Sys::Linux::Namespace - A Module for setting up linux namespaces
    use Sys::Linux::Namespace;

    # Create a namespace with a private /tmp
    my $ns1 = Sys::Linux::Namespace->new(private_tmp => 1);

    $ns1->setup(code => sub {
        # This code has its own completely private /tmp filesystem
        open(my $fh, ">", "/tmp/private") or die "open: $!";
        print $fh "Hello Void";
        close $fh;
    });
    # The private /tmp has been destroyed and we're back to our previous state

    # Let's do it again, but this time with a private PID space too
    my $ns2 = Sys::Linux::Namespace->new(private_tmp => 1, private_pid => 1);

    $ns2->setup(code => sub {
        # I will only see PID 1. I can fork anything I want and they will only see me;
        # if I die they die too.
        use Data::Dumper;
        print Dumper([glob "/proc/*"]);
    });
    # We're back to our previous global /tmp and PID namespace;
    # all processes and private filesystems have been removed

    # Now let's set up a private /tmp
    $ns1->setup();
    # We're now permanently (for this process) using a private /tmp.
This module requires your script to have CAP_SYS_ADMIN, usually by running as root. Without that capability it will fail to set up the namespaces and your program will exit.
new
Construct a new Sys::Linux::Namespace object. This collects all the options you want to enable but does not engage them.
setup
Engage the namespaces. Without a code parameter it alters the current process and places it in whatever namespaces are configured. If called with a code parameter, it runs the coderef in the configured namespaces in a child process. Because setup() accepts its own code parameter, which overrides any given to new(), you can run multiple coderefs in a configured namespace without creating new objects.
private_mount
Set up a private mount namespace; this makes every currently mounted filesystem private to our process. This means we can unmount and mount new filesystems without other processes seeing the mounts.
private_tmp
Sets up the private mount namespace as above, but also automatically sets up /tmp as a clean private tmpfs mount. Takes either a true value, or a hashref of options to pass to the mount syscall. See man 8 mount for a list of possible options.
private_pid
Create a private PID namespace. This requires a code parameter, either to new() or to setup().
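The script below is an example added here, not code from the module's own documentation; it ties together setup() with a code parameter, private_tmp and private_pid, and shows what the child sees versus what the parent sees afterwards. It assumes the module remounts /proc for the new PID namespace (as the synopsis's glob of /proc suggests); the marker and scratch file names are constructed for this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Sys::Linux::Namespace;

# CAP_SYS_ADMIN is required, as the documentation states; fail early otherwise.
die "need root / CAP_SYS_ADMIN\n" unless $> == 0;

# Constructed marker file in the global /tmp, used to show that the
# private tmpfs inside the namespace does not contain it.
my $marker = "/tmp/sys-linux-namespace-marker.$$";
open(my $mfh, '>', $marker) or die "open $marker: $!";
print {$mfh} "outside\n";
close $mfh;

my $ns = Sys::Linux::Namespace->new(private_tmp => 1, private_pid => 1);

# With a code parameter, setup() runs the coderef in a child process.
$ns->setup(code => sub {
    # Inside the child we are in our own PID namespace, so $$ is 1 here.
    print "inside: pid=$$, marker visible: ", (-e $marker ? "yes" : "no"), "\n";

    # /tmp is a fresh tmpfs; only what we create in here is visible.
    open(my $fh, '>', '/tmp/scratch') or die "open /tmp/scratch: $!";
    print {$fh} "private\n";
    close $fh;
    my @tmp = glob('/tmp/*');
    print "inside: /tmp contains: @tmp\n";

    # Assumption: /proc reflects the new PID namespace, so only processes
    # confined to it are listed. Children forked here are reaped when
    # this PID 1 exits.
    my @procs = grep { m{^/proc/\d+$} } glob('/proc/*');
    print "inside: visible processes: ", scalar(@procs), "\n";
});

# Back in the parent: the global /tmp is untouched and the scratch file
# never existed here, while the marker is still present.
print "outside: marker visible: ", (-e $marker ? "yes" : "no"), "\n";
print "outside: /tmp/scratch exists: ", (-e '/tmp/scratch' ? "yes" : "no"), "\n";
unlink $marker;
```

Running this as root prints the child's PID as 1 and lists only /tmp/scratch inside the namespace, while the parent still sees its marker file and no scratch file. The same object can be reused with a different coderef, since setup() takes the code parameter each time.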
private_net
TODO: This is not yet implemented. Once done, it will allow a child process to execute with a private network namespace, preventing communication. It will require a code parameter to new() or setup().
Ryan Voots simcop@cpan.org
To install Sys::Linux::Namespace, copy and paste the appropriate command into your terminal.
cpanm
cpanm Sys::Linux::Namespace
CPAN shell
perl -MCPAN -e shell
install Sys::Linux::Namespace
For more information on module installation, please visit the detailed CPAN module installation guide.