NAME
namespaces - overview of Linux namespaces
DESCRIPTION
A namespace wraps a global system resource in an abstraction that makes it appear to the processes within the namespace that they have their own isolated instance of the global resource. Changes to the global resource are visible to other processes that are members of the namespace, but are invisible to other processes. One use of namespaces is to implement containers. Linux provides the following namespaces: Namespace Constant Isolates Cgroup CLONE_NEWCGROUP Cgroup root directory IPC CLONE_NEWIPC System V IPC, POSIX message queues Network CLONE_NEWNET Network devices, stacks, ports, etc. Mount CLONE_NEWNS Mount points PID CLONE_NEWPID Process IDs User CLONE_NEWUSER User and group IDs UTS CLONE_NEWUTS Hostname and NIS domain name This page describes the various namespaces and the associated /proc files, and summarizes the APIs for working with namespaces. The namespaces API As well as various /proc files described below, the namespaces API includes the following system calls: clone(2) The clone(2) system call creates a new process. If the flags argument of the call specifies one or more of the CLONE_NEW* flags listed below, then new namespaces are created for each flag, and the child process is made a member of those namespaces. (This system call also implements a number of features unrelated to namespaces.) setns(2) The setns(2) system call allows the calling process to join an existing namespace. The namespace to join is specified via a file descriptor that refers to one of the /proc/[pid]/ns files described below. unshare(2) The unshare(2) system call moves the calling process to a new namespace. If the flags argument of the call specifies one or more of the CLONE_NEW* flags listed below, then new namespaces are created for each flag, and the calling process is made a member of those namespaces. (This system call also implements a number of features unrelated to namespaces.) Creation of new namespaces using clone(2) and unshare(2) in most cases requires the CAP_SYS_ADMIN capability. User namespaces are the exception: since Linux 3.8, no privilege is required to create a user namespace. The /proc/[pid]/ns/ directory Each process has a /proc/[pid]/ns/ subdirectory containing one entry for each namespace that supports being manipulated by setns(2): $ ls -l /proc/$$/ns total 0 lrwxrwxrwx. 1 mtk mtk 0 Apr 28 12:46 cgroup -> cgroup:[4026531835] lrwxrwxrwx. 1 mtk mtk 0 Apr 28 12:46 ipc -> ipc:[4026531839] lrwxrwxrwx. 1 mtk mtk 0 Apr 28 12:46 mnt -> mnt:[4026531840] lrwxrwxrwx. 1 mtk mtk 0 Apr 28 12:46 net -> net:[4026531969] lrwxrwxrwx. 1 mtk mtk 0 Apr 28 12:46 pid -> pid:[4026531836] lrwxrwxrwx. 1 mtk mtk 0 Apr 28 12:46 user -> user:[4026531837] lrwxrwxrwx. 1 mtk mtk 0 Apr 28 12:46 uts -> uts:[4026531838] Bind mounting (see mount(2)) one of the files in this directory to somewhere else in the filesystem keeps the corresponding namespace of the process specified by pid alive even if all processes currently in the namespace terminate. Opening one of the files in this directory (or a file that is bind mounted to one of these files) returns a file handle for the corresponding namespace of the process specified by pid. As long as this file descriptor remains open, the namespace will remain alive, even if all processes in the namespace terminate. The file descriptor can be passed to setns(2). In Linux 3.7 and earlier, these files were visible as hard links. Since Linux 3.8, they appear as symbolic links. If two processes are in the same namespace, then the inode numbers of their /proc/[pid]/ns/xxx symbolic links will be the same; an application can check this using the stat.st_ino field returned by stat(2). The content of this symbolic link is a string containing the namespace type and inode number as in the following example: $ readlink /proc/$$/ns/uts uts:[4026531838] The symbolic links in this subdirectory are as follows: /proc/[pid]/ns/cgroup (since Linux 4.6) This file is a handle for the cgroup namespace of the process. /proc/[pid]/ns/ipc (since Linux 3.0) This file is a handle for the IPC namespace of the process. /proc/[pid]/ns/mnt (since Linux 3.8) This file is a handle for the mount namespace of the process. /proc/[pid]/ns/net (since Linux 3.0) This file is a handle for the network namespace of the process. /proc/[pid]/ns/pid (since Linux 3.8) This file is a handle for the PID namespace of the process. /proc/[pid]/ns/user (since Linux 3.8) This file is a handle for the user namespace of the process. /proc/[pid]/ns/uts (since Linux 3.0) This file is a handle for the UTS namespace of the process. Permission to dereference or read (readlink(2)) these symbolic links is governed by a ptrace access mode PTRACE_MODE_READ_FSCREDS check; see ptrace(2). Cgroup namespaces (CLONE_NEWCGROUP) See cgroup_namespaces(7). IPC namespaces (CLONE_NEWIPC) IPC namespaces isolate certain IPC resources, namely, System V IPC objects (see svipc(7)) and (since Linux 2.6.30) POSIX message queues (see mq_overview(7)). The common characteristic of these IPC mechanisms is that IPC objects are identified by mechanisms other than filesystem pathnames. Each IPC namespace has its own set of System V IPC identifiers and its own POSIX message queue filesystem. Objects created in an IPC namespace are visible to all other processes that are members of that namespace, but are not visible to processes in other IPC namespaces. The following /proc interfaces are distinct in each IPC namespace: * The POSIX message queue interfaces in /proc/sys/fs/mqueue. * The System V IPC interfaces in /proc/sys/kernel, namely: msgmax, msgmnb, msgmni, sem, shmall, shmmax, shmmni, and shm_rmid_forced. * The System V IPC interfaces in /proc/sysvipc. When an IPC namespace is destroyed (i.e., when the last process that is a member of the namespace terminates), all IPC objects in the namespace are automatically destroyed. Use of IPC namespaces requires a kernel that is configured with the CONFIG_IPC_NS option. Network namespaces (CLONE_NEWNET) Network namespaces provide isolation of the system resources associated with networking: network devices, IPv4 and IPv6 protocol stacks, IP routing tables, firewalls, the /proc/net directory, the /sys/class/net directory, port numbers (sockets), and so on. A physical network device can live in exactly one network namespace. A virtual network device ("veth") pair provides a pipe-like abstraction that can be used to create tunnels between network namespaces, and can be used to create a bridge to a physical network device in another namespace. When a network namespace is freed (i.e., when the last process in the namespace terminates), its physical network devices are moved back to the initial network namespace (not to the parent of the process). Use of network namespaces requires a kernel that is configured with the CONFIG_NET_NS option. Mount namespaces (CLONE_NEWNS) See mount_namespaces(7). PID namespaces (CLONE_NEWPID) See pid_namespaces(7). User namespaces (CLONE_NEWUSER) See user_namespaces(7). UTS namespaces (CLONE_NEWUTS) UTS namespaces provide isolation of two system identifiers: the hostname and the NIS domain name. These identifiers are set using sethostname(2) and setdomainname(2), and can be retrieved using uname(2), gethostname(2), and getdomainname(2). Use of UTS namespaces requires a kernel that is configured with the CONFIG_UTS_NS option. Introspecting namespace relationships Since Linux 4.9, two ioctl(2) operations are provided to allow introspection of namespace relationships (see user_namespaces(7) and pid_namespaces(7)). The form of the calls is: new_fd = ioctl(fd, request); In each case, fd refers to a /proc/[pid]/ns/* file. Both operations return a new file descriptor on success. NS_GET_USERNS Returns a file descriptor that refers to the owning user namespace for the namespace referred to by fd. NS_GET_PARENT Returns a file descriptor that refers to the parent namespace of the namespace referred to by fd. This operation is valid only for hierarchical namespaces (i.e., PID and user namespaces). For user namespaces, NS_GET_PARENT is synonymous with NS_GET_USERNS. The new file descriptor returned by these operations is opened with the O_RDONLY and O_CLOEXEC (close-on-exec; see fcntl(2))flags. By applying fstat(2) to the returned file descriptor, one obtains a stat structure whose st_dev (resident device) and st_ino (inode number) fields together identify the owning/parent namespace. This inode number can be matched with the inode number of another /proc/[pid]/ns/{pid,user} file to determine whether that is the owning/parent namespace. Either of these ioctl(2) operations can fail with the following errors: EPERM The requested namespace is outside of the caller's namespace scope. This error can occur if, for example, the owning user namespace is an ancestor of the caller's current user namespace. It can also occur on attempts to obtain the parent of the initial user or PID namespace. ENOTTY The operation is not supported by this kernel version. Additionally, the NS_GET_PARENT operation can fail with the following error: EINVAL fd refers to a nonhierarchical namespace. See the EXAMPLE section for an example of the use of these operations.
CONFORMING TO
Namespaces are a Linux-specific feature.
EXAMPLE
For one example, user_namespaces(7). The example shown below uses the ioctl(2) operations described above to perform simple introspection of namespace relationships. The following shell sessions show various examples of the use of this program. Trying to get the parent of the initial user namespace fails, for the reasons explained earlier: $ ./ns_introspect /proc/self/ns/user p The parent namespace is outside your namespace scope Create a process running sleep(1) that resides in new user and UTS namespaces, and show that new UTS namespace is associated with the new user namespace: $ unshare -Uu sleep 1000 & [1] 23235 $ ./ns_introspect /proc/23235/ns/uts Device/Inode of owning user namespace is: [0,3] / 4026532448 $ readlink /proc/23235/ns/user user:[4026532448] Then show that the parent of the new user namespace in the preceding example is the initial user namespace: $ readlink /proc/self/ns/user user:[4026531837] $ ./ns_introspect /proc/23235/ns/user Device/Inode of owning user namespace is: [0,3] / 4026531837 Start a shell in a new user namespace, and show that from within this shell, the parent user namespace can't be discovered. Similarly, the UTS namespace (which is associated with the initial user namespace) can't be discovered. $ PS1="sh2$ " unshare -U bash sh2$ ./ns_introspect /proc/self/ns/user p The parent namespace is outside your namespace scope sh2$ ./ns_introspect /proc/self/ns/uts u The owning user namespace is outside your namespace scope Program source /* ns_introspect.c Licensed under the GNU General Public License v2 or later. */ #include <stdlib.h> #include <unistd.h> #include <stdio.h> #include <fcntl.h> #include <string.h> #include <sys/stat.h> #include <sys/ioctl.h> #include <errno.h> #include <sys/sysmacros.h> #ifndef NS_GET_USERNS #define NSIO 0xb7 #define NS_GET_USERNS _IO(NSIO, 0x1) #define NS_GET_PARENT _IO(NSIO, 0x2) #endif int main(int argc, char *argv[]) { int fd, userns_fd, parent_fd; struct stat sb; if (argc < 2) { fprintf(stderr, "Usage: %s /proc/[pid]/ns/[file] [p|u]\n", argv[0]); fprintf(stderr, "\nDisplay the result of one or both " "of NS_GET_USERNS (u) or NS_GET_PARENT (p)\n" "for the specified /proc/[pid]/ns/[file]. If neither " "'p' nor 'u' is specified,\n" "NS_GET_USERNS is the default.\n"); exit(EXIT_FAILURE); } /* Obtain a file descriptor for the 'ns' file specified in argv[1] */ fd = open(argv[1], O_RDONLY); if (fd == -1) { perror("open"); exit(EXIT_FAILURE); } /* Obtain a file descriptor for the owning user namespace and then obtain and display the inode number of that namespace */ if (argc < 3 || strchr(argv[2], 'u')) { userns_fd = ioctl(fd, NS_GET_USERNS); if (userns_fd == -1) { if (errno == EPERM) printf("The owning user namespace is outside " "your namespace scope\n"); else perror("ioctl-NS_GET_USERNS"); exit(EXIT_FAILURE); } if (fstat(userns_fd, &sb) == -1) { perror("fstat-userns"); exit(EXIT_FAILURE); } printf("Device/Inode of owning user namespace is: " "[%lx,%lx] / %ld\n", (long) major(sb.st_dev), (long) minor(sb.st_dev), (long) sb.st_ino); close(userns_fd); } /* Obtain a file descriptor for the parent namespace and then obtain and display the inode number of that namespace */ if (argc > 2 && strchr(argv[2], 'p')) { parent_fd = ioctl(fd, NS_GET_PARENT); if (parent_fd == -1) { if (errno == EINVAL) printf("Can' get parent namespace of a " "nonhierarchical namespace\n"); else if (errno == EPERM) printf("The parent namespace is outside " "your namespace scope\n"); else perror("ioctl-NS_GET_PARENT"); exit(EXIT_FAILURE); } if (fstat(parent_fd, &sb) == -1) { perror("fstat-parentns"); exit(EXIT_FAILURE); } printf("Device/Inode of parent namespace is: [%lx,%lx] / %ld\n", (long) major(sb.st_dev), (long) minor(sb.st_dev), (long) sb.st_ino); close(parent_fd); } exit(EXIT_SUCCESS); }
SEE ALSO
nsenter(1), readlink(1), unshare(1), clone(2), setns(2), unshare(2), proc(5), capabilities(7), cgroup_namespaces(7), cgroups(7), credentials(7), pid_namespaces(7), user_namespaces(7), lsns(8), switch_root(8)
COLOPHON
This page is part of release 4.09 of the Linux man-pages project. A description of the project, information about reporting bugs, and the latest version of this page, can be found at https://www.kernel.org/doc/man-pages/.
More Linux Commands
manpages/g++.1.html
g++(1) - GNU project C and C++ compiler - Linux manual page
When you invoke GCC, it normally does preprocessing, compilation, assembly and linking. The overall options allow you to stop this process at an intermediate st
manpages/SDL_CDPause.3.html
SDL_CDPause(3) - Pauses a CDROM (Library - Linux man page)
Pauses play on the given cdrom. RETURN VALUE Returns 0 on success, or -1 on an error. SEE ALSO SDL_CDPlay, SDL_CDResume SDL_CDPause.3 (Library - Linux manual pa
manpages/FcStrSetEqual.3.html
FcStrSetEqual(3) - check sets for equality - Linux man page
Returns whether set_a contains precisely the same strings as set_b. Ordering of strings within the two sets is not considered. VERSION Fontconfig version 2.8.0
manpages/SDL_AudioSpec.3.html
SDL_AudioSpec(3) - Audio Specification Structure (Man Page)
The SDL_AudioSpec structure is used to describe the format of some audio data. This structure is used by SDL_OpenAudio and SDL_LoadWAV. While all fields are use
manpages/pasuspender.1.html
pasuspender(1) - Temporarily suspend PulseAudio (Man Page)
pasuspender is a tool that can be used to tell a local PulseAudio sound server to temporarily suspend access to the audio devices, to allow other applications a
manpages/SDL_JoystickNumBalls.3.html
SDL_JoystickNumBalls(3) - Get the number of joystick trackba
Return the number of trackballs available from a previously opened SDL_Joystick. RETURN VALUE Number of trackballs. SEE ALSO SDL_JoystickGetBall, SDL_JoystickOp
manpages/fileno_unlocked.3.html
fileno_unlocked(3) - nonlocking stdio functions (Man Page)
Each of these functions has the same behavior as its counterpart without the _unlocked suffix, except that they do not use locking (they do not set locks themse
manpages/lj4_font.5.html
lj4_font(5) - groff fonts for use with devlj4 (Man Page)....
Nominally, all Hewlett-Packard LaserJet 4-series and newer printers have the same internal fonts: 45 scalable fonts and one bitmapped Lineprinter font. The scal
manpages/gluBuild2DMipmaps.3gl.html
gluBuild2DMipmaps(3gl) - builds a two-dimensional mipmap....
gluBuild2DMipmaps builds a series of prefiltered two-dimensional texture maps of decreasing resolutions called a mipmap. This is used for the antialiasing of te
manpages/isinff.3.html
isinff(3) - BSD floating-point classification functions.....
The finite(), finitef(), and finitel() functions return a nonzero value if x is neither infinite nor a not-a-number (NaN) value, and 0 otherwise. The isnan(), i
manpages/__fbufsize.3.html
__fbufsize(3) - interfaces to stdio FILE structure (ManPage)
Solaris introduced routines to allow portable access to the internals of the FILE structure, and glibc also implemented these. The __fbufsize() function returns
manpages/ripngd.8.html
ripngd(8) - a RIPNG routing engine for use with Quagga routi
ripngd is a routing component that works with the Quagga routing engine. OPTIONS Options available for the ripngd command: OPTIONS -d, --daemon Runs in daemon m
