October 12, 2022

Learning Namespaces: Unsharing is caring

Learning bits from the Linux Containers the Hard Way workshop. Linux namespaces are created with one of two system calls: clone(2), which starts a new child process already inside the requested new namespaces, and unshare(2), which moves the calling process itself into new namespaces. The unshare command from util-linux is a command-line front end to the unshare(2) system call (it is a compiled binary, not a Bash script); its one notable twist is that a new PID namespace only applies to children of the caller, which is why a PID namespace needs the --fork option so the program runs as PID 1 of the new namespace.

```
$ unshare --help

Usage:
 unshare [options] [<program> [<argument>...]]

Run a program with some namespaces unshared from the parent.

Options:
 -m, --mount[=<file>]      unshare mounts namespace
 -u, --uts[=<file>]        unshare UTS namespace (hostname etc)
 -i, --ipc[=<file>]        unshare System V IPC namespace
 -n, --net[=<file>]        unshare network namespace
 -p, --pid[=<file>]        unshare pid namespace
 -U, --user[=<file>]       unshare user namespace
 -C, --cgroup[=<file>]     unshare cgroup namespace
 -T, --time[=<file>]       unshare time namespace
 -f, --fork                fork before launching <program>
 --map-user=<uid>|<name>   map current user to uid (implies --user)
 --map-group=<gid>|<name>  map current group to gid (implies --user)
 -r, --map-root-user       map current user to root (implies --user)
 -c, --map-current-user    map current user to itself (implies --user)
 --map-auto                map users and groups automatically (implies --user)
 --map-users=<outeruid>,<inneruid>,<count>
                           map count users from outeruid to inneruid (implies --user)
 --map-groups=<outergid>,<innergid>,<count>
                           map count groups from outergid to innergid (implies --user)
 --kill-child[=<signame>]  when dying, kill the forked child (implies --fork)
                             defaults to SIGKILL
 --mount-proc[=<dir>]      mount proc filesystem first (implies --mount)
 --propagation slave|shared|private|unchanged
                           modify mount propagation in mount namespace
 --setgroups allow|deny    control the setgroups syscall in user namespaces
 --keep-caps               retain capabilities granted in user namespaces
 -R, --root=<dir>          run the command with root directory set to <dir>
 -w, --wd=<dir>            change working directory to <dir>
 -S, --setuid <uid>        set uid in entered namespace
 -G, --setgid <gid>        set gid in entered namespace
 --monotonic <offset>      set clock monotonic offset (seconds) in time namespaces
 --boottime <offset>       set clock boottime offset (seconds) in time namespaces

 -h, --help                display this help
 -V, --version             display version

For more details see unshare(1).
```
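The following script is an added example, not part of the workshop page or of util-linux: it uses the unshare(1) options above to create user, UTS and PID namespaces as an unprivileged user and checks what each one actually isolates. It assumes a Linux kernel that allows unprivileged user namespaces (user.max_user_namespaces > 0 and no seccomp filter blocking unshare); the hostname `demo-ns` is a made-up value, and where namespaces are unavailable the script says so instead of failing.

```shell
#!/bin/sh
# Added example (not from the workshop or util-linux): unprivileged namespace
# creation with unshare(1). Assumes a kernel with unprivileged user namespaces
# enabled; "demo-ns" is a constructed hostname used only for this demo.

# ns_probe: can this user create a user namespace at all? -r (--map-root-user)
# writes a uid_map that makes our own uid appear as uid 0 inside. Fails with
# EPERM where user namespaces are disabled or seccomp blocks unshare(2).
ns_probe() {
    unshare --user --map-root-user true 2>/dev/null
}

# inner_hostname: set and read the hostname inside a fresh user+UTS namespace.
# sethostname(2) needs CAP_SYS_ADMIN over the UTS namespace; -r grants that
# only over the new UTS namespace, which the new user namespace owns.
inner_hostname() {
    unshare --user --map-root-user --uts sh -c 'hostname demo-ns && uname -n'
}

# outer_hostname: the caller's own UTS namespace, which the child cannot touch.
outer_hostname() {
    uname -n
}

# inner_uid_map: the mapping -r wrote. "0 <our uid> 1" means root inside is
# just our unprivileged uid outside, so "root" here has no host privilege.
inner_uid_map() {
    unshare --user --map-root-user cat /proc/self/uid_map
}

# inner_pid: with --pid the new PID namespace applies to children only, so
# --fork is required for the program to run as PID 1 there. Without
# --mount-proc, /proc still shows the parent namespace's processes.
inner_pid() {
    unshare --user --map-root-user --pid --fork sh -c 'echo $$'
}

if ns_probe; then
    echo "inside:  $(inner_hostname)"
    echo "outside: $(outer_hostname)"
    echo "uid_map: $(inner_uid_map)"
    echo "pid:     $(inner_pid)"
else
    echo "unsupported: unprivileged user namespaces disabled or unshare(2) blocked"
fi
```

The check worth keeping from this is the last two functions: uid 0 inside the namespace is only the caller's real uid mapped through /proc/self/uid_map, and a PID namespace without --mount-proc still exposes the host's process list through the inherited /proc mount.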
