bindmount ZFS dataset and children to unprivileged LXC

[m_l_s]

On my host I have a ZFS dataset looking like this:

NAME                               MOUNTPOINT
Data                            /Data
Data/Nas                        /Data/Nas
Data/Nas/Documents              /Data/Nas/Documents
Data/Nas/Photos                    /Data/Nas/Photos

I have a LXC with a user whose Id 1000 is mapped to 1000 and which has /Data/Nas mounted:

excerpt from lxc config
mp0: /Data/Nas,mp=/mnt/Data
unprivileged: 1
lxc.idmap: u 0 100000 1000
lxc.idmap: g 0 100000 1000
lxc.idmap: u 1000 1000 1
lxc.idmap: g 1000 1000 1
lxc.idmap: u 1001 101001 64535
lxc.idmap: g 1001 101001 64535

This user now has access to everything in the /Data/Nas directory of the host, just not to the directories where the child-datasets are mounted. The ownership on the host is set correctly:

# ls -l /Data/Nas
total 56
drwxr-xr-x 3 1000 1000 3 Jan 24 18:55 Documents
drwxr-xr-x 2 1000 1000 2 Jan 24 16:40 Images
drwxr-xr-x 2 1000 1000 2 Jan 24 16:40 Test

but on the guest I get:

# ls -l /mnt/Data
total 56
drwxr-xr-x 3 nobody nogroup 3 Jan 24 18:55 Documents
drwxr-xr-x 2 nobody nogroup 2 Jan 24 16:40 Images
drwxr-xr-x 2 1000      1000 2 Jan 24 16:40 Test

I realize this must have something to do with the folders actually being ZFS mountpoints, but I don't know how to fix the issue. Is there anything I can do besides mounting each child-dataset as its own mountpoint?

 

[mfederanko]

You can either mount every dataset individually, using something like this:

mp0: /Data/Nas,mp=/mnt/Data
mp1: /Data/Nas/Documents,mp=/mnt/Data/Docuements
mp2: /Data/Nas/Pictures,mp=/mnt/Data/Pictures

or specify a lxc mount entry:

lxc.mount.entry: /Data/Nas Data none rbind 0 0

in /etc/pve/lxc/<yourid>.conf

References

* man 5 lxc.container.conf lxc.mount.entry option
* man mount search for rbind, which recursively bind-mounts all sub-mounts
* https://forum.proxmox.com/threads/lxc-mount-zfs-pool.147428/