sytemd-nspawn Bind cannot bind mount with dev option

[Markus328]

I have an issue about systemd-nspawn containers and --placement on-host. It seems like systemd-nspawn cannot bind mount with dev option a path within a nodev /run

Firstly, I was not using --placement on-host and it worked fine, but I want to use nspawn with --private-users=pick and I got permission issues of devices created on /dev/input. seatd rejects inputs with messed ownership even though it has read permission (libinput debug-events works very well, but sway cannot enumerate any device because seatd doesn't want to).

I tried many ways of mounting /dev/input with dev, but I cannot afford to do it while using idmap mounts (to fix ownership). I found out a way that simply mounts a tmpfs on /run/.../dev-input with dev option and here systemd-nspawn copies those options in container, and I can have access to input devices on container.

mkdir -p /run/vuinputd/vuinput/dev-input
mount -t tmpfs -o rw,dev tmpfs /run/vuinputd/vuinput/dev-input

and the passing Bind in nspawn I could get a valid /dev/input inside container.

[joleuger]

Hi @Markus328 , thanks a lot for digging into this and for documenting your findings so clearly. I guess what is missing is appropriate documentation. Currently, it is only written down as a side note under https://github.com/joleuger/vuinputd/blob/main/docs/USAGE.md#--placement-on-host :

run/vuinputd/{devname}/dev-input must have the mount option dev

I guess explicitly mentioning the option of mounting a tmpfs or providing an example systemd service file would have helped you a lot. For this reason I have added a warning message ( see code ). Seems it was not helpful.

Another option seems to be to create the device with the uid and gid of the parent directory. I actually plan to checkin such a solution, but I haven't managed it yet to do my test setup to confirm that such a solution is working.

pub fn acquire_gid_and_uid_of_path(path: &str) -> anyhow::Result<()> {
    let path = Path::new(path);

    // 1. Get the raw UID/GID of the directory from the Host's perspective
    //    This returns the mapped ID (e.g., 100000), not the container ID (0).
    let metadata = fs::metadata(path)?;
    let target_uid = metadata.uid();
    let target_gid = metadata.gid();

    // 2. Temporarily switch filesystem identity
    //    We use libc directly here. Note: setfsgid usually needs to happen before setfsuid
    //    because changing UID might drop privileges to change GID.
    unsafe {
        libc::setfsgid(target_gid);
        libc::setfsuid(target_uid);
    }
    Ok(())
}

Thanks again for the detailed report. Do you mind to attach your service files? Those might help other users having similar issues.