.\" Copyright (c) 2013, 2016, 2017 by Michael Kerrisk <mtk.manpages@gmail.com>
.\" and Copyright (c) 2012 by Eric W. Biederman <ebiederm@xmission.com>
.\"
.\" %%%LICENSE_START(VERBATIM)
.\" Permission is granted to make and distribute verbatim copies of this
.\" manual provided the copyright notice and this permission notice are
.\" preserved on all copies.
.\"
.\" Permission is granted to copy and distribute modified versions of this
.\" manual under the conditions for verbatim copying, provided that the
.\" entire resulting derived work is distributed under the terms of a
.\" permission notice identical to this one.
.\"
.\" Since the Linux kernel and libraries are constantly changing, this
.\" manual page may be incorrect or out-of-date. The author(s) assume no
.\" responsibility for errors or omissions, or for damages resulting from
.\" the use of the information contained herein. The author(s) may not
.\" have taken the same level of care in the production of this manual,
.\" which is licensed free of charge, as they might when working
.\" professionally.
.\"
.\" Formatted or processed versions of this manual, if unaccompanied by
.\" the source, must acknowledge the copyright and authors of this work.
.\" %%%LICENSE_END
.\"
.\"
.TH NAMESPACES 7 2021-03-22 "Linux" "Linux Programmer's Manual"
.SH NAME
namespaces \- overview of Linux namespaces
.SH DESCRIPTION
A namespace wraps a global system resource in an abstraction that
makes it appear to the processes within the namespace that they
have their own isolated instance of the global resource.
Changes to the global resource are visible to other processes
that are members of the namespace, but are invisible to other processes.
One use of namespaces is to implement containers.
.PP
This page provides pointers to information on the various namespace types,
describes the associated
.I /proc
files, and summarizes the APIs for working with namespaces.
.\"
.SS Namespace types
The following table shows the namespace types available on Linux.
The second column of the table shows the flag value that is used to specify
the namespace type in various APIs.
The third column identifies the manual page that provides details
on the namespace type.
The last column is a summary of the resources that are isolated by
the namespace type.
.ad l
.nh
.TS
lB lB lB lB
l1 lB1 l1 l.
Namespace Flag Page Isolates
Cgroup CLONE_NEWCGROUP \fBcgroup_namespaces\fP(7) T{
Cgroup root directory
T}
IPC CLONE_NEWIPC \fBipc_namespaces\fP(7) T{
System V IPC,
POSIX message queues
T}
Network CLONE_NEWNET \fBnetwork_namespaces\fP(7) T{
Network devices,
stacks, ports, etc.
T}
Mount CLONE_NEWNS \fBmount_namespaces\fP(7) Mount points
PID CLONE_NEWPID \fBpid_namespaces\fP(7) Process IDs
Time CLONE_NEWTIME \fBtime_namespaces\fP(7) T{
Boot and monotonic
clocks
T}
User CLONE_NEWUSER \fBuser_namespaces\fP(7) T{
User and group IDs
T}
UTS CLONE_NEWUTS \fButs_namespaces\fP(7) T{
Hostname and NIS
domain name
T}
.TE
.hy
.ad
.\"
.\" ==================== The namespaces API ====================
.\"
.SS The namespaces API
As well as various
.I /proc
files described below,
the namespaces API includes the following system calls:
.TP
.BR clone (2)
The
.BR clone (2)
system call creates a new process.
If the
.I flags
argument of the call specifies one or more of the
.B CLONE_NEW*
flags listed above, then new namespaces are created for each flag,
and the child process is made a member of those namespaces.
(This system call also implements a number of features
unrelated to namespaces.)
.TP
.BR setns (2)
The
.BR setns (2)
system call allows the calling process to join an existing namespace.
The namespace to join is specified via a file descriptor that refers to
one of the
.IR /proc/[pid]/ns
files described below.
.TP
.BR unshare (2)
The
.BR unshare (2)
system call moves the calling process to a new namespace.
If the
.I flags
argument of the call specifies one or more of the
.B CLONE_NEW*
flags listed above, then new namespaces are created for each flag,
and the calling process is made a member of those namespaces.
(This system call also implements a number of features
unrelated to namespaces.)
.TP
.BR ioctl (2)
Various
.BR ioctl (2)
operations can be used to discover information about namespaces.
These operations are described in
.BR ioctl_ns (2).
.PP
Creation of new namespaces using
.BR clone (2)
and
.BR unshare (2)
in most cases requires the
.BR CAP_SYS_ADMIN
capability, since, in the new namespace,
the creator will have the power to change global resources
that are visible to other processes that are subsequently created in,
or join the namespace.
User namespaces are the exception: since Linux 3.8,
no privilege is required to create a user namespace.
.\"
.\" ==================== The /proc/[pid]/ns/ directory ====================
.\"
.SS The /proc/[pid]/ns/ directory
Each process has a
.IR /proc/[pid]/ns/
.\" See commit 6b4e306aa3dc94a0545eb9279475b1ab6209a31f
subdirectory containing one entry for each namespace that
supports being manipulated by
.BR setns (2):
.PP
.in +4n
.EX
$ \fBls \-l /proc/$$/ns | awk \(aq{print $1, $9, $10, $11}\(aq\fP
total 0
lrwxrwxrwx. cgroup \-> cgroup:[4026531835]
lrwxrwxrwx. ipc \-> ipc:[4026531839]
lrwxrwxrwx. mnt \-> mnt:[4026531840]
lrwxrwxrwx. net \-> net:[4026531969]
lrwxrwxrwx. pid \-> pid:[4026531836]
lrwxrwxrwx. pid_for_children \-> pid:[4026531834]
lrwxrwxrwx. time \-> time:[4026531834]
lrwxrwxrwx. time_for_children \-> time:[4026531834]
lrwxrwxrwx. user \-> user:[4026531837]
lrwxrwxrwx. uts \-> uts:[4026531838]
.EE
.in
.PP
Bind mounting (see
.BR mount (2))
one of the files in this directory
to somewhere else in the filesystem keeps
the corresponding namespace of the process specified by
.I pid
alive even if all processes currently in the namespace terminate.
.PP
Opening one of the files in this directory
(or a file that is bind mounted to one of these files)
returns a file descriptor for
the corresponding namespace of the process specified by
.IR pid .
As long as this file descriptor remains open,
the namespace will remain alive,
even if all processes in the namespace terminate.
The file descriptor can be passed to
.BR setns (2).
.PP
In Linux 3.7 and earlier, these files were visible as hard links.
Since Linux 3.8,
.\" commit bf056bfa80596a5d14b26b17276a56a0dcb080e5
they appear as symbolic links.
If two processes are in the same namespace,
then the device IDs and inode numbers of their
.IR /proc/[pid]/ns/xxx
symbolic links will be the same; an application can check this using the
.I stat.st_dev
.\" Eric Biederman: "I reserve the right for st_dev to be significant
.\" when comparing namespaces."
.\" https://lore.kernel.org/lkml/87poky5ca9.fsf@xmission.com/
.\" Re: Documenting the ioctl interfaces to discover relationships...
.\" Date: Mon, 12 Dec 2016 11:30:38 +1300
and
.I stat.st_ino
fields returned by
.BR stat (2).
The content of this symbolic link is a string containing
the namespace type and inode number as in the following example:
.PP
.in +4n
.EX
$ \fBreadlink /proc/$$/ns/uts\fP
uts:[4026531838]
.EE
.in
.PP
The symbolic links in this subdirectory are as follows:
.TP
.IR /proc/[pid]/ns/cgroup " (since Linux 4.6)"
This file is a handle for the cgroup namespace of the process.
.TP
.IR /proc/[pid]/ns/ipc " (since Linux 3.0)"
This file is a handle for the IPC namespace of the process.
.TP
.IR /proc/[pid]/ns/mnt " (since Linux 3.8)"
.\" commit 8823c079ba7136dc1948d6f6dcb5f8022bde438e
This file is a handle for the mount namespace of the process.
.TP
.IR /proc/[pid]/ns/net " (since Linux 3.0)"
This file is a handle for the network namespace of the process.
.TP
.IR /proc/[pid]/ns/pid " (since Linux 3.8)"
.\" commit 57e8391d327609cbf12d843259c968b9e5c1838f
This file is a handle for the PID namespace of the process.
This handle is permanent for the lifetime of the process
(i.e., a process's PID namespace membership never changes).
.TP
.IR /proc/[pid]/ns/pid_for_children " (since Linux 4.12)"
.\" commit eaa0d190bfe1ed891b814a52712dcd852554cb08
This file is a handle for the PID namespace of
child processes created by this process.
This can change as a consequence of calls to
.BR unshare (2)
and
.BR setns (2)
(see
.BR pid_namespaces (7)),
so the file may differ from
.IR /proc/[pid]/ns/pid .
The symbolic link gains a value only after the first child process
is created in the namespace.
(Beforehand,
.BR readlink (2)
of the symbolic link will return an empty buffer.)
.TP
.IR /proc/[pid]/ns/time " (since Linux 5.6)"
This file is a handle for the time namespace of the process.
.TP
.IR /proc/[pid]/ns/time_for_children " (since Linux 5.6)"
This file is a handle for the time namespace of
child processes created by this process.
This can change as a consequence of calls to
.BR unshare (2)
and
.BR setns (2)
(see
.BR time_namespaces (7)),
so the file may differ from
.IR /proc/[pid]/ns/time .
.TP
.IR /proc/[pid]/ns/user " (since Linux 3.8)"
.\" commit cde1975bc242f3e1072bde623ef378e547b73f91
This file is a handle for the user namespace of the process.
.TP
.IR /proc/[pid]/ns/uts " (since Linux 3.0)"
This file is a handle for the UTS namespace of the process.
.PP
Permission to dereference or read
.RB ( readlink (2))
these symbolic links is governed by a ptrace access mode
.B PTRACE_MODE_READ_FSCREDS
check; see
.BR ptrace (2).
.\"
.\" ==================== The /proc/sys/user directory ====================
.\"
.SS The /proc/sys/user directory
The files in the
.I /proc/sys/user
directory (which is present since Linux 4.9) expose limits
on the number of namespaces of various types that can be created.
The files are as follows:
.TP
.IR max_cgroup_namespaces
The value in this file defines a per-user limit on the number of
cgroup namespaces that may be created in the user namespace.
.TP
.IR max_ipc_namespaces
The value in this file defines a per-user limit on the number of
IPC namespaces that may be created in the user namespace.
.TP
.IR max_mnt_namespaces
The value in this file defines a per-user limit on the number of
mount namespaces that may be created in the user namespace.
.TP
.IR max_net_namespaces
The value in this file defines a per-user limit on the number of
network namespaces that may be created in the user namespace.
.TP
.IR max_pid_namespaces
The value in this file defines a per-user limit on the number of
PID namespaces that may be created in the user namespace.
.TP
.IR max_time_namespaces " (since Linux 5.7)"
.\" commit eeec26d5da8248ea4e240b8795bb4364213d3247
The value in this file defines a per-user limit on the number of
time namespaces that may be created in the user namespace.
.TP
.IR max_user_namespaces
The value in this file defines a per-user limit on the number of
user namespaces that may be created in the user namespace.
.TP
.IR max_uts_namespaces
The value in this file defines a per-user limit on the number of
UTS namespaces that may be created in the user namespace.
.PP
Note the following details about these files:
.IP * 3
The values in these files are modifiable by privileged processes.
.IP *
The values exposed by these files are the limits for the user namespace
in which the opening process resides.
.IP *
The limits are per-user.
Each user in the same user namespace
can create namespaces up to the defined limit.
.IP *
The limits apply to all users, including UID 0.
.IP *
These limits apply in addition to any other per-namespace
limits (such as those for PID and user namespaces) that may be enforced.
.IP *
Upon encountering these limits,
.BR clone (2)
and
.BR unshare (2)
fail with the error
.BR ENOSPC .
.IP *
For the initial user namespace,
the default value in each of these files is half the limit on the number
of threads that may be created
.RI ( /proc/sys/kernel/threads\-max ).
In all descendant user namespaces, the default value in each file is
.BR MAXINT .
.IP *
When a namespace is created, the object is also accounted
against ancestor namespaces.
More precisely:
.RS
.IP + 3
Each user namespace has a creator UID.
.IP +
When a namespace is created,
it is accounted against the creator UIDs in each of the
ancestor user namespaces,
and the kernel ensures that the corresponding namespace limit
for the creator UID in the ancestor namespace is not exceeded.
.IP +
The preceding point ensures that creating a new user namespace
cannot be used as a means to escape the limits in force
in the current user namespace.
.RE
.\"
.SS Namespace lifetime
Absent any other factors,
a namespace is automatically torn down when the last process in
the namespace terminates or leaves the namespace.
However, there are a number of other factors that may pin
a namespace into existence even though it has no member processes.
These factors include the following:
.IP * 3
An open file descriptor or a bind mount exists for the corresponding
.IR /proc/[pid]/ns/*
file.
.IP *
The namespace is hierarchical (i.e., a PID or user namespace),
and has a child namespace.
.IP *
It is a user namespace that owns one or more nonuser namespaces.
.IP *
It is a PID namespace,
and there is a process that refers to the namespace via a
.IR /proc/[pid]/ns/pid_for_children
symbolic link.
.IP *
It is a time namespace,
and there is a process that refers to the namespace via a
.IR /proc/[pid]/ns/time_for_children
symbolic link.
.IP *
It is an IPC namespace, and a corresponding mount of an
.I mqueue
filesystem (see
.BR mq_overview (7))
refers to this namespace.
.IP *
It is a PID namespace, and a corresponding mount of a
.BR proc (5)
filesystem refers to this namespace.
.SH EXAMPLES
See
.BR clone (2)
and
.BR user_namespaces (7).
.SH SEE ALSO
.BR nsenter (1),
.BR readlink (1),
.BR unshare (1),
.BR clone (2),
.BR ioctl_ns (2),
.BR setns (2),
.BR unshare (2),
.BR proc (5),
.BR capabilities (7),
.BR cgroup_namespaces (7),
.BR cgroups (7),
.BR credentials (7),
.BR ipc_namespaces (7),
.BR network_namespaces (7),
.BR pid_namespaces (7),
.BR user_namespaces (7),
.BR uts_namespaces (7),
.BR lsns (8),
.BR switch_root (8)