clone 命令

常用示例

说明

clone() is a Linux system call that creates a new process or thread with fine-grained control over what resources are shared between parent and child. It is the foundation for both thread creation (via pthread) and container isolation (via namespaces). Unlike fork(), which creates a complete copy of the parent process, clone() allows specifying exactly which resources to share (memory, file descriptors, signal handlers) or isolate (namespaces). This flexibility enables implementing threads (maximum sharing) and containers (maximum isolation). Namespace flags create isolated environments for system resources. Containers like Docker use clone() with namespace flags to provide process isolation. The unshare and nsenter commands provide user-space access to these capabilities. The low byte of the flags argument contains the signal number sent to the parent when the child exits.

参数

CLONE_NEWNS

Create new mount namespace.

CLONE_NEWUTS

Create new UTS namespace (hostname/domainname).

CLONE_NEWIPC

Create new IPC namespace.

CLONE_NEWPID

Create new PID namespace.

CLONE_NEWNET

Create new network namespace.

CLONE_NEWUSER

Create new user namespace.

CLONE_NEWCGROUP

Create new cgroup namespace.

CLONE_VM

Share virtual memory space (used for threads).

CLONE_FILES

Share file descriptor table.

CLONE_FS

Share filesystem information (root, cwd, umask).

CLONE_SIGHAND

Share signal handler table.

CLONE_THREAD

Place child in same thread group as caller.

CLONE_SYSVSEM

Share System V semaphore adjustment values.

CLONE_CHILD_SETTID

Store child thread ID at a location in child's memory.

CLONE_CHILD_CLEARTID

Clear child thread ID at a location in child's memory on exit.