What’s the best practice for uid/gid mapping in different containers? Should they not overlap or it doesn’t matter? E.g.:
Containter 1:
lxc.idmap = u 0 100000 9999
lxc.idmap = g 0 100000 9999Containter 2:
lxc.idmap = u 0 110000 9999
lxc.idmap = g 0 110000 9999
Or I can just use the same mapping for all containers? How safe is it from a security standpoint?
We usually prefer non-overlapping to avoid some issues with shared kernel resources which may cause one container to deplete the entire resource and affect other containers.
There’s no real security concern with re-using the same range but we’d recommend at least using different ranges per tenant if not per container.
We’d also strongly recommend assigning at least 65536 uid/gid per instance to retain POSIX compatibility.