.\" Copyright (c) 2013 by Michael Kerrisk <mtk.manpages@gmail.com>
.\" and Copyright (c) 2012 by Eric W. Biederman <ebiederm@xmission.com>
.\"
.\" %%%LICENSE_START(VERBATIM)
.\" Permission is granted to make and distribute verbatim copies of this
.\" manual provided the copyright notice and this permission notice are
.\" preserved on all copies.
.\"
.\" Permission is granted to copy and distribute modified versions of this
.\" manual under the conditions for verbatim copying, provided that the
.\" entire resulting derived work is distributed under the terms of a
.\" permission notice identical to this one.
.\"
.\" Since the Linux kernel and libraries are constantly changing, this
.\" manual page may be incorrect or out-of-date. The author(s) assume no
.\" responsibility for errors or omissions, or for damages resulting from
.\" the use of the information contained herein. The author(s) may not
.\" have taken the same level of care in the production of this manual,
.\" which is licensed free of charge, as they might when working
.\" professionally.
.\"
.\" Formatted or processed versions of this manual, if unaccompanied by
.\" the source, must acknowledge the copyright and authors of this work.
.\" %%%LICENSE_END
.\"
.\"
.TH NAMESPACES 7 2016-07-17 "Linux" "Linux Programmer's Manual"
.SH NAME
namespaces \- overview of Linux namespaces
.SH DESCRIPTION
A namespace wraps a global system resource in an abstraction that
makes it appear to the processes within the namespace that they
have their own isolated instance of the global resource.
Changes to the global resource are visible to other processes
that are members of the namespace, but are invisible to other processes.
One use of namespaces is to implement containers.
Linux provides the following namespaces:
.TS
lB lB lB
l lB l.
Namespace Constant Isolates
Cgroup CLONE_NEWCGROUP Cgroup root directory
IPC CLONE_NEWIPC System V IPC, POSIX message queues
Network CLONE_NEWNET Network devices, stacks, ports, etc.
Mount CLONE_NEWNS Mount points
PID CLONE_NEWPID Process IDs
User CLONE_NEWUSER User and group IDs
UTS CLONE_NEWUTS Hostname and NIS domain name
.TE
This page describes the various namespaces and the associated
.I /proc
files, and summarizes the APIs for working with namespaces.
.\"
.\" ==================== The namespaces API ====================
.\"
.SS The namespaces API
As well as various
.I /proc
files described below,
the namespaces API includes the following system calls:
.TP
.BR clone (2)
The
.BR clone (2)
system call creates a new process.
If the
.I flags
argument of the call specifies one or more of the
.B CLONE_NEW*
flags listed below, then new namespaces are created for each flag,
and the child process is made a member of those namespaces.
(This system call also implements a number of features
unrelated to namespaces.)
.TP
.BR setns (2)
The
.BR setns (2)
system call allows the calling process to join an existing namespace.
The namespace to join is specified via a file descriptor that refers to
one of the
.IR /proc/[pid]/ns
files described below.
.TP
.BR unshare (2)
The
.BR unshare (2)
system call moves the calling process to a new namespace.
If the
.I flags
argument of the call specifies one or more of the
.B CLONE_NEW*
flags listed below, then new namespaces are created for each flag,
and the calling process is made a member of those namespaces.
(This system call also implements a number of features
unrelated to namespaces.)
.PP
Creation of new namespaces using
.BR clone (2)
and
.BR unshare (2)
in most cases requires the
.BR CAP_SYS_ADMIN
capability.
User namespaces are the exception: since Linux 3.8,
no privilege is required to create a user namespace.
.\"
.\" ==================== The /proc/[pid]/ns/ directory ====================
.\"
.SS The /proc/[pid]/ns/ directory
Each process has a
.IR /proc/[pid]/ns/
.\" See commit 6b4e306aa3dc94a0545eb9279475b1ab6209a31f
subdirectory containing one entry for each namespace that
supports being manipulated by
.BR setns (2):
.in +4n
.nf
$ \fBls \-l /proc/$$/ns\fP
total 0
lrwxrwxrwx. 1 mtk mtk 0 Apr 28 12:46 cgroup \-> cgroup:[4026531835]
lrwxrwxrwx. 1 mtk mtk 0 Apr 28 12:46 ipc \-> ipc:[4026531839]
lrwxrwxrwx. 1 mtk mtk 0 Apr 28 12:46 mnt \-> mnt:[4026531840]
lrwxrwxrwx. 1 mtk mtk 0 Apr 28 12:46 net \-> net:[4026531969]
lrwxrwxrwx. 1 mtk mtk 0 Apr 28 12:46 pid \-> pid:[4026531836]
lrwxrwxrwx. 1 mtk mtk 0 Apr 28 12:46 user \-> user:[4026531837]
lrwxrwxrwx. 1 mtk mtk 0 Apr 28 12:46 uts \-> uts:[4026531838]
.fi
.in
Bind mounting (see
.BR mount (2))
one of the files in this directory
to somewhere else in the filesystem keeps
the corresponding namespace of the process specified by
.I pid
alive even if all processes currently in the namespace terminate.
Opening one of the files in this directory
(or a file that is bind mounted to one of these files)
returns a file descriptor for
the corresponding namespace of the process specified by
.IR pid .
As long as this file descriptor remains open,
the namespace will remain alive,
even if all processes in the namespace terminate.
The file descriptor can be passed to
.BR setns (2).
In Linux 3.7 and earlier, these files were visible as hard links.
Since Linux 3.8,
.\" commit bf056bfa80596a5d14b26b17276a56a0dcb080e5
they appear as symbolic links.
If two processes are in the same namespace, then the inode numbers of their
.IR /proc/[pid]/ns/xxx
symbolic links will be the same; an application can check this using the
.I stat.st_ino
field returned by
.BR stat (2).
The content of this symbolic link is a string containing
the namespace type and inode number as in the following example:
.in +4n
.nf
$ \fBreadlink /proc/$$/ns/uts\fP
uts:[4026531838]
.fi
.in
The symbolic links in this subdirectory are as follows:
.TP
.IR /proc/[pid]/ns/cgroup " (since Linux 4.6)"
This file is a handle for the cgroup namespace of the process.
.TP
.IR /proc/[pid]/ns/ipc " (since Linux 3.0)"
This file is a handle for the IPC namespace of the process.
.TP
.IR /proc/[pid]/ns/mnt " (since Linux 3.8)"
.\" commit 8823c079ba7136dc1948d6f6dcb5f8022bde438e
This file is a handle for the mount namespace of the process.
.TP
.IR /proc/[pid]/ns/net " (since Linux 3.0)"
This file is a handle for the network namespace of the process.
.TP
.IR /proc/[pid]/ns/pid " (since Linux 3.8)"
.\" commit 57e8391d327609cbf12d843259c968b9e5c1838f
This file is a handle for the PID namespace of the process.
.TP
.IR /proc/[pid]/ns/user " (since Linux 3.8)"
.\" commit cde1975bc242f3e1072bde623ef378e547b73f91
This file is a handle for the user namespace of the process.
.TP
.IR /proc/[pid]/ns/uts " (since Linux 3.0)"
This file is a handle for the UTS namespace of the process.
.PP
Permission to dereference or read
.RB ( readlink (2))
these symbolic links is governed by a ptrace access mode
.B PTRACE_MODE_READ_FSCREDS
check; see
.BR ptrace (2).
.\"
.\" ==================== Cgroup namespaces ====================
.\"
.SS Cgroup namespaces (CLONE_NEWCGROUP)
See
.BR cgroup_namespaces (7).
.\"
.\" ==================== IPC namespaces ====================
.\"
.SS IPC namespaces (CLONE_NEWIPC)
IPC namespaces isolate certain IPC resources,
namely, System V IPC objects (see
.BR svipc (7))
and (since Linux 2.6.30)
.\" commit 7eafd7c74c3f2e67c27621b987b28397110d643f
.\" https://lwn.net/Articles/312232/
POSIX message queues (see
.BR mq_overview (7)).
The common characteristic of these IPC mechanisms is that IPC
objects are identified by mechanisms other than filesystem
pathnames.
Each IPC namespace has its own set of System V IPC identifiers and
its own POSIX message queue filesystem.
Objects created in an IPC namespace are visible to all other processes
that are members of that namespace,
but are not visible to processes in other IPC namespaces.
The following
.I /proc
interfaces are distinct in each IPC namespace:
.IP * 3
The POSIX message queue interfaces in
.IR /proc/sys/fs/mqueue .
.IP *
The System V IPC interfaces in
.IR /proc/sys/kernel ,
namely:
.IR msgmax ,
.IR msgmnb ,
.IR msgmni ,
.IR sem ,
.IR shmall ,
.IR shmmax ,
.IR shmmni ,
and
.IR shm_rmid_forced .
.IP *
The System V IPC interfaces in
.IR /proc/sysvipc .
.PP
When an IPC namespace is destroyed
(i.e., when the last process that is a member of the namespace terminates),
all IPC objects in the namespace are automatically destroyed.
Use of IPC namespaces requires a kernel that is configured with the
.B CONFIG_IPC_NS
option.
.\"
.\" ==================== Network namespaces ====================
.\"
.SS Network namespaces (CLONE_NEWNET)
Network namespaces provide isolation of the system resources associated
with networking: network devices, IPv4 and IPv6 protocol stacks,
IP routing tables, firewalls, the
.I /proc/net
directory, the
.I /sys/class/net
directory, port numbers (sockets), and so on.
A physical network device can live in exactly one
network namespace.
A virtual network device ("veth") pair provides a pipe-like abstraction
.\" FIXME . Add pointer to veth(4) page when it is eventually completed
that can be used to create tunnels between network namespaces,
and can be used to create a bridge to a physical network device
in another namespace.
When a network namespace is freed
(i.e., when the last process in the namespace terminates),
its physical network devices are moved back to the
initial network namespace (not to the parent of the process).
Use of network namespaces requires a kernel that is configured with the
.B CONFIG_NET_NS
option.
.\"
.\" ==================== Mount namespaces ====================
.\"
.SS Mount namespaces (CLONE_NEWNS)
See
.BR mount_namespaces (7).
.\"
.\" ==================== PID namespaces ====================
.\"
.SS PID namespaces (CLONE_NEWPID)
See
.BR pid_namespaces (7).
.\"
.\" ==================== User namespaces ====================
.\"
.SS User namespaces (CLONE_NEWUSER)
See
.BR user_namespaces (7).
.\"
.\" ==================== UTS namespaces ====================
.\"
.SS UTS namespaces (CLONE_NEWUTS)
UTS namespaces provide isolation of two system identifiers:
the hostname and the NIS domain name.
These identifiers are set using
.BR sethostname (2)
and
.BR setdomainname (2),
and can be retrieved using
.BR uname (2),
.BR gethostname (2),
and
.BR getdomainname (2).
Use of UTS namespaces requires a kernel that is configured with the
.B CONFIG_UTS_NS
option.
.\"
.\" ============================================================
.\"
.SS Introspecting namespace relationships
Since Linux 4.9,
.\" commit bcac25a58bfc6bd79191ac5d7afb49bea96da8c9
.\" commit 6786741dbf99e44fb0c0ed85a37582b8a26f1c3b
.\" commit a7306ed8d94af729ecef8b6e37506a1c6fc14788
.\" commit 6ad92bf63e45f97e306da48cd1cbce6e4fef1e5d
two
.BR ioctl (2)
operations are provided to allow introspection of namespace relationships
(see
.BR user_namespaces (7)
and
.BR pid_namespaces (7)).
The form of the calls is:
new_fd = ioctl(fd, request);
In each case,
.I fd
refers to a
.IR /proc/[pid]/ns/*
file.
Both operations return a new file descriptor on success.
.TP
.BR NS_GET_USERNS
Returns a file descriptor that refers to the owning user namespace
for the namespace referred to by
.IR fd .
.TP
.BR NS_GET_PARENT
Returns a file descriptor that refers to the parent namespace of
the namespace referred to by
.IR fd .
This operation is valid only for hierarchical namespaces
(i.e., PID and user namespaces).
For user namespaces,
.BR NS_GET_PARENT
is synonymous with
.BR NS_GET_USERNS .
.PP
The new file descriptor returned by these operations is opened with the
.BR O_RDONLY
and
.BR O_CLOEXEC
(close-on-exec; see
.BR fcntl (2)) flags.
.PP
By applying
.BR fstat (2)
to the returned file descriptor, one obtains a
.I stat
structure whose
.I st_ino
(inode number) field identifies the owning/parent namespace.
This inode number can be matched with the inode number of another
.IR /proc/[pid]/ns/{pid,user}
file to determine whether that is the owning/parent namespace.
Either of these
.BR ioctl (2)
operations can fail with the following errors:
.TP
.B EPERM
The requested namespace is outside of the caller's namespace scope.
This error can occur if, for example, the owning user namespace is an
ancestor of the caller's current user namespace.
It can also occur on attempts to obtain the parent of the initial
user or PID namespace.
.TP
.B ENOTTY
The operation is not supported by this kernel version.
.PP
Additionally, the
.B NS_GET_PARENT
operation can fail with the following error:
.TP
.B EINVAL
.I fd
refers to a nonhierarchical namespace.
.PP
See the EXAMPLE section for an example of the use of these operations.
.SH CONFORMING TO
Namespaces are a Linux-specific feature.
.SH EXAMPLE
For one example, see
.BR user_namespaces (7).
The example shown below uses the
.BR ioctl (2)
operations described above to perform simple
introspection of namespace relationships.
The following shell sessions show various examples of the use
of this program.
Trying to get the parent of the initial user namespace fails,
for the reasons explained earlier:
.nf
.in +4n
$ \fB./ns_introspect /proc/self/ns/user p\fP
The parent namespace is outside your namespace scope
.in
.fi
Create a process running
.BR sleep (1)
that resides in new user and UTS namespaces,
and show that the new UTS namespace is associated with the new user namespace:
.nf
.in +4n
$ \fBunshare \-Uu sleep 1000 &\fP
[1] 23235
$ \fB./ns_introspect /proc/23235/ns/uts\fP
Inode number of owning user namespace is: 4026532448
$ \fBreadlink /proc/23235/ns/user \fP
user:[4026532448]
.in
.fi
Then show that the parent of the new user namespace in the preceding
example is the initial user namespace:
.nf
.in +4n
$ \fBreadlink /proc/self/ns/user\fP
user:[4026531837]
$ \fB./ns_introspect /proc/23235/ns/user\fP
Inode number of owning user namespace is: 4026531837
.in
.fi
Start a shell in a new user namespace, and show that from within
this shell, the parent user namespace can't be discovered.
Similarly, the UTS namespace
(which is associated with the initial user namespace)
can't be discovered.
.nf
.in +4n
$ \fBPS1="sh2$ " unshare \-U bash\fP
sh2$ \fB./ns_introspect /proc/self/ns/user p\fP
The parent namespace is outside your namespace scope
sh2$ \fB./ns_introspect /proc/self/ns/uts u\fP
The owning user namespace is outside your namespace scope
.in
.fi
.SS Program source
\&
.nf
/* ns_introspect.c
Licensed under GNU General Public License v2 or later
*/
#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <sys/ioctl.h>
#include <string.h>
#include <errno.h>
#ifndef NS_GET_USERNS
/* Fallback definitions for build hosts whose kernel headers predate
   these ioctl() operations (which appeared in Linux 4.9) */
#define NSIO 0xb7
#define NS_GET_USERNS _IO(NSIO, 0x1)
#define NS_GET_PARENT _IO(NSIO, 0x2)
#endif
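/* Usage: ns_introspect /proc/[pid]/ns/[file] [p|u]

   Open the namespace file named in argv[1] and, depending on the
   letters in argv[2], apply NS_GET_USERNS (\(aqu\(aq) and/or
   NS_GET_PARENT (\(aqp\(aq) to it, printing the inode number of the
   namespace that each operation returns.  If argv[2] is absent,
   NS_GET_USERNS is performed.  Exits with EXIT_FAILURE on any
   error, including EPERM, which the kernel returns when the
   requested namespace lies outside the caller\(aqs namespace scope. */

int
main(int argc, char *argv[])
{
    int fd, userns_fd, parent_fd;
    struct stat sb;

    if (argc < 2) {
        fprintf(stderr, "Usage: %s /proc/[pid]/ns/[file] [p|u]\\n",
                argv[0]);
        fprintf(stderr, "\\nDisplay the result of one or both "
                "of NS_GET_USERNS (u) or NS_GET_PARENT (p)\\n"
                "for the specified /proc/[pid]/ns/[file]. If neither "
                "\(aqp\(aq nor \(aqu\(aq is specified,\\n"
                "NS_GET_USERNS is the default.\\n");
        exit(EXIT_FAILURE);
    }

    /* Obtain a file descriptor for the \(aqns\(aq file specified
       in argv[1].  Dereferencing the symbolic link is subject to the
       ptrace access mode check described earlier in this page, so the
       open() may fail for another process\(aqs namespace. */

    fd = open(argv[1], O_RDONLY);
    if (fd == \-1) {
        perror("open");
        exit(EXIT_FAILURE);
    }

    /* Obtain a file descriptor for the owning user namespace and
       then obtain and display the inode number of that namespace */

    if (argc < 3 || strchr(argv[2], \(aqu\(aq)) {
        userns_fd = ioctl(fd, NS_GET_USERNS);

        if (userns_fd == \-1) {
            /* EPERM: the owning user namespace is outside the
               caller\(aqs namespace scope (for example, it is an
               ancestor of the caller\(aqs user namespace) */
            if (errno == EPERM)
                printf("The owning user namespace is outside "
                        "your namespace scope\\n");
            else
                perror("ioctl\-NS_GET_USERNS");
            exit(EXIT_FAILURE);
        }

        /* The inode number identifies the namespace; it can be
           compared with the st_ino of other /proc/[pid]/ns/* files */

        if (fstat(userns_fd, &sb) == \-1) {
            perror("fstat\-userns");
            exit(EXIT_FAILURE);
        }
        printf("Inode number of owning user namespace is: %ld\\n",
                (long) sb.st_ino);

        close(userns_fd);
    }

    /* Obtain a file descriptor for the parent namespace and
       then obtain and display the inode number of that namespace */

    if (argc > 2 && strchr(argv[2], \(aqp\(aq)) {
        parent_fd = ioctl(fd, NS_GET_PARENT);

        if (parent_fd == \-1) {
            /* EINVAL: only PID and user namespaces are hierarchical;
               EPERM: the parent is outside the caller\(aqs scope, or
               fd refers to the initial user or PID namespace */
            if (errno == EINVAL)
                printf("Can\(aqt get parent namespace of a "
                        "nonhierarchical namespace\\n");
            else if (errno == EPERM)
                printf("The parent namespace is outside "
                        "your namespace scope\\n");
            else
                perror("ioctl\-NS_GET_PARENT");
            exit(EXIT_FAILURE);
        }

        if (fstat(parent_fd, &sb) == \-1) {
            perror("fstat\-parentns");
            exit(EXIT_FAILURE);
        }
        printf("Inode number of parent namespace is: %ld\\n",
                (long) sb.st_ino);

        close(parent_fd);
    }

    close(fd);
    exit(EXIT_SUCCESS);
}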
.fi
.SH SEE ALSO
.BR nsenter (1),
.BR readlink (1),
.BR unshare (1),
.BR clone (2),
.BR setns (2),
.BR unshare (2),
.BR proc (5),
.BR capabilities (7),
.BR cgroup_namespaces (7),
.BR cgroups (7),
.BR credentials (7),
.BR pid_namespaces (7),
.BR user_namespaces (7),
.BR lsns (8),
.BR switch_root (8)