[PVE-User] UIDs > 65535 not valid in container

Frank Thommen f.thommen at dkfz-heidelberg.de
Fri Mar 13 14:13:54 CET 2020


On 3/12/20 7:58 PM, Frank Thommen wrote:
> On 3/12/20 5:57 PM, Dietmar Maurer wrote:
>>> I fear
>>> this might be a container-related issue but I don't understand it and I
>>> don't know if there is a solution or a workaround.
>>>
>>> Any help or hint is highly appreciated
>>
>> Yes, we only map 65535 IDs for a single container. We cannot allow
>> the full range for security reasons.
> 
> What is the security related impact of higher UIDs?  This is kind of a 
> showstopper for us, as we planned several such minimal services which 
> all need to be able to map all existing UIDs in the AD.
> 
> The idea was to move them away from heavy full VMs to more lightweight 
> containers.

Or the other way round: What are the risks if we change the hardcoded 
limits in /usr/share/perl5/PVE/LXC.pm? (apart from the fact, that we 
will have to port the changes after each update and upgrade)

frank


More information about the pve-user mailing list