man-pages/man1/nsenter.1.html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML><HEAD><TITLE>Man page of NSENTER</TITLE>
</HEAD><BODY>
<H1>NSENTER</H1>
Section: User Commands (1)<BR>Updated: June 2013<BR><A HREF="#index">Index</A>
<A HREF="/cgi-bin/man/man2html">Return to Main Contents</A><HR>

<A NAME="lbAB">&nbsp;</A>
<H2>NAME</H2>

nsenter - run program with namespaces of other processes
<A NAME="lbAC">&nbsp;</A>
<H2>SYNOPSIS</H2>

<B>nsenter</B>

[options]
[<I>program</I>

[<I>arguments</I>]]

<A NAME="lbAD">&nbsp;</A>
<H2>DESCRIPTION</H2>

Enters the namespaces of one or more other processes and then executes the specified
<I>program</I>. If <I>program</I> is not given, then ``${SHELL}'' is run (default: /bin:/sh).
<P>

Enterable namespaces are:
<DL COMPACT>
<DT id="1"><B>mount namespace</B>

<DD>
Mounting and unmounting filesystems will not affect the rest of the system,
except for filesystems which are explicitly marked as shared (with
<B>mount --make-:shared</B>; see <I>/proc:/self:/mountinfo</I> for the
<B>shared</B> flag).
For further details, see
<B><A HREF="/cgi-bin/man/man2html?7+mount_namespaces">mount_namespaces</A></B>(7)

and the discussion of the
<B>CLONE_NEWNS</B>

flag in
<B><A HREF="/cgi-bin/man/man2html?2+clone">clone</A></B>(2).

<DT id="2"><B>UTS namespace</B>

<DD>
Setting hostname or domainname will not affect the rest of the system.
For further details, see
<B><A HREF="/cgi-bin/man/man2html?7+namespaces">namespaces</A></B>(7)

and the discussion of the
<B>CLONE_NEWUTS</B>

flag in
<B><A HREF="/cgi-bin/man/man2html?2+clone">clone</A></B>(2).

<DT id="3"><B>IPC namespace</B>

<DD>
The process will have an independent namespace for POSIX message queues
as well as System V message queues,
semaphore sets and shared memory segments.
For further details, see
<B><A HREF="/cgi-bin/man/man2html?7+namespaces">namespaces</A></B>(7)

and the discussion of the
<B>CLONE_NEWIPC</B>

flag in
<B><A HREF="/cgi-bin/man/man2html?2+clone">clone</A></B>(2).

<DT id="4"><B>network namespace</B>

<DD>
The process will have independent IPv4 and IPv6 stacks, IP routing tables,
firewall rules, the
<I>/proc:/net</I>

and
<I>/sys:/class:/net</I>

directory trees, sockets, etc.
For further details, see
<B><A HREF="/cgi-bin/man/man2html?7+namespaces">namespaces</A></B>(7)

and the discussion of the
<B>CLONE_NEWNET</B>

flag in
<B><A HREF="/cgi-bin/man/man2html?2+clone">clone</A></B>(2).

<DT id="5"><B>PID namespace</B>

<DD>
Children will have a set of PID to process mappings separate from the
<B>nsenter</B>

process
For further details, see
<B><A HREF="/cgi-bin/man/man2html?7+pid_namespaces">pid_namespaces</A></B>(7)

and
the discussion of the
<B>CLONE_NEWPID</B>

flag in
<B>nsenter</B>

will fork by default if changing the PID namespace, so that the new program
and its children share the same PID namespace and are visible to each other.
If <B>--no-fork</B> is used, the new program will be exec'ed without forking.
<DT id="6"><B>user namespace</B>

<DD>
The process will have a distinct set of UIDs, GIDs and capabilities.
For further details, see
<B><A HREF="/cgi-bin/man/man2html?7+user_namespaces">user_namespaces</A></B>(7)

and the discussion of the
<B>CLONE_NEWUSER</B>

flag in
<B><A HREF="/cgi-bin/man/man2html?2+clone">clone</A></B>(2).

<DT id="7"><B>cgroup namespace</B>

<DD>
The process will have a virtualized view of <I>/proc:/self:/cgroup</I>, and new
cgroup mounts will be rooted at the namespace cgroup root.
For further details, see
<B><A HREF="/cgi-bin/man/man2html?7+cgroup_namespaces">cgroup_namespaces</A></B>(7)

and the discussion of the
<B>CLONE_NEWCGROUP</B>

flag in
<B><A HREF="/cgi-bin/man/man2html?2+clone">clone</A></B>(2).

<DT id="8">See <B><A HREF="/cgi-bin/man/man2html?2+clone">clone</A></B>(2) for the exact semantics of the flags.<DD>
</DL>
<A NAME="lbAE">&nbsp;</A>
<H2>OPTIONS</H2>

Various of the options below that relate to namespaces take an optional
<I>file</I>

argument.
This should be one of the
<I>/proc/[pid]/ns/*</I>

files described in
<B><A HREF="/cgi-bin/man/man2html?7+namespaces">namespaces</A></B>(7).

<DL COMPACT>
<DT id="9"><B>-a</B>, <B>--all</B><DD>
Enter all namespaces of the target process by the default
<I>/proc/[pid]/ns/*</I>

namespace paths. The default paths to the target process namespaces may be
overwritten by namespace specific options (e.g. --all --mount=[path]).
<P>
The user namespace will be ignored if the same as the caller's current user
namespace. It prevents a caller that has dropped capabilities from regaining
those capabilities via a call to setns().  See
<B><A HREF="/cgi-bin/man/man2html?2+setns">setns</A></B>(2)

for more details.
<DT id="10"><B>-t</B>, <B>--target</B> <I>pid</I><DD>
Specify a target process to get contexts from.  The paths to the contexts
specified by
<I>pid</I>

are:
<DL COMPACT><DT id="11"><DD>

<DL COMPACT>
<DT id="12"><DD>
<DT id="13">/proc/<I>pid</I>/ns/mnt<DD>
the mount namespace
<DT id="14">/proc/<I>pid</I>/ns/uts<DD>
the UTS namespace
<DT id="15">/proc/<I>pid</I>/ns/ipc<DD>
the IPC namespace
<DT id="16">/proc/<I>pid</I>/ns/net<DD>
the network namespace
<DT id="17">/proc/<I>pid</I>/ns/pid<DD>
the PID namespace
<DT id="18">/proc/<I>pid</I>/ns/user<DD>
the user namespace
<DT id="19">/proc/<I>pid</I>/ns/cgroup<DD>
the cgroup namespace
<DT id="20">/proc/<I>pid</I>/root<DD>
the root directory
<DT id="21">/proc/<I>pid</I>/cwd<DD>
the working directory respectively

</DL>
</DL>

<DT id="22"><B>-m</B>, <B>--mount</B>[=<I>file</I>]<DD>
Enter the mount namespace.  If no file is specified, enter the mount namespace
of the target process.
If
<I>file</I>

is specified, enter the mount namespace
specified by
<I>file</I>.

<DT id="23"><B>-u</B>, <B>--uts</B>[=<I>file</I>]<DD>
Enter the UTS namespace.  If no file is specified, enter the UTS namespace of
the target process.
If
<I>file</I>

is specified, enter the UTS namespace specified by
<I>file</I>.

<DT id="24"><B>-i</B>, <B>--ipc</B>[=<I>file</I>]<DD>
Enter the IPC namespace.  If no file is specified, enter the IPC namespace of
the target process.
If
<I>file</I>

is specified, enter the IPC namespace specified by
<I>file</I>.

<DT id="25"><B>-n</B>, <B>--net</B>[=<I>file</I>]<DD>
Enter the network namespace.  If no file is specified, enter the network
namespace of the target process.
If
<I>file</I>

is specified, enter the network namespace specified by
<I>file</I>.

<DT id="26"><B>-p</B>, <B>--pid</B>[=<I>file</I>]<DD>
Enter the PID namespace.  If no file is specified, enter the PID namespace of
the target process.
If
<I>file</I>

is specified, enter the PID namespace specified by
<I>file</I>.

<DT id="27"><B>-U</B>, <B>--user</B>[=<I>file</I>]<DD>
Enter the user namespace.  If no file is specified, enter the user namespace of
the target process.
If
<I>file</I>

is specified, enter the user namespace specified by
<I>file</I>.

See also the <B>--setuid</B> and <B>--setgid</B> options.
<DT id="28"><B>-C</B>, <B>--cgroup</B>[=<I>file</I>]<DD>
Enter the cgroup namespace.  If no file is specified, enter the cgroup namespace of
the target process.
If
<I>file</I>

is specified, enter the cgroup namespace specified by
<I>file</I>.

<DT id="29"><B>-G</B>, <B>--setgid</B> <I>gid</I><DD>
Set the group ID which will be used in the entered namespace and drop
supplementary groups.
<B><A HREF="/cgi-bin/man/man2html?1+nsenter">nsenter</A></B>(1)

always sets GID for user namespaces, the default is 0.
<DT id="30"><B>-S</B>, <B>--setuid</B> <I>uid</I><DD>
Set the user ID which will be used in the entered namespace.
<B><A HREF="/cgi-bin/man/man2html?1+nsenter">nsenter</A></B>(1)

always sets UID for user namespaces, the default is 0.
<DT id="31"><B>--preserve-credentials</B><DD>
Don't modify UID and GID when enter user namespace. The default is to
drops supplementary groups and sets GID and UID to 0.
<DT id="32"><B>-r</B>, <B>--root</B>[=<I>directory</I>]<DD>
Set the root directory.  If no directory is specified, set the root directory to
the root directory of the target process.  If directory is specified, set the
root directory to the specified directory.
<DT id="33"><B>-w</B>, <B>--wd</B>[=<I>directory</I>]<DD>
Set the working directory.  If no directory is specified, set the working
directory to the working directory of the target process.  If directory is
specified, set the working directory to the specified directory.
<DT id="34"><B>-F</B>, <B>--no-fork</B><DD>
Do not fork before exec'ing the specified program.  By default, when entering a
PID namespace, <B>nsenter</B> calls <B>fork</B> before calling <B>exec</B> so that
any children will also be in the newly entered PID namespace.
<DT id="35"><B>-Z</B>, <B>--follow-context</B><DD>
Set the SELinux security context used for executing a new process according to
already running process specified by <B>--target</B> PID. (The util-linux has
to be compiled with SELinux support otherwise the option is unavailable.)
<DT id="36"><B>-V</B>, <B>--version</B><DD>
Display version information and exit.
<DT id="37"><B>-h</B>, <B>--help</B><DD>
Display help text and exit.
</DL>
<A NAME="lbAF">&nbsp;</A>
<H2>SEE ALSO</H2>

<B><A HREF="/cgi-bin/man/man2html?2+clone">clone</A></B>(2),

<B><A HREF="/cgi-bin/man/man2html?2+setns">setns</A></B>(2),

<B><A HREF="/cgi-bin/man/man2html?7+namespaces">namespaces</A></B>(7)

<A NAME="lbAG">&nbsp;</A>
<H2>AUTHORS</H2>


Eric Biederman

<BR>


Karel Zak

<A NAME="lbAH">&nbsp;</A>
<H2>AVAILABILITY</H2>

The nsenter command is part of the util-linux package and is available from

Linux Kernel Archive

<P>

<HR>
<A NAME="index">&nbsp;</A><H2>Index</H2>
<DL>
<DT id="38"><A HREF="#lbAB">NAME</A><DD>
<DT id="39"><A HREF="#lbAC">SYNOPSIS</A><DD>
<DT id="40"><A HREF="#lbAD">DESCRIPTION</A><DD>
<DT id="41"><A HREF="#lbAE">OPTIONS</A><DD>
<DT id="42"><A HREF="#lbAF">SEE ALSO</A><DD>
<DT id="43"><A HREF="#lbAG">AUTHORS</A><DD>
<DT id="44"><A HREF="#lbAH">AVAILABILITY</A><DD>
</DL>
<HR>
This document was created by
<A HREF="/cgi-bin/man/man2html">man2html</A>,
using the manual pages.<BR>
Time: 00:05:20 GMT, March 31, 2021
</BODY>
</HTML>