On 12/11/2017 8:30 AM, Eric Paris wrote: > On Sat, 2017-12-09 at 10:28 -0800, Casey Schaufler wrote: >> Because a container doesn't have to use namespaces to be a container >> you still need a mechanism for a process to declare that it is in >> fact >> in a container, and to identify the container. > I like the idea but I'm still tossing it around in my head (and > thinking about Casey's statement too). Lets say we have a 'docker-like' > container with pid=100 netns=X,userns=Y,mountns=Z. If I'm on the host > in all init namespaces and I run > nsenter -t 100 -n ip link set eth0 promisc on > How should this be logged? Did this command run in it's own 'container' > unrelated to the 'docker-like' container? Jose Bollo's PTAGS ( https://gitlab.com/jobol/ptags ) would be prefect. Any time you declare something to be a container or enter a namespace you slap a tag on it. Identifying nested containers would be easy, you'd have multiple tags. PTAGS unfortunately needs module stacking, but how hard could that be? > -Eric -- To unsubscribe from this list: send the line "unsubscribe cgroups" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
