add namespace check for uid/gid mappings

[Mashimiao]

Signed-off-by: Ma Shimiao mashimiao.fnst@cn.fujitsu.com

[wking]

The phrasing used by existing similar warnings is:

{setting} requires a new {type} namespace to be specified as well

[Mashimiao]

On 08/24/2016 12:50 AM, W. Trevor King wrote:

The phrasing used by existing similar warnings is:

{setting} requires a new {type} namespace to be specified as well

I think container joins into an existing user namespace also can work.
Doesn't it?

[wking]

On Tue, Aug 23, 2016 at 05:58:31PM -0700, Ma Shimiao wrote:

• if (len(spec.Linux.UIDMappings) > 0 || len(spec.Linux.GIDMappings) > 0) && !userExists {

•   msgs = append(msgs, "UID/GID mappings require User namespace exists")
  

08/24/2016 12:50 AM, W. Trevor King:

The phrasing used by existing similar warnings is:

{setting} requires a new {type} namespace to be specified as well

I think container joins into an existing user namespace also can
work. Doesn't it?

The kernel has no problem with join-and-tweak, but the OCI spec does
not allow it at the moment [1,2]. Interestingly, the spec places no
such restriction on namespaces inherited from the host. I've filed
3 to figure out what the runtime-spec maintainers want to do about
that.

[Mashimiao]

Thanks, got it.
Since spec does not allow now, I fixed error message as you suggested.

[wking]

bf50b73 looks good to me. It's taking the (b) approach from 1,
even though the current spec wording doesn't quite match that
interpretation. But it matches the ocitools existing namespace
validation logic, and we can revisit all of that if 1 ends up being
resolved in a different direction.

[mrunalp]

LGTM