Summary: problem solved, but I'm not 100% sure why.
After destroying the datasets, I noticed that I had data in various directories such as /opt and /opt/dev/feeds etc. So in my experimentation, I somehow wrote into the mount points, and under the mounted zfs datasets.
So what I did to figure this out was to iterate over a process like this:
| task | command | notes |
| --- | --- | --- |
| destroy the datasets | HOST (root)# zfs destroy -r zroot/SAFE | nuke the planet from orbit |
| rm the mount points | HOST (root)# rm -rf /opt | same |
| ensure everything is clean, e.g. no datasets and directory /opt does not exist | HOST (root)# find /opt | until I did this, I definitely got confusing results |
| create the datasets | HOST (root)# zfs create -o canmount=off -o mountpoint=/opt zroot/SAFE | see below for further discussion on this |
| populate the datasets with some test data | HOST (root)# touch /opt/dev/feeds/feed1.txt | repeat as nec |
| verify that the HOST(root) account can see the data | HOST (root)# find /opt | |
| verify that the JAIL(root) account can see the data | HOST (root)# jexec -l find /opt | |
| verify that the JAIL(root) account can see the data | HOST (root)# jexec -l -U backup find /opt | |
Based on atax1a's comment, I looked over the zpool history:
Code:
2026-02-18.00:00:33 zfs create -p -o canmount=off -o mountpoint=/opt zroot/SAFE
2026-02-18.00:00:33 zfs create -p zroot/SAFE/dev
2026-02-18.00:00:34 zfs create -p zroot/SAFE/dev/feeds
2026-02-18.00:00:35 zfs create -p zroot/SAFE/dev/postgres
2026-02-18.00:00:35 zfs create -p zroot/SAFE/stage
2026-02-18.00:00:36 zfs create -p zroot/SAFE/stage/feeds
2026-02-18.00:00:36 zfs create -p zroot/SAFE/stage/postgres
2026-02-18.00:00:36 zfs create -p zroot/SAFE/prod
2026-02-18.00:00:36 zfs create -p zroot/SAFE/prod/feeds
2026-02-18.00:00:37 zfs create -p zroot/SAFE/prod/postgres
Code:
2026-02-18.19:53:36 zfs create -o canmount=off -o mountpoint=/opt zroot/SAFE
2026-02-18.19:53:36 zfs create -o canmount=off zroot/SAFE/dev
2026-02-18.19:53:36 zfs create -o canmount=off zroot/SAFE/stage
2026-02-18.19:53:36 zfs create -o canmount=off zroot/SAFE/prod
2026-02-18.19:54:12 zfs create zroot/SAFE/dev/file
2026-02-18.19:54:12 zfs create zroot/SAFE/dev/db
2026-02-18.19:54:12 zfs create zroot/SAFE/stage/file
2026-02-18.19:54:12 zfs create zroot/SAFE/stage/db
2026-02-18.19:54:12 zfs create zroot/SAFE/prod/file
2026-02-18.19:54:12 zfs create zroot/SAFE/prod/db
For some reason, the ansible.community.zfs module is creating zfs datasets using the '-p' flag, which causes zfs to ignore any other options passed:
From man(8) zfs-create:
Code:
-p Creates all the non-existing parent datasets. Datasets created in
this manner are automatically mounted according to the mountpoint
property inherited from their parent. Any property specified on
the command line using the -o option is ignored. If the target
filesystem already exists, the operation completes successfully.
So perhaps that was the issue? I'm not sure if it was that or the stale data under the mountpoints mentioned above. But it's fixed now. And after 2 days of noodling with zfs on this issue, I just have a better feel for things.
JohnK
re: /etc/jail.conf.d/backitup.conf
That's a great idea. Done! Thx!
BTW - as I have more questions, what's the tradition on this forum? Create new questions to this post or keep appending questions here?
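
An added example, not part of the original post: a shell function that scans `zpool history` output for `zfs create` commands combining `-p` with `-o`, the combination the quoted zfs-create(8) excerpt describes. The function name `flag_create_p_with_o` is hypothetical, and the sample lines are constructed from the history excerpts above.

```shell
#!/bin/sh
# Added example, not the poster's or the Ansible module's code.
# flag_create_p_with_o (hypothetical name): reads `zpool history` lines on
# stdin and prints "<timestamp> <dataset> <props>" for every `zfs create`
# that passed -p together with one or more -o properties, so those datasets
# can be checked with `zfs get` for the values that were intended.
flag_create_p_with_o() {
    awk '
    $2 == "zfs" && $3 == "create" {
        has_p = 0; props = ""; dataset = ""
        for (i = 4; i <= NF; i++) {
            if ($i ~ /^-[A-Za-z]+$/) {            # option cluster: -p, -o, -po
                if ($i ~ /p/) has_p = 1
                if ($i ~ /o$/ && i < NF) {        # -o takes the next word
                    props = props (props == "" ? "" : ",") $(i + 1)
                    i++
                }
            } else if ($i ~ /^-o./) {             # attached form: -oprop=value
                props = props (props == "" ? "" : ",") substr($i, 3)
            } else {
                dataset = $i                      # last non-option word wins
            }
        }
        if (has_p && props != "") print $1, dataset, props
    }'
}

# Constructed sample: lines modelled on the two history excerpts in the post.
# On a live host the input would be: zpool history zroot
flag_create_p_with_o <<'EOF'
2026-02-18.00:00:33 zfs create -p -o canmount=off -o mountpoint=/opt zroot/SAFE
2026-02-18.00:00:33 zfs create -p zroot/SAFE/dev
2026-02-18.00:00:34 zfs create -p zroot/SAFE/dev/feeds
2026-02-18.19:53:36 zfs create -o canmount=off -o mountpoint=/opt zroot/SAFE
2026-02-18.19:53:36 zfs create -o canmount=off zroot/SAFE/dev
2026-02-18.19:54:12 zfs create zroot/SAFE/dev/file
EOF
```

Only the first sample line is reported; each flagged dataset can then be compared against the intended values with `zfs get canmount,mountpoint <dataset>`.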