runtime-config-linux: Specify host mount namespace for namespace paths

wking · wking · commit f1146ed2ae56 · 2015-12-18T10:55:48.000-08:00
Avoid trouble with situations like: # mount --bind /mnt/test /mnt/test # mount --make-rprivate /mnt/test # touch /mnt/test/mnt /mnt/test/user # mount --bind /proc/123/ns/mnt /mnt/test/mnt # mount --bind /proc/123/ns/user /mnt/test/user # nsenter --mount=/proc/123/ns/mnt --user /proc/123/ns/user sh which uses the required private mount for binding mount namespace references [1,2,3]. We want to avoid: 1. Runtime opens /mnt/test/mnt as fd 3. 2. Runtime joins the mount namespace referenced by fd 3. 3. Runtime fails to open /mnt/test/user, because /mnt/test is not visible in the current mount namespace. and instead get runtime authors to setup flows like: 1. Runtime opens /mnt/test/mnt as fd 3. 2. Runtime opens /mnt/test/user as fd 4. 3. Runtime joins the mount namespace referenced by fd 3. 4. Runtime joins the user namespace referenced by fd 4. This also applies to new namespace creation. We want to avoid: 1. Runtime clones a container process with a new mount namespace. 2c. Container process fails to open /mnt/test/user, because /mnt/test is not visible in the current mount namespace. in favor of something like: 1. Runtime opens /mnt/test/user as fd 3. 2. Runtime clones a container process with a new mount namespace. 3h. Host process closes unneeded fd 3. 3c. Container process joins the user namespace referenced by fd 3. [1]: http://karelzak.blogspot.com/2015/04/persistent-namespaces.html [2]: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=4ce5d2b1a8fde84c0eebe70652cf28b9beda6b4e [3]: http://mid.gmane.org/87haeahkzc.fsf@xmission.com Signed-off-by: W. Trevor King <wking@tremily.us>
diff --git a/runtime-config-linux.md b/runtime-config-linux.md
@@ -17,7 +17,7 @@ The following parameters can be specified to setup namespaces:
     * **`uts`** the container will be able to have its own hostname and domain name
     * **`user`** the container will be able to remap user and group IDs from the host to local users and groups within the container
 
-* **`path`** *(string, optional)* - path to namespace file
+* **`path`** *(string, optional)* - path to namespace file in the host mount namespace
 
 If a path is specified, that particular file is used to join that type of namespace.
 Also, when a path is specified, a runtime MUST assume that the setup for that particular namespace has already been done and error out if the config specifies anything else related to that namespace.
