Skip to content

Commit

Permalink
config-linux: Extend no-tweak requirement to runtime namespaces
Browse files Browse the repository at this point in the history 
Since [1] we've required runtimes to error out if a configuration
joins an existing namespace and adjusts it somehow (e.g. joining an
existing UTC namespace and setting 'hostname', [2]).  However, the
wording from [1] (which survives untouched in the current master) only
talked about "when a path is specified".  I see two possible
approaches for internal consistency:

a. Lift the OCI restriction and allow join-and-tweak [3] where the
   kernel supports it.  When we landed the current restriction, the
   main issues seemed to be "we don't have a clear use-case for join
   and tweak" [4] (although see [5]) and "this is a foot gun [6,7]"
   (I'd rather leave policy to higher-level config linters).

b. Extend the OCI restriction to all cases where the runtime does not
   create a new namespace.  Besides the already covered "namespace
   entry exists and includes 'path'", we'd also want to forbid configs
   that were missing the relevant namespace(s) entirely (in which case
   the container inherits the host namespace(s)).

I'm partial to (a) in the long run, but (b) is less of a shift from
the current spec and likely a better choice for a pending 1.0.

This commit implements (b).

It also makes it explicit that not listing a namespace type will cause
the container to inherit the runtime namespace of that type.

[1]: opencontainers#158
     Subject: Clarify behavior around namespaces paths
[2]: opencontainers#214
     Subject: config: Require a new UTS namespace for config.json's hostname
[3]: opencontainers#158 (comment)
[4]: opencontainers#158 (comment)
[5]: opencontainers#305
     Subject: [Tracker] Live Container Updates
[6]: opencontainers#158 (comment)
[7]: opencontainers#537 (comment)
     Subject: [linux] Tweaking host namespaces?

Signed-off-by: W. Trevor King <wking@tremily.us>
  • Loading branch information
@wking
wking committed Aug 24, 2016
1 parent 8095e4e commit 01c2d55
Showing 1 changed file with 2 additions and 1 deletion.
3 changes: 2 additions & 1 deletion config-linux.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -38,7 +38,8 @@ The following parameters can be specified to setup namespaces:
* **`path`** *(string, optional)* - path to namespace file in the [runtime mount namespace](glossary.md#runtime-namespace)

If a path is specified, that particular file is used to join that type of namespace.
Also, when a path is specified, a runtime MUST assume that the setup for that particular namespace has already been done and error out if the config specifies anything else related to that namespace.
If a namespace type is not specified in the `namespaces` array, the container MUST inherit the [runtime namespace](glossary.md#runtime-namespace) of that type.
If a new namespace is not created (because the namespace type is not listed, or because it is listed with a `path`), runtimes MUST assume that the setup for that namespace has already been done and error out if the config specifies anything else related to that namespace.

###### Example

Expand Down

0 comments on commit 01c2d55

Please sign in to comment.