[thirdparty/util-linux.git] / sys-utils / unshare.1

.TH UNSHARE 1 "February 2016" "util-linux" "User Commands"
.SH NAME
unshare \- run program with some namespaces unshared from parent
.SH SYNOPSIS
.B unshare
[options]
.I program
.RI [ arguments ]
.SH DESCRIPTION
Unshares the indicated namespaces from the parent process and then executes
the specified \fIprogram\fR.
.PP
The namespaces can optionally be made persistent by bind mounting
/proc/\fIpid\fR/ns/\fItype\fR files to a filesystem path and entered with
.BR \%nsenter (1)
even after the \fIprogram\fR terminates.
Once a persistent \%namespace is no longer needed, it can be unpersisted with
.BR umount (8).
See the \fBEXAMPLES\fR section for more details.
.PP
The namespaces to be unshared are indicated via options.  Unshareable namespaces are:
.TP
.BR "mount namespace"
Mounting and unmounting filesystems will not affect the rest of the system,
except for filesystems which are explicitly marked as
shared (with \fBmount --make-shared\fP; see \fI/proc/self/mountinfo\fP or
\fBfindmnt -o+PROPAGATION\fP for the \fBshared\fP flags).
For further details, see
.BR mount_namespaces (7)
and the discussion of the
.BR CLONE_NEWNS
flag in
.BR clone (2).
.sp
.B unshare
since util-linux version 2.27 automatically sets propagation to \fBprivate\fP
in a new mount namespace to make sure that the new namespace is really
unshared.  It's possible to disable this feature with option
\fB\-\-propagation unchanged\fP.
Note that \fBprivate\fP is the kernel default.
.TP
.BR "UTS namespace"
Setting hostname or domainname will not affect the rest of the system.
For further details, see
.BR namespaces (7)
and the discussion of the
.BR CLONE_NEWUTS
flag in
.BR clone (2).
.TP
.BR "IPC namespace"
The process will have an independent namespace for POSIX message queues
as well as System V \%message queues,
semaphore sets and shared memory segments.
For further details, see
.BR namespaces (7)
and the discussion of the
.BR CLONE_NEWIPC
flag in
.BR clone (2).
.TP
.BR "network namespace"
The process will have independent IPv4 and IPv6 stacks, IP routing tables,
firewall rules, the \fI/proc/net\fP and \fI/sys/class/net\fP directory trees,
sockets, etc.
For further details, see
.BR namespaces (7)
and the discussion of the
.BR CLONE_NEWNET
flag in
.BR clone (2).
.TP
.BR "pid namespace"
Children will have a distinct set of PID-to-process mappings from their parent.
For further details, see
.BR pid_namespaces (7)
and
the discussion of the
.BR CLONE_NEWPID
flag in
.BR clone (2).
.TP
.BR "cgroup namespace"
The process will have a virtualized view of \fI/proc\:/self\:/cgroup\fP, and new
cgroup mounts will be rooted at the namespace cgroup root.
For further details, see
.BR cgroup_namespaces (7)
and the discussion of the
.BR CLONE_NEWCGROUP
flag in
.BR clone (2).
.TP
.BR "user namespace"
The process will have a distinct set of UIDs, GIDs and capabilities.
For further details, see
.BR user_namespaces (7)
and the discussion of the
.BR CLONE_NEWUSER
flag in
.BR clone (2).
.SH OPTIONS
.TP
.BR \-i , " \-\-ipc" [ =\fIfile ]
Unshare the IPC namespace.  If \fIfile\fP is specified, then a persistent
namespace is created by a bind mount.
.TP
.BR \-m , " \-\-mount" [ =\fIfile ]
Unshare the mount namespace.  If \fIfile\fP is specified, then a persistent
namespace is created by a bind mount.
Note that \fIfile\fP has to be located on a filesystem with the propagation
flag set to \fBprivate\fP.  Use the command \fBfindmnt -o+PROPAGATION\fP
when not sure about the current setting.  See also the examples below.
.TP
.BR \-n , " \-\-net" [ =\fIfile ]
Unshare the network namespace.  If \fIfile\fP is specified, then a persistent
namespace is created by a bind mount.
.TP
.BR \-p , " \-\-pid" [ =\fIfile ]
Unshare the PID namespace.  If \fIfile\fP is specified then persistent
namespace is created by a bind mount.  See also the \fB--fork\fP and
\fB--mount-proc\fP options.
.TP
.BR \-u , " \-\-uts" [ =\fIfile ]
Unshare the UTS namespace.  If \fIfile\fP is specified, then a persistent
namespace is created by a bind mount.
.TP
.BR \-U , " \-\-user" [ =\fIfile ]
Unshare the user namespace.  If \fIfile\fP is specified, then a persistent
namespace is created by a bind mount.
.TP
.BR \-C , " \-\-cgroup"[=\fIfile\fP]
Unshare the cgroup namespace. If \fIfile\fP is specified then persistent namespace is created
by bind mount.
.TP
.BR \-f , " \-\-fork"
Fork the specified \fIprogram\fR as a child process of \fBunshare\fR rather than
running it directly.  This is useful when creating a new PID namespace.
.TP
.BR \-\-mount\-proc [ =\fImountpoint ]
Just before running the program, mount the proc filesystem at \fImountpoint\fP
(default is /proc).  This is useful when creating a new PID namespace.  It also
implies creating a new mount namespace since the /proc mount would otherwise
mess up existing programs on the system.  The new proc filesystem is explicitly
mounted as private (with MS_PRIVATE|MS_REC).
.TP
.BR \-r , " \-\-map\-root\-user"
Run the program only after the current effective user and group IDs have been mapped to
the superuser UID and GID in the newly created user namespace.  This makes it possible to
conveniently gain capabilities needed to manage various aspects of the newly created
namespaces (such as configuring interfaces in the network namespace or mounting filesystems in
the mount namespace) even when run unprivileged.  As a mere convenience feature, it does not support
more sophisticated use cases, such as mapping multiple ranges of UIDs and GIDs.
This option implies \fB--setgroups=deny\fR.
.TP
.BR "\-\-propagation private" | shared | slave | unchanged
Recursively set the mount propagation flag in the new mount namespace.  The default
is to set the propagation to \fIprivate\fP.  It is possible to disable this feature
with the argument \fBunchanged\fR.  The option is silently ignored when the mount
namespace (\fB\-\-mount\fP) is not requested.
.TP
.BR "\-\-setgroups allow" | deny
Allow or deny the
.BR setgroups (2)
syscall in a user namespace.
.sp
To be able to call
.BR setgroups (2),
the calling process must at least have CAP_SETGID.
But since Linux 3.19 a further restriction applies:
the kernel gives permission to call
.BR \%setgroups (2)
only after the GID map (\fB/proc/\fIpid\fB/gid_map\fR) has been set.
The GID map is writable by root when
.BR \%setgroups (2)
is enabled (i.e. \fBallow\fR, the default), and
the GID map becomes writable by unprivileged processes when
.BR \%setgroups (2)
is permanently disabled (with \fBdeny\fR).
.TP
.BR \-V , " \-\-version"
Display version information and exit.
.TP
.BR \-h , " \-\-help"
Display help text and exit.
.SH EXAMPLES
.TP
.B # unshare --fork --pid --mount-proc readlink /proc/self
.TQ
1
.br
Establish a PID namespace, ensure we're PID 1 in it against a newly mounted
procfs instance.
.TP
.B $ unshare --map-root-user --user sh -c whoami
.TQ
root
.br
Establish a user namespace as an unprivileged user with a root user within it.
.TP
.B # touch /root/uts-ns
.TQ
.B # unshare --uts=/root/uts-ns hostname FOO
.TQ
.B # nsenter --uts=/root/uts-ns hostname
.TQ
FOO
.TQ
.B # umount /root/uts-ns
.br
Establish a persistent UTS namespace, and modify the hostname.  The namespace
is then entered with \fBnsenter\fR.  The namespace is destroyed by unmounting
the bind reference.
.TP
.B # mount --bind /root/namespaces /root/namespaces
.TQ
.B # mount --make-private /root/namespaces
.TQ
.B # touch /root/namespaces/mnt
.TQ
.B # unshare --mount=/root/namespaces/mnt
.br
Establish a persistent mount namespace referenced by the bind mount
/root/namespaces/mnt.  This example shows a portable solution, because it
makes sure that the bind mount is created on a shared filesystem.

.SH SEE ALSO
.BR clone (2),
.BR unshare (2),
.BR namespaces (7),
.BR mount (8)
.SH AUTHORS
.UR dottedmag@dottedmag.net
Mikhail Gusarov
.UE
.br
.UR kzak@redhat.com
Karel Zak
.UE
.SH AVAILABILITY
The unshare command is part of the util-linux package and is available from
ftp://ftp.kernel.org/pub/linux/utils/util-linux/.
Commit	Line	Data
de0f3763	1	.TH UNSHARE 1 "February 2016" "util-linux" "User Commands"
4205f1fd	2	.SH NAME
ef6acdb8	3	unshare \- run program with some namespaces unshared from parent
4205f1fd MG	4	.SH SYNOPSIS
4205f1fd MG	5	.B unshare
cf8e0bae	6	[options]
dde08a87	7	.I program
4205f1fd MG	8	.RI [ arguments ]
4205f1fd MG	9	.SH DESCRIPTION
dde08a87	10	Unshares the indicated namespaces from the parent process and then executes
0490a6ca KZ	11	the specified \fIprogram\fR.
0490a6ca KZ	12	.PP
de0f3763 BS	13	The namespaces can optionally be made persistent by bind mounting
	14	/proc/\fIpid\fR/ns/\fItype\fR files to a filesystem path and entered with
	15	.BR \%nsenter (1)
	16	even after the \fIprogram\fR terminates.
	17	Once a persistent \%namespace is no longer needed, it can be unpersisted with
0490a6ca	18	.BR umount (8).
de0f3763	19	See the \fBEXAMPLES\fR section for more details.
0490a6ca KZ	20	.PP
0490a6ca KZ	21	The namespaces to be unshared are indicated via options. Unshareable namespaces are:
4205f1fd MG	22	.TP
4205f1fd MG	23	.BR "mount namespace"
f85b9777 MK	24	Mounting and unmounting filesystems will not affect the rest of the system,
f85b9777 MK	25	except for filesystems which are explicitly marked as
f0f22e9c KZ	26	shared (with \fBmount --make-shared\fP; see \fI/proc/self/mountinfo\fP or
f0f22e9c KZ	27	\fBfindmnt -o+PROPAGATION\fP for the \fBshared\fP flags).
f85b9777 MK	28	For further details, see
	29	.BR mount_namespaces (7)
	30	and the discussion of the
	31	.BR CLONE_NEWNS
	32	flag in
	33	.BR clone (2).
cf8e0bae	34	.sp
f0f22e9c KZ	35	.B unshare
f0f22e9c KZ	36	since util-linux version 2.27 automatically sets propagation to \fBprivate\fP
de0f3763 BS	37	in a new mount namespace to make sure that the new namespace is really
	38	unshared. It's possible to disable this feature with option
	39	\fB\-\-propagation unchanged\fP.
f0f22e9c	40	Note that \fBprivate\fP is the kernel default.
4205f1fd MG	41	.TP
4205f1fd MG	42	.BR "UTS namespace"
dde08a87	43	Setting hostname or domainname will not affect the rest of the system.
f85b9777 MK	44	For further details, see
	45	.BR namespaces (7)
	46	and the discussion of the
	47	.BR CLONE_NEWUTS
	48	flag in
	49	.BR clone (2).
4205f1fd MG	50	.TP
4205f1fd MG	51	.BR "IPC namespace"
170a8e4a MK	52	The process will have an independent namespace for POSIX message queues
170a8e4a MK	53	as well as System V \%message queues,
f85b9777 MK	54	semaphore sets and shared memory segments.
	55	For further details, see
	56	.BR namespaces (7)
	57	and the discussion of the
	58	.BR CLONE_NEWIPC
	59	flag in
	60	.BR clone (2).
4205f1fd MG	61	.TP
4205f1fd MG	62	.BR "network namespace"
dde08a87 BS	63	The process will have independent IPv4 and IPv6 stacks, IP routing tables,
dde08a87 BS	64	firewall rules, the \fI/proc/net\fP and \fI/sys/class/net\fP directory trees,
f85b9777 MK	65	sockets, etc.
	66	For further details, see
	67	.BR namespaces (7)
	68	and the discussion of the
	69	.BR CLONE_NEWNET
	70	flag in
	71	.BR clone (2).
4205f1fd	72	.TP
bc7f9b95	73	.BR "pid namespace"
de0f3763	74	Children will have a distinct set of PID-to-process mappings from their parent.
f85b9777 MK	75	For further details, see
	76	.BR pid_namespaces (7)
	77	and
	78	the discussion of the
	79	.BR CLONE_NEWPID
	80	flag in
	81	.BR clone (2).
bc7f9b95	82	.TP
f9e7b66d SH	83	.BR "cgroup namespace"
	84	The process will have a virtualized view of \fI/proc\:/self\:/cgroup\fP, and new
	85	cgroup mounts will be rooted at the namespace cgroup root.
f85b9777 MK	86	For further details, see
	87	.BR cgroup_namespaces (7)
	88	and the discussion of the
	89	.BR CLONE_NEWCGROUP
	90	flag in
	91	.BR clone (2).
f9e7b66d	92	.TP
bc7f9b95	93	.BR "user namespace"
dde08a87	94	The process will have a distinct set of UIDs, GIDs and capabilities.
f85b9777 MK	95	For further details, see
	96	.BR user_namespaces (7)
	97	and the discussion of the
	98	.BR CLONE_NEWUSER
	99	flag in
	100	.BR clone (2).
4205f1fd MG	101	.SH OPTIONS
4205f1fd MG	102	.TP
de0f3763 BS	103	.BR \-i , " \-\-ipc" [ =\fIfile ]
	104	Unshare the IPC namespace. If \fIfile\fP is specified, then a persistent
	105	namespace is created by a bind mount.
dde08a87	106	.TP
de0f3763 BS	107	.BR \-m , " \-\-mount" [ =\fIfile ]
	108	Unshare the mount namespace. If \fIfile\fP is specified, then a persistent
	109	namespace is created by a bind mount.
	110	Note that \fIfile\fP has to be located on a filesystem with the propagation
	111	flag set to \fBprivate\fP. Use the command \fBfindmnt -o+PROPAGATION\fP
	112	when not sure about the current setting. See also the examples below.
4205f1fd	113	.TP
de0f3763 BS	114	.BR \-n , " \-\-net" [ =\fIfile ]
	115	Unshare the network namespace. If \fIfile\fP is specified, then a persistent
	116	namespace is created by a bind mount.
bc7f9b95	117	.TP
de0f3763 BS	118	.BR \-p , " \-\-pid" [ =\fIfile ]
	119	Unshare the PID namespace. If \fIfile\fP is specified then persistent
	120	namespace is created by a bind mount. See also the \fB--fork\fP and
	121	\fB--mount-proc\fP options.
bc7f9b95	122	.TP
de0f3763 BS	123	.BR \-u , " \-\-uts" [ =\fIfile ]
	124	Unshare the UTS namespace. If \fIfile\fP is specified, then a persistent
	125	namespace is created by a bind mount.
dde08a87	126	.TP
de0f3763 BS	127	.BR \-U , " \-\-user" [ =\fIfile ]
	128	Unshare the user namespace. If \fIfile\fP is specified, then a persistent
	129	namespace is created by a bind mount.
5088ec33	130	.TP
f9e7b66d SH	131	.BR \-C , " \-\-cgroup"[=\fIfile\fP]
	132	Unshare the cgroup namespace. If \fIfile\fP is specified then persistent namespace is created
	133	by bind mount.
	134	.TP
5088ec33	135	.BR \-f , " \-\-fork"
87ec43b6	136	Fork the specified \fIprogram\fR as a child process of \fBunshare\fR rather than
de0f3763	137	running it directly. This is useful when creating a new PID namespace.
6728ca10	138	.TP
de0f3763	139	.BR \-\-mount\-proc [ =\fImountpoint ]
cf8e0bae	140	Just before running the program, mount the proc filesystem at \fImountpoint\fP
de0f3763	141	(default is /proc). This is useful when creating a new PID namespace. It also
6728ca10	142	implies creating a new mount namespace since the /proc mount would otherwise
cf8e0bae	143	mess up existing programs on the system. The new proc filesystem is explicitly
de0f3763	144	mounted as private (with MS_PRIVATE\|MS_REC).
4da21e37	145	.TP
b06c1ca6	146	.BR \-r , " \-\-map\-root\-user"
cf8e0bae BS	147	Run the program only after the current effective user and group IDs have been mapped to
	148	the superuser UID and GID in the newly created user namespace. This makes it possible to
	149	conveniently gain capabilities needed to manage various aspects of the newly created
	150	namespaces (such as configuring interfaces in the network namespace or mounting filesystems in
	151	the mount namespace) even when run unprivileged. As a mere convenience feature, it does not support
4da21e37	152	more sophisticated use cases, such as mapping multiple ranges of UIDs and GIDs.
de0f3763	153	This option implies \fB--setgroups=deny\fR.
fbceefde	154	.TP
de0f3763 BS	155	.BR "\-\-propagation private" \| shared \| slave \| unchanged
	156	Recursively set the mount propagation flag in the new mount namespace. The default
	157	is to set the propagation to \fIprivate\fP. It is possible to disable this feature
	158	with the argument \fBunchanged\fR. The option is silently ignored when the mount
	159	namespace (\fB\-\-mount\fP) is not requested.
f0f22e9c	160	.TP
de0f3763 BS	161	.BR "\-\-setgroups allow" \| deny
de0f3763 BS	162	Allow or deny the
fbceefde	163	.BR setgroups (2)
afaf3103 BS	164	syscall in a user namespace.
	165	.sp
	166	To be able to call
	167	.BR setgroups (2),
	168	the calling process must at least have CAP_SETGID.
	169	But since Linux 3.19 a further restriction applies:
	170	the kernel gives permission to call
	171	.BR \%setgroups (2)
	172	only after the GID map (\fB/proc/\fIpid\fB/gid_map\fR) has been set.
	173	The GID map is writable by root when
	174	.BR \%setgroups (2)
	175	is enabled (i.e. \fBallow\fR, the default), and
	176	the GID map becomes writable by unprivileged processes when
	177	.BR \%setgroups (2)
	178	is permanently disabled (with \fBdeny\fR).
5e43af7e BS	179	.TP
	180	.BR \-V , " \-\-version"
	181	Display version information and exit.
	182	.TP
	183	.BR \-h , " \-\-help"
	184	Display help text and exit.
69a7761b LR	185	.SH EXAMPLES
	186	.TP
	187	.B # unshare --fork --pid --mount-proc readlink /proc/self
	188	.TQ
	189	1
	190	.br
de0f3763	191	Establish a PID namespace, ensure we're PID 1 in it against a newly mounted
69a7761b LR	192	procfs instance.
	193	.TP
	194	.B $ unshare --map-root-user --user sh -c whoami
	195	.TQ
	196	root
	197	.br
	198	Establish a user namespace as an unprivileged user with a root user within it.
0490a6ca	199	.TP
0490a6ca KZ	200	.B # touch /root/uts-ns
0490a6ca KZ	201	.TQ
100a3ab5	202	.B # unshare --uts=/root/uts-ns hostname FOO
0490a6ca KZ	203	.TQ
	204	.B # nsenter --uts=/root/uts-ns hostname
	205	.TQ
	206	FOO
	207	.TQ
	208	.B # umount /root/uts-ns
	209	.br
de0f3763 BS	210	Establish a persistent UTS namespace, and modify the hostname. The namespace
	211	is then entered with \fBnsenter\fR. The namespace is destroyed by unmounting
	212	the bind reference.
249fc8fe	213	.TP
249fc8fe KZ	214	.B # mount --bind /root/namespaces /root/namespaces
249fc8fe KZ	215	.TQ
de0f3763	216	.B # mount --make-private /root/namespaces
249fc8fe	217	.TQ
de0f3763	218	.B # touch /root/namespaces/mnt
249fc8fe	219	.TQ
99b3fb9e	220	.B # unshare --mount=/root/namespaces/mnt
249fc8fe KZ	221	.br
249fc8fe KZ	222	Establish a persistent mount namespace referenced by the bind mount
de0f3763 BS	223	/root/namespaces/mnt. This example shows a portable solution, because it
de0f3763 BS	224	makes sure that the bind mount is created on a shared filesystem.
249fc8fe	225
4205f1fd	226	.SH SEE ALSO
c07f86e7	227	.BR clone (2),
f053ff1e	228	.BR unshare (2),
4a3f0735	229	.BR namespaces (7),
c07f86e7	230	.BR mount (8)
0490a6ca KZ	231	.SH AUTHORS
	232	.UR dottedmag@dottedmag.net
	233	Mikhail Gusarov
	234	.UE
	235	.br
	236	.UR kzak@redhat.com
	237	Karel Zak
	238	.UE
4205f1fd	239	.SH AVAILABILITY
601d12fb KZ	240	The unshare command is part of the util-linux package and is available from
601d12fb KZ	241	ftp://ftp.kernel.org/pub/linux/utils/util-linux/.