Back to Commands

unshare

system administrationLinux
The unshare command is one of the most frequently used commands in Linux/Unix-like operating systems. unshare Run program in new namespaces
See ExamplesView Syntax

Quick Reference

Command Name:

unshare

Category:

system administration

Platform:

Linux

Basic Usage:

unshare [options] [arguments]

Common Use Cases

    Syntax

    unshare [options] [program [arguments]]

    Options

    Option Description
    -m, --mount[=file] Unshare the mount namespace
    -u, --uts[=file] Unshare the UTS namespace (hostname, etc.)
    -i, --ipc[=file] Unshare the IPC namespace
    -n, --net[=file] Unshare the network namespace
    -p, --pid[=file] Unshare the PID namespace
    -U, --user[=file] Unshare the user namespace
    -C, --cgroup[=file] Unshare the cgroup namespace
    -T, --time[=file] Unshare the time namespace
    --fork Fork the specified program as a child process
    --kill-child[=signame] When dying, kill the forked child (implies --fork)
    --mount-proc[=mountpoint] Mount proc filesystem first (implies --mount)
    --map-root-user Map current user to root (implies --user)
    --propagation private|shared|slave|unchanged Modify mount propagation in mount namespace
    --setgroups allow|deny Control the setgroups syscall in user namespaces
    -r, --root=dir Set the root directory
    -w, --wd=dir Set the working directory
    -S, --setuid uid Set uid in entered namespace
    -G, --setgid gid Set gid in entered namespace
    --keep-caps Retain capabilities granted in user namespaces

    Examples

    How to Use These Examples

    The examples below show common ways to use the unshare command. Try them in your terminal to see the results. You can copy any example by clicking on the code block.

    Basic Examples:

    Run a shell in a new namespace, unsharing mounts
    sudo unshare -m /bin/bash
    Create a new UTS namespace (hostname isolation)
    sudo unshare --uts /bin/bash
    Create a new PID namespace
    sudo unshare --pid --fork /bin/bash

    Advanced Examples:

    Create a full container-like environment with multiple namespaces
    sudo unshare --mount --uts --ipc --net --pid --fork --user --map-root-user bash
    Create a new network namespace and configure it
    sudo unshare --net ip link
    sudo unshare --net bash -c "ip link set lo up"
    Create a new mount namespace and mount a tmpfs
    sudo unshare -m bash -c "mount -t tmpfs none /mnt && df -h /mnt"
    Run a specific command in a new PID namespace
    sudo unshare --pid --fork bash -c "sleep 30 & ps aux"
    Create a user namespace without requiring root privileges
    unshare --user --map-root-user bash -c "id"
    Mount a proc filesystem in a new PID namespace
    sudo unshare --pid --fork --mount-proc bash
    Create a network namespace with custom hostname
    sudo unshare --uts --net bash -c "hostname container1 && hostname && ip a"
    Test filesystem isolation with a private /tmp
    sudo unshare --mount bash -c "mount -t tmpfs none /tmp && touch /tmp/test && ls -la /tmp"
    Combine with chroot for more isolation
    sudo unshare --mount --uts --ipc --net --pid --fork chroot /path/to/rootfs /bin/bash

    Try It Yourself

    Practice makes perfect! The best way to learn is by trying these examples on your own system with real files.

    Understanding Syntax

    Pay attention to the syntax coloring: commands, options, and file paths are highlighted differently.

    Notes

    The `unshare` command is a powerful Linux utility that allows users to create and manage Linux namespaces, which are a fundamental feature of Linux containerization technology. This command essentially runs a program with some namespaces "unshared" from the parent process, creating isolated environments for various system resources. Namespaces are a Linux kernel feature that partitions kernel resources such that one set of processes sees one set of resources while another set of processes sees a different set. This isolation is a key building block for containers and other forms of lightweight virtualization. **Key Namespaces Types that `unshare` can work with:** 1. **Mount Namespace (`-m, --mount`)**: Isolates the filesystem mount points seen by a group of processes. This allows processes to have their own set of mounted filesystems, independent of the host system. 2. **UTS Namespace (`-u, --uts`)**: Isolates the hostname and domain name, allowing each container to have its own hostname. 3. **IPC Namespace (`-i, --ipc`)**: Isolates Inter-Process Communication resources, like System V IPC objects and POSIX message queues. 4. **Network Namespace (`-n, --net`)**: Provides an isolated view of the network stack, including network interfaces, routing tables, and firewall rules. This enables containers to have their own network configuration. 5. **PID Namespace (`-p, --pid`)**: Isolates the process ID number space, meaning that processes in different PID namespaces can have the same PID. This is crucial for container isolation, as it allows each container to have its own init process (PID 1). 6. **User Namespace (`-U, --user`)**: Isolates user and group ID number spaces, allowing a process to have root privileges within its namespace while having no privileges on the host system. This is a key security feature for unprivileged containers. 7. **Cgroup Namespace (`-C, --cgroup`)**: Isolates the view of the cgroup hierarchy, which is used for resource control. 8. **Time Namespace (`-T, --time`)**: Isolates the system clocks, allowing different processes to see different system times. **Practical Applications:** 1. **Container Implementation**: Tools like Docker, LXC, and Podman use namespace isolation extensively. While these tools provide higher-level interfaces, understanding `unshare` helps grasp the underlying technology. 2. **Testing and Development**: Developers can use `unshare` to test applications in isolated environments without setting up full containers. 3. **System Administration**: It can be used for tasks like mounting filesystems in isolation or testing network configurations without affecting the host system. 4. **Security Research**: Security professionals can use `unshare` to analyze application behavior in controlled environments. 5. **Education**: It provides a hands-on way to learn about Linux namespaces and containerization technology. While `unshare` is extremely powerful, it requires careful use, as improper isolation can lead to unexpected behavior or security issues. In most cases, users interact with higher-level tools like Docker that manage namespaces automatically, but understanding `unshare` provides valuable insights into how these technologies work at a lower level. Most options of `unshare` require root privileges (except for user namespaces in some configurations), as they involve modifying kernel resource allocation. This command is primarily found on Linux systems, as it relies on specific Linux kernel features that may not be available on other Unix-like systems.

    Related Commands

    These commands are frequently used alongside unshare or serve similar purposes:

    nsenter
    chroot
    lsns
    ip-netns
    docker
    lxc-execute
    Explore All Commands

    Use Cases

    Learn By Doing

    The best way to learn Linux commands is by practicing. Try out these examples in your terminal to build muscle memory and understand how the unshare command works in different scenarios.

    See ExamplesTry Lab Exercises
    $ unshare
    View All Commands