Debian 12, Podman & ZFS

I’m using Debian 12, ZFS 2.1.1 and am trying to use podman inside of an incus container, and I get stuck with the following error message:

root@podmantest:~# podman run hello-world
ERRO[0000] [graphdriver] prior storage driver overlay failed: 'overlay' is not supported over zfs, a mount_program is required: backing file system is unsupported for this graph driver 
Error: 'overlay' is not supported over zfs, a mount_program is required: backing file system is unsupported for this graph driver

(I have set security.nesting to true)

If I try to create a zfsvol

root@initial:/etc/apt# incus storage volume create default podman zfs.block_mode=true size=5GiB
Storage volume podman created
root@initial:/etc/apt# incus config device add podmantest docker disk pool=default source=podman path=/var/lib/docker
Device docker added to podmantest

…I still get the same message.

Any pointers for making this work?

I should add that setting security.nesting to true was enough to get Docker going, but not podman.

I can’t find ZFS in backports anymore so I can’t upgrade either…

Does podman have an equivalent to the vfs driver in Docker?
I believe that in the same situation Docker would have fallen back to vfs instead of overlay2.

I experienced this before; I can’t check right now how I solved it. Try installing containers-storage, it’s suggested by Podman 4.3.1 on Debian 12. It includes the config in /usr/share/containers/storage.conf.

I’m running podman with incus (Ubuntu 24.04, zfs storage) in a Debian trixie container, with this config in a profile:

config:
  limits.cpu: "2"
  limits.memory: 4GB
  limits.memory.swap: "false"
  raw.lxc: lxc.apparmor.profile=unchanged
  security.nesting: "true"
  security.syscalls.intercept.mknod: "true"
  security.syscalls.intercept.setxattr: "true"

Output of podman info (partial):

host:
  arch: amd64
  buildahVersion: 1.37.5
  cgroupControllers:
  - cpuset
  - cpu
  - io
  - memory
  - pids
  cgroupManager: systemd
  cgroupVersion: v2
...
  distribution:
    codename: trixie
    distribution: debian
...
  graphDriverName: overlay
...
graphStatus:
    Backing Filesystem: zfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Supports shifting: "false"
    Supports volatile: "true"
    Using metacopy: "false"
...
version:
  APIVersion: 5.2.5
  Built: 1729890366
  BuiltTime: Fri Oct 25 21:06:06 2024
  GitCommit: ""
  GoVersion: go1.23.2
  Os: linux
  OsArch: linux/amd64
  Version: 5.2.5

When installing podman in that container, I also installed containers-storage.

/thomas

Oh the solution was quite silly!

I had to mount the storage volume to /var/lib/containers to make podman work! I had mounted it to /var/lib/docker when testing this.

So if anyone finds this thread, below is a working setup for me:

$ incus launch images:debian/12/cloud podmantest --profile default 
$ incus config set podmantest security.nesting true
$ incus storage volume create default podman zfs.block_mode=true size=5GiB
$ incus config device add podmantest docker disk pool=default source=podman path=/var/lib/containers

I thought I had gone over everything several times…

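Why the first attempt in this thread kept failing, as an added example that is not part of any post above: rootful podman keeps its graph root under /var/lib/containers/storage, so a volume mounted at /var/lib/docker leaves that path on the container's zfs root. The mount tables below are constructed (the dataset name, /dev/zd0 and ext4 on the block-mode volume are assumptions), and `backing_fs` and `native_overlay_ok` are hypothetical helper names.

```shell
#!/bin/sh
# Constructed mount tables in /proc/mounts layout: device mountpoint fstype opts.
# Assumed values: dataset name, /dev/zd0, and ext4 on the block-mode volume.
MOUNTS_WRONG='default/containers/podmantest / zfs rw 0 0
/dev/zd0 /var/lib/docker ext4 rw 0 0'

MOUNTS_RIGHT='default/containers/podmantest / zfs rw 0 0
/dev/zd0 /var/lib/containers ext4 rw 0 0'

# backing_fs PATH MOUNTS
# Print the filesystem type of the longest mountpoint that contains PATH.
# Later entries win ties, because a later mount shadows an earlier one.
backing_fs() {
    printf '%s\n' "$2" | awk -v p="$1" '
        {
            mp = $2
            # A mountpoint covers p if it is "/", equals p, or is a
            # directory prefix of p ("/var/lib/docker" must not match
            # "/var/lib/dockerx").
            if (mp == "/" || p == mp || index(p, mp "/") == 1) {
                if (length(mp) >= best) { best = length(mp); fs = $3 }
            }
        }
        END { print fs }'
}

# native_overlay_ok PATH MOUNTS
# Models only the rejection quoted in the first post: overlay refused
# because the backing filesystem of the graph root is zfs.
native_overlay_ok() {
    [ "$(backing_fs "$1" "$2")" != "zfs" ]
}

GRAPHROOT=/var/lib/containers/storage   # default rootful podman graph root

for table in "$MOUNTS_WRONG" "$MOUNTS_RIGHT"; do
    if native_overlay_ok "$GRAPHROOT" "$table"; then
        echo "$GRAPHROOT is on $(backing_fs "$GRAPHROOT" "$table"): overlay can be used"
    else
        echo "$GRAPHROOT is on zfs: overlay needs a mount_program"
    fi
done

# Inside the real container, check the live table instead:
#   backing_fs /var/lib/containers/storage "$(cat /proc/mounts)"
```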