Add security.idmap.size support for non-isolated containers #1305

Closed
foxtrotcz opened this issue Oct 14, 2024 · 0 comments
Labels: Documentation (Documentation needs updating), Easy (Good for new contributors), Feature (New feature, not a bug)


foxtrotcz commented Oct 14, 2024

Hello,
I propose adding support for security.idmap.size for non-isolated containers.

Currently, non-isolated containers take all the IDs available in subuid and subgid.
This can be a problem when mixing isolated and non-isolated containers.

Isolated containers each take non-overlapping ID ranges starting with ID 65536.
Non-isolated containers take the whole range starting with ID 0.

This can be a problem because non-isolated containers can affect the ranges of isolated containers.

The ability to use security.idmap.size for non-isolated containers would allow us to restrict them to just the first 65536 IDs, which are not used by isolated containers, and there wouldn't be any overlap.

This way, non-isolated containers could affect each other but couldn't affect any isolated containers.

Related forum post: https://discuss.linuxcontainers.org/t/idmap-behavior-when-setting-unisolated-and-isolated-containers/21769/4

Thanks.
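
The overlap described in this issue, as an added example that is not part of the original post and is not Incus code: a simplified model that computes host ID ranges and reports which non-isolated containers intersect isolated ones, with and without a size limit. The subuid entry `root:1000000:1000000000`, the container names, and the 65536 size of each isolated range are assumptions made for the illustration.

```python
# Added illustration: a simplified model of the ID allocation described in the
# issue. It is not Incus code and does not reproduce Incus's real allocator.
from dataclasses import dataclass
from typing import Optional

ISOLATED_START = 65536  # offset where isolated ranges begin (from the issue)
ISOLATED_SIZE = 65536   # assumed size of each isolated range

@dataclass(frozen=True)
class Container:
    name: str
    isolated: bool
    idmap_size: Optional[int] = None  # models security.idmap.size

def allocate(containers, sub_start, sub_count):
    """Map each container name to its (first, last) host ID."""
    ranges, offset = {}, ISOLATED_START
    for c in containers:
        if c.isolated:
            size = c.idmap_size or ISOLATED_SIZE
            if offset + size > sub_count:
                raise ValueError(f"delegated range exhausted at {c.name}")
            first, offset = sub_start + offset, offset + size
        else:
            # Today: the whole delegated range from offset 0.
            # Proposed: honour idmap_size when it is set.
            size = min(c.idmap_size or sub_count, sub_count)
            first = sub_start
        ranges[c.name] = (first, first + size - 1)
    return ranges

def audit(containers, sub_start=1_000_000, sub_count=1_000_000_000):
    """Return (non_isolated, isolated) pairs whose host ID ranges intersect."""
    r = allocate(containers, sub_start, sub_count)
    shared = [c for c in containers if not c.isolated]
    private = [c for c in containers if c.isolated]
    return [(a.name, b.name) for a in shared for b in private
            if r[a.name][0] <= r[b.name][1] and r[b.name][0] <= r[a.name][1]]

# Constructed sample: subuid entry root:1000000:1000000000, four containers.
CURRENT = [Container("web", False), Container("db", False),
           Container("tenant1", True), Container("tenant2", True)]
PROPOSED = [Container("web", False, 65536), Container("db", False, 65536),
            Container("tenant1", True), Container("tenant2", True)]

if __name__ == "__main__":
    print("current overlaps: ", audit(CURRENT))
    print("proposed overlaps:", audit(PROPOSED))
```

In this model the two non-isolated containers still share the same first 65536 host IDs under the proposed setting, which matches the issue's point that they can affect each other but not the isolated ranges.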

stgraber added the Documentation and Feature labels Oct 18, 2024
stgraber added this to the incus-6.7 milestone Oct 18, 2024
stgraber added the Easy label Oct 18, 2024
stgraber self-assigned this Oct 21, 2024
hallyn closed this as completed in 0ca8dd5 Oct 22, 2024
stgraber added a commit that referenced this issue Dec 4, 2024
…iners

Closes #1305

Signed-off-by: Stéphane Graber <stgraber@stgraber.org>