Add a configuration flag option to increase the 65536 subordinate range limit

[ccun-sq]

Need for enhancement:

For legacy reasons, we have to maintain compatibility for a user with large UID, much higher than the 65536 limit [0] which sysbox uses for its allocations. This means that any attempts to chown resources for this user will break. We have experimented with using Docker's userns-remap setting to extend this range, but then we cannot take advantage of sysbox's dynamic allocation.

[0]

sysbox-runc/libsysbox/syscont/spec.go

Line 44 in 24f71da

IdRangeMin uint32 = 65536

Description of enhancement:

The default IdRangeMin would not change. We would follow the best practices for introducing a configuration option that lets us run with an increased range. We would validate that 268435456 divides the setting evenly so that sysbox's overall range can be subdivided evenly.

https://nestybox-support.slack.com/archives/CS7V68QMP/p1740792462742969

[rodnymolina]

Yes, please submit a PR exposing a new sysbox-mgr config knob and adding comments to explain its use-case.

[ccun-sq]

@rodnymolina Before we get started, I wanted to sanity check with you that our approach is acceptable for sysbox.

High-level Proposal

• [sysbox-mgr]

  • Add a new cli.IntFlag, call it --id-range-size, to sysbox-mgr main. Default this to the original 65536 value and fail early if the user-supplied value is < 65536.
    • Reference: main.go L152
  • Propagate the flag value via IPC ContainerConfig.
    • Reference: mgr.go L630

• [sysbox-ipc]

  • Propagate the flag value both directions via ContainerConfig:
    • Reference: grpcServer.go L143
    • Reference: grpcClient.go L99

• [sysbox-runc]

  • Use the newly populated sysMgr.Config.IdRangeSize within syscont/spec.go for default allocations.
  • The constant IdRangeMin is not removed because:
    • It is still used to check that user-submitted mappings via --id-map use sizes of >= 65536.
    • It is referenced in the help text.
    • Reference: spec.go L360

Tests

• [sysbox]

  • Add a new bats test to the sysmgr directory, similar to idAlloc, but:
    • Passes the new CLI flag.
    • Checks for the new flag value instead of 65536.
    • Reference: idAlloc.bats

• [sysbox-runc]

  • Unit test for propagating --id-range-size via ContainerConfig results in a larger range.
    • Reference: spec_test.go L336

Feature Usage

• Example
  • Edit the [Service] section of /lib/systemd/system/sysbox-mgr.service:
    • Modify ExecStart to configure the new flag.

    • ExecStart=/usr/bin/sysbox-mgr --id-range-size 262144