NAME

    Sys::Linux::Namespace - A module for setting up Linux namespaces

SYNOPSIS

    use Sys::Linux::Namespace;

    # Create a namespace with a private /tmp
    my $ns1 = Sys::Linux::Namespace->new(private_tmp => 1);

    $ns1->setup(code => sub {
        # This code has its own completely private /tmp filesystem
        open(my $fh, ...);   # (truncated in the original)
    });

    my $ns2 = Sys::Linux::Namespace->new(private_tmp => 1, private_pid => 1);

    $ns2->setup(code => sub {
        # I will only see PID 1. I can fork anything I want and they will only see me.
        # If I die they die too.
        use Data::Dumper;
        print Dumper([glob "/proc/*"]);
    });

    # We're back to our previous global /tmp and PID namespace;
    # all processes and private filesystems have been removed.

    # Now let's set up a private /tmp
    $ns1->setup();

    # We're now permanently (for this process) using a private /tmp.

REQUIREMENTS

    This module requires your script to have CAP_SYS_ADMIN, usually by running as
    "root". Without that it will fail to set up the namespaces and cause your
    program to exit.

METHODS

  "new"

    Construct a new Sys::Linux::Namespace object. This collects all the options
    you want to enable, but does not engage them. All arguments are passed in
    like a hash.

    code
        A coderef to run when setting up the namespaces. This gets run in a
        child process that's isolated from the parent. If you don't pass one in
        during construction or to "setup", then the namespace changes will
        happen to the current process.

    private_mount
        Set up a private mount namespace; this makes every currently mounted
        filesystem private to our process. This means we can unmount and mount
        new filesystems without other processes seeing the mounts.

    private_tmp
        Sets up the private mount namespace as above, but also automatically
        sets up /tmp to be a clean private tmpfs mount. Takes either a true
        value, or a hashref with options to pass to the mount syscall. See
        "man 8 mount" for a list of possible options.

    private_pid
        Create a private PID namespace. This requires a "code" parameter either
        to "new()" or to "setup()".

    private_net
        TODO. This is not yet implemented. Once done, however, it will allow a
        child process to execute with a private network, preventing
        communication. Will require a "code" parameter to "new()" or "setup()".

    private_ipc
        Create a private IPC namespace.

    private_user
        Create a new user namespace. See "man 7 user_namespaces" for more
        information.

    private_uts
        Create a new UTS namespace. This will let you safely change the hostname
        of the system without affecting anyone else.

    private_sysvsem
        Create a new System V semaphore namespace. This will let you create new
        semaphores without anyone else touching them.

  "setup"

    Engage the namespaces with all the configured options. All arguments are
    passed by name like a hash. You may pass in a "code" parameter to run in a
    child process; this overrides one provided during construction. Any other
    parameters are passed through to your coderef if present.

AUTHOR

    Ryan Voots simcop@cpan.org
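A worked example, added here and not part of the module's own documentation, that combines private_tmp, private_pid and private_uts from "new" above, runs a worker with "setup", and then checks from the parent that nothing leaked out of the child's namespaces. It assumes that setup(code => ...) returns only after the child has exited (as the synopsis implies) and that hostname(1) is installed; the marker path is constructed for this check.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Sys::Linux::Namespace;

# The module needs CAP_SYS_ADMIN; fail early with a clear message instead of
# letting the namespace setup abort the program.
die "needs CAP_SYS_ADMIN (run as root)\n" unless $> == 0;

# Read the hostname from procfs rather than Sys::Hostname, which caches its
# result and would hide a change made inside the UTS namespace.
sub current_hostname {
    open my $fh, '<', '/proc/sys/kernel/hostname' or die "hostname: $!";
    chomp(my $h = <$fh>);
    return $h;
}

my $marker      = "/tmp/ns-demo-$$";   # constructed path used as a leak probe
my $host_before = current_hostname();

my $ns = Sys::Linux::Namespace->new(
    private_tmp => 1,   # clean tmpfs on /tmp, visible only to the child
    private_pid => 1,   # the child becomes PID 1 of a fresh PID namespace
    private_uts => 1,   # hostname changes stay inside the child
);

$ns->setup(code => sub {
    # Everything here runs in the isolated child process.
    printf "child sees itself as PID %d\n", $$;          # expect 1

    # Write into the private /tmp; the parent must not be able to see this.
    open my $fh, '>', $marker or die "open $marker: $!";
    print $fh "only visible in the private /tmp\n";
    close $fh;

    # Rename the host inside the private UTS namespace only.
    system('hostname', 'sandbox') == 0 or warn "hostname(1) failed: $?\n";
    printf "child hostname is now %s\n", current_hostname();
});

# Back in the parent: verify that neither change escaped the namespaces.
print -e $marker ? "FAIL: $marker leaked into the real /tmp\n"
                 : "ok: $marker does not exist outside the child\n";
print current_hostname() eq $host_before
    ? "ok: hostname unchanged ($host_before)\n"
    : "FAIL: hostname changed outside the child\n";
```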