[lxc-users] unprivileged container with zfs backing
Adam Gold
awg1 at gmx.com
Wed Feb 4 09:58:04 UTC 2015
I'm trying to set up an unprivileged container with user lxcd using a
zfs filesystem (equivalent of a btrfs subvolume) for each container. I'm
aware that for unprivileged container creation, the zfs filesystem has to be manually
created. My zfs file system is:
zfs (the pool)
zfs/lxc
zfs/lxc/containers
The above has been created using 'zfs create ...' and I have run
chown -R lxcd:lxcd ./lxc. The umask is the default 022.
In ~/.config/lxc/lxc.conf I have: 'lxc.lxcpath = /zpool1/lxc/containers'
In ~/.config/lxc/default.conf I have:
lxc.id_map = u 0 100000 65536
lxc.id_map = g 0 100000 65536
lxc.network.type = veth
lxc.network.link = lxcbr0
lxc.network.flags = up
lxc.network.name = eth0
lxc.network.hwaddr = 00:16:3e:xx:xx:xx
Here's the problem: I try to create a container c1 with the zfs
filesystem already in place so the first thing I do is run, as root,
'zfs create zfs/lxc/containers/c1' and then chown -R lxcd:lxcd ./c1.
I then run 'lxc-create -t download -n c1 -B dir -- --dist ubuntu --release
trusty --arch amd64' and get the following error:
lxc_container: lxccontainer.c: create_partial: 164 Permission denied -
Erorr creating partial file
lxc_container: lxc_create.c: main: 271 Error creating container c1
When I check, c1 directory is empty.
I think this is zfs-lxc related (as opposed to just lxc) because if I
remove the zfs/lxc/containers/c1 filesystem and run the same command
which now attempts to create the container on a simple dir backing store
there is no problem.
I've also tried manually creating the directory rootfs underneath c1 and
then running 'lxc-create -t download -n c1 -B dir --dir
/zfs/lxc/containers/c1/rootfs -- --dist ubuntu --release trusty --arch
amd64' but I get the same error messages.
I guess then that the only time it works in zfs is when the location for
creating containers is specified in ~/.config/lxc/lxc.conf and the
rootfs directory of the new container is two dirs down from the root of
the nearest zfs filesystem (in my example which works:
zfs/lxc/containers is the specified location, the container rootfs is
zfs/lxc/containers/c1/rootfs).
In summary, I would like each unprivileged container to run on top of a
new zfs filesystem which I create as root and assign relevant ownership
to. Is this possible?
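The post above hinges on two prerequisites for an unprivileged container whose directory tree is prepared ahead of time by root: the creating user must actually own and be able to write the container directory (lxc-create writes its `partial` marker and `config` there before touching the rootfs), and the `lxc.id_map` ranges in default.conf must lie inside the ranges delegated to that user. The following pre-flight script is an added example, not code from the original post or from the LXC project. It assumes GNU `stat -c` (for the owner uid), `/etc/subuid`- and `/etc/subgid`-style files with `user:start:count` lines, and a default.conf using the `lxc.id_map = <u|g> <container-id> <host-id> <count>` syntax shown in the post; the file paths and the sample ranges used in the usage section are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post or from LXC): pre-flight checks
# for an unprivileged LXC container whose directory was pre-created by root,
# e.g. as a ZFS dataset, and then chown'ed to the unprivileged user.

# check_idmap_range SUBID_FILE USER START COUNT
# Succeeds if [START, START+COUNT) lies entirely inside one range delegated
# to USER in a /etc/subuid- or /etc/subgid-style file ("user:start:count").
check_idmap_range() {
    subid_file=$1; user=$2; start=$3; count=$4
    awk -F: -v u="$user" -v s="$start" -v c="$count" '
        $1 == u && s >= $2 && s + c <= $2 + $3 { ok = 1 }
        END { exit ok ? 0 : 1 }
    ' "$subid_file"
}

# check_config_idmaps CONF SUBUID SUBGID USER
# Reads every "lxc.id_map = <u|g> <container-id> <host-id> <count>" line in
# CONF and verifies the host-side range is delegated to USER. Prints one
# verdict per mapping; returns 0 only if all mappings are delegated.
check_config_idmaps() {
    conf=$1; subuid=$2; subgid=$3; user=$4
    rc=0
    while read -r key eq type cid hid count; do
        [ "$key" = "lxc.id_map" ] || continue
        case $type in
            u) file=$subuid ;;
            g) file=$subgid ;;
            *) echo "bad id_map type '$type' in $conf"; rc=1; continue ;;
        esac
        if check_idmap_range "$file" "$user" "$hid" "$count"; then
            echo "ok: $type $cid $hid $count is inside $user's delegated range"
        else
            echo "NOT delegated to $user: $type $cid $hid $count"; rc=1
        fi
    done < "$conf"
    return $rc
}

# check_container_dir DIR USER
# USER may be a name or a numeric uid. DIR must exist, be owned by USER and
# be writable by the calling process (lxc-create creates DIR/partial and
# DIR/config before it populates the rootfs).
check_container_dir() {
    dir=$1; user=$2
    [ -d "$dir" ] || { echo "missing directory: $dir"; return 1; }
    owner_uid=$(stat -c %u "$dir")                 # GNU stat (assumption)
    want_uid=$(id -u "$user" 2>/dev/null) || want_uid=$user
    [ "$owner_uid" = "$want_uid" ] || {
        echo "$dir is owned by uid $owner_uid, expected $want_uid ($user)"
        return 1
    }
    [ -w "$dir" ] || { echo "$dir is not writable by the current user"; return 1; }
    echo "ok: $dir exists, is owned by uid $want_uid and is writable"
}

# Usage (constructed sample data; real systems use /etc/subuid, /etc/subgid
# and ~/.config/lxc/default.conf):
if [ "${0##*/}" = "lxc_preflight.sh" ]; then
    work=$(mktemp -d)
    printf 'lxcd:100000:65536\n' > "$work/subuid"
    printf 'lxcd:100000:65536\n' > "$work/subgid"
    printf 'lxc.id_map = u 0 100000 65536\nlxc.id_map = g 0 100000 65536\n' \
        > "$work/default.conf"
    mkdir "$work/c1"
    check_config_idmaps "$work/default.conf" "$work/subuid" "$work/subgid" lxcd
    check_container_dir "$work/c1" "$(id -u)"
    rm -rf "$work"
fi
```

Run it as the unprivileged user (here lxcd) against the real container directory, e.g. `check_container_dir /zfs/lxc/containers/c1 lxcd`, since the writability test is evaluated for the calling process, not for the named user. A failure from `check_container_dir` points at ownership or mode on the pre-created directory; a failure from `check_config_idmaps` means the mapping in default.conf requests host ids the user has not been delegated, which is the least-privilege boundary unprivileged containers depend on.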