ZFS backend with unprivileged containers?

I’ve create a ZFS pool for all my containers and would like to store unprivileged ones there as well. I’ve found a few discussions about this, but nothing that seems straight forward.

I tried manually creating a ZFS dataset where lxc-create would and chowning it to the uid I expect the container root to have. However, this doesn’t get me far:

 $ lxc-create -n unpriv -B zfs -t download -- -d alpine -r 3.6 -a amd64
 $ Unprivileged users cannot create zfs containers.`

Is this possible to get right, or is it a hack that’s hard to maintain and more trouble than it’s worth?

Might creating a privileged container with ZFS backend and converting that to an unpriviliged one work?

Any ideas (or guides) welcome!

Ok, I figured out that I can just use the “dir” backend and pass the path to a ZFS dataset that has user (host) permissions. That seems to work:

sudo zfs create tank/lxc/unpriv1
sudo chown user:user tank/lxc/unpriv1
lxc-create -n unpriv1 --dir /tank/lxc/unpriv1 -t download -- -d alpine…

lxc-create appears to automatically change ownership of the ZFS dataset to e.g. 100000:100000.

However, does my example actually do the right thing? Doesn’t LXC make special use of the knowledge that the container is on a particular storage backend, and now thinks I used the plain “dir” model. Or is the -B (--bdev) flag solely there to simplify container creation but irrelevant thereafter?

Please let me know.

LXC itself has limited added logic for specific storage backends.

Snapshots would be the main place where storage backend specific logic would apply, but since an unprivileged user also can’t create a zfs snapshot, that’d fail if you were using the zfs backend. So in your case, using dir is the right thing to do.