More idmap fixes

cmd/incusd/instance_test.go

@@ -442,13 +442,11 @@ func (suite *containerTestSuite) TestContainer_findIdmap_raw() {
 		suite.Req.Equal(int64(1000), map1.Entries[i].MapRange, "incorrect maprange")
 	}
 
-	for _, i := range []int{1, 4} {
-		suite.Req.Equal(int64(1000), map1.Entries[i].HostID, "hostids don't match")
-		suite.Req.Equal(int64(1000), map1.Entries[i].NSID, "invalid nsid")
-		suite.Req.Equal(int64(1), map1.Entries[i].MapRange, "incorrect maprange")
-	}
+	suite.Req.Equal(int64(1000), map1.Entries[1].HostID, "hostids don't match")
+	suite.Req.Equal(int64(1000), map1.Entries[1].NSID, "invalid nsid")
+	suite.Req.Equal(int64(1), map1.Entries[1].MapRange, "incorrect maprange")
 
-	for _, i := range []int{2, 5} {
+	for _, i := range []int{2, 4} {
 		suite.Req.Equal(host.HostID+1001, map1.Entries[i].HostID, "hostids don't match")
 		suite.Req.Equal(int64(1001), map1.Entries[i].NSID, "invalid nsid")
 		suite.Req.Equal(host.MapRange-1000-1, map1.Entries[i].MapRange, "incorrect maprange")

shared/idmap/entry.go

@@ -8,11 +8,11 @@ import (
 
 // Entry is a single idmap entry (line).
 type Entry struct {
-	IsUID    bool
-	IsGID    bool
-	HostID   int64 // id as seen on the host - i.e. 100000
-	NSID     int64 // id as seen in the ns - i.e. 0
-	MapRange int64
+	IsUID    bool  `json:"Isuid"`
+	IsGID    bool  `json:"Isgid"`
+	HostID   int64 `json:"Hostid"` // id as seen on the host - i.e. 100000
+	NSID     int64 `json:"Nsid"`   // id as seen in the ns - i.e. 0
+	MapRange int64 `json:"Maprange"`
 }
 
 // ToLXCString converts an Entry into its LXC representation.

shared/idmap/set.go

@@ -173,18 +173,20 @@ func (m *Set) ValidRanges() ([]*Range, error) {
 func (m *Set) AddSafe(i Entry) error {
 	result := []Entry{}
 	added := false
+
 	for _, e := range m.Entries {
+		// Check if the existing entry intersects with the new one.
 		if !e.Intersects(i) {
 			result = append(result, e)
 			continue
 		}
 
+		// Fail when the same hostid(s) are used in multiple entries.
 		if e.HostIDsIntersect(i) {
 			return ErrHostIDIsSubID
 		}
 
-		added = true
-
+		// Split the lower part of the entry (ids from begining of existing entry to start of new entry).
 		lower := Entry{
 			IsUID:    e.IsUID,
 			IsGID:    e.IsGID,
@@ -193,6 +195,7 @@ func (m *Set) AddSafe(i Entry) error {
 			MapRange: i.NSID - e.NSID,
 		}
 
+		// Split the upper part of the entry (ids from new entry to end of existing entry).
 		upper := Entry{
 			IsUID:    e.IsUID,
 			IsGID:    e.IsGID,
@@ -201,16 +204,28 @@ func (m *Set) AddSafe(i Entry) error {
 			MapRange: e.MapRange - i.MapRange - lower.MapRange,
 		}
 
+		// If the new entry doesn't completely cover the lower part of
+		// the existing entry, then add that to the set.
 		if lower.MapRange > 0 {
 			result = append(result, lower)
 		}
 
-		result = append(result, i)
+		// Add the new entry in the middle.
+		if !added {
+			// With an entry matching both uid and gid, more than one
+			// intersection is possible, keep track of it to only put it in the set once.
+			added = true
+			result = append(result, i)
+		}
+
+		// If the new entry doesn't completely cover the upper part of
+		// the existing entry, then add that to the set.
 		if upper.MapRange > 0 {
 			result = append(result, upper)
 		}
 	}
 
+	// If no intersection was found, just add the new entry to the set.
 	if !added {
 		result = append(result, i)
 	}