On Thu, 2006-12-14 at 09:36 -0600, Serge E. Hallyn wrote:
> one container corresponds to one nsproxy which is one set of namespaces.

One container has at least one nsproxy associated with it. Did you mean to say here that each container has one and only one nsproxy?

> As I said, once a process is in a container, it never leaves that
> container. It only enters additional ones. That model fits everyone's
> needs, without needing some funky API.

This makes logical sense to me. In practice this has the feel of ptracing, where the ptracer becomes a temporary parent of the tracee. The process entering a container temporarily becomes a member of that container, but it doesn't completely _stop_ being a member of its container. The real_parent of a process being ptraced may not be doing all of the parental duties during a ptrace, but it doesn't _stop_ being the real_parent.

Maybe I'm stretching the analogy too far :)

--
Dave