pid_namespaces(7) Miscellaneous Information Manual pid_namespaces(7)

pid_namespaces - Linux PID namespaces(7). PID , PID PID. PID / , PID. PID 1 , fork(2), vfork(2) clone(2) . PID , CONFIG_PID_NS. , (. ., , clone(2) CLONE_NEWPID , unshare(2) CLONE_NEWPID) PID 1, <<>> (init) ( init(1)). , - , PID ( ).

If the "init" process of a PID namespace terminates, the kernel terminates all of the processes in the namespace via a SIGKILL signal. This behavior reflects the fact that the "init" process is essential for the correct operation of a PID namespace. In this case, a subsequent fork(2) into this PID namespace fails with the error ENOMEM; it is not possible to create a new process in a PID namespace whose "init" process has terminated. Such scenarios can occur when, for example, a process uses an open file descriptor for a /proc/pid/ns/pid file corresponding to a process that was in a namespace to setns(2) into that namespace after the "init" process has terminated. Another possible scenario can occur after a call to unshare(2): if the first child subsequently created by a fork(2) terminates, then subsequent calls to fork(2) fail with ENOMEM.

PID <> , <> . , PID <>.

Likewise, a process in an ancestor namespace can, subject to the usual permission checks described in kill(2), send signals to the "init" process of a child PID namespace only if the "init" process has established a handler for that signal. (Within the handler, the siginfo_t si_pid field described in sigaction(2) will be zero.)

SIGKILL or SIGSTOP are treated exceptionally: these signals are forcibly delivered when sent from an ancestor PID namespace. Neither of these signals can be caught by the "init" process, and so will result in the usual actions associated with those signals (respectively, terminating and stopping the process).

Linux 3.4, reboot(2) <>. reboot(2). PID PID : PID , (<<>>) PID. PID -- PID , clone(2) unshare(2). PID , , . Linux 3.7, PID 32. PID, PID PID. <<>> , , . , PID .
: (, kill(2), setpriority(2) . .) PID . PID, , , PID. , , , PID . getpid(2) PID, , . PID , . , (. ., init(1) PID 1) . , , setns(2) PID, PID setns(2). getppid(2) 0. PID (, setns(2) PID), . (, ..). PID -- . NS_GET_PARENT ioctl(2) PID; ioctl_ns(2).

setns(2) unshare(2)

Calls to setns(2) that specify a PID namespace file descriptor and calls to unshare(2) with the CLONE_NEWPID flag cause children subsequently created by the caller to be placed in a different PID namespace from the caller. (Since Linux 4.12, that PID namespace is shown via the /proc/pid/ns/pid_for_children file, as described in namespaces(7).) These calls do not, however, change the PID namespace of the calling process, because doing so would change the caller's idea of its own PID (as reported by getpid()), which would break many applications and libraries.

: PID . , , PID: namespace.

A process may call unshare(2) with the CLONE_NEWPID flag only once. After it has performed this operation, its /proc/pid/ns/pid_for_children symbolic link will be empty until the first child is created in the namespace.

, <<>> PID ( prctl(2) PR_SET_CHILD_SUBREAPER ). , setns(2) unshare(2), , <> PID, PID , <> PID .

CLONE_NEWPID CLONE_*

In current versions of Linux, CLONE_NEWPID can't be combined with CLONE_THREAD. Threads are required to be in the same PID namespace such that the threads in a process can send signals to each other. Similarly, it must be possible to see all of the threads of a process in the proc(5) filesystem. Additionally, if two threads were in different PID namespaces, the process ID of the process sending a signal could not be meaningfully encoded when a signal is sent (see the description of the siginfo_t type in sigaction(2)). Since this is computed when a signal is enqueued, a signal queue shared by processes in multiple PID namespaces would defeat that.

Linux CLONE_NEWPID ( EINVAL) CLONE_SIGHAND ( Linux 4.3), CLONE_VM ( Linux 3.12). , , .
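The unshare(2) semantics and the ENOMEM failure after the namespace "init" exits, both described above, can be observed with the following added example (it is not part of the manual page). The names worker, pidns_demo and the result bits are hypothetical, and CLONE_NEWUSER is an assumption added so that the example can run without CAP_SYS_ADMIN.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Result bits; all names here are hypothetical, chosen for this example. */
#define SAME_PID    1  /* unshare(2) left the caller's own PID unchanged */
#define CHILD_IS_1  2  /* first child after unshare(2) is PID 1 ("init")  */
#define FORK_ENOMEM 4  /* fork(2) after "init" exited failed with ENOMEM  */
#define UNSUPPORTED 8  /* namespace creation not permitted on this host   */

/* Runs in a throwaway process so the caller's namespaces stay untouched. */
static int worker(void)
{
    int res = 0, st;
    pid_t before = getpid(), c;

    /* Assumption: CLONE_NEWUSER is added so no CAP_SYS_ADMIN is needed. */
    if (unshare(CLONE_NEWUSER | CLONE_NEWPID) == -1)
        return UNSUPPORTED;
    if (getpid() == before)
        res |= SAME_PID;
    c = fork();                       /* first child becomes "init" */
    if (c == -1) return UNSUPPORTED;
    if (c == 0)
        _exit(getpid() == 1 ? 0 : 1);
    if (waitpid(c, &st, 0) == c && WIFEXITED(st) && WEXITSTATUS(st) == 0)
        res |= CHILD_IS_1;
    c = fork();                       /* the namespace "init" is gone */
    if (c == 0) _exit(0);
    if (c == -1 && errno == ENOMEM)
        res |= FORK_ENOMEM;
    else if (c > 0)
        waitpid(c, NULL, 0);
    return res;
}

/* Returns a mask of the bits above, or -1 if the demo cannot run here. */
int pidns_demo(void)
{
    int st;
    pid_t w = fork();
    if (w == 0)
        _exit(worker());
    if (w == -1 || waitpid(w, &st, 0) != w || !WIFEXITED(st))
        return -1;
    return WEXITSTATUS(st) == UNSUPPORTED ? -1 : WEXITSTATUS(st);
}
int main(void) { printf("result mask: %d\n", pidns_demo()); return 0; }
```

A result of 7 means all three behaviours were observed; -1 means the host does not allow unprivileged namespace creation.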
/proc PID

A /proc filesystem shows (in the /proc/pid directories) only processes visible in the PID namespace of the process that performed the mount, even if the /proc filesystem is viewed from processes in other namespaces.

PID procfs /proc , ps(1). , CLONE_NEWNS flags clone(2) unshare(2), : procfs /proc. /proc:

    $ mount -t proc proc /proc

readlink(2) /proc/self PID, procfs (. ., PID , procfs). , PID .

/proc

/proc/sys/kernel/ns_last_pid ( Linux 3.3)

This file (which is virtualized per PID namespace) displays the last PID that was allocated in this PID namespace. When the next PID is allocated, the kernel will search for the lowest unallocated PID that is greater than this value, and when this file is subsequently read it will show that PID.

This file is writable by a process that has the CAP_SYS_ADMIN or (since Linux 5.9) CAP_CHECKPOINT_RESTORE capability inside the user namespace that owns the PID namespace. This makes it possible to determine the PID that is allocated to the next process that is created inside this PID namespace.

UNIX PID ( SCM_CREDENTIALS unix(7)), PID PID . Linux. . user_namespaces(7).

clone(2), reboot(2), setns(2), unshare(2), proc(5), capabilities(7), credentials(7), mount_namespaces(7), namespaces(7), user_namespaces(7), switch_root(8)

Alexey, Azamat Hackimov, kogamatranslator49, Darima Kogan, Max Is, Yuri Kozlov; GNU (GNU General Public License - GPL, 3 ) , - . - , , <>.

Linux man-pages 6.8 2 2024 . pid_namespaces(7)