What I have:

A Gentoo host and an Ubuntu container.

What I want:

Mount /home from the host to the container and use it there as normal.

What I'm doing:

Start the container with -U --bind=/home flags.

What I get:

In the container I have my /home directory but it has been mounted with nobody:nogroup owner:

scratch:5:0:/home/vkirsano> ll /home 
total 24
drwxr-xr-x  3 nobody nogroup  4096 Sep 19 17:39 krokoziabla
drwx------  2 nobody nogroup 16384 Oct 20  2016 lost+found
drwxr-xr-x 56 nobody nogroup  4096 Sep 20 22:15 vkirsano

So effectively I only have read-only access to the contents of the /home directory which is not what I want. Say, I've created user vkirsano in the container with the same UID:GID as in the host so I would like systemd-nspawn to just keep the original info about files' ownership while binding the directory.

What I'm asking:

What is the usual practice (if there is one) of mounting folders like /home with keeping the ability to work normally with them in the container?

krokoziabla

1 Answer

AFAIK, -U is mostly incompatible with rw --bind. From the docs:

Note that when this option is used in combination with --private-users, the resulting mount points will be owned by the nobody user. That's because the mount and its files and directories continue to be owned by the relevant host users and groups, which do not exist in the container, and thus show up under the wildcard UID 65534 (nobody). If such bind mounts are created, it is recommended to make them read-only, using --bind-ro=.

I've used nspawn to make Ubuntu-based containers for building Yocto on my Arch Linux host. When Arch's kernel enabled CONFIG_USER_NS=y, I needed to set PrivateUsers=off in my /etc/systemd/nspawn/foo.nspawn files. (Also, I add a user with the same UID in both the host and container, so I can Bind= and access it the same way in both the container and host.)

jpkotta
  • Thanks for this answer. It helped me understand and diagnose a related problem I was having. I wanted to ask for clarification, but I thought it was best to [ask a separate question](https://unix.stackexchange.com/questions/557293/how-can-i-make-a-device-like-dev-mapper-control-available-inside-a-systemd-nspa). – sjy Dec 15 '19 at 02:59
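The two configurations the answer contrasts, written out as an added example (this is not configuration from the question or answer, and the container name foo and the path /etc/systemd/nspawn/foo.nspawn are taken from the answer's own example file name). The first variant, kept in comments, is the setup from the question; the second is the one the answer uses. The [Exec] and [Files] sections and the PrivateUsers=, Bind= and BindReadOnly= keys are the systemd.nspawn settings that correspond to the -U, --bind= and --bind-ro= command-line flags quoted above.

```ini
# /etc/systemd/nspawn/foo.nspawn  (added example; "foo" is the container name from the answer)
#
# Variant that reproduces the question: user namespacing on, /home bound
# read-write. The host UIDs and GIDs that own the files have no mapping
# inside the container, so every entry appears as nobody:nogroup
# (UID/GID 65534) and writes are refused.
#
#   [Exec]
#   PrivateUsers=yes
#
#   [Files]
#   Bind=/home
#
# Variant the answer describes: user namespacing off, so a UID inside the
# container is the same number on the host, and a user created with the
# same UID:GID on both sides owns the same files in both places.

[Exec]
PrivateUsers=off

[Files]
Bind=/home
```

The trade-off to be aware of: with PrivateUsers=off the container's root is the host's UID 0, and every path exposed through Bind= is written with real host UIDs, so the container is no longer a privilege boundary for that data. If the container has to keep user namespacing on, the documentation's own recommendation applies instead: replace Bind=/home with BindReadOnly=/home, which keeps the directory visible but makes the nobody-owned mount read-only by design rather than by accident.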