running a process in another namespace

I would like to run a new process (for example an xterm) in another network namespace. This could be done like this:

sudo ip netns exec otherns sudo -u $USER xterm

This command looks a bit complicated and involves running a sudo which runs ip which runs sudo which runs the final xterm.

Is there a more direct way to run a process in a new namespace?

I was thinking of writing a own small (SUID or capability enabled) binary which switches namespace restores permissions and user and runs the command, but shouldn't there already be some standard tool doing exactly that?

This would allow me to simply call something like:

runns otherns xterm

asked Jun 2 '15 at 22:40

michas

15.4k33872

Do you have a kernel 3.8 (necessary for user namespaces)? If so you shouldn't need sudo at all. The basic tool to create a namespace is unshare.

– Gilles
Jun 2 '15 at 23:36

My kernel is 4.0.4. Namespaces are available and working. (In this case I am talking about network namespaces not user namespaces.) Both the unshare and the setns system call need the CAP_SYS_ADMIN capability, hence "normal" users are not allowed to switch namespaces.

– michas
Jun 2 '15 at 23:52

add a comment |

I would like to run a new process (for example an xterm) in another network namespace. This could be done like this:

sudo ip netns exec otherns sudo -u $USER xterm

This command looks a bit complicated and involves running a sudo which runs ip which runs sudo which runs the final xterm.

Is there a more direct way to run a process in a new namespace?

This would allow me to simply call something like:

runns otherns xterm

asked Jun 2 '15 at 22:40

michas

15.4k33872

Do you have a kernel 3.8 (necessary for user namespaces)? If so you shouldn't need sudo at all. The basic tool to create a namespace is unshare.

– Gilles
Jun 2 '15 at 23:36

My kernel is 4.0.4. Namespaces are available and working. (In this case I am talking about network namespaces not user namespaces.) Both the unshare and the setns system call need the CAP_SYS_ADMIN capability, hence "normal" users are not allowed to switch namespaces.

– michas
Jun 2 '15 at 23:52

add a comment |

I would like to run a new process (for example an xterm) in another network namespace. This could be done like this:

sudo ip netns exec otherns sudo -u $USER xterm

This command looks a bit complicated and involves running a sudo which runs ip which runs sudo which runs the final xterm.

Is there a more direct way to run a process in a new namespace?

This would allow me to simply call something like:

runns otherns xterm

asked Jun 2 '15 at 22:40

michas

15.4k33872

I would like to run a new process (for example an xterm) in another network namespace. This could be done like this:

sudo ip netns exec otherns sudo -u $USER xterm

This command looks a bit complicated and involves running a sudo which runs ip which runs sudo which runs the final xterm.

Is there a more direct way to run a process in a new namespace?

This would allow me to simply call something like:

runns otherns xterm

namespace network-namespaces

asked Jun 2 '15 at 22:40

michas

15.4k33872

asked Jun 2 '15 at 22:40

michas

15.4k33872

asked Jun 2 '15 at 22:40

michas

15.4k33872

asked Jun 2 '15 at 22:40

michas

15.4k33872

asked Jun 2 '15 at 22:40

michas

15.4k33872

Do you have a kernel 3.8 (necessary for user namespaces)? If so you shouldn't need sudo at all. The basic tool to create a namespace is unshare.

– Gilles
Jun 2 '15 at 23:36

My kernel is 4.0.4. Namespaces are available and working. (In this case I am talking about network namespaces not user namespaces.) Both the unshare and the setns system call need the CAP_SYS_ADMIN capability, hence "normal" users are not allowed to switch namespaces.

– michas
Jun 2 '15 at 23:52

add a comment |

Do you have a kernel 3.8 (necessary for user namespaces)? If so you shouldn't need sudo at all. The basic tool to create a namespace is unshare.

– Gilles
Jun 2 '15 at 23:36

My kernel is 4.0.4. Namespaces are available and working. (In this case I am talking about network namespaces not user namespaces.) Both the unshare and the setns system call need the CAP_SYS_ADMIN capability, hence "normal" users are not allowed to switch namespaces.

– michas
Jun 2 '15 at 23:52

Do you have a kernel 3.8 (necessary for user namespaces)? If so you shouldn't need sudo at all. The basic tool to create a namespace is unshare.

– Gilles
Jun 2 '15 at 23:36

My kernel is 4.0.4. Namespaces are available and working. (In this case I am talking about network namespaces not user namespaces.) Both the unshare and the setns system call need the CAP_SYS_ADMIN capability, hence "normal" users are not allowed to switch namespaces.

– michas
Jun 2 '15 at 23:52

add a comment |

1 Answer
1

active

oldest

votes

Would the --setuid option of nsenter(1) come to your rescue? Such as in:

sudo nsenter --net=/run/netns/otherns --setuid 1000 --setguid 1000 xterm

answered Jul 2 '18 at 20:58

TheDiveO

273111

add a comment |

Your Answer

StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "106"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);

);

draft saved

draft discarded

StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f207182%2frunning-a-process-in-another-namespace%23new-answer', 'question_page');

);

Post as a guest

Name

Required, but never shown

1 Answer
1

active

oldest

votes

1 Answer
1

active

oldest

votes

Would the --setuid option of nsenter(1) come to your rescue? Such as in:

sudo nsenter --net=/run/netns/otherns --setuid 1000 --setguid 1000 xterm

answered Jul 2 '18 at 20:58

TheDiveO

273111

add a comment |

Would the --setuid option of nsenter(1) come to your rescue? Such as in:

sudo nsenter --net=/run/netns/otherns --setuid 1000 --setguid 1000 xterm

answered Jul 2 '18 at 20:58

TheDiveO

273111

add a comment |

Would the --setuid option of nsenter(1) come to your rescue? Such as in:

sudo nsenter --net=/run/netns/otherns --setuid 1000 --setguid 1000 xterm

answered Jul 2 '18 at 20:58

TheDiveO

273111

Would the --setuid option of nsenter(1) come to your rescue? Such as in:

sudo nsenter --net=/run/netns/otherns --setuid 1000 --setguid 1000 xterm

answered Jul 2 '18 at 20:58

TheDiveO

273111

answered Jul 2 '18 at 20:58

TheDiveO

273111

answered Jul 2 '18 at 20:58

TheDiveO

273111

answered Jul 2 '18 at 20:58

TheDiveO

273111

add a comment |

draft saved

draft discarded

Thanks for contributing an answer to Unix & Linux Stack Exchange!

Please be sure to answer the question. Provide details and share your research!

But avoid …

Asking for help, clarification, or responding to other answers.

Making statements based on opinion; back them up with references or personal experience.

To learn more, see our tips on writing great answers.

draft saved

draft discarded

Post as a guest

Name

Required, but never shown

Name

Required, but never shown

Name

Required, but never shown

搜尋此網誌

mjhjmtu