because simpler, to use unshare(2)
261 .\" rather than clone(2) in the example below?
263 The program below demonstrates the use of
265 inside a mount namespace that is created using
267 After pivoting to the root directory named in the program's
268 first command-line argument, the child created by
270 then executes the program named in the remaining command-line arguments.
272 We demonstrate the program by creating a directory that will serve as
273 the new root filesystem and placing a copy of the (statically linked)
275 executable in that directory.
279 $ \fBmkdir /tmp/rootfs\fP
280 $ \fBls \-id /tmp/rootfs\fP # Show inode number of new root directory
282 $ \fBcp $(which busybox) /tmp/rootfs\fP
283 $ \fBPS1='bbsh$ ' sudo ./pivot_root_demo /tmp/rootfs /busybox sh\fP
285 bbsh$ \fBbusybox ln busybox ln\fP
286 bbsh$ \fBln busybox echo\fP
287 bbsh$ \fBln busybox ls\fP
290 bbsh$ \fBls \-id /\fP # Compare with inode number above
292 bbsh$ \fBecho \(aqhello world\(aq\fP
300 /* pivot_root_demo.c */
307 #include <sys/wait.h>
308 #include <sys/syscall.h>
309 #include <sys/mount.h>
310 #include <sys/stat.h>
313 #define errExit(msg) do { perror(msg); exit(EXIT_FAILURE); \e
317 pivot_root(const char *new_root, const char *put_old)
319 return syscall(SYS_pivot_root, new_root, put_old);
322 #define STACK_SIZE (1024 * 1024)
324 static int /* Startup function for cloned child */
328 char *new_root = args[0];
329 const char *put_old = "/oldrootfs";
332 /* Ensure that \(aqnew_root\(aq and its parent mount don\(aqt have
333 shared propagation (which would cause pivot_root() to
334 return an error), and prevent propagation of mount
335 events to the initial mount namespace */
337 if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL) == 1)
338 errExit("mount\-MS_PRIVATE");
340 /* Ensure that \(aqnew_root\(aq is a mount point */
342 if (mount(new_root, new_root, NULL, MS_BIND, NULL) == \-1)
343 errExit("mount\-MS_BIND");
345 /* Create directory to which old root will be pivoted */
347 snprintf(path, sizeof(path), "%s/%s", new_root, put_old);
348 if (mkdir(path, 0777) == \-1)
351 /* And pivot the root filesystem */
353 if (pivot_root(new_root, path) == \-1)
354 errExit("pivot_root");
356 /* Switch the current working directory to "/" */
358 if (chdir("/") == \-1)
361 /* Unmount old root and remove mount point */
363 if (umount2(put_old, MNT_DETACH) == \-1)
365 if (rmdir(put_old) == \-1)
368 /* Execute the command specified in argv[1]... */
370 execv(args[1], &args[1]);
375 main(int argc, char *argv[])
377 /* Create a child process in a new mount namespace */
379 char *stack = malloc(STACK_SIZE);
383 if (clone(child, stack + STACK_SIZE,
384 CLONE_NEWNS | SIGCHLD, &argv[1]) == \-1)
387 /* Parent falls through to here; wait for child */
389 if (wait(NULL) == \-1)
401 .BR mount_namespaces (7),