Quoting Pavel Machek (pavel@xxxxxx):
> > Unlike clone(), clone_with_pids() needs CAP_SYS_ADMIN, at least for now, to
> > prevent unprivileged processes from misusing this interface.
> >
> > Call clone_with_pids as follows:
> >
> > pid_t pids[] = { 0, 77, 99 };
> > struct pid_set pid_set;
> >
> > pid_set.num_pids = sizeof(pids) / sizeof(int);
> > pid_set.pids = &pids;
> >
> > syscall(__NR_clone_with_pids, flags, stack, NULL, NULL, NULL, &pid_set);
> >
> > If a target-pid is 0, the kernel continues to assign a pid for the process in
> > that namespace. In the above example, pids[0] is 0, meaning the kernel will
> > assign next available pid to the process in init_pid_ns. But kernel will assign
> > pid 77 in the child pid namespace 1 and pid 99 in pid namespace 2. If either
> > 77 or 99 are taken, the system call fails with -EBUSY.
> >
> > If 'pid_set.num_pids' exceeds the current nesting level of pid namespaces,
> > the system call fails with -EINVAL.
>
> Does it make sense to set the pid in anything but innermost container?
Yup, we might be restarting an app using a nested pid namespace, in which
case restart would specify pids for 2 (or more) of the innermost containers.
thanks,
-serge
_______________________________________________
Containers mailing list
Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx
https://lists.linux-foundation.org/mailman/listinfo/containers
