diff options
Diffstat (limited to 'sys-utils/nsenter.1')
| -rw-r--r-- | sys-utils/nsenter.1 | 269 |
1 files changed, 269 insertions, 0 deletions
diff --git a/sys-utils/nsenter.1 b/sys-utils/nsenter.1 new file mode 100644 index 0000000..5674f8d --- /dev/null +++ b/sys-utils/nsenter.1 @@ -0,0 +1,269 @@ +.TH NSENTER 1 "June 2013" "util-linux" "User Commands" +.SH NAME +nsenter \- run program in different namespaces +.SH SYNOPSIS +.B nsenter +[options] +.RI [ program +.RI [ arguments ]] +.SH DESCRIPTION +The +.B nsenter +command executes +.I program +in the namespace(s) that are specified in the command-line options +(described below). +If \fIprogram\fP is not given, then ``${SHELL}'' is run (default: /bin\:/sh). +.PP +Enterable namespaces are: +.TP +.B mount namespace +Mounting and unmounting filesystems will not affect the rest of the system, +except for filesystems which are explicitly marked as shared (with +\fBmount --make-\:shared\fP; see \fI/proc\:/self\:/mountinfo\fP for the +\fBshared\fP flag). +For further details, see +.BR mount_namespaces (7) +and the discussion of the +.B CLONE_NEWNS +flag in +.BR clone (2). +.TP +.B UTS namespace +Setting hostname or domainname will not affect the rest of the system. +For further details, see +.BR uts_namespaces (7). +.TP +.B IPC namespace +The process will have an independent namespace for POSIX message queues +as well as System V message queues, +semaphore sets and shared memory segments. +For further details, see +.BR ipc_namespaces (7). +.TP +.B network namespace +The process will have independent IPv4 and IPv6 stacks, IP routing tables, +firewall rules, the +.I /proc\:/net +and +.I /sys\:/class\:/net +directory trees, sockets, etc. +For further details, see +.BR network_namespaces (7). +.TP +.B PID namespace +Children will have a set of PID to process mappings separate from the +.B nsenter +process. +.B nsenter +will fork by default if changing the PID namespace, so that the new program +and its children share the same PID namespace and are visible to each other. +If \fB\-\-no\-fork\fP is used, the new program will be exec'ed without forking. +For further details, see +.BR pid_namespaces (7). +.TP +.B user namespace +The process will have a distinct set of UIDs, GIDs and capabilities. +For further details, see +.BR user_namespaces (7). +.TP +.B cgroup namespace +The process will have a virtualized view of \fI/proc\:/self\:/cgroup\fP, and new +cgroup mounts will be rooted at the namespace cgroup root. +For further details, see +.BR cgroup_namespaces (7). +.TP +.B time namespace +The process can have a distinct view of +.B CLOCK_MONOTONIC +and/or +.B CLOCK_BOOTTIME +which can be changed using \fI/proc/self/timens_offsets\fP. +For further details, see +.BR time_namespaces (7). +.SH OPTIONS +Various of the options below that relate to namespaces take an optional +.I file +argument. +This should be one of the +.I /proc/[pid]/ns/* +files described in +.BR namespaces (7), +or the pathname of a bind mount that was created on one of those files. +.TP +\fB\-a\fR, \fB\-\-all\fR +Enter all namespaces of the target process by the default +.I /proc/[pid]/ns/* +namespace paths. The default paths to the target process namespaces may be +overwritten by namespace specific options (e.g., --all --mount=[path]). + +The user namespace will be ignored if the same as the caller's current user +namespace. It prevents a caller that has dropped capabilities from regaining +those capabilities via a call to setns(). See +.BR setns (2) +for more details. +.TP +\fB\-t\fR, \fB\-\-target\fR \fIpid\fP +Specify a target process to get contexts from. The paths to the contexts +specified by +.I pid +are: +.RS +.PD 0 +.IP "" 20 +.TP +/proc/\fIpid\fR/ns/mnt +the mount namespace +.TP +/proc/\fIpid\fR/ns/uts +the UTS namespace +.TP +/proc/\fIpid\fR/ns/ipc +the IPC namespace +.TP +/proc/\fIpid\fR/ns/net +the network namespace +.TP +/proc/\fIpid\fR/ns/pid +the PID namespace +.TP +/proc/\fIpid\fR/ns/user +the user namespace +.TP +/proc/\fIpid\fR/ns/cgroup +the cgroup namespace +.TP +/proc/\fIpid\fR/ns/time +the time namespace +.TP +/proc/\fIpid\fR/root +the root directory +.TP +/proc/\fIpid\fR/cwd +the working directory respectively +.PD +.RE +.TP +\fB\-m\fR, \fB\-\-mount\fR[=\fIfile\fR] +Enter the mount namespace. If no file is specified, enter the mount namespace +of the target process. +If +.I file +is specified, enter the mount namespace +specified by +.IR file . +.TP +\fB\-u\fR, \fB\-\-uts\fR[=\fIfile\fR] +Enter the UTS namespace. If no file is specified, enter the UTS namespace of +the target process. +If +.I file +is specified, enter the UTS namespace specified by +.IR file . +.TP +\fB\-i\fR, \fB\-\-ipc\fR[=\fIfile\fR] +Enter the IPC namespace. If no file is specified, enter the IPC namespace of +the target process. +If +.I file +is specified, enter the IPC namespace specified by +.IR file . +.TP +\fB\-n\fR, \fB\-\-net\fR[=\fIfile\fR] +Enter the network namespace. If no file is specified, enter the network +namespace of the target process. +If +.I file +is specified, enter the network namespace specified by +.IR file . +.TP +\fB\-p\fR, \fB\-\-pid\fR[=\fIfile\fR] +Enter the PID namespace. If no file is specified, enter the PID namespace of +the target process. +If +.I file +is specified, enter the PID namespace specified by +.IR file . +.TP +\fB\-U\fR, \fB\-\-user\fR[=\fIfile\fR] +Enter the user namespace. If no file is specified, enter the user namespace of +the target process. +If +.I file +is specified, enter the user namespace specified by +.IR file . +See also the \fB\-\-setuid\fR and \fB\-\-setgid\fR options. +.TP +\fB\-C\fR, \fB\-\-cgroup\fR[=\fIfile\fR] +Enter the cgroup namespace. If no file is specified, enter the cgroup namespace of +the target process. +If +.I file +is specified, enter the cgroup namespace specified by +.IR file . +.TP +\fB\-T\fR, \fB\-\-time\fR[=\fIfile\fR] +Enter the time namespace. If no file is specified, enter the time namespace of +the target process. +If +.I file +is specified, enter the time namespace specified by +.IR file . +.TP +\fB\-G\fR, \fB\-\-setgid\fR \fIgid\fR +Set the group ID which will be used in the entered namespace and drop +supplementary groups. +.BR nsenter (1) +always sets GID for user namespaces, the default is 0. +.TP +\fB\-S\fR, \fB\-\-setuid\fR \fIuid\fR +Set the user ID which will be used in the entered namespace. +.BR nsenter (1) +always sets UID for user namespaces, the default is 0. +.TP +\fB\-\-preserve\-credentials\fR +Don't modify UID and GID when enter user namespace. The default is to +drops supplementary groups and sets GID and UID to 0. +.TP +\fB\-r\fR, \fB\-\-root\fR[=\fIdirectory\fR] +Set the root directory. If no directory is specified, set the root directory to +the root directory of the target process. If directory is specified, set the +root directory to the specified directory. +.TP +\fB\-w\fR, \fB\-\-wd\fR[=\fIdirectory\fR] +Set the working directory. If no directory is specified, set the working +directory to the working directory of the target process. If directory is +specified, set the working directory to the specified directory. +.TP +\fB\-F\fR, \fB\-\-no\-fork\fR +Do not fork before exec'ing the specified program. By default, when entering a +PID namespace, \fBnsenter\fP calls \fBfork\fP before calling \fBexec\fP so that +any children will also be in the newly entered PID namespace. +.TP +\fB\-Z\fR, \fB\-\-follow\-context\fR +Set the SELinux security context used for executing a new process according to +already running process specified by \fB\-\-target\fR PID. (The util-linux has +to be compiled with SELinux support otherwise the option is unavailable.) +.TP +\fB\-V\fR, \fB\-\-version\fR +Display version information and exit. +.TP +\fB\-h\fR, \fB\-\-help\fR +Display help text and exit. +.SH AUTHORS +.UR biederm@xmission.com +Eric Biederman +.UE +.br +.UR kzak@redhat.com +Karel Zak +.UE +.SH SEE ALSO +.BR clone (2), +.BR setns (2), +.BR namespaces (7) +.SH AVAILABILITY +The nsenter command is part of the util-linux package and is available from +.UR https://\:www.kernel.org\:/pub\:/linux\:/utils\:/util-linux/ +Linux Kernel Archive +.UE . |