Commit | Line | Data |
---|---|---|
87ec43b6 | 1 | .TH NSENTER 1 "June 2013" "util-linux" "User Commands" |
f8aa8e94 EB |
2 | .SH NAME |
3 | nsenter \- run program with namespaces of other processes | |
4 | .SH SYNOPSIS | |
5 | .B nsenter | |
cf8e0bae | 6 | [options] |
dde08a87 BS |
7 | .RI [ program |
8 | .RI [ arguments ]] | |
f8aa8e94 | 9 | .SH DESCRIPTION |
1e3832bf | 10 | Enters the namespaces of one or more other processes and then executes the specified |
0f0b5823 KZ |
11 | \fIprogram\fP. If \fIprogram\fP is not given, then ``${SHELL}'' is run (default: /bin\:/sh). |
12 | .PP | |
13 | Enterable namespaces are: | |
f8aa8e94 | 14 | .TP |
08e86f4c | 15 | .B mount namespace |
894efece MK |
16 | Mounting and unmounting filesystems will not affect the rest of the system, |
17 | except for filesystems which are explicitly marked as shared (with | |
dde08a87 BS |
18 | \fBmount --make-\:shared\fP; see \fI/proc\:/self\:/mountinfo\fP for the |
19 | \fBshared\fP flag). | |
894efece MK |
20 | For further details, see |
21 | .BR mount_namespaces (7) | |
22 | and the discussion of the | |
0bb7e904 | 23 | .B CLONE_NEWNS |
894efece MK |
24 | flag in |
25 | .BR clone (2). | |
f8aa8e94 | 26 | .TP |
08e86f4c | 27 | .B UTS namespace |
dde08a87 | 28 | Setting hostname or domainname will not affect the rest of the system. |
894efece | 29 | For further details, see |
6ff4b156 | 30 | .BR uts_namespaces (7). |
f8aa8e94 | 31 | .TP |
08e86f4c | 32 | .B IPC namespace |
170a8e4a MK |
33 | The process will have an independent namespace for POSIX message queues |
34 | as well as System V message queues, | |
dde08a87 | 35 | semaphore sets and shared memory segments. |
894efece | 36 | For further details, see |
6ff4b156 | 37 | .BR ipc_namespaces (7). |
f8aa8e94 | 38 | .TP |
08e86f4c | 39 | .B network namespace |
dde08a87 BS |
40 | The process will have independent IPv4 and IPv6 stacks, IP routing tables, |
41 | firewall rules, the | |
08e86f4c SK |
42 | .I /proc\:/net |
43 | and | |
44 | .I /sys\:/class\:/net | |
dde08a87 | 45 | directory trees, sockets, etc. |
894efece | 46 | For further details, see |
6ff4b156 | 47 | .BR network_namespaces (7). |
08e86f4c | 48 | .TP |
1e3832bf | 49 | .B PID namespace |
dde08a87 | 50 | Children will have a set of PID to process mappings separate from the |
1e3832bf | 51 | .B nsenter |
32ff1494 SK |
52 | process. |
53 | .B nsenter | |
54 | will fork by default if changing the PID namespace, so that the new program | |
55 | and its children share the same PID namespace and are visible to each other. | |
56 | If \fB\-\-no\-fork\fP is used, the new program will be exec'ed without forking. | |
894efece | 57 | For further details, see |
6ff4b156 | 58 | .BR pid_namespaces (7). |
f8aa8e94 | 59 | .TP |
08e86f4c | 60 | .B user namespace |
dde08a87 | 61 | The process will have a distinct set of UIDs, GIDs and capabilities. |
894efece | 62 | For further details, see |
6ff4b156 | 63 | .BR user_namespaces (7). |
f8aa8e94 | 64 | .TP |
f9e7b66d SH |
65 | .B cgroup namespace |
66 | The process will have a virtualized view of \fI/proc\:/self\:/cgroup\fP, and new | |
67 | cgroup mounts will be rooted at the namespace cgroup root. | |
894efece | 68 | For further details, see |
6ff4b156 | 69 | .BR cgroup_namespaces (7). |
f9e7b66d | 70 | .TP |
7f1f0584 AR |
71 | .B time namespace |
72 | The process can have a distinct view of | |
73 | .B CLOCK_MONOTONIC | |
74 | and/or | |
75 | .B CLOCK_BOOTTIME | |
76 | which can be changed using \fI/proc/self/timens_offsets\fP. | |
c89aadb7 MK |
77 | For further details, see |
78 | .BR time_namespaces (7). | |
f8aa8e94 | 79 | .SH OPTIONS |
4b298f61 MK |
80 | Various of the options below that relate to namespaces take an optional |
81 | .I file | |
82 | argument. | |
83 | This should be one of the | |
0bb7e904 | 84 | .I /proc/[pid]/ns/* |
4b298f61 MK |
85 | files described in |
86 | .BR namespaces (7). | |
08e86f4c | 87 | .TP |
974cc006 KZ |
88 | \fB\-a\fR, \fB\-\-all\fR |
89 | Enter all namespaces of the target process by the default | |
0bb7e904 | 90 | .I /proc/[pid]/ns/* |
974cc006 | 91 | namespace paths. The default paths to the target process namespaces may be |
eb024893 | 92 | overridden by namespace-specific options (e.g., --all --mount=[path]). |
974cc006 KZ |
93 | |
94 | The user namespace will be ignored if it is the same as the caller's current user | |
95 | namespace. This prevents a caller that has dropped capabilities from regaining | |
96 | those capabilities via a call to setns(). See | |
97 | .BR setns (2) | |
98 | for more details. | |
99 | .TP | |
08e86f4c SK |
100 | \fB\-t\fR, \fB\-\-target\fR \fIpid\fP |
101 | Specify a target process to get contexts from. The paths to the contexts | |
102 | specified by | |
103 | .I pid | |
104 | are: | |
105 | .RS | |
106 | .PD 0 | |
107 | .IP "" 20 | |
108 | .TP | |
109 | /proc/\fIpid\fR/ns/mnt | |
110 | the mount namespace | |
111 | .TP | |
112 | /proc/\fIpid\fR/ns/uts | |
1e3832bf | 113 | the UTS namespace |
08e86f4c SK |
114 | .TP |
115 | /proc/\fIpid\fR/ns/ipc | |
1e3832bf | 116 | the IPC namespace |
08e86f4c SK |
117 | .TP |
118 | /proc/\fIpid\fR/ns/net | |
1e3832bf | 119 | the network namespace |
08e86f4c SK |
120 | .TP |
121 | /proc/\fIpid\fR/ns/pid | |
1e3832bf | 122 | the PID namespace |
08e86f4c SK |
123 | .TP |
124 | /proc/\fIpid\fR/ns/user | |
125 | the user namespace | |
126 | .TP | |
f9e7b66d SH |
127 | /proc/\fIpid\fR/ns/cgroup |
128 | the cgroup namespace | |
129 | .TP | |
7f1f0584 AR |
130 | /proc/\fIpid\fR/ns/time |
131 | the time namespace | |
132 | .TP | |
08e86f4c SK |
133 | /proc/\fIpid\fR/root |
134 | the root directory | |
135 | .TP | |
1e3832bf | 136 | /proc/\fIpid\fR/cwd |
08e86f4c SK |
137 | the working directory respectively |
138 | .PD | |
139 | .RE | |
140 | .TP | |
dde08a87 BS |
141 | \fB\-m\fR, \fB\-\-mount\fR[=\fIfile\fR] |
142 | Enter the mount namespace. If no file is specified, enter the mount namespace | |
ff88fc3b MK |
143 | of the target process. |
144 | If | |
145 | .I file | |
146 | is specified, enter the mount namespace | |
147 | specified by | |
148 | .IR file . | |
08e86f4c | 149 | .TP |
dde08a87 BS |
150 | \fB\-u\fR, \fB\-\-uts\fR[=\fIfile\fR] |
151 | Enter the UTS namespace. If no file is specified, enter the UTS namespace of | |
ff88fc3b MK |
152 | the target process. |
153 | If | |
154 | .I file | |
155 | is specified, enter the UTS namespace specified by | |
156 | .IR file . | |
08e86f4c | 157 | .TP |
dde08a87 BS |
158 | \fB\-i\fR, \fB\-\-ipc\fR[=\fIfile\fR] |
159 | Enter the IPC namespace. If no file is specified, enter the IPC namespace of | |
ff88fc3b MK |
160 | the target process. |
161 | If | |
162 | .I file | |
163 | is specified, enter the IPC namespace specified by | |
164 | .IR file . | |
08e86f4c | 165 | .TP |
dde08a87 BS |
166 | \fB\-n\fR, \fB\-\-net\fR[=\fIfile\fR] |
167 | Enter the network namespace. If no file is specified, enter the network | |
ff88fc3b MK |
168 | namespace of the target process. |
169 | If | |
170 | .I file | |
171 | is specified, enter the network namespace specified by | |
172 | .IR file . | |
08e86f4c | 173 | .TP |
dde08a87 BS |
174 | \fB\-p\fR, \fB\-\-pid\fR[=\fIfile\fR] |
175 | Enter the PID namespace. If no file is specified, enter the PID namespace of | |
ff88fc3b MK |
176 | the target process. |
177 | If | |
178 | .I file | |
179 | is specified, enter the PID namespace specified by | |
180 | .IR file . | |
08e86f4c | 181 | .TP |
dde08a87 BS |
182 | \fB\-U\fR, \fB\-\-user\fR[=\fIfile\fR] |
183 | Enter the user namespace. If no file is specified, enter the user namespace of | |
ff88fc3b MK |
184 | the target process. |
185 | If | |
186 | .I file | |
187 | is specified, enter the user namespace specified by | |
188 | .IR file . | |
91f20582 | 189 | See also the \fB\-\-setuid\fR and \fB\-\-setgid\fR options. |
6b9e5bf6 | 190 | .TP |
f9e7b66d SH |
191 | \fB\-C\fR, \fB\-\-cgroup\fR[=\fIfile\fR] |
192 | Enter the cgroup namespace. If no file is specified, enter the cgroup namespace of | |
ff88fc3b MK |
193 | the target process. |
194 | If | |
195 | .I file | |
196 | is specified, enter the cgroup namespace specified by | |
197 | .IR file . | |
f9e7b66d | 198 | .TP |
7f1f0584 AR |
199 | \fB\-T\fR, \fB\-\-time\fR[=\fIfile\fR] |
200 | Enter the time namespace. If no file is specified, enter the time namespace of | |
201 | the target process. | |
202 | If | |
203 | .I file | |
204 | is specified, enter the time namespace specified by | |
205 | .IR file . | |
206 | .TP | |
6b9e5bf6 | 207 | \fB\-G\fR, \fB\-\-setgid\fR \fIgid\fR |
47f42c1d KZ |
208 | Set the group ID which will be used in the entered namespace and drop |
209 | supplementary groups. | |
210 | .BR nsenter (1) | |
211 | always sets GID for user namespaces; the default is 0. | |
6b9e5bf6 RW |
212 | .TP |
213 | \fB\-S\fR, \fB\-\-setuid\fR \fIuid\fR | |
47f42c1d KZ |
214 | Set the user ID which will be used in the entered namespace. |
215 | .BR nsenter (1) | |
216 | always sets UID for user namespaces; the default is 0. | |
08e86f4c | 217 | .TP |
b06c1ca6 | 218 | \fB\-\-preserve\-credentials\fR |
e99a6626 KZ |
219 | Don't modify UID and GID when entering a user namespace. The default is to |
220 | drop supplementary groups and set GID and UID to 0. | |
221 | .TP | |
dde08a87 BS |
222 | \fB\-r\fR, \fB\-\-root\fR[=\fIdirectory\fR] |
223 | Set the root directory. If no directory is specified, set the root directory to | |
224 | the root directory of the target process. If directory is specified, set the | |
08e86f4c SK |
225 | root directory to the specified directory. |
226 | .TP | |
dde08a87 BS |
227 | \fB\-w\fR, \fB\-\-wd\fR[=\fIdirectory\fR] |
228 | Set the working directory. If no directory is specified, set the working | |
08e86f4c | 229 | directory to the working directory of the target process. If directory is |
dde08a87 | 230 | specified, set the working directory to the specified directory. |
08e86f4c | 231 | .TP |
b06c1ca6 | 232 | \fB\-F\fR, \fB\-\-no\-fork\fR |
dde08a87 BS |
233 | Do not fork before exec'ing the specified program. By default, when entering a |
234 | PID namespace, \fBnsenter\fP calls \fBfork\fP before calling \fBexec\fP so that | |
235 | any children will also be in the newly entered PID namespace. | |
08e86f4c | 236 | .TP |
355ee3b8 KZ |
237 | \fB\-Z\fR, \fB\-\-follow\-context\fR |
238 | Set the SELinux security context used for executing a new process according to | |
239 | the already running process specified by \fB\-\-target\fR PID. (util-linux has | |
240 | to be compiled with SELinux support; otherwise the option is unavailable.) | |
241 | .TP | |
08e86f4c SK |
242 | \fB\-V\fR, \fB\-\-version\fR |
243 | Display version information and exit. | |
244 | .TP | |
245 | \fB\-h\fR, \fB\-\-help\fR | |
b4362b6f | 246 | Display help text and exit. |
355ee3b8 KZ |
247 | .SH AUTHORS |
248 | .UR biederm@xmission.com | |
08e86f4c | 249 | Eric Biederman |
355ee3b8 KZ |
250 | .UE |
251 | .br | |
252 | .UR kzak@redhat.com | |
253 | Karel Zak | |
254 | .UE | |
ade04bb8 MK |
255 | .SH SEE ALSO |
256 | .BR clone (2), | |
257 | .BR setns (2), | |
258 | .BR namespaces (7) | |
f8aa8e94 EB |
259 | .SH AVAILABILITY |
260 | The nsenter command is part of the util-linux package and is available from | |
d673b74e | 261 | .UR https://\:www.kernel.org\:/pub\:/linux\:/utils\:/util-linux/ |
08e86f4c SK |
262 | Linux Kernel Archive |
263 | .UE . |
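
The following is an added example, not part of the util-linux man page or source. It reads the `/proc/[pid]/ns/*` symlinks listed under `--target` and reports which isolation boundaries `nsenter --all` would cross for a given target, including the documented case where an identical user namespace is ignored. The function name `ns_plan` and its verdict labels are hypothetical, and it never calls `nsenter` itself.

```shell
#!/bin/sh
# Added example, not util-linux code. ns_plan and its labels are hypothetical.
# Namespace types are the /proc/<pid>/ns/* entries listed under --target.
NS_TYPES="mnt uts ipc net pid user cgroup time"

# ns_plan SELF_DIR TARGET_DIR
# Compares namespace identities (the symlink targets, e.g. "net:[4026531840]")
# and prints "<type> <verdict>" for each type:
#   enter   - target is in a different namespace; nsenter --all would switch to it
#   same    - caller already shares this namespace with the target
#   skip    - identical user namespace, which --all ignores
#   missing - entry unreadable (type unsupported by the kernel, or no permission)
ns_plan() {
    self_dir=$1
    target_dir=$2
    for ns in $NS_TYPES; do
        mine=$(readlink "$self_dir/ns/$ns" 2>/dev/null) || mine=
        theirs=$(readlink "$target_dir/ns/$ns" 2>/dev/null) || theirs=
        if [ -z "$theirs" ]; then
            echo "$ns missing"
        elif [ "$mine" != "$theirs" ]; then
            echo "$ns enter"
        elif [ "$ns" = user ]; then
            echo "$ns skip"
        else
            echo "$ns same"
        fi
    done
}

# Stand-alone use: pass a PID to compare it against the current shell.
if [ "$#" -gt 0 ]; then
    ns_plan /proc/self "/proc/$1"
fi
```

Running it before an administrative `nsenter --all --target` call shows exactly which namespaces the new program will leave, which is useful when auditing how much of the host a debugging session into a container actually shares.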