.TH NSENTER 1 "June 2013" "util-linux" "User Commands"
.SH NAME
nsenter \- run program with namespaces of other processes
.SH SYNOPSIS
.B nsenter
[options]
.RI [ program
.RI [ arguments ]]
.SH DESCRIPTION
Enters the namespaces of one or more other processes and then executes the specified
\fIprogram\fP. If \fIprogram\fP is not given, then ``${SHELL}'' is run (default: /bin\:/sh).
.PP
Enterable namespaces are:
.TP
.B mount namespace
Mounting and unmounting filesystems will not affect the rest of the system,
except for filesystems which are explicitly marked as shared (with
\fBmount --make-\:shared\fP; see \fI/proc\:/self\:/mountinfo\fP for the
\fBshared\fP flag).
For further details, see
.BR mount_namespaces (7)
and the discussion of the
.BR CLONE_NEWNS
flag in
.BR clone (2).
.TP
.B UTS namespace
Setting hostname or domainname will not affect the rest of the system.
For further details, see
.BR namespaces (7)
and the discussion of the
.BR CLONE_NEWUTS
flag in
.BR clone (2).
.TP
.B IPC namespace
The process will have an independent namespace for POSIX message queues
as well as System V message queues,
semaphore sets and shared memory segments.
For further details, see
.BR namespaces (7)
and the discussion of the
.BR CLONE_NEWIPC
flag in
.BR clone (2).
.TP
.B network namespace
The process will have independent IPv4 and IPv6 stacks, IP routing tables,
firewall rules, the
.I /proc\:/net
and
.I /sys\:/class\:/net
directory trees, sockets, etc.
For further details, see
.BR namespaces (7)
and the discussion of the
.BR CLONE_NEWNET
flag in
.BR clone (2).
.TP
.B PID namespace
Children will have a set of PID to process mappings separate from the
.B nsenter
process.
For further details, see
.BR pid_namespaces (7)
and the discussion of the
.BR CLONE_NEWPID
flag in
.BR clone (2).
.B nsenter
will fork by default if changing the PID namespace, so that the new program
and its children share the same PID namespace and are visible to each other.
If \fB\-\-no\-fork\fP is used, the new program will be exec'ed without forking.
.TP
.B user namespace
The process will have a distinct set of UIDs, GIDs and capabilities.
For further details, see
.BR user_namespaces (7)
and the discussion of the
.BR CLONE_NEWUSER
flag in
.BR clone (2).
.TP
.B cgroup namespace
The process will have a virtualized view of \fI/proc\:/self\:/cgroup\fP, and new
cgroup mounts will be rooted at the namespace cgroup root.
For further details, see
.BR cgroup_namespaces (7)
and the discussion of the
.BR CLONE_NEWCGROUP
flag in
.BR clone (2).
.PP
See \fBclone\fP(2) for the exact semantics of the flags.
.SH OPTIONS
Various of the options below that relate to namespaces take an optional
.I file
argument.
This should be one of the
.IR /proc/[pid]/ns/*
files described in
.BR namespaces (7).
.TP
\fB\-a\fR, \fB\-\-all\fR
Enter all namespaces of the target process by the default
.IR /proc/[pid]/ns/*
namespace paths. The default paths to the target process namespaces may be
overwritten by namespace specific options (e.g. \fB\-\-all \-\-mount\fR=[path]).

The user namespace will be ignored if the same as the caller's current user
namespace. It prevents a caller that has dropped capabilities from regaining
those capabilities via a call to setns(). See
.BR setns (2)
for more details.
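.PP
The following C program is an added example, not util-linux code, that models
two behaviours described on this page: joining namespaces through the
.IR /proc/[pid]/ns/*
files (the same-namespace check compares the nsfs inode of the target's
user namespace with the caller's own, which is how the rule above keeps a
capability-dropped caller from regaining privileges), and the default fork
after a PID namespace is joined, which \fB\-\-no\-fork\fP disables in the real
tool. The helper names (\fBns_path\fP, \fBsame_namespace\fP,
\fBshould_join_user_ns\fP, \fBjoin_namespace\fP, \fBrun_in_namespaces\fP) are
hypothetical, the namespace ordering is simplified compared to the real tool,
and joining a namespace needs the same privileges as \fBnsenter\fP itself
(CAP_SYS_ADMIN); the path and inode helpers work unprivileged.

```c
/* Added example, not util-linux code: a stripped-down model of how nsenter(1)
   uses the /proc/[pid]/ns/* files. Helper names are hypothetical. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

int setns(int fd, int nstype); /* sched.h prototype, repeated so this builds without _GNU_SOURCE */

/* Build "/proc/<pid>/ns/<type>" into buf. Returns 0, or -1 if it does not fit. */
int ns_path(pid_t pid, const char *type, char *buf, size_t len)
{
    int n = snprintf(buf, len, "/proc/%ld/ns/%s", (long)pid, type);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

/* Two ns files name the same namespace iff they share st_dev and st_ino
   (the nsfs inode is the namespace's identity). 1 = same, 0 = different, -1 = error. */
int same_namespace(const char *a, const char *b)
{
    struct stat sa, sb;
    if (stat(a, &sa) < 0 || stat(b, &sb) < 0) return -1;
    return (sa.st_dev == sb.st_dev && sa.st_ino == sb.st_ino) ? 1 : 0;
}

/* The --all rule from the man page: ignore the target's user namespace when it
   is the caller's own, so a caller that dropped capabilities cannot regain them
   through setns(2). Returns 1 if the user namespace should be joined, else 0. */
int should_join_user_ns(pid_t target)
{
    char path[64];
    if (ns_path(target, "user", path, sizeof path) < 0) return 0;
    return same_namespace("/proc/self/ns/user", path) == 0;
}

/* Join one namespace of target with setns(2); needs CAP_SYS_ADMIN like nsenter.
   Returns 0, or -1 with errno set. */
int join_namespace(pid_t target, const char *type)
{
    char path[64];
    if (ns_path(target, type, path, sizeof path) < 0) { errno = ENAMETOOLONG; return -1; }
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    if (fd < 0) return -1;
    int rc = setns(fd, 0);      /* nstype 0: accept whatever namespace type fd refers to */
    int saved = errno;
    close(fd);
    errno = saved;
    return rc;
}

/* Exec argv inside the joined namespaces. Mirrors the default (no --no-fork)
   behaviour: joining a PID namespace only affects children created afterwards,
   so the program is exec'ed in a forked child and the parent waits for it.
   Returns the child's exit status, or -1 on failure; does not return on exec. */
int run_in_namespaces(pid_t target, const char *const *types, size_t ntypes,
                      char *const argv[])
{
    int joined_pid_ns = 0;
    for (size_t i = 0; i < ntypes; i++) {
        if (strcmp(types[i], "user") == 0 && !should_join_user_ns(target))
            continue;
        if (join_namespace(target, types[i]) < 0) { perror(types[i]); return -1; }
        if (strcmp(types[i], "pid") == 0)
            joined_pid_ns = 1;
    }
    if (joined_pid_ns) {
        pid_t child = fork();
        if (child < 0) { perror("fork"); return -1; }
        if (child > 0) {
            int status = 0;
            waitpid(child, &status, 0);
            return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
        }
    }
    execvp(argv[0], argv);
    perror("execvp");
    _exit(127);
}

/* Usage: ./nsenter_model <pid> <program> [args...]; run as root, like nsenter.
   Ordering is simplified: real nsenter enters the user namespace in two passes. */
int main(int argc, char *argv[])
{
    if (argc < 3) { fprintf(stderr, "usage: %s pid program [args...]\n", argv[0]); return 2; }
    const char *types[] = { "user", "ipc", "uts", "net", "pid", "mnt" };
    return run_in_namespaces((pid_t)atol(argv[1]), types, 6, argv + 2);
}
```

Run against your own PID and the user namespace is skipped, because
\fI/proc/self/ns/user\fP and \fI/proc/<pid>/ns/user\fP resolve to the same nsfs
inode; the remaining \fBsetns\fP calls still fail with EPERM unless the process
holds CAP_SYS_ADMIN, which is the same requirement \fBnsenter\fP is subject to.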
.TP
\fB\-t\fR, \fB\-\-target\fR \fIpid\fP
Specify a target process to get contexts from. The paths to the contexts
specified by
.I pid
are:
.RS
.PD 0
.IP "" 20
.TP
/proc/\fIpid\fR/ns/mnt
the mount namespace
.TP
/proc/\fIpid\fR/ns/uts
the UTS namespace
.TP
/proc/\fIpid\fR/ns/ipc
the IPC namespace
.TP
/proc/\fIpid\fR/ns/net
the network namespace
.TP
/proc/\fIpid\fR/ns/pid
the PID namespace
.TP
/proc/\fIpid\fR/ns/user
the user namespace
.TP
/proc/\fIpid\fR/ns/cgroup
the cgroup namespace
.TP
/proc/\fIpid\fR/root
the root directory
.TP
/proc/\fIpid\fR/cwd
the working directory
.PD
.RE
.TP
\fB\-m\fR, \fB\-\-mount\fR[=\fIfile\fR]
Enter the mount namespace. If no file is specified, enter the mount namespace
of the target process.
If
.I file
is specified, enter the mount namespace
specified by
.IR file .
.TP
\fB\-u\fR, \fB\-\-uts\fR[=\fIfile\fR]
Enter the UTS namespace. If no file is specified, enter the UTS namespace of
the target process.
If
.I file
is specified, enter the UTS namespace specified by
.IR file .
.TP
\fB\-i\fR, \fB\-\-ipc\fR[=\fIfile\fR]
Enter the IPC namespace. If no file is specified, enter the IPC namespace of
the target process.
If
.I file
is specified, enter the IPC namespace specified by
.IR file .
.TP
\fB\-n\fR, \fB\-\-net\fR[=\fIfile\fR]
Enter the network namespace. If no file is specified, enter the network
namespace of the target process.
If
.I file
is specified, enter the network namespace specified by
.IR file .
.TP
\fB\-p\fR, \fB\-\-pid\fR[=\fIfile\fR]
Enter the PID namespace. If no file is specified, enter the PID namespace of
the target process.
If
.I file
is specified, enter the PID namespace specified by
.IR file .
.TP
\fB\-U\fR, \fB\-\-user\fR[=\fIfile\fR]
Enter the user namespace. If no file is specified, enter the user namespace of
the target process.
If
.I file
is specified, enter the user namespace specified by
.IR file .
See also the \fB\-\-setuid\fR and \fB\-\-setgid\fR options.
.TP
\fB\-C\fR, \fB\-\-cgroup\fR[=\fIfile\fR]
Enter the cgroup namespace. If no file is specified, enter the cgroup namespace of
the target process.
If
.I file
is specified, enter the cgroup namespace specified by
.IR file .
.TP
\fB\-G\fR, \fB\-\-setgid\fR \fIgid\fR
Set the group ID which will be used in the entered namespace and drop
supplementary groups.
.BR nsenter (1)
always sets the GID for user namespaces; the default is 0.
.TP
\fB\-S\fR, \fB\-\-setuid\fR \fIuid\fR
Set the user ID which will be used in the entered namespace.
.BR nsenter (1)
always sets the UID for user namespaces; the default is 0.
.TP
\fB\-\-preserve\-credentials\fR
Don't modify UID and GID when entering a user namespace. The default is to
drop supplementary groups and set GID and UID to 0.
.TP
\fB\-r\fR, \fB\-\-root\fR[=\fIdirectory\fR]
Set the root directory. If no directory is specified, set the root directory to
the root directory of the target process. If directory is specified, set the
root directory to the specified directory.
.TP
\fB\-w\fR, \fB\-\-wd\fR[=\fIdirectory\fR]
Set the working directory. If no directory is specified, set the working
directory to the working directory of the target process. If directory is
specified, set the working directory to the specified directory.
.TP
\fB\-F\fR, \fB\-\-no\-fork\fR
Do not fork before exec'ing the specified program. By default, when entering a
PID namespace, \fBnsenter\fP calls \fBfork\fP before calling \fBexec\fP so that
any children will also be in the newly entered PID namespace.
.TP
\fB\-Z\fR, \fB\-\-follow\-context\fR
Set the SELinux security context used for executing a new process according to
the already running process specified by the \fB\-\-target\fR PID. (util-linux has
to be compiled with SELinux support, otherwise the option is unavailable.)
.TP
\fB\-V\fR, \fB\-\-version\fR
Display version information and exit.
.TP
\fB\-h\fR, \fB\-\-help\fR
Display help text and exit.
.SH SEE ALSO
.BR clone (2),
.BR setns (2),
.BR namespaces (7)
.SH AUTHORS
.UR biederm@xmission.com
Eric Biederman
.UE
.br
.UR kzak@redhat.com
Karel Zak
.UE
.SH AVAILABILITY
The nsenter command is part of the util-linux package and is available from
.UR https://\:www.kernel.org\:/pub\:/linux\:/utils\:/util-linux/
Linux Kernel Archive
.UE .