Mounting ZVOL securely in container


#1

I am struggling to mount a ZVOL securely but r/w in a container. I tried the unix-block and disk devices with no luck.

I created a zvol: zfs create -s -V 200GB pool1/lxd-zvol/backup

Next I tried adding it directly (using unix-block) with no luck running fdisk from the guest:

lxc config device add backup data unix-block path=/data source=/dev/zd16

Next I created a partition from the host and did:

lxc config device add backup data unix-block path=/data source=/dev/zd16p1
and also
lxc config device add backup data unix-block path=/dev/zd16p1

Both seem to have similar weird behavior and I cannot read the partition content from guest.

So I tried:
lxc config device add backup data disk path=/data source=/dev/zd16p1

I can then read partition content from /data but not write to it. I am pretty much stuck.

I just want a ZVOL mounted in a container as ext4 with userquota support enabled at mount time.


(Stéphane Graber) #2

So the normal way to do this goes along the lines of:

  • zfs create -s -V 200GB pool1/lxd-zvol/backup
  • mkfs.ext4 /dev/zd16
  • mount /dev/zd16 /mnt
  • chown 1000000:1000000 /mnt
  • umount /mnt
  • lxc config device add backup data disk path=/data source=/dev/zd16

The chown step is necessary to have the filesystem be owned by root inside the container (you may have to change the uid/gid to match that of the container), at that point the container should perfectly happily write to it.
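
The procedure above, written out as an added example (it is not code from the thread or from LXD). It takes the uid/gid to chown to from the container's idmap instead of hard-coding 1000000, since the right value is whatever host uid the container's root (Nsid 0) maps to. Assumptions: the dataset `pool1/lxd-zvol/backup`, device `/dev/zd16`, container `backup` and mount path `/data` are taken from the thread; the idmap JSON is a constructed sample shaped like the value LXD stores in `volatile.last_state.idmap` / `volatile.idmap.current`; by default the script only prints the commands (set `DRY_RUN=0` to execute them as root on the host).

```shell
#!/bin/sh
# Added example, not from the original thread or from LXD:
# provision a ZVOL as an ext4 data disk for an unprivileged LXD container,
# chowning the filesystem root to the host uid/gid that container root maps to.
# DRY_RUN defaults to 1 (print commands only); DRY_RUN=0 runs them.
set -eu
DRY_RUN=${DRY_RUN:-1}

# Pull the host uid that container root (Nsid 0) maps to out of the idmap JSON
# array LXD keeps in volatile.last_state.idmap / volatile.idmap.current.
idmap_root_uid() {
    printf '%s\n' "$1" | tr '}' '\n' \
        | grep '"Isuid":true' | grep -E '"Nsid":0(,|$)' \
        | sed -n 's/.*"Hostid":\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Same for the gid: the entry flagged Isgid.
idmap_root_gid() {
    printf '%s\n' "$1" | tr '}' '\n' \
        | grep '"Isgid":true' | grep -E '"Nsid":0(,|$)' \
        | sed -n 's/.*"Hostid":\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Print the command (DRY_RUN=1) or execute it (DRY_RUN=0).
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# provision_zvol DATASET DEVICE CONTAINER MOUNTPATH UID GID
# The six steps from the answer above, in order.
provision_zvol() {
    dataset=$1; dev=$2; ctr=$3; path=$4; uid=$5; gid=$6
    run zfs create -s -V 200GB "$dataset"
    run mkfs.ext4 "$dev"
    run mount "$dev" /mnt
    run chown "$uid:$gid" /mnt
    run umount /mnt
    run lxc config device add "$ctr" data disk path="$path" source="$dev"
}

# Constructed sample (hypothetical, not captured from a real host) of the
# idmap JSON; on a real host read it with:
#   lxc config get backup volatile.last_state.idmap
SAMPLE_IDMAP='[{"Isuid":true,"Isgid":false,"Hostid":100000,"Nsid":0,"Maprange":65536},{"Isuid":false,"Isgid":true,"Hostid":100000,"Nsid":0,"Maprange":65536}]'

main() {
    uid=$(idmap_root_uid "$SAMPLE_IDMAP")
    gid=$(idmap_root_gid "$SAMPLE_IDMAP")
    provision_zvol pool1/lxd-zvol/backup /dev/zd16 backup /data "$uid" "$gid"
}

main
```

Two practitioner notes from the editor, not from the thread. First, the chown target is the host uid of the container's root, so if several containers share one idmap range (the default unless `security.idmap.isolated=true` is set, which gives each container its own range), the files are owned by "root" of every container in that range; a container still only sees the ZVOL if the disk device is attached to it, so do not attach the same device to more than one container unless sharing is intended. Second, the thread does not cover passing mount options such as `usrjquota=...` through an LXD disk device; for ext4 the filesystem-level quota feature (`mkfs.ext4 -O quota`, or `tune2fs -O quota` on an unmounted filesystem) tracks usage without any mount option, which is worth checking before looking for a way to set mount options.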


#3

It works, thanks. Uid is 10000 as shown by lxc config show backup ("Hostid":100000). Other containers also have the same Hostid; is it secure? I mean, can other containers access that ZVOL in any way?


#4

And also, what is the proper way to set the mount options to add usrjquota=aquota.user,jqfmt=vfsv1?


#5

@stgraber after hours and hours of searching I still cannot figure out how to set mount options for the secondary drive. Is it even possible? LXC can do it, but can LXD?


#6

Follow up