Enum unshare::Namespace

pub enum Namespace {
    Mount,
    Uts,
    Ipc,
    User,
    Pid,
    Net,
}

Namespace name to unshare

See man 7 namespaces for more information

Variants

Mount

Unshare the mount namespace. It basically means that you can now mount and unmount folders without touching parent mount points.

But note that you also have to make all your mountpoints non-shareable or changes will be propagated to parent namespace anyway.

This is always needed if you want pivot_root (but not enforced by library)

Uts

Unshare the UTS namespace. This allows you to change hostname of the new container.

Ipc

Unshare the IPC namespace. This creates new namespace for System V IPC POSIX message queues and similar.

User

Unshare user namespace. This allows unprivileged user to be root user in new namespace and/or change mappings between real (outer) user namespace and the inner one.

This one is required if you want to unshare any other namespace without root privileges (it's not enforced by kernel not the library)

See man 7 user_namespaces for more information.

Pid

Unshare pid namespace. The child process becomes PID 1 (inside container) with the following rough list of consequences:

1. All daemon processes are reparented to the process
2. All signal dispositions are set to Ignore. E.g. process doesn't get killed by SIGINT (Ctrl+C), unless signal handler is explicitly set
3. If the process is dead, all its children are killed by SIGKILL (i.e. can't catch the death signal)

All this means that most of the time the new process having this namespace must be some kind of process supervisor.

Also take a note that /proc is not automatically changed. So you should also unshare Mount namespace and mount new /proc inside the PID namespace.

See man 7 pid_namespaces for more information

Net

Unshare network namespace

New namespace is empty and has no conectivity, even localhost network, unless some setup is done afterwards.

Note that unix sockets continue to work, but "abstract unix sockets" are isolated as a result of this option. The availability of unix sockets might also mean that libc is able to resolve DNS names by using NSCD. You may isolate unix sockets by using any kind of filesystem isolation.

Methods

impl Namespace

fn to_clone_flag(&self) -> u32

Trait Implementations

impl PartialEq for Namespace

fn eq(&self, __arg_0: &Namespace) -> bool

This method tests for self and other values to be equal, and is used by ==.

fn ne(&self, other: &Rhs) -> bool

This method tests for !=.

impl Eq for Namespace

impl Hash for Namespace

fn hash<__H: Hasher>(&self, __arg_0: &mut __H)

Feeds this value into the state given, updating the hasher as necessary.

fn hash_slice<H>(data: &[Self], state: &mut H) where H: Hasher

Feeds a slice of this type into the state provided.

impl Clone for Namespace

fn clone(&self) -> Namespace

Returns a copy of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl Copy for Namespace