NAME
       unshare - run program with some namespaces unshared from parent

SYNOPSIS
       unshare [options] program [arguments]
DESCRIPTION
       Unshares the indicated namespaces from the parent process and then
       executes the specified program. The namespaces to be unshared are
       indicated via options. Unshareable namespaces are:

       mount namespace
              Mounting and unmounting filesystems will not affect the rest
              of the system (CLONE_NEWNS flag), except for filesystems which
              are explicitly marked as shared (with mount --make-shared; see
              /proc/self/mountinfo for the shared flags).

       UTS namespace
              Setting hostname or domainname will not affect the rest of the
              system (CLONE_NEWUTS flag).

       IPC namespace
              The process will have an independent namespace for System V
              message queues, semaphore sets and shared memory segments
              (CLONE_NEWIPC flag).

       network namespace
              The process will have independent IPv4 and IPv6 stacks, IP
              routing tables, firewall rules, the /proc/net and
              /sys/class/net directory trees, sockets, etc. (CLONE_NEWNET
              flag).

       pid namespace
              Children will have a distinct set of PID to process mappings
              from their parent (CLONE_NEWPID flag).

       user namespace
              The process will have a distinct set of UIDs, GIDs and
              capabilities (CLONE_NEWUSER flag).

       See clone(2) for the exact semantics of the flags.
OPTIONS
       -h, --help
              Display help text and exit.

       -i, --ipc
              Unshare the IPC namespace.

       -m, --mount
              Unshare the mount namespace.

       -n, --net
              Unshare the network namespace.

       -p, --pid
              Unshare the pid namespace. See also the --fork and
              --mount-proc options.

       -u, --uts
              Unshare the UTS namespace.

       -U, --user
              Unshare the user namespace.

       -f, --fork
              Fork the specified program as a child process of unshare
              rather than running it directly. This is useful when creating
              a new pid namespace.

       --mount-proc[=mountpoint]
              Just before running the program, mount the proc filesystem at
              the mountpoint (default is /proc). This is useful when creating
              a new pid namespace. It also implies creating a new mount
              namespace, since the /proc mount would otherwise mess up
              existing programs on the system.
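The following shell script is an added example, not part of the unshare man page. It exercises the -u and -p options described above (together with -U so no root is needed, and -f for the pid case) and verifies from the parent that the isolation actually holds; "sandbox-demo" is a constructed hostname, and a result of "unsupported" means the kernel or a container policy refused to create the namespace.

```shell
#!/bin/sh
# Added example: check UTS and pid namespace isolation with unshare(1).
# Every function prints exactly one of: isolated, leaked, unsupported.

# A hostname set inside a new UTS namespace must not change the parent's.
# -U creates a user namespace first, which grants the capabilities that
# sethostname() requires inside the new UTS namespace without root.
uts_isolation_check() {
    command -v hostname >/dev/null 2>&1 || { echo unsupported; return 0; }
    before=$(hostname)
    inside=$(unshare -U -u sh -c 'hostname sandbox-demo && hostname' 2>/dev/null) || {
        echo unsupported   # unshare refused (e.g. user namespaces disabled)
        return 0
    }
    after=$(hostname)
    if [ "$inside" = "sandbox-demo" ] && [ "$after" = "$before" ]; then
        echo isolated
    else
        echo leaked
    fi
}

# With --fork the program runs as the first process of the new pid
# namespace, so its own pid ($$) is 1. Without -f the unshare process itself
# stays in the parent pid namespace and only its children would be moved,
# which is why the man page pairs -p with --fork.
pid_isolation_check() {
    inside=$(unshare -U -p -f sh -c 'echo $$' 2>/dev/null) || {
        echo unsupported
        return 0
    }
    if [ "$inside" = "1" ]; then
        echo isolated
    else
        echo leaked
    fi
}

# Stand-alone usage: report both checks.
echo "uts: $(uts_isolation_check)"
echo "pid: $(pid_isolation_check)"
```

Add --mount-proc to the pid check to make ps(1) inside the namespace show only its own processes; that mount can be refused in containers where /proc has masked submounts, which is why it is left out of the test path.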