Open Source Software

unshare(1)



NAME

   unshare - run program with some namespaces unshared from parent

SYNOPSIS

   unshare [options] program [arguments]

DESCRIPTION

   Unshares  the  indicated  namespaces  from  the parent process and then
   executes the specified program.

   The namespaces can optionally  be  made  persistent  by  bind  mounting
   /proc/pid/ns/type   files   to  a  filesystem  path  and  entered  with
   nsenter(1) even  after  the  program  terminates.   Once  a  persistent
   namespace  is  no  longer needed, it can be unpersisted with umount(8).
   See the EXAMPLES section for more details.

   The namespaces to be unshared are indicated via  options.   Unshareable
   namespaces are:

   mount namespace
          Mounting  and unmounting filesystems will not affect the rest of
          the system (CLONE_NEWNS flag), except for filesystems which  are
          explicitly  marked  as  shared  (with  mount  --make-shared; see
          /proc/self/mountinfo or findmnt -o+PROPAGATION  for  the  shared
          flags).

          unshare   since   util-linux  version  2.27  automatically  sets
          propagation to private in a new mount  namespace  to  make  sure
          that  the  new  namespace  is really unshared.  It's possible to
          disable this feature with option --propagation unchanged.   Note
          that private is the kernel default.

   UTS namespace
          Setting  hostname  or domainname will not affect the rest of the
          system.  (CLONE_NEWUTS flag)

   IPC namespace
          The process will have an  independent  namespace  for  System  V
          message  queues,  semaphore  sets  and  shared  memory segments.
          (CLONE_NEWIPC flag)

   network namespace
          The process will have  independent  IPv4  and  IPv6  stacks,  IP
          routing tables, firewall rules, the /proc/net and /sys/class/net
          directory trees, sockets, etc.  (CLONE_NEWNET flag)

   pid namespace
          Children will have a distinct  set  of  PID-to-process  mappings
          from their parent.  (CLONE_NEWPID flag)

   cgroup namespace
          The  process  will have a virtualized view of /proc/self/cgroup,
          and new cgroup mounts will be rooted  at  the  namespace  cgroup
          root.  (CLONE_NEWCGROUP flag)

   user namespace
          The  process  will  have  a  distinct  set  of  UIDs,  GIDs  and
          capabilities.  (CLONE_NEWUSER flag)

   See clone(2) for the exact semantics of the flags.

OPTIONS

   -i, --ipc[=file]
          Unshare the  IPC  namespace.   If  file  is  specified,  then  a
          persistent namespace is created by a bind mount.

   -m, --mount[=file]
          Unshare  the  mount  namespace.   If  file  is specified, then a
          persistent namespace is created by a bind mount.  Note that file
          has  to be located on a filesystem with the propagation flag set
          to private.  Use the command  findmnt  -o+PROPAGATION  when  not
          sure about the current setting.  See also the examples below.

   -n, --net[=file]
          Unshare  the  network  namespace.   If file is specified, then a
          persistent namespace is created by a bind mount.

   -p, --pid[=file]
          Unshare the PID namespace.  If file is specified then persistent
          namespace  is  created by a bind mount.  See also the --fork and
          --mount-proc options.

   -u, --uts[=file]
          Unshare the  UTS  namespace.   If  file  is  specified,  then  a
          persistent namespace is created by a bind mount.

   -U, --user[=file]
          Unshare  the  user  namespace.   If  file  is  specified, then a
          persistent namespace is created by a bind mount.

   -C, --cgroup[=file]
          Unshare  the  cgroup  namespace.  If  file  is  specified   then
          persistent namespace is created by bind mount.

   -f, --fork
          Fork  the specified program as a child process of unshare rather
          than running it directly.  This is useful when  creating  a  new
          PID namespace.

   --mount-proc[=mountpoint]
          Just  before  running  the program, mount the proc filesystem at
          mountpoint (default is /proc).  This is useful when  creating  a
          new  PID  namespace.   It  also  implies  creating  a  new mount
          namespace since the /proc mount would otherwise mess up existing
          programs  on  the system.  The new proc filesystem is explicitly
          mounted as private (with MS_PRIVATE|MS_REC).

   -r, --map-root-user
          Run the program only after the current effective user and  group
          IDs  have  been mapped to the superuser UID and GID in the newly
          created user namespace.  This makes it possible to  conveniently
          gain  capabilities needed to manage various aspects of the newly
          created  namespaces  (such  as  configuring  interfaces  in  the
          network   namespace   or   mounting  filesystems  in  the  mount
          namespace) even when run unprivileged.  As  a  mere  convenience
          feature,  it does not support more sophisticated use cases, such
          as mapping multiple  ranges  of  UIDs  and  GIDs.   This  option
          implies --setgroups=deny.

   --propagation private|shared|slave|unchanged
          Recursively  set  the  mount  propagation  flag in the new mount
          namespace.  The default is to set the  propagation  to  private.
          It  is  possible  to  disable  this  feature  with  the argument
          unchanged.  The  option  is  silently  ignored  when  the  mount
          namespace (--mount) is not requested.

   --setgroups allow|deny
          Allow or deny the setgroups(2) syscall in a user namespace.

          To  be  able  to  call setgroups(2), the calling process must at
          least  have  CAP_SETGID.   But  since  Linux  3.19   a   further
          restriction   applies:  the  kernel  gives  permission  to  call
          setgroups(2) only after the GID map (/proc/pid/gid_map) has been
          set.   The  GID  map  is  writable  by root when setgroups(2) is
          enabled (i.e. allow, the  default),  and  the  GID  map  becomes
          writable   by   unprivileged   processes  when  setgroups(2)  is
          permanently disabled (with deny).

   -V, --version
          Display version information and exit.

   -h, --help
          Display help text and exit.

EXAMPLES

   # unshare --fork --pid --mount-proc readlink /proc/self
   1
          Establish a PID namespace, ensure we're PID 1 in  it  against  a
          newly mounted procfs instance.

   $ unshare --map-root-user --user sh -c whoami
   root
          Establish  a  user namespace as an unprivileged user with a root
          user within it.

   # touch /root/uts-ns
   # unshare --uts=/root/uts-ns hostname FOO
   # nsenter --uts=/root/uts-ns hostname
   FOO
   # umount /root/uts-ns
          Establish a persistent UTS namespace, and modify  the  hostname.
          The  namespace  is  then entered with nsenter.  The namespace is
          destroyed by unmounting the bind reference.

   # mount --bind /root/namespaces /root/namespaces
   # mount --make-private /root/namespaces
   # touch /root/namespaces/mnt
   # unshare --mount=/root/namespaces/mnt
          Establish a persistent mount namespace referenced  by  the  bind
          mount  /root/namespaces/mnt.   This  example  shows  a  portable
          solution, because it makes sure that the bind mount  is  created
          on a shared filesystem.

SEE ALSO

   unshare(2), clone(2), mount(8)

AUTHORS

   Mikhail Gusarov dottedmag@dottedmag.net
   Karel Zak kzak@redhat.com

AVAILABILITY

   The  unshare command is part of the util-linux package and is available
   from ftp://ftp.kernel.org/pub/linux/utils/util-linux/.



Free and Open Source Software


Free Software Video

Useful Programs

Free Online Courses

Open Opportunity

Open Business