LXC Audio / Sound

I currently have the same problem, and the only alternative solution that is mentioned everywhere is to uid shift uid 1000 into the container, but that would give the container access to the entire uid 1000 namespace, right?

I have tried chowning with a post-mount hook, with a setuid binary with execve(), but inside the container the file is still nobody:nogroup and chowning inside the container is denied.

What do you mean by “recreating the device”?
Do you not mean mounting, but using “mknod” or “cp -a” and chowning that?

Edit:
Can confirm that works for getting root:root inside the container,
without uid shifting etc (I guess it actually is a uid shift, by chowning)
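
An added example, not part of the original post: it resolves ownership across an `lxc.idmap` mapping to show why a host-owned file appears as nobody:nogroup inside an unprivileged container, and which host id a chown must target for the container to see root:root. The idmap ranges and the function names are constructed for illustration.

```python
# Added example (not from the post): resolve file ownership across an
# lxc.idmap mapping. The idmap ranges below are constructed sample values.
OVERFLOW_ID = 65534  # unmapped ids appear as this id (nobody/nogroup)

DEFAULT_MAP = """
lxc.idmap = u 0 100000 65536
lxc.idmap = g 0 100000 65536
"""
# Variant that passes host uid/gid 1000 through unchanged ("uid shift").
SHIFTED_MAP = """
lxc.idmap = u 0 100000 1000
lxc.idmap = u 1000 1000 1
lxc.idmap = u 1001 101001 64535
lxc.idmap = g 0 100000 1000
lxc.idmap = g 1000 1000 1
lxc.idmap = g 1001 101001 64535
"""

def parse_idmap(config_text):
    """Return {'u': [(ct_start, host_start, count)], 'g': [...]}."""
    maps = {"u": [], "g": []}
    for raw in config_text.splitlines():
        key, _, value = raw.split("#", 1)[0].partition("=")
        if key.strip() != "lxc.idmap":
            continue
        fields = value.split()
        if len(fields) != 4 or fields[0] not in maps:
            raise ValueError(f"bad lxc.idmap line: {raw!r}")
        maps[fields[0]].append(tuple(int(f) for f in fields[1:]))
    return maps

def host_to_container(maps, kind, host_id):
    """Id a host-owned file shows inside the container."""
    for ct, host, count in maps[kind]:
        if host <= host_id < host + count:
            return ct + (host_id - host)
    return OVERFLOW_ID

def container_to_host(maps, kind, ct_id):
    """Host id to chown to so the container sees ct_id; None if unmapped."""
    for ct, host, count in maps[kind]:
        if ct <= ct_id < ct + count:
            return host + (ct_id - ct)
    return None

if __name__ == "__main__":
    for name, text in (("default", DEFAULT_MAP), ("shifted", SHIFTED_MAP)):
        m = parse_idmap(text)
        print(name, "host uid 1000 ->", host_to_container(m, "u", 1000),
              "| container root is host uid", container_to_host(m, "u", 0))
```

With the constructed default map, chowning a single node to host uid 100000 changes ownership of that one file only, while the shifted map makes container uid 1000 the same kernel id as host uid 1000 for every file the container can reach.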