config: Explicit container namespace for uid, gid, and additionalGids #412
Conversation
wking
force-pushed
the
explicit-uid-namespace
branch
2 times, most recently
from
9348822
to
8a567d9
Compare
|
We should make some concrete note about userns in Linux either in the glossary or as an example here. I understand the context from the PR but the doc here is a bit insufficient. |
wking
force-pushed
the
explicit-uid-namespace
branch
2 times, most recently
from
c373fc4
to
c87e78a
Compare
wking
force-pushed
the
explicit-uid-namespace
branch
from
c87e78a
to
5ba66f9
Compare
| | *B* | *A* | 45 | 90 | | ||
| | *C* | *B* | 0 | 1 | | ||
|
|
||
| where the container process was launched in a new [PID namespace][pid_namespaces.7], namespace *C* (in which the container process is executing) would be the container PID namespace. | ||
|
|
There was a problem hiding this comment.
im not sure if we want to have nested user namespace clarification / education here. Seems much better to link to the kernel pages instead http://man7.org/linux/man-pages/man7/user_namespaces.7.html
There was a problem hiding this comment.
On Wed, May 11, 2016 at 10:23:57AM -0700, Daniel, Dao Quang Minh wrote:
im not sure if we want to have nested user namespace clarification /
education here. Seems much better to link to the kernel pages
instead http://man7.org/linux/man-pages/man7/user_namespaces.7.html
I don't currently talk about user namespaces at all in this entry, and
a link to namespaces(7) is already in this section. The goal with the
changes here was to make “container namespace” a clearer idea. If the
previous docs accomplished that, then I'm fine dropping this addition
;).
wking
force-pushed
the
explicit-uid-namespace
branch
from
5ba66f9
to
8a567d9
Compare
|
On Wed, May 04, 2016 at 10:23:31AM -0700, Brandon Philips wrote:
After a few unappealing attempts at improved docs, we backed off of |
In the degenerate case where the container does not create a user namespace, the "container namespace" distinction is unimportant, but the phrasing is still accurate (the container and runtime namespaces are the same). Signed-off-by: W. Trevor King <wking@tremily.us>
wking
force-pushed
the
explicit-uid-namespace
branch
from
8a567d9
to
08908d6
Compare
|
LGTM |
1 similar comment
|
LGTM |
Through 303c03a (Merge pull request opencontainers#412 from wking/explicit-uid-namespace, 2016-06-03). Signed-off-by: W. Trevor King <wking@tremily.us>
Through 303c03a (Merge pull request opencontainers#412 from wking/explicit-uid-namespace, 2016-06-03). Signed-off-by: W. Trevor King <wking@tremily.us>
Through 303c03a (Merge pull request opencontainers#412 from wking/explicit-uid-namespace, 2016-06-03). Signed-off-by: W. Trevor King <wking@tremily.us>
The note is from 7c9daeb (Introducing Solaris in OCI, 2016-04-25, opencontainers#411), but as I pointed out there [1], this is also true for Linux. 08908d6 (config: Explicit container namespace for uid, gid, and additionalGids, 2016-04-29, opencontainers#412) landed in parallel with more explicit namepacing for these fields, so we no longer need the overly-specific Solaris note. [1]: opencontainers#411 (comment) Signed-off-by: W. Trevor King <wking@tremily.us>
In the degenerate case where the container does not create a user
namespace, the "container namespace" distinction is unimportant, but
the phrasing is still accurate (the container and runtime namespaces
are the same).