From 0ca8dd5174a02b11960fae72ce7ee0d4bdcc9b91 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?=
Date: Mon, 21 Oct 2024 15:57:30 -0400
Subject: [PATCH] incusd/isntance/lxc: Respect restrict.idmap.size on un-isolated containers
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Closes #1305

Signed-off-by: Stéphane Graber
---
 internal/server/instance/drivers/driver_lxc.go | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/internal/server/instance/drivers/driver_lxc.go b/internal/server/instance/drivers/driver_lxc.go
index a2595d92a43..89f4447fc81 100644
--- a/internal/server/instance/drivers/driver_lxc.go
+++ b/internal/server/instance/drivers/driver_lxc.go
@@ -479,9 +479,27 @@ func findIdmap(s *state.State, cName string, isolated bool, configBase string, c
 }
 
 if !isolated {
+ // Create a new set based from the global one.
 newIdmapset := idmap.Set{Entries: make([]idmap.Entry, len(s.OS.IdmapSet.Entries))}
 copy(newIdmapset.Entries, s.OS.IdmapSet.Entries)
 
+ // Restrict the range sizes if specified.
+ if configSize != "" {
+ size, err := idmapSize(s, isolated, configSize)
+ if err != nil {
+ return nil, 0, err
+ }
+
+ for k, ent := range newIdmapset.Entries {
+ if ent.MapRange < size {
+ continue
+ }
+
+ newIdmapset.Entries[k].MapRange = size
+ }
+ }
+
+ // Apply the raw idmap entries.
 for _, ent := range rawMaps.Entries {
 err := newIdmapset.AddSafe(ent)
 if err != nil && err == idmap.ErrHostIDIsSubID {
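Review bot: The capping loop inside the new `if configSize != ""` block rewrites `MapRange` even when it already equals `size`, and its safety rests on `idmapSize` never returning 0 or a negative value, which this hunk does not show; if it can, every entry of the copied global set collapses to an empty range and the container ends up with no usable ID mapping. A positive guard reads more directly and skips the no-op assignment: `if ent.MapRange > size { newIdmapset.Entries[k].MapRange = size }` in place of the `continue` form. The comment above the loop should also record that the limit is applied to each entry of the global set independently (uid and gid entries alike) rather than to their total, e.g. `// Cap every entry of the global set at restrict.idmap.size (per entry, not in aggregate).`, since that is the property an operator relying on the restriction will want to know. findIdmap begins before this hunk and continues past it, so how the restricted set is consumed afterwards is not visible here.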