Wednesday, December 9, 2009

unshare(1)

unshare(1) is a new command-line interface to the Linux unshare(2) system call. It runs a program with some parts of its process execution context unshared from the parent, so changes made to that context by the child are not seen by the parent (and vice versa). The command is available in util-linux-ng 2.17 (thanks to Mikhail Gusarov, the author of the command).

Currently, the unshare(1) command can disassociate:
  • mount namespace (--mount; since kernel 2.4.19)
  • UTS namespace (--uts; since kernel 2.6.19, independent hostname and domainname)
  • IPC namespace (--ipc; since kernel 2.6.19, System V message queues, semaphores, and shared memory)
  • network namespace (--net; since kernel 2.6.24, independent IP stacks, IP routing tables, firewall, ...)

Probably the most attractive one is the unshared mount namespace (see Mike Hommey's "newns" or pam_namespace for earlier approaches to the same idea).

For example, I have two xterms. Let's start a new bash with an unshared mount namespace in the first one:

Session1:

# unshare --mount /bin/bash
# mount /dev/sda1 /mnt/test
# grep test /proc/mounts
/dev/sda1 /mnt/test ext3 rw,relatime,errors=continue,user_xattr,acl,data=ordered 0 0

Session2:

# grep test /proc/mounts
# ll /mnt/test
total 0

The /mnt/test filesystem is visible in Session1 only (ll is the usual alias for ls -l; in Session2 the directory is still there, just empty). That's all, pretty simple and pretty useful :-)
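The same experiment as one script, as an added example that is not code from the original post or from util-linux. It replaces the `grep test /proc/mounts` check with an exact match on the mount-point field (a plain grep would also match /mnt/testing, or any device, fstype or option string containing "test"), uses a tmpfs instead of /dev/sda1 so it is reproducible, and runs the mount from inside a new mount namespace to confirm the parent cannot see it. Two assumptions: the mount point is a temporary directory created with mktemp, and the child first marks all its mounts private. The second step matters on systems where / is a shared mount (systemd sets it up that way), because the 2.17 unshare(1) discussed here only calls unshare(2) and a mount made under a shared root would otherwise propagate straight back to the parent; util-linux 2.27 and later do this step by default. The demo needs root; without it only the constructed listing is checked.

```shell
#!/bin/sh
# Added example, not code from the original post or from util-linux.
#   mount_listed / mount_visible: exact-match replacement for `grep test /proc/mounts`.
#   mount_ns_demo: the Session1/Session2 experiment in one script (needs root).
# Assumptions: the demo mount point is a mktemp directory and a tmpfs is used.

# mount_listed PATH  (reads a /proc/mounts-style listing on stdin)
# Exit 0 if PATH is the mount point (second field) of some line, else 1.
# PATH is passed through the environment rather than awk -v, because -v would
# decode the \040 that /proc/mounts uses for spaces in paths; callers pass such
# paths in exactly the escaped form /proc/mounts shows.
mount_listed() {
    want="$1" awk '$2 == ENVIRON["want"] { found = 1 } END { exit !found }'
}

# mount_visible PATH: the same check against this process's own mount namespace.
mount_visible() {
    mount_listed "$1" < /proc/mounts
}

# Constructed /proc/mounts snapshot (not captured from a real machine) so the
# check can be exercised without root; the second line is the one from the post.
SAMPLE_MOUNTS='rootfs / rootfs rw 0 0
/dev/sda1 /mnt/test ext3 rw,relatime,errors=continue,user_xattr,acl,data=ordered 0 0
/dev/sda2 /mnt/testing ext3 rw,relatime 0 0'

# mount_ns_demo DIR
# Run a child shell in a new mount namespace, mount a tmpfs on DIR there, and
# report whether DIR is mounted inside the child and in the parent.
# Returns 0 when isolation holds, 1 when it does not, 2 when it cannot run.
mount_ns_demo() {
    mp="$1"
    if [ "$(id -u)" -ne 0 ] || ! command -v unshare >/dev/null 2>&1; then
        echo "mount_ns_demo: needs root and unshare(1); skipping" >&2
        return 2
    fi
    # Inside the child: make every mount private first, so the new tmpfs cannot
    # propagate back to the parent through a shared root (util-linux >= 2.27 does
    # this by default, the 2.17 version in the post does not). Then mount and
    # dump the child's view of /proc/mounts for the parent to inspect.
    child_view=$(unshare --mount sh -c '
        mount --make-rprivate / 2>/dev/null
        mount -t tmpfs none "$1" && cat /proc/mounts
    ' sh "$mp") || return 2
    printf '%s\n' "$child_view" | mount_listed "$mp" \
        || { echo "child namespace : $mp is not mounted?!"; return 1; }
    echo "child namespace : $mp is mounted"
    if mount_visible "$mp"; then
        echo "parent namespace: $mp is mounted too; propagation leaked"
        return 1
    fi
    echo "parent namespace: $mp is not mounted; the namespace isolated it"
}

# Exact match versus substring grep on the constructed listing.
printf '%s\n' "$SAMPLE_MOUNTS" | mount_listed /mnt/test && echo "/mnt/test: mounted"
printf '%s\n' "$SAMPLE_MOUNTS" | mount_listed /mnt/tes  || echo "/mnt/tes: not a mount point"
echo "grep -c test would report $(printf '%s\n' "$SAMPLE_MOUNTS" | grep -c test) matching lines"

# The real experiment (skipped with a message when not root). The child
# namespace and its tmpfs disappear when the child shell exits, so nothing is
# left mounted behind.
demo_dir=$(mktemp -d) && { mount_ns_demo "$demo_dir"; rmdir "$demo_dir" 2>/dev/null; }
```

Run it as root on a box with util-linux installed to see both namespace lines; note that the child's tmpfs is gone the moment the child shell exits, which is also why nothing in Session1 above survives that xterm closing.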