container/podman
container/podman
1
0
Fork 0
mirror of https://github.com/containers/podman synced 2024-10-20 01:03:51 +00:00
Code Issues Packages Projects Releases Wiki Activity
podman/docs/source/markdown/podman-unshare.1.md
Ed Santiago c6090c290e Docs: consistency between man / --help 
New functionality in hack/man-page-checker: start cross-
referencing the man page 'Synopsis' line against the
output of 'podman foo --help'. This is part 1, flag/option
consistency. Part 2 (arg consistency) is too big and will
have to wait for later.

flag/option consistency means: if 'podman foo --help'
includes the string '[flags]' in the Usage message,
make sure the man page includes '[*options*]' in its
Synopsis line, and vice-versa. This found several
inconsistencies, which I've fixed.

While doing this I realized that Cobra automatically
includes a 'Flags:' subsection in its --help output
for all subcommands that have defined flags. This
is great - it lets us cross-check against the
usage synopsis, and make sure that '[flags]' is
present or absent as needed, without fear of
human screwups. If a flag-less subcommand ever
gets extended with flags, but the developer forgets
to add '[flags]' and remove DisableFlagsInUseLine,
we now have a test that will catch that. (This,
too, caught two instances which I fixed).

I don't actually know if the new man-page-checker
functionality will work in CI: I vaguely recall that
it might run before 'make podman' does; and also
vaguely recall that some steps were taken to remedy
that.

Signed-off-by: Ed Santiago <santiago@redhat.com>
2020-06-24 10:39:10 -06:00

1.5 KiB
Raw Blame History

% podman-unshare(1)

NAME

podman-unshare - Run a command inside of a modified user namespace

SYNOPSIS

podman unshare [--] [command]

DESCRIPTION

Launches a process (by default, $SHELL) in a new user namespace. The user namespace is configured so that the invoking user's UID and primary GID appear to be UID 0 and GID 0, respectively. Any ranges which match that user and group in /etc/subuid and /etc/subgid are also mapped in as themselves with the help of the newuidmap(1) and newgidmap(1) helpers.

podman unshare is useful for troubleshooting unprivileged operations and for manually clearing storage and other data related to images and containers.

It is also useful if you want to use the podman mount command. If an unprivileged user wants to mount and work with a container, then they need to execute podman unshare. Executing podman mount fails for unprivileged users unless the user is running inside a podman unshare session.

The unshare session defines two environment variables:

  • CONTAINERS_GRAPHROOT: the path to the persistent container's data.
  • CONTAINERS_RUNROOT: the path to the volatile container's data.

EXAMPLE

$ podman unshare id
uid=0(root) gid=0(root) groups=0(root),65534(nobody)

$ podman unshare cat /proc/self/uid_map /proc/self/gid_map
         0       1000          1
         1      10000      65536
         0       1000          1
         1      10000      65536

SEE ALSO

podman(1), podman-mount(1), namespaces(7), newuidmap(1), newgidmap(1), user_namespaces(7)