This implements the algorithm proposed in
https://github.com/containers/storage/issues/852#issuecomment-798954173,
which is:

1. find available IDs from subuid/subgid file; by subtracting the used
   IDs (from other containers) as well as additional IDs, we get the IDs
   available to allocate;
2. target ID range is [0, requestedSize), subtract the additional IDs;
3. allocate IDs from range in step 1; the number to allocate is the
   number of IDs in step 2;
4. generate a mapping from IDs in step 3 to the ones in step 2.

Closes: https://github.com/containers/storage/issues/852
Signed-off-by: Kan Li <likan@google.com>

The logic of range subtraction [a,b)-[c,d) can be viewed as intersection
of [a,b) with (-inf, c) and [d, +inf), respectively. This makes the
logic simpler, in that we no longer need to check 5 different cases.
It also fixes bugs that return an incorrect range.

Closes #763
Signed-off-by: Kan Li <likan@google.com>

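The four allocation steps and the range-subtraction rule from the two commit messages above, as an added Go example (not code from containers/storage). All type and function names are hypothetical, and passing the additional mappings as separate host-side and container-side range lists is an assumption.

```go
package main

import "fmt"

// Illustration only, names are hypothetical. Uses the Go 1.21+ builtins min/max.
type interval struct{ start, end int } // half-open range [start, end)
type idMap struct{ containerID, hostID, size int }

// subtractAll removes every range in remove from every range in from. Each
// [a,b)-[c,d) is [a,b)∩(-inf,c) followed by [a,b)∩[d,+inf), empties dropped.
func subtractAll(from, remove []interval) []interval {
	for _, c := range remove {
		var next []interval
		for _, a := range from {
			left := interval{a.start, min(a.end, c.start)} // a∩(-inf, c.start)
			right := interval{max(a.start, c.end), a.end}  // a∩[c.end, +inf)
			for _, r := range []interval{left, right} {
				if r.start < r.end {
					next = append(next, r)
				}
			}
		}
		from = next
	}
	return from
}

// allocate runs steps 1-4. hostExtra and ctrExtra are the host and container
// sides of the additional mappings (an assumption about how they are passed).
func allocate(subIDs, used, hostExtra, ctrExtra []interval, size int) (maps []idMap, err error) {
	avail := subtractAll(subtractAll(subIDs, used), hostExtra) // step 1
	var h interval                                             // host range being consumed
	for _, t := range subtractAll([]interval{{0, size}}, ctrExtra) { // step 2
		for t.start < t.end { // steps 3 and 4: pair target IDs with free host IDs
			for h.start >= h.end { // current host range used up, take the next
				if len(avail) == 0 {
					return nil, fmt.Errorf("not enough free IDs for size %d", size)
				}
				h, avail = avail[0], avail[1:]
			}
			n := min(t.end-t.start, h.end-h.start)
			maps = append(maps, idMap{t.start, h.start, n})
			t.start, h.start = t.start+n, h.start+n
		}
	}
	return maps, nil
}

func main() { fmt.Println(allocate([]interval{{100000, 100020}}, nil, nil, []interval{{2, 3}}, 4)) }
```
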
when an explicit idmapping is specified, the host id must be taken
from the available range of IDs.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

automatically pick an empty range and create a user namespace for the
container.

For root containers, it is necessary to specify an entry in
the /etc/subuid and /etc/subgid files to use for picking the range of
available IDs. This is necessary to avoid collisions with IDs used
for rootless containers. This setting is ignored for rootless
containers, since it is not possible to use arbitrary IDs, and the
initial set is always picked by the IDs assigned to the rootless
user.

When using auto userns, a container will use a range of IDs that is
not used by any other container user namespace, including those that
are not using auto userns; this is checked at creation time.

A successive container that doesn't use the auto userns feature can
still collide with IDs used by an auto userns container.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>