Problem/Justification
Ability to map a user in the container to a user in TrueNAS for permissioning disks. Today the idmap user is common across all instances.
For example, mapping root in a container to user 3001 in TrueNAS, and having that user be a named user/group on dataset permissions.
This would increase visibility of which container has access to what filesystem resources.
This would reduce the chance of cross-instance ‘confusion’ where the user in one instance gets access to the file system of another instance stored in a dataset or path used by both instances.
It would also allow differentiation of users for both assigning permissions and logging - for example, root in a file downloader instance could have r/w permissions while the same user in the serving instance (say root in both cases) would have only r to the same dataset. It would be in logs which container performed what action. Today any logs would just show ‘apps’ did it.
Impact
By default there should be no impact; the default behaviour we have today in Fangtooth can be maintained. This would optionally allow users to give each instance its own idmap and avoid the current generic user that is applied.
In terms of development impact, this leverages pre-existing idmap features of Incus. These features cannot be used today because if idmaps are configured at the command line, the custom ix-systems Incus orchestrator overwrites them. This could be rolled out by first just changing that behaviour in phase 1 with an ‘allow custom id maps’ option that would allow it to be set by CLI and not overwritten. Later phases could add UI. Later still would be a better workflow to create the users to do this in the TrueNAS UI.
User Story
Create one instance where root (user 0) in container A is mapped to user 3001
Create second instance where root (user 0) in container B is mapped to user 3002
These users would have no login permissions and no TrueNAS user permissions.
On a dataset to be mounted in both containers, allow the dataset to be owned by user 3001 who has rwx rights. Add user 3002 to the same dataset permissions as rw.
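
The user story above, modelled as an added example (not part of the original request and not TrueNAS or Incus code): it parses per-instance idmap entries in Incus's `raw.idmap` syntax (`<uid|gid|both> <host id> <container id>`) and resolves container root against a host-side dataset ACL. The instance names, the `DATASET_ACL` dictionary and all helper functions are assumptions made for illustration; the ACL is a simplified uid-to-permission table, not a real ZFS ACL.

```python
"""Added illustration: per-instance raw.idmap entries resolved against a dataset ACL."""

def parse_raw_idmap(text):
    """Parse raw.idmap lines of the form '<uid|gid|both> <host range> <container range>'."""
    entries = []
    for line in text.strip().splitlines():
        kind, host, cont = line.split()
        if kind not in ("uid", "gid", "both"):
            raise ValueError(f"unknown idmap type: {kind}")
        h_lo, _, h_hi = host.partition("-")
        c_lo, _, c_hi = cont.partition("-")
        h = (int(h_lo), int(h_hi or h_lo))
        c = (int(c_lo), int(c_hi or c_lo))
        if h[1] - h[0] != c[1] - c[0]:
            raise ValueError(f"range sizes differ: {line}")
        entries.append((kind, h, c))
    return entries

def host_uid(entries, container_uid):
    """Translate a container uid to its host uid; None if no raw.idmap entry covers it."""
    for kind, h, c in entries:
        if kind in ("uid", "both") and c[0] <= container_uid <= c[1]:
            return h[0] + (container_uid - c[0])
    return None

def dataset_access(acl, entries, container_uid):
    """Permissions the host-side ACL grants to a container user ('' if none)."""
    return acl.get(host_uid(entries, container_uid), "")

# Constructed sample data following the user story: root in A -> 3001, root in B -> 3002.
INSTANCES = {
    "A": parse_raw_idmap("both 3001 0"),
    "B": parse_raw_idmap("both 3002 0"),
}
# Simplified model of the shared dataset's permissions (hypothetical structure).
DATASET_ACL = {3001: "rwx", 3002: "rw"}

def report():
    """Map each instance to (host uid of container root, access on the shared dataset)."""
    return {name: (host_uid(m, 0), dataset_access(DATASET_ACL, m, 0))
            for name, m in INSTANCES.items()}

if __name__ == "__main__":
    for name, (uid, perms) in report().items():
        print(f"instance {name}: container root -> host uid {uid}, access {perms!r}")
```

Because each instance resolves to a different host uid, the dataset ACL and any host-side log entry can tell the two containers apart even though both run as root internally.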