.\" %%%LICENSE_END
.\"
.\"
-.TH NAMESPACES 7 2017-09-15 "Linux" "Linux Programmer's Manual"
+.TH NAMESPACES 7 2019-03-06 "Linux" "Linux Programmer's Manual"
.SH NAME
namespaces \- overview of Linux namespaces
.SH DESCRIPTION
and the calling process is made a member of those namespaces.
(This system call also implements a number of features
unrelated to namespaces.)
+.TP
+.BR ioctl (2)
+Various
+.BR ioctl (2)
+operations can be used to discover information about namespaces.
+These operations are described in
+.BR ioctl_ns (2).
.PP
Creation of new namespaces using
.BR clone (2)
.BR unshare (2)
in most cases requires the
.BR CAP_SYS_ADMIN
-capability.
+capability, since, in the new namespace,
+the creator will have the power to change global resources
+that are visible to other processes that are subsequently created in,
+or join the namespace.
User namespaces are the exception: since Linux 3.8,
no privilege is required to create a user namespace.
.\"
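Review bot: In the added rationale, "that are subsequently created in, or join the namespace" is unbalanced: the comma after "created in" opens an aside that is never closed, so "the namespace" attaches only to "join". Suggest "that are subsequently created in, or that subsequently join, the namespace".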
Since Linux 3.8,
.\" commit bf056bfa80596a5d14b26b17276a56a0dcb080e5
they appear as symbolic links.
-If two processes are in the same namespace, then the inode numbers of their
+If two processes are in the same namespace,
+then the device IDs and inode numbers of their
.IR /proc/[pid]/ns/xxx
symbolic links will be the same; an application can check this using the
+.I stat.st_dev
+and
.I stat.st_ino
-field returned by
+fields returned by
.BR stat (2).
The content of this symbolic link is a string containing
the namespace type and inode number as in the following example:
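Review bot: The changed sentence now requires stat.st_dev to match as well as stat.st_ino but gives no reason, so a reader whose existing code compares only st_ino cannot tell whether that check is still sufficient. Suggest stating explicitly that both fields must be compared. The unchanged sentence that follows still describes the link content as "the namespace type and inode number"; please confirm that is intended, since the device ID does not appear there.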
.BR pid_namespaces (7)),
so the file may differ from
.IR /proc/[pid]/ns/pid .
+The symbolic link gains a value only after the first child process
+is created in the namespace.
+(Beforehand,
+.BR readlink (2)
+of the symbolic link will return an empty buffer.)
.TP
.IR /proc/[pid]/ns/user " (since Linux 3.8)"
.\" commit cde1975bc242f3e1072bde623ef378e547b73f91
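Review bot: "will return an empty buffer" in the added parenthetical does not say what readlink(2) itself returns in this state (a zero length, or an error with errno set), and the return value is what a caller tests. Suggest spelling out the return value so that code reading pid_for_children can distinguish "no child created yet" from a real failure.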
.TP
.IR max_uts_namespaces
The value in this file defines a per-user limit on the number of
-user namespaces that may be created in the user namespace.
+uts namespaces that may be created in the user namespace.
.PP
Note the following details about these files:
.IP * 3
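Review bot: The replacement line writes "uts namespaces" in lower case, while the page elsewhere writes "UTS namespaces" (for example "Use of UTS namespaces requires a kernel that is configured with..."). Suggest "UTS namespaces" here; the correction from "user" to UTS itself matches the file name max_uts_namespaces.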
cannot be used as a means to escape the limits in force
in the current user namespace.
.RE
-.PP
.\"
.\" ==================== Cgroup namespaces ====================
.\"
Use of UTS namespaces requires a kernel that is configured with the
.B CONFIG_UTS_NS
option.
+.\"
+.SS Namespace lifetime
+Absent any other factors,
+a namespace is automatically torn down when the last process in
+the namespace terminates or leaves the namespace.
+However, there are a number of other factors that may pin
+a namespace into existence even though it has no member processes.
+These factors include the following:
+.IP * 3
+An open file descriptor or a bind mount exists for the corresponding
+.IR /proc/[pid]/ns/*
+file.
+.IP *
+The namespace is hierarchical (i.e., a PID or user namespace),
+and has a child namespace.
+.IP *
+It is a user namespace that owns one or more nonuser namespaces.
+.IP *
+It is a PID namespace,
+and there is a process that refers to the namespace via a
+.IR /proc/[pid]/ns/pid_for_children
+symbolic link.
+.IP *
+It is an IPC namespace, and a corresponding mount of an
+.I mqueue
+filesystem (see
+.BR mq_overview (7))
+refers to this namespace.
+.IP *
+It is a PID namespace, and a corresponding mount of a
+.BR proc (5)
+filesystem refers to this namespace.
.SH EXAMPLE
See
.BR clone (2)
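Review bot: In the new "Namespace lifetime" list, the two PID-namespace items (the pid_for_children link and the proc(5) mount) are separated by the IPC mqueue item; placing them next to each other, with the two mount-based items adjacent, would make the list easier to scan. "These factors include the following" also leaves open whether the list is complete; if it is meant to be exhaustive, say so, since readers will use it to work out why a namespace with no member processes still exists.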
.BR pid_namespaces (7),
.BR user_namespaces (7),
.BR lsns (8),
+.BR pam_namespace (8),
.BR switch_root (8)