When the config reuses an existing userns:

```json
"namespaces": [
    {
        "type": "user",
        "path": "/proc/1234/ns/user"
    },
```

It is unclear how mappings should be specified:

```json
"uidMappings": [
    {
        "containerID": 0,
        "hostID": 1000,
        "size": 32000
    }
],
```
If the existing userns already has mappings configured, the runtime will not be able to write to /proc/$$/uid_map again (see man 7 user_namespaces).
Questions for the runtimes:
- Should the runtime ignore any `uidMappings` or `gidMappings` sections when a `path` is specified for userns?
- Or should it check that the current mappings are already configured exactly as specified in `config.json`?
- Or should it return an error when it fails to configure the mappings again?
- Should runtimes support using existing userns with unconfigured mappings? (That does not seem useful to me because how would several containers share the same userns? That seems racy.)
Questions for the users:
- Should users avoid specifying the `uidMappings` or `gidMappings` sections?
- Or should they specify the mappings and ensure the specified `path` refers to a userns with the same mappings?
Note that runtimes might need to know the mappings for mounting some tmpfs with options like ,uid=1000,gid=1000.
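As an added example (not code from this issue or from any runtime), here is how the second option for runtimes could be implemented: read `uid_map` (or `gid_map`) from a process that lives in the namespace named by `path`, parse it, and verify it matches `config.json` exactly instead of trying to write it again. The `IDMapping` type and the helper names are assumptions of this example.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// IDMapping mirrors one uidMappings / gidMappings entry in config.json.
type IDMapping struct {
	ContainerID uint32 `json:"containerID"`
	HostID      uint32 `json:"hostID"`
	Size        uint32 `json:"size"`
}

// parseIDMap parses the text of /proc/<pid>/uid_map (or gid_map) read from a
// process in the existing userns: "ID-inside-ns ID-outside-ns length" per line
// (see man 7 user_namespaces). A line with the wrong shape is an error.
func parseIDMap(contents string) ([]IDMapping, error) {
	var maps []IDMapping
	sc := bufio.NewScanner(strings.NewReader(contents))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		var m IDMapping
		if _, err := fmt.Sscanf(line, "%d %d %d", &m.ContainerID, &m.HostID, &m.Size); err != nil {
			return nil, fmt.Errorf("malformed id_map line %q: %w", line, err)
		}
		maps = append(maps, m)
	}
	return maps, sc.Err()
}

// mappingsMatch reports whether config.json asks for exactly the mappings the
// kernel already installed: same entries, no extras or omissions, order ignored.
func mappingsMatch(want, have []IDMapping) bool {
	if len(want) != len(have) {
		return false
	}
	seen := make(map[IDMapping]int, len(have)) // multiset of installed entries
	for _, m := range have {
		seen[m]++
	}
	for _, m := range want {
		if seen[m] == 0 {
			return false
		}
		seen[m]--
	}
	return true
}
```

A runtime taking this route would read `/proc/1234/uid_map` (the owner PID of the `path` above), call `parseIDMap`, and refuse to start the container when `mappingsMatch` returns false.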