fix(wsl): rshared root + /dev/{net/tun,fuse} pre-sysinit; dedupe sysusers/tmpfiles

Root cause: WSL2's /init mounts / private, so systemd's per-unit
mount(NULL, "/", NULL, MS_REC|MS_SLAVE, NULL) returns EOPNOTSUPP and
NAMESPACE setup fails for any unit using PrivateTmp/ProtectSystem/etc.
That cascade is what we've been seeing as cockpit.service status=226/
NAMESPACE AND every Quadlet (mios-forge, mios-ai, mios-aichat-build)
failing rootless network/storage setup -- slirp4netns can't open
/dev/net/tun and fuse-overlayfs can't mount /dev/fuse, both of which
are missing because systemd-udevd is condition-gated off on WSL2
(ConditionPathIsReadWrite=/sys is false there).

mios-wsl-early.service is the new pre-sysinit fixup unit. Runs once
per boot, no sandboxing (it's what makes sandboxing possible for
everything else), gated on ConditionVirtualization=wsl. Two ops:

  1. mount --make-rshared /
  2. mknod /dev/net/tun (c 10:200) and /dev/fuse (c 10:229) if missing

Ordering: After=systemd-tmpfiles-setup-dev.service systemd-remount-fs
.service / Before=sysinit.target basic.target shutdown.target. That
puts it before any unit with hardening directives or rootless podman
plumbing, so cockpit-certificate-ensure's NAMESPACE step succeeds and
fuse-overlayfs/slirp4netns can find their device nodes.

Defense-in-depth on cockpit.service.d/10-mios-container.conf: also
reset BindPaths/BindReadOnlyPaths/TemporaryFileSystem/Extension*/
RootDirectory/RootImage/MountAPIVFS/DynamicUser/RestrictFileSystems.
With rshared root these are unnecessary, but a future cockpit-ws unit
file bump that adds any of them would otherwise re-trigger NAMESPACE
setup. Cheap insurance.

Boot warnings cleanup (same journal):
  * usr/lib/sysusers.d/10-mios.conf -- drop `g input - -` (declared in
    00-coreos-static.conf) and `g dialout - -` (declared in setup.conf)
    so the per-boot "Conflict ... ignoring line" lines disappear.
  * usr/lib/tmpfiles.d/mios.conf -- drop redundant `d /var/home/mios`
    line (mios-user.conf already owns it via `C` + `Z`).
  * usr/lib/tmpfiles.d/mios-grd.conf -- drop `d /var/lib/gnome-remote-
    desktop` (declared in upstream gnome-remote-desktop tmpfiles).
  * usr/lib/tmpfiles.d/mios-infra.conf -- drop `d /etc/pam.d` (declared
    in upstream pam tmpfiles).

90-mios.preset: enable mios-wsl-early.service (must come before mios-
wsl-firstboot/init/runtime-dir; comment block in the preset spells out
why it's first). Existing .gitignore whitelists already cover both
new files (usr/libexec/mios/** and mios-*.service).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Author: Kabuki94

usr/lib/systemd/system-preset/90-mios.preset

@@ -68,6 +68,11 @@ enable cloud-final.service
 enable qemu-guest-agent.service
 
 # --- WSL2 fallback & initialization (ConditionVirtualization=wsl gated) ---
+# mios-wsl-early MUST stay first: it makes / rshared and creates
+# /dev/{net/tun,fuse} before any unit with sandboxing or rootless
+# podman fires. Without it, cockpit fails 226/NAMESPACE and every
+# Quadlet fails fuse-overlayfs/slirp4netns at boot.
+enable mios-wsl-early.service
 enable mios-wsl-firstboot.service
 enable mios-wsl-init.service
 enable mios-wsl-runtime-dir.service

usr/lib/systemd/system/cockpit.service.d/10-mios-container.conf

@@ -75,3 +75,16 @@ DeviceAllow=
 ReadWritePaths=
 ReadOnlyPaths=
 InaccessiblePaths=
+# These also trigger exec_needs_mount_namespace() in src/core/exec-invoke.c.
+# Resetting them is cheap insurance against a future cockpit-ws unit-file
+# bump that adds any of them upstream:
+BindPaths=
+BindReadOnlyPaths=
+TemporaryFileSystem=
+ExtensionDirectories=
+ExtensionImages=
+RootDirectory=
+RootImage=
+MountAPIVFS=no
+DynamicUser=no
+RestrictFileSystems=

usr/lib/systemd/system/mios-wsl-early.service

@@ -0,0 +1,19 @@
+[Unit]
+Description='MiOS' WSL2 pre-sysinit fixups (rshared root + /dev/{net/tun,fuse})
+Documentation=https://github.com/MiOS-DEV/MiOS
+ConditionVirtualization=wsl
+DefaultDependencies=no
+After=systemd-tmpfiles-setup-dev.service systemd-remount-fs.service
+Before=sysinit.target basic.target shutdown.target
+Conflicts=shutdown.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/libexec/mios/wsl-early
+# Intentionally no sandboxing: this unit is what makes sandboxing possible
+# for everything else. Setting any of {PrivateTmp, ProtectSystem,
+# ReadWritePaths, ...} here would deadlock on the very issue we're fixing.
+
+[Install]
+WantedBy=sysinit.target

usr/lib/sysusers.d/10-mios.conf

@@ -13,8 +13,9 @@ g kvm 36 -
 g video 39 -
 g render 105 -
 g libvirt - -
-g input - -
-g dialout - -
+# 'input' is declared in 00-coreos-static.conf and 'dialout' in setup.conf;
+# omitting them here avoids per-boot "Conflict ... ignoring line" warnings.
+# `m mios input` / `m mios dialout` below still resolve via NSS.
 g docker - -
 g mios 1000
 

usr/lib/tmpfiles.d/mios-grd.conf

@@ -1,2 +1,3 @@
-d /var/lib/gnome-remote-desktop 0770 gnome-remote-desktop gnome-remote-desktop -
+# /var/lib/gnome-remote-desktop is created by upstream's gnome-remote-desktop
+# tmpfiles.d (also at 0770 grd:grd), so we don't re-declare it here.
 d /var/lib/mios 0755 root root -

usr/lib/tmpfiles.d/mios-infra.conf

@@ -62,7 +62,8 @@ d /etc/cdi                    0755 root root -
 d /etc/greenboot              0755 root root -
 
 # -- PAM & Auth ---------------------------------------------------------------
-d /etc/pam.d                  0755 root root -
+# /etc/pam.d is shipped by the pam RPM and declared in upstream tmpfiles;
+# re-declaring it here triggers a duplicate-line warning at boot.
 d /etc/sudoers.d              0750 root root -
 
 # -- Cloud-Init & Multipath ---------------------------------------------------

usr/lib/tmpfiles.d/mios.conf

@@ -24,7 +24,8 @@ d /srv/ai/outputs          0755 mios-ai   mios-ai   -  -
 d /srv/ai/collections      0755 mios-ai   mios-ai   -  -
 
 # --- bootc linting compliance ---
-d /var/home/mios           0755 mios      mios      -  -
+# /var/home/mios is owned by mios-user.conf (C+Z lines that copy /etc/skel
+# and chown). Keeping it here too caused a duplicate-line warning at boot.
 d /var/lib/AccountsService 0775 root      root      -  -
 d /var/lib/AccountsService/icons 0775 root root      -  -
 d /var/lib/AccountsService/users 0700 root root      -  -

usr/libexec/mios/wsl-early

@@ -0,0 +1,70 @@
+#!/usr/bin/env bash
+# MiOS -- wsl-early: WSL2 pre-sysinit fixups.
+#
+# Runs as PID 1's child with full root caps BEFORE basic.target and BEFORE
+# any service that creates a mount namespace. Fixes two WSL2-specific gaps
+# that cause cascading failures across cockpit and rootless podman:
+#
+#   1. Root mount propagation -- WSL2's /init mounts / private, which makes
+#      systemd's per-unit `mount(NULL, "/", NULL, MS_REC|MS_SLAVE, NULL)`
+#      return EOPNOTSUPP. That's the actual cause of `cockpit.service:
+#      Failed to set up mount namespacing: Operation not supported` and
+#      every "status=226/NAMESPACE" failure on WSL. Marking root rshared
+#      lets every subsequent unit's PrivateTmp/ProtectSystem/etc. clone
+#      a private mount namespace cleanly.
+#
+#   2. /dev/net/tun and /dev/fuse -- the WSL2 kernel builds tun + fuse
+#      in-tree, but systemd-udevd is condition-gated off (ConditionPathIs
+#      ReadWrite=/sys fails because /sys is RO under WSL2's /init), so
+#      nothing auto-creates the char device nodes. Without /dev/net/tun
+#      slirp4netns can't open its tap fd; without /dev/fuse fuse-overlayfs
+#      reports "cannot mount: No such file or directory" and rootless
+#      podman storage init fails entirely. We mknod them by hand here.
+#
+# Why this script and not tmpfiles.d:
+#   * `c!` lines in tmpfiles.d would work in theory, but tmpfiles is run
+#     after some early namespace-using units have already failed, and
+#     because tmpfiles itself uses sandboxing on some unit paths, mknod
+#     can return EPERM under the same propagation lock that bites cockpit.
+#     Doing it from a no-sandbox oneshot before basic.target avoids both.
+set -euo pipefail
+
+_log() { logger -t mios-wsl-early "$*" 2>/dev/null || true; echo "[wsl-early] $*" >&2; }
+
+# Hard gate: only on WSL.
+if [[ ! -f /proc/sys/fs/binfmt_misc/WSLInterop && ! -d /run/WSL ]]; then
+    case "$(systemd-detect-virt 2>/dev/null || echo unknown)" in
+        wsl) ;;
+        *)   _log "not running under WSL; nothing to do"; exit 0 ;;
+    esac
+fi
+
+# 1. Make / rshared so per-unit mount namespaces can MS_SLAVE-propagate.
+#    Idempotent: a second --make-rshared on an already-shared mount is a no-op.
+if mount --make-rshared / 2>/dev/null; then
+    _log "mount --make-rshared / OK"
+else
+    _log "WARN: mount --make-rshared / failed (continuing -- some namespace setups may still fail)"
+fi
+
+# 2. Ensure /dev/net/tun (c 10:200) and /dev/fuse (c 10:229) exist.
+#    Both are kernel-builtin on the microsoft-standard-WSL2 kernel; the
+#    nodes only need to be present in /dev for slirp4netns and
+#    fuse-overlayfs to open them.
+mkdir -p /dev/net 2>/dev/null || true
+if [[ ! -e /dev/net/tun ]]; then
+    if mknod /dev/net/tun c 10 200 2>/dev/null && chmod 0666 /dev/net/tun 2>/dev/null; then
+        _log "mknod /dev/net/tun (c 10:200) OK"
+    else
+        _log "WARN: /dev/net/tun mknod failed (slirp4netns may not work)"
+    fi
+fi
+if [[ ! -e /dev/fuse ]]; then
+    if mknod /dev/fuse c 10 229 2>/dev/null && chmod 0666 /dev/fuse 2>/dev/null; then
+        _log "mknod /dev/fuse (c 10:229) OK"
+    else
+        _log "WARN: /dev/fuse mknod failed (fuse-overlayfs may not work)"
+    fi
+fi
+
+_log "WSL2 early fixups complete"