The intro paragraph talks about entering the namespace of other
processes. That's not quite accurate, since nsenter can be used (via
a bind mount) to enter a namespace that has no member processes. So
rework NAME and the intro paragraph in DESCRIPTION to remove mention
of "processes".
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
Back in commits f85b9777c2 and 894efece9e, in the
description of each namespace type, I added repeated cross references
to clone(2). Drop these references. The Section 7 namespaces pages,
which are already noted in the nsenter(1) and unshare(1) manual pages,
provide much more relevant information. Furthermore, pointing the
reader at clone(2) is perhaps a little misleading, since the system
call underlying nsenter(1) is setns(2) and the system call underlying
unshare(1) is unshare(2).
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
Nowadays, the Linux man-pages project provides separate Section 7
manual pages for each type of namespace. Update the cross references
in nsenter.1 and unshare.1 to reflect this.
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
There is value in ensuring that manual page sections use consistently
named sections, as far as possible, and also that sections have a
consistent order within manual pages. This is one of a series of patches
to place manual page sections in a consistent order.
In this patch, we ensure that the AUTHORS, COPYRIGHT, SEE ALSO, and
AVAILABILITY sections are always placed at the end of the page.
Testing that no gross editing mistake (causing accidental loss or addition
of text) was performed as follows:
$ cat $(grep '\.SH' -l $(find . -name '*.[1-9]') |sort) | sort > a
[Apply patch]
$ cat $(grep '\.SH' -l $(find . -name '*.[1-9]') |sort) | sort > b
$ diff a b
$ echo $?
0
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
The "Further details" sentence in the PID namespace section got merged
with the surrounding text; this patch moves it to the end, to match
the other namespace sections, and adds the missing clone(2) reference.
Fixes: 894efece9e ("Provide better cross references for namespace concepts")
Signed-off-by: Stephen Kitt <steve@sk2.org>
Just as with unshare and lsns this adds time namespace support to
nsenter.
In contrast to unshare nsenter does not have the options '--boottime'
and '--monotonic' as that offset can only be set as long as there have
no processes being started in the corresponding time namespace.
Signed-off-by: Adrian Reber <areber@redhat.com>
Add a comma (,) after "e.g." and "i.e.", or use English words
(man-pages(7) [package "manpages"]).
Abbreviation points should be protected (usually with the
non-printing, zero width character '\&') from being interpreted as an
end of sentence, if they are not, and that independent of their current
place on the line.
This is important when typing, as one does not usually know in
advance when the editor jumps to a new line.
Signed-off-by: Bjarni Ingi Gislason <bjarniig@rhi.hi.is>
Use the correct macro (I, B) for the font change of one argument, not
those that are used for alternating two fonts, like "BR", "IR", "RB",
or "RI".
Signed-off-by: Bjarni Ingi Gislason <bjarniig@rhi.hi.is>
As described in pid_namespaces(7), IPC namespaces also
isolate POSIX message queues. Update the unshare(1)
and nsenter(1) pages to clarify that.
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
For each namespace that is discussed, add more explicit
references to the corresponding clone(2) flags and
add references to relevant section 7 namespace pages.
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
This patch does only the following:
* Order SEE ALSO entries first by section name, then alphabetically
within section
* Adds one or two missing commas in SEE ALSO lists
* Removes one or two periods that were (inconsistently) used
at the end of SEE ALSO lists.
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
The new context is copied from --target <PID>. This solution allows to
keep SELinux happy when you enter container by nsenter(1).
Addresses: https://bugzilla.redhat.com/show_bug.cgi?id=1116100
Signed-off-by: Karel Zak <kzak@redhat.com>
The new option --preserve-credentials completely disables all
operations related to UIGs and GIDs.
The patch also calls setgroups() before we enter user namespace (so
root can always clear their groups) and after we enter user namespace
(to detect /proc/self/setgroups "deny"). If both fail then nsenter
complains.
Acked-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Karel Zak <kzak@redhat.com>
Now it's possible to set UID and GID for user namespaces only. This
patch removes this restriction and allow to use --set{uid,gid} in all
cases. The default for user namespaces is still GID=0, UID=0.
Reported-by: Tomas Doran <bobtfish@bobtfish.net>
Signed-off-by: Karel Zak <kzak@redhat.com>
Also, for renice, adapt the descriptions to the behaviour: the -g,
-p and -u options do not actually need to be followed by any ID.
Signed-off-by: Benno Schulenberg <bensberg@justemail.net>
Using -S (--setuid) and -G (--setgid) one can select the uid/gid which
will be used in the entered user namespace.
[kzak@redhat.com: - use setuid/gid unconditionally (always),
- update man page]
Acked-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Karel Zak <kzak@redhat.com>
The behaviour mimics chroot.
Possibly it would have been nicer to to query the password database in
the new namepace and run the shell of the user there, but it's hard to
do correctly. getpwuid() might need to load nss plugins, and the arch
in the new namespace might be different (in case of NEWNS mounts), or
the hostname might be different, etc. So in general it's not possible
to do it reliably.
Signed-off-by: Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
Most visible change; the --target option has a path - explanation table
instead a long paragraph. This makes pairing of the information easier
for an average user such as me.
The rest of the changes are about aligning with howto, i.e., fix spaces
after dots, URL & mail address macros, remove inline emphasis where
possible, mark directory paths and words with underscore to be line
breakable, use optional option syntax from howto, cut line lenght to 80
chars.
Signed-off-by: Sami Kerola <kerolasa@iki.fi>
The naming of this option was really confusing.
Just rename it for clarity.
[kzak@redhat.com: rebase to original code without --all]
Signed-off-by: Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
Signed-off-by: Karel Zak <kzak@redhat.com>
Inspired by unshare, nsenter is a simple wrapper around setns that
allows running a new process in the context of an existing process.
Full paths may be specified to the namespace arguments so that
namespace file descriptors may be used wherever they reside in the
filesystem.
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
