502 lines
13 KiB
HTML
502 lines
13 KiB
HTML
|
|
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
|
<HTML><HEAD><TITLE>Man page of SETNS</TITLE>
|
|
</HEAD><BODY>
|
|
<H1>SETNS</H1>
|
|
Section: Linux Programmer's Manual (2)<BR>Updated: 2019-10-10<BR><A HREF="#index">Index</A>
|
|
<A HREF="/cgi-bin/man/man2html">Return to Main Contents</A><HR>
|
|
|
|
<A NAME="lbAB"> </A>
|
|
<H2>NAME</H2>
|
|
|
|
setns - reassociate thread with a namespace
|
|
<A NAME="lbAC"> </A>
|
|
<H2>SYNOPSIS</H2>
|
|
|
|
<PRE>
|
|
<B>#define _GNU_SOURCE</B> /* See <A HREF="/cgi-bin/man/man2html?7+feature_test_macros">feature_test_macros</A>(7) */
|
|
<B>#include <<A HREF="file:///usr/include/sched.h">sched.h</A>></B>
|
|
|
|
<B>int setns(int </B><I>fd</I><B>, int </B><I>nstype</I><B>);</B>
|
|
</PRE>
|
|
|
|
<A NAME="lbAD"> </A>
|
|
<H2>DESCRIPTION</H2>
|
|
|
|
Given a file descriptor referring to a namespace,
|
|
reassociate the calling thread with that namespace.
|
|
<P>
|
|
|
|
The
|
|
<I>fd</I>
|
|
|
|
argument is a file descriptor referring to one of the namespace entries in a
|
|
<I>/proc/[pid]/ns/</I>
|
|
|
|
directory; see
|
|
<B><A HREF="/cgi-bin/man/man2html?7+namespaces">namespaces</A></B>(7)
|
|
|
|
for further information on
|
|
<I>/proc/[pid]/ns/</I>.
|
|
|
|
The calling thread will be reassociated with the corresponding namespace,
|
|
subject to any constraints imposed by the
|
|
<I>nstype</I>
|
|
|
|
argument.
|
|
<P>
|
|
|
|
The
|
|
<I>nstype</I>
|
|
|
|
argument specifies which type of namespace
|
|
the calling thread may be reassociated with.
|
|
This argument can have one of the following values:
|
|
<DL COMPACT>
|
|
<DT id="1"><B>0</B>
|
|
|
|
<DD>
|
|
Allow any type of namespace to be joined.
|
|
<DT id="2"><B>CLONE_NEWCGROUP</B> (since Linux 4.6)
|
|
|
|
<DD>
|
|
<I>fd</I>
|
|
|
|
must refer to a cgroup namespace.
|
|
<DT id="3"><B>CLONE_NEWIPC</B> (since Linux 3.0)
|
|
|
|
<DD>
|
|
<I>fd</I>
|
|
|
|
must refer to an IPC namespace.
|
|
<DT id="4"><B>CLONE_NEWNET</B> (since Linux 3.0)
|
|
|
|
<DD>
|
|
<I>fd</I>
|
|
|
|
must refer to a network namespace.
|
|
<DT id="5"><B>CLONE_NEWNS</B> (since Linux 3.8)
|
|
|
|
<DD>
|
|
<I>fd</I>
|
|
|
|
must refer to a mount namespace.
|
|
<DT id="6"><B>CLONE_NEWPID</B> (since Linux 3.8)
|
|
|
|
<DD>
|
|
<I>fd</I>
|
|
|
|
must refer to a descendant PID namespace.
|
|
<DT id="7"><B>CLONE_NEWUSER</B> (since Linux 3.8)
|
|
|
|
<DD>
|
|
<I>fd</I>
|
|
|
|
must refer to a user namespace.
|
|
<DT id="8"><B>CLONE_NEWUTS</B> (since Linux 3.0)
|
|
|
|
<DD>
|
|
<I>fd</I>
|
|
|
|
must refer to a UTS namespace.
|
|
</DL>
|
|
<P>
|
|
|
|
Specifying
|
|
<I>nstype</I>
|
|
|
|
as 0 suffices if the caller knows (or does not care)
|
|
what type of namespace is referred to by
|
|
<I>fd</I>.
|
|
|
|
Specifying a nonzero value for
|
|
<I>nstype</I>
|
|
|
|
is useful if the caller does not know what type of namespace is referred to by
|
|
<I>fd</I>
|
|
|
|
and wants to ensure that the namespace is of a particular type.
|
|
(The caller might not know the type of the namespace referred to by
|
|
<I>fd</I>
|
|
|
|
if the file descriptor was opened by another process and, for example,
|
|
passed to the caller via a UNIX domain socket.)
|
|
|
|
<A NAME="lbAE"> </A>
|
|
<H3>Details for specific namespace types</H3>
|
|
|
|
Note the following details and restrictions when reassociating with
|
|
specific namespace types:
|
|
<DL COMPACT>
|
|
<DT id="9">User namespaces<DD>
|
|
A process reassociating itself with a user namespace must have the
|
|
<B>CAP_SYS_ADMIN</B>
|
|
|
|
|
|
capability in the target user namespace.
|
|
(This necessarily implies that it is only possible to join
|
|
a descendant user namespace.)
|
|
Upon successfully joining a user namespace,
|
|
a process is granted all capabilities in that namespace,
|
|
regardless of its user and group IDs.
|
|
<DT id="10"><DD>
|
|
A multithreaded process may not change user namespace with
|
|
<B>setns</B>().
|
|
|
|
<DT id="11"><DD>
|
|
It is not permitted to use
|
|
<B>setns</B>()
|
|
|
|
to reenter the caller's current user namespace.
|
|
This prevents a caller that has dropped capabilities from regaining
|
|
those capabilities via a call to
|
|
<B>setns</B>().
|
|
|
|
<DT id="12"><DD>
|
|
For security reasons,
|
|
|
|
|
|
a process can't join a new user namespace if it is sharing
|
|
filesystem-related attributes
|
|
(the attributes whose sharing is controlled by the
|
|
<B><A HREF="/cgi-bin/man/man2html?2+clone">clone</A></B>(2)
|
|
|
|
<B>CLONE_FS</B>
|
|
|
|
flag) with another process.
|
|
<DT id="13"><DD>
|
|
For further details on user namespaces, see
|
|
<B><A HREF="/cgi-bin/man/man2html?7+user_namespaces">user_namespaces</A></B>(7).
|
|
|
|
<DT id="14">Mount namespaces<DD>
|
|
Changing the mount namespace requires that the caller possess both
|
|
<B>CAP_SYS_CHROOT</B>
|
|
|
|
and
|
|
<B>CAP_SYS_ADMIN</B>
|
|
|
|
capabilities in its own user namespace and
|
|
<B>CAP_SYS_ADMIN</B>
|
|
|
|
in the user namespace that owns the target mount namespace.
|
|
<DT id="15"><DD>
|
|
A process can't join a new mount namespace if it is sharing
|
|
filesystem-related attributes
|
|
(the attributes whose sharing is controlled by the
|
|
<B><A HREF="/cgi-bin/man/man2html?2+clone">clone</A></B>(2)
|
|
|
|
<B>CLONE_FS</B>
|
|
|
|
flag) with another process.
|
|
|
|
<DT id="16"><DD>
|
|
See
|
|
<B><A HREF="/cgi-bin/man/man2html?7+user_namespaces">user_namespaces</A></B>(7)
|
|
|
|
for details on the interaction of user namespaces and mount namespaces.
|
|
<DT id="17">PID namespaces<DD>
|
|
In order to reassociate itself with a new PID namespace,
|
|
the caller must have the
|
|
<B>CAP_SYS_ADMIN</B>
|
|
|
|
capability both in its own user namespace and in the user namespace
|
|
that owns the target PID namespace.
|
|
<DT id="18"><DD>
|
|
If
|
|
<I>fd</I>
|
|
|
|
refers to a PID namespace, the semantics are somewhat different
|
|
from other namespace types:
|
|
reassociating the calling thread with a PID namespace changes only
|
|
the PID namespace that subsequently created child processes of
|
|
the caller will be placed in;
|
|
it does not change the PID namespace of the caller itself.
|
|
<DT id="19"><DD>
|
|
Reassociating with a PID namespace is allowed only if the
|
|
PID namespace specified by
|
|
<I>fd</I>
|
|
|
|
is a descendant (child, grandchild, etc.)
|
|
of the PID namespace of the caller.
|
|
<DT id="20"><DD>
|
|
For further details on PID namespaces, see
|
|
<B><A HREF="/cgi-bin/man/man2html?7+pid_namespaces">pid_namespaces</A></B>(7).
|
|
|
|
<DT id="21">Cgroup namespaces<DD>
|
|
In order to reassociate itself with a new cgroup namespace,
|
|
the caller must have the
|
|
<B>CAP_SYS_ADMIN</B>
|
|
|
|
capability both in its own user namespace and in the user namespace
|
|
that owns the target cgroup namespace.
|
|
<DT id="22"><DD>
|
|
Using
|
|
<B>setns</B>()
|
|
|
|
to change the caller's cgroup namespace does not change
|
|
the caller's cgroup memberships.
|
|
<DT id="23">Network, IPC, and UTS namespaces<DD>
|
|
In order to reassociate itself with a new network, IPC, or UTS namespace,
|
|
the caller must have the
|
|
<B>CAP_SYS_ADMIN</B>
|
|
|
|
capability both in its own user namespace and in the user namespace
|
|
that owns the target namespace.
|
|
</DL>
|
|
<A NAME="lbAF"> </A>
|
|
<H2>RETURN VALUE</H2>
|
|
|
|
On success,
|
|
<B>setns</B>()
|
|
|
|
returns 0.
|
|
On failure, -1 is returned and
|
|
<I>errno</I>
|
|
|
|
is set to indicate the error.
|
|
<A NAME="lbAG"> </A>
|
|
<H2>ERRORS</H2>
|
|
|
|
<DL COMPACT>
|
|
<DT id="24"><B>EBADF</B>
|
|
|
|
<DD>
|
|
<I>fd</I>
|
|
|
|
is not a valid file descriptor.
|
|
<DT id="25"><B>EINVAL</B>
|
|
|
|
<DD>
|
|
<I>fd</I>
|
|
|
|
refers to a namespace whose type does not match that specified in
|
|
<I>nstype</I>.
|
|
|
|
<DT id="26"><B>EINVAL</B>
|
|
|
|
<DD>
|
|
There is problem with reassociating
|
|
the thread with the specified namespace.
|
|
<DT id="27">
|
|
<DD>
|
|
<B>EINVAL</B>
|
|
|
|
The caller tried to join an ancestor (parent, grandparent, and so on)
|
|
PID namespace.
|
|
<DT id="28"><B>EINVAL</B>
|
|
|
|
<DD>
|
|
The caller attempted to join the user namespace
|
|
in which it is already a member.
|
|
<DT id="29"><B>EINVAL</B>
|
|
|
|
<DD>
|
|
|
|
The caller shares filesystem
|
|
(<B>CLONE_FS</B>)
|
|
|
|
state (in particular, the root directory)
|
|
with other processes and tried to join a new user namespace.
|
|
<DT id="30"><B>EINVAL</B>
|
|
|
|
<DD>
|
|
|
|
The caller is multithreaded and tried to join a new user namespace.
|
|
<DT id="31"><B>ENOMEM</B>
|
|
|
|
<DD>
|
|
Cannot allocate sufficient memory to change the specified namespace.
|
|
<DT id="32"><B>EPERM</B>
|
|
|
|
<DD>
|
|
The calling thread did not have the required capability
|
|
for this operation.
|
|
</DL>
|
|
<A NAME="lbAH"> </A>
|
|
<H2>VERSIONS</H2>
|
|
|
|
The
|
|
<B>setns</B>()
|
|
|
|
system call first appeared in Linux in kernel 3.0;
|
|
library support was added to glibc in version 2.14.
|
|
<A NAME="lbAI"> </A>
|
|
<H2>CONFORMING TO</H2>
|
|
|
|
The
|
|
<B>setns</B>()
|
|
|
|
system call is Linux-specific.
|
|
<A NAME="lbAJ"> </A>
|
|
<H2>NOTES</H2>
|
|
|
|
Not all of the attributes that can be shared when
|
|
a new thread is created using
|
|
<B><A HREF="/cgi-bin/man/man2html?2+clone">clone</A></B>(2)
|
|
|
|
can be changed using
|
|
<B>setns</B>().
|
|
|
|
<A NAME="lbAK"> </A>
|
|
<H2>EXAMPLE</H2>
|
|
|
|
The program below takes two or more arguments.
|
|
The first argument specifies the pathname of a namespace file in an existing
|
|
<I>/proc/[pid]/ns/</I>
|
|
|
|
directory.
|
|
The remaining arguments specify a command and its arguments.
|
|
The program opens the namespace file, joins that namespace using
|
|
<B>setns</B>(),
|
|
|
|
and executes the specified command inside that namespace.
|
|
<P>
|
|
|
|
The following shell session demonstrates the use of this program
|
|
(compiled as a binary named
|
|
<I>ns_exec</I>)
|
|
|
|
in conjunction with the
|
|
<B>CLONE_NEWUTS</B>
|
|
|
|
example program in the
|
|
<B><A HREF="/cgi-bin/man/man2html?2+clone">clone</A></B>(2)
|
|
|
|
man page (complied as a binary named
|
|
<I>newuts</I>).
|
|
|
|
<P>
|
|
|
|
We begin by executing the example program in
|
|
<B><A HREF="/cgi-bin/man/man2html?2+clone">clone</A></B>(2)
|
|
|
|
in the background.
|
|
That program creates a child in a separate UTS namespace.
|
|
The child changes the hostname in its namespace,
|
|
and then both processes display the hostnames in their UTS namespaces,
|
|
so that we can see that they are different.
|
|
<P>
|
|
|
|
|
|
|
|
$ <B>su</B> # Need privilege for namespace operations
|
|
Password:
|
|
# <B>./newuts bizarro &</B>
|
|
[1] 3549
|
|
clone() returned 3550
|
|
uts.nodename in child: bizarro
|
|
uts.nodename in parent: antero
|
|
# <B>uname -n</B> # Verify hostname in the shell
|
|
antero
|
|
|
|
|
|
<P>
|
|
|
|
We then run the program shown below,
|
|
using it to execute a shell.
|
|
Inside that shell, we verify that the hostname is the one
|
|
set by the child created by the first program:
|
|
<P>
|
|
|
|
|
|
|
|
# <B>./ns_exec /proc/3550/ns/uts /bin/bash</B>
|
|
# <B>uname -n</B> # Executed in shell started by ns_exec
|
|
bizarro
|
|
|
|
|
|
<A NAME="lbAL"> </A>
|
|
<H3>Program source</H3>
|
|
|
|
|
|
#define _GNU_SOURCE
|
|
#include <<A HREF="file:///usr/include/fcntl.h">fcntl.h</A>>
|
|
#include <<A HREF="file:///usr/include/sched.h">sched.h</A>>
|
|
#include <<A HREF="file:///usr/include/unistd.h">unistd.h</A>>
|
|
#include <<A HREF="file:///usr/include/stdlib.h">stdlib.h</A>>
|
|
#include <<A HREF="file:///usr/include/stdio.h">stdio.h</A>>
|
|
<P>
|
|
#define errExit(msg) do { perror(msg); exit(EXIT_FAILURE); \
|
|
<BR> } while (0)
|
|
<P>
|
|
int
|
|
main(int argc, char *argv[])
|
|
{
|
|
<BR> int fd;
|
|
<P>
|
|
<BR> if (argc < 3) {
|
|
<BR> fprintf(stderr, "%s /proc/PID/ns/FILE cmd args...\n", argv[0]);
|
|
<BR> exit(EXIT_FAILURE);
|
|
<BR> }
|
|
<P>
|
|
<BR> fd = open(argv[1], O_RDONLY); /* Get file descriptor for namespace */
|
|
<BR> if (fd == -1)
|
|
<BR> errExit("open");
|
|
<P>
|
|
<BR> if (setns(fd, 0) == -1) /* Join that namespace */
|
|
<BR> errExit("setns");
|
|
<P>
|
|
<BR> execvp(argv[2], &argv[2]); /* Execute a command in namespace */
|
|
<BR> errExit("execvp");
|
|
}
|
|
|
|
<A NAME="lbAM"> </A>
|
|
<H2>SEE ALSO</H2>
|
|
|
|
<B><A HREF="/cgi-bin/man/man2html?1+nsenter">nsenter</A></B>(1),
|
|
|
|
<B><A HREF="/cgi-bin/man/man2html?2+clone">clone</A></B>(2),
|
|
|
|
<B><A HREF="/cgi-bin/man/man2html?2+fork">fork</A></B>(2),
|
|
|
|
<B><A HREF="/cgi-bin/man/man2html?2+unshare">unshare</A></B>(2),
|
|
|
|
<B><A HREF="/cgi-bin/man/man2html?2+vfork">vfork</A></B>(2),
|
|
|
|
<B><A HREF="/cgi-bin/man/man2html?7+namespaces">namespaces</A></B>(7),
|
|
|
|
<B><A HREF="/cgi-bin/man/man2html?7+unix">unix</A></B>(7)
|
|
|
|
<A NAME="lbAN"> </A>
|
|
<H2>COLOPHON</H2>
|
|
|
|
This page is part of release 5.05 of the Linux
|
|
<I>man-pages</I>
|
|
|
|
project.
|
|
A description of the project,
|
|
information about reporting bugs,
|
|
and the latest version of this page,
|
|
can be found at
|
|
<A HREF="https://www.kernel.org/doc/man-pages/.">https://www.kernel.org/doc/man-pages/.</A>
|
|
<P>
|
|
|
|
<HR>
|
|
<A NAME="index"> </A><H2>Index</H2>
|
|
<DL>
|
|
<DT id="33"><A HREF="#lbAB">NAME</A><DD>
|
|
<DT id="34"><A HREF="#lbAC">SYNOPSIS</A><DD>
|
|
<DT id="35"><A HREF="#lbAD">DESCRIPTION</A><DD>
|
|
<DL>
|
|
<DT id="36"><A HREF="#lbAE">Details for specific namespace types</A><DD>
|
|
</DL>
|
|
<DT id="37"><A HREF="#lbAF">RETURN VALUE</A><DD>
|
|
<DT id="38"><A HREF="#lbAG">ERRORS</A><DD>
|
|
<DT id="39"><A HREF="#lbAH">VERSIONS</A><DD>
|
|
<DT id="40"><A HREF="#lbAI">CONFORMING TO</A><DD>
|
|
<DT id="41"><A HREF="#lbAJ">NOTES</A><DD>
|
|
<DT id="42"><A HREF="#lbAK">EXAMPLE</A><DD>
|
|
<DL>
|
|
<DT id="43"><A HREF="#lbAL">Program source</A><DD>
|
|
</DL>
|
|
<DT id="44"><A HREF="#lbAM">SEE ALSO</A><DD>
|
|
<DT id="45"><A HREF="#lbAN">COLOPHON</A><DD>
|
|
</DL>
|
|
<HR>
|
|
This document was created by
|
|
<A HREF="/cgi-bin/man/man2html">man2html</A>,
|
|
using the manual pages.<BR>
|
|
Time: 00:05:34 GMT, March 31, 2021
|
|
</BODY>
|
|
</HTML>
|