Hey all! I have a workaround for the above, but I would like some help understanding why the workaround is necessary. I’m trying to better understand the inner workings. All my research leads me to file permissions and (un)privileged containers, both of which I have ruled out.
If I bind mount a top level directory to an LXC, then no process within can recursively see inside nested ZFS datasets, but can do so with directories.
The workaround is to create multiple bind mounts for each sub directory and dataset, but I am not sure why this works.
admin in ~ at lab-dl360 % zfs list
NAME USED AVAIL REFER MOUNTPOINT
test-pool 11.8T 848G 96K /test-pool
test-pool/vm 11.8T 848G 104K /test-pool/vm
test-pool/vm/test-zfs 7.49T 848G 7.49T /test-pool/vm/test-zfs
admin in ~ at lab-dl360 % mkdir /test-pool/vm/test.d
admin in ~ at lab-dl360 % touch /test-pool/vm/test.d/example.file
admin in ~ at lab-dl360 % touch /test-pool/vm/test-zfs/example.file
create any LXC. If I set the mount as such:
no process can see example.file in /host/test-zfs, but has no issues with /host/test.d
I think your work-around is as good as it gets. Each dataset is like its own file system, so nested datasets aren’t treated the same as simple directories. I’ve seen this same behavior with NFS exports on ZFS where I’ve had to mount multiple levels of datasets.
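The mechanism behind that answer, as an added example that is not part of the thread: a bind mount copies one filesystem's view into place, and because every ZFS dataset is a separate mount, the child datasets under the source are not carried along, whereas a plain directory belongs to the parent filesystem and passes through. The script below reads the host's mount table (`/proc/self/mountinfo`) to list the mounts nested below a bind-mount source and prints the extra bind mounts the workaround needs. The mountinfo sample is constructed from the dataset layout shown above, and `mount --bind` stands in as the generic equivalent of the container's mount entry, whose exact config syntax the post does not show.

```shell
#!/bin/sh
# Added example (not from the thread): find the mounts hidden beneath a bind-mount
# source, i.e. the child datasets that a single non-recursive bind mount does not
# carry into the container and that therefore each need their own bind mount.

# Constructed /proc/self/mountinfo sample modelled on the zfs list output above.
# Field 5 is the mount point, the field after "-" is the filesystem type.
SAMPLE_MOUNTINFO='25 1 0:24 / / rw,relatime - ext4 /dev/sda2 rw
60 25 0:50 / /test-pool rw,xattr,noacl - zfs test-pool rw
61 60 0:51 / /test-pool/vm rw,xattr,noacl - zfs test-pool/vm rw
62 61 0:52 / /test-pool/vm/test-zfs rw,xattr,noacl - zfs test-pool/vm/test-zfs rw
70 25 0:30 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw'

# nested_mounts SRC [MOUNTINFO]
# Print every mount point strictly below SRC, one per line, sorted.
# A plain directory (such as /test-pool/vm/test.d) never appears in the mount
# table, so it yields nothing: it is part of the parent filesystem already.
nested_mounts() {
    src=$1
    info=${2:-$(cat /proc/self/mountinfo)}
    printf '%s\n' "$info" | awk -v src="$src" '
        {
            mp = $5
            # mountinfo escapes spaces in paths as \040
            gsub(/\\040/, " ", mp)
            if (index(mp, src "/") == 1) print mp
        }' | sort
}

# emit_bind_cmds SRC DST [MOUNTINFO]
# Print the additional bind mounts that make the nested datasets visible under
# DST as well, mirroring the workaround from the thread in mount(8) syntax.
emit_bind_cmds() {
    src=$1
    dst=$2
    info=${3:-$(cat /proc/self/mountinfo)}
    nested_mounts "$src" "$info" | while IFS= read -r mp; do
        rel=${mp#"$src"}
        printf 'mount --bind %s %s\n' "$mp" "$dst$rel"
    done
}

# Usage: with /test-pool/vm bound to /host inside the container, the only extra
# bind mount required is the nested dataset test-zfs.
emit_bind_cmds /test-pool/vm /host "$SAMPLE_MOUNTINFO"
```

Run without the second argument the functions read the live mount table, so `nested_mounts /test-pool/vm` on the host lists exactly the datasets that a single bind mount of that directory will leave empty inside the container.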