running a process in another namespace
I would like to run a new process (for example an xterm) in another network namespace. This could be done like this:
sudo ip netns exec otherns sudo -u $USER xterm
This command looks a bit complicated and involves running a sudo which runs ip which runs sudo which runs the final xterm.
Is there a more direct way to run a process in a new namespace?
I was thinking of writing my own small (SUID or capability-enabled) binary which switches namespace, restores permissions and user, and runs the command, but shouldn't there already be some standard tool doing exactly that?
This would allow me to simply call something like:
runns otherns xterm
namespace network-namespaces
Do you have a kernel 3.8 (necessary for user namespaces)? If so you shouldn't need sudo at all. The basic tool to create a namespace is unshare. – Gilles, Jun 2 '15 at 23:36
My kernel is 4.0.4. Namespaces are available and working. (In this case I am talking about network namespaces not user namespaces.) Both the unshare and the setns system call need the CAP_SYS_ADMIN capability, hence "normal" users are not allowed to switch namespaces. – michas, Jun 2 '15 at 23:52
asked Jun 2 '15 at 22:40 by michas
1 Answer
Would the --setuid option of nsenter(1) come to your rescue? Such as in:
sudo nsenter --net=/run/netns/otherns --setuid 1000 --setgid 1000 xterm
answered Jul 2 '18 at 20:58 by TheDiveO
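The helper the question describes (a hypothetical runns), written out as an added example; it is not code from the post or from any existing tool. It performs the same steps as the nsenter command in the answer, and assumes it is installed setuid-root and that the namespace was created with ip netns add, so that it is bound at /run/netns/NAME.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>
#ifndef CLONE_NEWNET
#define CLONE_NEWNET 0x40000000 /* kernel ABI value, in case <sched.h> hides it */
#endif

/* NAME must be a single path component so it cannot leave /run/netns. */
int valid_ns_name(const char *name) {
    return name && *name && strlen(name) <= 255 && !strchr(name, '/') &&
           strcmp(name, ".") != 0 && strcmp(name, "..") != 0;
}

/* Join the namespace that "ip netns add NAME" bound at /run/netns/NAME. */
int enter_netns(const char *name) {
    char path[300];
    if (!valid_ns_name(name))
        return -1;
    snprintf(path, sizeof path, "/run/netns/%s", name);
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    if (fd < 0)
        return -1;
    int rc = (int)syscall(SYS_setns, fd, CLONE_NEWNET); /* setns(2), needs CAP_SYS_ADMIN */
    close(fd);
    return rc;
}

/* Drop gid, then uid: with euid 0 each call sets real, effective and saved IDs. */
int drop_privileges(void) {
    if (setgid(getgid()) != 0 || setuid(getuid()) != 0)
        return -1;
    return (getuid() != 0 && setuid(0) == 0) ? -1 : 0; /* root must not come back */
}

int main(int argc, char **argv) {
    if (argc < 3)
        return 2; /* usage: runns NETNS COMMAND [ARG...] */
    if (enter_netns(argv[1]) != 0 || drop_privileges() != 0) {
        perror("runns");
        return 1;
    }
    execvp(argv[2], argv + 2); /* runs as the invoking user, inside the namespace */
    perror(argv[2]);
    return 127;
}
```

Installed this way, the helper lets every local user who can execute it join any namespace under /run/netns, so restrict execution to a dedicated group rather than leaving it world-executable. Unlike ip netns exec, it does not remount /sys or apply the /etc/netns/NAME overrides.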