/etc/subuid and /etc/subgid need to have at least 65536 entries for the root user or you’ll end up with non-functional containers.
So at a minimum you need something like:
Then if you also need LXD to be able to map the uid 1000 inside of containers, you need to append:
And yeah, that comes with a security downside. Once a container has its raw.idmap set up to make use of that host uid 1000, it will allow the container to run actual processes as that user, which means it can use ulimit to apply system-wide restrictions to the uid, potentially impacting processes in other containers or even on the host.
Also, in the unlikely event of a kernel issue allowing an escape from the container, rather than only having uids and gids which are unused on the host and so don’t have write permissions anywhere, you’ll now be able to use that uid 1000, which actually has some amount of write access to the host.
It’s usually not much of a concern as such uid sharing is often done to purposefully expose such writable space over to the container in the first place, but it’s something to keep in mind.
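A check for the two points made above (root holding at least 65536 subordinate ids, and whether any of root's delegated ranges overlaps a real host account such as uid 1000), written as an added example that is not part of the original post; the `/etc/subuid` content and the host account list are constructed sample data, not read from a live system.

```python
# Added example: parse /etc/subuid-style lines and check (a) that root has
# at least 65536 subordinate ids and (b) which real host accounts fall
# inside root's delegated ranges (the raw.idmap caveat described above).
MIN_IDS = 65536

# Constructed sample: the usual 65536-id range plus a one-id mapping of
# host uid 1000, as needed for a raw.idmap of that uid.
SAMPLE_SUBUID = """\
root:1000000:65536
root:1000:1
alice:165536:65536
"""

# Constructed sample of real host accounts (name -> uid), as /etc/passwd gives.
SAMPLE_HOST_ACCOUNTS = {"root": 0, "alice": 1000, "bob": 1001}


def parse_subid(text):
    """Parse name:start:count lines into {name: [(start, count), ...]}."""
    ranges = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, start, count = line.split(":")
        ranges.setdefault(name, []).append((int(start), int(count)))
    return ranges


def total_ids(ranges, name="root"):
    """Total number of subordinate ids delegated to `name`."""
    return sum(count for _, count in ranges.get(name, []))


def has_enough_ids(ranges, name="root", minimum=MIN_IDS):
    """True when `name` holds at least `minimum` subordinate ids."""
    return total_ids(ranges, name) >= minimum


def shared_host_ids(ranges, host_accounts, name="root"):
    """Host accounts whose uid lies inside one of `name`'s delegated ranges."""
    shared = {}
    for acct, uid in host_accounts.items():
        for start, count in ranges.get(name, []):
            if start <= uid < start + count:
                shared[acct] = uid
    return shared


if __name__ == "__main__":
    r = parse_subid(SAMPLE_SUBUID)
    print("root ids:", total_ids(r), "enough:", has_enough_ids(r))
    print("host accounts inside root's ranges:", shared_host_ids(r, SAMPLE_HOST_ACCOUNTS))
```

Point `parse_subid` at the real file contents (and `SAMPLE_HOST_ACCOUNTS` at the host's passwd entries) to see whether a given raw.idmap exposes an account that actually owns files on the host.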