I’ve installed docker 27.2 on a fairly fresh install of Slackware 15, ext4 root but also with zfs pools. Trying to bind mount a subdirectory in a zfs mount into a container, I’m finding that docker is mounting the underlying root instead. A volume mount of the zfs dataset as a block device does work.
Edit: I’ll add that I did look for other questions about zfs mount issues, but they all report permission errors that I don’t have.

```
# the existing root and zfs mount
root@nyx:~# mount
/dev/nvme0n1p2 on / type ext4 (rw,relatime,stripe=8191)
sand/data/services on /vol/services type zfs (rw,noatime,xattr,noacl,casesensitive)
root@nyx:~# ls -la /vol/services
total 13
drwxr-xr-x 3 root root 3 Mar 16 20:47 ./
drwxr-xr-x 5 root root 4096 Mar 16 20:14 ../
drwxr-xr-x 5 sshd sshd 12 Mar 16 20:45 linkding/

# bind mount it in a container, it mounts /dev/root instead of sand/data/services
root@nyx:~# docker run --rm -itv /vol/services:/mnt alpine:3.21.3 /bin/sh
/ # mount | grep mnt
/dev/root on /mnt type ext4 (rw,relatime,stripe=8191)
/ # ls /mnt
/ # touch /mnt/bork
/ #

# container didn't write to the zfs dataset but to / instead
root@nyx:~# ls -la /vol/services
total 13
drwxr-xr-x 3 root root 3 Mar 16 20:47 ./
drwxr-xr-x 5 root root 4096 Mar 16 20:14 ../
drwxr-xr-x 5 sshd sshd 12 Mar 16 20:45 linkding/
root@nyx:~# zfs unmount sand/data/services
root@nyx:~# ls -la /vol/services
total 8
drwxr-xr-x 2 root root 4096 Mar 17 06:26 ./
drwxr-xr-x 5 root root 4096 Mar 16 20:14 ../
-rw-r--r-- 1 root root 0 Mar 17 06:26 bork

# try as a block device instead, works
root@nyx:~# docker run --rm -it --mount="type=volume,dst=/mnt,volume-driver=local,volume-opt=device=sand/data/services,volume-opt=type=zfs" alpine:3.21.3 /bin/sh
/ # mount | grep mnt
sand/data/services on /mnt type zfs (rw,relatime,xattr,noacl,casesensitive)
/ # ls /mnt
linkding
```

Tried setting a bind propagation argument in case that was related, but got the error “docker: Error response from daemon: path /vol/services is mounted on / but it is not a shared or slave mount.”
The main issue seems to be it detecting the wrong block device to mount in the container. Any thoughts on how I could chase this down? Is there a way to have docker report the mount command it’s using or how it’s determining which device to mount?
System information:

```
root@nyx:~# docker info
Client:
Version: 27.2.0
Context: default
Debug Mode: false
Plugins:
compose: Docker Compose (Docker Inc.)
Version: 2.33.1
Path: /usr/libexec/docker/cli-plugins/docker-compose
Server:
Containers: 4
Running: 4
Paused: 0
Stopped: 0
Images: 32
Server Version: 27.2.0
Storage Driver: overlay2
Backing Filesystem: extfs
Supports d_type: true
Using metacopy: false
Native Overlay Diff: true
userxattr: false
Logging Driver: json-file
Cgroup Driver: cgroupfs
Cgroup Version: 1
Plugins:
Volume: local
Network: bridge host ipvlan macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
Swarm: inactive
Runtimes: io.containerd.runc.v2 runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 472731909fa34bd7bc9c087e4c27943f9835f111
runc version: 2c9f5602f0ba3d9da1c2596322dfc4e156844890
init version: de40ad0
Security Options:
seccomp
Profile: builtin
Kernel Version: 6.12.17
Operating System: Slackware 15.0 x86_64
OSType: linux
Architecture: x86_64
CPUs: 12
Total Memory: 31.25GiB
Name: nyx
ID: b079b06c-45a9-4346-a22b-e79142009a23
Docker Root Dir: /var/lib/docker
Debug Mode: false
Experimental: false
Insecure Registries:
127.0.0.0/8
Live Restore Enabled: false
```

Cheers,
Jw
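
An added diagnostic example, not part of the original post: the script below resolves which mount backs a path in a given mountinfo table, so the shell's view (`/proc/self/mountinfo`) can be compared with another process's view (`/proc/<pid>/mountinfo`). The two sample tables are constructed from the `mount` output in the post; mount IDs and device numbers are made up, and the second view, which lacks the ZFS mount, is an assumption for illustration only.

```shell
#!/bin/sh
# backing_mount FILE PATH
#   Prints "source fstype mountpoint" for the deepest mount covering PATH in
#   a mountinfo-format FILE. Escapes in mount points (\040) are not decoded.
backing_mount() {
    awk -v p="$2" '
    {
        mp = $5
        # Optional fields vary in number; fstype and source follow the "-" field.
        for (i = 7; i <= NF; i++) if ($i == "-") break
        covers = (mp == "/") || (p == mp) || (index(p, mp "/") == 1)
        # ">=" so a later mount stacked on the same mount point wins.
        if (covers && length(mp) >= best) {
            best = length(mp); out = $(i + 2) " " $(i + 1) " " mp
        }
    }
    END { if (out == "") exit 1; print out }' "$1"
}

# same_backing FILE_A FILE_B PATH
#   Exit status 0 if both mount tables resolve PATH to the same mount.
same_backing() {
    [ "$(backing_mount "$1" "$3")" = "$(backing_mount "$2" "$3")" ]
}

# Constructed sample tables (mount IDs and device numbers are made up).
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/shell.mountinfo" <<'EOF'
22 1 259:2 / / rw,relatime shared:1 - ext4 /dev/nvme0n1p2 rw,stripe=8191
87 22 0:45 / /vol/services rw,noatime shared:40 - zfs sand/data/services rw,xattr,noacl,casesensitive
EOF
# Hypothetical second view in which the ZFS mount is absent.
cat > "$SAMPLES/other.mountinfo" <<'EOF'
22 1 259:2 / / rw,relatime - ext4 /dev/root rw,stripe=8191
EOF

for view in shell other; do
    printf '%-6s %s\n' "$view" \
        "$(backing_mount "$SAMPLES/$view.mountinfo" /vol/services)"
done
if same_backing "$SAMPLES/shell.mountinfo" "$SAMPLES/other.mountinfo" /vol/services
then
    echo "views agree on /vol/services"
else
    echo "views differ: /vol/services is backed by different mounts"
fi
```

On a live host, pass `/proc/self/mountinfo` and the `mountinfo` file of the process under suspicion in place of the sample files.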