Questions tagged [unshare]
42 questions
0 votes, 1 answer, 35 views
Order of mounting of entries in a mount namespace
I'm aware that unshare -m creates a new mount namespace, moving the process executing it into the new mount namespace being created.
The latter gets a copy of parent's mount namespace. Indeed look at the ...
0 votes, 1 answer, 398 views
basename complains about missing operand using unshare
If I try to create namespaces, basename complains about missing operand:
sudo unshare --mount --ipc --uts --pid --fork --user /bin/bash
basename: missing operand
Try 'basename --help' for more ...
1 vote, 0 answers, 33 views
Isolating a child process in a remote desktop program
I'm developing a remote desktop/streaming program for linux. When a user logs in, they specify a program to launch, and the remote server launches that program as a new process. The server process ...
3 votes, 2 answers, 999 views
Can't `chown` with `unshare`
I run unshare -r touch file. However, unshare -r chown nobody file gives me Invalid argument. Why?
2 votes, 2 answers, 1k views
Why does unshare with chroot not isolate /dev like /proc?
I am following Container from scratch by Kevin Boone
I have alpine mini root filesystem under /mnt/container/
I am a little puzzled about how the mount works with chroot and unshare involved.
Without ...
4 votes, 1 answer, 1k views
How do you get the child pid of `unshare` when using --fork for `nsenter -t <pid>`?
When using unshare --pid --fork, the nsenter command must attach to the child pid, not the unshare pid, to get to the right pid namespace.
I can get unshare's pid as follows:
unshare --pid --mount --...
2 votes, 2 answers, 828 views
Why is the Linux command `unshare --pid=p --mount=m` not creating a persistent namespace?
From everything I have read in the unshare and nsenter man pages, I should be able to bind-mount a directory to itself, mount --make-private the directory, and then use files within that directory to ...
1 vote, 1 answer, 315 views
If ports are unprivileged, why can't I access them if I am root in a namespace?
I've run sudo sysctl -w net.ipv4.ip_unprivileged_port_start=1. However, sudo ip netns exec myvpn unshare -r python -m http.server -b 127.0.0.1 2 does not work. Strangely enough, this does: sudo ip ...
0 votes, 1 answer, 495 views
How to login to a user namespace created by unshare?
How to login to a user namespace created by unshare -U from another terminal?
0 votes, 0 answers, 211 views
How to expand the number of subuids for a linux namespace
After running something like this:
$ unshare -rUm
$ mkdir opt
$ mount --bind opt /opt
$ touch /opt/test
$ chown 1000:1000 /opt/test
I'm receiving this:
chown: changing ownership of '/opt/test': ...
2 votes, 1 answer, 1k views
Unshare with overlayfs results in permission denied with su
I am trying to setup 'rootless' containers by hand, with just unshare and
mounting overlayfs. Currently, I can unpack a rootfs tarball, setup a /tmp
and /proc mount, and pivot_root/chroot into it ...
1 vote, 1 answer, 1k views
echo to gid_map fails but uid_map success
I'm trying to map the user and group ids in a new namespace by writing to the uid_map and gid_map files.
So on terminal-1 I'm doing
vaibhav@vaibhav:~$ unshare -U /bin/sh
$ id
uid=65534(nobody) gid=65534(...
4 votes, 1 answer, 2k views
How can I use a bind mount in a network namespace?
I have an app I run in a network namespace. This works well.
I want to run the app multiple times, in different namespaces. For convenience, I want to bind mount the app's working directory to ...
1 vote, 1 answer, 2k views
Unshare with --mount-proc creates a new mnt namespace
I am a little confused about what --mount-proc does when used with unshare command.
When I use unshare -fp --mount-proc bash, I notice that it results in both a new PID namespace and a new MNT ...
4 votes, 0 answers, 288 views
unshare with supplementary groups
On my Linux machine, I (my user) have a main group and multiple other groups (note I belong to group 150):
$ id -u; id -g; id -G
1000
1000
1000 6 21 91 97 150 190 465 996 1003
I need to isolate a ...
1 vote, 0 answers, 202 views
Getting different PIDs from unshare
Here's some of the basic code inside a script called test.sh.
bash -c "sleep 10; echo \$(pidof unshare)" &
sudo unshare --mount --uts --ipc --net --pid --fork /bin/sh -c "
... do ...
2 votes, 1 answer, 142 views
Why are PIDs in new PID namespace not contiguous
I am running Ubuntu 20.04. According to https://lwn.net/Articles/531419/ and https://stackoverflow.com/questions/3446727/how-does-linux-determine-the-next-pid/3457108#3457108, assigned PIDs should be ...
7 votes, 1 answer, 2k views
How are time namespaces supposed to be used?
I thought I could do something like:
sudo unshare -T bash -c 'date -s "$1" && foobar' sh "$(date -d -1day)"
so foobar would see a different system time from the rest of ...
0 votes, 1 answer, 740 views
Can I use rootless podman with regular user-namespaces (created outside of podman)?
If I create a uts namespace using unshare and set the hostname to foo,
$ unshare --map-root-user --uts /bin/sh
# echo $$
31882
# readlink /proc/31882/ns/uts
uts:[4026532825]
# hostname foo
How can I ...
0 votes, 2 answers, 291 views
How can I test that a buildah script is run under buildah-unshare?
If I have a script that uses buildah mount, I use it the same way the docs specify,
mnt=$(buildah mount $ctr)
If I invoke my script sh ./build.sh, I get
cannot mount using driver overlay in rootless ...
2 votes, 2 answers, 855 views
unshare -r: Failed to connect to bus: Operation not permitted
When I run unshare -r, I get
Failed to connect to bus: Operation not permitted
The id still shows I'm root,
❯ id
uid=0(root) gid=0(root) groups=0(root),65534(nogroup)
What does this error/warning ...
3 votes, 1 answer, 3k views
Why is it possible to create other namespaces without real root using user namespaces?
When using the command unshare to create namespaces, if you are not root on the host machine and are creating any namespace but the user type, you will receive this error: Operation not permitted. ...
2 votes, 2 answers, 674 views
Strange behaviour of pivot_root(".", ".") in mount namespace
I'm trying to understand containers and stumbled upon a trick apparently found by the LXC developers, see this runc PR: You can call pivot_root(".", ".") which avoids the need for a directory to put ...
2 votes, 2 answers, 1k views
"unshare --mount" inside a jenkins chroot environment
In some of my build scripts I've been using mount namespaces as a mechanism to safely mount without ever leaving these mounts behind when the script terminates. Unshared mount points are implicitly ...
2 votes, 1 answer, 2k views
Why does unshare -p not imply -f and --mount-proc?
The man page specifies that you may be interested in using --fork and --mount-proc when creating a PID namespace, but why are those options not the default?
6 votes, 1 answer, 2k views
Why can I not bind a mount namespace to a file
I observe the following:
As unprivileged user in shell No 1:
user@box:~$ sysctl kernel.unprivileged_userns_clone
kernel.unprivileged_userns_clone = 1
user@box:~$ unshare --mount --user
nobody@box:~$ ...
0 votes, 1 answer, 413 views
Why does unshare binary call clone() so many times?
I am trying to test the unshare command in Linux. I am using it to create a new user namespace. I tried the following test:
user1@myPC$ strace -e clone,unshare,fork,execve unshare --user
execve("/usr/...
3 votes, 0 answers, 927 views
How to make unshare(CLONE_NEWUSER) succeed after chroot?
My call to unshare(CLONE_NEWUSER) when called as a non-root user returns EPERM because of this (http://man7.org/linux/man-pages/man2/unshare.2.html):
EPERM (since Linux 3.9)
...
6 votes, 1 answer, 2k views
How to prevent a process from writing to the systemd journal?
I am using a third party .NET Core application (a binary distribution used by a VS Code extension) that unfortunately has diagnostic logging enabled with no apparent way to disable it (I did already ...
3 votes, 1 answer, 1k views
With Linux user namespaces, why can clone() mount /proc, but unshare() cannot?
I am trying to get a non-root user to mount /proc in a Linux user namespace.
If I create a namespace via clone(), then I can mount /proc.
However, if I create a namespace via unshare(), then the ...
3 votes, 1 answer, 1k views
Why does unsharing mount namespace require CAP_SYS_ADMIN?
For a project of mine I need only the mount namespace unshared, which requires the CAP_SYS_ADMIN capability (see namespaces). While it is possible to create a new mount-namespace without capabilities ...
1 vote, 1 answer, 2k views
How to `unshare -n` without changing to root?
I'd like to run a shell that behaves exactly like the parent but without network. Why do I have to su <login> after unshare?
11 votes, 1 answer, 3k views
Losing permissions by adding capability?
I observed the following phenomenon that I can not explain. After adding the CAP_SYS_ADMIN capability, unshare is no longer able to write to /proc/self/setgroups.
In fact, writing to this file ...
3 votes, 1 answer, 3k views
how to unshare network for current process
It's possible to run a new command without network access as non-root using unshare -r -n, for example:
$ unshare -r -n ls
a.txt b.txt
A command that does require network access will fail ...
1 vote, 3 answers, 1k views
Making a bind-mount take effect only in the context of the current process and its descendants
I have 2 files: /MyDir/a and /MyDir/MySubDir/b and am running a bash script, to which I want to add code to make file /a point to file /b, but only in the current process and its descendants.
In ...
13 votes, 2 answers, 6k views
unshare --map-root-user switch to original uid/username after setup
I'm using unshare to create per process mounts, which is working perfectly fine by
unshare -m --map-root-user
However, after having created my bind-mounts by
mount --bind src dst
I want to change ...
8 votes, 2 answers, 25k views
How can I check if cgroups are available on my Linux host?
Is there a command to check if the container services are running on a Linux system? Someone suggested unshare but I am not sure if that is the best way to do it.
7 votes, 1 answer, 2k views
Why does unshare based killing only work reliably with --fork?
From this answer we have learned that you can implement reliable killing of entire process subtrees with Linux PID namespaces via unshare -p.
Here is a problem with it that I don't understand:
It only ...
7 votes, 2 answers, 4k views
Mounting a file system image inside an unshared namespace
I'm using unshare to perform things like bind mounts local to a certain process without requiring root access, e.g.:
unshare -mr bash mount --bind a b
(Yes, this seems kinda dumb; in my actual use ...
3 votes, 1 answer, 749 views
Is there a way to cancel unshare(2)?
If I called unshare ./fooprogram, is there a way to cancel that unshare while fooprogram is running?
3 votes, 1 answer, 1k views
Force program to use /dev/urandom
I'm trying to create a little container that will let me remap /dev/random to /dev/urandom without root for a specific program. What I have so far:
unshare -r bash -c 'chroot . /bin/busybox sh'
For ...
16 votes, 3 answers, 9k views
Simulate chroot with unshare
I am trying to write a bootstrapper for a minimal, from-source linux distribution.
I would like to build in a chroot-like environment. This should simplify packaging. I do not care about security at ...