Commit | Line | Data |
---|---|---|
87ec43b6 | 1 | .TH NSENTER 1 "June 2013" "util-linux" "User Commands" |
f8aa8e94 EB |
2 | .SH NAME |
3 | nsenter \- run program with namespaces of other processes | |
4 | .SH SYNOPSIS | |
5 | .B nsenter | |
cf8e0bae | 6 | [options] |
dde08a87 BS |
7 | .RI [ program |
8 | .RI [ arguments ]] | |
f8aa8e94 | 9 | .SH DESCRIPTION |
1e3832bf | 10 | Enters the namespaces of one or more other processes and then executes the specified |
0f0b5823 KZ |
11 | \fIprogram\fP. If \fIprogram\fP is not given, then ``${SHELL}'' is run (default: /bin\:/sh). |
12 | .PP | |
13 | Enterable namespaces are: | |
f8aa8e94 | 14 | .TP |
08e86f4c | 15 | .B mount namespace |
894efece MK |
16 | Mounting and unmounting filesystems will not affect the rest of the system, |
17 | except for filesystems which are explicitly marked as shared (with | |
dde08a87 BS |
18 | \fBmount --make-\:shared\fP; see \fI/proc\:/self\:/mountinfo\fP for the |
19 | \fBshared\fP flag). | |
894efece MK |
20 | For further details, see |
21 | .BR mount_namespaces (7) | |
22 | and the discussion of the | |
0bb7e904 | 23 | .B CLONE_NEWNS |
894efece MK |
24 | flag in |
25 | .BR clone (2). | |
f8aa8e94 | 26 | .TP |
08e86f4c | 27 | .B UTS namespace |
dde08a87 | 28 | Setting hostname or domainname will not affect the rest of the system. |
894efece | 29 | For further details, see |
6b2388d3 | 30 | .BR uts_namespaces (7) |
894efece | 31 | and the discussion of the |
0bb7e904 | 32 | .B CLONE_NEWUTS |
894efece MK |
33 | flag in |
34 | .BR clone (2). | |
f8aa8e94 | 35 | .TP |
08e86f4c | 36 | .B IPC namespace |
170a8e4a MK |
37 | The process will have an independent namespace for POSIX message queues |
38 | as well as System V message queues, | |
dde08a87 | 39 | semaphore sets and shared memory segments. |
894efece | 40 | For further details, see |
6b2388d3 | 41 | .BR ipc_namespaces (7) |
894efece | 42 | and the discussion of the |
0bb7e904 | 43 | .B CLONE_NEWIPC |
894efece MK |
44 | flag in |
45 | .BR clone (2). | |
f8aa8e94 | 46 | .TP |
08e86f4c | 47 | .B network namespace |
dde08a87 BS |
48 | The process will have independent IPv4 and IPv6 stacks, IP routing tables, |
49 | firewall rules, the | |
08e86f4c SK |
50 | .I /proc\:/net |
51 | and | |
52 | .I /sys\:/class\:/net | |
dde08a87 | 53 | directory trees, sockets, etc. |
894efece | 54 | For further details, see |
6b2388d3 | 55 | .BR network_namespaces (7) |
894efece | 56 | and the discussion of the |
0bb7e904 | 57 | .B CLONE_NEWNET |
894efece MK |
58 | flag in |
59 | .BR clone (2). | |
08e86f4c | 60 | .TP |
1e3832bf | 61 | .B PID namespace |
dde08a87 | 62 | Children will have a set of PID to process mappings separate from the |
1e3832bf | 63 | .B nsenter |
32ff1494 SK |
64 | process. |
65 | .B nsenter | |
66 | will fork by default if changing the PID namespace, so that the new program | |
67 | and its children share the same PID namespace and are visible to each other. | |
68 | If \fB\-\-no\-fork\fP is used, the new program will be exec'ed without forking. | |
894efece MK |
69 | For further details, see |
70 | .BR pid_namespaces (7) | |
71 | and | |
72 | the discussion of the | |
0bb7e904 | 73 | .B CLONE_NEWPID |
894efece | 74 | flag in |
32ff1494 | 75 | .BR clone (2). |
f8aa8e94 | 76 | .TP |
08e86f4c | 77 | .B user namespace |
dde08a87 | 78 | The process will have a distinct set of UIDs, GIDs and capabilities. |
894efece MK |
79 | For further details, see |
80 | .BR user_namespaces (7) | |
81 | and the discussion of the | |
0bb7e904 | 82 | .B CLONE_NEWUSER |
894efece MK |
83 | flag in |
84 | .BR clone (2). | |
f8aa8e94 | 85 | .TP |
f9e7b66d SH |
86 | .B cgroup namespace |
87 | The process will have a virtualized view of \fI/proc\:/self\:/cgroup\fP, and new | |
88 | cgroup mounts will be rooted at the namespace cgroup root. | |
894efece MK |
89 | For further details, see |
90 | .BR cgroup_namespaces (7) | |
91 | and the discussion of the | |
0bb7e904 | 92 | .B CLONE_NEWCGROUP |
894efece MK |
93 | flag in |
94 | .BR clone (2). | |
f9e7b66d | 95 | .TP |
7f1f0584 AR |
96 | .B time namespace |
97 | The process can have a distinct view of | |
98 | .B CLOCK_MONOTONIC | |
99 | and/or | |
100 | .B CLOCK_BOOTTIME | |
101 | which can be changed using \fI/proc/self/timens_offsets\fP. | |
c89aadb7 MK |
102 | For further details, see |
103 | .BR time_namespaces (7). | |
7f1f0584 | 104 | .TP |
dde08a87 | 105 | See \fBclone\fP(2) for the exact semantics of the flags. |
f8aa8e94 | 106 | .SH OPTIONS |
4b298f61 MK |
107 | Various of the options below that relate to namespaces take an optional |
108 | .I file | |
109 | argument. | |
110 | This should be one of the | |
0bb7e904 | 111 | .I /proc/[pid]/ns/* |
4b298f61 MK |
112 | files described in |
113 | .BR namespaces (7). | |
08e86f4c | 114 | .TP |
974cc006 KZ |
115 | \fB\-a\fR, \fB\-\-all\fR |
116 | Enter all namespaces of the target process by the default | |
0bb7e904 | 117 | .I /proc/[pid]/ns/* |
974cc006 | 118 | namespace paths. The default paths to the target process namespaces may be |
eb024893 | 119 | overridden by namespace-specific options (e.g., --all --mount=[path]).
974cc006 KZ |
120 | |
121 | The user namespace will be ignored if the same as the caller's current user | |
122 | namespace. It prevents a caller that has dropped capabilities from regaining | |
123 | those capabilities via a call to setns(). See | |
124 | .BR setns (2) | |
125 | for more details. | |
126 | .TP | |
08e86f4c SK |
127 | \fB\-t\fR, \fB\-\-target\fR \fIpid\fP |
128 | Specify a target process to get contexts from. The paths to the contexts | |
129 | specified by | |
130 | .I pid | |
131 | are: | |
132 | .RS | |
133 | .PD 0 | |
134 | .IP "" 20 | |
135 | .TP | |
136 | /proc/\fIpid\fR/ns/mnt | |
137 | the mount namespace | |
138 | .TP | |
139 | /proc/\fIpid\fR/ns/uts | |
1e3832bf | 140 | the UTS namespace |
08e86f4c SK |
141 | .TP |
142 | /proc/\fIpid\fR/ns/ipc | |
1e3832bf | 143 | the IPC namespace |
08e86f4c SK |
144 | .TP |
145 | /proc/\fIpid\fR/ns/net | |
1e3832bf | 146 | the network namespace |
08e86f4c SK |
147 | .TP |
148 | /proc/\fIpid\fR/ns/pid | |
1e3832bf | 149 | the PID namespace |
08e86f4c SK |
150 | .TP |
151 | /proc/\fIpid\fR/ns/user | |
152 | the user namespace | |
153 | .TP | |
f9e7b66d SH |
154 | /proc/\fIpid\fR/ns/cgroup |
155 | the cgroup namespace | |
156 | .TP | |
7f1f0584 AR |
157 | /proc/\fIpid\fR/ns/time |
158 | the time namespace | |
159 | .TP | |
08e86f4c SK |
160 | /proc/\fIpid\fR/root |
161 | the root directory | |
162 | .TP | |
1e3832bf | 163 | /proc/\fIpid\fR/cwd |
08e86f4c SK |
164 | the working directory respectively |
165 | .PD | |
166 | .RE | |
167 | .TP | |
dde08a87 BS |
168 | \fB\-m\fR, \fB\-\-mount\fR[=\fIfile\fR] |
169 | Enter the mount namespace. If no file is specified, enter the mount namespace | |
ff88fc3b MK |
170 | of the target process. |
171 | If | |
172 | .I file | |
173 | is specified, enter the mount namespace | |
174 | specified by | |
175 | .IR file . | |
08e86f4c | 176 | .TP |
dde08a87 BS |
177 | \fB\-u\fR, \fB\-\-uts\fR[=\fIfile\fR] |
178 | Enter the UTS namespace. If no file is specified, enter the UTS namespace of | |
ff88fc3b MK |
179 | the target process. |
180 | If | |
181 | .I file | |
182 | is specified, enter the UTS namespace specified by | |
183 | .IR file . | |
08e86f4c | 184 | .TP |
dde08a87 BS |
185 | \fB\-i\fR, \fB\-\-ipc\fR[=\fIfile\fR] |
186 | Enter the IPC namespace. If no file is specified, enter the IPC namespace of | |
ff88fc3b MK |
187 | the target process. |
188 | If | |
189 | .I file | |
190 | is specified, enter the IPC namespace specified by | |
191 | .IR file . | |
08e86f4c | 192 | .TP |
dde08a87 BS |
193 | \fB\-n\fR, \fB\-\-net\fR[=\fIfile\fR] |
194 | Enter the network namespace. If no file is specified, enter the network | |
ff88fc3b MK |
195 | namespace of the target process. |
196 | If | |
197 | .I file | |
198 | is specified, enter the network namespace specified by | |
199 | .IR file . | |
08e86f4c | 200 | .TP |
dde08a87 BS |
201 | \fB\-p\fR, \fB\-\-pid\fR[=\fIfile\fR] |
202 | Enter the PID namespace. If no file is specified, enter the PID namespace of | |
ff88fc3b MK |
203 | the target process. |
204 | If | |
205 | .I file | |
206 | is specified, enter the PID namespace specified by | |
207 | .IR file . | |
08e86f4c | 208 | .TP |
dde08a87 BS |
209 | \fB\-U\fR, \fB\-\-user\fR[=\fIfile\fR] |
210 | Enter the user namespace. If no file is specified, enter the user namespace of | |
ff88fc3b MK |
211 | the target process. |
212 | If | |
213 | .I file | |
214 | is specified, enter the user namespace specified by | |
215 | .IR file . | |
91f20582 | 216 | See also the \fB\-\-setuid\fR and \fB\-\-setgid\fR options. |
6b9e5bf6 | 217 | .TP |
f9e7b66d SH |
218 | \fB\-C\fR, \fB\-\-cgroup\fR[=\fIfile\fR] |
219 | Enter the cgroup namespace. If no file is specified, enter the cgroup namespace of | |
ff88fc3b MK |
220 | the target process. |
221 | If | |
222 | .I file | |
223 | is specified, enter the cgroup namespace specified by | |
224 | .IR file . | |
f9e7b66d | 225 | .TP |
7f1f0584 AR |
226 | \fB\-T\fR, \fB\-\-time\fR[=\fIfile\fR] |
227 | Enter the time namespace. If no file is specified, enter the time namespace of | |
228 | the target process. | |
229 | If | |
230 | .I file | |
231 | is specified, enter the time namespace specified by | |
232 | .IR file . | |
233 | .TP | |
6b9e5bf6 | 234 | \fB\-G\fR, \fB\-\-setgid\fR \fIgid\fR |
47f42c1d KZ |
235 | Set the group ID which will be used in the entered namespace and drop |
236 | supplementary groups. | |
237 | .BR nsenter (1) | |
238 | always sets GID for user namespaces; the default is 0. | |
6b9e5bf6 RW |
239 | .TP |
240 | \fB\-S\fR, \fB\-\-setuid\fR \fIuid\fR | |
47f42c1d KZ |
241 | Set the user ID which will be used in the entered namespace. |
242 | .BR nsenter (1) | |
243 | always sets UID for user namespaces; the default is 0. | |
08e86f4c | 244 | .TP |
b06c1ca6 | 245 | \fB\-\-preserve\-credentials\fR |
e99a6626 KZ |
246 | Don't modify UID and GID when entering a user namespace. The default is to
247 | drop supplementary groups and set GID and UID to 0. | |
248 | .TP | |
dde08a87 BS |
249 | \fB\-r\fR, \fB\-\-root\fR[=\fIdirectory\fR] |
250 | Set the root directory. If no directory is specified, set the root directory to | |
251 | the root directory of the target process. If directory is specified, set the | |
08e86f4c SK |
252 | root directory to the specified directory. |
253 | .TP | |
dde08a87 BS |
254 | \fB\-w\fR, \fB\-\-wd\fR[=\fIdirectory\fR] |
255 | Set the working directory. If no directory is specified, set the working | |
08e86f4c | 256 | directory to the working directory of the target process. If directory is |
dde08a87 | 257 | specified, set the working directory to the specified directory. |
08e86f4c | 258 | .TP |
b06c1ca6 | 259 | \fB\-F\fR, \fB\-\-no\-fork\fR |
dde08a87 BS |
260 | Do not fork before exec'ing the specified program. By default, when entering a |
261 | PID namespace, \fBnsenter\fP calls \fBfork\fP before calling \fBexec\fP so that | |
262 | any children will also be in the newly entered PID namespace. | |
08e86f4c | 263 | .TP |
355ee3b8 KZ |
264 | \fB\-Z\fR, \fB\-\-follow\-context\fR |
265 | Set the SELinux security context used for executing a new process according to | |
266 | the already running process specified by \fB\-\-target\fR PID. (util-linux has | |
267 | to be compiled with SELinux support; otherwise the option is unavailable.) | |
268 | .TP | |
08e86f4c SK |
269 | \fB\-V\fR, \fB\-\-version\fR |
270 | Display version information and exit. | |
271 | .TP | |
272 | \fB\-h\fR, \fB\-\-help\fR | |
b4362b6f | 273 | Display help text and exit. |
355ee3b8 KZ |
274 | .SH AUTHORS |
275 | .UR biederm@xmission.com | |
08e86f4c | 276 | Eric Biederman |
355ee3b8 KZ |
277 | .UE |
278 | .br | |
279 | .UR kzak@redhat.com | |
280 | Karel Zak | |
281 | .UE | |
ade04bb8 MK |
282 | .SH SEE ALSO |
283 | .BR clone (2), | |
284 | .BR setns (2), | |
285 | .BR namespaces (7) | |
f8aa8e94 EB |
286 | .SH AVAILABILITY |
287 | The nsenter command is part of the util-linux package and is available from | |
d673b74e | 288 | .UR https://\:www.kernel.org\:/pub\:/linux\:/utils\:/util-linux/ |
08e86f4c SK |
289 | Linux Kernel Archive |
290 | .UE . |
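
The comparison behind the `--target` namespace paths and the `--all` note about the user namespace, as an added example that is not part of the util-linux source: the hypothetical helper `ns_plan` compares the `/proc/[pid]/ns/*` links of a caller and a target and prints an nsenter command line naming only the namespaces in which they differ. The proc tree, the PIDs 100 and 200, and the inode numbers are constructed sample data.

```shell
#!/bin/sh
# ns_plan PROC_ROOT CALLER_PID TARGET_PID   (hypothetical helper, not part of nsenter)
# Prints the nsenter options needed to reach TARGET_PID's namespaces from
# CALLER_PID, skipping every namespace the two processes already share.
ns_plan() {
    proc=$1 caller=$2 target=$3
    opts=""
    # ns file name : nsenter option, in the order the man page lists the paths
    for pair in mnt:--mount uts:--uts ipc:--ipc net:--net pid:--pid \
                user:--user cgroup:--cgroup time:--time; do
        ns=${pair%%:*}
        opt=${pair#*:}
        # A missing link means this namespace type is not exposed; skip it.
        t=$(readlink "$proc/$target/ns/$ns" 2>/dev/null) || continue
        c=$(readlink "$proc/$caller/ns/$ns" 2>/dev/null) || c=""
        # Identical link text ("net:[inode]") means the same namespace.
        if [ "$t" != "$c" ]; then
            opts="$opts $opt"
        fi
    done
    if [ -z "$opts" ]; then
        echo "same namespaces"
    else
        echo "nsenter --target $target$opts"
    fi
}

# Constructed sample tree: PID 100 is the caller, PID 200 a process with its
# own mount, network and PID namespaces. No ns/time link (older kernel).
make_sample_proc() {
    d=$(mktemp -d) || return 1
    for spec in 100:mnt:4026531840 100:uts:4026531838 100:ipc:4026531839 \
                100:net:4026531992 100:pid:4026531836 100:user:4026531837 \
                100:cgroup:4026531835 \
                200:mnt:4026532501 200:uts:4026531838 200:ipc:4026531839 \
                200:net:4026532504 200:pid:4026532502 200:user:4026531837 \
                200:cgroup:4026531835; do
        pid=${spec%%:*}; rest=${spec#*:}
        mkdir -p "$d/$pid/ns"
        # Dangling symlink whose text mimics a real /proc/[pid]/ns entry
        ln -s "${rest%%:*}:[${rest#*:}]" "$d/$pid/ns/${rest%%:*}"
    done
    echo "$d"
}

root=$(make_sample_proc)
ns_plan "$root" 100 200
rm -rf "$root"
```

On a live system, pass `/proc`, the shell's own PID (`$$`) and the target PID; reading another user's `/proc/[pid]/ns` links normally requires privilege.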