[thirdparty/man-pages.git] / man2 / clone.2

.\" Hey Emacs! This file is -*- nroff -*- source.
.\"
.\" Copyright (c) 1992 Drew Eckhardt <drew@cs.colorado.edu>, March 28, 1992
.\" and Copyright (c) Michael Kerrisk, 2001, 2002, 2005
.\" May be distributed under the GNU General Public License.
.\" Modified by Michael Haardt <michael@moria.de>
.\" Modified 24 Jul 1993 by Rik Faith <faith@cs.unc.edu>
.\" Modified 21 Aug 1994 by Michael Chastain <mec@shell.portal.com>:
.\"   New man page (copied from 'fork.2').
.\" Modified 10 June 1995 by Andries Brouwer <aeb@cwi.nl>
.\" Modified 25 April 1998 by Xavier Leroy <Xavier.Leroy@inria.fr>
.\" Modified 26 Jun 2001 by Michael Kerrisk
.\"     Mostly upgraded to 2.4.x
.\"     Added prototype for sys_clone() plus description
.\"	Added CLONE_THREAD with a brief description of thread groups
.\"	Added CLONE_PARENT and revised entire page remove ambiguity
.\"		between "calling process" and "parent process"
.\"	Added CLONE_PTRACE and CLONE_VFORK
.\"	Added EPERM and EINVAL error codes
.\"	Renamed "__clone" to "clone" (which is the prototype in <sched.h>)
.\"	various other minor tidy ups and clarifications.
.\" Modified 26 Jun 2001 by Michael Kerrisk <mtk.manpages@gmail.com>
.\"	Updated notes for 2.4.7+ behavior of CLONE_THREAD
.\" Modified 15 Oct 2002 by Michael Kerrisk <mtk.manpages@gmail.com>
.\"	Added description for CLONE_NEWNS, which was added in 2.4.19
.\" Slightly rephrased, aeb.
.\" Modified 1 Feb 2003 - added CLONE_SIGHAND restriction, aeb.
.\" Modified 1 Jan 2004 - various updates, aeb
.\" Modified 2004-09-10 - added CLONE_PARENT_SETTID etc. - aeb.
.\" 2005-04-12, mtk, noted the PID caching behavior of NPTL's getpid()
.\"	wrapper under BUGS.
.\" 2005-05-10, mtk, added CLONE_SYSVSEM, CLONE_UNTRACED, CLONE_STOPPED.
.\" 2005-05-17, mtk, Substantially enhanced discussion of CLONE_THREAD.
.\" 2008-11-18, mtk, order CLONE_* flags alphabetically
.\" 2008-11-18, mtk, document CLONE_NEWPID
.\" 2008-11-19, mtk, document CLONE_NEWUTS
.\" 2008-11-19, mtk, document CLONE_NEWIPC
.\" 2008-11-19, Jens Axboe, mtk, document CLONE_IO
.\"
.\" FIXME Document CLONE_NEWUSER, which is new in 2.6.23
.\"       (also supported for unshare()?)
.\"
.TH CLONE 2 2011-09-08 "Linux" "Linux Programmer's Manual"
.SH NAME
clone, __clone2 \- create a child process
.SH SYNOPSIS
.nf
.BR "#define _GNU_SOURCE" "             /* See feature_test_macros(7) */"
.\" Actually _BSD_SOURCE || _SVID_SOURCE
.\" See http://sources.redhat.com/bugzilla/show_bug.cgi?id=4749
.B #include <sched.h>

.BI "int clone(int (*" "fn" ")(void *), void *" child_stack ,
.BI "          int " flags ", void *" "arg" ", ... "
.BI "          /* pid_t *" ptid ", struct user_desc *" tls \
", pid_t *" ctid " */ );"
.fi
.SH DESCRIPTION
.BR clone ()
creates a new process, in a manner similar to
.BR fork (2).
It is actually a library function layered on top of the underlying
.BR clone ()
system call, hereinafter referred to as
.BR sys_clone .
A description of
.B sys_clone
is given toward the end of this page.

Unlike
.BR fork (2),
these calls
allow the child process to share parts of its execution context with
the calling process, such as the memory space, the table of file
descriptors, and the table of signal handlers.
(Note that on this manual
page, "calling process" normally corresponds to "parent process".
But see the description of
.B CLONE_PARENT
below.)

The main use of
.BR clone ()
is to implement threads: multiple threads of control in a program that
run concurrently in a shared memory space.

When the child process is created with
.BR clone (),
it executes the function
application
.IR fn ( arg ).
(This differs from
.BR fork (2),
where execution continues in the child from the point
of the
.BR fork (2)
call.)
The
.I fn
argument is a pointer to a function that is called by the child
process at the beginning of its execution.
The
.I arg
argument is passed to the
.I fn
function.

When the
.IR fn ( arg )
function application returns, the child process terminates.
The integer returned by
.I fn
is the exit code for the child process.
The child process may also terminate explicitly by calling
.BR exit (2)
or after receiving a fatal signal.

The
.I child_stack
argument specifies the location of the stack used by the child process.
Since the child and calling process may share memory,
it is not possible for the child process to execute in the
same stack as the calling process.
The calling process must therefore
set up memory space for the child stack and pass a pointer to this
space to
.BR clone ().
Stacks grow downward on all processors that run Linux
(except the HP PA processors), so
.I child_stack
usually points to the topmost address of the memory space set up for
the child stack.

The low byte of
.I flags
contains the number of the
.I "termination signal"
sent to the parent when the child dies.
If this signal is specified as anything other than
.BR SIGCHLD ,
then the parent process must specify the
.B __WALL
or
.B __WCLONE
options when waiting for the child with
.BR wait (2).
If no signal is specified, then the parent process is not signaled
when the child terminates.

.I flags
may also be bitwise-or'ed with zero or more of the following constants,
in order to specify what is shared between the calling process
and the child process:
.TP
.BR CLONE_CHILD_CLEARTID " (since Linux 2.5.49)"
Erase child thread ID at location
.I ctid
in child memory when the child exits, and do a wakeup on the futex
at that address.
The address involved may be changed by the
.BR set_tid_address (2)
system call.
This is used by threading libraries.
.TP
.BR CLONE_CHILD_SETTID " (since Linux 2.5.49)"
Store child thread ID at location
.I ctid
in child memory.
.TP
.B CLONE_FILES
If
.B CLONE_FILES
is set, the calling process and the child process share the same file
descriptor table.
Any file descriptor created by the calling process or by the child
process is also valid in the other process.
Similarly, if one of the processes closes a file descriptor,
or changes its associated flags (using the
.BR fcntl (2)
.B F_SETFD
operation), the other process is also affected.

If
.B CLONE_FILES
is not set, the child process inherits a copy of all file descriptors
opened in the calling process at the time of
.BR clone ().
(The duplicated file descriptors in the child refer to the
same open file descriptions (see
.BR open (2))
as the corresponding file descriptors in the calling process.)
Subsequent operations that open or close file descriptors,
or change file descriptor flags,
performed by either the calling
process or the child process do not affect the other process.
.TP
.B CLONE_FS
If
.B CLONE_FS
is set, the caller and the child process share the same file system
information.
This includes the root of the file system, the current
working directory, and the umask.
Any call to
.BR chroot (2),
.BR chdir (2),
or
.BR umask (2)
performed by the calling process or the child process also affects the
other process.

If
.B CLONE_FS
is not set, the child process works on a copy of the file system
information of the calling process at the time of the
.BR clone ()
call.
Calls to
.BR chroot (2),
.BR chdir (2),
.BR umask (2)
performed later by one of the processes do not affect the other process.
.TP
.BR CLONE_IO " (since Linux 2.6.25)"
If
.B CLONE_IO
is set, then the new process shares an I/O context with
the calling process.
If this flag is not set, then (as with
.BR fork (2))
the new process has its own I/O context.

.\" The following based on text from Jens Axboe
The I/O context is the I/O scope of the disk scheduler (i.e,
what the I/O scheduler uses to model scheduling of a process's I/O).
If processes share the same I/O context,
they are treated as one by the I/O scheduler.
As a consequence, they get to share disk time.
For some I/O schedulers,
.\" the anticipatory and CFQ scheduler
if two processes share an I/O context,
they will be allowed to interleave their disk access.
If several threads are doing I/O on behalf of the same process
.RB ( aio_read (3),
for instance), they should employ
.BR CLONE_IO
to get better I/O performance.
.\" with CFQ and AS.

If the kernel is not configured with the
.B CONFIG_BLOCK
option, this flag is a no-op.
.TP
.BR CLONE_NEWIPC " (since Linux 2.6.19)"
If
.B CLONE_NEWIPC
is set, then create the process in a new IPC namespace.
If this flag is not set, then (as with
.BR fork (2)),
the process is created in the same IPC namespace as
the calling process.
This flag is intended for the implementation of containers.

An IPC namespace consists of the set of identifiers for
System V IPC objects.
(These objects are created using
.BR msgctl (2),
.BR semctl (2),
and
.BR shmctl (2)).
Objects created in an IPC namespace are visible to all other processes
that are members of that namespace,
but are not visible to processes in other IPC namespaces.

When an IPC namespace is destroyed
(i.e, when the last process that is a member of the namespace terminates),
all IPC objects in the namespace are automatically destroyed.

Use of this flag requires: a kernel configured with the
.B CONFIG_SYSVIPC
and
.B CONFIG_IPC_NS
options and that the process be privileged
.RB ( CAP_SYS_ADMIN ).
This flag can't be specified in conjunction with
.BR CLONE_SYSVSEM .
.TP
.BR CLONE_NEWNET " (since Linux 2.6.24)"
.\" FIXME Check when the implementation was completed
(The implementation of this flag was only completed
by about kernel version 2.6.29.)

If
.B CLONE_NEWNET
is set, then create the process in a new network namespace.
If this flag is not set, then (as with
.BR fork (2)),
the process is created in the same network namespace as
the calling process.
This flag is intended for the implementation of containers.

A network namespace provides an isolated view of the networking stack
(network device interfaces, IPv4 and IPv6 protocol stacks,
IP routing tables, firewall rules, the
.I /proc/net
and
.I /sys/class/net
directory trees, sockets, etc.).
A physical network device can live in exactly one
network namespace.
A virtual network device ("veth") pair provides a pipe-like abstraction
that can be used to create tunnels between network namespaces,
and can be used to create a bridge to a physical network device
in another namespace.

When a network namespace is freed
(i.e., when the last process in the namespace terminates),
its physical network devices are moved back to the
initial network namespace (not to the parent of the process).

Use of this flag requires: a kernel configured with the
.B CONFIG_NET_NS
option and that the process be privileged
.RB ( CAP_SYS_ADMIN ).
.TP
.BR CLONE_NEWNS " (since Linux 2.4.19)"
Start the child in a new mount namespace.

Every process lives in a mount namespace.
The
.I namespace
of a process is the data (the set of mounts) describing the file hierarchy
as seen by that process.
After a
.BR fork (2)
or
.BR clone ()
where the
.B CLONE_NEWNS
flag is not set, the child lives in the same mount
namespace as the parent.
The system calls
.BR mount (2)
and
.BR umount (2)
change the mount namespace of the calling process, and hence affect
all processes that live in the same namespace, but do not affect
processes in a different mount namespace.

After a
.BR clone ()
where the
.B CLONE_NEWNS
flag is set, the cloned child is started in a new mount namespace,
initialized with a copy of the namespace of the parent.

Only a privileged process (one having the \fBCAP_SYS_ADMIN\fP capability)
may specify the
.B CLONE_NEWNS
flag.
It is not permitted to specify both
.B CLONE_NEWNS
and
.B CLONE_FS
in the same
.BR clone ()
call.
.TP
.BR CLONE_NEWPID " (since Linux 2.6.24)"
.\" This explanation draws a lot of details from
.\" http://lwn.net/Articles/259217/
.\" Authors: Pavel Emelyanov <xemul@openvz.org>
.\" and Kir Kolyshkin <kir@openvz.org>
.\"
.\" The primary kernel commit is 30e49c263e36341b60b735cbef5ca37912549264
.\" Author: Pavel Emelyanov <xemul@openvz.org>
If
.B CLONE_NEWPID
is set, then create the process in a new PID namespace.
If this flag is not set, then (as with
.BR fork (2)),
the process is created in the same PID namespace as
the calling process.
This flag is intended for the implementation of containers.

A PID namespace provides an isolated environment for PIDs:
PIDs in a new namespace start at 1,
somewhat like a standalone system, and calls to
.BR fork (2),
.BR vfork (2),
or
.BR clone ()
will produce processes with PIDs that are unique within the namespace.

The first process created in a new namespace
(i.e., the process created using the
.BR CLONE_NEWPID
flag) has the PID 1, and is the "init" process for the namespace.
Children that are orphaned within the namespace will be reparented
to this process rather than
.BR init (8).
Unlike the traditional
.B init
process, the "init" process of a PID namespace can terminate,
and if it does, all of the processes in the namespace are terminated.

PID namespaces form a hierarchy.
Commit	Line	Data
fea681da MK	1	.\" Hey Emacs! This file is -- nroff -- source.
	2	.\"
	3	.\" Copyright (c) 1992 Drew Eckhardt <drew@cs.colorado.edu>, March 28, 1992
1130df60	4	.\" and Copyright (c) Michael Kerrisk, 2001, 2002, 2005
fea681da MK	5	.\" May be distributed under the GNU General Public License.
	6	.\" Modified by Michael Haardt <michael@moria.de>
	7	.\" Modified 24 Jul 1993 by Rik Faith <faith@cs.unc.edu>
	8	.\" Modified 21 Aug 1994 by Michael Chastain <mec@shell.portal.com>:
	9	.\" New man page (copied from 'fork.2').
	10	.\" Modified 10 June 1995 by Andries Brouwer <aeb@cwi.nl>
	11	.\" Modified 25 April 1998 by Xavier Leroy <Xavier.Leroy@inria.fr>
	12	.\" Modified 26 Jun 2001 by Michael Kerrisk
	13	.\" Mostly upgraded to 2.4.x
	14	.\" Added prototype for sys_clone() plus description
	15	.\" Added CLONE_THREAD with a brief description of thread groups
c13182ef	16	.\" Added CLONE_PARENT and revised entire page remove ambiguity
fea681da MK	17	.\" between "calling process" and "parent process"
	18	.\" Added CLONE_PTRACE and CLONE_VFORK
	19	.\" Added EPERM and EINVAL error codes
fd8a5be4	20	.\" Renamed "__clone" to "clone" (which is the prototype in <sched.h>)
fea681da	21	.\" various other minor tidy ups and clarifications.
c11b1abf	22	.\" Modified 26 Jun 2001 by Michael Kerrisk <mtk.manpages@gmail.com>
d9bfdb9c	23	.\" Updated notes for 2.4.7+ behavior of CLONE_THREAD
c11b1abf	24	.\" Modified 15 Oct 2002 by Michael Kerrisk <mtk.manpages@gmail.com>
fea681da MK	25	.\" Added description for CLONE_NEWNS, which was added in 2.4.19
	26	.\" Slightly rephrased, aeb.
	27	.\" Modified 1 Feb 2003 - added CLONE_SIGHAND restriction, aeb.
	28	.\" Modified 1 Jan 2004 - various updates, aeb
0967c11f	29	.\" Modified 2004-09-10 - added CLONE_PARENT_SETTID etc. - aeb.
d9bfdb9c	30	.\" 2005-04-12, mtk, noted the PID caching behavior of NPTL's getpid()
31830ef0	31	.\" wrapper under BUGS.
fd8a5be4 MK	32	.\" 2005-05-10, mtk, added CLONE_SYSVSEM, CLONE_UNTRACED, CLONE_STOPPED.
fd8a5be4 MK	33	.\" 2005-05-17, mtk, Substantially enhanced discussion of CLONE_THREAD.
4e836144	34	.\" 2008-11-18, mtk, order CLONE_* flags alphabetically
82ee147a	35	.\" 2008-11-18, mtk, document CLONE_NEWPID
43ce9dda	36	.\" 2008-11-19, mtk, document CLONE_NEWUTS
667417b3	37	.\" 2008-11-19, mtk, document CLONE_NEWIPC
cfdc761b	38	.\" 2008-11-19, Jens Axboe, mtk, document CLONE_IO
fea681da	39	.\"
185341d4 MK	40	.\" FIXME Document CLONE_NEWUSER, which is new in 2.6.23
185341d4 MK	41	.\" (also supported for unshare()?)
360ed6b3	42	.\"
a60450a9	43	.TH CLONE 2 2011-09-08 "Linux" "Linux Programmer's Manual"
fea681da	44	.SH NAME
9b0e0996	45	clone, __clone2 \- create a child process
fea681da	46	.SH SYNOPSIS
c10859eb	47	.nf
86b91fdf	48	.BR "#define _GNU_SOURCE" " /* See feature_test_macros(7) */"
cc4615cc MK	49	.\" Actually _BSD_SOURCE \|\| _SVID_SOURCE
cc4615cc MK	50	.\" See http://sources.redhat.com/bugzilla/show_bug.cgi?id=4749
fea681da	51	.B #include <sched.h>
c10859eb	52
ff929e3b MK	53	.BI "int clone(int (" "fn" ")(void ), void *" child_stack ,
ff929e3b MK	54	.BI " int " flags ", void *" "arg" ", ... "
d3dbc9b1	55	.BI " /* pid_t " ptid ", struct user_desc " tls \
ff929e3b	56	", pid_t " ctid " / );"
c10859eb	57	.fi
fea681da	58	.SH DESCRIPTION
edcc65ff MK	59	.BR clone ()
edcc65ff MK	60	creates a new process, in a manner similar to
fea681da	61	.BR fork (2).
735f354f	62	It is actually a library function layered on top of the underlying
e511ffb6	63	.BR clone ()
fea681da MK	64	system call, hereinafter referred to as
	65	.BR sys_clone .
	66	A description of
0daa9e92	67	.B sys_clone
5fab2e7c	68	is given toward the end of this page.
fea681da MK	69
	70	Unlike
	71	.BR fork (2),
c13182ef	72	these calls
fea681da MK	73	allow the child process to share parts of its execution context with
fea681da MK	74	the calling process, such as the memory space, the table of file
c13182ef MK	75	descriptors, and the table of signal handlers.
	76	(Note that on this manual
	77	page, "calling process" normally corresponds to "parent process".
	78	But see the description of
	79	.B CLONE_PARENT
fea681da MK	80	below.)
	81
	82	The main use of
edcc65ff	83	.BR clone ()
fea681da MK	84	is to implement threads: multiple threads of control in a program that
	85	run concurrently in a shared memory space.
	86
	87	When the child process is created with
c13182ef	88	.BR clone (),
fea681da MK	89	it executes the function
fea681da MK	90	application
c13182ef	91	.IR fn ( arg ).
fea681da	92	(This differs from
c13182ef	93	.BR fork (2),
fea681da	94	where execution continues in the child from the point
c13182ef MK	95	of the
c13182ef MK	96	.BR fork (2)
fea681da MK	97	call.)
	98	The
	99	.I fn
	100	argument is a pointer to a function that is called by the child
	101	process at the beginning of its execution.
	102	The
	103	.I arg
	104	argument is passed to the
	105	.I fn
	106	function.
	107
c13182ef	108	When the
fea681da	109	.IR fn ( arg )
c13182ef MK	110	function application returns, the child process terminates.
c13182ef MK	111	The integer returned by
fea681da	112	.I fn
c13182ef MK	113	is the exit code for the child process.
c13182ef MK	114	The child process may also terminate explicitly by calling
fea681da MK	115	.BR exit (2)
	116	or after receiving a fatal signal.
	117
	118	The
	119	.I child_stack
c13182ef MK	120	argument specifies the location of the stack used by the child process.
c13182ef MK	121	Since the child and calling process may share memory,
fea681da	122	it is not possible for the child process to execute in the
c13182ef MK	123	same stack as the calling process.
c13182ef MK	124	The calling process must therefore
fea681da MK	125	set up memory space for the child stack and pass a pointer to this
fea681da MK	126	space to
edcc65ff	127	.BR clone ().
5fab2e7c	128	Stacks grow downward on all processors that run Linux
fea681da MK	129	(except the HP PA processors), so
	130	.I child_stack
	131	usually points to the topmost address of the memory space set up for
	132	the child stack.
	133
	134	The low byte of
	135	.I flags
fd8a5be4 MK	136	contains the number of the
	137	.I "termination signal"
	138	sent to the parent when the child dies.
	139	If this signal is specified as anything other than
fea681da MK	140	.BR SIGCHLD ,
fea681da MK	141	then the parent process must specify the
c13182ef MK	142	.B __WALL
c13182ef MK	143	or
fea681da	144	.B __WCLONE
c13182ef MK	145	options when waiting for the child with
c13182ef MK	146	.BR wait (2).
fea681da MK	147	If no signal is specified, then the parent process is not signaled
	148	when the child terminates.
	149
	150	.I flags
fd8a5be4 MK	151	may also be bitwise-or'ed with zero or more of the following constants,
fd8a5be4 MK	152	in order to specify what is shared between the calling process
fea681da	153	and the child process:
fea681da	154	.TP
f5dbc7c8 MK	155	.BR CLONE_CHILD_CLEARTID " (since Linux 2.5.49)"
f5dbc7c8 MK	156	Erase child thread ID at location
d3dbc9b1	157	.I ctid
f5dbc7c8 MK	158	in child memory when the child exits, and do a wakeup on the futex
	159	at that address.
	160	The address involved may be changed by the
	161	.BR set_tid_address (2)
	162	system call.
	163	This is used by threading libraries.
	164	.TP
	165	.BR CLONE_CHILD_SETTID " (since Linux 2.5.49)"
	166	Store child thread ID at location
d3dbc9b1	167	.I ctid
f5dbc7c8 MK	168	in child memory.
	169	.TP
	170	.B CLONE_FILES
fea681da	171	If
f5dbc7c8 MK	172	.B CLONE_FILES
	173	is set, the calling process and the child process share the same file
	174	descriptor table.
	175	Any file descriptor created by the calling process or by the child
	176	process is also valid in the other process.
	177	Similarly, if one of the processes closes a file descriptor,
	178	or changes its associated flags (using the
	179	.BR fcntl (2)
	180	.B F_SETFD
	181	operation), the other process is also affected.
fea681da MK	182
fea681da MK	183	If
f5dbc7c8 MK	184	.B CLONE_FILES
	185	is not set, the child process inherits a copy of all file descriptors
	186	opened in the calling process at the time of
	187	.BR clone ().
	188	(The duplicated file descriptors in the child refer to the
	189	same open file descriptions (see
	190	.BR open (2))
	191	as the corresponding file descriptors in the calling process.)
	192	Subsequent operations that open or close file descriptors,
	193	or change file descriptor flags,
	194	performed by either the calling
	195	process or the child process do not affect the other process.
fea681da MK	196	.TP
	197	.B CLONE_FS
	198	If
	199	.B CLONE_FS
314c8ff4	200	is set, the caller and the child process share the same file system
c13182ef MK	201	information.
	202	This includes the root of the file system, the current
	203	working directory, and the umask.
	204	Any call to
fea681da MK	205	.BR chroot (2),
	206	.BR chdir (2),
	207	or
	208	.BR umask (2)
edcc65ff	209	performed by the calling process or the child process also affects the
fea681da MK	210	other process.
fea681da MK	211
c13182ef	212	If
fea681da MK	213	.B CLONE_FS
	214	is not set, the child process works on a copy of the file system
	215	information of the calling process at the time of the
edcc65ff	216	.BR clone ()
fea681da MK	217	call.
	218	Calls to
	219	.BR chroot (2),
	220	.BR chdir (2),
	221	.BR umask (2)
	222	performed later by one of the processes do not affect the other process.
fea681da	223	.TP
a4cc375e	224	.BR CLONE_IO " (since Linux 2.6.25)"
11f27a1c JA	225	If
	226	.B CLONE_IO
	227	is set, then the new process shares an I/O context with
	228	the calling process.
	229	If this flag is not set, then (as with
	230	.BR fork (2))
	231	the new process has its own I/O context.
	232
	233	.\" The following based on text from Jens Axboe
a113945f	234	The I/O context is the I/O scope of the disk scheduler (i.e,
11f27a1c JA	235	what the I/O scheduler uses to model scheduling of a process's I/O).
	236	If processes share the same I/O context,
	237	they are treated as one by the I/O scheduler.
	238	As a consequence, they get to share disk time.
	239	For some I/O schedulers,
	240	.\" the anticipatory and CFQ scheduler
	241	if two processes share an I/O context,
	242	they will be allowed to interleave their disk access.
	243	If several threads are doing I/O on behalf of the same process
	244	.RB ( aio_read (3),
	245	for instance), they should employ
	246	.BR CLONE_IO
	247	to get better I/O performance.
	248	.\" with CFQ and AS.
	249
	250	If the kernel is not configured with the
	251	.B CONFIG_BLOCK
	252	option, this flag is a no-op.
	253	.TP
8722311b	254	.BR CLONE_NEWIPC " (since Linux 2.6.19)"
667417b3 MK	255	If
	256	.B CLONE_NEWIPC
	257	is set, then create the process in a new IPC namespace.
	258	If this flag is not set, then (as with
	259	.BR fork (2)),
	260	the process is created in the same IPC namespace as
	261	the calling process.
0236bea9	262	This flag is intended for the implementation of containers.
667417b3 MK	263
	264	An IPC namespace consists of the set of identifiers for
	265	System V IPC objects.
	266	(These objects are created using
	267	.BR msgctl (2),
	268	.BR semctl (2),
	269	and
	270	.BR shmctl (2)).
c440fe01	271	Objects created in an IPC namespace are visible to all other processes
667417b3 MK	272	that are members of that namespace,
	273	but are not visible to processes in other IPC namespaces.
	274
83c1f4b5 MK	275	When an IPC namespace is destroyed
	276	(i.e, when the last process that is a member of the namespace terminates),
	277	all IPC objects in the namespace are automatically destroyed.
	278
667417b3 MK	279	Use of this flag requires: a kernel configured with the
	280	.B CONFIG_SYSVIPC
	281	and
	282	.B CONFIG_IPC_NS
c8e18bd1	283	options and that the process be privileged
667417b3 MK	284	.RB ( CAP_SYS_ADMIN ).
	285	This flag can't be specified in conjunction with
	286	.BR CLONE_SYSVSEM .
	287	.TP
163bf178	288	.BR CLONE_NEWNET " (since Linux 2.6.24)"
b9145b2c	289	.\" FIXME Check when the implementation was completed
9108d867 MK	290	(The implementation of this flag was only completed
9108d867 MK	291	by about kernel version 2.6.29.)
163bf178 MK	292
	293	If
	294	.B CLONE_NEWNET
	295	is set, then create the process in a new network namespace.
	296	If this flag is not set, then (as with
	297	.BR fork (2)),
	298	the process is created in the same network namespace as
	299	the calling process.
	300	This flag is intended for the implementation of containers.
	301
	302	A network namespace provides an isolated view of the networking stack
	303	(network device interfaces, IPv4 and IPv6 protocol stacks,
	304	IP routing tables, firewall rules, the
	305	.I /proc/net
	306	and
	307	.I /sys/class/net
	308	directory trees, sockets, etc.).
	309	A physical network device can live in exactly one
	310	network namespace.
	311	A virtual network device ("veth") pair provides a pipe-like abstraction
	312	that can be used to create tunnels between network namespaces,
	313	and can be used to create a bridge to a physical network device
	314	in another namespace.
	315
bf032425 SH	316	When a network namespace is freed
	317	(i.e., when the last process in the namespace terminates),
	318	its physical network devices are moved back to the
	319	initial network namespace (not to the parent of the process).
	320
163bf178 MK	321	Use of this flag requires: a kernel configured with the
	322	.B CONFIG_NET_NS
	323	option and that the process be privileged
cae2ec15	324	.RB ( CAP_SYS_ADMIN ).
163bf178	325	.TP
c10859eb	326	.BR CLONE_NEWNS " (since Linux 2.4.19)"
732e54dd	327	Start the child in a new mount namespace.
fea681da	328
732e54dd	329	Every process lives in a mount namespace.
c13182ef	330	The
fea681da MK	331	.I namespace
fea681da MK	332	of a process is the data (the set of mounts) describing the file hierarchy
c13182ef MK	333	as seen by that process.
c13182ef MK	334	After a
fea681da MK	335	.BR fork (2)
fea681da MK	336	or
2777b1ca	337	.BR clone ()
fea681da MK	338	where the
fea681da MK	339	.B CLONE_NEWNS
732e54dd	340	flag is not set, the child lives in the same mount
4df2eb09	341	namespace as the parent.
fea681da MK	342	The system calls
	343	.BR mount (2)
	344	and
	345	.BR umount (2)
732e54dd	346	change the mount namespace of the calling process, and hence affect
fea681da	347	all processes that live in the same namespace, but do not affect
732e54dd	348	processes in a different mount namespace.
fea681da MK	349
fea681da MK	350	After a
2777b1ca	351	.BR clone ()
fea681da MK	352	where the
fea681da MK	353	.B CLONE_NEWNS
732e54dd	354	flag is set, the cloned child is started in a new mount namespace,
fea681da MK	355	initialized with a copy of the namespace of the parent.
fea681da MK	356
0b9bdf82	357	Only a privileged process (one having the \fBCAP_SYS_ADMIN\fP capability)
fea681da MK	358	may specify the
	359	.B CLONE_NEWNS
	360	flag.
	361	It is not permitted to specify both
	362	.B CLONE_NEWNS
	363	and
	364	.B CLONE_FS
	365	in the same
e511ffb6	366	.BR clone ()
fea681da	367	call.
fea681da	368	.TP
82ee147a MK	369	.BR CLONE_NEWPID " (since Linux 2.6.24)"
	370	.\" This explanation draws a lot of details from
	371	.\" http://lwn.net/Articles/259217/
	372	.\" Authors: Pavel Emelyanov <xemul@openvz.org>
	373	.\" and Kir Kolyshkin <kir@openvz.org>
	374	.\"
	375	.\" The primary kernel commit is 30e49c263e36341b60b735cbef5ca37912549264
	376	.\" Author: Pavel Emelyanov <xemul@openvz.org>
	377	If
5c95e5e8	378	.B CLONE_NEWPID
82ee147a MK	379	is set, then create the process in a new PID namespace.
	380	If this flag is not set, then (as with
	381	.BR fork (2)),
	382	the process is created in the same PID namespace as
	383	the calling process.
0236bea9	384	This flag is intended for the implementation of containers.
82ee147a MK	385
	386	A PID namespace provides an isolated environment for PIDs:
	387	PIDs in a new namespace start at 1,
	388	somewhat like a standalone system, and calls to
	389	.BR fork (2),
	390	.BR vfork (2),
	391	or
27d47e71	392	.BR clone ()
5584229c	393	will produce processes with PIDs that are unique within the namespace.
82ee147a MK	394
	395	The first process created in a new namespace
	396	(i.e., the process created using the
	397	.BR CLONE_NEWPID
	398	flag) has the PID 1, and is the "init" process for the namespace.
	399	Children that are orphaned within the namespace will be reparented
	400	to this process rather than
	401	.BR init (8).
	402	Unlike the traditional
	403	.B init
	404	process, the "init" process of a PID namespace can terminate,
	405	and if it does, all of the processes in the namespace are terminated.
	406
	407	PID namespaces form a hierarchy.