Uid/gid mapping in different containers

What’s the best practice for uid/gid mapping in different containers? Should they not overlap, or does it not matter? E.g.:

Container 1:
lxc.idmap = u 0 100000 9999
lxc.idmap = g 0 100000 9999

Container 2:
lxc.idmap = u 0 110000 9999
lxc.idmap = g 0 110000 9999

Or can I just use the same mapping for all containers? How safe is it from a security standpoint?

We usually prefer non-overlapping to avoid some issues with shared kernel resources which may cause one container to deplete the entire resource and affect other containers.

There’s no real security concern with re-using the same range but we’d recommend at least using different ranges per tenant if not per container.

We’d also strongly recommend assigning at least 65536 uid/gid per instance to retain POSIX compatibility.
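
A check for the two recommendations in the reply above (non-overlapping host ranges, at least 65536 ids per instance), as an added example that is not part of the original thread or of LXC itself. The container names `c1` to `c4` and the `c3`/`c4` mappings are constructed for illustration; `c1` and `c2` use the mappings from the question.

```python
import re
from itertools import combinations

POSIX_MIN = 65536  # minimum ids per instance recommended in the reply above

# lxc.idmap = <u|g> <container start> <host start> <count>
IDMAP_RE = re.compile(r"^\s*lxc\.idmap\s*=\s*([ug])\s+(\d+)\s+(\d+)\s+(\d+)\s*$")

def parse_idmaps(name, config_text):
    """Return (name, kind, host_start, count) for each lxc.idmap line."""
    maps = []
    for line in config_text.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            kind, _ct_start, host_start, count = m.groups()
            maps.append((name, kind, int(host_start), int(count)))
    return maps

def audit(configs):
    """configs: {container name: config text}. Returns (overlaps, undersized)."""
    maps = [m for name, text in configs.items() for m in parse_idmaps(name, text)]
    # Ranges too small to cover the full 16-bit POSIX id space.
    undersized = sorted({(n, k, c) for n, k, _, c in maps if c < POSIX_MIN})
    overlaps = []
    for (na, ka, sa, ca), (nb, kb, sb, cb) in combinations(maps, 2):
        # Two half-open host ranges [s, s+c) intersect iff each starts
        # before the other ends. Only compare uid with uid, gid with gid.
        if na != nb and ka == kb and sa < sb + cb and sb < sa + ca:
            overlaps.append((ka, na, nb))
    return overlaps, undersized

# Constructed sample configs (c3 and c4 are hypothetical).
SAMPLE = {
    "c1": "lxc.idmap = u 0 100000 9999\nlxc.idmap = g 0 100000 9999\n",
    "c2": "lxc.idmap = u 0 110000 9999\nlxc.idmap = g 0 110000 9999\n",
    "c3": "lxc.idmap = u 0 200000 65536\nlxc.idmap = g 0 200000 65536\n",
    "c4": "lxc.idmap = u 0 230000 65536\nlxc.idmap = g 0 230000 65536\n",
}

if __name__ == "__main__":
    overlaps, undersized = audit(SAMPLE)
    for kind, a, b in overlaps:
        print(f"overlap ({kind}): {a} and {b} share host ids")
    for name, kind, count in undersized:
        print(f"{name}: {kind} range of {count} is below {POSIX_MIN}")
```

The mappings from the question do not overlap but are flagged as undersized; `c3` and `c4` are large enough but collide because their host start values are only 30000 apart.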