Namespaced Linux processes

Run a process in a Linux namespace.

Privileges

To use this behaviour, the system process supervisor must have root privileges. These privileges are dropped before running the command.

Root privileges can be enabled by setting the setuid bit on the prx executable or by running it under a program like sudo(8).

Operations

Note

To mount a namespaced root (chroot) directory, the chroot directory structure must be created before using this behaviour.

See make_chroot_tree!/0 and make_chroot_tree!/1.

See Stdio.config/0 for configuration options.

• creates a process in a new UTS, IPC, PID, mount and by default, net namespace

• creates a new session

• sets the process priority [:priority=0]

• bind mounts as read-only /bin, /sbin, /usr, /lib and the list specified in fstab into the container mount namespace

• mounts /tmp and /home as tmpfs filesystems

• changes the mount namespace root directory to the chroot

• sets resource limits defined in the rlimit option [:rlimit=disable coredumps]

• sends the process a SIGKILL if the parent process exits

• sets additional groups as specified in the group option [:groups=remove additional groups]

• drops privileges to the value of uid and gid or a high UID system user [:uid/:gid=65536-131071]

• disables the ability of the process to escalate privileges [:setuid=false]

Warning

The generated UID/GID may overlap with existing users.

Examples

iex> Stdio.stream!("pstree", Stdio.Container) |> Enum.to_list()
[stdout: "sh---pstree\n", exit_status: 0]