[thirdparty/util-linux.git] / sys-utils / unshare.1

.TH UNSHARE 1 "February 2016" "util-linux" "User Commands"
.SH NAME
unshare \- run program with some namespaces unshared from parent
.SH SYNOPSIS
.B unshare
[options]
.RI [ program
.RI [ arguments ]]
.SH DESCRIPTION
Unshares the indicated namespaces from the parent process and then executes
the specified \fIprogram\fR. If \fIprogram\fR is not given, then ``${SHELL}'' is
run (default: /bin/sh).
.PP
The namespaces can optionally be made persistent by bind mounting
/proc/\fIpid\fR/ns/\fItype\fR files to a filesystem path and entered with
.BR \%nsenter (1)
even after the \fIprogram\fR terminates (except PID namespaces where
permanently running init process is required).
Once a persistent \%namespace is no longer needed, it can be unpersisted with
.BR umount (8).
See the \fBEXAMPLES\fR section for more details.
.PP
The namespaces to be unshared are indicated via options.  Unshareable namespaces are:
.TP
.B mount namespace
Mounting and unmounting filesystems will not affect the rest of the system,
except for filesystems which are explicitly marked as
shared (with \fBmount --make-shared\fP; see \fI/proc/self/mountinfo\fP or
\fBfindmnt -o+PROPAGATION\fP for the \fBshared\fP flags).
For further details, see
.BR mount_namespaces (7)
and the discussion of the
.B CLONE_NEWNS
flag in
.BR clone (2).
.sp
.B unshare
since util-linux version 2.27 automatically sets propagation to \fBprivate\fP
in a new mount namespace to make sure that the new namespace is really
unshared.  It's possible to disable this feature with option
\fB\-\-propagation unchanged\fP.
Note that \fBprivate\fP is the kernel default.
.TP
.B UTS namespace
Setting hostname or domainname will not affect the rest of the system.
For further details, see
.BR namespaces (7)
and the discussion of the
.B CLONE_NEWUTS
flag in
.BR clone (2).
.TP
.B IPC namespace
The process will have an independent namespace for POSIX message queues
as well as System V \%message queues,
semaphore sets and shared memory segments.
For further details, see
.BR namespaces (7)
and the discussion of the
.B CLONE_NEWIPC
flag in
.BR clone (2).
.TP
.B network namespace
The process will have independent IPv4 and IPv6 stacks, IP routing tables,
firewall rules, the \fI/proc/net\fP and \fI/sys/class/net\fP directory trees,
sockets, etc.
For further details, see
.BR namespaces (7)
and the discussion of the
.B CLONE_NEWNET
flag in
.BR clone (2).
.TP
.B PID namespace
Children will have a distinct set of PID-to-process mappings from their parent.
For further details, see
.BR pid_namespaces (7)
and
the discussion of the
.B CLONE_NEWPID
flag in
.BR clone (2).
.TP
.B cgroup namespace
The process will have a virtualized view of \fI/proc\:/self\:/cgroup\fP, and new
cgroup mounts will be rooted at the namespace cgroup root.
For further details, see
.BR cgroup_namespaces (7)
and the discussion of the
.B CLONE_NEWCGROUP
flag in
.BR clone (2).
.TP
.B user namespace
The process will have a distinct set of UIDs, GIDs and capabilities.
For further details, see
.BR user_namespaces (7)
and the discussion of the
.B CLONE_NEWUSER
flag in
.BR clone (2).
.SH OPTIONS
.TP
.BR \-i , " \-\-ipc" [ =\fIfile ]
Unshare the IPC namespace.  If \fIfile\fP is specified, then a persistent
namespace is created by a bind mount.
.TP
.BR \-m , " \-\-mount" [ =\fIfile ]
Unshare the mount namespace.  If \fIfile\fP is specified, then a persistent
namespace is created by a bind mount.
Note that \fIfile\fP has to be located on a filesystem with the propagation
flag set to \fBprivate\fP.  Use the command \fBfindmnt -o+PROPAGATION\fP
when not sure about the current setting.  See also the examples below.
.TP
.BR \-n , " \-\-net" [ =\fIfile ]
Unshare the network namespace.  If \fIfile\fP is specified, then a persistent
namespace is created by a bind mount.
.TP
.BR \-p , " \-\-pid" [ =\fIfile ]
Unshare the PID namespace.  If \fIfile\fP is specified then persistent
namespace is created by a bind mount.  See also the \fB--fork\fP and
\fB--mount-proc\fP options.
.TP
.BR \-u , " \-\-uts" [ =\fIfile ]
Unshare the UTS namespace.  If \fIfile\fP is specified, then a persistent
namespace is created by a bind mount.
.TP
.BR \-U , " \-\-user" [ =\fIfile ]
Unshare the user namespace.  If \fIfile\fP is specified, then a persistent
namespace is created by a bind mount.
.TP
.BR \-C , " \-\-cgroup"[=\fIfile\fP]
Unshare the cgroup namespace. If \fIfile\fP is specified then persistent namespace is created
by bind mount.
.TP
.BR \-f , " \-\-fork"
Fork the specified \fIprogram\fR as a child process of \fBunshare\fR rather than
running it directly.  This is useful when creating a new PID namespace.
.TP
.BR \-\-kill\-child [ =\fIsigname ]
When \fBunshare\fR terminates, have \fIsigname\fP be sent to the forked child process.
Combined with \fB--pid\fR this allows for an easy and reliable killing of the entire
process tree below \fBunshare\fR.
If not given, \fIsigname\fP defaults to \fBSIGKILL\fR.
This option implies \fB--fork\fR.
.TP
.BR \-\-mount\-proc [ =\fImountpoint ]
Just before running the program, mount the proc filesystem at \fImountpoint\fP
(default is /proc).  This is useful when creating a new PID namespace.  It also
implies creating a new mount namespace since the /proc mount would otherwise
mess up existing programs on the system.  The new proc filesystem is explicitly
mounted as private (with MS_PRIVATE|MS_REC).
.TP
.BR \-r , " \-\-map\-root\-user"
Run the program only after the current effective user and group IDs have been mapped to
the superuser UID and GID in the newly created user namespace.  This makes it possible to
conveniently gain capabilities needed to manage various aspects of the newly created
namespaces (such as configuring interfaces in the network namespace or mounting filesystems in
the mount namespace) even when run unprivileged.  As a mere convenience feature, it does not support
more sophisticated use cases, such as mapping multiple ranges of UIDs and GIDs.
This option implies \fB--setgroups=deny\fR.
.TP
.BR "\-\-propagation private" | shared | slave | unchanged
Recursively set the mount propagation flag in the new mount namespace.  The default
is to set the propagation to \fIprivate\fP.  It is possible to disable this feature
with the argument \fBunchanged\fR.  The option is silently ignored when the mount
namespace (\fB\-\-mount\fP) is not requested.
.TP
.BR "\-\-setgroups allow" | deny
Allow or deny the
.BR setgroups (2)
system call in a user namespace.
.sp
To be able to call
.BR setgroups (2),
the calling process must at least have CAP_SETGID.
But since Linux 3.19 a further restriction applies:
the kernel gives permission to call
.BR \%setgroups (2)
only after the GID map (\fB/proc/\fIpid\fB/gid_map\fR) has been set.
The GID map is writable by root when
.BR \%setgroups (2)
is enabled (i.e. \fBallow\fR, the default), and
the GID map becomes writable by unprivileged processes when
.BR \%setgroups (2)
is permanently disabled (with \fBdeny\fR).
.TP
.BR \-V , " \-\-version"
Display version information and exit.
.TP
.BR \-h , " \-\-help"
Display help text and exit.
.SH NOTES
The proc and sysfs filesystems mounting as root in a user namespace have to be
restricted so that a less privileged user can not get more access to sensitive
files that a more privileged user made unavailable. In short the rule for proc
and sysfs is as close to a bind mount as possible.
.SH EXAMPLES
.TP
.B # unshare --fork --pid --mount-proc readlink /proc/self
.TQ
1
.br
Establish a PID namespace, ensure we're PID 1 in it against a newly mounted
procfs instance.
.TP
.B $ unshare --map-root-user --user sh -c whoami
.TQ
root
.br
Establish a user namespace as an unprivileged user with a root user within it.
.TP
.B # touch /root/uts-ns
.TQ
.B # unshare --uts=/root/uts-ns hostname FOO
.TQ
.B # nsenter --uts=/root/uts-ns hostname
.TQ
FOO
.TQ
.B # umount /root/uts-ns
.br
Establish a persistent UTS namespace, and modify the hostname.  The namespace
is then entered with \fBnsenter\fR.  The namespace is destroyed by unmounting
the bind reference.
.TP
.B # mount --bind /root/namespaces /root/namespaces
.TQ
.B # mount --make-private /root/namespaces
.TQ
.B # touch /root/namespaces/mnt
.TQ
.B # unshare --mount=/root/namespaces/mnt
.br
Establish a persistent mount namespace referenced by the bind mount
/root/namespaces/mnt.  This example shows a portable solution, because it
makes sure that the bind mount is created on a shared filesystem.
.TP
.B # unshare -pf --kill-child -- bash -c "(sleep 999 &) && sleep 1000" &
.TQ
.B # pid=$!
.TQ
.B # kill $pid
.br
Reliable killing of subprocesses of the \fIprogram\fR.
When \fBunshare\fR gets killed, everything below it gets killed as well.
Without it, the children of \fIprogram\fR would have orphaned and
been re-parented to PID 1.

.SH SEE ALSO
.BR clone (2),
.BR unshare (2),
.BR namespaces (7),
.BR mount (8)
.SH AUTHORS
.UR dottedmag@dottedmag.net
Mikhail Gusarov
.UE
.br
.UR kzak@redhat.com
Karel Zak
.UE
.SH AVAILABILITY
The unshare command is part of the util-linux package and is available from
https://www.kernel.org/pub/linux/utils/util-linux/.
Commit	Line	Data
de0f3763	1	.TH UNSHARE 1 "February 2016" "util-linux" "User Commands"
4205f1fd	2	.SH NAME
ef6acdb8	3	unshare \- run program with some namespaces unshared from parent
4205f1fd MG	4	.SH SYNOPSIS
4205f1fd MG	5	.B unshare
cf8e0bae	6	[options]
b5672517 KZ	7	.RI [ program
b5672517 KZ	8	.RI [ arguments ]]
4205f1fd	9	.SH DESCRIPTION
dde08a87	10	Unshares the indicated namespaces from the parent process and then executes
b5672517 KZ	11	the specified \fIprogram\fR. If \fIprogram\fR is not given, then ``${SHELL}'' is
b5672517 KZ	12	run (default: /bin/sh).
0490a6ca	13	.PP
de0f3763 BS	14	The namespaces can optionally be made persistent by bind mounting
	15	/proc/\fIpid\fR/ns/\fItype\fR files to a filesystem path and entered with
	16	.BR \%nsenter (1)
ca538975 KZ	17	even after the \fIprogram\fR terminates (except PID namespaces where
ca538975 KZ	18	permanently running init process is required).
de0f3763	19	Once a persistent \%namespace is no longer needed, it can be unpersisted with
0490a6ca	20	.BR umount (8).
de0f3763	21	See the \fBEXAMPLES\fR section for more details.
0490a6ca KZ	22	.PP
0490a6ca KZ	23	The namespaces to be unshared are indicated via options. Unshareable namespaces are:
4205f1fd	24	.TP
0bb7e904	25	.B mount namespace
f85b9777 MK	26	Mounting and unmounting filesystems will not affect the rest of the system,
f85b9777 MK	27	except for filesystems which are explicitly marked as
f0f22e9c KZ	28	shared (with \fBmount --make-shared\fP; see \fI/proc/self/mountinfo\fP or
f0f22e9c KZ	29	\fBfindmnt -o+PROPAGATION\fP for the \fBshared\fP flags).
f85b9777 MK	30	For further details, see
	31	.BR mount_namespaces (7)
	32	and the discussion of the
0bb7e904	33	.B CLONE_NEWNS
f85b9777 MK	34	flag in
f85b9777 MK	35	.BR clone (2).
cf8e0bae	36	.sp
f0f22e9c KZ	37	.B unshare
f0f22e9c KZ	38	since util-linux version 2.27 automatically sets propagation to \fBprivate\fP
de0f3763 BS	39	in a new mount namespace to make sure that the new namespace is really
	40	unshared. It's possible to disable this feature with option
	41	\fB\-\-propagation unchanged\fP.
f0f22e9c	42	Note that \fBprivate\fP is the kernel default.
4205f1fd	43	.TP
0bb7e904	44	.B UTS namespace
dde08a87	45	Setting hostname or domainname will not affect the rest of the system.
f85b9777 MK	46	For further details, see
	47	.BR namespaces (7)
	48	and the discussion of the
0bb7e904	49	.B CLONE_NEWUTS
f85b9777 MK	50	flag in
f85b9777 MK	51	.BR clone (2).
4205f1fd	52	.TP
0bb7e904	53	.B IPC namespace
170a8e4a MK	54	The process will have an independent namespace for POSIX message queues
170a8e4a MK	55	as well as System V \%message queues,
f85b9777 MK	56	semaphore sets and shared memory segments.
	57	For further details, see
	58	.BR namespaces (7)
	59	and the discussion of the
0bb7e904	60	.B CLONE_NEWIPC
f85b9777 MK	61	flag in
f85b9777 MK	62	.BR clone (2).
4205f1fd	63	.TP
0bb7e904	64	.B network namespace
dde08a87 BS	65	The process will have independent IPv4 and IPv6 stacks, IP routing tables,
dde08a87 BS	66	firewall rules, the \fI/proc/net\fP and \fI/sys/class/net\fP directory trees,
f85b9777 MK	67	sockets, etc.
	68	For further details, see
	69	.BR namespaces (7)
	70	and the discussion of the
0bb7e904	71	.B CLONE_NEWNET
f85b9777 MK	72	flag in
f85b9777 MK	73	.BR clone (2).
4205f1fd	74	.TP
0bb7e904	75	.B PID namespace
de0f3763	76	Children will have a distinct set of PID-to-process mappings from their parent.
f85b9777 MK	77	For further details, see
	78	.BR pid_namespaces (7)
	79	and
	80	the discussion of the
0bb7e904	81	.B CLONE_NEWPID
f85b9777 MK	82	flag in
f85b9777 MK	83	.BR clone (2).
bc7f9b95	84	.TP
0bb7e904	85	.B cgroup namespace
f9e7b66d SH	86	The process will have a virtualized view of \fI/proc\:/self\:/cgroup\fP, and new
f9e7b66d SH	87	cgroup mounts will be rooted at the namespace cgroup root.
f85b9777 MK	88	For further details, see
	89	.BR cgroup_namespaces (7)
	90	and the discussion of the
0bb7e904	91	.B CLONE_NEWCGROUP
f85b9777 MK	92	flag in
f85b9777 MK	93	.BR clone (2).
f9e7b66d	94	.TP
0bb7e904	95	.B user namespace
dde08a87	96	The process will have a distinct set of UIDs, GIDs and capabilities.
f85b9777 MK	97	For further details, see
	98	.BR user_namespaces (7)
	99	and the discussion of the
0bb7e904	100	.B CLONE_NEWUSER
f85b9777 MK	101	flag in
f85b9777 MK	102	.BR clone (2).
4205f1fd MG	103	.SH OPTIONS
4205f1fd MG	104	.TP
de0f3763 BS	105	.BR \-i , " \-\-ipc" [ =\fIfile ]
	106	Unshare the IPC namespace. If \fIfile\fP is specified, then a persistent
	107	namespace is created by a bind mount.
dde08a87	108	.TP
de0f3763 BS	109	.BR \-m , " \-\-mount" [ =\fIfile ]
	110	Unshare the mount namespace. If \fIfile\fP is specified, then a persistent
	111	namespace is created by a bind mount.
	112	Note that \fIfile\fP has to be located on a filesystem with the propagation
	113	flag set to \fBprivate\fP. Use the command \fBfindmnt -o+PROPAGATION\fP
	114	when not sure about the current setting. See also the examples below.
4205f1fd	115	.TP
de0f3763 BS	116	.BR \-n , " \-\-net" [ =\fIfile ]
	117	Unshare the network namespace. If \fIfile\fP is specified, then a persistent
	118	namespace is created by a bind mount.
bc7f9b95	119	.TP
de0f3763 BS	120	.BR \-p , " \-\-pid" [ =\fIfile ]
	121	Unshare the PID namespace. If \fIfile\fP is specified then persistent
	122	namespace is created by a bind mount. See also the \fB--fork\fP and
	123	\fB--mount-proc\fP options.
bc7f9b95	124	.TP
de0f3763 BS	125	.BR \-u , " \-\-uts" [ =\fIfile ]
	126	Unshare the UTS namespace. If \fIfile\fP is specified, then a persistent
	127	namespace is created by a bind mount.
dde08a87	128	.TP
de0f3763 BS	129	.BR \-U , " \-\-user" [ =\fIfile ]
	130	Unshare the user namespace. If \fIfile\fP is specified, then a persistent
	131	namespace is created by a bind mount.
5088ec33	132	.TP
f9e7b66d SH	133	.BR \-C , " \-\-cgroup"[=\fIfile\fP]
	134	Unshare the cgroup namespace. If \fIfile\fP is specified then persistent namespace is created
	135	by bind mount.
	136	.TP
5088ec33	137	.BR \-f , " \-\-fork"
87ec43b6	138	Fork the specified \fIprogram\fR as a child process of \fBunshare\fR rather than
de0f3763	139	running it directly. This is useful when creating a new PID namespace.
6728ca10	140	.TP
8b39a17c NH	141	.BR \-\-kill\-child [ =\fIsigname ]
8b39a17c NH	142	When \fBunshare\fR terminates, have \fIsigname\fP be sent to the forked child process.
7cd784d0	143	Combined with \fB--pid\fR this allows for an easy and reliable killing of the entire
8e8f0fa5	144	process tree below \fBunshare\fR.
8b39a17c	145	If not given, \fIsigname\fP defaults to \fBSIGKILL\fR.
8e8f0fa5 NH	146	This option implies \fB--fork\fR.
8e8f0fa5 NH	147	.TP
de0f3763	148	.BR \-\-mount\-proc [ =\fImountpoint ]
cf8e0bae	149	Just before running the program, mount the proc filesystem at \fImountpoint\fP
de0f3763	150	(default is /proc). This is useful when creating a new PID namespace. It also
6728ca10	151	implies creating a new mount namespace since the /proc mount would otherwise
cf8e0bae	152	mess up existing programs on the system. The new proc filesystem is explicitly
de0f3763	153	mounted as private (with MS_PRIVATE\|MS_REC).
4da21e37	154	.TP
b06c1ca6	155	.BR \-r , " \-\-map\-root\-user"
cf8e0bae BS	156	Run the program only after the current effective user and group IDs have been mapped to
	157	the superuser UID and GID in the newly created user namespace. This makes it possible to
	158	conveniently gain capabilities needed to manage various aspects of the newly created
	159	namespaces (such as configuring interfaces in the network namespace or mounting filesystems in
	160	the mount namespace) even when run unprivileged. As a mere convenience feature, it does not support
4da21e37	161	more sophisticated use cases, such as mapping multiple ranges of UIDs and GIDs.
de0f3763	162	This option implies \fB--setgroups=deny\fR.
fbceefde	163	.TP
de0f3763 BS	164	.BR "\-\-propagation private" \| shared \| slave \| unchanged
	165	Recursively set the mount propagation flag in the new mount namespace. The default
	166	is to set the propagation to \fIprivate\fP. It is possible to disable this feature
	167	with the argument \fBunchanged\fR. The option is silently ignored when the mount
	168	namespace (\fB\-\-mount\fP) is not requested.
f0f22e9c	169	.TP
de0f3763 BS	170	.BR "\-\-setgroups allow" \| deny
de0f3763 BS	171	Allow or deny the
fbceefde	172	.BR setgroups (2)
3be5d977	173	system call in a user namespace.
afaf3103 BS	174	.sp
	175	To be able to call
	176	.BR setgroups (2),
	177	the calling process must at least have CAP_SETGID.
	178	But since Linux 3.19 a further restriction applies:
	179	the kernel gives permission to call
	180	.BR \%setgroups (2)
	181	only after the GID map (\fB/proc/\fIpid\fB/gid_map\fR) has been set.
	182	The GID map is writable by root when
	183	.BR \%setgroups (2)
	184	is enabled (i.e. \fBallow\fR, the default), and
	185	the GID map becomes writable by unprivileged processes when
	186	.BR \%setgroups (2)
	187	is permanently disabled (with \fBdeny\fR).
5e43af7e BS	188	.TP
	189	.BR \-V , " \-\-version"
	190	Display version information and exit.
	191	.TP
	192	.BR \-h , " \-\-help"
	193	Display help text and exit.
86b6d7f4 KZ	194	.SH NOTES
	195	The proc and sysfs filesystems mounting as root in a user namespace have to be
	196	restricted so that a less privileged user can not get more access to sensitive
	197	files that a more privileged user made unavailable. In short the rule for proc
	198	and sysfs is as close to a bind mount as possible.
69a7761b LR	199	.SH EXAMPLES
	200	.TP
	201	.B # unshare --fork --pid --mount-proc readlink /proc/self
	202	.TQ
	203	1
	204	.br
de0f3763	205	Establish a PID namespace, ensure we're PID 1 in it against a newly mounted
69a7761b LR	206	procfs instance.
	207	.TP
	208	.B $ unshare --map-root-user --user sh -c whoami
	209	.TQ
	210	root
	211	.br
	212	Establish a user namespace as an unprivileged user with a root user within it.
0490a6ca	213	.TP
0490a6ca KZ	214	.B # touch /root/uts-ns
0490a6ca KZ	215	.TQ
100a3ab5	216	.B # unshare --uts=/root/uts-ns hostname FOO
0490a6ca KZ	217	.TQ
	218	.B # nsenter --uts=/root/uts-ns hostname
	219	.TQ
	220	FOO
	221	.TQ
	222	.B # umount /root/uts-ns
	223	.br
de0f3763 BS	224	Establish a persistent UTS namespace, and modify the hostname. The namespace
	225	is then entered with \fBnsenter\fR. The namespace is destroyed by unmounting
	226	the bind reference.
249fc8fe	227	.TP
249fc8fe KZ	228	.B # mount --bind /root/namespaces /root/namespaces
249fc8fe KZ	229	.TQ
de0f3763	230	.B # mount --make-private /root/namespaces
249fc8fe	231	.TQ
de0f3763	232	.B # touch /root/namespaces/mnt
249fc8fe	233	.TQ
99b3fb9e	234	.B # unshare --mount=/root/namespaces/mnt
249fc8fe KZ	235	.br
249fc8fe KZ	236	Establish a persistent mount namespace referenced by the bind mount
de0f3763 BS	237	/root/namespaces/mnt. This example shows a portable solution, because it
de0f3763 BS	238	makes sure that the bind mount is created on a shared filesystem.
8e8f0fa5 NH	239	.TP
	240	.B # unshare -pf --kill-child -- bash -c "(sleep 999 &) && sleep 1000" &
	241	.TQ
	242	.B # pid=$!
	243	.TQ
	244	.B # kill $pid
	245	.br
	246	Reliable killing of subprocesses of the \fIprogram\fR.
	247	When \fBunshare\fR gets killed, everything below it gets killed as well.
	248	Without it, the children of \fIprogram\fR would have orphaned and
	249	been re-parented to PID 1.
249fc8fe	250
4205f1fd	251	.SH SEE ALSO
c07f86e7	252	.BR clone (2),
f053ff1e	253	.BR unshare (2),
4a3f0735	254	.BR namespaces (7),
c07f86e7	255	.BR mount (8)
0490a6ca KZ	256	.SH AUTHORS
	257	.UR dottedmag@dottedmag.net
	258	Mikhail Gusarov
	259	.UE
	260	.br
	261	.UR kzak@redhat.com
	262	Karel Zak
	263	.UE
4205f1fd	264	.SH AVAILABILITY
601d12fb	265	The unshare command is part of the util-linux package and is available from
d673b74e	266	https://www.kernel.org/pub/linux/utils/util-linux/.