Performs an os::clone after entering a set of namespaces for the specified target process.
This function provides two steps of functionality: (1) Enter a set of namespaces via two fork calls. (1) Perform a clone within that set of namespaces.
Step (1) of functionality is similar to the nsenter command line utility. Step (2) allows us to perform a clone that itself might create a nested set of namespaces, which enables us to have nested containers.
Double Fork:
In order to enter a PID namespace we need to do a double fork because doing a setns for a PID namespace only effects future children.
Moreover, attempting to setns before we do any forks and then have the parent setns back to the original namespaces does not work because entering a depriviledged user namespace will not let us reassociate back with the original namespace, even if we keep the file descriptor of the original namespace open.
Because we have to double fork we need to send back the actual PID of the final process that's executing the provided function f. We use domain sockets for this because in the event we've entered a PID namespace we need the kernel to translate the PID to the PID in our PID namespace.
- Parameters
-
| target | Target process whose namespaces we should enter. |
| nstypes | Namespaces we should enter. |
| f | Function to invoke after entering the namespaces and cloning. |
| flags | Flags to pass to clone. |
- Returns
pid_t of the child process.
