+++ /dev/null
-.\" Copyright (c) 2013 by Michael Kerrisk <mtk.manpages@gmail.com>
-.\" and Copyright (c) 2012 by Eric W. Biederman <ebiederm@xmission.com>
-.\"
-.\" %%%LICENSE_START(VERBATIM)
-.\" Permission is granted to make and distribute verbatim copies of this
-.\" manual provided the copyright notice and this permission notice are
-.\" preserved on all copies.
-.\"
-.\" Permission is granted to copy and distribute modified versions of this
-.\" manual under the conditions for verbatim copying, provided that the
-.\" entire resulting derived work is distributed under the terms of a
-.\" permission notice identical to this one.
-.\"
-.\" Since the Linux kernel and libraries are constantly changing, this
-.\" manual page may be incorrect or out-of-date. The author(s) assume no
-.\" responsibility for errors or omissions, or for damages resulting from
-.\" the use of the information contained herein. The author(s) may not
-.\" have taken the same level of care in the production of this manual,
-.\" which is licensed free of charge, as they might when working
-.\" professionally.
-.\"
-.\" Formatted or processed versions of this manual, if unaccompanied by
-.\" the source, must acknowledge the copyright and authors of this work.
-.\" %%%LICENSE_END
-.\"
-.\"
-.TH NAMESPACES 7 2014-09-21 "Linux" "Linux Programmer's Manual"
-.SH NAME
-namespaces \- overview of Linux namespaces
-.SH DESCRIPTION
-A namespace wraps a global system resource in an abstraction that
-makes it appear to the processes within the namespace that they
-have their own isolated instance of the global resource.
-Changes to the global resource are visible to other processes
-that are members of the namespace, but are invisible to other processes.
-One use of namespaces is to implement containers.
-
-Linux provides the following namespaces:
-.TS
-lB lB lB
-l lB l.
-Namespace Constant Isolates
-IPC CLONE_NEWIPC System V IPC, POSIX message queues
-Network CLONE_NEWNET Network devices, stacks, ports, etc.
-Mount CLONE_NEWNS Mount points
-PID CLONE_NEWPID Process IDs
-User CLONE_NEWUSER User and group IDs
-UTS CLONE_NEWUTS Hostname and NIS domain name
-.TE
-
-This page describes the various namespaces and the associated
-.I /proc
-files, and summarizes the APIs for working with namespaces.
-.\"
-.\" ==================== The namespaces API ====================
-.\"
-.SS The namespaces API
-As well as various
-.I /proc
-files described below,
-the namespaces API includes the following system calls:
-.TP
-.BR clone (2)
-The
-.BR clone (2)
-system call creates a new process.
-If the
-.I flags
-argument of the call specifies one or more of the
-.B CLONE_NEW*
-flags listed below, then new namespaces are created for each flag,
-and the child process is made a member of those namespaces.
-(This system call also implements a number of features
-unrelated to namespaces.)
-.TP
-.BR setns (2)
-The
-.BR setns (2)
-system call allows the calling process to join an existing namespace.
-The namespace to join is specified via a file descriptor that refers to
-one of the
-.IR /proc/[pid]/ns
-files described below.
-.TP
-.BR unshare (2)
-The
-.BR unshare (2)
-system call moves the calling process to a new namespace.
-If the
-.I flags
-argument of the call specifies one or more of the
-.B CLONE_NEW*
-flags listed below, then new namespaces are created for each flag,
-and the calling process is made a member of those namespaces.
-(This system call also implements a number of features
-unrelated to namespaces.)
-.PP
-Creation of new namespaces using
-.BR clone (2)
-and
-.BR unshare (2)
-in most cases requires the
-.BR CAP_SYS_ADMIN
-capability.
-User namespaces are the exception: since Linux 3.8,
-no privilege is required to create a user namespace.
-.\"
-.\" ==================== The /proc/[pid]/ns/ directory ====================
-.\"
-.SS The /proc/[pid]/ns/ directory
-Each process has a
-.IR /proc/[pid]/ns/
-.\" See commit 6b4e306aa3dc94a0545eb9279475b1ab6209a31f
-subdirectory containing one entry for each namespace that
-supports being manipulated by
-.BR setns (2):
-
-.in +4n
-.nf
-$ \fBls -l /proc/$$/ns\fP
-total 0
-lrwxrwxrwx. 1 mtk mtk 0 Jan 14 01:20 ipc -> ipc:[4026531839]
-lrwxrwxrwx. 1 mtk mtk 0 Jan 14 01:20 mnt -> mnt:[4026531840]
-lrwxrwxrwx. 1 mtk mtk 0 Jan 14 01:20 net -> net:[4026531956]
-lrwxrwxrwx. 1 mtk mtk 0 Jan 14 01:20 pid -> pid:[4026531836]
-lrwxrwxrwx. 1 mtk mtk 0 Jan 14 01:20 user -> user:[4026531837]
-lrwxrwxrwx. 1 mtk mtk 0 Jan 14 01:20 uts -> uts:[4026531838]
-.fi
-.in
-
-Bind mounting (see
-.BR mount (2))
-one of the files in this directory
-to somewhere else in the filesystem keeps
-the corresponding namespace of the process specified by
-.I pid
-alive even if all processes currently in the namespace terminate.
-
-Opening one of the files in this directory
-(or a file that is bind mounted to one of these files)
-returns a file handle for
-the corresponding namespace of the process specified by
-.IR pid .
-As long as this file descriptor remains open,
-the namespace will remain alive,
-even if all processes in the namespace terminate.
-The file descriptor can be passed to
-.BR setns (2).
-
-In Linux 3.7 and earlier, these files were visible as hard links.
-Since Linux 3.8, they appear as symbolic links.
-If two processes are in the same namespace, then the inode numbers of their
-.IR /proc/[pid]/ns/xxx
-symbolic links will be the same; an application can check this using the
-.I stat.st_ino
-field returned by
-.BR stat (2).
-The content of this symbolic link is a string containing
-the namespace type and inode number as in the following example:
-
-.in +4n
-.nf
-$ \fBreadlink /proc/$$/ns/uts\fP
-uts:[4026531838]
-.fi
-.in
-
-The files in this subdirectory are as follows:
-.TP
-.IR /proc/[pid]/ns/ipc " (since Linux 3.0)"
-This file is a handle for the IPC namespace of the process.
-.TP
-.IR /proc/[pid]/ns/mnt " (since Linux 3.8)"
-This file is a handle for the mount namespace of the process.
-.TP
-.IR /proc/[pid]/ns/net " (since Linux 3.0)"
-This file is a handle for the network namespace of the process.
-.TP
-.IR /proc/[pid]/ns/pid " (since Linux 3.8)"
-This file is a handle for the PID namespace of the process.
-.TP
-.IR /proc/[pid]/ns/user " (since Linux 3.8)"
-This file is a handle for the user namespace of the process.
-.TP
-.IR /proc/[pid]/ns/uts " (since Linux 3.0)"
-This file is a handle for the UTS namespace of the process.
-.\"
-.\" ==================== IPC namespaces ====================
-.\"
-.SS IPC namespaces (CLONE_NEWIPC)
-IPC namespaces isolate certain IPC resources,
-namely, System V IPC objects (see
-.BR svipc (7))
-and (since Linux 2.6.30)
-.\" commit 7eafd7c74c3f2e67c27621b987b28397110d643f
-.\" https://lwn.net/Articles/312232/
-POSIX message queues (see
-.BR mq_overview (7)).
-The common characteristic of these IPC mechanisms is that IPC
-objects are identified by mechanisms other than filesystem
-pathnames.
-
-Each IPC namespace has its own set of System V IPC identifiers and
-its own POSIX message queue filesystem.
-Objects created in an IPC namespace are visible to all other processes
-that are members of that namespace,
-but are not visible to processes in other IPC namespaces.
-
-The following
-.I /proc
-interfaces are distinct in each IPC namespace:
-.IP * 3
-The POSIX message queue interfaces in
-.IR /proc/sys/fs/mqueue .
-.IP *
-The System V IPC interfaces in
-.IR /proc/sys/kernel ,
-namely:
-.IR msgmax ,
-.IR msgmnb ,
-.IR msgmni ,
-.IR sem ,
-.IR shmall ,
-.IR shmmax ,
-.IR shmmni ,
-and
-.IR shm_rmid_forced .
-.IP *
-The System V IPC interfaces in
-.IR /proc/sysvipc .
-.PP
-When an IPC namespace is destroyed
-(i.e., when the last process that is a member of the namespace terminates),
-all IPC objects in the namespace are automatically destroyed.
-
-Use of IPC namespaces requires a kernel that is configured with the
-.B CONFIG_IPC_NS
-option.
-.\"
-.\" ==================== Network namespaces ====================
-.\"
-.SS Network namespaces (CLONE_NEWNET)
-Network namespaces provide isolation of the system resources associated
-with networking: network devices, IPv4 and IPv6 protocol stacks,
-IP routing tables, firewalls, the
-.I /proc/net
-directory, the
-.I /sys/class/net
-directory, port numbers (sockets), and so on.
-A physical network device can live in exactly one
-network namespace.
-A virtual network device ("veth") pair provides a pipe-like abstraction
-.\" FIXME Add pointer to veth(4) page when it is eventually completed
-that can be used to create tunnels between network namespaces,
-and can be used to create a bridge to a physical network device
-in another namespace.
-
-When a network namespace is freed
-(i.e., when the last process in the namespace terminates),
-its physical network devices are moved back to the
-initial network namespace (not to the parent of the process).
-
-Use of network namespaces requires a kernel that is configured with the
-.B CONFIG_NET_NS
-option.
-.\"
-.\" ==================== Mount namespaces ====================
-.\"
-.SS Mount namespaces (CLONE_NEWNS)
-Mount namespaces isolate the set of filesystem mount points,
-meaning that processes in different mount namespaces can
-have different views of the filesystem hierarchy.
-The set of mounts in a mount namespace is modified using
-.BR mount (2)
-and
-.BR umount (2).
-
-The
-.IR /proc/[pid]/mounts
-file (present since Linux 2.4.19)
-lists all the filesystems currently mounted in the
-process's mount namespace.
-The format of this file is documented in
-.BR fstab (5).
-Since kernel version 2.6.15, this file is pollable:
-after opening the file for reading, a change in this file
-(i.e., a filesystem mount or unmount) causes
-.BR select (2)
-to mark the file descriptor as readable, and
-.BR poll (2)
-and
-.BR epoll_wait (2)
-mark the file as having an error condition.
-
-The
-.IR /proc/[pid]/mountstats
-file (present since Linux 2.6.17)
-exports information (statistics, configuration information)
-about the mount points in the process's mount namespace.
-This file is readable only by the owner of the process.
-Lines in this file have the form:
-.RS
-.in 12
-.nf
-
-device /dev/sda7 mounted on /home with fstype ext3 [statistics]
-( 1 ) ( 2 ) (3 ) (4)
-.fi
-.in
-
-The fields in each line are:
-.TP 5
-(1)
-The name of the mounted device
-(or "nodevice" if there is no corresponding device).
-.TP
-(2)
-The mount point within the filesystem tree.
-.TP
-(3)
-The filesystem type.
-.TP
-(4)
-Optional statistics and configuration information.
-Currently (as at Linux 2.6.26), only NFS filesystems export
-information via this field.
-.RE
-.\"
-.\" ==================== PID namespaces ====================
-.\"
-.SS PID namespaces (CLONE_NEWPID)
-See
-.BR pid_namespaces (7).
-.\"
-.\" ==================== User namespaces ====================
-.\"
-.SS User namespaces (CLONE_NEWUSER)
-See
-.BR user_namespaces (7).
-.\"
-.\" ==================== UTS namespaces ====================
-.\"
-.SS UTS namespaces (CLONE_NEWUTS)
-UTS namespaces provide isolation of two system identifiers:
-the hostname and the NIS domain name.
-These identifiers are set using
-.BR sethostname (2)
-and
-.BR setdomainname (2),
-and can be retrieved using
-.BR uname (2),
-.BR gethostname (2),
-and
-.BR getdomainname (2).
-
-Use of UTS namespaces requires a kernel that is configured with the
-.B CONFIG_UTS_NS
-option.
-.SH CONFORMING TO
-Namespaces are a Linux-specific feature.
-.SH EXAMPLE
-See
-.BR user_namespaces (7).
-.SH SEE ALSO
-.BR nsenter (1),
-.BR readlink (1),
-.BR unshare (1),
-.BR clone (2),
-.BR setns (2),
-.BR unshare (2),
-.BR proc (5),
-.BR credentials (7),
-.BR capabilities (7),
-.BR pid_namespaces (7),
-.BR user_namespaces (7),
-.BR switch_root (8)
-.SH COLOPHON
-This page is part of release 3.79 of the Linux
-.I man-pages
-project.
-A description of the project,
-information about reporting bugs,
-and the latest version of this page,
-can be found at
-\%http://www.kernel.org/doc/man\-pages/.
OSDN Git Service
