You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
config-linux: Specify relationships for new namespaces
These were contentious [1,2], so they weren't part of the previous
commit. I still think we want to say something about these
relationships.
For example, if you ask for a new uts namespace but do not set the
optional hostname, having the seed defined means that the hostname in
the container UTS namespace is well-defined (it will be whatever the
hostname was in the runtime UTS namespace).
This is less of an issue for the mount namespace, because with
root.path REQUIRED, there's no way to avoid clobbering whatever mounts
you got from your seed (which makes not asking for a new mount
namespace exciting ;).
We already have some of "runtime namespace" conditions (e.g. when
linux.namespaces[].path is unset), so runtimes should already have
implementation-specific wording around what the runtime namespaces are
(we don't explicitly make them implementation-defined, although we
probably should). Anyhow, that's not a new concept added by this
commit.
If we want to explicitly make the parent / seed implementation-defined
and not tied to the implementation-defined runtime namespaces, I guess
we could do that (by rejecting this commit). But I think "I want this
container to run in a new user/pid namespace that is a child of the
runtime user/pid namespace" should be something that has a portable
config expression. Otherwise it becomes very unclear what to put in
the hostID field for (u|g)idMappings, because you don't know what
namespace will be used to interpret the hostIDs.
[1]: #767 (comment)
[2]: #767 (comment)
Signed-off-by: W. Trevor King <[email protected]>
Copy file name to clipboardExpand all lines: config-linux.md
+3Lines changed: 3 additions & 0 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -40,6 +40,9 @@ The following parameters can be specified to setup namespaces:
40
40
The runtime MUST [generate an error](runtime.md#errors) if `path` is not associated with a namespace of type `type`.
41
41
42
42
If `path` is not specified, the runtime MUST create a new [container namespace](glossary.md#container-namespace) of type `type`.
43
+
For hierarchical namespaces (e.g. `pid`, `user`), the new container namespace MUST be a child of the [runtime namespace](glossary.md#runtime-namespace) of that type.
44
+
For seeded namespaces (e.g. `mount`, `uts`), the new container namespace MUST be seeded by the runtime namespace of that type.
45
+
When `type` is not `user`, new namespaces MUST be owned by the container `user` namespace.
43
46
44
47
If a namespace type is not specified in the `namespaces` array, the container MUST inherit the [runtime namespace](glossary.md#runtime-namespace) of that type.
45
48
If a `namespaces` field contains duplicated namespaces with same `type`, the runtime MUST [generate an error](runtime.md#errors).
0 commit comments