Skip to content

Split privileged and nesting variables for the incus module #420

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
cmd-ntrf merged 2 commits into from
Apr 20, 2026
Merged

Split privileged and nesting variables for the incus module #420

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
f2f56c6
split privileged and nesting
Apr 15, 2026
414bea8
add note about subuid and subgid for unprivileged containers
Apr 17, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
15 changes: 14 additions & 1 deletion docs/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1152,11 +1152,24 @@ This setting can be enabled on at most one cluster per incus host.
**default value**: true

By default, the LXC containers created by Magic Castle are privileged. It is possible for security reasons
to turn this off by provider `privileged = false` to the Incus module. However, due to kernel restrictions
to turn this off by provider `privileged = false` to the Incus module. However, due to kernel restrictions
designed to prevent unprivileged users from performing privileged operations like initiating mounts,
the following features have to be disabled when running with `privileged = false`:
- NFS server and mounts (`profile::nfs`)

Also make sure that the line `root:1000000:1000000000` exists in both
`/etc/subuid` and `/etc/subgid` when running with `privileged = false`.

**Post build modification effect**: rebuild of all instances at next `terraform apply`.

### nesting (optional)

**default value**: true

By default, the LXC containers created by Magic Castle have nesting enabled.
This allows containers to run workloads that require features such as docker or systemd inside the container.
It is possible, for security or isolation reasons, to disable this by setting `nesting = false` in the Incus module.

**Post build modification effect**: rebuild of all instances at next `terraform apply`.

### shared_filesystems (optional)
Expand Down
5 changes: 5 additions & 0 deletions incus/incus.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,11 @@ variable "privileged" {
default = true
}

variable "nesting" {
description = "When using container, set the config security.nesting to this value"
default = true
}

variable "shared_filesystems" {
description = "Name of filesystems that need to be created and mounted in every instance"
default = []
Expand Down
2 changes: 1 addition & 1 deletion incus/infrastructure.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -93,7 +93,7 @@ resource "incus_instance" "instances" {
config = {
"cloud-init.user-data" = module.configuration.user_data[each.key]
"security.privileged" = var.privileged
"security.nesting" = var.privileged
"security.nesting" = var.nesting
}

device {
Expand Down
Loading