vdens(1)

Debian bookworm manual page, section 1

NAME

vdens - create a user namespace connected to a vde network

SYNOPSIS

vdens [ options ] [ vde_network [ command [ args ] ] ]

vdens -m [ options ] vde_network [ vde_network ... ] [ -- command [ args ] ]

vdens --multi [ options ] vde_network [ vde_network ... ] [ -- command [ args ] ]

DESCRIPTION

vdens creates a user namespace with a private network namespace.

Vdens launches the command indicated as a parameter ($SHELL if omitted) in a private network namespace.

If the vde_network parameter is present (and it does not match one of the strings "-" or "no"), the private network namespace will have a virtual interface (vde0 by default) connected to the specified vde network.

Vdens grants the capabilities CAP_NET_BIND_SERVICE, CAP_NET_BROADCAST, CAP_NET_ADMIN and CAP_NET_RAW to the command so that it can configure the virtual interface (addresses, routes, link state). The scope of these capabilities is limited to the user namespace created by vdens: they confer no privilege over the host's own network interfaces. Once the network has been configured, the capabilities should be dropped (e.g. using cadrop(1)) in order to follow the principle of least privilege, so that a later compromise of the command cannot reconfigure the namespace's network or open raw sockets.
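The following is an added example, not part of vdens or of this manual page. It shows what a least-privilege vdens session looks like and how to verify, from inside the namespace, which of the granted capabilities the command still holds. It assumes a vde switch reachable at vde:///tmp/myswitch, the address 10.0.0.2/24 for vde0, and that cadrop(1) takes a comma-separated capability list followed by the command (that argument syntax is an assumption; check cadrop(1) on your system). The capability bit numbers are those of <linux/capability.h>.

```sh
#!/bin/sh
# Added example, not part of vdens or its man page.
# The kernel reports each capability set of a process as a 64-bit hex mask in
# /proc/<pid>/status (CapInh/CapPrm/CapEff/CapBnd/CapAmb). held_caps decodes
# such a mask for the capabilities that vdens hands out.

# The four capabilities vdens grants by default, plus the one added by -s/--sysadm.
# Bit numbers from <linux/capability.h>.
VDENS_CAPS="CAP_NET_BIND_SERVICE:10 CAP_NET_BROADCAST:11 CAP_NET_ADMIN:12 CAP_NET_RAW:13 CAP_SYS_ADMIN:21"

# held_caps HEXMASK: print, space separated, which of VDENS_CAPS are set in
# HEXMASK (e.g. the value of a CapEff line). Prints an empty line if none are.
held_caps() {
    mask=$1
    held=""
    for pair in $VDENS_CAPS; do
        name=${pair%%:*}
        bit=${pair##*:}
        if [ $(( (0x$mask >> $bit) & 1 )) -eq 1 ]; then
            held="$held $name"
        fi
    done
    printf '%s\n' "${held# }"
}

# capeff_of [PID]: the CapEff mask of a process (the caller when PID is omitted).
capeff_of() {
    awk '/^CapEff:/ { print $2 }' "/proc/${1:-self}/status"
}

# session NETWORK CIDR: run a shell in a vdens namespace connected to NETWORK.
# The command run inside the namespace configures vde0 while it still holds the
# capabilities vdens granted, prints its CapEff, then re-executes the shell with
# those capabilities dropped through cadrop(1) (cadrop syntax assumed, see above)
# and prints CapEff again. Decode either line with: held_caps <mask>
# Example: session vde:///tmp/myswitch 10.0.0.2/24
session() {
    vdens "$1" sh -c '
        ip addr add "$1" dev vde0 && ip link set vde0 up
        echo "with vdens grants: $(grep CapEff /proc/self/status)"
        exec cadrop cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw \
            sh -c "echo \"after cadrop: \$(grep CapEff /proc/self/status)\"; exec sh"
    ' sh "$2"
}
```

Inside the namespace, the first CapEff line should decode to the four network capabilities (mask bits 10 to 13, i.e. 0x3c00 when nothing else is held) and the second to none of them; if -s/--sysadm was given, bit 21 (CAP_SYS_ADMIN) also appears in the first line and should be dropped as well once the bind mounts are in place. The same session works unchanged with -m, -i or -R added before the network argument.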

OPTIONS

vdens accepts the following options.

-m

--multi

connect the network namespace to one or more vde networks. A virtual interface is created for each vde_network: vde0 is connected to the first vde_network, vde1 to the second, and so on. (A different prefix for the interface names can be used instead of "vde", see -i or --iface below.) In this mode the command and its arguments, if any, must be preceded by "--".

-i interface_prefix

--iface interface_prefix

define the prefix of the interface names. For example, use --iface eth to name the interfaces "eth0", "eth1", etc. (the default is "vde").

-R ip_addr(s)

--resolvaddr ip_addr(s)

define the address (or addresses) of the domain name servers for the namespace. Multiple IPv4 or IPv6 addresses can be separated by commas, e.g. "-R 9.9.9.9,9.9.8.8".

-r pathname

--resolvconf pathname

define the pathname of the file which will appear as /etc/resolv.conf in the user namespace. (It is ignored if used together with -R or --resolvaddr.)

-s

--sysadm

also grant CAP_SYS_ADMIN in the namespace so that it is possible to bind mount files and directories. CAP_SYS_ADMIN is the broadest capability (see capabilities(7)); even though it is confined to the user namespace, use it only when bind mounts are actually needed and drop it once they are in place.

-c

--clone

Use clone(2) to create the private network namespace. In this mode vdens needs one more thread to manage the vde communication.

-u

--unshare

Use unshare(2) to create the private network namespace. This may not work if the vde plugin in use is multithreaded (e.g. slirp), because unshare(2) refuses CLONE_NEWUSER from a multithreaded process (it fails with EINVAL). If neither -c/--clone nor -u/--unshare is set, vdens tries unshare first and falls back to clone if unshare fails. (If both are set, vdens uses clone.)

ENVIRONMENT VARIABLES

VDE_RESOLVCONF

define the default value for the --resolvconf option

VDE_RESOLVADDR

define the default value for the --resolvaddr option

NOTES

Use of user namespaces requires a kernel that is configured with the CONFIG_USER_NS option. Some distributions (e.g. Debian) additionally gate unprivileged user namespaces behind the kernel.unprivileged_userns_clone sysctl: if vdens fails to create the namespace, check it with "sysctl kernel.unprivileged_userns_clone" and enable it by writing 1 to /proc/sys/kernel/unprivileged_userns_clone. Enabling unprivileged user namespaces exposes more kernel code to every unprivileged local user, so this is a system-wide decision rather than a vdens-only one.

SEE ALSO

vde_plug(1), cadrop(1), cado(1), capabilities(7), user_namespaces(7), unshare(2), clone(2)

AUTHORS

Renzo Davoli <renzo@cs.unibo.it>, Davide Berardi <berardi.dav@gmail.com>.