Re: RFC(v2): Audit Kernel Container IDs
From: Steve Grubb <hidden>
Date: 2017-12-11 19:37:05
Also in: cgroups, linux-fsdevel, lkml, netdev
On Monday, December 11, 2017 11:30:57 AM EST Eric Paris wrote:
> Because a container doesn't have to use namespaces to be a container you
> still need a mechanism for a process to declare that it is in fact in a
> container, and to identify the container.
>
> I like the idea but I'm still tossing it around in my head (and thinking
> about Casey's statement too). Let's say we have a 'docker-like' container
> with pid=100 netns=X,userns=Y,mountns=Z. If I'm on the host in all init
> namespaces and I run
>
>   nsenter -t 100 -n ip link set eth0 promisc on
>
> How should this be logged?

If it is a normal process, then everything would match the init name space and you wouldn't have entered a container. If it were a container, any generated event should have the container ID from registration attached to it.

> Did this command run in its own 'container' unrelated to the 'docker-like'
> container?

That should be determined by what's in the task struct.

-Steve
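The reply above hinges on whether a task's namespaces "match the init name space". The following is an added example, not code from this thread or from the audit container-ID patches: a user-space script that reads the namespace identifiers a kernel exposes under /proc/<pid>/ns/* and compares a task against both the init namespaces and a registered 'docker-like' container. The inode numbers in the sample data are constructed, and the `classify` labels ("host", "container", "partial") are this example's own naming. It shows why the `nsenter -t 100 -n` case in the discussion is ambiguous: the task matches init in every namespace but net, and matches the container in nothing but net, so neither "it is the host" nor "it is container 100" follows from the namespace set alone, which is the point of the thread's argument for an explicit container ID carried in the task struct.

```python
"""Compare a task's namespaces against init and a container (added example)."""
import os
from typing import Dict, List

# Namespace types exposed as symlinks under /proc/<pid>/ns on current kernels.
NAMESPACES = ("cgroup", "ipc", "mnt", "net", "pid", "user", "uts")


def read_ns(pid: int) -> Dict[str, str]:
    """Read the namespace identifiers of a live process from /proc/<pid>/ns/*.

    Each symlink resolves to a string such as 'net:[4026531993]'; the number is
    the inode that identifies the namespace. Types that cannot be read (older
    kernel, insufficient permission) are simply omitted.
    """
    ns: Dict[str, str] = {}
    for name in NAMESPACES:
        try:
            ns[name] = os.readlink(f"/proc/{pid}/ns/{name}")
        except OSError:
            pass
    return ns


def differing_namespaces(task_ns: Dict[str, str], ref_ns: Dict[str, str]) -> List[str]:
    """Namespace types (present in both maps) in which task_ns differs from ref_ns."""
    return sorted(n for n in task_ns if n in ref_ns and task_ns[n] != ref_ns[n])


def classify(task_ns: Dict[str, str], init_ns: Dict[str, str],
             container_ns: Dict[str, str]) -> str:
    """'host' if the task matches init in every namespace, 'container' if it
    matches the registered container in every namespace, else 'partial'."""
    if not differing_namespaces(task_ns, init_ns):
        return "host"
    if not differing_namespaces(task_ns, container_ns):
        return "container"
    return "partial"


def _ns(**inodes: int) -> Dict[str, str]:
    """Build a /proc-style namespace map from constructed inode numbers."""
    return {name: f"{name}:[{ino}]" for name, ino in inodes.items()}


# Constructed sample data; the inode numbers are made up for the example.
INIT_NS = _ns(cgroup=4026531835, ipc=4026531839, mnt=4026531840,
              net=4026531993, pid=4026531836, user=4026531837, uts=4026531838)

# The thread's 'docker-like' container (pid=100): own net, user and mnt
# namespaces (and its own pid namespace); everything else inherited from init.
CONTAINER_NS = dict(INIT_NS, **_ns(mnt=4026532100, net=4026532101,
                                   pid=4026532102, user=4026532103))

# A host process after `nsenter -t 100 -n`: only the network namespace changed.
NSENTER_NET_NS = dict(INIT_NS, net=CONTAINER_NS["net"])


def demo() -> Dict[str, str]:
    """Classify the three cases discussed in the thread."""
    return {
        "plain host process": classify(INIT_NS, INIT_NS, CONTAINER_NS),
        "process inside container": classify(CONTAINER_NS, INIT_NS, CONTAINER_NS),
        "nsenter -n from host": classify(NSENTER_NET_NS, INIT_NS, CONTAINER_NS),
    }


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label}: {verdict}")
    print("nsenter task vs init differs in:",
          differing_namespaces(NSENTER_NET_NS, INIT_NS))
    print("nsenter task vs container differs in:",
          differing_namespaces(NSENTER_NET_NS, CONTAINER_NS))
    # Live check (Linux only): compare this process against PID 1.
    if os.path.isdir("/proc/1/ns"):
        print("self vs init differs in:",
              differing_namespaces(read_ns(os.getpid()), read_ns(1)))
```

Run with `python3 ns_compare.py` on Linux; the live check at the end needs read access to /proc/1/ns, which is normally restricted to root, and degrades to an empty comparison otherwise. The mapping from namespace membership to a container identity is exactly what the script cannot decide in the "partial" case, which is why the thread wants the ID to come from an explicit registration recorded on the task rather than be inferred from namespaces.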