I agree the docs as they are currently could certainly be clarified.
However, the proposed change here is not correct.
When security.privileged is enabled, this disables the user namespace, which will have the effect of ignoring the security.idmap and raw.idmap themed settings.
The project's restricted.containers.privilege=isolated means to only allow containers to run with their own isolated idmap range (rather than a shared range), and should be used without enabling security.privileged.
My understanding is that the reason why security.privileged and the idmap-related settings can be enabled at the same time is to accommodate using the idmap settings in a profile and then selectively enabling privileged mode on just selected container(s).
However, I think we can do better around validation of security.privileged and the idmap settings when both are coming from a profile.
Yes, I misread the code. I think this would be accurate: "When set to isolated, security.idmap.isolated must be set to true and security.privileged cannot be set to true." As it is now, I understood it to mean that both options must not be set to true.
I think that should say something like "When set to isolated, security.idmap.isolated must be set to true if security.privileged is set to true."
Document: reference/projects.md
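The interaction discussed in this thread, as an added example that is not LXD's code and not written by any participant: a hypothetical audit helper that merges profile and instance config and flags idmap settings that privileged mode would ignore, plus violations of `restricted.containers.privilege=isolated`. The function names, finding codes, accepted boolean spellings and the exact `isolated` rule (taken from the wording proposed in the thread) are assumptions.

```python
# Added example: hypothetical audit helper, not LXD code.
TRUE_VALUES = {"true", "1", "yes", "on"}  # assumed boolean spellings


def is_true(value):
    return str(value).strip().lower() in TRUE_VALUES


def effective_config(profiles, instance):
    """Merge profile configs in order, then apply the instance's own keys."""
    merged = {}
    for profile in profiles:
        merged.update(profile)
    merged.update(instance)
    return merged


def audit(project_privilege, profiles, instance):
    """Return (code, detail) findings for one container's effective config."""
    cfg = effective_config(profiles, instance)
    privileged = is_true(cfg.get("security.privileged", "false"))
    idmap_keys = sorted(
        k for k in cfg if k.startswith("security.idmap") or k == "raw.idmap"
    )
    findings = []
    if privileged and idmap_keys:
        # Privileged mode disables the user namespace, so these have no effect.
        findings.append(("ignored-idmap", ", ".join(idmap_keys)))
    if project_privilege == "isolated":
        # Assumed rule, following the wording proposed in the thread.
        if privileged:
            findings.append(("privileged-forbidden", "security.privileged=true"))
        if not is_true(cfg.get("security.idmap.isolated", "false")):
            findings.append(("isolated-required", "security.idmap.isolated is not true"))
    return findings


if __name__ == "__main__":
    # Constructed sample: idmap set in a profile, privileged enabled on one instance.
    profile = {"security.idmap.isolated": "true"}
    for name, inst in [("c1", {}), ("c2", {"security.privileged": "true"})]:
        print(name, audit("isolated", [profile], inst))
```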