Name

clone, __clone2 — create a child process

Synopsis

#define _GNU_SOURCE
#include <sched.h>
int clone( int (*fn)(void *),
  void *child_stack,
  int flags,
  void *arg,
  ... /* pid_t *ptid, struct user_desc *tls, pid_t *ctid */);
 

DESCRIPTION

clone() creates a new process, in a manner similar to fork(2). It is actually a library function layered on top of the underlying clone() system call, hereinafter referred to as sys_clone. A description of sys_clone is given towards the end of this page.

Unlike fork(2), these calls allow the child process to share parts of its execution context with the calling process, such as the memory space, the table of file descriptors, and the table of signal handlers. (Note that on this manual page, "calling process" normally corresponds to "parent process". But see the description of CLONE_PARENT below.)

The main use of clone() is to implement threads: multiple threads of control in a program that run concurrently in a shared memory space.

When the child process is created with clone(), it executes the function application fn(arg). (This differs from fork(2), where execution continues in the child from the point of the fork(2) call.) The fn argument is a pointer to a function that is called by the child process at the beginning of its execution. The arg argument is passed to the fn function.

When the fn(arg) function application returns, the child process terminates. The integer returned by fn is the exit code for the child process. The child process may also terminate explicitly by calling exit(2) or after receiving a fatal signal.

The child_stack argument specifies the location of the stack used by the child process. Since the child and calling process may share memory, it is not possible for the child process to execute in the same stack as the calling process. The calling process must therefore set up memory space for the child stack and pass a pointer to this space to clone(). Stacks grow downwards on all processors that run Linux (except the HP PA processors), so child_stack usually points to the topmost address of the memory space set up for the child stack.

The low byte of flags contains the number of the termination signal sent to the parent when the child dies. If this signal is specified as anything other than SIGCHLD, then the parent process must specify the __WALL or __WCLONE options when waiting for the child with wait(2). If no signal is specified, then the parent process is not signaled when the child terminates.

flags may also be bitwise-or'ed with zero or more of the following constants, in order to specify what is shared between the calling process and the child process:

CLONE_CHILD_CLEARTID (since Linux 2.5.49)

Erase child thread ID at location ctid in child memory when the child exits, and do a wakeup on the futex at that address. The address involved may be changed by the set_tid_address(2) system call. This is used by threading libraries.

CLONE_CHILD_SETTID (since Linux 2.5.49)

Store child thread ID at location ctid in child memory.

CLONE_FILES

If CLONE_FILES is set, the calling process and the child process share the same file descriptor table. Any file descriptor created by the calling process or by the child process is also valid in the other process. Similarly, if one of the processes closes a file descriptor, or changes its associated flags (using the fcntl(2) F_SETFD operation), the other process is also affected.

If CLONE_FILES is not set, the child process inherits a copy of all file descriptors opened in the calling process at the time of clone(). (The duplicated file descriptors in the child refer to the same open file descriptions (see open(2)) as the corresponding file descriptors in the calling process.) Subsequent operations that open or close file descriptors, or change file descriptor flags, performed by either the calling process or the child process do not affect the other process.

CLONE_FS

If CLONE_FS is set, the caller and the child process share the same file system information. This includes the root of the file system, the current working directory, and the umask. Any call to chroot(2), chdir(2), or umask(2) performed by the calling process or the child process also affects the other process.

If CLONE_FS is not set, the child process works on a copy of the file system information of the calling process at the time of the clone() call. Calls to chroot(2), chdir(2), umask(2) performed later by one of the processes do not affect the other process.

CLONE_IO (since Linux 2.6.25)

If CLONE_IO is set, then the new process shares an I/O context with the calling process. If this flag is not set, then (as with fork(2)) the new process has its own I/O context.

The I/O context is the I/O scope of the disk scheduler (i.e, what the I/O scheduler uses to model scheduling of a process's I/O). If processes share the same I/O context, they are treated as one by the I/O scheduler. As a consequence, they get to share disk time. For some I/O schedulers, if two processes share an I/O context, they will be allowed to interleave their disk access. If several threads are doing I/O on behalf of the same process (aio_read(3), for instance), they should employ CLONE_IO to get better I/O performance.

If the kernel is not configured with the CONFIG_BLOCK option, this flag is a no-op.

CLONE_NEWIPC (since Linux 2.6.19)

If CLONE_NEWIPC is set, then create the process in a new IPC namespace. If this flag is not set, then (as with fork(2)), the process is created in the same IPC namespace as the calling process. This flag is intended for the implementation of containers.

An IPC namespace consists of the set of identifiers for System V IPC objects. (These objects are created using msgctl(2), semctl(2), and shmctl(2)). Objects created in an IPC namespace are visible to all other processes that are members of that namespace, but are not visible to processes in other IPC namespaces.

When an IPC namespace is destroyed (i.e, when the last process that is a member of the namespace terminates), all IPC objects in the namespace are automatically destroyed.

Use of this flag requires: a kernel configured with the CONFIG_SYSVIPC and CONFIG_IPC_NS options and that the process be privileged (CAP_SYS_ADMIN). This flag can't be specified in conjunction with CLONE_SYSVSEM.

CLONE_NEWNET (since Linux 2.6.24)

(The implementation of this flag is not yet complete, but probably will be mostly complete by about Linux 2.6.28.)

If CLONE_NEWNET is set, then create the process in a new network namespace. If this flag is not set, then (as with fork(2)), the process is created in the same network namespace as the calling process. This flag is intended for the implementation of containers.

A network namespace provides an isolated view of the networking stack (network device interfaces, IPv4 and IPv6 protocol stacks, IP routing tables, firewall rules, the /proc/net and /sys/class/net directory trees, sockets, etc.). A physical network device can live in exactly one network namespace. A virtual network device ("veth") pair provides a pipe-like abstraction that can be used to create tunnels between network namespaces, and can be used to create a bridge to a physical network device in another namespace.

When a network namespace is freed (i.e., when the last process in the namespace terminates), its physical network devices are moved back to the initial network namespace (not to the parent of the process).

Use of this flag requires: a kernel configured with the CONFIG_NET_NS option and that the process be privileged (CAP_SYS_ADMIN).

CLONE_NEWNS (since Linux 2.4.19)

Start the child in a new mount namespace.

Every process lives in a mount namespace. The namespace of a process is the data (the set of mounts) describing the file hierarchy as seen by that process. After a fork(2) or clone() where the CLONE_NEWNS flag is not set, the child lives in the same mount namespace as the parent. The system calls mount(2) and umount(2) change the mount namespace of the calling process, and hence affect all processes that live in the same namespace, but do not affect processes in a different mount namespace.

After a clone() where the CLONE_NEWNS flag is set, the cloned child is started in a new mount namespace, initialized with a copy of the namespace of the parent.

Only a privileged process (one having the CAP_SYS_ADMIN capability) may specify the CLONE_NEWNS flag. It is not permitted to specify both CLONE_NEWNS and CLONE_FS in the same clone() call.

CLONE_NEWPID (since Linux 2.6.24)

If CLONE_NEWPID is set, then create the process in a new PID namespace. If this flag is not set, then (as with fork(2)), the process is created in the same PID namespace as the calling process. This flag is intended for the implementation of containers.

A PID namespace provides an isolated environment for PIDs: PIDs in a new namespace start at 1, somewhat like a standalone system, and calls to fork(2), vfork(2), or clone(2) will produce processes with PIDs that are unique within the namespace.

The first process created in a new namespace (i.e., the process created using the CLONE_NEWPID flag) has the PID 1, and is the "init" process for the namespace. Children that are orphaned within the namespace will be reparented to this process rather than init(8). Unlike the traditional init process, the "init" process of a PID namespace can terminate, and if it does, all of the processes in the namespace are terminated.

PID namespaces form a hierarchy. When a new PID namespace is created, the processes in that namespace are visible in the PID namespace of the process that created the new namespace; analogously, if the parent PID namespace is itself the child of another PID namespace, then processes in the child and parent PID namespaces will both be visible in the grandparent PID namespace. Conversely, the processes in the "child" PID namespace do not see the processes in the parent namespace. The existence of a namespace hierarchy means that each process may now have multiple PIDs: one for each namespace in which it is visible; each of these PIDs is unique within the corresponding namespace. (A call to getpid(2) always returns the PID associated with the namespace in which the process lives.)

After creating the new namespace, it is useful for the child to change its root directory and mount a new procfs instance at /proc so that tools such as ps(1) work correctly. (If CLONE_NEWNS is also included in flags, then it isn't necessary to change the root directory: a new procfs instance can be mounted directly over /proc.)

Use of this flag requires: a kernel configured with the CONFIG_PID_NS option and that the process be privileged (CAP_SYS_ADMIN). This flag can't be specified in conjunction with CLONE_THREAD.

CLONE_NEWUTS (since Linux 2.6.19)

If CLONE_NEWUTS is set, then create the process in a new UTS namespace, whose identifiers are initialized by duplicating the identifiers from the UTS namespace of the calling process. If this flag is not set, then (as with fork(2)), the process is created in the same UTS namespace as the calling process. This flag is intended for the implementation of containers.

A UTS namespace is the set of identifiers returned by uname(2); among these, the domain name and the host name can be modified by setdomainname(2) and sethostname(2), respectively. Changes made to the identifiers in a UTS namespace are visible to all other processes in the same namespace, but are not visible to processes in other UTS namespaces.

Use of this flag requires: a kernel configured with the CONFIG_UTS_NS option and that the process be privileged (CAP_SYS_ADMIN).

CLONE_PARENT (since Linux 2.3.12)

If CLONE_PARENT is set, then the parent of the new child (as returned by getppid(2)) will be the same as that of the calling process.

If CLONE_PARENT is not set, then (as with fork(2)) the child's parent is the calling process.

Note that it is the parent process, as returned by getppid(2), which is signaled when the child terminates, so that if CLONE_PARENT is set, then the parent of the calling process, rather than the calling process itself, will be signaled.

CLONE_PARENT_SETTID (since Linux 2.5.49)

Store child thread ID at location ptid in parent and child memory. (In Linux 2.5.32-2.5.48 there was a flag CLONE_SETTID that did this.)

CLONE_PID (obsolete)

If CLONE_PID is set, the child process is created with the same process ID as the calling process. This is good for hacking the system, but otherwise of not much use. Since 2.3.21 this flag can be specified only by the system boot process (PID 0). It disappeared in Linux 2.5.16.

CLONE_PTRACE

If CLONE_PTRACE is specified, and the calling process is being traced, then trace the child also (see ptrace(2)).

CLONE_SETTLS (since Linux 2.5.32)

The newtls argument is the new TLS (Thread Local Storage) descriptor. (See set_thread_area(2).)

CLONE_SIGHAND

If CLONE_SIGHAND is set, the calling process and the child process share the same table of signal handlers. If the calling process or child process calls sigaction(2) to change the behavior associated with a signal, the behavior is changed in the other process as well. However, the calling process and child processes still have distinct signal masks and sets of pending signals. So, one of them may block or unblock some signals using sigprocmask(2) without affecting the other process.

If CLONE_SIGHAND is not set, the child process inherits a copy of the signal handlers of the calling process at the time clone() is called. Calls to sigaction(2) performed later by one of the processes have no effect on the other process.

Since Linux 2.6.0-test6, flags must also include CLONE_VM if CLONE_SIGHAND is specified

CLONE_STOPPED (since Linux 2.6.0-test2)

If CLONE_STOPPED is set, then the child is initially stopped (as though it was sent a SIGSTOP signal), and must be resumed by sending it a SIGCONT signal.

From Linux 2.6.25 this flag is deprecated. You probably never wanted to use it, you certainly shouldn't be using it, and soon it will go away.

CLONE_SYSVSEM (since Linux 2.5.10)

If CLONE_SYSVSEM is set, then the child and the calling process share a single list of System V semaphore undo values (see semop(2)). If this flag is not set, then the child has a separate undo list, which is initially empty.

CLONE_THREAD (since Linux 2.4.0-test8)

If CLONE_THREAD is set, the child is placed in the same thread group as the calling process. To make the remainder of the discussion of CLONE_THREAD more readable, the term "thread" is used to refer to the processes within a thread group.

Thread groups were a feature added in Linux 2.4 to support the POSIX threads notion of a set of threads that share a single PID. Internally, this shared PID is the so-called thread group identifier (TGID) for the thread group. Since Linux 2.4, calls to getpid(2) return the TGID of the caller.

The threads within a group can be distinguished by their (system-wide) unique thread IDs (TID). A new thread's TID is available as the function result returned to the caller of clone(), and a thread can obtain its own TID using gettid(2).

When a call is made to clone() without specifying CLONE_THREAD, then the resulting thread is placed in a new thread group whose TGID is the same as the thread's TID. This thread is the leader of the new thread group.

A new thread created with CLONE_THREAD has the same parent process as the caller of clone() (i.e., like CLONE_PARENT), so that calls to getppid(2) return the same value for all of the threads in a thread group. When a CLONE_THREAD thread terminates, the thread that created it using clone() is not sent a SIGCHLD (or other termination) signal; nor can the status of such a thread be obtained using wait(2). (The thread is said to be detached.)

After all of the threads in a thread group terminate the parent process of the thread group is sent a SIGCHLD (or other termination) signal.

If any of the threads in a thread group performs an execve(2), then all threads other than the thread group leader are terminated, and the new program is executed in the thread group leader.

If one of the threads in a thread group creates a child using fork(2), then any thread in the group can wait(2) for that child.

Since Linux 2.5.35, flags must also include CLONE_SIGHAND if CLONE_THREAD is specified.

Signals may be sent to a thread group as a whole (i.e., a TGID) using kill(2), or to a specific thread (i.e., TID) using tgkill(2).

Signal dispositions and actions are process-wide: if an unhandled signal is delivered to a thread, then it will affect (terminate, stop, continue, be ignored in) all members of the thread group.

Each thread has its own signal mask, as set by sigprocmask(2), but signals can be pending either: for the whole process (i.e., deliverable to any member of the thread group), when sent with kill(2); or for an individual thread, when sent with tgkill(2). A call to sigpending(2) returns a signal set that is the union of the signals pending for the whole process and the signals that are pending for the calling thread.

If kill(2) is used to send a signal to a thread group, and the thread group has installed a handler for the signal, then the handler will be invoked in exactly one, arbitrarily selected member of the thread group that has not blocked the signal. If multiple threads in a group are waiting to accept the same signal using sigwaitinfo(2), the kernel will arbitrarily select one of these threads to receive a signal sent using kill(2).

CLONE_UNTRACED (since Linux 2.5.46)

If CLONE_UNTRACED is specified, then a tracing process cannot force CLONE_PTRACE on this child process.

CLONE_VFORK

If CLONE_VFORK is set, the execution of the calling process is suspended until the child releases its virtual memory resources via a call to execve(2) or _exit(2) (as with vfork(2)).

If CLONE_VFORK is not set then both the calling process and the child are schedulable after the call, and an application should not rely on execution occurring in any particular order.

CLONE_VM

If CLONE_VM is set, the calling process and the child process run in the same memory space. In particular, memory writes performed by the calling process or by the child process are also visible in the other process. Moreover, any memory mapping or unmapping performed with mmap(2) or munmap(2) by the child or calling process also affects the other process.

If CLONE_VM is not set, the child process runs in a separate copy of the memory space of the calling process at the time of clone(). Memory writes or file mappings/unmappings performed by one of the processes do not affect the other, as with fork(2).

sys_clone

The sys_clone system call corresponds more closely to fork(2) in that execution in the child continues from the point of the call. Thus, sys_clone only requires the flags and child_stack arguments, which have the same meaning as for clone(). (Note that the order of these arguments differs from clone().)

Another difference for sys_clone is that the child_stack argument may be zero, in which case copy-on-write semantics ensure that the child gets separate copies of stack pages when either process modifies the stack. In this case, for correct operation, the CLONE_VM option should not be specified.

In Linux 2.4 and earlier, clone() does not take arguments ptid, tls, and ctid.

RETURN VALUE

On success, the thread ID of the child process is returned in the caller's thread of execution. On failure, −1 is returned in the caller's context, no child process will be created, and errno will be set appropriately.

ERRORS

EAGAIN

Too many processes are already running.

EINVAL

CLONE_SIGHAND was specified, but CLONE_VM was not. (Since Linux 2.6.0-test6.)

EINVAL

CLONE_THREAD was specified, but CLONE_SIGHAND was not. (Since Linux 2.5.35.)

EINVAL

Both CLONE_FS and CLONE_NEWNS were specified in flags.

EINVAL

Both CLONE_NEWIPC and CLONE_SYSVSEM were specified in flags.

EINVAL

Both CLONE_NEWPID and CLONE_THREAD were specified in flags.

EINVAL

Returned by clone() when a zero value is specified for child_stack.

EINVAL

CLONE_NEWIPC was specified in flags, but the kernel was not configured with the CONFIG_SYSVIPC and CONFIG_IPC_NS options.

EINVAL

CLONE_NEWNET was specified in flags, but the kernel was not configured with the CONFIG_NET_NS option.

EINVAL

CLONE_NEWPID was specified in flags, but the kernel was not configured with the CONFIG_PID_NS option.

EINVAL

CLONE_NEWUTS was specified in flags, but the kernel was not configured with the CONFIG_UTS option.

ENOMEM

Cannot allocate sufficient memory to allocate a task structure for the child, or to copy those parts of the caller's context that need to be copied.

EPERM

CLONE_NEWIPC, CLONE_NEWNET, CLONE_NEWNS, CLONE_NEWPID, or CLONE_NEWUTS was specified by an unprivileged process (process without CAP_SYS_ADMIN).

EPERM

CLONE_PID was specified by a process other than process 0.

VERSIONS

There is no entry for clone() in libc5. glibc2 provides clone() as described in this manual page.

CONFORMING TO

The clone() and sys_clone calls are Linux-specific and should not be used in programs intended to be portable.

NOTES

In the kernel 2.4.x series, CLONE_THREAD generally does not make the parent of the new thread the same as the parent of the calling process. However, for kernel versions 2.4.7 to 2.4.18 the CLONE_THREAD flag implied the CLONE_PARENT flag (as in kernel 2.6).

For a while there was CLONE_DETACHED (introduced in 2.5.32): parent wants no child-exit signal. In 2.6.2 the need to give this together with CLONE_THREAD disappeared. This flag is still defined, but has no effect.

On i386, clone() should not be called through vsyscall, but directly through int $0x80.

On ia64, a different system call is used:

int __clone2( int (*fn)(void *),
  void *child_stack_base,
  size_t stack_size,
  int flags,
  void *arg,
  ... /* pid_t *ptid, struct user_desc *tls, pid_t *ctid */);
 

The __clone2() system call operates in the same way as clone(), except that child_stack_base points to the lowest address of the child's stack area, and stack_size specifies the size of the stack pointed to by child_stack_base.

BUGS

Versions of the GNU C library that include the NPTL threading library contain a wrapper function for getpid(2) that performs caching of PIDs. This caching relies on support in the glibc wrapper for clone(), but as currently implemented, the cache may not be up to date in some circumstances. In particular, if a signal is delivered to the child immediately after the clone() call, then a call to getpid() in a handler for the signal may return the PID of the calling process ("the parent"), if the clone wrapper has not yet had a chance to update the PID cache in the child. (This discussion ignores the case where the child was created using CLONE_THREAD, when getpid() should return the same value in the child and in the process that called clone(), since the caller and the child are in the same thread group. The stale-cache problem also does not occur if the flags argument includes CLONE_VM.) To get the truth, it may be necessary to use code such as the following:

    #include <syscall.h>

    pid_t mypid;

    mypid = syscall(SYS_getpid);

SEE ALSO

fork(2), futex(2), getpid(2), gettid(2), set_thread_area(2), set_tid_address(2), tkill(2), unshare(2), wait(2), capabilities(7), pthreads(7)

COLOPHON

This page is part of release 3.24 of the Linux man-pages project. A description of the project, and information about reporting bugs, can be found at http://www.kernel.org/doc/man-pages/.


Copyright (c) 1992 Drew Eckhardt <drewcs.colorado.edu>, March 28, 1992
and Copyright (c) Michael Kerrisk, 2001, 2002, 2005
May be distributed under the GNU General Public License.
Modified by Michael Haardt <michaelmoria.de>
Modified 24 Jul 1993 by Rik Faith <faithcs.unc.edu>
Modified 21 Aug 1994 by Michael Chastain <mecshell.portal.com>:
  New man page (copied from 'fork.2').
Modified 10 June 1995 by Andries Brouwer <aebcwi.nl>
Modified 25 April 1998 by Xavier Leroy <Xavier.Leroyinria.fr>
Modified 26 Jun 2001 by Michael Kerrisk
    Mostly upgraded to 2.4.x
    Added prototype for sys_clone() plus description
Added CLONE_THREAD with a brief description of thread groups
Added CLONE_PARENT and revised entire page remove ambiguity
between "calling process" and "parent process"
Added CLONE_PTRACE and CLONE_VFORK
Added EPERM and EINVAL error codes
Renamed "__clone" to "clone" (which is the prototype in <sched.h>)
various other minor tidy ups and clarifications.
Modified 26 Jun 2001 by Michael Kerrisk <mtk.manpagesgmail.com>
Updated notes for 2.4.7+ behavior of CLONE_THREAD
Modified 15 Oct 2002 by Michael Kerrisk <mtk.manpagesgmail.com>
Added description for CLONE_NEWNS, which was added in 2.4.19
Slightly rephrased, aeb.
Modified 1 Feb 2003 - added CLONE_SIGHAND restriction, aeb.
Modified 1 Jan 2004 - various updates, aeb
Modified 2004-09-10 - added CLONE_PARENT_SETTID etc. - aeb.
2005-04-12, mtk, noted the PID caching behavior of NPTL's getpid()
wrapper under BUGS.
2005-05-10, mtk, added CLONE_SYSVSEM, CLONE_UNTRACED, CLONE_STOPPED.
2005-05-17, mtk, Substantially enhanced discussion of CLONE_THREAD.
2008-11-18, mtk, order CLONE_* flags  alphabetically
2008-11-18, mtk, document CLONE_NEWPID
2008-11-19, mtk, document CLONE_NEWUTS
2008-11-19, mtk, document CLONE_NEWIPC
2008-11-19, Jens Axboe, mtk, document CLONE_IO

FIXME Document CLONE_NEWUSER, which is new in 2.6.23
      (also supported for unshare()?)
FIXME . 2.6.25 marks the unused CLONE_STOPPED as obsolete, and it will
      probably be removed in the future.