Provided by: vdens_0.2-2build3_amd64

NAME

       vdens - create a user namespace connected to a vde network

SYNOPSIS

       vdens [ options ] [ vde_network [ command [ args ] ] ]

       vdens -m [ options ] vde_network [ vde_network ...  ] [ -- command [ args ] ]

       vdens --multi [ options ] vde_network [ vde_network ...  ] [ -- command [ args ] ]

DESCRIPTION

       vdens creates a user namespace with a private network namespace.

       Vdens launches the command indicated as a parameter ($SHELL if omitted) in a private network namespace.

       If  the  vde_network  parameter  is  present  (and  it does not match one of the strings "-" or "no") the
       virtual private network namespace will have a virtual interface connected to the specified vde network.

       Vdens grants the capabilities CAP_NET_BIND_SERVICE, CAP_NET_BROADCAST, CAP_NET_ADMIN and CAP_NET_RAW to
       the command so that it can configure the virtual interface. The scope of these capabilities is
       limited to the user namespace created by vdens. Once the network has been configured, the capabilities
       can be dropped (e.g. using cadrop(1)) to improve security, in keeping with the principle of
       least privilege.
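
       To confirm that the capabilities listed above are really gone after they have been dropped, the
       effective set can be read from the CapEff line of /proc/self/status. The script below is an added
       example, not part of vdens or of this manual; its function names and the sample status text are
       constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of vdens: report which capabilities named in this
# manual are still present in a process's effective set (CapEff).

# name:bit pairs; bit numbers are those defined in <linux/capability.h>.
VDENS_CAPS="CAP_NET_BIND_SERVICE:10 CAP_NET_BROADCAST:11 CAP_NET_ADMIN:12 CAP_NET_RAW:13 CAP_SYS_ADMIN:21"

# cap_eff_of STATUS_TEXT: print the hex CapEff value; fail if the line is absent.
cap_eff_of() {
    printf '%s\n' "$1" | awk '$1 == "CapEff:" { print $2; found = 1 } END { exit !found }'
}

# caps_held HEXMASK: print the names from VDENS_CAPS whose bit is set in the mask.
caps_held() {
    _mask=$((0x$1)); _held=""
    for _entry in $VDENS_CAPS; do
        _name=${_entry%%:*}; _bit=${_entry##*:}
        if [ $(( (_mask >> _bit) & 1 )) -eq 1 ]; then
            _held="$_held${_held:+ }$_name"
        fi
    done
    printf '%s\n' "$_held"
}

# audit_status STATUS_TEXT: return 0 if none of the capabilities remain,
# 1 if at least one remains, 2 if the text has no CapEff line.
audit_status() {
    _hex=$(cap_eff_of "$1") || { echo "no CapEff line found" >&2; return 2; }
    _left=$(caps_held "$_hex")
    if [ -n "$_left" ]; then
        echo "still held: $_left"
        return 1
    fi
    echo "none of the listed capabilities remain"
}

# Constructed samples (not captured from a real vdens session). For a live
# check inside the namespace: audit_status "$(cat /proc/self/status)"
SAMPLE_BEFORE=$(printf 'Name:\tsh\nCapEff:\t0000000000003c00\n')
SAMPLE_AFTER=$(printf 'Name:\tsh\nCapEff:\t0000000000000000\n')
audit_status "$SAMPLE_BEFORE" || true
audit_status "$SAMPLE_AFTER"
```

       CAP_SYS_ADMIN is included in the list so that the same check also covers a namespace started with
       -s or --sysadm.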

OPTIONS

       vdens accepts the following options.

       -m
       --multi
              connect the vde namespace to one or more vde networks. A virtual interface  is  defined  for  each
              vde_network:  vde0  is  connected to the first vde_network, vde1 is connected to the second and so
              on. (It is possible to use a different prefix for the interface names instead of "vde", see -i  or
              --iface below).

       -i  interface_prefix
       --iface  interface_prefix
              define  the  prefix  of  the  interface  name.  For example use --iface eth to name the interfaces
              "eth0", "eth1", etc.  (the default value is "vde")

       -R  ip_addr(s)
       --resolvaddr  ip_addr(s)
              define the address (or addresses) of the domain name servers for the namespace.  (multiple IPv4 or
              IPv6 addresses can be separated by commas, e.g. "-R 9.9.9.9,9.9.8.8")

       -r  pathname
       --resolvconf  pathname
              define the pathname of the file which will appear as /etc/config.sys in the user  namespace.   (it
              is ignored if used together with -R or --resolvaddr)

       -s
       --sysadm
              also grant CAP_SYS_ADMIN in the namespace so that files and directories can be bind
              mounted.

       -c
       --clone
              Use clone(2) to create the private network namespace. Vdens needs one more thread  to  manage  the
              vde communication.

       -u
       --unshare
              Use unshare(2) to create the private network namespace. It may not work if the vde plugin in use
              is multithreaded (e.g. slirp). If neither -c/--clone nor -u/--unshare is set, vdens tries unshare
              first and falls back to clone if unshare fails. (If both are set, vdens uses clone.)

ENVIRONMENT VARIABLES

       VDE_RESOLVCONF
              define the default value for the --resolvconf  option

       VDE_RESOLVADDR
              define the default value for the --resolvaddr  option

NOTES

       Use of user namespaces requires a kernel that is configured with the CONFIG_USER_NS option. In some
       distributions (e.g. Debian) user namespaces must be enabled by writing 1 to
       /proc/sys/kernel/unprivileged_userns_clone.

SEE ALSO

       vde_plug(1), cadrop(1), cado(1), capabilities(7)

AUTHORS

       Renzo Davoli <renzo@cs.unibo.it>, Davide Berardi <berardi.dav@gmail.com>.

VirtualSquare Labs                              November 26, 2016                                       VDENS(1)