buildah/docs/buildah-unshare.md

# buildah-unshare "1" "June 2018" "buildah"

## NAME
buildah\-unshare - Run a command inside of a modified user namespace.

## SYNOPSIS
**buildah unshare** [*options*] [**--**] [*command*]

## DESCRIPTION
Launches a process (by default, *$SHELL*) in a new user namespace.  The user
namespace is configured so that the invoking user's UID and primary GID appear
to be UID 0 and GID 0, respectively.  Any ranges which match that user and
group in /etc/subuid and /etc/subgid are also mapped in as themselves with the
help of the *newuidmap(1)* and *newgidmap(1)* helpers.

buildah unshare is useful for troubleshooting unprivileged operations and for
manually clearing storage and other data related to images and containers.

It is also useful if you want to use the `buildah mount` command.  If an unprivileged users wants to mount and work with a container, then they need to execute
buildah unshare.  Executing `buildah mount` fails for unprivileged users unless the user is running inside a `buildah unshare` session.

## OPTIONS
**--mount** [*VARIABLE=]containerNameOrID*

Mount the *containerNameOrID* container while running *command*, and set the
environment variable *VARIABLE* to the path of the mountpoint.  If *VARIABLE*
is not specified, it defaults to *containerNameOrID*, which may not be a valid
name for an environment variable.

## EXAMPLE

buildah unshare id

buildah unshare pwd

buildah unshare cat /proc/self/uid\_map /proc/self/gid\_map

buildah unshare rm -fr $HOME/.local/share/containers/storage /run/user/\`id -u\`/run

buildah unshare --mount containerID sh -c 'cat ${containerID}/etc/os-release'

If you want to use buildah with a mount command then you can create a script that looks something like:

```
cat buildah-script.sh << _EOF
#!/bin/sh
ctr=$(buildah from scratch)
mnt=$(buildah mount $ctr)
dnf -y install --installroot=$mnt PACKAGES
dnf -y clean all --installroot=$mnt
buildah config --entrypoint="/bin/PACKAGE" --env "FOO=BAR" $ctr
buildah commit $ctr imagename
buildah unmount $ctr
_EOF
```
Then execute it with:
```
buildah unshare buildah-script.sh
```

## SEE ALSO
buildah(1), buildah-mount(1), namespaces(7), newuidmap(1), newgidmap(1), user\_namespaces(7)
Help document using buildah mount in rootless mode Update man page to show example of using buildah mount in rootless mode. Also enhance buildah mount --help to explain the buildah unshare requirement. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Closes: #1341 Approved by: TomSweeneyRedHat 2019-02-15 04:59:42 +08:00			`# buildah-unshare "1" "June 2018" "buildah"`
main: if unprivileged, reexec in a user namespace If our CLI is invoked as an unprivileged user (uid != 0), * create a namespace using our own UID and GID as "0" followed by the ranges matching our name and our primary group's name that we find in /etc/subuid and /etc/subgid (the latter by way of using newuidmap and newgidmap) * re-exec ourselves inside of that user namespace, prepending global CLI arguments that: * override the driver from storage.conf with "vfs" * override the storage root from storage.conf with a "containers/storage" subdirectory of $XDG_DATA_HOME, or $HOME/.local/share. * override the storage runroot from storage.conf with either "$XDG_RUNTIME_DIR/run" or "/var/run/user/$uid/run" * set default ID mapping settings to map all of the ranges matching our name and our primary group's name that we found in /etc/subuid and /etc/subgid * can still be overridden using the command line Add a "buildah unshare" CLI that will start an arbitrary command in the first namespace, so that manual cleanup of locations used by the second namespace will be possible. Signed-off-by: Nalin Dahyabhai <nalin@redhat.com> Closes: #823 Approved by: rhatdan 2018-06-15 03:42:33 +08:00
			`## NAME`
			`buildah\-unshare - Run a command inside of a modified user namespace.`

			`## SYNOPSIS`
docs: Follow man-pages(7) suggestions for SYNOPSIS man-pages(7) has [1]: > For commands, this shows the syntax of the command and its arguments > (including options); boldface is used for as-is text and italics are > used to indicate replaceable arguments. Brackets ([]) surround > optional arguments, vertical bars (\|) separate choices, and ellipses > (...) can be repeated. I've adjusted our SYNOPSIS entries to match that formatting, and generally tried to make them more consistent with the precedent set by the man-pages project. Outside of the SYNOPSIS entry, I prefer using backticks for literals, although in some places I've left the ** bolding to keep things visually similar to a nearby SYNOPSIS entry. I've also simplified a few placeholders, e.g. "containerID" -> "container", because I didn't think the additional bit was providing much additional context. If there is ambiguity about the representation, it should be addressed in the DESCRIPTION instead of with an "ID" or "Name" suffix. [1]: http://man7.org/linux/man-pages/man7/man-pages.7.html Signed-off-by: W. Trevor King <wking@tremily.us> Closes: #839 Approved by: rhatdan 2018-06-30 03:39:36 +08:00			`buildah unshare [options] [--] [command]`
main: if unprivileged, reexec in a user namespace If our CLI is invoked as an unprivileged user (uid != 0), * create a namespace using our own UID and GID as "0" followed by the ranges matching our name and our primary group's name that we find in /etc/subuid and /etc/subgid (the latter by way of using newuidmap and newgidmap) * re-exec ourselves inside of that user namespace, prepending global CLI arguments that: * override the driver from storage.conf with "vfs" * override the storage root from storage.conf with a "containers/storage" subdirectory of $XDG_DATA_HOME, or $HOME/.local/share. * override the storage runroot from storage.conf with either "$XDG_RUNTIME_DIR/run" or "/var/run/user/$uid/run" * set default ID mapping settings to map all of the ranges matching our name and our primary group's name that we found in /etc/subuid and /etc/subgid * can still be overridden using the command line Add a "buildah unshare" CLI that will start an arbitrary command in the first namespace, so that manual cleanup of locations used by the second namespace will be possible. Signed-off-by: Nalin Dahyabhai <nalin@redhat.com> Closes: #823 Approved by: rhatdan 2018-06-15 03:42:33 +08:00
			`## DESCRIPTION`
			`Launches a process (by default, $SHELL) in a new user namespace. The user`
			`namespace is configured so that the invoking user's UID and primary GID appear`
			`to be UID 0 and GID 0, respectively. Any ranges which match that user and`
			`group in /etc/subuid and /etc/subgid are also mapped in as themselves with the`
			`help of the newuidmap(1) and newgidmap(1) helpers.`

fix unshare option handling and documentation buildah unshare ls -l was blowing up. This is fixed by this PR. Also added more documentation on use cases of `buildah unshare` Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Closes: #1375 Approved by: TomSweeneyRedHat 2019-02-27 23:29:09 +08:00			`buildah unshare is useful for troubleshooting unprivileged operations and for`
main: if unprivileged, reexec in a user namespace If our CLI is invoked as an unprivileged user (uid != 0), * create a namespace using our own UID and GID as "0" followed by the ranges matching our name and our primary group's name that we find in /etc/subuid and /etc/subgid (the latter by way of using newuidmap and newgidmap) * re-exec ourselves inside of that user namespace, prepending global CLI arguments that: * override the driver from storage.conf with "vfs" * override the storage root from storage.conf with a "containers/storage" subdirectory of $XDG_DATA_HOME, or $HOME/.local/share. * override the storage runroot from storage.conf with either "$XDG_RUNTIME_DIR/run" or "/var/run/user/$uid/run" * set default ID mapping settings to map all of the ranges matching our name and our primary group's name that we found in /etc/subuid and /etc/subgid * can still be overridden using the command line Add a "buildah unshare" CLI that will start an arbitrary command in the first namespace, so that manual cleanup of locations used by the second namespace will be possible. Signed-off-by: Nalin Dahyabhai <nalin@redhat.com> Closes: #823 Approved by: rhatdan 2018-06-15 03:42:33 +08:00			`manually clearing storage and other data related to images and containers.`

fix unshare option handling and documentation buildah unshare ls -l was blowing up. This is fixed by this PR. Also added more documentation on use cases of `buildah unshare` Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Closes: #1375 Approved by: TomSweeneyRedHat 2019-02-27 23:29:09 +08:00			It is also useful if you want to use the `buildah mount` command. If an unprivileged users wants to mount and work with a container, then they need to execute
			buildah unshare. Executing `buildah mount` fails for unprivileged users unless the user is running inside a `buildah unshare` session.

unshare: add a --mount flag Add a --mount flag to `buildah unshare`, so that the command it runs can have a container's root filesystem mounted, and the location where it's mounted provided in its environment. This is primarily aimed at cases where `buildah unshare` is used to run one-liner commands, as proper scripts can simply call `buildah mount` themselves. Users still have to be careful about quoting references to the environment if the command needs to be executed by a shell (for example, if it's run as `buildah unshare --mount foo sh -c 'ls $foo'`), so that the shell that's invoking `buildah unshare` doesn't try to expand the variable's value first. Signed-off-by: Nalin Dahyabhai <nalin@redhat.com> 2019-07-16 06:01:51 +08:00			`## OPTIONS`
			`--mount [VARIABLE=]containerNameOrID`

			`Mount the containerNameOrID container while running command, and set the`
			`environment variable VARIABLE to the path of the mountpoint. If VARIABLE`
			`is not specified, it defaults to containerNameOrID, which may not be a valid`
			`name for an environment variable.`

main: if unprivileged, reexec in a user namespace If our CLI is invoked as an unprivileged user (uid != 0), * create a namespace using our own UID and GID as "0" followed by the ranges matching our name and our primary group's name that we find in /etc/subuid and /etc/subgid (the latter by way of using newuidmap and newgidmap) * re-exec ourselves inside of that user namespace, prepending global CLI arguments that: * override the driver from storage.conf with "vfs" * override the storage root from storage.conf with a "containers/storage" subdirectory of $XDG_DATA_HOME, or $HOME/.local/share. * override the storage runroot from storage.conf with either "$XDG_RUNTIME_DIR/run" or "/var/run/user/$uid/run" * set default ID mapping settings to map all of the ranges matching our name and our primary group's name that we found in /etc/subuid and /etc/subgid * can still be overridden using the command line Add a "buildah unshare" CLI that will start an arbitrary command in the first namespace, so that manual cleanup of locations used by the second namespace will be possible. Signed-off-by: Nalin Dahyabhai <nalin@redhat.com> Closes: #823 Approved by: rhatdan 2018-06-15 03:42:33 +08:00			`## EXAMPLE`

			`buildah unshare id`

			`buildah unshare pwd`

fix unshare option handling and documentation buildah unshare ls -l was blowing up. This is fixed by this PR. Also added more documentation on use cases of `buildah unshare` Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Closes: #1375 Approved by: TomSweeneyRedHat 2019-02-27 23:29:09 +08:00			`buildah unshare cat /proc/self/uid\_map /proc/self/gid\_map`
main: if unprivileged, reexec in a user namespace If our CLI is invoked as an unprivileged user (uid != 0), * create a namespace using our own UID and GID as "0" followed by the ranges matching our name and our primary group's name that we find in /etc/subuid and /etc/subgid (the latter by way of using newuidmap and newgidmap) * re-exec ourselves inside of that user namespace, prepending global CLI arguments that: * override the driver from storage.conf with "vfs" * override the storage root from storage.conf with a "containers/storage" subdirectory of $XDG_DATA_HOME, or $HOME/.local/share. * override the storage runroot from storage.conf with either "$XDG_RUNTIME_DIR/run" or "/var/run/user/$uid/run" * set default ID mapping settings to map all of the ranges matching our name and our primary group's name that we found in /etc/subuid and /etc/subgid * can still be overridden using the command line Add a "buildah unshare" CLI that will start an arbitrary command in the first namespace, so that manual cleanup of locations used by the second namespace will be possible. Signed-off-by: Nalin Dahyabhai <nalin@redhat.com> Closes: #823 Approved by: rhatdan 2018-06-15 03:42:33 +08:00
Switch references of /var/run -> /run Systemd is now complaining or mentioning /var/run as a legacy directory. It has been many years where /var/run is a symlink to /run on all most distributions, make the change to the default. Partial fix for https://github.com/containers/podman/issues/8369 Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> 2020-12-18 19:37:59 +08:00			buildah unshare rm -fr $HOME/.local/share/containers/storage /run/user/\`id -u\`/run
main: if unprivileged, reexec in a user namespace If our CLI is invoked as an unprivileged user (uid != 0), * create a namespace using our own UID and GID as "0" followed by the ranges matching our name and our primary group's name that we find in /etc/subuid and /etc/subgid (the latter by way of using newuidmap and newgidmap) * re-exec ourselves inside of that user namespace, prepending global CLI arguments that: * override the driver from storage.conf with "vfs" * override the storage root from storage.conf with a "containers/storage" subdirectory of $XDG_DATA_HOME, or $HOME/.local/share. * override the storage runroot from storage.conf with either "$XDG_RUNTIME_DIR/run" or "/var/run/user/$uid/run" * set default ID mapping settings to map all of the ranges matching our name and our primary group's name that we found in /etc/subuid and /etc/subgid * can still be overridden using the command line Add a "buildah unshare" CLI that will start an arbitrary command in the first namespace, so that manual cleanup of locations used by the second namespace will be possible. Signed-off-by: Nalin Dahyabhai <nalin@redhat.com> Closes: #823 Approved by: rhatdan 2018-06-15 03:42:33 +08:00
unshare: add a --mount flag Add a --mount flag to `buildah unshare`, so that the command it runs can have a container's root filesystem mounted, and the location where it's mounted provided in its environment. This is primarily aimed at cases where `buildah unshare` is used to run one-liner commands, as proper scripts can simply call `buildah mount` themselves. Users still have to be careful about quoting references to the environment if the command needs to be executed by a shell (for example, if it's run as `buildah unshare --mount foo sh -c 'ls $foo'`), so that the shell that's invoking `buildah unshare` doesn't try to expand the variable's value first. Signed-off-by: Nalin Dahyabhai <nalin@redhat.com> 2019-07-16 06:01:51 +08:00			`buildah unshare --mount containerID sh -c 'cat ${containerID}/etc/os-release'`

fix unshare option handling and documentation buildah unshare ls -l was blowing up. This is fixed by this PR. Also added more documentation on use cases of `buildah unshare` Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Closes: #1375 Approved by: TomSweeneyRedHat 2019-02-27 23:29:09 +08:00			`If you want to use buildah with a mount command then you can create a script that looks something like:`

			```
			`cat buildah-script.sh << _EOF`
Update unshare man page to fix script example The example showing how to use unshare to mount a volume was no longer working. Updated to make it work. Fixes: #2218 Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com> 2020-03-14 05:41:38 +08:00			`#!/bin/sh`
fix unshare option handling and documentation buildah unshare ls -l was blowing up. This is fixed by this PR. Also added more documentation on use cases of `buildah unshare` Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Closes: #1375 Approved by: TomSweeneyRedHat 2019-02-27 23:29:09 +08:00			`ctr=$(buildah from scratch)`
			`mnt=$(buildah mount $ctr)`
			`dnf -y install --installroot=$mnt PACKAGES`
			`dnf -y clean all --installroot=$mnt`
			`buildah config --entrypoint="/bin/PACKAGE" --env "FOO=BAR" $ctr`
Update unshare man page to fix script example The example showing how to use unshare to mount a volume was no longer working. Updated to make it work. Fixes: #2218 Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com> 2020-03-14 05:41:38 +08:00			`buildah commit $ctr imagename`
fix unshare option handling and documentation buildah unshare ls -l was blowing up. This is fixed by this PR. Also added more documentation on use cases of `buildah unshare` Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Closes: #1375 Approved by: TomSweeneyRedHat 2019-02-27 23:29:09 +08:00			`buildah unmount $ctr`
			`_EOF`
			```
			`Then execute it with:`
			```
			`buildah unshare buildah-script.sh`
			```

main: if unprivileged, reexec in a user namespace If our CLI is invoked as an unprivileged user (uid != 0), * create a namespace using our own UID and GID as "0" followed by the ranges matching our name and our primary group's name that we find in /etc/subuid and /etc/subgid (the latter by way of using newuidmap and newgidmap) * re-exec ourselves inside of that user namespace, prepending global CLI arguments that: * override the driver from storage.conf with "vfs" * override the storage root from storage.conf with a "containers/storage" subdirectory of $XDG_DATA_HOME, or $HOME/.local/share. * override the storage runroot from storage.conf with either "$XDG_RUNTIME_DIR/run" or "/var/run/user/$uid/run" * set default ID mapping settings to map all of the ranges matching our name and our primary group's name that we found in /etc/subuid and /etc/subgid * can still be overridden using the command line Add a "buildah unshare" CLI that will start an arbitrary command in the first namespace, so that manual cleanup of locations used by the second namespace will be possible. Signed-off-by: Nalin Dahyabhai <nalin@redhat.com> Closes: #823 Approved by: rhatdan 2018-06-15 03:42:33 +08:00			`## SEE ALSO`
fix unshare option handling and documentation buildah unshare ls -l was blowing up. This is fixed by this PR. Also added more documentation on use cases of `buildah unshare` Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Closes: #1375 Approved by: TomSweeneyRedHat 2019-02-27 23:29:09 +08:00			`buildah(1), buildah-mount(1), namespaces(7), newuidmap(1), newgidmap(1), user\_namespaces(7)`