namespaces.7: wfix

[thirdparty/man-pages.git] / man7 / namespaces.7

.\" Copyright (c) 2013 by Michael Kerrisk <mtk.manpages@gmail.com>
.\" and Copyright (c) 2012 by Eric W. Biederman <ebiederm@xmission.com>
.\"
.\" %%%LICENSE_START(VERBATIM)
.\" Permission is granted to make and distribute verbatim copies of this
.\" manual provided the copyright notice and this permission notice are
.\" preserved on all copies.
.\"
.\" Permission is granted to copy and distribute modified versions of this
.\" manual under the conditions for verbatim copying, provided that the
.\" entire resulting derived work is distributed under the terms of a
.\" permission notice identical to this one.
.\"
.\" Since the Linux kernel and libraries are constantly changing, this
.\" manual page may be incorrect or out-of-date.  The author(s) assume no
.\" responsibility for errors or omissions, or for damages resulting from
.\" the use of the information contained herein.  The author(s) may not
.\" have taken the same level of care in the production of this manual,
.\" which is licensed free of charge, as they might when working
.\" professionally.
.\"
.\" Formatted or processed versions of this manual, if unaccompanied by
.\" the source, must acknowledge the copyright and authors of this work.
.\" %%%LICENSE_END
.\"
.\"
.TH NAMESPACES 7 2016-12-12 "Linux" "Linux Programmer's Manual"
.SH NAME
namespaces \- overview of Linux namespaces
.SH DESCRIPTION
A namespace wraps a global system resource in an abstraction that
makes it appear to the processes within the namespace that they
have their own isolated instance of the global resource.
Changes to the global resource are visible to other processes
that are members of the namespace, but are invisible to other processes.
One use of namespaces is to implement containers.

Linux provides the following namespaces:
.TS
lB lB lB
l lB l.
Namespace       Constant        Isolates
Cgroup  CLONE_NEWCGROUP Cgroup root directory
IPC     CLONE_NEWIPC    System V IPC, POSIX message queues
Network CLONE_NEWNET    Network devices, stacks, ports, etc.
Mount   CLONE_NEWNS     Mount points
PID     CLONE_NEWPID    Process IDs
User    CLONE_NEWUSER   User and group IDs
UTS     CLONE_NEWUTS    Hostname and NIS domain name
.TE

This page describes the various namespaces and the associated
.I /proc
files, and summarizes the APIs for working with namespaces.
.\"
.\" ==================== The namespaces API ====================
.\"
.SS The namespaces API
As well as various
.I /proc
files described below,
the namespaces API includes the following system calls:
.TP
.BR clone (2)
The
.BR clone (2)
system call creates a new process.
If the
.I flags
argument of the call specifies one or more of the
.B CLONE_NEW*
flags listed below, then new namespaces are created for each flag,
and the child process is made a member of those namespaces.
(This system call also implements a number of features
unrelated to namespaces.)
.TP
.BR setns (2)
The
.BR setns (2)
system call allows the calling process to join an existing namespace.
The namespace to join is specified via a file descriptor that refers to
one of the
.IR /proc/[pid]/ns
files described below.
.TP
.BR unshare (2)
The
.BR unshare (2)
system call moves the calling process to a new namespace.
If the
.I flags
argument of the call specifies one or more of the
.B CLONE_NEW*
flags listed below, then new namespaces are created for each flag,
and the calling process is made a member of those namespaces.
(This system call also implements a number of features
unrelated to namespaces.)
.PP
Creation of new namespaces using
.BR clone (2)
and
.BR unshare (2)
in most cases requires the
.BR CAP_SYS_ADMIN
capability.
User namespaces are the exception: since Linux 3.8,
no privilege is required to create a user namespace.
.\"
.\" ==================== The /proc/[pid]/ns/ directory ====================
.\"
.SS The /proc/[pid]/ns/ directory
Each process has a
.IR /proc/[pid]/ns/
.\" See commit 6b4e306aa3dc94a0545eb9279475b1ab6209a31f
subdirectory containing one entry for each namespace that
supports being manipulated by
.BR setns (2):

.in +4n
.nf
$ \fBls \-l /proc/$$/ns\fP
total 0
lrwxrwxrwx. 1 mtk mtk 0 Apr 28 12:46 cgroup \-> cgroup:[4026531835]
lrwxrwxrwx. 1 mtk mtk 0 Apr 28 12:46 ipc \-> ipc:[4026531839]
lrwxrwxrwx. 1 mtk mtk 0 Apr 28 12:46 mnt \-> mnt:[4026531840]
lrwxrwxrwx. 1 mtk mtk 0 Apr 28 12:46 net \-> net:[4026531969]
lrwxrwxrwx. 1 mtk mtk 0 Apr 28 12:46 pid \-> pid:[4026531836]
lrwxrwxrwx. 1 mtk mtk 0 Apr 28 12:46 user \-> user:[4026531837]
lrwxrwxrwx. 1 mtk mtk 0 Apr 28 12:46 uts \-> uts:[4026531838]
.fi
.in

Bind mounting (see
.BR mount (2))
one of the files in this directory
to somewhere else in the filesystem keeps
the corresponding namespace of the process specified by
.I pid
alive even if all processes currently in the namespace terminate.

Opening one of the files in this directory
(or a file that is bind mounted to one of these files)
returns a file handle for
the corresponding namespace of the process specified by
.IR pid .
As long as this file descriptor remains open,
the namespace will remain alive,
even if all processes in the namespace terminate.
The file descriptor can be passed to
.BR setns (2).

In Linux 3.7 and earlier, these files were visible as hard links.
Since Linux 3.8,
.\" commit bf056bfa80596a5d14b26b17276a56a0dcb080e5
they appear as symbolic links.
If two processes are in the same namespace, then the inode numbers of their
.IR /proc/[pid]/ns/xxx
symbolic links will be the same; an application can check this using the
.I stat.st_ino
field returned by
.BR stat (2).
The content of this symbolic link is a string containing
the namespace type and inode number as in the following example:

.in +4n
.nf
$ \fBreadlink /proc/$$/ns/uts\fP
uts:[4026531838]
.fi
.in

The symbolic links in this subdirectory are as follows:
.TP
.IR /proc/[pid]/ns/cgroup " (since Linux 4.6)"
This file is a handle for the cgroup namespace of the process.
.TP
.IR /proc/[pid]/ns/ipc " (since Linux 3.0)"
This file is a handle for the IPC namespace of the process.
.TP
.IR /proc/[pid]/ns/mnt " (since Linux 3.8)"
.\" commit 8823c079ba7136dc1948d6f6dcb5f8022bde438e
This file is a handle for the mount namespace of the process.
.TP
.IR /proc/[pid]/ns/net " (since Linux 3.0)"
This file is a handle for the network namespace of the process.
.TP
.IR /proc/[pid]/ns/pid " (since Linux 3.8)"
.\" commit 57e8391d327609cbf12d843259c968b9e5c1838f
This file is a handle for the PID namespace of the process.
.TP
.IR /proc/[pid]/ns/user " (since Linux 3.8)"
.\" commit cde1975bc242f3e1072bde623ef378e547b73f91
This file is a handle for the user namespace of the process.
.TP
.IR /proc/[pid]/ns/uts " (since Linux 3.0)"
This file is a handle for the UTS namespace of the process.
.PP
Permission to dereference or read
.RB ( readlink (2))
these symbolic links is governed by a ptrace access mode
.B PTRACE_MODE_READ_FSCREDS
check; see
.BR ptrace (2).
.\"
.\" ==================== Cgroup namespaces ====================
.\"
.SS Cgroup namespaces (CLONE_NEWCGROUP)
See
.BR cgroup_namespaces (7).
.\"
.\" ==================== IPC namespaces ====================
.\"
.SS IPC namespaces (CLONE_NEWIPC)
IPC namespaces isolate certain IPC resources,
namely, System V IPC objects (see
.BR svipc (7))
and (since Linux 2.6.30)
.\" commit 7eafd7c74c3f2e67c27621b987b28397110d643f
.\" https://lwn.net/Articles/312232/
POSIX message queues (see
.BR mq_overview (7)).
The common characteristic of these IPC mechanisms is that IPC
objects are identified by mechanisms other than filesystem
pathnames.

Each IPC namespace has its own set of System V IPC identifiers and
its own POSIX message queue filesystem.
Objects created in an IPC namespace are visible to all other processes
that are members of that namespace,
but are not visible to processes in other IPC namespaces.

The following
.I /proc
interfaces are distinct in each IPC namespace:
.IP * 3
The POSIX message queue interfaces in
.IR /proc/sys/fs/mqueue .
.IP *
The System V IPC interfaces in
.IR /proc/sys/kernel ,
namely:
.IR msgmax ,
.IR msgmnb  ,
.IR msgmni ,
.IR sem ,
.IR shmall ,
.IR shmmax ,
.IR shmmni ,
and
.IR shm_rmid_forced .
.IP *
The System V IPC interfaces in
.IR /proc/sysvipc .
.PP
When an IPC namespace is destroyed
(i.e., when the last process that is a member of the namespace terminates),
all IPC objects in the namespace are automatically destroyed.

Use of IPC namespaces requires a kernel that is configured with the
.B CONFIG_IPC_NS
option.
.\"
.\" ==================== Network namespaces ====================
.\"
.SS Network namespaces (CLONE_NEWNET)
Network namespaces provide isolation of the system resources associated
with networking: network devices, IPv4 and IPv6 protocol stacks,
IP routing tables, firewalls, the
.I /proc/net
directory, the
.I /sys/class/net
directory, port numbers (sockets), and so on.
A physical network device can live in exactly one
network namespace.
A virtual network device ("veth") pair provides a pipe-like abstraction
.\" FIXME . Add pointer to veth(4) page when it is eventually completed
that can be used to create tunnels between network namespaces,
and can be used to create a bridge to a physical network device
in another namespace.

When a network namespace is freed
(i.e., when the last process in the namespace terminates),
its physical network devices are moved back to the
initial network namespace (not to the parent of the process).

Use of network namespaces requires a kernel that is configured with the
.B CONFIG_NET_NS
option.
.\"
.\" ==================== Mount namespaces ====================
.\"
.SS Mount namespaces (CLONE_NEWNS)
See
.BR mount_namespaces (7).
.\"
.\" ==================== PID namespaces ====================
.\"
.SS PID namespaces (CLONE_NEWPID)
See
.BR pid_namespaces (7).
.\"
.\" ==================== User namespaces ====================
.\"
.SS User namespaces (CLONE_NEWUSER)
See
.BR user_namespaces (7).
.\"
.\" ==================== UTS namespaces ====================
.\"
.SS UTS namespaces (CLONE_NEWUTS)
UTS namespaces provide isolation of two system identifiers:
the hostname and the NIS domain name.
These identifiers are set using
.BR sethostname (2)
and
.BR setdomainname (2),
and can be retrieved using
.BR uname (2),
.BR gethostname (2),
and
.BR getdomainname (2).

Use of UTS namespaces requires a kernel that is configured with the
.B CONFIG_UTS_NS
option.
.\"
.\" ============================================================
.\"
.SS Discovering namespace relationships
Since Linux 4.9,
.\" commit bcac25a58bfc6bd79191ac5d7afb49bea96da8c9
.\" commit 6786741dbf99e44fb0c0ed85a37582b8a26f1c3b
.\" commit a7306ed8d94af729ecef8b6e37506a1c6fc14788
.\" commit 6ad92bf63e45f97e306da48cd1cbce6e4fef1e5d
two
.BR ioctl (2)
operations are provided to allow discovery of namespace relationships
(see
.BR user_namespaces (7)
and
.BR pid_namespaces (7)).
The form of the calls is:

    new_fd = ioctl(fd, request);

In each case,
.I fd
refers to a
.IR /proc/[pid]/ns/*
file.
Both operations return a new file descriptor on success.
.TP
.BR NS_GET_USERNS
Returns a file descriptor that refers to the owning user namespace
for the namespace referred to by
.IR fd .
.TP
.BR NS_GET_PARENT
Returns a file descriptor that refers to the parent namespace of
the namespace referred to by
.IR fd .
This operation is valid only for hierarchical namespaces
(i.e., PID and user namespaces).
For user namespaces,
.BR NS_GET_PARENT
is synonymous with
.BR NS_GET_USERNS .
.PP
The new file descriptor returned by these operations is opened with the
.BR O_RDONLY
and
.BR O_CLOEXEC
(close-on-exec; see
.BR fcntl (2))
flags.
.PP
By applying
.BR fstat (2)
to the returned file descriptor, one obtains a
.I stat
structure whose
.I st_dev
(resident device) and
.I st_ino
(inode number) fields together identify the owning/parent namespace.
This inode number can be matched with the inode number of another
.IR /proc/[pid]/ns/{pid,user}
file to determine whether that is the owning/parent namespace.

Either of these
.BR ioctl (2)
operations can fail with the following errors:
.TP
.B EPERM
The requested namespace is outside of the caller's namespace scope.
This error can occur if, for example, the owning user namespace is an
ancestor of the caller's current user namespace.
It can also occur on attempts to obtain the parent of the initial
user or PID namespace.
.TP
.B ENOTTY
The operation is not supported by this kernel version.
.PP
Additionally, the
.B NS_GET_PARENT
operation can fail with the following error:
.TP
.B EINVAL
.I fd
refers to a nonhierarchical namespace.
.PP
See the EXAMPLE section for an example of the use of these operations.
.SH CONFORMING TO
Namespaces are a Linux-specific feature.
.SH EXAMPLE
For one example,
.BR user_namespaces (7).

The example shown below uses the
.BR ioctl (2)
operations described above to perform simple
discovery of namespace relationships.
The following shell sessions show various examples of the use
of this program.

Trying to get the parent of the initial user namespace fails,
since it has no parent:

.nf
.in +4n
$ \fB./ns_introspect /proc/self/ns/user p\fP
The parent namespace is outside your namespace scope
.in
.fi

Create a process running
.BR sleep (1)
that resides in new user and UTS namespaces,
and show that the new UTS namespace is associated with the new user namespace:

.nf
.in +4n
$ \fBunshare \-Uu sleep 1000 &\fP
[1] 23235
$ \fB./ns_introspect /proc/23235/ns/uts u\fP
Device/Inode of owning user namespace is: [0,3] / 4026532448
$ \fBreadlink /proc/23235/ns/user \fP
user:[4026532448]
.in
.fi

Then show that the parent of the new user namespace in the preceding
example is the initial user namespace:

.nf
.in +4n
$ \fBreadlink /proc/self/ns/user\fP
user:[4026531837]
$ \fB./ns_introspect /proc/23235/ns/user p\fP
Device/Inode of parent namespace is: [0,3] / 4026531837
.in
.fi

Start a shell in a new user namespace, and show that from within
this shell, the parent user namespace can't be discovered.
Similarly, the UTS namespace
(which is associated with the initial user namespace)
can't be discovered.

.nf
.in +4n
$ \fBPS1="sh2$ " unshare \-U bash\fP
sh2$ \fB./ns_introspect /proc/self/ns/user p\fP
The parent namespace is outside your namespace scope
sh2$ \fB./ns_introspect /proc/self/ns/uts u\fP
The owning user namespace is outside your namespace scope
.in
.fi
.SS Program source
\&
.nf
/* ns_introspect.c

   Licensed under the GNU General Public License v2 or later.
*/
#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <fcntl.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/ioctl.h>
#include <errno.h>
#include <sys/sysmacros.h>

#ifndef NS_GET_USERNS
#define NSIO    0xb7
#define NS_GET_USERNS   _IO(NSIO, 0x1)
#define NS_GET_PARENT   _IO(NSIO, 0x2)
#endif

int
main(int argc, char *argv[])
{
    int fd, userns_fd, parent_fd;
    struct stat sb;

    if (argc < 2) {
        fprintf(stderr, "Usage: %s /proc/[pid]/ns/[file] [p|u]\\n",
                argv[0]);
        fprintf(stderr, "\\nDisplay the result of one or both "
                "of NS_GET_USERNS (u) or NS_GET_PARENT (p)\\n"
                "for the specified /proc/[pid]/ns/[file]. If neither "
                "\(aqp\(aq nor \(aqu\(aq is specified,\\n"
                "NS_GET_USERNS is the default.\\n");
        exit(EXIT_FAILURE);
    }

    /* Obtain a file descriptor for the \(aqns\(aq file specified
       in argv[1] */

    fd = open(argv[1], O_RDONLY);
    if (fd == \-1) {
        perror("open");
        exit(EXIT_FAILURE);
    }

    /* Obtain a file descriptor for the owning user namespace and
       then obtain and display the inode number of that namespace */

    if (argc < 3 || strchr(argv[2], \(aqu\(aq)) {
        userns_fd = ioctl(fd, NS_GET_USERNS);

        if (userns_fd == \-1) {
            if (errno == EPERM)
                printf("The owning user namespace is outside "
                        "your namespace scope\\n");
            else
               perror("ioctl\-NS_GET_USERNS");
            exit(EXIT_FAILURE);
         }

        if (fstat(userns_fd, &sb) == \-1) {
            perror("fstat\-userns");
            exit(EXIT_FAILURE);
        }
        printf("Device/Inode of owning user namespace is: "
                "[%lx,%lx] / %ld\\n",
                (long) major(sb.st_dev), (long) minor(sb.st_dev),
                (long) sb.st_ino);

        close(userns_fd);
    }

    /* Obtain a file descriptor for the parent namespace and
       then obtain and display the inode number of that namespace */

    if (argc > 2 && strchr(argv[2], \(aqp\(aq)) {
        parent_fd = ioctl(fd, NS_GET_PARENT);

        if (parent_fd == \-1) {
            if (errno == EINVAL)
                printf("Can\(aq get parent namespace of a "
                        "nonhierarchical namespace\\n");
            else if (errno == EPERM)
                printf("The parent namespace is outside "
                        "your namespace scope\\n");
            else
                perror("ioctl\-NS_GET_PARENT");
            exit(EXIT_FAILURE);
        }

        if (fstat(parent_fd, &sb) == \-1) {
            perror("fstat\-parentns");
            exit(EXIT_FAILURE);
        }
        printf("Device/Inode of parent namespace is: [%lx,%lx] / %ld\\n",
                (long) major(sb.st_dev), (long) minor(sb.st_dev),
                (long) sb.st_ino);

        close(parent_fd);
    }

    exit(EXIT_SUCCESS);
}
.fi
.SH SEE ALSO
.BR nsenter (1),
.BR readlink (1),
.BR unshare (1),
.BR clone (2),
.BR setns (2),
.BR unshare (2),
.BR proc (5),
.BR capabilities (7),
.BR cgroup_namespaces (7),
.BR cgroups (7),
.BR credentials (7),
.BR pid_namespaces (7),
.BR user_namespaces (7),
.BR lsns (8),
.BR switch_root (8)