Using ZFS commands inside LXC container

[veltsob]

Hi,

I am trying to set up a debian 13 LXC container on Proxmox 9.0.11 from which I can manage ZFS pools. I managed to bind the ZFS storage to the container, however, now I am struggling to get ZFS commands to work inside the container. When I try to use a ZFS command, I get

zpool status
Failed to initialize the libzfs library.

What I have done so far is that I added the proxmox repos inside the container, so the ZFS packages inside the container are the same version as on the proxmox host, as the packages from the debian repos were a few versions behind. Furthermore, I added this to the LXC config file:

lxc.cgroup.devices.allow: c 10:249 rwm
lxc.mount.entry: /dev/zfs dev/zfs none bind,create=file 0 0
lxc.mount.entry: /dev/fuse dev/fuse none bind,create=file 0 0
lxc.mount.entry: /sys/class sys/class none bind,rw,create=dir 0 0
lxc.mount.entry: /sys/devices sys/devices none bind,rw,create=dir 0 0
lxc.apparmor.profile: unconfined
lxc.cap.drop:
lxc.mount.auto: proc:mixed sys:mixed

From my understanding, binding /lib/modules to the container should solve the issue, but using

lxc.mount.entry: /lib/modules /lib/modules none rbind,ro,create=dir 0 0

is not doing anything and the container starts up with no error message.
Those are the ZFS related packages that I have installed inside the container:

libzfs6linux/stable,now 2.3.4-pve1 amd64 [installed]
zfs-dkms/stable,now 2.3.2-2 all [installed]
zfs-initramfs/stable,now 2.3.4-pve1 all [installed]
zfs-zed/stable,now 2.3.4-pve1 amd64 [installed]
zfsutils-linux/stable,now 2.3.4-pve1 amd64 [installed]

Maybe I am overlooking something obvious or someone has an idea where to start troubleshooting this.

Thanks for your help!

 

[nuttervm]

Were you ever able to figure this out? I have a similar use case.

In my case it is relatively simple - I bind mount a external USB hard drive that is formatted as ZFS to a LXC running Debian 13, and would like to execute ZFS commands from within the LXC on the bind mounted device.

 

[news]

No, you will isolation in VM and LXC from the Hardwarelevel.
And ZFS Commands need root access!

 

[nuttervm]

Is that the case for both privileged LXCs as well as unprivileged LXCs?

 

[louie1961]

Did you install zfsutils-linux in the Debian LXC? Leaving aside the issues of a non privileged container, a Debian LXC won't have the user space tools installed until you install the zfsutils-linux package through apt in your LXC.

 

[beren12]

No, you will isolation in VM and LXC from the Hardwarelevel.
And ZFS Commands need root access!

I just wanted to let you know that you do not need root access with delegation, except for mounting and unmounting (It's a linux restriction not zfs)

I'm looking to setup something like this as well. I have a few linux boxes that I want to shift to lxc and being able to do admin stuff from inside would be very useful.

 

[alexskysilk]

I'm looking to setup something like this as well. I have a few linux boxes that I want to shift to lxc and being able to do admin stuff from inside would be very useful.

I'm curious- what would be the use case for this? in my view containers exist to isolate an application from the underlying hardware. if a container has access it loses its purpose to exist.

 

[beren12]

I'm curious- what would be the use case for this? in my view containers exist to isolate an application from the underlying hardware. if a container has access it loses its purpose to exist.

Your view is flawed. You're not giving the container access to the underlying hardware, you are giving the container the ability to manage it's own files. The container can make datasets, snapshots, do it's own backups if needed, change it's recordsize, etc. For a single application it may not be as important, but if you are using the containers as a lightweight vm it's far more attractive. I'm going to combine a bunch of machines into 1 server, most are fairly specialized: home automation, plex/jellyfin, general light terminal use, etc and containers are much easier to share resources.

Sure, i could setup sanoid on proxmox directly, but then I have to keep up with dataset names, and if they get moved to another host the snapshotting and backups dont, the uid/gid get all screwed up if they are unpriv. containers, etc.

 

[alexskysilk]

Your view is flawed.

I Imagine you're very popular with you peers.

. I'm going to combine a bunch of machines into 1 server, most are fairly specialized: home automation, plex/jellyfin, general light terminal use, etc and containers are much easier to share resources.

Why bother with a hypervisor then? just set up docker and linux and you're done...

 

[beren12]

I Imagine you're very popular with you peers.

I'm sorry I didn't sugarcoat it. If you are looking at something incorrectly what do you call it?

Why bother with a hypervisor then? just set up docker and linux and you're done...

Well. That's what I have. I want to combine multiple machines onto one as well as with VMs. Not everything runs in docker, either. I am bothering setting up a hypervisor to supervise things together on one box. What do you use hypervisors for? Something different? If you aren't familiar with the features and power of zfs I'm not surprised why you wouldn't get the desire for delegation. It's really powerful.

 

[alexskysilk]

If you are looking at something incorrectly what do you call it?

Ignorance. although I usually leave room for the possibility the ignorance is mine. there is no more certainty in being wrong then not allowing for a different perspective. believing you're right and being, err, forceful about it says more about you then you perhaps intend.

zfs I'm not surprised why you wouldn't get the desire for delegation. It's really powerful.

ZFS is powerful. its also a tool. you dont need pve to use it.

What do you use hypervisors for? Something different?

different then you? most certainly. it's to create hardware separated namespaces. zfs can function as a mechanism to allow that, but in all honesty I dont use zfs as its failure domain is too narrow for high availability. If hardware seperation isnt necessary or desirable a hypervisor is unnecessary complexity.

 

[beren12]

Ignorance. although I usually leave room for the possibility the ignorance is mine. there is no more certainty in being wrong then not allowing for a different perspective. believing you're right and being, err, forceful about it says more about you then you perhaps intend.


ZFS is powerful. its also a tool. you dont need pve to use it.


different then you? most certainly. it's to create hardware separated namespaces. zfs can function as a mechanism to allow that, but in all honesty I dont use zfs as its failure domain is too narrow for high availability. If hardware seperation isnt necessary or desirable a hypervisor is unnecessary complexity.

So I want (more) hardware separation than is currently offered, but is possible with existing tools. I care about data integrity, transparent compression, and instant snapshots that can be send to other machines more than HA. And you still missed the meaning of my comment, delegated datasets un-abstract a container from the hardware as much as making a new directory does. It doesn't at all. In fact, currently, there is a *larger* lack of separation between the containers and hardware than it would be with delegation. As I've already said, currently many maintenance tasks and settings can only be done on the host and they wouldn't move with the container.

 

[alexskysilk]

So I want (more) hardware separation than is currently offered, but is possible with existing tools.

Bingo. why arent you using those?

 

[beren12]

Bingo. why arent you using those?

Because they are tucked away in proxmox and I'm asking for them to be exposed to be more easily usable. You seem to be stuck on your way is the only correct way.