NSENTER(1)                       User Commands                      NSENTER(1)

NAME
       nsenter - run program with namespaces of other processes

SYNOPSIS
       nsenter [options] [program [arguments]]

DESCRIPTION
       Enters the namespaces of one or more other processes and then executes
       the specified program. If program is not given, then "${SHELL}" is
       run (default: /bin/sh).

       Enterable namespaces are:

       mount namespace
              Mounting and unmounting filesystems will not affect the rest of
              the system, except for filesystems which are explicitly marked
              as shared (with mount --make-shared; see /proc/self/mountinfo
              for the shared flag). For further details, see
              mount_namespaces(7) and the discussion of the CLONE_NEWNS flag
              in clone(2).

       UTS namespace
              Setting hostname or domainname will not affect the rest of the
              system. For further details, see namespaces(7) and the
              discussion of the CLONE_NEWUTS flag in clone(2).

       IPC namespace
              The process will have an independent namespace for POSIX message
              queues as well as System V message queues, semaphore sets and
              shared memory segments. For further details, see namespaces(7)
              and the discussion of the CLONE_NEWIPC flag in clone(2).

       network namespace
              The process will have independent IPv4 and IPv6 stacks, IP
              routing tables, firewall rules, the /proc/net and /sys/class/net
              directory trees, sockets, etc. For further details, see
              namespaces(7) and the discussion of the CLONE_NEWNET flag in
              clone(2).

       PID namespace
              Children will have a set of PID to process mappings separate
              from the nsenter process. For further details, see
              pid_namespaces(7) and the discussion of the CLONE_NEWPID flag
              in clone(2).

              nsenter will fork by default if changing the PID namespace, so
              that the new program and its children share the same PID
              namespace and are visible to each other. If --no-fork is used,
              the new program will be exec'ed without forking.

       user namespace
              The process will have a distinct set of UIDs, GIDs and
              capabilities. For further details, see user_namespaces(7) and
              the discussion of the CLONE_NEWUSER flag in clone(2).

       cgroup namespace
              The process will have a virtualized view of /proc/self/cgroup,
              and new cgroup mounts will be rooted at the namespace cgroup
              root. For further details, see cgroup_namespaces(7) and the
              discussion of the CLONE_NEWCGROUP flag in clone(2).

       See clone(2) for the exact semantics of the flags.

OPTIONS
       Several of the options below that relate to namespaces take an optional
       file argument. This should be one of the /proc/[pid]/ns/* files
       described in namespaces(7).

       -a, --all
              Enter all namespaces of the target process by the default
              /proc/[pid]/ns/* namespace paths. The default paths to the
              target process namespaces may be overridden by namespace-specific
              options (e.g., --all --mount=[path]).

              The user namespace will be ignored if it is the same as the
              caller's current user namespace. This prevents a caller that has
              dropped capabilities from regaining those capabilities via a
              call to setns(). See setns(2) for more details.

       -t, --target pid
              Specify a target process to get contexts from. The paths to the
              contexts specified by pid are:

              /proc/pid/ns/mnt      the mount namespace
              /proc/pid/ns/uts      the UTS namespace
              /proc/pid/ns/ipc      the IPC namespace
              /proc/pid/ns/net      the network namespace
              /proc/pid/ns/pid      the PID namespace
              /proc/pid/ns/user     the user namespace
              /proc/pid/ns/cgroup   the cgroup namespace
              /proc/pid/root        the root directory
              /proc/pid/cwd         the working directory

       -m, --mount[=file]
              Enter the mount namespace. If no file is specified, enter the
              mount namespace of the target process. If file is specified,
              enter the mount namespace specified by file.

       -u, --uts[=file]
              Enter the UTS namespace. If no file is specified, enter the UTS
              namespace of the target process. If file is specified, enter
              the UTS namespace specified by file.

       -i, --ipc[=file]
              Enter the IPC namespace. If no file is specified, enter the IPC
              namespace of the target process. If file is specified, enter
              the IPC namespace specified by file.

       -n, --net[=file]
              Enter the network namespace. If no file is specified, enter the
              network namespace of the target process. If file is specified,
              enter the network namespace specified by file.

       -p, --pid[=file]
              Enter the PID namespace. If no file is specified, enter the PID
              namespace of the target process. If file is specified, enter
              the PID namespace specified by file.

       -U, --user[=file]
              Enter the user namespace. If no file is specified, enter the
              user namespace of the target process. If file is specified,
              enter the user namespace specified by file. See also the
              --setuid and --setgid options.

       -C, --cgroup[=file]
              Enter the cgroup namespace. If no file is specified, enter the
              cgroup namespace of the target process. If file is specified,
              enter the cgroup namespace specified by file.

       -G, --setgid gid
              Set the group ID which will be used in the entered namespace and
              drop supplementary groups. nsenter(1) always sets GID for user
              namespaces; the default is 0.

       -S, --setuid uid
              Set the user ID which will be used in the entered namespace.
              nsenter(1) always sets UID for user namespaces; the default is
              0.

       --preserve-credentials
              Don't modify UID and GID when entering a user namespace. The
              default is to drop supplementary groups and set GID and UID
              to 0.

       -r, --root[=directory]
              Set the root directory. If no directory is specified, set the
              root directory to the root directory of the target process. If
              directory is specified, set the root directory to the specified
              directory.

       -w, --wd[=directory]
              Set the working directory. If no directory is specified, set
              the working directory to the working directory of the target
              process. If directory is specified, set the working directory
              to the specified directory.

       -F, --no-fork
              Do not fork before exec'ing the specified program. By default,
              when entering a PID namespace, nsenter calls fork before calling
              exec so that any children will also be in the newly entered PID
              namespace.

       -Z, --follow-context
              Set the SELinux security context used for executing a new
              process according to the already running process specified by
              --target PID. (util-linux has to be compiled with SELinux
              support, otherwise the option is unavailable.)

       -V, --version
              Display version information and exit.

       -h, --help
              Display help text and exit.
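
The --target path table and the --all note on the user namespace suggest a pre-check: compare the target's /proc/[pid]/ns/* links with the caller's and enter only the namespaces that differ. The script below is an added example, not part of the util-linux man page; PROC_ROOT, the function names and the demo inode numbers are assumptions made for the example.

```sh
# Added example: list the namespaces in which a target differs from a caller.
PROC_ROOT=${PROC_ROOT:-/proc}   # assumption: overridable so a constructed tree can be used
NS_TYPES="mnt uts ipc net pid user cgroup"

# ns_id PID TYPE: print the link text, e.g. "net:[4026531992]"; empty if unreadable
ns_id() { readlink "$PROC_ROOT/$1/ns/$2" 2>/dev/null || true; }

# differing_namespaces TARGET [CALLER]: types that differ; "unknown:TYPE" if a
# link cannot be read (no permission, process gone)
differing_namespaces() {
    out=""
    for t in $NS_TYPES; do
        a=$(ns_id "$1" "$t"); b=$(ns_id "${2:-self}" "$t")
        if [ -z "$a" ] || [ -z "$b" ]; then out="$out unknown:$t"
        elif [ "$a" != "$b" ]; then out="$out $t"
        fi
    done
    echo "${out# }"
}

# nsenter_command TARGET [CALLER]: nsenter invocation limited to differing namespaces
nsenter_command() {
    flags=""
    for t in $(differing_namespaces "$1" "${2:-self}"); do
        case $t in
            mnt)       flags="$flags --mount" ;;
            unknown:*) echo "cannot compare ${t#unknown:} namespace" >&2 ;;
            *)         flags="$flags --$t" ;;   # uts ipc net pid user cgroup
        esac
    done
    if [ -n "$flags" ]; then echo "nsenter --target $1$flags"
    else echo "no namespace differs"; fi
}

# Demo on a constructed tree (inode numbers are made up): PID 200 is a container
# process that shares the network and user namespaces of host PID 100.
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/100/ns" "$d/200/ns"
    for t in $NS_TYPES; do
        ln -s "$t:[4026531000]" "$d/100/ns/$t"
        case $t in net|user) id=4026531000 ;; *) id=4026532000 ;; esac
        ln -s "$t:[$id]" "$d/200/ns/$t"
    done
    ( PROC_ROOT=$d; nsenter_command 200 100 )
    rm -rf "$d"
}
demo
```

On a live system, call nsenter_command with a real PID and no second argument to compare against the calling shell; a namespace missing from the result is one the target shares with the caller.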

SEE ALSO
       clone(2), setns(2), namespaces(7)

AUTHORS
       Eric Biederman ⟨biederm@xmission.com⟩
       Karel Zak ⟨kzak@redhat.com⟩

AVAILABILITY
       The nsenter command is part of the util-linux package and is available
       from Linux Kernel Archive
       ⟨https://www.kernel.org/pub/linux/utils/util-linux/⟩.

util-linux                         June 2013                        NSENTER(1)