containers.<name>.privateUsers
Whether to give the container its own private UID/GID space (user namespacing).
Disabled by default ("no").
If set to a number (usually above the host's UID/GID range, i.e. 65536 or a higher multiple of it), user namespacing is enabled and the container's UIDs/GIDs are mapped to a host range starting at that number.
If set to "identity", which is equivalent to a base of 0, the host's UIDs/GIDs 0 to 65535 are mapped one-to-one, so this only provides
process capability isolation (no UID/GID isolation, since the IDs are the same as on the host).
If set to "pick", user namespacing is enabled and the UID/GID range is chosen automatically,
so that no two containers are assigned overlapping UID/GID ranges.
This is the recommended option: it substantially improves container security and works fully automatically in most cases.
See https://www.freedesktop.org/software/systemd/man/latest/systemd-nspawn.html#--private-users= for details.
- Type: 32 bit unsigned integer; between 0 and 4294967295 (both inclusive) or one of "no", "identity", "pick"
- Default: "no"
- Declared: <nixpkgs/nixos/modules/virtualisation/nixos-containers.nix>
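The following NixOS module shows the weak setting beside the recommended one. It is an added example, not code from the NixOS module documented above; the container names `legacy` and `sandbox`, the bind-mount path `/srv/data` and the nginx service inside the containers are assumptions chosen for illustration.

```nix
# Added example: two declarative nixos-containers, one sharing the host's
# UID/GID space and one with a private, automatically picked range.
# Names, paths and the service inside are illustrative assumptions.
{ config, pkgs, ... }:

{
  # Weak: no user namespace. UID 0 inside the container is UID 0 on the host
  # for file ownership, so a container escape lands on real host IDs.
  containers.legacy = {
    autoStart = true;
    privateUsers = "no";   # the default; written out here for contrast
    config = { ... }: { services.nginx.enable = true; };
  };

  # Hardened: systemd-nspawn picks a 65536-ID range that does not overlap
  # with any other container, so container root maps to an unprivileged
  # host UID.
  containers.sandbox = {
    autoStart = true;
    privateUsers = "pick";
    # Caveat: host files bind-mounted into a shifted container are owned by
    # host UIDs the container cannot map, so they appear as nobody/nogroup
    # inside. Mount them read-only unless the container must write to them.
    bindMounts."/srv/data" = {
      hostPath = "/srv/data";
      isReadOnly = true;
    };
    config = { ... }: { services.nginx.enable = true; };
  };
}
```

To confirm the mapping took effect after `nixos-rebuild switch`, run `nixos-container run sandbox -- cat /proc/self/uid_map` on the host: a user-namespaced container prints a line of the form `0 <base> 65536`, whereas the `legacy` container prints the identity map `0 0 4294967295`.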