Provided by: vdens_0.2-1_amd64

NAME

       vdens - create a user namespace connected to a vde network

SYNOPSIS

       vdens [ options ] [ vde_network [ command [ args ] ] ]

       vdens -m [ options ] vde_network [ vde_network ...  ] [ -- command [ args ] ]

       vdens --multi [ options ] vde_network [ vde_network ...  ] [ -- command [ args ] ]

DESCRIPTION

       vdens creates a user namespace with a private network namespace.

       Vdens  launches  the  command  indicated  as  a parameter ($SHELL if omitted) in a private
       network namespace.

       If the vde_network parameter is present (and it does not match one of the strings  "-"  or
       "no") the virtual private network namespace will have a virtual interface connected to the
       specified vde network.

       Vdens grants the capabilities CAP_NET_BIND_SERVICE, CAP_NET_BROADCAST,  CAP_NET_ADMIN  and
       CAP_NET_RAW to the command to permit the configuration of the virtual interface. The scope
       of these capabilities is limited to the user namespace created by vdens. Once the  network
       has  been  configured,  the capabilities can be dropped (e.g. using cadrop(1)) in order to
       increase security (obeying the principle of least privilege).

OPTIONS

       vdens accepts the following options.

       -m
       --multi
              connect the vde namespace to one or more  vde  networks.  A  virtual  interface  is
              defined  for  each vde_network: vde0 is connected to the first vde_network, vde1 is
              connected to the second and so on. (It is possible to use a  different  prefix  for
              the interface names instead of "vde", see -i or --iface below).

       -i  interface_prefix
       --iface  interface_prefix
              define  the  prefix  of the interface names. For example, use --iface eth to name
              the interfaces "eth0", "eth1", etc.  (the default value is "vde")

       -R  ip_addr(s)
       --resolvaddr  ip_addr(s)
              define the address (or addresses) of the domain name  servers  for  the  namespace.
              (multiple   IPv4   or   IPv6  addresses  can  be  separated  by  commas,  e.g.  "-R
              9.9.9.9,9.9.8.8")

       -r  pathname
       --resolvconf  pathname
              define the pathname of the file which will appear as /etc/config.sys  in  the  user
              namespace.  (it is ignored if used together with -R or --resolvaddr)

       -s
       --sysadm
              grant  also  CAP_SYS_ADMIN  in  the  namespace so that it is possible to bind mount
              files and directories.

       -c
       --clone
              Use clone(2) to create the private network namespace. Vdens needs one  more  thread
              to manage the vde communication.

       -u
       --unshare
              Use  unshare(2) to create the private network namespace. It may not work if the vde
              plugin in use is multithreaded (e.g. slirp). If neither -c/--clone nor -u/--unshare
              is set, vdens tries unshare first and then it uses clone if unshare fails. (If both
              are set vdens uses clone).

ENVIRONMENT VARIABLES

       VDE_RESOLVCONF
              define the default value for the --resolvconf  option

       VDE_RESOLVADDR
              define the default value for the --resolvaddr  option

NOTES

       Use of user namespaces requires a  kernel  that  is  configured  with  the  CONFIG_USER_NS
       option.   In some distributions (e.g. Debian) user namespaces must be enabled by writing 1
       to /proc/sys/kernel/unprivileged_userns_clone.
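       The workflow described in DESCRIPTION, OPTIONS and NOTES above (check that unprivileged
       user namespaces are available, start vdens with -m and -R, configure one interface per
       vde network inside the namespace with ip(8) using the capabilities vdens grants, then drop
       those capabilities before handing control to the interactive shell), as an added POSIX
       shell example that is not part of vdens or of this manual page. The vde network URLs,
       addresses and gateway are constructed sample values; the cadrop(1) invocation form
       (cadrop [cap_list] command, with cap_list omitted to drop everything) and the treatment of
       a missing unprivileged_userns_clone file as "knob absent, CONFIG_USER_NS alone decides"
       are assumptions to be checked against cadrop(1) and the distribution's kernel.

```shell
#!/bin/sh
# Added example; not part of vdens. Builds and (optionally) runs a two-network
# vdens session that follows the least-privilege advice in DESCRIPTION.

# Prerequisite check from NOTES. The sysctl path is a parameter so the
# function can be exercised against a constructed file; the real knob is
# /proc/sys/kernel/unprivileged_userns_clone (Debian-style kernels).
# Assumption: when the file does not exist, the kernel has no such knob and
# user namespaces are governed by CONFIG_USER_NS alone, so we report "enabled".
userns_enabled() {
  f="${1:-/proc/sys/kernel/unprivileged_userns_clone}"
  if [ ! -e "$f" ]; then
    return 0
  fi
  [ "$(cat "$f")" = "1" ]
}

# Assemble the vdens command line for N vde networks.
# Usage: vdens_cmd DNS_ADDRS GATEWAY NET1 ADDR1/PREFIX [NET2 ADDR2/PREFIX ...]
# Inside the namespace the command runs with CAP_NET_ADMIN (granted by vdens),
# which is what "ip addr add" / "ip link set" / "ip route add" need. Interface
# names follow the -m convention: vde0 for the first network, vde1 for the
# second, and so on. After configuration the script execs the shell through
# cadrop so the network capabilities are gone before any interactive work.
# Assumed cadrop syntax: cadrop [cap_list] command; see cadrop(1).
vdens_cmd() {
  dns="$1"; gw="$2"; shift 2
  nets=""; setup=""; i=0
  while [ $# -ge 2 ]; do
    nets="$nets $1"
    setup="${setup}ip addr add $2 dev vde$i && ip link set vde$i up && "
    i=$((i + 1)); shift 2
  done
  setup="${setup}ip route add default via $gw && exec cadrop \"\$SHELL\""
  printf "vdens -m -R %s%s -- sh -c '%s'\n" "$dns" "$nets" "$setup"
}

# Stand-alone use: "sh vdens_example.sh run" reports the prerequisite status
# and prints the command line for the constructed two-network example
# (vde:///tmp/sw0 and vde:///tmp/sw1 are sample switch paths, 9.9.9.9 is the
# resolver address used in the -R description above).
if [ "${1:-}" = "run" ]; then
  if userns_enabled; then
    echo "user namespaces: enabled"
  else
    echo "user namespaces: disabled, see NOTES in vdens(1)"
  fi
  vdens_cmd 9.9.9.9 10.0.0.1 vde:///tmp/sw0 10.0.0.2/24 vde:///tmp/sw1 10.0.1.2/24
fi
```

       Running the printed command starts vdens, configures vde0 and vde1 inside the namespace
       and ends in a shell that no longer holds CAP_NET_ADMIN or CAP_NET_RAW; if the prerequisite
       check reports "disabled", vdens will fail to create the user namespace until the sysctl
       is set as described in NOTES.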

SEE ALSO

       vde_plug(1), cadrop(1), cado(1), capabilities(7)

AUTHORS

       Renzo Davoli <renzo@cs.unibo.it>, Davide Berardi <berardi.dav@gmail.com>.