[ViewVC] Annotation of: cvs/Linux-Clone/README

NAME
    Linux::Clone - an interface to the linux clone, unshare, setns,
    pivot_root and kcmp syscalls

SYNOPSIS
     use Linux::Clone;

DESCRIPTION
    This module exposes the linux clone(2), unshare(2) and some related
    syscalls to Perl.

    $retval = unshare $flags
        The following CLONE_ flag values (without CLONE_ prefix) are
        supported for unshare, if found, in this release. See the
        documentation for unshare(2) for more info on what they do:

           Linux::Clone::FILES
           Linux::Clone::FS
           Linux::Clone::NEWNS   (in unshare, implies FS)
           Linux::Clone::VM      (in unshare, implies SIGHAND)
           Linux::Clone::THREAD  (in unshare, implies VM, SIGHAND)
           Linux::Clone::SIGHAND
           Linux::Clone::SYSVSEM
           Linux::Clone::NEWUSER (in unshare, implies CLONE_THREAD)
           Linux::Clone::NEWPID
           Linux::Clone::NEWUTS
           Linux::Clone::NEWIPC
           Linux::Clone::NEWNET
           Linux::Clone::NEWCGROUP
           Linux::Clone::NEWTIME

        Example: unshare the network namespace and prove that by calling
        ifconfig, showing only the unconfigured lo interface.

           Linux::Clone::unshare Linux::Clone::NEWNET
              and "unshare: $!";
           Linux::Clone::configure_loopback;
           system "ifconfig";

        Example: unshare the network namespace, initialise the loopback
        interface, create a veth interface pair, put one interface into the
        parent processes namespace (use ifconfig -a from another shell),
        configure the other interface with 192.168.99.2 -> 192.168.99.1 and
        start a shell.

           use Linux::Clone;

           # unshare our network namespace
           Linux::Clone::unshare Linux::Clone::NEWNET
             and "unshare: $!";

           Linux::Clone::configure_loopback;

           my $ppid = getppid;

           system "
              # create veth pair
              ip link add name veth_master type veth peer name veth_slave

              # move veth_master to our parent process' namespace
              ip link set veth_master netns $ppid

              # configure the local interface
              ip link set veth_slave up
              ip addr add 192.168.99.2/32 dev veth_slave
              ip route add 192.168.99.1/32 dev veth_slave
           ";

           print <<EOF;
           say hi to your new network namespace, use exit to return.

           try this from another shell to get networking up:

           ip link set veth_master up
           ip addr add 192.168.99.1/32 dev veth_master
           ip route add 192.168.99.2/32 dev veth_master

           EOF
           system "bash";

        Example: unshare the filesystem namespace and make a confusing bind
        mount only visible to the current process.

           use Linux::Clone;

           Linux::Clone::unshare Linux::Clone::NEWNS
              and die "unshare: $!";

           # now bind-mount /lib over /etc and ls -l /etc - looks scary
           system "mount -n --bind /lib /etc";
           system "ls -l /etc";

    $retval = Linux::Clone::clone $coderef, $stacksize, $flags[, $ptid,
    $tls, $ctid]
        Clones a new process as specified via $flags and calls $coderef
        without any arguments (a closure might help you if you need to pass
        arguments without global variables). The return value from coderef
        is returned to the system.

        The $stacksize specifies how large a stack to allocate for the
        child. If it is 0, then a default stack size (currently 4MB) will be
        allocated. There is currently no way to free this area again in the
        child.

        $ptid, if specified, will receive the thread id, $tls, if specified,
        must contain a "struct user_desc" and $ctid is currently totally
        unsupported and must not be specified.

        Since this call basically bypasses both perl and your libc (for
        example, $$ might reflect the parent *or* child pid in the child),
        you need to be very careful when using this call, which means you
        should probably have a very good understanding of perl memory
        management and how fork and clone work.

        The following flags are supported for clone, in addition to all
        flags supported by "unshare", above, and a signal number. When in
        doubt, refer to the clone(2) manual page.

           Linux::Clone::PTRACE
           Linux::Clone::VFORK
           Linux::Clone::SETTLS         (not yet implemented)
           Linux::Clone::PARENT_SETTID  (not yet implemented)
           Linux::Clone::CHILD_SETTID   (not yet implemented)
           Linux::Clone::CHILD_CLEARTID (not yet implemented)
           Linux::Clone::PIDFD          (not yet implemented)
           Linux::Clone::DETACHED
           Linux::Clone::UNTRACED
           Linux::Clone::IO
           Linux::Clone::CSIGNAL exit signal mask

        Note that for practical reasons you basically must not use
        "Linux::Clone::VM" or "Linux::Clone::VFORK", as perl is unlikely to
        cope with that.

        This is the glibc clone call, it cannot be used to emulate fork.

        Example: do a fork-like clone, sharing nothing, slightly confusing
        perl and your libc, and exit immediately.

           my $pid = Linux::Clone::clone sub { warn "in child"; 77 }, 0, POSIX::SIGCHLD;

    Linux::Clone::setns $fh_or_fd[, $nstype]
        Calls setns(2) on the file descriptor (or file handle) $fh_or_fd. If
        $nstype is missing, then 0 is used.

        The argument $nstype can be 0, "Linux::Clone::NEWIPC",
        "Linux::Clone::NEWNET", "Linux::Clone::NEWUTS",
        "Linux::Clone::NEWCGROUP", "Linux::Clone::NEWNS",
        "Linux::Clone::NEWPID" or "Linux::Clone::NEWUSER".

    Linux::Clone::pivot_root $new_root, $old_root
        Calls pivot_root(2) - refer to its manpage for details.

    Linux::Clone::kcmp $pid1, $pid2, $type[, $idx1, $idx2]
        Calls kcmp(2) - refer to its manpage for details on operations.

        The following $type constants are available if the kcmp syscall
        number was available during compilation:

        "Linux::Clone::KCMP_FILE", "Linux::Clone::KCMP_VM",
        "Linux::Clone::KCMP_FILES", "Linux::Clone::KCMP_FS",
        "Linux::Clone::KCMP_SIGHAND", "Linux::Clone::KCMP_IO",
        "Linux::Clone::KCMP_SYSVSEM" and "Linux::Clone::KCMP_EPOLL_TFD".

    Linux::Clone::configure_loopback
        Configures a working loopback interface (basically, does the
        equivalent of "ifconfig lo up" which automatically adds ipv4/ipv6
        addresses and routes), which can be useful to get a network
        namespace going.

        Dies on error and returns nothing.

    "ioctl" symbols
        The following ioctl symbols are also provided by this module (see
        ioctl_ns(8)).

           Linux::Clone::NS_GET_USERNS
           Linux::Clone::NS_GET_PARENT
           Linux::Clone::NS_GET_NSTYPE
           Linux::Clone::NS_OWNER_UID

SEE ALSO
    IO::AIO has some related functions, such as "pidfd_send_signal", and
    some unrelated functions that might be useful.

    namspaces(7), cgroup_namespaces(7), pid_namespaces(7),
    user_namespaces(7), time_namespaces(7), ip-netns(8), switch_root(8),
    ioctl_ns(2), lsns(8)Q

AUTHOR
     Marc Lehmann <schmorp@schmorp.de>
     http://home.schmorp.de/

Revision:	1.4
Committed:	Tue Sep 6 10:57:02 2022 UTC (20 months, 2 weeks ago) by root
Branch:	MAIN
CVS Tags:	rel-1_3, HEAD
Changes since 1.3:	+39 -12 lines
Log Message:	1.3
#	User	Rev	Content
1	root	1.1	NAME
2	root	1.3	Linux::Clone - an interface to the linux clone, unshare, setns,
3			pivot_root and kcmp syscalls
4	root	1.1
5			SYNOPSIS
6			use Linux::Clone;
7
8			DESCRIPTION
9	root	1.4	This module exposes the linux clone(2), unshare(2) and some related
10			syscalls to Perl.
11	root	1.1
12			$retval = unshare $flags
13			The following CLONE_ flag values (without CLONE_ prefix) are
14			supported for unshare, if found, in this release. See the
15			documentation for unshare(2) for more info on what they do:
16
17			Linux::Clone::FILES
18			Linux::Clone::FS
19			Linux::Clone::NEWNS (in unshare, implies FS)
20			Linux::Clone::VM (in unshare, implies SIGHAND)
21			Linux::Clone::THREAD (in unshare, implies VM, SIGHAND)
22			Linux::Clone::SIGHAND
23			Linux::Clone::SYSVSEM
24	root	1.2	Linux::Clone::NEWUSER (in unshare, implies CLONE_THREAD)
25			Linux::Clone::NEWPID
26	root	1.1	Linux::Clone::NEWUTS
27			Linux::Clone::NEWIPC
28			Linux::Clone::NEWNET
29	root	1.2	Linux::Clone::NEWCGROUP
30	root	1.4	Linux::Clone::NEWTIME
31	root	1.1
32			Example: unshare the network namespace and prove that by calling
33	root	1.4	ifconfig, showing only the unconfigured lo interface.
34	root	1.1
35			Linux::Clone::unshare Linux::Clone::NEWNET
36			and "unshare: $!";
37	root	1.4	Linux::Clone::configure_loopback;
38			system "ifconfig";
39	root	1.1
40			Example: unshare the network namespace, initialise the loopback
41			interface, create a veth interface pair, put one interface into the
42			parent processes namespace (use ifconfig -a from another shell),
43			configure the other interface with 192.168.99.2 -> 192.168.99.1 and
44			start a shell.
45
46			use Linux::Clone;
47
48			# unshare our network namespace
49			Linux::Clone::unshare Linux::Clone::NEWNET
50			and "unshare: $!";
51
52	root	1.4	Linux::Clone::configure_loopback;
53
54	root	1.1	my $ppid = getppid;
55
56			system "
57			# create veth pair
58			ip link add name veth_master type veth peer name veth_slave
59
60			# move veth_master to our parent process' namespace
61			ip link set veth_master netns $ppid
62
63			# configure the local interface
64			ip link set veth_slave up
65			ip addr add 192.168.99.2/32 dev veth_slave
66			ip route add 192.168.99.1/32 dev veth_slave
67			";
68
69			print <<EOF;
70			say hi to your new network namespace, use exit to return.
71
72			try this from another shell to get networking up:
73
74			ip link set veth_master up
75			ip addr add 192.168.99.1/32 dev veth_master
76			ip route add 192.168.99.2/32 dev veth_master
77
78			EOF
79			system "bash";
80
81			Example: unshare the filesystem namespace and make a confusing bind
82			mount only visible to the current process.
83
84			use Linux::Clone;
85
86			Linux::Clone::unshare Linux::Clone::NEWNS
87			and die "unshare: $!";
88
89	root	1.4	# now bind-mount /lib over /etc and ls -l /etc - looks scary
90	root	1.1	system "mount -n --bind /lib /etc";
91			system "ls -l /etc";
92
93			$retval = Linux::Clone::clone $coderef, $stacksize, $flags[, $ptid,
94			$tls, $ctid]
95			Clones a new process as specified via $flags and calls $coderef
96			without any arguments (a closure might help you if you need to pass
97			arguments without global variables). The return value from coderef
98			is returned to the system.
99
100			The $stacksize specifies how large a stack to allocate for the
101			child. If it is 0, then a default stack size (currently 4MB) will be
102			allocated. There is currently no way to free this area again in the
103			child.
104
105			$ptid, if specified, will receive the thread id, $tls, if specified,
106			must contain a "struct user_desc" and $ctid is currently totally
107			unsupported and must not be specified.
108
109			Since this call basically bypasses both perl and your libc (for
110			example, $$ might reflect the parent or child pid in the child),
111			you need to be very careful when using this call, which means you
112			should probably have a very good understanding of perl memory
113			management and how fork and clone work.
114
115			The following flags are supported for clone, in addition to all
116			flags supported by "unshare", above, and a signal number. When in
117			doubt, refer to the clone(2) manual page.
118
119			Linux::Clone::PTRACE
120			Linux::Clone::VFORK
121			Linux::Clone::SETTLS (not yet implemented)
122			Linux::Clone::PARENT_SETTID (not yet implemented)
123			Linux::Clone::CHILD_SETTID (not yet implemented)
124			Linux::Clone::CHILD_CLEARTID (not yet implemented)
125	root	1.4	Linux::Clone::PIDFD (not yet implemented)
126	root	1.1	Linux::Clone::DETACHED
127			Linux::Clone::UNTRACED
128			Linux::Clone::IO
129	root	1.4	Linux::Clone::CSIGNAL exit signal mask
130	root	1.1
131			Note that for practical reasons you basically must not use
132			"Linux::Clone::VM" or "Linux::Clone::VFORK", as perl is unlikely to
133			cope with that.
134
135			This is the glibc clone call, it cannot be used to emulate fork.
136
137			Example: do a fork-like clone, sharing nothing, slightly confusing
138			perl and your libc, and exit immediately.
139
140			my $pid = Linux::Clone::clone sub { warn "in child"; 77 }, 0, POSIX::SIGCHLD;
141
142	root	1.2	Linux::Clone::setns $fh_or_fd[, $nstype]
143			Calls setns(2) on the file descriptor (or file handle) $fh_or_fd. If
144			$nstype is missing, then 0 is used.
145
146	root	1.3	The argument $nstype can be 0, "Linux::Clone::NEWIPC",
147	root	1.4	"Linux::Clone::NEWNET", "Linux::Clone::NEWUTS",
148	root	1.3	"Linux::Clone::NEWCGROUP", "Linux::Clone::NEWNS",
149			"Linux::Clone::NEWPID" or "Linux::Clone::NEWUSER".
150
151			Linux::Clone::pivot_root $new_root, $old_root
152			Calls pivot_root(2) - refer to its manpage for details.
153
154			Linux::Clone::kcmp $pid1, $pid2, $type[, $idx1, $idx2]
155			Calls kcmp(2) - refer to its manpage for details on operations.
156
157			The following $type constants are available if the kcmp syscall
158			number was available during compilation:
159
160			"Linux::Clone::KCMP_FILE", "Linux::Clone::KCMP_VM",
161			"Linux::Clone::KCMP_FILES", "Linux::Clone::KCMP_FS",
162	root	1.4	"Linux::Clone::KCMP_SIGHAND", "Linux::Clone::KCMP_IO",
163			"Linux::Clone::KCMP_SYSVSEM" and "Linux::Clone::KCMP_EPOLL_TFD".
164
165			Linux::Clone::configure_loopback
166			Configures a working loopback interface (basically, does the
167			equivalent of "ifconfig lo up" which automatically adds ipv4/ipv6
168			addresses and routes), which can be useful to get a network
169			namespace going.
170
171			Dies on error and returns nothing.
172
173			"ioctl" symbols
174			The following ioctl symbols are also provided by this module (see
175			ioctl_ns(8)).
176
177			Linux::Clone::NS_GET_USERNS
178			Linux::Clone::NS_GET_PARENT
179			Linux::Clone::NS_GET_NSTYPE
180			Linux::Clone::NS_OWNER_UID
181
182			SEE ALSO
183			IO::AIO has some related functions, such as "pidfd_send_signal", and
184			some unrelated functions that might be useful.
185
186			namspaces(7), cgroup_namespaces(7), pid_namespaces(7),
187			user_namespaces(7), time_namespaces(7), ip-netns(8), switch_root(8),
188			ioctl_ns(2), lsns(8)Q
189	root	1.2
190	root	1.1	AUTHOR
191			Marc Lehmann <schmorp@schmorp.de>
192			http://home.schmorp.de/
193