LDP
/
man-pages
mirror of https://github.com/mkerrisk/man-pages
0
1
Fork 0
Code Releases Activity

pid_namespaces.7: Rewrite discussion of nested PID namespaces 

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
This commit is contained in:
Michael Kerrisk 2013-02-28 11:40:26 +01:00
parent 4085d4cde3
commit 546fb4eefe
1 changed files with 33 additions and 20 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

53
man7/pid_namespaces.7
View File

@ -111,35 +111,48 @@ and so will result in the usual actions associated with those signals
.\" ============================================================ .\" ============================================================
.\" .\"
.SS Nesting PID namespaces .SS Nesting PID namespaces
PID namespaces can be nested. PID namespaces can be nested:
When a new PID namespace is created, each PID namespace has a parent,
the processes in that namespace are visible except for the initial ("root") PID namespace.
in the PID namespace of the process that created the new namespace; The parent of a PID namespace is the PID namespace of the process that
analogously, if the parent PID namespace is itself created the namespace using
the child of another PID namespace, .BR clone (2)
then processes in the child and parent PID namespaces will both be or
visible in the grandparent PID namespace. .BR unshare (2).
Conversely, the processes in the "child" PID namespace do not see PID namespaces thus form a tree,
the processes in the parent namespace. with all namespaces ultimately tracing their ancestry to the root namespace.
More succinctly: a process can see (e.g., send signals with
.BR kill(2))
only processes contained in its own PID namespace
and the namespaces nested below that PID namespace.
A process will have one PID for each of the layers of the hierarchy A process is visible to other processes in its PID namespace,
starting from the PID namespace in which it is visible, and to the processes in each direct ancestor PID namespace
starting from the namespace in which it resides going back to the root PID namespace.
In this context, "visible" means that one process
can be the target of operations by another process using
system calls that specify a process ID.
Conversely, the processes in a child PID namespace can't see
processes in the parent and further removed ancestor namespace.
More succinctly: a process can see (e.g., send signals with
.BR kill(2),
set nice values with
.BR setpriority (2),
etc.) only processes contained in its own PID namespace
and in descendants of that namespace.
A process has one process ID in each of the layers of the PID
namespace hierarchy in which is visible,
and walking back though each direct ancestor namespace
through to the root PID namespace. through to the root PID namespace.
System calls that operate on process IDs always
operate using the process ID that is visible in the
PID namespace of the caller.
A call to A call to
.BR getpid (2) .BR getpid (2)
always returns the PID associated with the namespace in which always returns the PID associated with the namespace in which
the process resides. the process was created.
Some processes in a PID namespace may have parents Some processes in a PID namespace may have parents
that are outside of the namespace. that are outside of the namespace.
For example, the parent of the initial process in the namespace For example, the parent of the initial process in the namespace
(i.e., (i.e., the
the
.BR init (1) .BR init (1)
process with PID 1) is necessarily in another namespace. process with PID 1) is necessarily in another namespace.
Likewise, the direct children of a process that uses Likewise, the direct children of a process that uses