#Bash 的 nsenter 命令
nsenter [OPTION]... [CMD [ARG]...]
功能
进入指定的命名空间然后运行命令。
类型
可执行文件(/usr/bin/nsenter),属于 util-linux。
参数
OPTION选项:-a,--all- 根据默认的命名空间路径/proc/${PID}/ns/*进入目标进程的所有命名空间;与t选项一同使用-t,--target PID- 通过PID指定目标进程;进入目标进程的命名空间-m,--mount[=file]- 进入file指定的 mount namespace;如果没有file,则进入目标进程的 mount namespace-u,--uts[=file]- 进入file指定的 UTS namespace;如果没有file,则进入目标进程的 UTS namespace-i,--ipc[=file]- 进入file指定的 IPC namespace;如果没有file,则进入目标进程的 IPC namespace-n,--net[=file]- 进入file指定的 network namespace;如果没有file,则进入目标进程的 network namespace-p,--pid[=file]- 进入file指定的 PID namespace;如果没有file,则进入目标进程的 PID namespace-U,--user[=file]- 进入file指定的 user namespace;如果没有file,则进入目标进程的 user namespace-C,--cgroup[=file]- 进入file指定的 cgroup namespace;如果没有file,则进入目标进程的 cgroup namespace-T,--time[=file]- 进入file指定的 time namespace;如果没有file,则进入目标进程的 time namespace-G,--setgid gid- 设置组 ID 并删除补充组 ID;默认为 0-S,--setuid uid- 设置用户 ID;默认为 0--preserve-credentials- 不修改用户 ID 和 组 ID-r,--root[=directory]- 设置根目录-w,--wd[=directory]- 设置工作目录;在进入命名空间之前打开-W,--wdns[=directory]- 设置工作目录;在 chroot 指定打开-e,--env- 将目标进程的环境变量传递给新创建的进程-F,--no-fork- 不要在 exec 之前调用 fork 函数-Z,--follow-context- 将目标进程的安全上下文传递给新创建的进程-h,--help- 显示帮助-V,--version- 显示版本
CMD- 要执行的命令;默认执行${SHELL}ARG- 命令的参数列表
#Linux 的命名空间
| 命名空间 | 中文说明 |
|---|---|
| mount namespace | 挂载或卸载文件系统不会影响系统的其他部分,除非该文件系统被显式标记为共享(使用 mount --make-shared;共享标志可在 /proc/self/mountinfo 中查看)。更多细节参见 mount_namespaces(7) 以及 clone(2) 中关于 CLONE_NEWNS 标志的说明。 |
| UTS namespace | 设置主机名(hostname)或域名(domainname)不会影响系统的其他部分。更多细节参见 uts_namespaces(7)。 |
| IPC namespace | 进程将拥有独立的 IPC 命名空间,包括 POSIX 消息队列,以及 System V 消息队列、信号量集合和共享内存段。更多细节参见 ipc_namespaces(7)。 |
| network namespace | 进程将拥有独立的 IPv4 和 IPv6 协议栈、IP 路由表、防火墙规则、/proc/net 和 /sys/class/net 目录树、套接字等资源。更多细节参见 network_namespaces(7)。 |
| PID namespace | 子进程将拥有一套与 nsenter 进程分离的 PID 到进程映射关系。如果更改 PID 命名空间,nsenter 默认会执行 fork,以便新程序及其子进程共享同一个 PID 命名空间并彼此可见。如果使用 --no-fork,则新程序将在不进行 fork 的情况下通过 exec 启动。更多细节参见 pid_namespaces(7)。 |
| user namespace | 进程将拥有独立的一组 UID、GID 以及能力(capabilities)。更多细节参见 user_namespaces(7)。 |
| cgroup namespace | 进程将看到虚拟化后的 /proc/self/cgroup 视图,新创建的 cgroup 挂载点将以该命名空间的 cgroup 根目录为起点。更多细节参见 cgroup_namespaces(7)。 |
| time namespace | 进程可以拥有独立的 CLOCK_MONOTONIC 和/或 CLOCK_BOOTTIME 视图,这些时间偏移可通过 /proc/self/timens_offsets 进行修改。更多细节参见 time_namespaces(7)。 |
#示例
$ nsenter -t 12345 -a ls # 进入进程 12345 的所有命名空间,执行 ls
$ nsenter -t 12345 -a # 进入进程 12345 的所有命名空间,执行 /bin/bash
#相关命令
| 命令 | 说明 |
|---|---|
| unshare | 创建新的命名空间执行命令 |
#推荐阅读
#手册
NSENTER(1) User Commands NSENTER(1)
NAME
nsenter - run program in different namespaces
SYNOPSIS
nsenter [options] [program [arguments]]
DESCRIPTION
The nsenter command executes program in the namespace(s) that are
specified in the command-line options (described below). If program is
not given, then "${SHELL}" is run (default: /bin/sh).
Enterable namespaces are:
mount namespace
Mounting and unmounting filesystems will not affect the rest of the
system, except for filesystems which are explicitly marked as
shared (with mount --make-shared; see /proc/self/mountinfo for the
shared flag). For further details, see mount_namespaces(7) and the
discussion of the CLONE_NEWNS flag in clone(2).
UTS namespace
Setting hostname or domainname will not affect the rest of the
system. For further details, see uts_namespaces(7).
IPC namespace
The process will have an independent namespace for POSIX message
queues as well as System V message queues, semaphore sets and
shared memory segments. For further details, see ipc_namespaces(7).
network namespace
The process will have independent IPv4 and IPv6 stacks, IP routing
tables, firewall rules, the /proc/net and /sys/class/net directory
trees, sockets, etc. For further details, see
network_namespaces(7).
PID namespace
Children will have a set of PID to process mappings separate from
the nsenter process. nsenter will fork by default if changing the
PID namespace, so that the new program and its children share the
same PID namespace and are visible to each other. If --no-fork is
used, the new program will be exec’ed without forking. For further
details, see pid_namespaces(7).
user namespace
The process will have a distinct set of UIDs, GIDs and
capabilities. For further details, see user_namespaces(7).
cgroup namespace
The process will have a virtualized view of /proc/self/cgroup, and
new cgroup mounts will be rooted at the namespace cgroup root. For
further details, see cgroup_namespaces(7).
time namespace
The process can have a distinct view of CLOCK_MONOTONIC and/or
CLOCK_BOOTTIME which can be changed using
/proc/self/timens_offsets. For further details, see
time_namespaces(7).
OPTIONS
Various of the options below that relate to namespaces take an optional
file argument. This should be one of the /proc/[pid]/ns/* files
described in namespaces(7), or the pathname of a bind mount that was
created on one of those files.
-a, --all
Enter all namespaces of the target process by the default
/proc/[pid]/ns/* namespace paths. The default paths to the target
process namespaces may be overwritten by namespace specific options
(e.g., --all --mount=[path]).
The user namespace will be ignored if the same as the caller’s
current user namespace. It prevents a caller that has dropped
capabilities from regaining those capabilities via a call to
setns(). See setns(2) for more details.
-t, --target PID
Specify a target process to get contexts from. The paths to the
contexts specified by pid are:
/proc/pid/ns/mnt
the mount namespace
/proc/pid/ns/uts
the UTS namespace
/proc/pid/ns/ipc
the IPC namespace
/proc/pid/ns/net
the network namespace
/proc/pid/ns/pid
the PID namespace
/proc/pid/ns/user
the user namespace
/proc/pid/ns/cgroup
the cgroup namespace
/proc/pid/ns/time
the time namespace
/proc/pid/root
the root directory
/proc/pid/cwd
the working directory respectively
-m, --mount[=file]
Enter the mount namespace. If no file is specified, enter the mount
namespace of the target process. If file is specified, enter the
mount namespace specified by file.
-u, --uts[=file]
Enter the UTS namespace. If no file is specified, enter the UTS
namespace of the target process. If file is specified, enter the
UTS namespace specified by file.
-i, --ipc[=file]
Enter the IPC namespace. If no file is specified, enter the IPC
namespace of the target process. If file is specified, enter the
IPC namespace specified by file.
-n, --net[=file]
Enter the network namespace. If no file is specified, enter the
network namespace of the target process. If file is specified,
enter the network namespace specified by file.
-p, --pid[=file]
Enter the PID namespace. If no file is specified, enter the PID
namespace of the target process. If file is specified, enter the
PID namespace specified by file.
-U, --user[=file]
Enter the user namespace. If no file is specified, enter the user
namespace of the target process. If file is specified, enter the
user namespace specified by file. See also the --setuid and
--setgid options.
-C, --cgroup[=file]
Enter the cgroup namespace. If no file is specified, enter the
cgroup namespace of the target process. If file is specified, enter
the cgroup namespace specified by file.
-T, --time[=file]
Enter the time namespace. If no file is specified, enter the time
namespace of the target process. If file is specified, enter the
time namespace specified by file.
-G, --setgid gid
Set the group ID which will be used in the entered namespace and
drop supplementary groups. nsenter always sets GID for user
namespaces, the default is 0. If the argument "follow" is specified
the GID of the target process is used.
-S, --setuid uid
Set the user ID which will be used in the entered namespace.
nsenter always sets UID for user namespaces, the default is 0. If
the argument "follow" is specified the UID of the target process is
used.
--preserve-credentials
Don’t modify UID and GID when enter user namespace. The default is
to drops supplementary groups and sets GID and UID to 0.
-r, --root[=directory]
Set the root directory. If no directory is specified, set the root
directory to the root directory of the target process. If directory
is specified, set the root directory to the specified directory.
The specified directory is open before it switches to the requested
namespaces.
-w, --wd[=directory]
Set the working directory. If no directory is specified, set the
working directory to the working directory of the target process.
If directory is specified, set the working directory to the
specified directory. The specified directory is open before it
switches to the requested namespaces, it means the specified
directory works as "tunnel" to the current namespace. See also
--wdns.
-W, --wdns[=directory]
Set the working directory. The directory is open after switch to
the requested namespaces and after chroot(2) call. The options --wd
and --wdns are mutually exclusive.
-e, --env
Pass environment variables from the target process to the new
process being created. If this option is not provided, the
environment variables will remain the same as in the current
namespace..
-F, --no-fork
Do not fork before exec’ing the specified program. By default, when
entering a PID namespace, nsenter calls fork before calling exec so
that any children will also be in the newly entered PID namespace.
-Z, --follow-context
Set the SELinux security context used for executing a new process
according to already running process specified by --target PID.
(The util-linux has to be compiled with SELinux support otherwise
the option is unavailable.)
-h, --help
Display help text and exit.
-V, --version
Print version and exit.
AUTHORS
Eric Biederman <biederm@xmission.com>, Karel Zak <kzak@redhat.com>
SEE ALSO
clone(2), setns(2), namespaces(7)
REPORTING BUGS
For bug reports, use the issue tracker at
https://github.com/util-linux/util-linux/issues.
AVAILABILITY
The nsenter command is part of the util-linux package which can be
downloaded from Linux Kernel Archive
<https://www.kernel.org/pub/linux/utils/util-linux/>.
util-linux 2.39.3 2023-12-01 NSENTER(1)