- clone a process isolated in its own namespace???
- what does fork mean
- MS_NOEXEC: no program located on this mount is allowed to be executed
- MS_NOSUID: set-user-ID and set-group-ID bits are not honoured on this mount
- MS_NODEV: device nodes on this mount are not usable
- this is a default parameter set for Linux
- what is the point? this is like running the command inside the system?
- the first process inside the container, which has PID = 1, is the init process
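A runnable sketch of the notes above, added here and not part of the original notes: clone a child into new user, PID and mount namespaces so it becomes PID 1, mount a tmpfs with MS_NOEXEC|MS_NOSUID|MS_NODEV, then exec the command. It assumes Linux with unprivileged user namespaces enabled and an existing /tmp/sandbox directory (both are assumptions of this example).

```c
// Added example, not from the original notes: a minimal namespace sandbox launcher.
#define _GNU_SOURCE
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/mount.h>
#include <sys/wait.h>
#include <unistd.h>

#define STACK_SIZE (1024 * 1024)
#define SANDBOX_DIR "/tmp/sandbox"   /* assumed to exist */

/* The three flags from the notes, combined: data can be stored but not run,
 * setuid bits are ignored and device nodes are inert on this mount. */
unsigned long hardened_mount_flags(void) {
    return MS_NOEXEC | MS_NOSUID | MS_NODEV;
}

/* 1 if every hardening flag is set in `flags`, else 0 (extra flags allowed). */
int mount_is_hardened(unsigned long flags) {
    return (flags & hardened_mount_flags()) == hardened_mount_flags();
}

/* Runs inside the new namespaces: here getpid() returns 1, the "init". */
static int child(void *arg) {
    char **argv = arg;
    printf("child pid in new PID namespace: %d\n", (int)getpid());
    /* Private tmpfs in the new mount namespace; the parent never sees it. */
    if (mount("none", SANDBOX_DIR, "tmpfs", hardened_mount_flags(), "size=16m") < 0) {
        perror("mount");
        return 1;
    }
    execvp(argv[0], argv);
    perror("execvp");
    return 1;
}

int main(int argc, char **argv) {
    if (argc < 2) { fprintf(stderr, "usage: %s cmd [args...]\n", argv[0]); return 2; }
    char *stack = malloc(STACK_SIZE);
    if (!stack) { perror("malloc"); return 1; }
    /* CLONE_NEWUSER lets an unprivileged user create the PID and mount namespaces. */
    int flags = CLONE_NEWUSER | CLONE_NEWPID | CLONE_NEWNS | SIGCHLD;
    pid_t pid = clone(child, stack + STACK_SIZE, flags, argv + 1);  /* stack grows down */
    if (pid < 0) { perror("clone"); return 1; }
    int status = 0;
    waitpid(pid, &status, 0);
    return WIFEXITED(status) ? WEXITSTATUS(status) : 1;
}
```

Run as `./sandbox sh` to get a shell that reports itself as PID 1 and cannot execute anything it writes under /tmp/sandbox.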