You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
config-linux: Specify relationships for new namespaces
These were contentious [1,2], so they weren't part of the previous
commit. I still think we want to say something about these
relationships.
We already have some of "runtime namespace" conditions (e.g. when a
type is not listed in linux.namespaces[]), so runtimes should already
have implementation-specific wording around what the runtime
namespaces are (we don't explicitly make them implementation-defined,
although we probably should). Anyhow, that's not a new concept added
by this commit.
# Seeded namespaces
For example, if you ask for a new uts namespace but do not set the
optional hostname, having the seed defined means that the hostname in
the container UTS namespace is well-defined (it will be whatever the
hostname was in the runtime UTS namespace).
This is less of an issue for the mount namespace, because with
root.path REQUIRED, there's no way to avoid clobbering whatever mounts
you got from your seed (which makes not asking for a new mount
namespace exciting ;).
# Hierarchical namespaces
I think "I want this container to run in a new user/pid namespace that
is a child of the runtime user/pid namespace" should be something that
has a portable config expression. Otherwise it becomes very unclear
what to put in the hostID field for (u|g)idMappings, because you don't
know what namespace will be used to interpret the hostIDs.
# Namespace ownership
This is another case where I think specified clarity is essential. A
new network namespace will not be very useful if you don't know who
owns it.
[1]: #767 (comment)
[2]: #767 (comment)
Signed-off-by: W. Trevor King <[email protected]>
Copy file name to clipboardExpand all lines: config-linux.md
+3Lines changed: 3 additions & 0 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -40,6 +40,9 @@ The following parameters can be specified to setup namespaces:
40
40
The runtime MUST [generate an error](runtime.md#errors) if `path` is not associated with a namespace of type `type`.
41
41
42
42
If `path` is not specified, the runtime MUST create a new [container namespace](glossary.md#container-namespace) of type `type`.
43
+
For hierarchical namespaces (e.g. `pid`, `user`), the new container namespace MUST be a child of the [runtime namespace](glossary.md#runtime-namespace) of that type.
44
+
For seeded namespaces (e.g. `mount`, `uts`), the new container namespace MUST be seeded by the runtime namespace of that type.
45
+
When `type` is not `user`, new namespaces MUST be owned by the container `user` namespace.
43
46
44
47
If a namespace type is not specified in the `namespaces` array, the container MUST inherit the [runtime namespace](glossary.md#runtime-namespace) of that type.
45
48
If a `namespaces` field contains duplicated namespaces with same `type`, the runtime MUST [generate an error](runtime.md#errors).
0 commit comments