2 votes, 0 answers, 39 views
How to whitelist directories for Units in systemd
There are many options available for Units (like services) in systemd. Three of them are called ReadWriteDirectories, ReadOnlyDirectories and InaccessibleDirectories. I'm using Debian 8.5 on a virtual ...

2 votes, 0 answers, 14 views
veth between two network process namespaces?
I created two namespaces: unshare -mnpf bash --norc -is host1 (& host2)
At the prompt of host1, I run:
ip link add name host1-eth0 type veth peer name host2-eth0 netns <host2-pid>
But it ...

1 vote, 0 answers, 35 views
Why is CAP_SYS_ADMIN needed for CLONE_NEWPID?
man 2 unshare says
Use of CLONE_NEWPID requires the CAP_SYS_ADMIN capability
and the suggested read for further information, man 7 pid_namespaces, does not really disclose or talk ...

1 vote, 0 answers, 35 views
What are the ways and risks of using Linux namespaces as a non-root user?
I know unshare and nsenter are userland tools to work with Linux namespaces. Since I, as much as possible, try to avoid working with root privileges enabled, I often run into troubles with those ...

1 vote, 2 answers, 42 views
Is it possible to join two different process namespaces?
I'm wondering if it's possible to join two process namespaces in Linux. To demonstrate what I mean, the following is a scenario:
1) A process runs in its own separate namespace. Let's call this process ...

3 votes, 1 answer, 120 views
Routing between Linux namespaces
I have the following network topology using Linux namespaces:
.--------.veth0 .--------.veth2 .--------.
| ns_snd |------------| ns_mid |------------| ns_rcv |
'--------' veth1'-----...

1 vote, 1 answer, 59 views
How to bind (or remap) a socket with an abstract name to a path?
In our system (Linux 4.4) we see a unix socket with an abstract namespace (those starting with @ with no corresponding file on the file system). Showing its details with lsof reports:
serv 7539 ...

1 vote, 1 answer, 83 views
Connect network namespace to internet
My scenario is this: I want to be able to execute a program in a separate namespace with a network interface of its own. But I also want it to be able to access the internet through my physical network ...

3 votes, 0 answers, 108 views
Persistent network namespace configuration
When creating a namespace with ip netns add <namespace>, the namespace and its related config are deleted on reboot along with created interfaces like veth pairs. What is the correct way to:
...

3 votes, 1 answer, 73 views
Why does a child with a mount namespace affect parent mounts?
I am trying to understand Linux namespaces using a Debian jessie server where I have root access.
Consider this C code:
/* /tmp/test.c */
#define _GNU_SOURCE
#include <sched.h>
#include <stdio....

0 votes, 0 answers, 108 views
Non-Root Container
I'm attempting to create some kind of gentoo "subsystem" without root permissions. I've encountered a problem with my approach and I'm wondering if it's possible to do or not. The way I'm attempting ...

1 vote, 0 answers, 34 views
unshare -m seemingly not creating mount namespace
I ran
unshare -mfp sh -c 'mount -tproc none /proc ; ls /proc'
That printed a /proc with only directories for PID 1 and PID 3, and exited, leaving me back in my old prompt in the root namespace, as ...

1 vote, 1 answer, 48 views
Remove link from Linux namespace
I created a namespace in Linux with 'ip netns add foo', created a pair of veth interfaces and moved one into the namespace. I set up IP addresses etc., so that now I can ping my 'foo' namespace from the ...

5 votes, 0 answers, 70 views
LXC: Any security difference between root and end-user owned unprivileged containers?
I intend to use LXC containers to isolate most of the network-facing services.
As per my understanding, I have mainly two ways to do this:
Create unprivileged containers owned by root. In this case, ...

0 votes, 1 answer, 187 views
Trying to run OpenVPN in Network Namespace
I want certain apps to access the internet via OpenVPN. I found a solution in the final answer/comment at the bottom of this question/thread here:
Feed all traffic through OpenVPN for a specific ...

2 votes, 0 answers, 219 views
Netlink access inside a network namespace
I'm trying to set up an IPsec gateway (strongSwan) on a Raspberry Pi 2.
The Pi was already providing a number of services on the LAN using a private IP address.
My initial attempt to turn it into an ...

1 vote, 1 answer, 35 views
Starting isolated namespace inside network namespace
I've managed to create two network namespaces (ns1 and ns2) and connect them via a veth connection. They can ping each other fine, and even ssh from one into the other (provided I started sshd).
What I would ...

2 votes, 1 answer, 87 views
Compute total CPU usage of a PID namespace
I'd like to monitor the CPU usage for all processes in a particular PID namespace. I'd like to do it programmatically (C, if possible). I have an idea of how to do it, but I'd like to know if Linux ...

3 votes, 2 answers, 188 views
Is it possible to mount a device in a process' namespace after unshare()?
Say I have a process with an isolated MOUNT namespace, pid 1200; the process called unshare() to isolate its namespace from the parent process. I then want to mount a device only accessible outside pid ...

2 votes, 1 answer, 121 views
Is it possible to run 'unshare -n [program]' as an unprivileged user?
I want to run a program without any internet access, e.g.
unshare -n ping 127.0.0.1.
As an unprivileged user, it returns Operation not permitted; as a privileged user, it returns the desired ...

0 votes, 0 answers, 39 views
Mount namespace does not work in Ubuntu, whether 15.04 or 14.04
NOTE: Referencing this Q&A:
Why is my bind mount visible outside its mount namespace?
It gave an unshare example, but it did not work in Ubuntu. I tried on Ubuntu 15.04, with util-linux 2.25. I ...

5 votes, 2 answers, 425 views
Why is my bind mount visible outside its mount namespace?
So I'm trying to get a handle on how Linux's mount namespace works. So, I did a little experiment and opened up two terminals and ran the following:
Terminal 1
root@goliath:~# mkdir a b
root@...

2 votes, 1 answer, 93 views
Is there a way to isolate a running program from the rest of a Linux system?
First of all, I know about virtualisation and containers. I'm sure "he wants containers" is what popped into your mind. (Don't deny it!)
However, containers are like chroot: if you want to execute bash ...

1 vote, 2 answers, 347 views
SSH: shell opened in IP namespace
I'm trying to force users logging in through SSH to have a shell inside an IP namespace.
I've tried replacing the shell in /etc/passwd with something like ip netns exec sshns /bin/bash but it didn't ...

5 votes, 1 answer, 145 views
PID in arch-chroot is incorrect
I am trying to run a python script in a chroot (specifically, the chroot is created with arch-chroot). The python script relies on os.getpid(), but this seems to be returning an incorrect PID within ...

1 vote, 0 answers, 24 views
Is an unprivileged LXC where the host user itself is mapped to 0 less secure than one where one of its subids is mapped to 0, and why?
Instead of creating "common" LXC unprivileged containers where all the users are mapped to (unprivileged) subuid/gid of my host user, I'm considering a mapping where my host user itself will be mapped ...

1 vote, 1 answer, 999 views
What characters are valid to use in filenames? [duplicate]
It seems like it is possible to create filenames in unix with just about any valid character.
touch \; &&
touch \\ &&
touch \" &&
touch $'\n' &&
touch $'\t' &&
...

1 vote, 0 answers, 117 views
Recursively unmount bind mount in both user and mount namespace
I am trying to use a recursive bind mount in a new user namespace and mount namespace.
This is what I do. Assume /foo/bar/ and /foo are both mount points.
Firstly I do mount --rbind /foo/bar/ /baz, and ...

1 vote, 1 answer, 176 views
Allow a single process to access a file
If I am the owner of a file, then is there a way I can give another process (running under another user that doesn't have read/write permission to that file) permission to access it? I want only that ...

3 votes, 0 answers, 93 views
Sandboxing a binary on Linux
I am trying to understand the various options I have to restrict/sandbox a binary in Linux. I see that I can use namespaces and cgroups like docker does. I could use SELinux like this link suggests. Which ...

3 votes, 0 answers, 87 views
What happens if the last process in a namespace exits?
I am running Linux.
I have a single process in a mount namespace.
I did in this process a mount -t tmpfs tmpfs /mountpoint.
What happens if the process exits and there are no more processes in ...

1 vote, 0 answers, 37 views
Is it allowed to assign one range of subordinate IDs to two different users?
Is it allowed to assign the same range of subordinate user and group IDs to different users on the system defining the subordinate IDs?
Please provide sources for your answer.
The idea here would ...

1 vote, 0 answers, 207 views
Running a process in another namespace
I would like to run a new process (for example an xterm) in another network namespace. This could be done like this:
sudo ip netns exec otherns sudo -u $USER xterm
This command looks a bit ...

1 vote, 1 answer, 99 views
Using a VPN for certain applications via a network namespace
I am trying to use a network namespace for VPN-specific traffic, using this guide: https://schnouki.net/posts/2014/12/12/openvpn-for-a-single-application-on-linux/ on Debian.
Everything works with ...

1 vote, 0 answers, 61 views
ICMP limited in many network namespaces?
I wrote a small script to show example usage of ip netns on an unused class C network (here changed to 192.168.10)
#!/bin/sh
network=192.168.10
for id in `seq 0 127`; do
ip netns del test-$id;
done;
...

2 votes, 1 answer, 134 views
Re-enter PID 1 namespace
I'm trying to enter the PID namespace that the process with PID 1 is in, from a process cloned with CLONE_NEWPID. I keep getting an Invalid argument error.
In other words, I clone a child process with clone() ...

10 votes, 1 answer, 4k views
What's a UTS namespace?
The man page of unshare says:
UTS namespace
setting hostname, domainname will not affect rest of the system (CLONE_NEWUTS flag)
What does UTS stand for?

2 votes, 1 answer, 476 views
Is traffic control inside a namespace on ports created by OpenvSwitch supported?
I am trying to limit the bandwidth of an interface inside a namespace using tc without much success. It seems it's not supported according to https://lists.linux-foundation.org/pipermail/containers/2009-...

5 votes, 1 answer, 389 views
View/manipulate mount namespaces in Linux
Is there any way to view or manipulate the mount namespace for an arbitrary process?
For example, a docker container is running which has a local mount to an NFS server. It can be seen from inside ...

1 vote, 0 answers, 282 views
Running HTTP process as a sole child in PID/NET namespace
First time posting here, so I appreciate your help and patience. After reading about namespaces, looking on various forums including this thread, and trial and error, I'm still looking for answers for a ...

1 vote, 1 answer, 166 views
How to map an IP with iptables?
I create a network namespace.
In this namespace, I start nginx.
So for now, I can visit the web server at 172.17.0.2.
What I want to do is map this IP to 127.0.0.1.
Let's say if I visit 127.0.0.1, I ...

3 votes, 3 answers, 2k views
Linux namespaces: how to connect to the internet in a network namespace?
I want to test Linux network namespaces.
The current problem is that I cannot connect to the internet in the namespace.
Here are my commands:
1 Create network namespace netns1, create a pair of veths (A and B) ...

4 votes, 1 answer, 4k views
Per-process private file system mount points
I was checking the unshare command and according to its man page,
unshare - run program with some namespaces unshared from parent
I also see there is a type of namespace listed as,
mount ...

1 vote, 0 answers, 364 views
How to start a process chain from the shell
Is it possible, and if so how do I:
Start a /bin/bash process that is not bound to a terminal from a terminal?
Hence, a shell process that shows up in the process tree as
init -- bash. (Shells ...

0 votes, 3 answers, 2k views
Is reparenting from the shell possible?
This question is closely related to How to "correctly" start an application from a shell but tries to tackle a more specific problem. How can I spawn an application from a shell and thereby ...

2 votes, 0 answers, 676 views
Network connectivity issue between different hosts from a network namespace in one host
I have created two Ubuntu 12.04 VMs using VMWare Player with NAT network configuration. I am able to ping them from each other. After that, I created a network namespace in one of them and added a ...

5 votes, 1 answer, 2k views
LXC container to use "virtual" interface from host (namespace semantics)
So according to the Ubuntu LXC documentation, the following statement can be found at the time of this writing:
A NIC can only exist in one namespace at a time, so a physical ...

3 votes, 1 answer, 434 views
Set environment inside `nsenter /bin/bash`
I'm entering a namespace with nsenter -m -u -i -n -p -t $PID /bin/bash. However, printenv inside this namespace doesn't have everything I need. I'd like to send these variables in, but I'd like to ...

10 votes, 1 answer, 2k views
Reliable way to jail child processes using `nsenter`
I know that Linux namespaces, among many other things, can be leveraged to handle restricting and jailing child processes securely without any chance of their being zombied and dumped on init. But I'm ...

1 vote, 1 answer, 516 views
Linux PID namespaces
I have a question about the number of PIDs a process has in the context of Linux PID namespaces.
Suppose: (NS = namespace)
P1 (PID NS1) -> clone -> P2 (PID NS2) -> clone -> P3 (PID NS3)
How many PIDs does ...