Why use a "nested process namespace"? (podman on Windows)

[JasonSFuller]

I recently installed Podman for Windows. No issues so far, just silly newbie questions, like "how does this work" and "why?"

The tutorial doesn't really go into this, but when I drop into the installed Fedora distro (Windows Terminal > podman-machine-default), I get a helpful message explaining:

You will be automatically entered into a nested process namespace where
systemd is running. If you need to access the parent namespace, hit ctrl-d
or type exit. This also means to log out you need to exit twice.

BTW, I'm not questioning the design choice or need for the container Inception or separate namespace. I'm sure there are good reasons the stack looks like this:

• Windows 10 or 11 (Hyper-V)
  • Microsoft's lightweight Linux VM (Mariner, I think)
    • WSL2 distro/container "podman-machine-default" (Fedora 36 "Remix" custom image installed via podman machine init)
      • another Fedora 36 "Remix" custom container (started when you podman machine start)

...but don't understand WHY.
...or, perhaps, enough to interpret what the message above is plainly telling me...?

Can someone explain the "container with a container" setup and bit about namespaces?

• Is it related to the WSL2 stack and need for systemd (and the various hoops you have to jump through to run it inside a container)?
• Does it have something to do with the rootless vs rootful functionality?
• Is it for namespace separation and keeping things neat and tidy?
• Something else?

BTW, I'm still learning about containers and namespaces, so please assume I have no idea what I'm talking about. =) And apologies if this has been answered somewhere, but my Google-fu and search of the Github discussion/issues has failed me.

Thanks in advance!

[rhatdan]

@n1hility PTAL

[davdr]

The stack looks like that because this is how WSL2 was designed by Microsoft. The podman-machine-default is a WSL2 distro managed by Podman on Wndows (podman machine) to have a standardized Linux environment to run Podman in. Now, a consequence of the WSL2 design is that Windows wants an init process to be "pid 0" (pid = process ID) in the distro. Inconvenient for Systemd, because it also wants exactly that, which is not possible: pids are unique. Hence the clever trick with the "nested process namespace:": in this namespace systemd runs as pid 0 as it needs, but this actually is a different pid seen from the WSL2 distro (the real pid is mapped to pid 0 in the nested process namespace)..

In the meantime recent WSL2 versions provide a setting to be able to run systemd without needing this nested namespace, but I believe podman machine isn't yet compatible with that. If you run your own distro with Podman, this can be of help though.

[n1hility]

@davdr great answer

[JasonSFuller]

Awesome! Thank you, @davdr!

@n1hility, is the new WSL systemd feature being considered? Will it give you the functionality needed for podman? Too soon to say?

[n1hility]

Yes the plan is to move to the new built-in systemd support as the preferred model, provided there are no secondary issues.

BTW just a small correction to your sequence:

It actually looks like this:

• Windows 10/11
  • HyperV VM running CBL Mariner (WSL Host)
    • Linux namespace for WSL distro - Custom Fedora 36 with Podman Packages (Microsoft WSL reuses the host, each distro gets its own namespace)
      • Nested Linux Namespace for Systemd
        • Container namespace for each container launched by podman (internally uses a Linux namespace)

So no matter what you have multiple nested linux namespaces. The only difference is we can get rid of the extra namespace for systemd

[JasonSFuller]

Got it. Makes sense. Good luck in your efforts! Looking forward to seeing what the team comes up with.

And again, thanks for the explanations, everyone.