Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add security.idmap.size support for non-isolated containers #1305

Closed
foxtrotcz opened this issue Oct 14, 2024 · 0 comments
Closed

Add security.idmap.size support for non-isolated containers #1305

foxtrotcz opened this issue Oct 14, 2024 · 0 comments
Assignees
@stgraber
Labels
Documentation Documentation needs updating Easy Good for new contributors
Milestone
incus-6.7

Comments

@foxtrotcz
Copy link
Contributor

foxtrotcz commented Oct 14, 2024
edited
Loading

Hello,
I propose adding support of security.idmap.size for non-isolated containers.

Currently non-isolated containers take all the IDs available in subuid and subgid.
This can be problem when mixing isolated and non-isolated containers.

Isolated containers take each non-overlapping ID ranges starting with ID 65536.
Non-isolated containers take all the range starting with ID 0.

This can be problem because non-isolated can affect ranges of isolated containers.

Ability to use security.idmap.size for non-isolated containers would allow us to restrict them just to first 65536 IDs which are not used by isolated containers and there wouldnt by any overlap.

This way non-isolated containers could affect each other but couldnt affect any isolated containers.

Related forum post: https://discuss.linuxcontainers.org/t/idmap-behavior-when-setting-unisolated-and-isolated-containers/21769/4

Thanks.
@stgraber stgraber added Documentation Documentation needs updating Feature labels Oct 18, 2024
@stgraber stgraber added this to the incus-6.7 milestone Oct 18, 2024
@stgraber stgraber added the Easy Good for new contributors label Oct 18, 2024
@stgraber stgraber self-assigned this Oct 21, 2024
@hallyn hallyn closed this as completed in 0ca8dd5 Oct 22, 2024
stgraber added a commit that referenced this issue Dec 4, 2024
@stgraber
incusd/isntance/lxc: Respect restrict.idmap.size on un-isolated conta…
96061d9 
…iners

Closes #1305

Signed-off-by: Stéphane Graber <stgraber@stgraber.org>
bketelsen pushed a commit to bketelsen/incus that referenced this issue Feb 4, 2025
@stgraber @bketelsen
incusd/isntance/lxc: Respect restrict.idmap.size on un-isolated conta…
133cc0e 
…iners

Closes lxc#1305

Signed-off-by: Stéphane Graber <stgraber@stgraber.org>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@stgraber stgraber

Labels
Documentation Documentation needs updating Easy Good for new contributors
Milestone
incus-6.7
Development

No branches or pull requests
2 participants
@stgraber @foxtrotcz