Permissions for ZFS datasets inside mountpoint for LXC are forgotten on LXC restart

jarrodsfarrell

Oct 28, 2022
Aluminum is our host and runs Virtual Environment 7.2-11. It is ZFS-on-root but the storage is on a separate pool, so we have aluminum-os and aluminum-storage as our pools.

documents is an LXC running Debian 11 and a pretty bare configuration with just Samba. It has a mountpoint on /srv that is on the host's /srv/internal.xxx.com/documents.

On Aluminum, /srv/internal.xxx.com/documents is the dataset aluminum-storage/srv/internal.xxx.com/documents. Under that dataset are the child datasets company-files, customer-part-files, and incoming-scans.

Whenever the container restarts, company-files, customer-part-files, and incoming-scans have nobody as the user and group—as if the directory was created outside the LXC—and I cannot modify, list, or add any files inside the directory. However, on the host it has the correct UID/GID set on the folder. But if I zfs rename the datasets to a temporary name and back, permissions are corrected in the LXC and access works again until the LXC is restarted.

Code:
--- Aluminum (Proxmox)

# zfs get acltype aluminum-storage/srv/internal.xxx.com/documents
NAME                                             PROPERTY  VALUE     SOURCE
aluminum-storage/srv/internal.xxx.com/documents  acltype   posix     inherited from aluminum-storage

# ls -l /srv/internal.xxx.com/documents/
total 3
drwxrwxrwx 2 100000 100000 2 Oct 28 13:06 company-files
drwxrwxrwx 5 100000 100000 5 Oct 27 17:17 customer-part-files
drwxrwxrwx 2 100000 100000 2 Oct 27 18:38 incoming-scans

-- documents (LXC)

root@documents:/srv# ls -l
total 3
drwxr-xr-x 2 nobody nogroup 2 Oct 28 17:39 company-files
drwxr-xr-x 2 nobody nogroup 2 Oct 28 18:00 customer-part-files
drwxr-xr-x 2 nobody nogroup 2 Oct 28 17:40 incoming-scans

-- Aluminum

# zfs rename aluminum-storage/srv/internal.xxx.com/documents/company-files{,_}
# zfs rename aluminum-storage/srv/internal.xxx.com/documents/company-files{_,}
; Repeat for other datasets...

-- documents

root@documents:/srv# ls -l
total 3
drwxrwxrwx 2 root root 2 Oct 28 17:06 company-files
drwxrwxrwx 5 root root 5 Oct 27 21:17 customer-part-files
drwxrwxrwx 2 root root 2 Oct 27 22:38 incoming-scans

Is there some kind of nuance I missed? I'm still generally new to Proxmox and have only had a month working with it so far.

Edit: I know the permissions on the directory are really permissive before someone asks. It's on my todo-list.
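
The listings in the post show host owner 100000 appearing as root inside the container, and other directories appearing as nobody/nogroup. As an added example (not part of the original post), this sketch translates IDs through a user-namespace ID map in the `/proc/<pid>/uid_map` format; the sample map `0 100000 65536` is an assumption chosen to match the 100000 offset in the listing, and all function names are hypothetical.

```python
# Constructed sample: an ID map in /proc/<pid>/uid_map format
# (inside-ID start, outside-ID start, count). Assumed, not taken from the post.
SAMPLE_UID_MAP = "         0     100000      65536\n"

# Kernel default overflow ID (/proc/sys/kernel/overflowuid); Debian shows it
# as nobody/nogroup. Any host ID with no mapping appears as this value.
OVERFLOW_ID = 65534


def parse_id_map(text):
    """Parse uid_map/gid_map text into (inside, outside, count) tuples."""
    ranges = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 3:
            raise ValueError(f"malformed id map line: {line!r}")
        inside, outside, count = (int(f) for f in fields)
        ranges.append((inside, outside, count))
    return ranges


def host_to_container(host_id, ranges):
    """ID the container sees for a file owned by host_id on the host."""
    for inside, outside, count in ranges:
        if outside <= host_id < outside + count:
            return inside + (host_id - outside)
    return OVERFLOW_ID  # unmapped: displayed as nobody/nogroup


def container_to_host(container_id, ranges):
    """Host ID to chown to so the container sees container_id, or None."""
    for inside, outside, count in ranges:
        if inside <= container_id < inside + count:
            return outside + (container_id - inside)
    return None  # this container ID has no backing host ID


if __name__ == "__main__":
    id_map = parse_id_map(SAMPLE_UID_MAP)
    for host_id in (100000, 101000, 0, 1000):
        seen = host_to_container(host_id, id_map)
        label = "unmapped, shown as nobody" if seen == OVERFLOW_ID else "mapped"
        print(f"host {host_id:>6} -> container {seen:>5} ({label})")
```

On a live system the map to feed in can be read from `/proc/<container init PID>/uid_map` and `gid_map` on the host.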