UNSHARE(1)                       User Commands                      UNSHARE(1)

NAME

       unshare - run program with some namespaces unshared from parent

SYNOPSIS

       unshare [options] program [arguments]

DESCRIPTION

       Unshares the indicated namespaces from the parent process and then
       executes the specified program.  The namespaces to be unshared are
       indicated via options.  Unshareable namespaces are:

       mount namespace
              Mounting and unmounting filesystems will not affect the rest of
              the system (CLONE_NEWNS flag), except for filesystems which are
              explicitly marked as shared (with mount --make-shared; see
              /proc/self/mountinfo or findmnt -o+PROPAGATION for the shared
              flags).

              unshare automatically sets propagation to private in the new
              mount namespace to make sure that the new namespace is really
              unshared.  This can be disabled with the option --propagation
              unchanged.  Note that private is the kernel default.

       UTS namespace
              Setting hostname or domainname will not affect the rest of the
              system.  (CLONE_NEWUTS flag)

       IPC namespace
              The process will have an independent namespace for System V
              message queues, semaphore sets and shared memory segments.
              (CLONE_NEWIPC flag)

       network namespace
              The process will have independent IPv4 and IPv6 stacks, IP
              routing tables, firewall rules, the /proc/net and /sys/class/net
              directory trees, sockets, etc.  (CLONE_NEWNET flag)

       pid namespace
              Children will have a distinct set of PID-to-process mappings
              from their parent.  (CLONE_NEWPID flag)

       user namespace
              The process will have a distinct set of UIDs, GIDs and
              capabilities.  (CLONE_NEWUSER flag)

       See clone(2) for the exact semantics of the flags.

OPTIONS

       -i, --ipc
              Unshare the IPC namespace.

       -m, --mount
              Unshare the mount namespace.

       -n, --net
              Unshare the network namespace.

       -p, --pid
              Unshare the pid namespace.  See also the --fork and --mount-proc
              options.

       -u, --uts
              Unshare the UTS namespace.

       -U, --user
              Unshare the user namespace.

       -f, --fork
              Fork the specified program as a child process of unshare rather
              than running it directly.  This is useful when creating a new
              pid namespace.

       --mount-proc[=mountpoint]
              Just before running the program, mount the proc filesystem at
              mountpoint (default is /proc).  This is useful when creating a
              new pid namespace.  It also implies creating a new mount
              namespace since the /proc mount would otherwise mess up existing
              programs on the system.  The new proc filesystem is explicitly
              mounted as private (by MS_PRIVATE|MS_REC).

       -r, --map-root-user
              Run the program only after the current effective user and group
              IDs have been mapped to the superuser UID and GID in the newly
              created user namespace.  This makes it possible to conveniently
              gain capabilities needed to manage various aspects of the newly
              created namespaces (such as configuring interfaces in the
              network namespace or mounting filesystems in the mount
              namespace) even when run unprivileged.  As a mere convenience
              feature, it does not support more sophisticated use cases, such
              as mapping multiple ranges of UIDs and GIDs.  This option
              implies --setgroups=deny.

       --propagation private|shared|slave|unchanged
              Recursively sets the mount propagation flag in the new mount
              namespace.  The default is to set the propagation to private;
              this can be disabled with the unchanged argument.  The option
              is silently ignored when a mount namespace (--mount) is not
              requested.
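
       The mount namespace description and --propagation both point at
       /proc/self/mountinfo and findmnt -o+PROPAGATION for checking whether a
       mount is shared.  The following is an added example, not code from
       this page or from util-linux: it derives each mount's propagation
       state from the optional fields of a mountinfo line the way findmnt
       reports it, and counts the mounts that would still propagate mount
       events out of a new mount namespace unless unshare made them private.
       The function and type names are the example's own, and the sample
       lines are constructed, not captured from a real system.

```c
#include <stdio.h>
#include <string.h>

/* Propagation state of one mount, derived from the optional fields of a
 * /proc/self/mountinfo line in the same way findmnt -o PROPAGATION reports it. */
enum propagation {
    PROP_INVALID = -1,   /* not a valid mountinfo record */
    PROP_PRIVATE = 0,    /* neither shared: nor master: tag (the kernel default) */
    PROP_SHARED,         /* shared:N   -> sends mount events to peer group N */
    PROP_SLAVE,          /* master:N   -> receives mount events from peer group N */
    PROP_SHARED_SLAVE,   /* both tags  -> findmnt shows "shared,slave" */
    PROP_UNBINDABLE      /* unbindable */
};

static const char *propagation_name(enum propagation p)
{
    switch (p) {
    case PROP_PRIVATE:      return "private";
    case PROP_SHARED:       return "shared";
    case PROP_SLAVE:        return "slave";
    case PROP_SHARED_SLAVE: return "shared,slave";
    case PROP_UNBINDABLE:   return "unbindable";
    default:                return "invalid";
    }
}

/* Parse one mountinfo line.  Fields are: mount id, parent id, maj:min, root,
 * mount point, per-mount options, zero or more optional "tag[:value]" fields,
 * then a literal "-" separator (fs type, source and superblock options follow).
 * The mount point (field 5) is copied into mnt when a buffer is supplied. */
enum propagation mountinfo_propagation(const char *line, char *mnt, size_t mntsz)
{
    const char *p = line;
    int field = 0, shared = 0, slave = 0, unbindable = 0, separator = 0;

    if (mnt && mntsz) mnt[0] = '\0';
    while (*p) {
        while (*p == ' ' || *p == '\t') p++;                    /* skip field separators */
        if (*p == '\0' || *p == '\n') break;
        const char *start = p;
        while (*p && *p != ' ' && *p != '\t' && *p != '\n') p++;
        size_t len = (size_t)(p - start);
        field++;
        if (field == 5) {
            if (mnt && mntsz) snprintf(mnt, mntsz, "%.*s", (int)len, start);
            continue;
        }
        if (field < 7) continue;                                /* optional fields start at 7 */
        if (len == 1 && start[0] == '-') { separator = 1; break; }
        if (len > 7 && strncmp(start, "shared:", 7) == 0)        shared = 1;
        else if (len > 7 && strncmp(start, "master:", 7) == 0)   slave = 1;
        else if (len == 10 && strncmp(start, "unbindable", 10) == 0) unbindable = 1;
        /* propagate_from:N and unknown tags carry no extra state we need here */
    }
    if (!separator) return PROP_INVALID;                        /* too short or no "-" */
    if (unbindable)      return PROP_UNBINDABLE;
    if (shared && slave) return PROP_SHARED_SLAVE;
    if (shared)          return PROP_SHARED;
    if (slave)           return PROP_SLAVE;
    return PROP_PRIVATE;
}

/* Count mounts in a mountinfo file that are shared: mount events under them
 * would leak out of a new mount namespace, which is why unshare defaults to
 * --propagation private.  Returns -1 if the file cannot be read. */
int count_shared_mounts(const char *path)
{
    FILE *f = fopen(path, "r");
    char line[4096];
    int n = 0;
    if (!f) return -1;
    while (fgets(line, sizeof line, f)) {
        enum propagation p = mountinfo_propagation(line, NULL, 0);
        if (p == PROP_SHARED || p == PROP_SHARED_SLAVE) n++;
    }
    fclose(f);
    return n;
}

/* Constructed mountinfo lines (not from a real system) covering each state;
 * a shared root like the first line is what systemd-booted hosts have. */
static const char *const sample_mountinfo[] = {
    "36 35 98:0 / / rw,noatime shared:1 - ext4 /dev/sda1 rw",
    "37 36 0:5 / /dev rw master:2 - devtmpfs udev rw",
    "38 36 0:19 / /run rw,nosuid - tmpfs tmpfs rw",
    "39 36 0:3 / /proc rw unbindable - proc proc rw",
    "40 36 0:7 / /mnt/data rw shared:3 master:1 - ext4 /dev/sdb1 rw",
};

/* Shared mounts in the sample: "/" and "/mnt/data", so 2. */
int sample_shared_count(void)
{
    int n = 0;
    for (size_t i = 0; i < sizeof sample_mountinfo / sizeof sample_mountinfo[0]; i++) {
        enum propagation p = mountinfo_propagation(sample_mountinfo[i], NULL, 0);
        if (p == PROP_SHARED || p == PROP_SHARED_SLAVE) n++;
    }
    return n;
}

int main(void)
{
    char line[4096], mnt[512];
    FILE *f = fopen("/proc/self/mountinfo", "r");
    if (!f) { perror("/proc/self/mountinfo"); return 1; }
    while (fgets(line, sizeof line, f))
        printf("%-13s %s\n", propagation_name(mountinfo_propagation(line, mnt, sizeof mnt)), mnt);
    fclose(f);
    int shared = count_shared_mounts("/proc/self/mountinfo");
    printf("%d shared mount(s); %s\n", shared, shared > 0
           ? "unshare --mount makes them private unless --propagation unchanged is given"
           : "nothing would propagate out of a new mount namespace");
    return 0;
}
```

       Running it on a host where findmnt -o+PROPAGATION shows "shared" for /
       reports the same mounts; inside unshare --mount every line should read
       private, and with --propagation unchanged the host's tags are kept.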

       --setgroups allow|deny
              Allow or deny the setgroups(2) syscall in user namespaces.

              setgroups(2) is only callable with CAP_SETGID, and CAP_SETGID in
              a user namespace (since Linux 3.19) does not give you permission
              to call setgroups(2) until after the GID map has been set.  The
              GID map is writable by root when setgroups(2) is enabled, and
              the GID map becomes writable by unprivileged processes when
              setgroups(2) is permanently disabled.
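
       The following is an added example, not code from this page or from
       util-linux, covering the user and UTS namespace descriptions above
       together with --map-root-user and --setgroups.  In a forked child it
       unshares a user and a UTS namespace, performs the steps behind
       --map-root-user (write deny to /proc/self/setgroups, then a
       single-entry uid_map and gid_map), changes the hostname as the new
       root, and then checks from the parent that the hostname outside is
       unchanged.  The function names and the hostname are the example's
       own; the raw syscall wrappers behave exactly like the unshare(2) and
       sethostname(2) libc wrappers.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#ifndef CLONE_NEWUSER
#include <linux/sched.h>   /* CLONE_* flags if the libc headers did not expose them */
#endif

enum demo_result { DEMO_OK = 0, DEMO_FAILED = 1, DEMO_UNSUPPORTED = 2 };

/* Raw syscall wrappers, equivalent to the unshare(2)/sethostname(2) wrappers;
 * used so the example does not depend on feature-test-macro ordering. */
static int ns_unshare(int flags) { return (int)syscall(SYS_unshare, flags); }
static int ns_sethostname(const char *n, size_t len) { return (int)syscall(SYS_sethostname, n, len); }

/* Write one string to a /proc file in a single write(2), which the kernel
 * requires for uid_map and gid_map.  Returns 0 on success. */
static int write_proc(const char *path, const char *s)
{
    int fd = open(path, O_WRONLY);
    if (fd < 0) return -1;
    ssize_t n = write(fd, s, strlen(s));
    close(fd);
    return n == (ssize_t)strlen(s) ? 0 : -1;
}

/* The steps behind --map-root-user: deny setgroups(2) first (since Linux 3.19
 * an unprivileged process may only write gid_map after that), then map the
 * caller's outer uid and gid to 0 inside the new user namespace. */
static int map_root_user(uid_t outer_uid, gid_t outer_gid)
{
    char entry[64];
    if (write_proc("/proc/self/setgroups", "deny") < 0) return -1;
    snprintf(entry, sizeof entry, "0 %u 1", (unsigned)outer_uid);
    if (write_proc("/proc/self/uid_map", entry) < 0) return -1;
    snprintf(entry, sizeof entry, "0 %u 1", (unsigned)outer_gid);
    return write_proc("/proc/self/gid_map", entry);
}

/* Runs in the forked child.  outer_uid/outer_gid are captured before the
 * unshare, because afterwards getuid() reports the unmapped overflow id. */
static int child_demo(uid_t outer_uid, gid_t outer_gid)
{
    const char *name = "unshare-demo";   /* constructed hostname, visible only inside */
    char seen[256] = {0};

    /* CLONE_NEWUSER is applied first and gives the child full capabilities in
     * the new user namespace; the UTS namespace created in the same call is
     * owned by it, so the hostname change below needs no outside privilege. */
    if (ns_unshare(CLONE_NEWUSER | CLONE_NEWUTS) < 0)
        return DEMO_UNSUPPORTED;         /* EPERM/EINVAL: user namespaces disabled or sandboxed */
    if (map_root_user(outer_uid, outer_gid) < 0)
        return DEMO_UNSUPPORTED;         /* /proc unavailable or mapping refused by the sandbox */
    if (geteuid() != 0)
        return DEMO_FAILED;              /* map accepted, yet not root in the namespace */
    if (ns_sethostname(name, strlen(name)) < 0)
        return DEMO_UNSUPPORTED;
    if (gethostname(seen, sizeof seen - 1) < 0 || strcmp(seen, name) != 0)
        return DEMO_FAILED;              /* change not visible inside the namespace */
    return DEMO_OK;
}

/* Run the demo in a child so the caller's own namespaces stay untouched, then
 * verify the caller's hostname did not change: this is what "will not affect
 * the rest of the system" means for the UTS namespace. */
int run_user_uts_demo(void)
{
    char before[256] = {0}, after[256] = {0};
    int status;
    if (gethostname(before, sizeof before - 1) < 0) return DEMO_FAILED;
    pid_t pid = fork();
    if (pid < 0) return DEMO_FAILED;
    if (pid == 0) _exit(child_demo(getuid(), getgid()));
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return DEMO_FAILED;
    if (gethostname(after, sizeof after - 1) < 0 || strcmp(before, after) != 0)
        return DEMO_FAILED;              /* hostname leaked out of the UTS namespace */
    return WEXITSTATUS(status);
}

int main(void)
{
    static const char *const text[] = {
        "ok: root inside the user namespace, hostname change stayed in the UTS namespace",
        "failed: namespace semantics not as documented",
        "unsupported: unprivileged user namespaces are unavailable here" };
    int r = run_user_uts_demo();
    puts(text[r]);
    return r == DEMO_FAILED;
}
```

       The same sequence is what unshare --user --map-root-user does before
       exec; if kernel.unprivileged_userns_clone (Debian) or
       user.max_user_namespaces is set to 0 the first unshare fails with
       EPERM or ENOSPC and the program reports "unsupported".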

       -V, --version
              Display version information and exit.

       -h, --help
              Display help text and exit.

EXAMPLES

       # unshare --fork --pid --mount-proc readlink /proc/self
       1
              Establish a PID namespace and ensure we are PID 1 in it, as
              reported by a newly mounted procfs instance.

       $ unshare --map-root-user --user sh -c whoami
       root
              Establish a user namespace as an unprivileged user with a root
              user within it.
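
       The first example above depends on two details of --pid that the
       option descriptions state: unshare(CLONE_NEWPID) does not move the
       caller into the new PID namespace (hence --fork), and the existing
       /proc still belongs to the old namespace (hence --mount-proc).  The
       following is an added example, not code from this page or from
       util-linux, that reproduces unshare --fork --pid without the procfs
       remount so both effects can be observed: the grandchild sees itself as
       PID 1 through getpid(), while readlink /proc/self on the untouched
       procfs still names its PID from the outside.  The struct and function
       names are the example's own.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#ifndef CLONE_NEWPID
#include <linux/sched.h>   /* CLONE_* flags if the libc headers did not expose them */
#endif

enum { PIDDEMO_OK = 0, PIDDEMO_FAILED = 1, PIDDEMO_UNSUPPORTED = 2 };

/* What the process inside the new PID namespace observes about itself. */
struct pid_view {
    int via_getpid;      /* getpid() inside the new PID namespace */
    int via_proc_self;   /* PID named by readlink(/proc/self); -1 if unreadable */
};

/* Equivalent to the unshare(2) libc wrapper (see the note on feature macros). */
static int ns_unshare(int flags) { return (int)syscall(SYS_unshare, flags); }

/* The first fork stands in for the unshare process itself, the second is what
 * --fork adds: only children created after unshare(CLONE_NEWPID) land in the
 * new namespace, and the first of them becomes its PID 1. */
int run_pid_ns_demo(struct pid_view *out)
{
    int fds[2], status;
    if (pipe(fds) < 0) return PIDDEMO_FAILED;
    pid_t child = fork();
    if (child < 0) return PIDDEMO_FAILED;

    if (child == 0) {
        close(fds[0]);
        /* CLONE_NEWUSER in the same call is what lets an unprivileged user do this. */
        if (ns_unshare(CLONE_NEWUSER | CLONE_NEWPID) < 0)
            _exit(PIDDEMO_UNSUPPORTED);
        pid_t gc = fork();                                  /* the --fork step */
        if (gc < 0) _exit(PIDDEMO_FAILED);
        if (gc == 0) {
            struct pid_view v = { (int)getpid(), -1 };
            char link[32] = {0};
            /* /proc is still the parent's procfs instance, so /proc/self names
             * the PID as seen from outside, not 1: the gap --mount-proc closes. */
            if (readlink("/proc/self", link, sizeof link - 1) > 0)
                v.via_proc_self = atoi(link);
            if (write(fds[1], &v, sizeof v) != (ssize_t)sizeof v) _exit(PIDDEMO_FAILED);
            _exit(PIDDEMO_OK);
        }
        if (waitpid(gc, &status, 0) < 0 || !WIFEXITED(status)) _exit(PIDDEMO_FAILED);
        _exit(WEXITSTATUS(status));
    }

    close(fds[1]);
    if (waitpid(child, &status, 0) < 0 || !WIFEXITED(status)) { close(fds[0]); return PIDDEMO_FAILED; }
    int rc = WEXITSTATUS(status);
    if (rc == PIDDEMO_OK && read(fds[0], out, sizeof *out) != (ssize_t)sizeof *out)
        rc = PIDDEMO_FAILED;
    close(fds[0]);
    return rc;
}

/* 1 if the namespace behaved as documented (PID 1 via getpid, an outer PID
 * via the old /proc), 2 if the kernel or sandbox refused, 0 on a contradiction. */
int pid_ns_demo_check(void)
{
    struct pid_view v = { -1, -1 };
    int rc = run_pid_ns_demo(&v);
    if (rc == PIDDEMO_UNSUPPORTED) return 2;
    if (rc == PIDDEMO_OK && v.via_getpid == 1 && v.via_proc_self != 1) return 1;
    return 0;
}

int main(void)
{
    struct pid_view v = { -1, -1 };
    int rc = run_pid_ns_demo(&v);
    if (rc == PIDDEMO_UNSUPPORTED) { puts("unsupported: cannot create user+pid namespaces here"); return 0; }
    if (rc != PIDDEMO_OK) { puts("failed"); return 1; }
    printf("getpid() in the new namespace:      %d\n", v.via_getpid);     /* 1 */
    printf("readlink /proc/self (old procfs):  %d\n", v.via_proc_self);  /* outer PID */
    return 0;
}
```

       Adding CLONE_NEWNS to the unshare and mounting a fresh proc at /proc in
       the grandchild (what --mount-proc does, as a private mount) would make
       the second line read 1 as well, matching the readlink output shown in
       the example above.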

SEE ALSO

       unshare(2), clone(2), mount(8)

BUGS

       None known so far.

AUTHOR

       Mikhail Gusarov <dottedmag@dottedmag.net>

AVAILABILITY

       The unshare command is part of the util-linux package and is available
       from ftp://ftp.kernel.org/pub/linux/utils/util-linux/.

util-linux                         July 2014                        UNSHARE(1)