diff --git a/src/condor_daemon_core.V6/condor_daemon_core.h b/src/condor_daemon_core.V6/condor_daemon_core.h

index 3562577..d9d1736 100644

--- a/src/condor_daemon_core.V6/condor_daemon_core.h

+++ b/src/condor_daemon_core.V6/condor_daemon_core.h

@@ -192,6 +192,7 @@ struct FamilyInfo {

 	gid_t* group_ptr;

 #endif

 	const char* glexec_proxy;

+	bool want_pid_namespace;

 	const char* cgroup;

 	FamilyInfo() {

@@ -201,6 +202,7 @@ struct FamilyInfo {

 		group_ptr = NULL;

 #endif

 		glexec_proxy = NULL;

+		want_pid_namespace = false;

 		cgroup = NULL;

 	}

 };

diff --git a/src/condor_daemon_core.V6/daemon_core.cpp b/src/condor_daemon_core.V6/daemon_core.cpp

index e058fd3..74fe8a0 100644

--- a/src/condor_daemon_core.V6/daemon_core.cpp

+++ b/src/condor_daemon_core.V6/daemon_core.cpp

@@ -34,6 +34,7 @@

 #if HAVE_CLONE

 #include <sched.h>

 #include <sys/syscall.h>

+#include <sys/mount.h>

 #endif

 #if HAVE_RESOLV_H && HAVE_DECL_RES_INIT

@@ -112,6 +113,10 @@ CRITICAL_SECTION Big_fat_mutex; // coarse grained mutex for debugging purposes

 #include <sched.h>

 #endif

+#if !defined(CLONE_NEWPID)

+#define CLONE_NEWPID 0x20000000

+#endif

+

 static const char* EMPTY_DESCRIP = "<NULL>";

 // special errno values that may be returned from Create_Process

@@ -6566,7 +6571,9 @@ public:

 	   m_affinity_mask(affinity_mask),

  	   m_fs_remap(fs_remap),

 	   m_wrote_tracking_gid(false),

-	   m_no_dprintf_allowed(false)

+	   m_no_dprintf_allowed(false),

+	   m_clone_newpid_pid(-1),

+	   m_clone_newpid_ppid(-1)

 	{

 	}

@@ -6627,6 +6634,10 @@ private:

 	bool m_wrote_tracking_gid;

 	bool m_no_dprintf_allowed;

 	priv_state m_priv_state;

+	pid_t m_clone_newpid_pid;

+	pid_t m_clone_newpid_ppid;

+

+	pid_t fork(int);

 };

 enum {

@@ -6650,7 +6661,19 @@ pid_t CreateProcessForkit::clone_safe_getpid() {

 		// the pid of the parent process (presumably due to internal

 		// caching in libc).  Therefore, use the syscall to get

 		// the answer directly.

-	return syscall(SYS_getpid);

+

+	int retval = syscall(SYS_getpid);

+

+		// If we were fork'd with CLONE_NEWPID, we think our PID is 1.

+		// In this case, ask the parent!

+	if (retval == 1) {

+		if (m_clone_newpid_pid == -1) {

+			EXCEPT("getpid is 1!");

+		}

+		retval = m_clone_newpid_pid;

+	}

+

+	return retval;

 #else

 	return ::getpid();

 #endif

@@ -6659,12 +6682,115 @@ pid_t CreateProcessForkit::clone_safe_getppid() {

 #if HAVE_CLONE

 		// See above comment for clone_safe_getpid() for explanation of

 		// why we need to do this.

-	return syscall(SYS_getppid);

+	

+	int retval = syscall(SYS_getppid);

+

+		// If ppid is 0, then either Condor is init (DEAR GOD) or we

+		// were created with CLONE_NEWPID; ask the parent!

+	if (retval == 0) {

+		if (m_clone_newpid_ppid == -1) {

+			EXCEPT("getppid is 0!");

+		}

+		retval = m_clone_newpid_ppid;

+	}

+

+	return retval;

 #else

 	return ::getppid();

 #endif

 }

+/**

+ * fork allows one to use certain clone syscall flags, but provides more

+ * familiar POSIX fork semantics.

+ * NOTES:

+ *   - We whitelist the flags you are allowed to pass.  Currently supported:

+ *     - CLONE_NEWPID.  Implies CLONE_NEWNS.

+ *       If the clone succeeds but the remount fails, the child calls _exit(1),

+ *       but the parent will return successfully.

+ *       It would be a simple fix to have the parent return the failure, if

+ *       someone desired.

+ *     Flags are whitelisted to help us adhere to the fork-like semantics (no

+ *     shared memory between parent and child, for example).  If you give other

+ *     flags, they are silently ignored.

+ *   - man pages indicate that clone on i386 is only fully functional when used

+ *     via ASM, not the vsyscall interface.  This doesn't appear to be relevant

+ *     to this particular use case.

+ *   - To avoid linking with pthreads (or copy/pasting lots of glibc code), I 

+ *     don't include integration with threads.  This means various threading

+ *     calls in the child may not function correctly (pre-exec; post-exec

+ *     should be fine), and pthreads might not notice when the child exits.

+ *     Traditional POSIX calls like wait will still function because the 

+ *     parent will receive the SIGCHLD.

+ *     This is simple to fix if someone desired, but I'd mostly rather not link

+ *     with pthreads.

+ */

+

+#define ALLOWED_FLAGS (SIGCHLD | CLONE_NEWPID | CLONE_NEWNS )

+

+pid_t CreateProcessForkit::fork(int flags) {

+

+    // If you don't need any fancy flags, just do the old boring POSIX call

+    if (flags == 0) {

+        return ::fork();

+    }

+

+#if HAVE_CLONE

+

+    int rw[2]; // Communication pipes for the CLONE_NEWPID case.

+

+    flags |= SIGCHLD; // The only necessary flag.

+    if (flags & CLONE_NEWPID) {

+        flags |= CLONE_NEWNS;

+	if (pipe(rw)) {

+		EXCEPT("UNABLE TO CREATE PIPE.");

+	}

+    }

+

+	// fork as root if we have our fancy flags.

+    priv_state orig_state = set_priv(PRIV_ROOT);

+    int retval = syscall(SYS_clone, ALLOWED_FLAGS & flags, 0, NULL, NULL);

+

+	// Child

+    if ((retval == 0) && (flags & CLONE_NEWPID)) {

+

+            // If we should have forked as non-root, make things in life final.

+        set_priv(orig_state);

+

+        if (full_read(rw[0], &m_clone_newpid_ppid, sizeof(pid_t)) != sizeof(pid_t)) {

+            EXCEPT("Unable to write into pipe.");

+        }

+        if (full_read(rw[0], &m_clone_newpid_pid, sizeof(pid_t)) != sizeof(pid_t)) {

+            EXCEPT("Unable to write into pipe.");

+        }

+

+	// Parent

+    } else if (retval > 0) {

+        set_priv(orig_state);

+	pid_t ppid = getpid(); // We are parent, so don't need clone_safe_pid.

+        if (full_write(rw[1], &ppid, sizeof(ppid)) != sizeof(ppid)) {

+            EXCEPT("Unable to write into pipe.");

+        }

+        if (full_write(rw[1], &retval, sizeof(ppid)) != sizeof(ppid)) {

+            EXCEPT("Unable to write into pipe.");

+        }

+    }

+	// retval=-1 falls through here.

+    if (flags & CLONE_NEWPID) {

+        close(rw[0]);

+        close(rw[1]);

+    }

+    return retval;

+

+#else

+

+    // Note we silently ignore flags if there's no clone on the platform.

+    return ::fork();

+

+#endif

+

+}

+

 pid_t CreateProcessForkit::fork_exec() {

 	pid_t newpid;

@@ -6736,7 +6862,11 @@ pid_t CreateProcessForkit::fork_exec() {

 	}

 #endif /* HAVE_CLONE */

-	newpid = fork();

+	int fork_flags = 0;

+	if (m_family_info) {

+		fork_flags |= m_family_info->want_pid_namespace ? CLONE_NEWPID : 0;

+	}

+	newpid = this->fork(fork_flags);

 	if( newpid == 0 ) {

 			// in child

 		enterCreateProcessChild(this);

diff --git a/src/condor_starter.V6.1/vanilla_proc.cpp b/src/condor_starter.V6.1/vanilla_proc.cpp

index 044cb10..8528ca7 100644

--- a/src/condor_starter.V6.1/vanilla_proc.cpp

+++ b/src/condor_starter.V6.1/vanilla_proc.cpp

@@ -360,6 +360,24 @@ VanillaProc::StartJob()

 		}

 	}

+#if defined(LINUX)

+	// On Linux kernel 2.6.24 and later, we can give each

+	// job its own PID namespace

+	if (param_boolean("USE_PID_NAMESPACES", false)) {

+		if (!can_switch_ids()) {

+			EXCEPT("USE_PID_NAMESPACES enabled, but can't perform this "

+				"call in Linux unless running as root.");

+		}

+		fi.want_pid_namespace = true;

+		if (!fs_remap) {

+			fs_remap = new FilesystemRemap();

+		}

+		fs_remap->RemapProc();

+	}

+	dprintf(D_FULLDEBUG, "PID namespace option: %s\n", fi.want_pid_namespace ? "true" : "false");

+#endif

+

+

 	// have OsProc start the job

 	//

 	int retval = OsProc::StartJob(&fi, fs_remap);

diff --git a/src/condor_utils/filesystem_remap.cpp b/src/condor_utils/filesystem_remap.cpp

index e0f2e61..735c744 100644

--- a/src/condor_utils/filesystem_remap.cpp

+++ b/src/condor_utils/filesystem_remap.cpp

@@ -29,7 +29,8 @@

 FilesystemRemap::FilesystemRemap() :

 	m_mappings(),

-	m_mounts_shared()

+	m_mounts_shared(),

+	m_remap_proc(false)

 {

 	ParseMountinfo();

 }

@@ -120,6 +121,9 @@ int FilesystemRemap::PerformMappings() {

 			break;

 		}

 	}

+	if ((!retval) && m_remap_proc) {

+		retval = mount("proc", "/proc", "proc", 0, NULL);

+	}

 #endif

 	return retval;

 }

@@ -148,6 +152,10 @@ std::string FilesystemRemap::RemapDir(std::string target) {

 	return target;

 }

+void FilesystemRemap::RemapProc() {

+	m_remap_proc = true;

+}

+

 /*

   Sample mountinfo contents (from http://www.kernel.org/doc/Documentation/filesystems/proc.txt):

   36 35 98:0 /mnt1 /mnt2 rw,noatime master:1 - ext3 /dev/root rw,errors=continue

diff --git a/src/condor_utils/filesystem_remap.h b/src/condor_utils/filesystem_remap.h

index 5e9362d..2e17476 100644

--- a/src/condor_utils/filesystem_remap.h

+++ b/src/condor_utils/filesystem_remap.h

@@ -74,6 +74,12 @@ public:

 	 */

 	std::string RemapFile(std::string);

+	/**

+	 * Indicate that we should remount /proc in the child process.

+	 * Necessary for PID namespaces.

+	 */

+	void RemapProc();

+

 private:

 	/**

@@ -89,6 +95,7 @@ private:

 	std::list<pair_strings> m_mappings;

 	std::list<pair_str_bool> m_mounts_shared;

	std::list<pair_strings> m_mounts_autofs;

+	bool m_remap_proc;

 };

 #endif