DOKK / manpages / debian 12 / vdens / vdens.1.en
VDENS(1) General Commands Manual VDENS(1)

vdens - create a user namespace connected to a vde network

vdens [ options ] [ vde_network [ command [ args ] ] ]

vdens -m [ options ] vde_network [ vde_network ... ] [ -- command [ args ] ]

vdens --multi [ options ] vde_network [ vde_network ... ] [ -- command [ args ] ]

vdens creates a user namespace with a private network namespace.

Vdens launches the command indicated as a parameter ($SHELL if omitted) in a private network namespace.

If the vde_network parameter is present (and it does not match one of the strings "-" or "no") the virtual private network namespace will have a virtual interface connected to the specified vde network.

Vdens grants the capabilities CAP_NET_BIND_SERVICE, CAP_NET_BROADCAST, CAP_NET_ADMIN and CAP_NET_RAW to the command to permit the configuration of the virtual interface. The scope of these capabilities is limited to the user namespace created by vdens. Once the network has been configured, the capabilities can be dropped (e.g. using csdrop(1)) in order to increase the security (obeying to the principle of least privilege).

OPTIONS vdens accepts the following options.

connect the vde namespace to one or more vde networks. A virtual interface is defined for each vde_network: vde0 is connected to the first vde_network, vde1 is connected to the second and so on. (It is possible to use a different prefix for the interface names instead of "vde", see -i or --iface below).

define the prefix of the interface name. For example use --iface eth to name the interfaces "eth0", "eth1", etc. (the default value is "vde")

define the address (or addresses) of the domain name servers for the namespace. (multiple IPv4 or IPv6 addresses can be separated by commas, e.g. "-R 9.9.9.9,9.9.8.8")

define the pathname of the file which will appear as /etc/config.sys in the user namespace. (it is ignored if used together with -R or --resolvaddr)

grant also CAP_SYS_ADMIN in the namespace so that it is possible to bind mount files and directories.

Use clone(2) to create the private network namespace. Vdens needs one more thread to manage the vde communication.

Use unshare(2) to create the private network namespace. It may not work if the vde plugin in use is multithreaded (e.g. slirp). If neither -c/--clone nor -u/--unshare is set, vdens tries unshare first and then it uses clone if unshare fails. (If both are set vdens uses clone).

define the default value for the --resolvconf option

define the default value for the --resolvaddr option

Use of user namespaces requires a kernel that is configured with the CONFIG_USER_NS option. In some distributions (e.g. Debian) user namespaces must be enabled by writing 1 to /proc/sys/kernel/unprivileged_userns_clone.

vde_plug(1), cadrop(1), cado(1), capabilities(7)

Renzo Davoli <renzo@cs.unibo.it>, Davide Berardi <berardi.dav@gmail.com>.

November 26, 2016 VirtualSquare Labs