LinuxCommandLibrary

unshare

Create isolated namespaces for processes

TLDR

Run a command in a new network namespace, with no access to the host's network interfaces

$ unshare [[-n|--net]] [command] [command_arguments]

Run a command as a child process of unshare with its own mount, PID and network namespaces

$ unshare [[-m|--mount]] [[-p|--pid]] [[-n|--net]] [[-f|--fork]] [command] [command_arguments]

SYNOPSIS

unshare [options] command [arguments...]

PARAMETERS

--fork, -f
    Runs the command as a child process of unshare instead of exec'ing it directly; unshare waits for the child. Needed together with --pid: the process that calls unshare(2) stays in its old PID namespace and only children created afterwards enter the new one, so without --fork the command itself would not be inside the new namespace.

--pid, -p
    Unshares the PID namespace. The first child created afterwards becomes PID 1 of the new namespace (use --fork so that the command is that child). Processes orphaned inside the namespace are re-parented to that PID 1, and when PID 1 exits the kernel kills every remaining process in the namespace.

--mount, -m
    Unshares the mount namespace. The process gets a private copy of the mount table; mounts and unmounts it performs do not affect the parent's view. By default unshare marks the new namespace's mounts private (see --propagation), so they cannot propagate back to the host.

--uts, -u
    Unshares the UTS (UNIX Time-sharing System) namespace. Allows the process to set its own hostname and NIS domain name without affecting the global system.

--ipc, -i
    Unshares the IPC (Interprocess Communication) namespace. Provides a private set of System V IPC objects and POSIX message queues.

--net, -n
    Unshares the network namespace. Provides a private set of network devices, IP addresses, routing tables, port numbers and firewall rules. The new namespace contains only a loopback interface, and it starts in the down state; bringing it up or adding interfaces requires CAP_NET_ADMIN inside the namespace.

--user, -U
    Unshares the user namespace. The process gets a private set of UID/GID mappings and a full capability set inside the namespace; those capabilities are valid only for resources owned by that namespace (and namespaces created under it), so an unprivileged user can configure the mount or network namespaces it creates without gaining privileges on the host.

--cgroup, -C
    Unshares the cgroup namespace. The process's current cgroup becomes the root of the hierarchy it sees, hiding the host's cgroup paths.

--map-root-user, -r
    Maps the current effective user and group IDs to UID 0 and GID 0 in the new user namespace. Implies --user and --setgroups deny. This is the convenient way to obtain the capabilities needed to mount filesystems or configure interfaces in the other namespaces while unprivileged on the host; it maps a single ID only, not ranges.

--mount-proc[=mountpoint]
    Mounts a fresh proc filesystem at mountpoint (default /proc) just before running the command. Implies --mount, since replacing /proc in the shared mount namespace would disturb the host. Needed with --pid: the inherited /proc belongs to the host's PID namespace, so ps and /proc/[pid] would otherwise still show host processes. There is no short form; -r belongs to --map-root-user.

--propagation private|shared|slave|unchanged
    Recursively sets the mount propagation flag in the new mount namespace. The default is private, so mounts made inside stay inside; unchanged keeps whatever the parent had (often shared on systemd systems, which would let mounts leak back to the host). Ignored unless --mount is given.

--help, -h
    Display help message and exit.

--version, -V
    Output version information and exit.

DESCRIPTION

The unshare command allows a process to disassociate from certain system resources of its parent, creating new, isolated instances of namespaces for itself. This gives the process its own private view of resources like process IDs, mount points, network interfaces, user IDs, and more, without affecting the rest of the system. It is a fundamental tool for creating lightweight containment environments or 'sandboxes', and the same kernel features are the building blocks of higher-level container technologies like Docker and LXC. By isolating specific aspects of the system, unshare adds an isolation layer, facilitates testing, and provides a clean execution environment for applications.

CAVEATS

Using unshare effectively requires understanding how the namespaces interact. As a non-root user, a new user namespace (--user, usually with --map-root-user) is necessary first: creating mount, network or other namespaces needs CAP_SYS_ADMIN, and a user namespace supplies that capability for the namespaces it owns, nothing more. Real root on the host can unshare any namespace without one. If a PID namespace is unshared, the command must be forked (--fork) to end up inside it, and a new /proc must be mounted (--mount-proc) for the PIDs it shows to match the namespace; otherwise tools like ps keep showing host processes. Not every system permits unprivileged user namespaces: the sysctl user.max_user_namespaces may be 0, and some distributions add their own restriction, so check with a probe such as `unshare --user --map-root-user true` before relying on them. Unprivileged user namespaces also expose a large part of the kernel's namespace and mount code to ordinary users, which is why several hardened distributions disable them. Finally, namespaces alone are not a complete sandbox: a mount namespace without a changed root still sees the whole host filesystem, and nothing here filters system calls or limits resource use; seccomp, capability dropping, pivot_root(2) and cgroups cover those.
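The following script is an added example, not code from the unshare man page or from util-linux. It builds an unprivileged sandbox with the options described above and checks, from the outside, what each one actually isolates: the mapped UID, the PID the command receives with --fork, the difference --mount-proc makes to /proc, the interfaces in a fresh network namespace, and whether a mount made inside leaks to the host. It assumes a util-linux unshare, /bin/sh, a mount binary, and a kernel that allows unprivileged user namespaces.

```shell
#!/bin/sh
# Added example: probe what an unprivileged unshare sandbox isolates.
# Assumes util-linux unshare, /bin/sh, `mount`, and that unprivileged
# user namespaces are permitted (user.max_user_namespaces > 0).

# UID as seen inside a user namespace with --map-root-user: 0, even
# though the caller is unprivileged. The mapping is a view, not a grant
# of host privileges.
sandbox_uid() {
    unshare --user --map-root-user id -u
}

# With --pid alone the calling process stays in the old PID namespace;
# only its children enter the new one. --fork makes the command the
# first child, so it becomes PID 1 of the new namespace.
sandbox_pid() {
    unshare --user --map-root-user --pid --fork sh -c 'echo $$'
}

# Number of PID entries visible in /proc. $1 is "" or "--mount-proc".
# Without --mount-proc the sandbox still reads the host's /proc (the
# inherited mount belongs to the host PID namespace) and sees every
# host process; with --mount-proc a fresh proc shows only PID 1 (the
# sh doing the globbing, which forks nothing for `set --`).
sandbox_proc_entries() {
    unshare --user --map-root-user --pid --fork --mount $1 \
        sh -c 'set -- /proc/[0-9]*; echo $#'
}

# Interfaces in the sandbox's network namespace. /proc/net is a symlink
# to /proc/self/net and reflects the reader's own namespace even on the
# host's /proc mount, so no --mount-proc is needed here. A new network
# namespace holds only lo, and lo starts down.
sandbox_interfaces() {
    unshare --user --map-root-user --net \
        sh -c 'tail -n +3 /proc/net/dev | cut -d: -f1 | tr -d " "'
}

# Mount isolation: a tmpfs mounted over a temporary directory inside the
# sandbox must not be visible from the host. Prints "isolated" or
# "leaked" ("mount-failed" if the inner mount itself was refused).
sandbox_mount_check() {
    dir=$(mktemp -d) || return 1
    if unshare --user --map-root-user --mount \
        sh -c "mount -t tmpfs none '$dir' && touch '$dir/inside'"; then
        if [ -e "$dir/inside" ]; then echo leaked; else echo isolated; fi
    else
        echo mount-failed
    fi
    rm -rf "$dir"
}

main() {
    echo "uid inside the sandbox:        $(sandbox_uid)"
    echo "pid of the command (--fork):   $(sandbox_pid)"
    echo "/proc entries, host /proc:     $(sandbox_proc_entries "")"
    echo "/proc entries, --mount-proc:   $(sandbox_proc_entries --mount-proc)"
    echo "interfaces in new net ns:      $(sandbox_interfaces)"
    echo "tmpfs mounted inside, on host: $(sandbox_mount_check)"
}

main "$@"
```

Run it as an ordinary user. On a system where unprivileged user namespaces are disabled every probe fails with "Operation not permitted"; that failure is itself the check to make before building on unshare.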

NAMESPACE TYPES

Linux supports several types of namespaces, each isolating a specific global system resource:

PID Namespace: Isolates process IDs. Processes in a new PID namespace have their own PID 1, independent of the host's PID tree.
Mount Namespace: Isolates the list of mount points. Changes to the filesystem hierarchy within a new mount namespace do not affect the host.
Network Namespace: Isolates network devices, IP addresses, routing tables, port numbers, firewall rules, etc. Each network namespace has its own loopback device (down until brought up) and can have its own virtual interfaces; a physical or veth interface belongs to exactly one namespace at a time.
IPC Namespace: Isolates System V interprocess communication objects (message queues, semaphores, shared memory) and POSIX message queues.
UTS Namespace: Isolates hostname and NIS domain name. Allows a process to change its hostname without affecting the system's global hostname.
User Namespace: Isolates user and group IDs and capabilities. Processes can have different UIDs/GIDs than on the host, and an unprivileged user can hold a full capability set that is valid only inside the namespace and for the namespaces it owns.
Cgroup Namespace: Isolates the cgroup hierarchy. Processes in a new cgroup namespace see their own cgroup as the root of the hierarchy, so host cgroup paths are hidden.

COMMON USE CASES

unshare is frequently used for:

Lightweight Sandboxing: Creating isolated environments for running untrusted applications or for testing software without affecting the host system.
Containerization Foundation: It's a core component used by container runtimes (like Docker, Podman, LXC) to achieve process, network, and filesystem isolation.
Network Isolation: Creating dedicated network environments for specific applications, complete with their own IP addresses and routing.
Testing and Development: Setting up clean, reproducible environments for testing system-level changes or experiments without requiring a full virtual machine.

HISTORY

Namespaces in Linux began with mount namespaces in kernel version 2.4.19. UTS and IPC namespaces followed in 2.6.19, PID and network namespaces in 2.6.24 (network namespace support was completed in 2.6.29). User namespaces, a crucial component for unprivileged containerization, became fully usable in Linux 3.8, cgroup namespaces arrived in Linux 4.6, and time namespaces in Linux 5.6 (exposed by newer unshare versions as --time). The unshare command, part of the util-linux package, is a thin command-line front end to these kernel features: it calls the unshare(2) system call (the same CLONE_NEW* flags are also accepted by clone(2)), writes the uid_map and gid_map files for --map-root-user, and then executes the requested command. Its options have grown alongside the kernel's namespace support, making it a foundational tool for creating isolated environments.

SEE ALSO

unshare(2), namespaces(7), user_namespaces(7), pid_namespaces(7), mount_namespaces(7), clone(2), setns(2), lsns(8), nsenter(1), ip-netns(8), chroot(1)
