Permissions for ZFS datasets inside mountpoint for LXC are forgotten on LXC restart

jarrodsfarrell

Oct 28, 2022
Aluminum is our host and runs Virtual Environment 7.2-11. It is ZFS-on-root but the storage is on a separate pool, so we have aluminum-os and aluminum-storage as our pools.

documents is a LXC running Debian 11 and a pretty bare configuration with just Samba. It has a mountpoint on /srv that is on the host's /srv/internal.xxx.com/documents.

On Aluminum, /srv/internal.xxx.com/documents is the dataset aluminum-storage/srv/internal.xxx.com/documents. Under that dataset are child datasets company-files, customer-part-files, and incoming-scans.

Whenever the container restarts, company-files, customer-part-files, and incoming-scans have nobody as the user and group—as if the directory was created outside the LXC—and I cannot modify, list, or add any files inside the directory. However, on the host it has the correct UID/GID set on the folder. But if I zfs rename the datasets to a temporary name and back, permissions are corrected in the LXC and access works again until the LXC is restarted.

Code:
--- Aluminum (Proxmox)

# zfs get acltype aluminum-storage/srv/internal.xxx.com/documents
NAME                                             PROPERTY  VALUE     SOURCE
aluminum-storage/srv/internal.xxx.com/documents  acltype   posix     inherited from aluminum-storage

# ls -l /srv/internal.xxx.com/documents/
total 3
drwxrwxrwx 2 100000 100000 2 Oct 28 13:06 company-files
drwxrwxrwx 5 100000 100000 5 Oct 27 17:17 customer-part-files
drwxrwxrwx 2 100000 100000 2 Oct 27 18:38 incoming-scans

-- documents (LXC)

root@documents:/srv# ls -l
total 3
drwxr-xr-x 2 nobody nogroup 2 Oct 28 17:39 company-files
drwxr-xr-x 2 nobody nogroup 2 Oct 28 18:00 customer-part-files
drwxr-xr-x 2 nobody nogroup 2 Oct 28 17:40 incoming-scans

-- Aluminum

# zfs rename aluminum-storage/srv/internal.xxx.com/documents/company-files{,_}
# zfs rename aluminum-storage/srv/internal.xxx.com/documents/company-files{_,}
; Repeat for other datasets...

-- documents

root@documents:/srv# ls -l
total 3
drwxrwxrwx 2 root root 2 Oct 28 17:06 company-files
drwxrwxrwx 5 root root 5 Oct 27 21:17 customer-part-files
drwxrwxrwx 2 root root 2 Oct 27 22:38 incoming-scans

Is there some kind of nuance I missed? I'm still generally new to Proxmox and only had a month working with it so far.

Edit: I know the permissions on the directory are really permissive before someone asks. It's on my todo-list.
 