On Monday, December 11, 2017 11:30:57 AM EST Eric Paris wrote:
> > Because a container doesn't have to use namespaces to be a container
> > you still need a mechanism for a process to declare that it is in
> > fact in a container, and to identify the container.
>
> I like the idea but I'm still tossing it around in my head (and
> thinking about Casey's statement too). Let's say we have a 'docker-like'
> container with pid=100 netns=X,userns=Y,mountns=Z. If I'm on the host
> in all init namespaces and I run
>
>     nsenter -t 100 -n ip link set eth0 promisc on
>
> How should this be logged?

If it is a normal process, then everything would match the init namespace and you wouldn't have entered a container. If it were a container, any generated event should have the container ID from registration attached to it.

> Did this command run in its own 'container' unrelated to the 'docker-like'
> container?

That should be determined by what's in the task struct.

-Steve
--
To unsubscribe from this list: send the line "unsubscribe cgroups" in the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
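The namespace comparison Steve describes ("everything would match the init namespace"), as an added example that is not code from this thread or from the audit container-ID patches under discussion. It reads the /proc/<pid>/ns/* symlinks, whose targets look like net:[4026531993], and compares inode numbers between a task and init. The sample tables are constructed to mirror Eric's scenario (a 'docker-like' container at pid 100 with its own net, user and mount namespaces, and a host shell that nsenter'd only the net namespace); the inode numbers are made up, and the audit_container_id parameter is a hypothetical stand-in for the registered container ID, not a real kernel interface.

```python
"""Classify a task by comparing its namespaces with init's (added example).

/proc/<pid>/ns/<type> is a symlink whose target reads like
"net:[4026531993]"; two tasks are in the same namespace of that type
when the bracketed inode numbers are equal.  read_task_namespaces()
needs a Linux /proc; everything else is pure logic over parsed tables.
"""
import os
import re

NS_TYPES = ("cgroup", "ipc", "mnt", "net", "pid", "user", "uts")
_NS_LINK = re.compile(r"^(?P<type>[a-z_]+):\[(?P<ino>\d+)\]$")


def parse_ns_link(target):
    """Parse a /proc/<pid>/ns symlink target such as 'net:[4026531993]'."""
    m = _NS_LINK.match(target)
    if m is None:
        raise ValueError("not a namespace link target: %r" % target)
    return m.group("type"), int(m.group("ino"))


def read_task_namespaces(pid, proc="/proc"):
    """Return {ns_type: inode} for a live task (Linux only).

    Namespace types the running kernel lacks, or links we are not allowed
    to read, are skipped rather than treated as an error.
    """
    table = {}
    for ns in NS_TYPES:
        try:
            target = os.readlink(os.path.join(proc, str(pid), "ns", ns))
        except OSError:
            continue
        ns_type, ino = parse_ns_link(target)
        table[ns_type] = ino
    return table


def namespaces_differing_from_init(task_ns, init_ns):
    """Namespace types in which the task is not in init's namespace."""
    return sorted(t for t, ino in task_ns.items() if init_ns.get(t) != ino)


def shared_non_init_namespaces(task_a, task_b, init_ns):
    """Types where two tasks share a namespace that is not init's."""
    return sorted(
        t for t, ino in task_a.items()
        if task_b.get(t) == ino and init_ns.get(t) != ino
    )


def classify_task(task_ns, init_ns, audit_container_id=None):
    """Apply Steve's rule from the thread.

    audit_container_id is a hypothetical stand-in for the container ID a
    runtime registered for this task (carried in the task struct).  Without
    it, a task whose namespaces all match init is plainly a host process,
    while one that differs only partially (Eric's nsenter case) cannot be
    resolved from namespaces alone.
    """
    if audit_container_id is not None:
        return ("container", audit_container_id)
    if not namespaces_differing_from_init(task_ns, init_ns):
        return ("host", None)
    return ("ambiguous", None)


# Constructed sample tables (made-up inode numbers, not from any real host):
# init's namespaces, the 'docker-like' container at pid 100 with
# netns=X, userns=Y, mountns=Z, and a host shell that ran
# "nsenter -t 100 -n ..." and therefore shares only the net namespace.
INIT_NS = {"cgroup": 4026531835, "ipc": 4026531839, "mnt": 4026531840,
           "net": 4026531993, "pid": 4026531836, "user": 4026531837,
           "uts": 4026531838}
X, Y, Z = 4026532500, 4026532501, 4026532502
CONTAINER_NS = dict(INIT_NS, net=X, user=Y, mnt=Z)
NSENTER_NS = dict(INIT_NS, net=X)

if __name__ == "__main__":
    print("nsenter task differs from init in:",
          namespaces_differing_from_init(NSENTER_NS, INIT_NS))
    print("shared with container (non-init):",
          shared_non_init_namespaces(NSENTER_NS, CONTAINER_NS, INIT_NS))
    print("classification without registration:",
          classify_task(NSENTER_NS, INIT_NS))
    print("container task with registered ID:",
          classify_task(CONTAINER_NS, INIT_NS, "docker-like-1"))
    if os.path.isdir("/proc/self/ns"):
        print("this process vs init:",
              namespaces_differing_from_init(read_task_namespaces("self"),
                                             read_task_namespaces(1)))
```

Run on a Linux host the last branch compares the current shell against pid 1; inside a container it typically reports mnt, pid, net and (with user namespaces) user as differing. The point of the constructed cases is the middle one: the nsenter'd process differs from init only in net, shares exactly that namespace with the container, and a namespace-only view can say neither "host" nor "which container", which is why the thread wants the ID carried by the task itself.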