From f2f56c623dfca8d7808b2549e069865d46150eee Mon Sep 17 00:00:00 2001
From: ComplianceEnthusiast
Date: Wed, 15 Apr 2026 10:48:07 -0400
Subject: [PATCH 1/2] split privileged and nesting

---
 docs/README.md | 10 ++++++++++
 incus/incus.tf | 5 +++++
 incus/infrastructure.tf | 2 +-
 3 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/docs/README.md b/docs/README.md
index efacfd19..0121b11a 100644
--- a/docs/README.md
+++ b/docs/README.md
@@ -1159,6 +1159,16 @@ the following features have to be disabled when running with `privileged = false
 
 **Post build modification effect**: rebuild of all instances at next `terraform apply`.
 
+### nesting (optional)
+
+**default value**: true
+
+By default, the LXC containers created by Magic Castle have nesting enabled.
+This allows containers to run workloads that require features such as docker or systemd inside the container.
+It is possible, for security or isolation reasons, to disable this by setting `nesting = false` in the Incus module.
+
+**Post build modification effect**: rebuild of all instances at next `terraform apply`.
+
 ### shared_filesystems (optional)
 
 **default value**: `[]`
diff --git a/incus/incus.tf b/incus/incus.tf
index 77dd62ad..00dabd7a 100644
--- a/incus/incus.tf
+++ b/incus/incus.tf
@@ -13,6 +13,11 @@ variable "privileged" {
   default = true
 }
 
+variable "nesting" {
+  description = "When using container, set the config security.nesting to this value"
+  default = true
+}
+
 variable "shared_filesystems" {
   description = "Name of filesystems that need to be created and mounted in every instance"
   default = []
diff --git a/incus/infrastructure.tf b/incus/infrastructure.tf
index 2a96eb99..a7c0927b 100644
--- a/incus/infrastructure.tf
+++ b/incus/infrastructure.tf
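Review bot: The new `nesting` variable in incus/incus.tf declares no `type`, so any value a caller passes — a string, a number, a list — reaches the `security.nesting` config key unchecked and is rejected, if at all, only by the provider or by Incus at apply time; adding `type = bool` after the description makes a wrong value fail at `terraform plan`. The description is also hard to parse; `description = "When using containers, value written to the instance's security.nesting config key"` reads more clearly. Whether the neighbouring `privileged` variable declares a type is outside the hunk, so the two may or may not be consistent.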
@@ -93,7 +93,7 @@ resource "incus_instance" "instances" {
   config = {
     "cloud-init.user-data" = module.configuration.user_data[each.key]
     "security.privileged" = var.privileged
-    "security.nesting" = var.privileged
+    "security.nesting" = var.nesting
   }
 
   device {

From 414bea82118dedff30acc22485323131ea642817 Mon Sep 17 00:00:00 2001
From: ComplianceEnthusiast
Date: Fri, 17 Apr 2026 11:55:39 -0400
Subject: [PATCH 2/2] add note about subuid and subgid for unprivileged containers

---
 docs/README.md | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/docs/README.md b/docs/README.md
index 0121b11a..d781c45d 100644
--- a/docs/README.md
+++ b/docs/README.md
@@ -1152,11 +1152,14 @@ This setting can be enabled on at most one cluster per incus host.
 **default value**: true
 
 By default, the LXC containers created by Magic Castle are privileged. It is possible for security reasons
-to turn this off by provider `privileged = false` to the Incus module. However, due to kernel restrictions
+to turn this off by provider `privileged = false` to the Incus module. However, due to kernel restrictions
 designed to prevent unprivileged users from performing privileged operations like initiating mounts,
 the following features have to be disabled when running with `privileged = false`:
 - NFS server and mounts (`profile::nfs`)
 
+Also make sure that the line `root:1000000:1000000000` exists in both
+`/etc/subuid` and `/etc/subgid` when running with `privileged = false`.
+
 **Post build modification effect**: rebuild of all instances at next `terraform apply`.
 
 ### nesting (optional)
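Review bot: The new `"security.nesting" = var.nesting` line keeps nesting at a default of `true` alongside `security.privileged`, which also defaults to `true`, so a stock deployment still enables both keys on every instance and nothing in the resource records that this combination is deliberate; a comment on the new line such as `# decoupled from security.privileged on purpose; both default to true, see docs/README.md` would keep the intent visible next to the value. Both keys are also applied unconditionally to every member of `incus_instance.instances`; if the module can create virtual machines as well as containers (the variable description in incus/incus.tf says "When using container"), it is worth confirming against the provider how these container-oriented keys behave for them. The `incus_instance.instances` resource block starts and ends outside the hunk.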