1 |
NAME |
2 |
Linux::Clone - an interface to the linux clone, unshare, setns, |
3 |
pivot_root and kcmp syscalls |
4 |
|
5 |
SYNOPSIS |
6 |
use Linux::Clone; |
7 |
|
8 |
DESCRIPTION |
9 |
This module exposes the linux clone(2), unshare(2) and some related |
10 |
syscalls to Perl. |
11 |
|
12 |
$retval = unshare $flags |
13 |
The following CLONE_ flag values (without CLONE_ prefix) are |
14 |
supported for unshare, if found, in this release. See the |
15 |
documentation for unshare(2) for more info on what they do: |
16 |
|
17 |
Linux::Clone::FILES |
18 |
Linux::Clone::FS |
19 |
Linux::Clone::NEWNS (in unshare, implies FS) |
20 |
Linux::Clone::VM (in unshare, implies SIGHAND) |
21 |
Linux::Clone::THREAD (in unshare, implies VM, SIGHAND) |
22 |
Linux::Clone::SIGHAND |
23 |
Linux::Clone::SYSVSEM |
24 |
Linux::Clone::NEWUSER (in unshare, implies CLONE_THREAD) |
25 |
Linux::Clone::NEWPID |
26 |
Linux::Clone::NEWUTS |
27 |
Linux::Clone::NEWIPC |
28 |
Linux::Clone::NEWNET |
29 |
Linux::Clone::NEWCGROUP |
30 |
Linux::Clone::NEWTIME |
31 |
|
32 |
Example: unshare the network namespace and prove that by calling |
33 |
ifconfig, showing only the unconfigured lo interface. |
34 |
|
35 |
Linux::Clone::unshare Linux::Clone::NEWNET |
36 |
and "unshare: $!"; |
37 |
Linux::Clone::configure_loopback; |
38 |
system "ifconfig"; |
39 |
|
40 |
Example: unshare the network namespace, initialise the loopback |
41 |
interface, create a veth interface pair, put one interface into the |
42 |
parent processes namespace (use ifconfig -a from another shell), |
43 |
configure the other interface with 192.168.99.2 -> 192.168.99.1 and |
44 |
start a shell. |
45 |
|
46 |
use Linux::Clone; |
47 |
|
48 |
# unshare our network namespace |
49 |
Linux::Clone::unshare Linux::Clone::NEWNET |
50 |
and "unshare: $!"; |
51 |
|
52 |
Linux::Clone::configure_loopback; |
53 |
|
54 |
my $ppid = getppid; |
55 |
|
56 |
system " |
57 |
# create veth pair |
58 |
ip link add name veth_master type veth peer name veth_slave |
59 |
|
60 |
# move veth_master to our parent process' namespace |
61 |
ip link set veth_master netns $ppid |
62 |
|
63 |
# configure the local interface |
64 |
ip link set veth_slave up |
65 |
ip addr add 192.168.99.2/32 dev veth_slave |
66 |
ip route add 192.168.99.1/32 dev veth_slave |
67 |
"; |
68 |
|
69 |
print <<EOF; |
70 |
say hi to your new network namespace, use exit to return. |
71 |
|
72 |
try this from another shell to get networking up: |
73 |
|
74 |
ip link set veth_master up |
75 |
ip addr add 192.168.99.1/32 dev veth_master |
76 |
ip route add 192.168.99.2/32 dev veth_master |
77 |
|
78 |
EOF |
79 |
system "bash"; |
80 |
|
81 |
Example: unshare the filesystem namespace and make a confusing bind |
82 |
mount only visible to the current process. |
83 |
|
84 |
use Linux::Clone; |
85 |
|
86 |
Linux::Clone::unshare Linux::Clone::NEWNS |
87 |
and die "unshare: $!"; |
88 |
|
89 |
# now bind-mount /lib over /etc and ls -l /etc - looks scary |
90 |
system "mount -n --bind /lib /etc"; |
91 |
system "ls -l /etc"; |
92 |
|
93 |
$retval = Linux::Clone::clone $coderef, $stacksize, $flags[, $ptid, |
94 |
$tls, $ctid] |
95 |
Clones a new process as specified via $flags and calls $coderef |
96 |
without any arguments (a closure might help you if you need to pass |
97 |
arguments without global variables). The return value from coderef |
98 |
is returned to the system. |
99 |
|
100 |
The $stacksize specifies how large a stack to allocate for the |
101 |
child. If it is 0, then a default stack size (currently 4MB) will be |
102 |
allocated. There is currently no way to free this area again in the |
103 |
child. |
104 |
|
105 |
$ptid, if specified, will receive the thread id, $tls, if specified, |
106 |
must contain a "struct user_desc" and $ctid is currently totally |
107 |
unsupported and must not be specified. |
108 |
|
109 |
Since this call basically bypasses both perl and your libc (for |
110 |
example, $$ might reflect the parent *or* child pid in the child), |
111 |
you need to be very careful when using this call, which means you |
112 |
should probably have a very good understanding of perl memory |
113 |
management and how fork and clone work. |
114 |
|
115 |
The following flags are supported for clone, in addition to all |
116 |
flags supported by "unshare", above, and a signal number. When in |
117 |
doubt, refer to the clone(2) manual page. |
118 |
|
119 |
Linux::Clone::PTRACE |
120 |
Linux::Clone::VFORK |
121 |
Linux::Clone::SETTLS (not yet implemented) |
122 |
Linux::Clone::PARENT_SETTID (not yet implemented) |
123 |
Linux::Clone::CHILD_SETTID (not yet implemented) |
124 |
Linux::Clone::CHILD_CLEARTID (not yet implemented) |
125 |
Linux::Clone::PIDFD (not yet implemented) |
126 |
Linux::Clone::DETACHED |
127 |
Linux::Clone::UNTRACED |
128 |
Linux::Clone::IO |
129 |
Linux::Clone::CSIGNAL exit signal mask |
130 |
|
131 |
Note that for practical reasons you basically must not use |
132 |
"Linux::Clone::VM" or "Linux::Clone::VFORK", as perl is unlikely to |
133 |
cope with that. |
134 |
|
135 |
This is the glibc clone call, it cannot be used to emulate fork. |
136 |
|
137 |
Example: do a fork-like clone, sharing nothing, slightly confusing |
138 |
perl and your libc, and exit immediately. |
139 |
|
140 |
my $pid = Linux::Clone::clone sub { warn "in child"; 77 }, 0, POSIX::SIGCHLD; |
141 |
|
142 |
Linux::Clone::setns $fh_or_fd[, $nstype] |
143 |
Calls setns(2) on the file descriptor (or file handle) $fh_or_fd. If |
144 |
$nstype is missing, then 0 is used. |
145 |
|
146 |
The argument $nstype can be 0, "Linux::Clone::NEWIPC", |
147 |
"Linux::Clone::NEWNET", "Linux::Clone::NEWUTS", |
148 |
"Linux::Clone::NEWCGROUP", "Linux::Clone::NEWNS", |
149 |
"Linux::Clone::NEWPID" or "Linux::Clone::NEWUSER". |
150 |
|
151 |
Linux::Clone::pivot_root $new_root, $old_root |
152 |
Calls pivot_root(2) - refer to its manpage for details. |
153 |
|
154 |
Linux::Clone::kcmp $pid1, $pid2, $type[, $idx1, $idx2] |
155 |
Calls kcmp(2) - refer to its manpage for details on operations. |
156 |
|
157 |
The following $type constants are available if the kcmp syscall |
158 |
number was available during compilation: |
159 |
|
160 |
"Linux::Clone::KCMP_FILE", "Linux::Clone::KCMP_VM", |
161 |
"Linux::Clone::KCMP_FILES", "Linux::Clone::KCMP_FS", |
162 |
"Linux::Clone::KCMP_SIGHAND", "Linux::Clone::KCMP_IO", |
163 |
"Linux::Clone::KCMP_SYSVSEM" and "Linux::Clone::KCMP_EPOLL_TFD". |
164 |
|
165 |
Linux::Clone::configure_loopback |
166 |
Configures a working loopback interface (basically, does the |
167 |
equivalent of "ifconfig lo up" which automatically adds ipv4/ipv6 |
168 |
addresses and routes), which can be useful to get a network |
169 |
namespace going. |
170 |
|
171 |
Dies on error and returns nothing. |
172 |
|
173 |
"ioctl" symbols |
174 |
The following ioctl symbols are also provided by this module (see |
175 |
ioctl_ns(8)). |
176 |
|
177 |
Linux::Clone::NS_GET_USERNS |
178 |
Linux::Clone::NS_GET_PARENT |
179 |
Linux::Clone::NS_GET_NSTYPE |
180 |
Linux::Clone::NS_OWNER_UID |
181 |
|
182 |
SEE ALSO |
183 |
IO::AIO has some related functions, such as "pidfd_send_signal", and |
184 |
some unrelated functions that might be useful. |
185 |
|
186 |
namspaces(7), cgroup_namespaces(7), pid_namespaces(7), |
187 |
user_namespaces(7), time_namespaces(7), ip-netns(8), switch_root(8), |
188 |
ioctl_ns(2), lsns(8)Q |
189 |
|
190 |
AUTHOR |
191 |
Marc Lehmann <schmorp@schmorp.de> |
192 |
http://home.schmorp.de/ |
193 |
|