UNSHARE(1)                       User Commands                      UNSHARE(1)


NAME
       unshare - run program with some namespaces unshared from parent

SYNOPSIS
       unshare [options] [program [arguments]]

DESCRIPTION
       Unshares the indicated namespaces from the parent process and then
       executes the specified program.  If program is not given, then
       ``${SHELL}'' is run (default: /bin/sh).

       The namespaces can optionally be made persistent by bind mounting
       /proc/pid/ns/type files to a filesystem path; they can then be entered
       with nsenter(1) even after the program terminates (except PID
       namespaces, where a permanently running init process is required).
       Once a persistent namespace is no longer needed, it can be unpersisted
       with umount(8).  See the EXAMPLES section for more details.

       The namespaces to be unshared are indicated via options.  Unshareable
       namespaces are:

       mount namespace
              Mounting and unmounting filesystems will not affect the rest of
              the system, except for filesystems which are explicitly marked
              as shared (with mount --make-shared; see /proc/self/mountinfo or
              findmnt -o+PROPAGATION for the shared flags).  For further
              details, see mount_namespaces(7) and the discussion of the
              CLONE_NEWNS flag in clone(2).

              Since util-linux version 2.27, unshare automatically sets
              propagation to private in a new mount namespace to make sure
              that the new namespace is really unshared.  It is possible to
              disable this feature with the option --propagation unchanged.
              Note that private is the kernel default, but init systems such
              as systemd commonly remount the root filesystem shared, so
              check the current setting with findmnt -o+PROPAGATION before
              relying on it.

       UTS namespace
              Setting hostname or domainname will not affect the rest of the
              system.  For further details, see namespaces(7) and the
              discussion of the CLONE_NEWUTS flag in clone(2).

       IPC namespace
              The process will have an independent namespace for POSIX message
              queues as well as System V message queues, semaphore sets and
              shared memory segments.  For further details, see namespaces(7)
              and the discussion of the CLONE_NEWIPC flag in clone(2).

       network namespace
              The process will have independent IPv4 and IPv6 stacks, IP
              routing tables, firewall rules, the /proc/net and /sys/class/net
              directory trees, sockets, etc.  For further details, see
              namespaces(7) and the discussion of the CLONE_NEWNET flag in
              clone(2).

       PID namespace
              Children will have a distinct set of PID-to-process mappings
              from their parent.  For further details, see pid_namespaces(7)
              and the discussion of the CLONE_NEWPID flag in clone(2).

       cgroup namespace
              The process will have a virtualized view of /proc/self/cgroup,
              and new cgroup mounts will be rooted at the namespace cgroup
              root.  For further details, see cgroup_namespaces(7) and the
              discussion of the CLONE_NEWCGROUP flag in clone(2).

       user namespace
              The process will have a distinct set of UIDs, GIDs and
              capabilities.  For further details, see user_namespaces(7) and
              the discussion of the CLONE_NEWUSER flag in clone(2).
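
       The following script is an added example (not part of util-linux or
       of this manual page) that shows the mount namespace isolation and the
       private propagation described above from a shell.  It runs without
       real root by pairing --mount with --user --map-root-user, and assumes
       that the kernel allows unprivileged user namespaces and that findmnt
       from the same util-linux package is installed; the directory it
       mounts on is created with mktemp.

```shell
#!/bin/sh
# Added example, not util-linux code: mount a tmpfs inside an unshared mount
# namespace and show (a) that unshare left the new namespace with private
# propagation and (b) that the mount is invisible from the caller's namespace.
# Assumes unprivileged user namespaces are enabled: --user --map-root-user
# makes the caller the owner of the new mount namespace, with CAP_SYS_ADMIN
# there, so tmpfs can be mounted without real root.

# Inside a fresh user+mount namespace: mount a tmpfs on $1, drop a marker file
# in it and report the propagation flag of that mount as seen from inside.
# Prints "ok <propagation>"; the mount goes away with the namespace.
mount_inside() {
    unshare --user --map-root-user --mount sh -ec '
        mount -t tmpfs none "$1"
        touch "$1/inside-only"
        echo "ok $(findmnt -n -o PROPAGATION "$1")"
    ' sh "$1"
}

# Succeeds if the marker file is NOT visible from the caller's namespace,
# i.e. the mount really was private to the unshared namespace.
not_visible_outside() {
    [ ! -e "$1/inside-only" ]
}

# The check the manual recommends before relying on the kernel default:
# propagation of the caller's root mount (systemd-based systems usually
# report "shared" here rather than the kernel default "private").
propagation_of_root() {
    findmnt -n -o PROPAGATION /
}

# Usage: sh this-script.sh run
if [ "${1:-}" = run ]; then
    d=$(mktemp -d)
    echo "root propagation outside: $(propagation_of_root)"
    mount_inside "$d"
    if not_visible_outside "$d"; then
        echo "outside: $d is still empty"
    fi
    rmdir "$d"
fi
```

       Run it as "sh script.sh run": mount_inside reports "ok private" even
       on a host whose root mount is shared, because unshare made the new
       namespace private before the tmpfs was mounted, and the marker file
       never appears in the caller's view of the directory.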

OPTIONS
       -i, --ipc[=file]
              Unshare the IPC namespace.  If file is specified, then a
              persistent namespace is created by a bind mount.

       -m, --mount[=file]
              Unshare the mount namespace.  If file is specified, then a
              persistent namespace is created by a bind mount.  Note that file
              has to be located on a filesystem with the propagation flag set
              to private.  Use the command findmnt -o+PROPAGATION when not
              sure about the current setting.  See also the examples below.

       -n, --net[=file]
              Unshare the network namespace.  If file is specified, then a
              persistent namespace is created by a bind mount.

       -p, --pid[=file]
              Unshare the PID namespace.  If file is specified, then a
              persistent namespace is created by a bind mount.  See also the
              --fork and --mount-proc options.

       -u, --uts[=file]
              Unshare the UTS namespace.  If file is specified, then a
              persistent namespace is created by a bind mount.

       -U, --user[=file]
              Unshare the user namespace.  If file is specified, then a
              persistent namespace is created by a bind mount.

       -C, --cgroup[=file]
              Unshare the cgroup namespace.  If file is specified, then a
              persistent namespace is created by a bind mount.

       -f, --fork
              Fork the specified program as a child process of unshare rather
              than running it directly.  This is useful when creating a new
              PID namespace: the process that calls unshare(2) stays in its
              original PID namespace and only its subsequently created
              children are placed in the new one, so the forked child becomes
              PID 1 there.

       --keep-caps
              When the --user option is given, ensure that capabilities
              granted in the user namespace are preserved in the child
              process.

       --kill-child[=signame]
              When unshare terminates, have signame be sent to the forked
              child process.  Combined with --pid this allows for an easy and
              reliable killing of the entire process tree below unshare.  If
              not given, signame defaults to SIGKILL.  This option implies
              --fork.

       --mount-proc[=mountpoint]
              Just before running the program, mount the proc filesystem at
              mountpoint (default is /proc).  This is useful when creating a
              new PID namespace.  It also implies creating a new mount
              namespace since the /proc mount would otherwise mess up existing
              programs on the system.  The new proc filesystem is explicitly
              mounted as private (with MS_PRIVATE|MS_REC).

       -r, --map-root-user
              Run the program only after the current effective user and group
              IDs have been mapped to the superuser UID and GID in the newly
              created user namespace.  This makes it possible to conveniently
              gain capabilities needed to manage various aspects of the newly
              created namespaces (such as configuring interfaces in the
              network namespace or mounting filesystems in the mount
              namespace) even when run unprivileged.  Note that this root is
              root only inside the new user namespace: the capabilities it
              holds apply to the namespaces owned by that user namespace, not
              to the parent's resources, and file access is still checked
              against the caller's real identity.  As a mere convenience
              feature, it does not support more sophisticated use cases, such
              as mapping multiple ranges of UIDs and GIDs.  This option
              implies --setgroups=deny and --user.

       -c, --map-current-user
              Run the program only after the current effective user and group
              IDs have been mapped to the same UID and GID in the newly
              created user namespace.  This option implies --setgroups=deny
              and --user.

       --propagation private|shared|slave|unchanged
              Recursively set the mount propagation flag in the new mount
              namespace.  The default is to set the propagation to private.
              It is possible to disable this feature with the argument
              unchanged.  The option is silently ignored when the mount
              namespace (--mount) is not requested.
156
       --setgroups allow|deny
              Allow or deny the setgroups(2) system call in a user namespace.

              To be able to call setgroups(2), the calling process must at
              least have CAP_SETGID.  But since Linux 3.19 a further
              restriction applies: the kernel gives permission to call
              setgroups(2) only after the GID map (/proc/pid/gid_map) has been
              set.  The GID map is writable by root when setgroups(2) is
              enabled (i.e., allow, the default), and the GID map becomes
              writable by unprivileged processes only when setgroups(2) has
              been permanently disabled (with deny).  The restriction exists
              because dropping a supplementary group can grant access to files
              whose group permissions are used to deny it.

       -R, --root=dir
              Run the command with the root directory set to dir.

       -w, --wd=dir
              Change the working directory to dir.

       -S, --setuid uid
              Set the user ID which will be used in the entered namespace.

       -G, --setgid gid
              Set the group ID which will be used in the entered namespace and
              drop supplementary groups.

       -V, --version
              Display version information and exit.

       -h, --help
              Display help text and exit.

NOTES
       Mounting proc and sysfs as root inside a user namespace has to be
       restricted, so that a less privileged user cannot gain more access to
       sensitive files than a more privileged user left available in the
       parent namespace (for example after over-mounting parts of /proc).
       In short, the rule for proc and sysfs is that a new mount behaves as
       closely as possible to a bind mount of the existing instance: the
       kernel only permits it when a fully visible instance is already
       mounted in the caller's mount namespace, and refuses it otherwise.
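
       The following script is an added example (not part of util-linux or
       of this manual page) that shows two consequences of the above from a
       shell: a PID namespace without --mount-proc still sees the parent's
       procfs, so /proc/self resolves to the PID in the parent namespace
       rather than 1, and an unprivileged user namespace may be refused a
       fresh proc mount altogether when the existing /proc is not fully
       visible.  It assumes the kernel allows unprivileged user namespaces.

```shell
#!/bin/sh
# Added example, not util-linux code: why --mount-proc matters for a PID
# namespace, and the proc-mount restriction from NOTES seen from user space.
# Runs unprivileged via --user --map-root-user; assumes unprivileged user
# namespaces are enabled.

# The PID the program finds for itself by resolving /proc/self.  The link is
# resolved by the procfs instance, not by the caller's PID namespace: with
# the inherited /proc ($1 = inherit) it reports the PID in the parent
# namespace, while a freshly mounted instance ($1 = mount) reports 1.
# The program is exec'd directly (no shell), so it is the forked PID 1.
self_pid_via_proc() {
    case $1 in
        mount)   extra=--mount-proc ;;
        inherit) extra= ;;
        *) echo "usage: self_pid_via_proc mount|inherit" >&2; return 2 ;;
    esac
    unshare --user --map-root-user --pid --fork $extra readlink /proc/self
}

# Does the kernel allow this user namespace to mount a fresh procfs at all?
# It refuses (EPERM) when the existing /proc is not fully visible, e.g. when
# a container runtime has over-mounted parts of it; that is the restriction
# described in NOTES.  Returns 0 if allowed, non-zero otherwise.
can_mount_proc_unprivileged() {
    unshare --user --map-root-user --mount sh -c '
        d=$(mktemp -d) && mount -t proc proc "$d" && umount "$d" && rmdir "$d"
    ' >/dev/null 2>&1
}

# Usage: sh this-script.sh run
if [ "${1:-}" = run ]; then
    echo "inherited /proc says PID $(self_pid_via_proc inherit)"
    if can_mount_proc_unprivileged; then
        echo "fresh /proc says PID $(self_pid_via_proc mount)"
    else
        echo "mounting proc in a user namespace is refused here (see NOTES)"
    fi
fi
```

       The practical lesson is that a PID namespace alone hides nothing:
       tools such as ps read /proc, and without --mount-proc they keep
       listing every process of the parent namespace.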
194

EXAMPLES
       # unshare --fork --pid --mount-proc readlink /proc/self
       1
              Establish a PID namespace, ensure we're PID 1 in it against a
              newly mounted procfs instance.

       $ unshare --map-root-user --user sh -c whoami
       root
              Establish a user namespace as an unprivileged user with a root
              user within it.

       # touch /root/uts-ns
       # unshare --uts=/root/uts-ns hostname FOO
       # nsenter --uts=/root/uts-ns hostname
       FOO
       # umount /root/uts-ns
              Establish a persistent UTS namespace, and modify the hostname.
              The namespace is then entered with nsenter.  The namespace is
              destroyed by unmounting the bind reference.

       # mount --bind /root/namespaces /root/namespaces
       # mount --make-private /root/namespaces
       # touch /root/namespaces/mnt
       # unshare --mount=/root/namespaces/mnt
              Establish a persistent mount namespace referenced by the bind
              mount /root/namespaces/mnt.  This example shows a portable
              solution: the bind mount holding the reference is explicitly
              made private, so it works even when the root filesystem is
              mounted shared (the reference file must live on a private
              mount, see --mount above).

       # unshare -pf --kill-child -- bash -c "(sleep 999 &) && sleep 1000" &
       # pid=$!
       # kill $pid
              Reliable killing of subprocesses of the program.  When unshare
              gets killed, everything below it gets killed as well.  Without
              --kill-child, the children of program would have been orphaned
              and re-parented to PID 1.
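
       The following script is an added example (not part of util-linux or
       of this manual page) that generalises the persistent-namespace
       examples above into a small lifecycle helper for any namespace type
       unshare can pin (uts, ipc, net, mount, user, cgroup; not pid, which
       needs a running init).  It assumes root with CAP_SYS_ADMIN in the
       initial user namespace, that nsenter(1) and hostname(1) are installed,
       and uses an assumed holder directory NSDIR (defaulting to
       /run/example-ns, which is not a util-linux convention).

```shell
#!/bin/sh
# Added example, not util-linux code: the persistent-namespace lifecycle from
# the manual's examples, generalised to any namespace type unshare can pin
# (uts, ipc, net, mount, user, cgroup; not pid, which needs a running init).
# Requires root with CAP_SYS_ADMIN in the initial user namespace.  NSDIR is an
# assumed location, not a util-linux convention.

NSDIR=${NSDIR:-/run/example-ns}

# Holder directory: a private bind mount, so the reference works even when the
# root filesystem is mounted shared (see --mount and the example above).
prepare_holder() {
    mkdir -p "$NSDIR" &&
    mount --bind "$NSDIR" "$NSDIR" &&
    mount --make-private "$NSDIR"
}

# Pin a new namespace of type $1 (uts, net, ...) to $NSDIR/$2.  The program
# may exit immediately; the bind mount keeps the namespace alive.
pin_ns() {
    touch "$NSDIR/$2" &&
    unshare "--$1=$NSDIR/$2" true
}

# Identity (the ns link, e.g. "uts:[4026532254]") of the pinned namespace as
# seen by a process entered with nsenter; stable while the pin exists.
pinned_id() {
    nsenter "--$1=$NSDIR/$2" readlink "/proc/self/ns/$1"
}

# Run a command inside the pinned namespace:  pinned_run uts demo hostname
pinned_run() {
    type=$1; name=$2; shift 2
    nsenter "--$type=$NSDIR/$name" "$@"
}

# Unpin: drop the bind reference; the namespace is destroyed once nothing
# else (a process or another bind mount) holds it.
unpin_ns() {
    umount "$NSDIR/$2" && rm -f "$NSDIR/$2"
}

teardown_holder() {
    umount "$NSDIR" && rmdir "$NSDIR"
}

# Usage (as root): sh this-script.sh run
if [ "${1:-}" = run ]; then
    prepare_holder
    pin_ns uts demo
    pinned_run uts demo hostname pinned-demo
    echo "inside:  $(pinned_run uts demo hostname) $(pinned_id uts demo)"
    echo "outside: $(hostname) $(readlink /proc/self/ns/uts)"
    unpin_ns uts demo
    teardown_holder
fi
```

       The hostname set through pinned_run survives between nsenter calls
       because the bind mount, not a process, is what keeps the namespace
       alive; after unpin_ns the reference file is a plain empty file and
       nsenter can no longer use it.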

SEE ALSO
       clone(2), unshare(2), nsenter(1), namespaces(7), mount_namespaces(7),
       pid_namespaces(7), user_namespaces(7), cgroup_namespaces(7), mount(8),
       umount(8)

AUTHORS
       Mikhail Gusarov ⟨dottedmag@dottedmag.net⟩
       Karel Zak ⟨kzak@redhat.com⟩

AVAILABILITY
       The unshare command is part of the util-linux package and is available
       from https://www.kernel.org/pub/linux/utils/util-linux/.

util-linux                       February 2016                      UNSHARE(1)