These were contentious [1,2], so they weren't part of the previous
commit.  I still think we want to say something about these
relationships.

For example, if you ask for a new uts namespace but do not set the
optional hostname, having the seed defined means that the hostname in
the container UTS namespace is well-defined (it will be whatever the
hostname was in the runtime UTS namespace).

This is less of an issue for the mount namespace, because with
root.path REQUIRED, there's no way to avoid clobbering whatever mounts
you got from your seed (which makes not asking for a new mount
namespace exciting ;).

We already have some of "runtime namespace" conditions (e.g. when
linux.namespaces[].path is unset), so runtimes should already have
implementation-specific wording around what the runtime namespaces are
(we don't explicitly make them implementation-defined, although we
probably should).  Anyhow, that's not a new concept added by this
commit.

If we want to explicitly make the parent / seed implementation-defined
and not tied to the implementation-defined runtime namespaces, I guess
we could do that (by rejecting this commit).  But I think "I want this
container to run in a new user/pid namespace that is a child of the
runtime user/pid namespace" should be something that has a portable
config expression.  Otherwise it becomes very unclear what to put in
the hostID field for (u|g)idMappings, because you don't know what
namespace will be used to interpret the hostIDs.

[1]: opencontainers#767 (comment)
[2]: opencontainers#767 (comment)

Signed-off-by: W. Trevor King <wking@tremily.us>

These were contentious [1,2], so they weren't part of the previous
commit.  I still think we want to say something about these
relationships.

We already have some of "runtime namespace" conditions (e.g. when a
type is not listed in linux.namespaces[]), so runtimes should already
have implementation-specific wording around what the runtime
namespaces are (we don't explicitly make them implementation-defined,
although we probably should). Anyhow, that's not a new concept added
by this commit.

# Seeded namespaces

For example, if you ask for a new uts namespace but do not set the
optional hostname, having the seed defined means that the hostname in
the container UTS namespace is well-defined (it will be whatever the
hostname was in the runtime UTS namespace).

This is less of an issue for the mount namespace, because with
root.path REQUIRED, there's no way to avoid clobbering whatever mounts
you got from your seed (which makes not asking for a new mount
namespace exciting ;).

# Hierarchical namespaces

I think "I want this container to run in a new user/pid namespace that
is a child of the runtime user/pid namespace" should be something that
has a portable config expression. Otherwise it becomes very unclear
what to put in the hostID field for (u|g)idMappings, because you don't
know what namespace will be used to interpret the hostIDs.

# Namespace ownership

This is another case where I think specified clarity is essential. A
new network namespace will not be very useful if you don't know who
owns it.

[1]: opencontainers#767 (comment)
[2]: opencontainers#767 (comment)

Signed-off-by: W. Trevor King <wking@tremily.us>

For more background on hierarchical namespaces, see [1].  For more
background on the owning user namespace idea, see [2,3,4]).

These were contentious [5,6], so they weren't part of the previous
commit.  I still think we want to say something about these
relationships.

We already have some of "runtime namespace" conditions (e.g. when a
type is not listed in linux.namespaces[]), so runtimes should already
have implementation-specific wording around what the runtime
namespaces are (we don't explicitly make them implementation-defined,
although we probably should). Anyhow, that's not a new concept added
by this commit.

# Seeded namespaces

For example, if you ask for a new uts namespace but do not set the
optional hostname, having the seed defined means that the hostname in
the container UTS namespace is well-defined (it will be whatever the
hostname was in the runtime UTS namespace).

This is less of an issue for the mount namespace, because with
root.path REQUIRED, there's no way to avoid clobbering whatever mounts
you got from your seed (which makes not asking for a new mount
namespace exciting ;).

# Hierarchical namespaces

I think "I want this container to run in a new user/pid namespace that
is a child of the runtime user/pid namespace" should be something that
has a portable config expression. Otherwise it becomes very unclear
what to put in the hostID field for (u|g)idMappings, because you don't
know what namespace will be used to interpret the hostIDs.

# Namespace ownership

This is another case where I think specified clarity is essential. A
new network namespace will not be very useful if you don't know who
owns it.

[1]: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=a7306ed8d94af729ecef8b6e37506a1c6fc14788
     nsfs: add ioctl to get a parent namespace, 2016-09-06
[2]: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=6786741dbf99e44fb0c0ed85a37582b8a26f1c3b
     nsfs: add ioctl to get owning user namespace for ns file
     descriptor, 2016-09-06
[3]: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e5ff5ce6e20ee22511398bb31fb912466cf82a36
     nsfs: Add an ioctl() to return the namespace type, 2017-01-25
[4]: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=d95fa3c76a66b6d76b1e109ea505c55e66360f3c
     nsfs: Add an ioctl() to return owner UID of a userns, 2017-01-25
[5]: opencontainers#767 (comment)
[6]: opencontainers#767 (comment)

Signed-off-by: W. Trevor King <wking@tremily.us>

For more background on hierarchical namespaces, see [1].  For more
background on the owning user namespace idea, see [2,3,4]).

These were contentious [5,6], so they weren't part of the previous
commit.  I still think we want to say something about these
relationships.

We already have some of "runtime namespace" conditions (e.g. when a
type is not listed in linux.namespaces[]), so runtimes should already
have implementation-specific wording around what the runtime
namespaces are (we don't explicitly make them implementation-defined,
although we probably should). Anyhow, that's not a new concept added
by this commit.

# Seeded namespaces

For example, if you ask for a new uts namespace but do not set the
optional hostname, having the seed defined means that the hostname in
the container UTS namespace is well-defined (it will be whatever the
hostname was in the runtime UTS namespace).

This is less of an issue for the mount namespace, because with
root.path REQUIRED, there's no way to avoid clobbering whatever mounts
you got from your seed (which makes not asking for a new mount
namespace exciting ;).

# Hierarchical namespaces

I think "I want this container to run in a new user/pid namespace that
is a child of the runtime user/pid namespace" should be something that
has a portable config expression. Otherwise it becomes very unclear
what to put in the hostID field for (u|g)idMappings, because you don't
know what namespace will be used to interpret the hostIDs.

# Namespace ownership

This is another case where I think specified clarity is essential. A
new network namespace will not be very useful if you don't know who
owns it.

[1]: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=a7306ed8d94af729ecef8b6e37506a1c6fc14788
     nsfs: add ioctl to get a parent namespace, 2016-09-06
[2]: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=6786741dbf99e44fb0c0ed85a37582b8a26f1c3b
     nsfs: add ioctl to get owning user namespace for ns file
     descriptor, 2016-09-06
[3]: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e5ff5ce6e20ee22511398bb31fb912466cf82a36
     nsfs: Add an ioctl() to return the namespace type, 2017-01-25
[4]: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=d95fa3c76a66b6d76b1e109ea505c55e66360f3c
     nsfs: Add an ioctl() to return owner UID of a userns, 2017-01-25
[5]: opencontainers#767 (comment)
[6]: opencontainers#767 (comment)

Signed-off-by: W. Trevor King <wking@tremily.us>

For more background on hierarchical namespaces, see [1].  For more
background on the owning user namespace idea, see [2,3,4]).

These were contentious [5,6], so they weren't part of the previous
commit.  I still think we want to say something about these
relationships.

We already have some of "runtime namespace" conditions (e.g. when a
type is not listed in linux.namespaces[]), so runtimes should already
have implementation-specific wording around what the runtime
namespaces are (we don't explicitly make them implementation-defined,
although we probably should). Anyhow, that's not a new concept added
by this commit.

# Seeded namespaces

For example, if you ask for a new uts namespace but do not set the
optional hostname, having the seed defined means that the hostname in
the container UTS namespace is well-defined (it will be whatever the
hostname was in the runtime UTS namespace).

This is less of an issue for the mount namespace, because with
root.path REQUIRED, there's no way to avoid clobbering whatever mounts
you got from your seed (which makes not asking for a new mount
namespace exciting ;).

# Hierarchical namespaces

I think "I want this container to run in a new user/pid namespace that
is a child of the runtime user/pid namespace" should be something that
has a portable config expression. Otherwise it becomes very unclear
what to put in the hostID field for (u|g)idMappings, because you don't
know what namespace will be used to interpret the hostIDs.

# Namespace ownership

This is another case where I think specified clarity is essential. A
new network namespace will not be very useful if you don't know who
owns it.

# Glossary changes

In review, Mrunal and others pointed out that the new config-linux
entries overlapped with the existing glossary entry [7].  I've
addressed that in this commit by trimming the glossary entries down to
fix them (namespaces are not all hierarchical and processes aren't
always in leaves).  I've also dropped the handwavy and incorrect
"children" sentence in favor of a link back to config-linux.md and the
more specific RFC 2119 language from this commit.

[1]: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=a7306ed8d94af729ecef8b6e37506a1c6fc14788
     nsfs: add ioctl to get a parent namespace, 2016-09-06
[2]: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=6786741dbf99e44fb0c0ed85a37582b8a26f1c3b
     nsfs: add ioctl to get owning user namespace for ns file
     descriptor, 2016-09-06
[3]: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e5ff5ce6e20ee22511398bb31fb912466cf82a36
     nsfs: Add an ioctl() to return the namespace type, 2017-01-25
[4]: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=d95fa3c76a66b6d76b1e109ea505c55e66360f3c
     nsfs: Add an ioctl() to return owner UID of a userns, 2017-01-25
[5]: opencontainers#767 (comment)
[6]: opencontainers#767 (comment)
[7]: http://ircbot.wl.linuxfoundation.org/meetings/opencontainers/2017/opencontainers.2017-05-10-21.03.log.html#l-115
     But I was talking so my log entries are sparse :/.

Signed-off-by: W. Trevor King <wking@tremily.us>