ZFS 2.2.0 Released: ID mapping of unprivileged containers during mount

[harvie]

https://github.com/openzfs/zfs/releases/tag/zfs-2.2.0

OpenZFS 2.2.0 - Lists following new features:

Linux container support (#12209, #14070, #14097, #12263) - Added support for Linux-specific container interfaces such as renameat(2), support for overlayfs, idmapped mounts in a user namespace, and namespace delegation support for containers.

This probably means, we can finaly have unprivileged containers without having to remap root UID/GID on disk! That would mean easily switching CTs between privileged/unprivileged mode (without having to do backup/restore to remap file owner IDs)

Will Proxmox implement this solution?

 

[harvie]

Also alternatively there is something called shiftfs, which does similar thing on non-ZFS filesystems and seems to be slowly preparing it's way to the upstream...

https://discuss.linuxcontainers.org/t/trying-out-shiftfs/5155
https://github.com/toby63/shiftfs-dkms

 

[Dunuin]

Would be nice...so many users here that are overwhelmed by manual UID/GID remapping via CLI.

 

[LnxBil]

Will Proxmox implement this solution?

Of course. Just wait a bit. All new ZFS releases have been used in the Proxmox kernel.

The main advantage of this approach could be the ZFS support inside of the LX(C) container, like on FreeBSD, where you can manage ZFS from the inside. That will be a BIG improvement.

 

[Dunuin]

The main advantage of this approach could be the ZFS support inside of the LX(C) container, like on FreeBSD, where you can manage ZFS from the inside. That will be a BIG improvement.

For me, the main advantage would still be that we don't need to explain user remapping anymore

 

[harvie]

Of course. Just wait a bit. All new ZFS releases have been used in the Proxmox kernel.

One thing is to include new version of ZFS to deb repository. Other thing is to actualy actively leverage new features in Proxmox UI.
Proxmox developers have been bringing the cool ZFS stuff to us in the past, so probably this will come as well. But obviously, the task is not as trivial as merely upgrading to newer version. So we can only hope this will get into their scope.

 

[SInisterPisces]

I just installed Proxmox 8.1 a few minutes ago, and noticed that includes has ZFS 2.2 (with some bugfixes backported from ZFS 2.2.1).

It seems like the devs worked pretty fast to get this bundled in. As a newbie who uses LXC containers and already ran into fun issues with switching between privileged and unprivileged LXC containers, I really appreciate the effort.

I'd like to run Docker in an LXC if possible (my hardware is really resource-limited), but I've been holding off because host (Proxmox) ZFS versions prior to 2.2.x have had issues with LXCs running Docker that are (1) not good; and (2) not yet completely understood by me. I do understand that there seemed to be an issue with an interaction with ZFS on the host and the way docker in the LXC uses the overlay filesystem.

Now that ZFS 2.2 is here, are the previous concerns with running Docker via LXC no longer in play, or still a thing?

If the new version does improve things, is a specific setup needed inside the LXC to get Docker working as intended, or will it just work correctly/better now that ZFS is updated on the host?

 

[harvie]

I am not really sure if LXC 5.0.2 (or even latest 5.0.3) can already make use of this new feature that is available in ZFS 2.2.0. I guess that would be a pre-requisite for proxmox to be able to use it. But i cannot really find any info regarding this. But LXC can use some additional layer called shiftfs if it does detect FS without idmapped mount support. So i guess if proxmox would be set up to work correctly with shiftfs, it will work with native ZFS id mapping as soon as support arrives in LXC.

 

[harvie]

Incus (LXD) 6.0 is using the vfs idmapping now. so it should be possible to implement in proxmox as well...