Re: [PATCH 2/2] unshare: allow persisting namespaces


 



Karel Zak <kzak@xxxxxxxxxx> writes:

> On Tue, Jan 06, 2015 at 11:11:49AM -0600, Eric W. Biederman wrote:
>> No.  An empty pid namespace is valid.   An empty pid namespace is one
>> in which an init process has not entered the pid namespace, or one in
>
> but if I create a PID namespace (unshare/clone) then I'm the init
> process.... how can I create an empty PID namespace (from userspace)?

Unshare creates an empty PID namespace.  Your first child when you fork
becomes the init process.  You cannot change your current pid namespace,
only the pid namespace for your children.

>> which the init process has exited (and thus no more processes are
>> allowed).
>
> yes, this makes sense
>
>> So an empty pid namespace is a little weird but valid.
>> 
>> The implementation details of the patch completely baffle me.  I can't
>> see a reason for things being implemented with clone for example.
>
> Yes, this part of the patch is strange, but I like the basic idea
> of the patch -- so make it possible to create an empty namespace and 
> then later enter by nsenter.

The idea of making a new namespace and making it possible to enter it
later with nsenter seems reasonable. 

But really that should be just a matter of adding the C equivalent of
"mount --bind /proc/self/ns/$TYPE $FILENAME" which should be a very
trivial addition to unshare.

Eric


