config-linux: Extend no-tweak requirement to runtime namespaces

wking · wking · commit 01c2d55fac8e · 2016-08-24T10:41:50.000-07:00
Since [1] we've required runtimes to error out if a configuration joins an existing namespace and adjusts it somehow (e.g. joining an existing UTC namespace and setting 'hostname', [2]). However, the wording from [1] (which survives untouched in the current master) only talked about "when a path is specified". I see two possible approaches for internal consistency: a. Lift the OCI restriction and allow join-and-tweak [3] where the kernel supports it. When we landed the current restriction, the main issues seemed to be "we don't have a clear use-case for join and tweak" [4] (although see [5]) and "this is a foot gun [6,7]" (I'd rather leave policy to higher-level config linters). b. Extend the OCI restriction to all cases where the runtime does not create a new namespace. Besides the already covered "namespace entry exists and includes 'path'", we'd also want to forbid configs that were missing the relevant namespace(s) entirely (in which case the container inherits the host namespace(s)). I'm partial to (a) in the long run, but (b) is less of a shift from the current spec and likely a better choice for a pending 1.0. This commit implements (b). It also makes it explicit that not listing a namespace type will cause the container to inherit the runtime namespace of that type. [1]: #158 Subject: Clarify behavior around namespaces paths [2]: #214 Subject: config: Require a new UTS namespace for config.json's hostname [3]: #158 (comment) [4]: #158 (comment) [5]: #305 Subject: [Tracker] Live Container Updates [6]: #158 (comment) [7]: #537 (comment) Subject: [linux] Tweaking host namespaces? Signed-off-by: W. Trevor King <wking@tremily.us>
diff --git a/config-linux.md b/config-linux.md
@@ -38,7 +38,8 @@ The following parameters can be specified to setup namespaces:
 * **`path`** *(string, optional)* - path to namespace file in the [runtime mount namespace](glossary.md#runtime-namespace)
 
 If a path is specified, that particular file is used to join that type of namespace.
-Also, when a path is specified, a runtime MUST assume that the setup for that particular namespace has already been done and error out if the config specifies anything else related to that namespace.
+If a namespace type is not specified in the `namespaces` array, the container MUST inherit the [runtime namespace](glossary.md#runtime-namespace) of that type.
+If a new namespace is not created (because the namespace type is not listed, or because it is listed with a `path`), runtimes MUST assume that the setup for that namespace has already been done and error out if the config specifies anything else related to that namespace.
 
 ###### Example
 
