Hey Nozz, I've tried the exact same setup and run into this problem. I've explained it a bit better here[1]. Since the linux kernel 5.12 there are filesystem id mappings that can be used for that in combination with --private-users=pick. I've written the pull request[0] to include support in nspawn for that. In my opinion this is the best way to share such a socket. There is not yet a systemd release containing the pull request.I'm not sure if the tempfs, where I guess your socket is located, implementation in linux does yet support those mappings, last time I checked (when I wrote the pull request) it didn't. Yes support for filesystem id mappings depends on the source filesystem. You could solve this by moving the socket to another location, for example an ext4 filesystem, until tmpfs supports it as well.
Alternatively you could use extended acls for that. Another option would be to allow access for "other" on the socket, but not the parent folder, and use --bind as is. Best regards, nd [0] https://github.com/systemd/systemd/pull/19828 [1] https://lists.freedesktop.org/archives/systemd-devel/2021-May/046503.html
Attachment:
OpenPGP_signature
Description: OpenPGP digital signature
