Add security.idmap.size support for non-isolated containers
Hello,
I propose adding support for security.idmap.size for non-isolated containers.
Currently non-isolated containers take all the IDs available in subuid and subgid.
This can be a problem when mixing isolated and non-isolated containers.
Isolated containers each take non-overlapping ID ranges starting at ID 65536.
Non-isolated containers take the whole range starting at ID 0.
This can be a problem because non-isolated containers can affect the ranges of isolated containers.
The ability to use security.idmap.size for non-isolated containers would allow us to restrict them to just the first 65536 IDs, which are not used by isolated containers, so there wouldn't be any overlap.
This way non-isolated containers could affect each other but couldn't affect any isolated containers.
Related forum post: https://discuss.linuxcontainers.org/t/idmap-behavior-when-setting-unisolated-and-isolated-containers/21769/4
Thanks.
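The allocation behaviour described in this issue, modelled as a small added example (not LXD/Incus code): offsets are relative to the start of the daemon's subuid range, isolated containers get consecutive 65536-ID slots beginning at offset 65536, and a non-isolated container gets the whole range unless the proposed security.idmap.size is honoured. The overlap check is the kind of audit a host operator could run over real container configs.

```python
# Added example: simplified model of LXD/Incus idmap allocation as described
# in the issue. Range bases and container names are constructed for illustration.
ISOLATED_BASE = 65536          # first offset handed to isolated containers
DEFAULT_ISOLATED_SIZE = 65536  # size of each isolated container's slot


def allocate_idmaps(containers, subuid_range):
    """Return {name: (host_start, size)} for a list of containers.

    containers: list of (name, isolated, idmap_size); idmap_size None means
    "not set". subuid_range: (start, count) as in /etc/subuid for the daemon.
    Non-isolated containers with a size use the proposed behaviour; without
    one they keep the current behaviour of taking the entire range.
    """
    sub_start, sub_count = subuid_range
    next_isolated = ISOLATED_BASE
    maps = {}
    for name, isolated, size in containers:
        if isolated:
            size = size or DEFAULT_ISOLATED_SIZE
            offset = next_isolated
            next_isolated += size  # next isolated container gets the next slot
        else:
            offset = 0             # non-isolated containers always start at 0
            size = size or sub_count
        if offset + size > sub_count:
            raise ValueError(f"{name}: idmap exceeds available subuid range")
        maps[name] = (sub_start + offset, size)
    return maps


def overlapping_pairs(maps):
    """Return sorted pairs of container names whose host ID ranges intersect."""
    names = sorted(maps)
    pairs = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            sa, na = maps[a]
            sb, nb = maps[b]
            if sa < sb + nb and sb < sa + na:   # half-open interval overlap
                pairs.append((a, b))
    return pairs


# Constructed sample: a host with subuid "lxd:1000000:1000000".
SUBUID = (1000000, 1000000)
CURRENT = [("iso1", True, None), ("iso2", True, None), ("plain", False, None)]
PROPOSED = [("iso1", True, None), ("iso2", True, None), ("plain", False, 65536)]

if __name__ == "__main__":
    print("current: ", overlapping_pairs(allocate_idmaps(CURRENT, SUBUID)))
    print("proposed:", overlapping_pairs(allocate_idmaps(PROPOSED, SUBUID)))
```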