I've created a systemd-nspawn container in which `/dev/fb1` from the host is bound as `/dev/fb0`. I've set `PrivateUsers=off` in the .nspawn config file, and the file ownership and permissions of `/dev/fb0` in the container appear to be the same as `/dev/fb1` on the host. Running `cat /dev/urandom >/dev/fb1` on the host works as expected ('no space left on device' error), but if I boot the container and log in to it as root (with `machinectl`), `cat /dev/urandom >/dev/fb0` fails with 'Operation not permitted'. I also tried to write to it using `dd -if /dev/urandom -of /dev/fb0`, and that gave the error 'dd: failed to open '/dev/fb0': Operation not permitted'. I've tested other commands that would require root access, such as `chmod` and `chown`, and my root user in the container is able to run those.

If I bind `/dev/fb1` as itself (i.e. just `Bind=/dev/fb1`), then the write operation is permitted.

Does anyone know why I can't open the file for writes from within the container?
This is the .nspawn config:

```ini
[Exec]
Capability=CAP_SYS_ADMIN
PrivateUsers=off

[Files]
Bind=/dev/fb1:/dev/fb0
Bind=/srv
```
This is the systemd-nspawn service override file for the container:

```ini
[Service]
DeviceAllow=/dev/fb0 rw
DeviceAllow=char-input rw
DeviceAllow=char-drm rw
```
(I'm sure some of this config is unnecessary -- I've just been chucking in everything I can think of to solve my problem.)
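The following diagnostic script is an added example and is not part of the question or of systemd. It is built on one documented behaviour: a path given to `DeviceAllow=` is resolved on the host to a device's major:minor number (the cgroup device controller filters by number, not by path), while `Bind=` maps a node under a new name without changing its number. The script prints the numbers that a `DeviceAllow=` path and a bind source actually refer to, so that a mismatch between the two can be ruled in or out before touching the unit files. The function names, the example paths `/dev/fb0` and `/dev/fb1`, and the cgroup v1 path layout are assumptions for illustration; it needs GNU `stat`.

```shell
#!/bin/sh
# Added diagnostic (not from the question): show which kernel device numbers a
# DeviceAllow= path and a Bind= source resolve to on the host, and whether they match.
# Assumes GNU coreutils stat (%t/%T print the hex major/minor of a device node).

# Print "major:minor" in decimal for a character or block device node.
device_id() {
    maj=$(stat -c '%t' "$1") || return 1
    min=$(stat -c '%T' "$1") || return 1
    printf '%d:%d\n' "$((0x$maj))" "$((0x$min))"
}

# Exit 0 if both paths name the same kernel device (same major:minor), else 1.
same_device() {
    [ "$(device_id "$1")" = "$(device_id "$2")" ]
}

# Compare the device that a DeviceAllow= path resolves to on the host with the
# host device that Bind= maps into the container. Both arguments are host paths,
# because that is where systemd resolves DeviceAllow= and where Bind= sources live.
check_device_allow() {
    allow_path=$1
    bind_source=$2
    echo "DeviceAllow=$allow_path resolves on the host to $(device_id "$allow_path")"
    echo "Bind= source $bind_source is $(device_id "$bind_source")"
    if same_device "$allow_path" "$bind_source"; then
        echo "same device: the DeviceAllow= rule covers the bound node"
    else
        echo "different devices: the DeviceAllow= rule does not cover the bound node"
    fi
}

# Optional: dump the device policy the container's cgroup ends up with.
# Only readable on cgroup v1 hosts; the slice/unit path is an assumption.
show_cgroup_v1_devices() {
    cg="/sys/fs/cgroup/devices/machine.slice/systemd-nspawn@$1.service"
    [ -r "$cg/devices.list" ] && cat "$cg/devices.list"
}

# Usage on the host, with the paths from the question:
#   check_device_allow /dev/fb0 /dev/fb1
#   show_cgroup_v1_devices mycontainer
```

Run it on the host, not inside the container, since that is where both `DeviceAllow=` and `Bind=` are evaluated. On a cgroup v2 host `devices.list` does not exist (the policy is an eBPF program), so `show_cgroup_v1_devices` simply prints nothing there and the major:minor comparison from `check_device_allow` is the useful part.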