Idmap behavior when setting unisolated and isolated containers

Hi,
Just want to ask if these two behaviors of mapping UIDs and GIDs are by design.

  1. Minimum subuid range for working isolated containers is: 65536 + (65536 * number of isolated containers) + 1
    I understand that 65536 is the minimum to get unisolated containers working because 65536 is the minimum for a container to be POSIX compliant and work correctly, as described here in the docs.
    I would expect that 65536 is also the minimum range for each isolated container. So for example, for two isolated containers I would expect the first range of 65536 to be taken by unisolated containers and the next 2 * 65536 by the two isolated ones. The total range would then be 3 * 65536 = 196608.
    But if I set root:100000:196608 in subuid and subgid, Incus can't run the second isolated container. I need to set root:100000:196609 for the second container to work. Is this correct? I just don't understand where that +1 in the range comes from.

  2. If I set root:100000:196609 and run both unisolated and isolated containers, then inside the unisolated container config /run/incus/container/lxc.conf I see the setting lxc.idmap = u 0 1000000 196609
    This seems to me like by default an unisolated container can use the same UIDs as isolated ones and therefore can affect them. Is this by design?
    I thought unisolated containers would all be set as lxc.idmap = u 0 1000000 65536 by default, so they would be able to affect other unisolated containers but not isolated containers.

Thanks.

  1. That feels like a bug. Would be worth filing it at https://github.com/lxc/incus/issues so we can keep track of it.
  2. Is correct, unisolated containers get the entire allocation, so you usually don’t want to mix and match both types, if going isolated you want everything on the system to be isolated.
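The point in answer 2 (an unisolated container's lxc.idmap covers the whole host allocation, so its host UIDs/GIDs coincide with those of every isolated container) is easy to verify on a host. The following is an added example, not Incus project code or anything posted in this thread: it parses the `lxc.idmap = u|g <container-id> <host-id> <count>` lines that Incus writes into each container's generated lxc.conf and the `root:<start>:<count>` line from /etc/subuid or /etc/subgid, then checks whether every mapped host range fits inside the allocation and which containers share host IDs. The container names, the conf text and the exact start offsets of the isolated ranges below are constructed sample data, not values read from a real host; the assumption that isolated containers are laid out in consecutive 65536 blocks after the first one matches the thread's description but is an assumption here.

```python
"""Audit Incus/LXC idmap ranges for overlap between containers (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Matches the idmap syntax LXC uses in lxc.conf, e.g. "lxc.idmap = u 0 1000000 196609".
IDMAP_RE = re.compile(r"^\s*lxc\.idmap\s*=\s*([ug])\s+(\d+)\s+(\d+)\s+(\d+)\s*$")


@dataclass(frozen=True)
class IdMap:
    kind: str          # "u" for UIDs, "g" for GIDs
    container_id: int  # first id inside the container
    host_id: int       # host id that container_id maps to
    count: int         # number of ids in the range

    @property
    def host_end(self) -> int:
        # Exclusive upper bound on the host side.
        return self.host_id + self.count


def parse_idmap_line(line: str) -> IdMap | None:
    m = IDMAP_RE.match(line)
    if not m:
        return None
    kind, cid, hid, count = m.groups()
    return IdMap(kind, int(cid), int(hid), int(count))


def parse_lxc_conf(text: str) -> list[IdMap]:
    """Extract every lxc.idmap entry from a generated lxc.conf; other keys are ignored."""
    return [m for m in (parse_idmap_line(l) for l in text.splitlines()) if m is not None]


def parse_subid_line(line: str, user: str = "root") -> tuple[int, int]:
    """Parse an /etc/subuid or /etc/subgid line such as "root:1000000:196609"."""
    name, start, count = line.strip().split(":")
    if name != user:
        raise ValueError(f"expected allocation for {user!r}, got {name!r}")
    return int(start), int(count)


def fits_allocation(maps: list[IdMap], alloc_start: int, alloc_count: int) -> bool:
    """True when every host range lies inside [alloc_start, alloc_start + alloc_count)."""
    alloc_end = alloc_start + alloc_count
    return all(alloc_start <= m.host_id and m.host_end <= alloc_end for m in maps)


def overlaps(a: IdMap, b: IdMap) -> bool:
    # Two half-open host ranges of the same kind intersect iff each starts before the other ends.
    return a.kind == b.kind and a.host_id < b.host_end and b.host_id < a.host_end


def shared_host_ids(containers: dict[str, list[IdMap]]) -> list[tuple[str, str, str]]:
    """Return sorted (container_a, container_b, kind) for every pair that shares host ids."""
    names = sorted(containers)
    hits = set()
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            for ma in containers[a]:
                for mb in containers[b]:
                    if overlaps(ma, mb):
                        hits.add((a, b, ma.kind))
    return sorted(hits)


# ---- constructed sample data (not taken from a real host) ----------------------
SUBUID_LINE = "root:1000000:196609"
CONTAINERS = {
    # unisolated: gets the whole allocation, as described in the thread
    "plain": "lxc.idmap = u 0 1000000 196609\nlxc.idmap = g 0 1000000 196609\n",
    # isolated: assumed to be placed in consecutive 65536 blocks after the first one
    "iso-a": "lxc.idmap = u 0 1065536 65536\nlxc.idmap = g 0 1065536 65536\n",
    "iso-b": "lxc.idmap = u 0 1131072 65536\nlxc.idmap = g 0 1131072 65536\n",
}


def audit(subid_line: str, confs: dict[str, str]) -> dict:
    """Run both checks and return the findings as plain data."""
    start, count = parse_subid_line(subid_line)
    parsed = {name: parse_lxc_conf(text) for name, text in confs.items()}
    every_map = [m for ms in parsed.values() for m in ms]
    return {
        "allocation": (start, count),
        "fits": fits_allocation(every_map, start, count),
        "shared": shared_host_ids(parsed),
    }


if __name__ == "__main__":
    report = audit(SUBUID_LINE, CONTAINERS)
    print(f"allocation root:{report['allocation'][0]}:{report['allocation'][1]} "
          f"fits all maps: {report['fits']}")
    for a, b, kind in report["shared"]:
        print(f"{a} and {b} share host {'UIDs' if kind == 'u' else 'GIDs'}")
```

On a real host you would feed it the `root:` line from /etc/subuid and the text of each container's generated lxc.conf. With the sample data the unisolated container is reported as sharing both UIDs and GIDs with each isolated one, while the two isolated containers do not share anything; shrinking the unisolated map to 65536 ids (the proposal later in this thread) makes the overlap report empty.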
  1. I filed the issue and actually discovered another: Strange behavior of idmapping for unprivileged isolated containers · Issue #1294 · lxc/incus · GitHub

  2. I think this could be solved by being able to set security.idmap.size on unisolated containers so they don't go into the range of the isolated ones. This way there would be no problem mixing them.
    Is this something you would consider? I can file feature request.

Thanks.

Yeah, having security.idmap.size still apply to non-isolated would be fine.
Feel free to file a feature request for that.