@@ -1,8 +1,8 @@

 #!/bin/sh

 TOMLV_COMMIT=9baf8a8a9f2ed20a8e54160840c492f937eeaf9a

-RUNC_COMMIT=ac031b5bf1cc92239461125f4c1ffb760522bbf2

-CONTAINERD_COMMIT=8517738ba4b82aff5662c97ca4627e7e4d03b531

+RUNC_COMMIT=51371867a01c467f08af739783b8beafc15

+CONTAINERD_COMMIT=03e5862ec0d8d3b3f750e19fca3ee367e13c090e

 TINI_COMMIT=949e6facb77383876aeff8a6944dde66b3089574

 LIBNETWORK_COMMIT=0f534354b813003a754606689722fe253101bc4e

 VNDR_COMMIT=f56bd4504b4fad07a357913687fb652ee54bb3b0

@@ -59,7 +59,7 @@ github.com/miekg/pkcs11 df8ae6ca730422dba20c768ff38ef7d79077a59f

 github.com/docker/go v1.5.1-1-1-gbaf439e

 github.com/agl/ed25519 d2b94fd789ea21d12fac1a4443dd3a3f79cda72c

-github.com/opencontainers/runc ac031b5bf1cc92239461125f4c1ffb760522bbf2 # libcontainer

+github.com/opencontainers/runc 51371867a01c467f08af739783b8beafc15 # libcontainer

 github.com/opencontainers/runtime-spec 1c7c27d043c2a5e513a44084d2b10d77d1402b8c # specs

 github.com/seccomp/libseccomp-golang 32f571b70023028bd57d9288c20efbcb237f3ce0

 # libcontainer deps (see src/github.com/opencontainers/runc/Godeps/Godeps.json)

@@ -96,7 +96,7 @@ google.golang.org/cloud dae7e3d993bc3812a2185af60552bb6b847e52a0

 github.com/docker/docker-credential-helpers f72c04f1d8e71959a6d103f808c50ccbad79b9fd

 # containerd

-github.com/docker/containerd 8517738ba4b82aff5662c97ca4627e7e4d03b531

+github.com/docker/containerd 03e5862ec0d8d3b3f750e19fca3ee367e13c090e

 github.com/tonistiigi/fifo 1405643975692217d6720f8b54aeee1bf2cd5cf4

 # cluster

@@ -598,11 +598,11 @@ void nsexec(void)

 	/*

 	 * Stage 1: We're in the first child process. Our job is to join any

-	 *          provided user namespaces in the netlink payload. If we've been

-	 *          asked to CLONE_NEWUSER, we will unshare the user namespace and

-	 *          ask our parent (stage 0) to set up our user mappings for us.

-	 *          Then, we unshare the rest of the requested namespaces and

-	 *          create a new child (stage 2: JUMP_INIT).  We then send the

+	 *          provided namespaces in the netlink payload and unshare all

+	 *          of the requested namespaces. If we've been asked to

+	 *          CLONE_NEWUSER, we will ask our parent (stage 0) to set up

+	 *          our user mappings for us. Then, we create a new child

+	 *          (stage 2: JUMP_INIT) for PID namespace. We then send the

 	 *          child's PID to our parent (stage 0).

 	 */

 	case JUMP_CHILD: {

@@ -660,7 +660,15 @@ void nsexec(void)

 					bail("failed to sync with parent: SYNC_USERMAP_ACK: got %u", s);

 			}

-			/* TODO: What about non-namespace clone flags that we're dropping here? */

+			/*

+			 * TODO: What about non-namespace clone flags that we're dropping here?

+			 *

+			 * We fork again because of PID namespace, setns(2) or unshare(2) don't

+			 * change the PID namespace of the calling process, because doing so

+			 * would change the caller's idea of its own PID (as reported by getpid()),

+			 * which would break many applications and libraries, so we must fork

+			 * to actually enter the new PID namespace.

+			 */

 			child = clone_parent(&env, JUMP_INIT);

 			if (child < 0)

 				bail("unable to fork: init_func");