podman-build/docs/build/man/podman-unshare.1

.nh
.TH podman-unshare 1
.SH NAME
podman-unshare \- Run a command inside of a modified user namespace

.SH SYNOPSIS
\fBpodman unshare\fP [\fIoptions\fP] [\fIcommand\fP]

.SH DESCRIPTION
Launches a process (by default, \fI$SHELL\fP) in a new user namespace. The user
namespace is configured so that the invoking user's UID and primary GID appear
to be UID 0 and GID 0, respectively.  Any ranges which match that user and
group in \fB/etc/subuid\fR and \fB/etc/subgid\fR are also mapped in as themselves with the
help of the \fInewuidmap(1)\fP and \fInewgidmap(1)\fP helpers.

.PP
\fBpodman unshare\fP is useful for troubleshooting unprivileged operations and for
manually clearing storage and other data related to images and containers.

.PP
It is also useful to use the \fBpodman mount\fP command.  If an unprivileged user wants to mount and work with a container, then they need to execute
\fBpodman unshare\fP\&.  Executing \fBpodman mount\fP fails for unprivileged users unless the user is running inside a \fBpodman unshare\fP session.

.PP
The unshare session defines two environment variables:
.IP \(bu 2
\fBCONTAINERS_GRAPHROOT\fP: the path to the persistent container's data.
.IP \(bu 2
\fBCONTAINERS_RUNROOT\fP: the path to the volatile container's data.

.PP
\fIIMPORTANT: This command is not available with the remote Podman client.\fP

.SH OPTIONS
.SS \fB--help\fP, \fB-h\fP
Print usage statement

.SS \fB--rootless-netns\fP
Join the rootless network namespace used for netavark networking. It can be used to
connect to a rootless container via IP address (bridge networking). This is otherwise
not possible from the host network namespace.

.SH Exit Codes
The exit code from \fBpodman unshare\fR gives information about why the container
failed to run or why it exited.  When \fBpodman unshare\fR commands exit with a non-zero code,
the exit codes follow the \fBchroot\fR standard, see below:

.PP
\fB125\fP The error is with podman \fB\fIitself\fP\fP

.EX
$ podman unshare --foo; echo $?
Error: unknown flag: --foo
125
.EE

.PP
\fB126\fP Executing a \fIcontained command\fP and the \fIcommand\fP cannot be invoked

.EX
$ podman unshare /etc; echo $?
Error: fork/exec /etc: permission denied
126
.EE

.PP
\fB127\fP Executing a \fIcontained command\fP and the \fIcommand\fP cannot be found

.EX
$ podman unshare foo; echo $?
Error: fork/exec /usr/bin/bogus: no such file or directory
127
.EE

.PP
\fBExit code\fP \fIcontained command\fP exit code

.EX
$ podman unshare /bin/sh -c 'exit 3'; echo $?
3
.EE

.SH EXAMPLE
Execute specified command in rootless user namespace:

.EX
$ podman unshare id
uid=0(root) gid=0(root) groups=0(root),65534(nobody)
.EE

.PP
Show user namespace mappings for rootless containers:

.EX
$ podman unshare cat /proc/self/uid_map /proc/self/gid_map
         0       1000          1
         1      10000      65536
         0       1000          1
         1      10000      65536
.EE

.PP
Show rootless netns information in user namespace for rootless containers:

.EX
$ podman unshare --rootless-netns ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: tap0: <BROADCAST,UP,LOWER_UP> mtu 65520 qdisc fq_codel state UNKNOWN group default qlen 1000
    link/ether aa:8c:0b:73:98:f6 brd ff:ff:ff:ff:ff:ff
    inet 10.0.2.100/24 brd 10.0.2.255 scope global tap0
       valid_lft forever preferred_lft forever
    inet6 fd00::a88c:bff:fe73:98f6/64 scope global dynamic mngtmpaddr
       valid_lft 86389sec preferred_lft 14389sec
    inet6 fe80::a88c:bff:fe73:98f6/64 scope link
       valid_lft forever preferred_lft forever
.EE

.SH SEE ALSO
\fBpodman(1)\fP, \fBpodman-mount(1)\fP, \fBnamespaces(7)\fP, \fBnewuidmap(1)\fP, \fBnewgidmap(1)\fP, \fBuser_namespaces(7)\fP