Skip to content

Commit c373fc4

Browse files
wkingwking
committed
config: Explicit container namespace for uid, gid, and additionalGids
In the degenerate case where the container does not create a user namespace, the "container namespace" distinction is unimportant, but the phrasing is still accurate (the container and runtime namespaces are the same). Signed-off-by: W. Trevor King <[email protected]>
1 parent 7ab816a commit c373fc4

File tree

1 file changed

+9
-3
lines changed

1 file changed

+9
-3
lines changed

config.md

Lines changed: 9 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -112,9 +112,10 @@ The user for the process is a platform-specific structure that allows specific c
112112

113113
For Linux-based systems the user structure has the following fields:
114114

115-
* **`uid`** (int, required) specifies the user id.
116-
* **`gid`** (int, required) specifies the group id.
117-
* **`additionalGids`** (array of ints, optional) specifies additional group ids to be added to the process.
115+
* **`uid`** (int, required) specifies the user ID in the [container namespace][container-namespace].
116+
For example, if a user has UID 1000 in their current namespace, and [starts][start] a container with a new [user namespace][namespaces] [mapping][user-namespace-mappings] the [runtime-namespace][] UID 1000 to the [container-namespace][] UID 0, they should set `uid` to 0 to have the process execute as 0 in container namespace (which will be 1000 in the runtime namespace).
117+
* **`gid`** (int, required) specifies the group ID in the [container namespace][container-namespace].
118+
* **`additionalGids`** (array of ints, optional) specifies additional group IDs (in the [container namespace][container-namespace]) to be added to the process.
118119

119120
_Note: symbolic name for uid and gid, such as uname and gname respectively, are left to upper levels to derive (i.e. `/etc/passwd` parsing, NSS, etc)_
120121

@@ -637,5 +638,10 @@ Here is a full example `config.json` for reference.
637638
}
638639
```
639640

641+
[container-namespace]: glossary.md#container-namespace
642+
[namespaces]: config-linux.md#namespaces
643+
[runtime-namespace]: glossary.md#runtime-namespace
644+
[start]: runtime.md#start
645+
[user-namespace-mappings]: config-linux#user-namespace-mappings
640646

641647
[uts-namespace]: http://man7.org/linux/man-pages/man7/namespaces.7.html

0 commit comments

Comments
 (0)