Merge pull request #420 from ComplianceEnthusiast/feat/nesting

cmd-ntrf · web-flow · commit 30c605f5c676 · 2026-04-20T10:25:34.000-04:00
Split `privileged` and `nesting` variables for the incus module
diff --git a/docs/README.md b/docs/README.md
@@ -1152,11 +1152,24 @@ This setting can be enabled on at most one cluster per incus host.
 **default value**: true
 
 By default, the LXC containers created by Magic Castle are privileged. It is possible for security reasons
-to turn this off by provider `privileged = false` to the Incus module. However, due to kernel restrictions
+to turn this off by provider `privileged = false` to the Incus module. However, due to kernel restrictions
 designed to prevent unprivileged users from performing privileged operations like initiating mounts,
 the following features have to be disabled when running with `privileged = false`:
 - NFS server and mounts (`profile::nfs`)
 
+Also make sure that the line `root:1000000:1000000000` exists in both
+`/etc/subuid` and `/etc/subgid` when running with `privileged = false`.
+
+**Post build modification effect**: rebuild of all instances at next `terraform apply`.
+
+### nesting (optional)
+
+**default value**: true
+
+By default, the LXC containers created by Magic Castle have nesting enabled. 
+This allows containers to run workloads that require features such as docker or systemd inside the container.
+It is possible, for security or isolation reasons, to disable this by setting `nesting = false` in the Incus module. 
+
 **Post build modification effect**: rebuild of all instances at next `terraform apply`.
 
 ### shared_filesystems (optional)
diff --git a/incus/incus.tf b/incus/incus.tf
@@ -13,6 +13,11 @@ variable "privileged" {
   default     = true
 }
 
+variable "nesting" {
+  description = "When using container, set the config security.nesting to this value"
+  default     = true
+}
+
 variable "shared_filesystems" {
   description = "Name of filesystems that need to be created and mounted in every instance"
   default     = []
diff --git a/incus/infrastructure.tf b/incus/infrastructure.tf
@@ -93,7 +93,7 @@ resource "incus_instance" "instances" {
   config = {
     "cloud-init.user-data" = module.configuration.user_data[each.key]
     "security.privileged"  = var.privileged
-    "security.nesting"     = var.privileged
+    "security.nesting"     = var.nesting
   }
 
   device {

Original file line number	Diff line number	Diff line change
`@@ -93,7 +93,7 @@ resource "incus_instance" "instances" {`
`93`	`93`	`config = {`
`94`	`94`	`"cloud-init.user-data" = module.configuration.user_data[each.key]`
`95`	`95`	`"security.privileged" = var.privileged`
`96`		`- "security.nesting" = var.privileged`
	`96`	`+ "security.nesting" = var.nesting`
`97`	`97`	`}`
`98`	`98`
`99`	`99`	`device {`