unshare — run program with some namespaces unshared from parent
unshare [options] program
Unshares the indicated namespaces from the parent process and then executes the specified program.
The namespaces can optionally be made persistent by bind mounting /proc/pid/ns/type files to a filesystem path and entered with nsenter(1) even after the program terminates. Once a persistent namespace is no longer needed, it can be unpersisted with umount(8). See the EXAMPLES section for more details.
The namespaces to be unshared are indicated via options. Unshareable namespaces are:
mount namespace
Mounting and unmounting filesystems will not affect the rest of the system (CLONE_NEWNS flag), except for filesystems which are explicitly marked as shared (with mount --make-shared; see /proc/self/mountinfo or findmnt -o+PROPAGATION for the shared flags).
unshare since util-linux version 2.27 automatically sets propagation to private in a new mount namespace to make sure that the new namespace is really unshared. It's possible to disable this feature with the option --propagation unchanged. Note that private is the kernel default.
UTS namespace
Setting hostname or domainname will not affect the rest of the system. (CLONE_NEWUTS flag)
IPC namespace
The process will have an independent namespace for System V message queues, semaphore sets and shared memory segments. (CLONE_NEWIPC flag)
network namespace
The process will have independent IPv4 and IPv6 stacks, IP routing tables, firewall rules, the /proc/net and /sys/class/net directory trees, sockets, etc. (CLONE_NEWNET flag)
PID namespace
Children will have a distinct set of PID-to-process mappings from their parent. (CLONE_NEWPID flag)
cgroup namespace
The process will have a virtualized view of /proc/self/cgroup, and new cgroup mounts will be rooted at the namespace cgroup root. (CLONE_NEWCGROUP flag)
user namespace
The process will have a distinct set of UIDs, GIDs and capabilities. (CLONE_NEWUSER flag)
See clone(2) for the exact semantics of the flags.
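The kernel exposes each of the seven namespaces above as a symlink under /proc/pid/ns/. The following helper, an added example that is not part of the unshare manual, compares those links for two processes so an administrator can tell which namespaces a process has unshared (or been placed in) relative to a reference process; it assumes a mounted /proc and permission to read both processes' ns entries.

```shell
# ns_id <pid> <type>: print the identifier that /proc/<pid>/ns/<type> points
# to, e.g. "mnt:[4026531840]"; print nothing when it cannot be read (no such
# pid, no permission, or a namespace type this kernel does not provide).
ns_id() {
    readlink "/proc/$1/ns/$2" 2>/dev/null || true
}

# unshared_from <pid> <refpid>: print, one per line, the namespace types in
# which <pid> does not share a namespace with <refpid>. The type names are
# the /proc/<pid>/ns entries for the seven namespaces unshare can create.
unshared_from() {
    for t in mnt uts ipc net pid cgroup user; do
        a=$(ns_id "$1" "$t")
        b=$(ns_id "$2" "$t")
        # Compare only when both links were readable, so an unreadable entry
        # is not reported as a difference.
        if [ -n "$a" ] && [ -n "$b" ] && [ "$a" != "$b" ]; then
            printf '%s\n' "$t"
        fi
    done
}

# Example use: which namespaces does this shell not share with PID 1?
# (Reading /proc/1/ns/* needs root or the same user as PID 1.)
unshared_from "$$" 1
```

A process started with unshare --pid --fork, for example, shows up as differing in pid (and in mnt when --mount-proc was given).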
-i, --ipc[=file]
Unshare the IPC namespace. If file is specified, then a persistent namespace is created by a bind mount.
-m, --mount[=file]
Unshare the mount namespace. If file is specified, then a persistent namespace is created by a bind mount. Note that file has to be located on a filesystem with the propagation flag set to private. Use the command findmnt -o+PROPAGATION when not sure about the current setting. See also the examples below.
-n, --net[=file]
Unshare the network namespace. If file is specified, then a persistent namespace is created by a bind mount.
-p, --pid[=file]
Unshare the PID namespace. If file is specified, then a persistent namespace is created by a bind mount. See also the --fork and --mount-proc options.
-u, --uts[=file]
Unshare the UTS namespace. If file is specified, then a persistent namespace is created by a bind mount.
-U, --user[=file]
Unshare the user namespace. If file is specified, then a persistent namespace is created by a bind mount.
-C, --cgroup[=file]
Unshare the cgroup namespace. If file is specified, then a persistent namespace is created by a bind mount.
-f, --fork
Fork the specified program as a child process of unshare rather than running it directly. This is useful when creating a new PID namespace.
--mount-proc[=mountpoint]
Just before running the program, mount the proc filesystem at mountpoint (default is /proc). This is useful when creating a new PID namespace. It also implies creating a new mount namespace since the /proc mount would otherwise mess up existing programs on the system. The new proc filesystem is explicitly mounted as private (with MS_PRIVATE|MS_REC).
-r, --map-root-user
Run the program only after the current effective user and group IDs have been mapped to the superuser UID and GID in the newly created user namespace. This makes it possible to conveniently gain capabilities needed to manage various aspects of the newly created namespaces (such as configuring interfaces in the network namespace or mounting filesystems in the mount namespace) even when run unprivileged. As a mere convenience feature, it does not support more sophisticated use cases, such as mapping multiple ranges of UIDs and GIDs. This option implies --setgroups deny and --user.
--propagation private|shared|slave|unchanged
Recursively set the mount propagation flag in the new mount namespace. The default is to set the propagation to private. It is possible to disable this feature with the argument unchanged. The option is silently ignored when the mount namespace is not enabled.
-s, --setgroups allow|deny
Allow or deny the setgroups(2) syscall in a user namespace.
To be able to call setgroups(2), the calling process must at least have CAP_SETGID. But since Linux 3.19 a further restriction applies: the kernel gives permission to call setgroups(2) only after the GID map (/proc/pid/gid_map) has been set. The GID map is writable by root when setgroups(2) is enabled (i.e. allow, the default), and the GID map becomes writable by unprivileged processes when setgroups(2) is permanently disabled (with deny).
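The --map-root-user and --setgroups descriptions above together define a fixed sequence: create the user namespace, write the UID map, write deny to setgroups, and only then write the GID map. The function below, an added example rather than the unshare source, performs that sequence by hand from inside a plain --user namespace so the ordering constraint is visible; it assumes unshare(1) is installed and that unprivileged user namespaces are enabled.

```shell
# run_as_userns_root <command...>: run a command in a fresh user namespace
# with the caller's UID and GID mapped to 0, doing by hand what
# `unshare --map-root-user` does. The writes are issued by the shell that
# unshare exec'd, so /proc/self/* refers to the new namespace.
run_as_userns_root() {
    uid=$(id -u)
    gid=$(id -g)
    unshare --user sh -c '
        # Map the caller UID to 0. A process may map its own UID without
        # CAP_SETUID in the parent namespace.
        echo "0 $1 1" > /proc/self/uid_map
        # Since Linux 3.19 an unprivileged process may write gid_map only
        # after setgroups(2) has been permanently disabled, so this write
        # must come before the gid_map write.
        echo deny > /proc/self/setgroups
        echo "0 $2 1" > /proc/self/gid_map
        shift 2
        exec "$@"' sh "$uid" "$gid" "$@"
}

# Example use: report the effective IDs seen inside the namespace.
run_as_userns_root id -u
```

Swapping the setgroups and gid_map writes makes the gid_map write fail with EPERM on Linux 3.19 and later, which is the restriction the option text describes.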
-V, --version
Display version information and exit.
-h, --help
Display help text and exit.
EXAMPLES
# unshare --fork --pid --mount-proc readlink /proc/self
1
Establish a PID namespace, ensure we're PID 1 in it against a newly mounted procfs instance.
$ unshare --map-root-user --user sh -c whoami
root
Establish a user namespace as an unprivileged user with a root user within it.
# touch /root/uts-ns
# unshare --uts=/root/uts-ns hostname FOO
# nsenter --uts=/root/uts-ns hostname
FOO
# umount /root/uts-ns
Establish a persistent UTS namespace, and modify the hostname. The namespace is then entered with nsenter. The namespace is destroyed by unmounting the bind reference.
# mount --bind /root/namespaces /root/namespaces
# mount --make-private /root/namespaces
# touch /root/namespaces/mnt
# unshare --mount=/root/namespaces/mnt
Establish a persistent mount namespace referenced by the bind mount /root/namespaces/mnt. This example shows a portable solution: the bind mount is marked private before use, so it works even when the underlying filesystem is mounted shared.
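Both the --mount option text and the last example turn on one check: the file that will hold a persistent mount namespace must sit on a mount whose propagation is private. The following added example (not part of util-linux) reads that information directly from the /proc/self/mountinfo format the manual points to, using a constructed sample instead of a live host, and prints the mount --make-private command needed when the check fails.

```shell
# Constructed sample of /proc/self/mountinfo (not captured from a real host).
# Fields: id parent maj:min root mountpoint options [optional...] - fstype source superopts
# Propagation is carried by the optional fields: shared:N, master:N (slave), unbindable.
SAMPLE_MOUNTINFO='28 0 259:2 / / rw,relatime shared:1 - ext4 /dev/nvme0n1p2 rw
22 28 0:21 / /proc rw,nosuid,nodev,noexec,relatime shared:5 - proc proc rw
95 28 259:2 /root/namespaces /root/namespaces rw,relatime - ext4 /dev/nvme0n1p2 rw
97 28 8:17 / /mnt/slave rw,relatime master:1 - ext4 /dev/sdb1 rw'

# mount_of <mountinfo-text> <path>: print the mount point containing <path>,
# i.e. the longest mount point that is a prefix of it. Spaces in mount points
# are escaped as \040 in mountinfo, so whitespace field splitting is safe.
mount_of() {
    printf '%s\n' "$1" | awk -v p="$2" '
        { mp = $5; pfx = (mp == "/") ? "/" : (mp "/")
          if ((p == mp || index(p, pfx) == 1) && length(mp) > length(best)) best = mp }
        END { print best }'
}

# propagation <mountinfo-text> <mountpoint>: print the propagation of the
# mount at exactly <mountpoint> in the words findmnt -o PROPAGATION uses
# (private, shared, slave, unbindable, or a comma-separated combination).
propagation() {
    printf '%s\n' "$1" | awk -v mp="$2" '
        $5 == mp {
            prop = ""
            for (i = 7; i <= NF && $i != "-"; i++) {
                if ($i ~ /^shared:/) prop = prop "shared,"
                else if ($i ~ /^master:/) prop = prop "slave,"
                else if ($i == "unbindable") prop = prop "unbindable,"
            }
            if (prop == "") prop = "private"   # no propagation field at all
            sub(/,$/, "", prop)
            print prop; exit }'
}

# check_persist_target <mountinfo-text> <file>: succeed when <file> lives on
# a private mount, as `unshare --mount=<file>` requires; otherwise print the
# command that would fix it and fail.
check_persist_target() {
    mp=$(mount_of "$1" "$2")
    case "$(propagation "$1" "$mp")" in
        private) return 0 ;;
        *) printf 'mount --make-private %s\n' "$mp"; return 1 ;;
    esac
}
```

On a live system replace the sample with `"$(cat /proc/self/mountinfo)"`; findmnt -o+PROPAGATION reports the same words for the same mounts.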