
I am running multiple Podman containers on a host system, each of which requires its own isolated set of virtual input devices created by Xorg (or PCoIP agent). The application running inside these containers creates several virtual input devices (e.g., event0, mouse0, etc.) that must be confined within each container's environment for the application to work properly. These input devices are located under /dev/input/.

The Problem: Rather than being confined within each container's namespace, all input devices created by Xorg are being added to the host's /dev/input directory. This becomes problematic when running multiple containers because:

Namespace Overlap: Input devices from different containers are all created in the host's /dev/input/, leading to device conflicts between containers.

Xorg Device Access Collision: When multiple containers try to access input devices, Xorg attempts to mount all available input devices (from the host), resulting in the application crashing due to resource conflicts.

What I've Tried:

Bind Mounts: I have attempted using the --volume flag to mount the required devices and have access to /dev/input inside each container:

Example: --volume /dev/input:/dev/input

This allows the container to see the input devices, but since the virtual devices are not isolated per container, Xorg ends up mounting all input devices across all containers, creating conflicts and causing the application to crash.

Device Control with --device: I've also tried passing specific devices using the --device flag, such as --device /dev/input/event0:/dev/input/event0, but this doesn't solve the issue when running multiple containers since devices are still being managed at the host level and conflict arises.

Attempted to Use tmpfs:

Mounting the /dev/input directory with tmpfs using the --mount type=tmpfs,destination=/dev/input option isolates the directory, but it doesn’t ensure that the container-specific virtual input devices are created inside this isolated /dev/input. Instead, they default to the host again.

Goal: I need each container to have its own isolated /dev/input directory, where the virtual input devices created by Xorg inside a container are only visible and accessible within that specific container, without being shared between containers or leaking into the host’s /dev/input.

Key Constraints:

Multiple Containers: I need to run multiple containers simultaneously, each with its own set of isolated virtual input devices.

Container Stability: The solution shouldn't crash or result in Xorg attempting to mount all virtual devices from other containers.

Questions:

How can I ensure that virtual input devices created by Xorg are confined inside each container's own /dev/input directory without being created on the host's /dev/input?

Is there a way to isolate /dev/input per container or virtualize /dev/input in such a way that allows each container to have its own device namespace for creating input devices?

Would changing Podman’s container configuration (or using a specific driver configuration) enable containerized device isolation specific to the input devices?

System Details:

Container Runtime: Podman
Application: Xorg, PCoIP Agents
Host System: 6.8.0-40-generic 22.04.3-Ubuntu

Hamza
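As an added example (not part of the question above), a small helper that maps `/dev/input/eventN` and `mouseN` nodes back to the device that owns them by parsing `/proc/bus/input/devices`, and marks devices the kernel registered under `/devices/virtual/input/` (where uinput-created devices appear). The sample listing is constructed, and the helper only narrows what is passed with `--device` per container; it does not by itself isolate devices between containers.

```python
import re

# Constructed sample in the layout of /proc/bus/input/devices (not a real capture):
# one physical USB keyboard and one virtual device of the kind a uinput client creates.
SAMPLE_PROC_BUS_INPUT = """\
I: Bus=0003 Vendor=046d Product=c31c Version=0110
N: Name="Example USB Keyboard"
P: Phys=usb-0000:00:14.0-2/input0
S: Sysfs=/devices/pci0000:00/0000:00:14.0/usb1/1-2/1-2:1.0/0003:046D:C31C.0001/input/input5
U: Uniq=
H: Handlers=sysrq kbd event3 leds
B: PROP=0

I: Bus=0006 Vendor=0000 Product=0000 Version=0000
N: Name="Virtual Mouse (container A)"
P: Phys=
S: Sysfs=/devices/virtual/input/input21
U: Uniq=
H: Handlers=mouse1 event7
B: PROP=0
"""

def parse_input_devices(text):
    """Return one dict per device: name, sysfs path, /dev/input nodes, virtual flag."""
    devices = []
    for block in re.split(r"\n\s*\n", text.strip()):
        dev = {"name": "", "sysfs": "", "nodes": []}
        for line in block.splitlines():
            if line.startswith("N: Name="):
                dev["name"] = line.split("=", 1)[1].strip('"')
            elif line.startswith("S: Sysfs="):
                dev["sysfs"] = line.split("=", 1)[1]
            elif line.startswith("H: Handlers="):
                # Only handler names that correspond to nodes under /dev/input.
                handlers = line.split("=", 1)[1].split()
                dev["nodes"] = ["/dev/input/" + h for h in handlers
                                if h.startswith(("event", "mouse", "js"))]
        # uinput-created devices are registered under /devices/virtual/input/.
        dev["virtual"] = dev["sysfs"].startswith("/devices/virtual/input/")
        devices.append(dev)
    return devices

def device_flags(devices, name_pattern):
    """Build podman --device arguments for the nodes of devices whose name matches."""
    flags = []
    for dev in devices:
        if re.search(name_pattern, dev["name"]):
            flags.extend(f"--device {node}:{node}" for node in dev["nodes"])
    return flags
```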
