Fix <65535 IDs available to nested containers

Fixes: #3

Signed-off-by: Chris Evich <cevich@redhat.com>

setup.sh

@@ -69,9 +69,12 @@ useradd -M -u 1001 -g runner runner
 chmod 770 /home/runner
 
 # Overwrite defaults, only user 'podman' permited to have a user-namespace
-# Split the namespaced ID's around the containers root (ID 0) and the user
-# IDs 1000 and 1001 (defined above) to prevent hijacking from a nested container.
-echo -e "podman:1:999\npodman:1002:64533" | tee /etc/subuid > /etc/subgid
+# Split the namespaced ID's around the containers root (ID 0), podman (ID 1000), and
+# runner (ID 1001) such that the user-namespace of any nested containers cannot
+# read or write any files owned by these users (and/or hijack nested container processes).
+# N/B: The range-end (999+64536) ensures a total of 65535 IDs are available for nested-containers.
+#      This requires the host provide a sufficiently large range, i.e. `pipglr:<start>:65539`
+echo -e "podman:1:999\npodman:1002:64536" | tee /etc/subuid > /etc/subgid
 # Host volume mount necessary for nested-podman to use overlayfs2 for container & volume storage.
 mkdir -p /home/podman/.local/share/containers
 # Nested-container's local container-cache volume mount, recommended by gitlab-runner docs.