I tested this with the xenial-proposed kernel (4.4.0-23) on a machine that was showing the exact symptoms described by the original reporter in Xenial. Here's the sequence of commands on the -proposed kernel:
root@bonnetmaker:~# uname -a
Linux bonnetmaker 4.4.0-23-lowlatency #41-Ubuntu SMP PREEMPT Mon May 16 23:55:11 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
root@bonnetmaker:~# zfs create lxd/test -o mountpoint=/tmp/test
root@bonnetmaker:~# zfs set acltype=posixacl lxd/test
root@bonnetmaker:~# cd /tmp/test/
root@bonnetmaker:/tmp/test# mkdir a
root@bonnetmaker:/tmp/test# setfacl -m default:user:100100:rwX a
root@bonnetmaker:/tmp/test# setfacl -m user:100100:rwX a
root@bonnetmaker:/tmp/test# getfacl -n a
# file: a
# owner: 0
# group: 0
user::rwx
user:100100:rwx
group::r-x
mask::rwx
other::r-x
default:user::rwx
default:user:100100:rwx
default:group::r-x
default:mask::rwx
default:other::r-x
root@bonnetmaker:/tmp/test# lxc-usernsexec -m u:0:100000:65536 -m g:0:100000:65536 -- /bin/bash
bash: /root/.bashrc: Permission denied
root@bonnetmaker:/tmp/test# ls -lh
total 512
drwxrwxr-x+ 2 nobody nogroup 2 May 23 16:24 a
root@bonnetmaker:/tmp/test# getfacl -n a
# file: a
# owner: 65534
# group: 65534
user::rwx
user:100:rwx
group::r-x
mask::rwx
other::r-x
default:user::rwx
default:user:100:rwx
default:group::r-x
default:mask::rwx
default:other::r-x
I tested this with the xenial-proposed kernel (4.4.0-23) on a machine that was showing the exact symptoms described by the original reporter in Xenial. Here's the sequence of commands on the -proposed kernel:
root@bonnetmaker:~# uname -a
Linux bonnetmaker 4.4.0-23-lowlatency #41-Ubuntu SMP PREEMPT Mon May 16 23:55:11 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
root@bonnetmaker:~# zfs create lxd/test -o mountpoint=/tmp/test
root@bonnetmaker:~# zfs set acltype=posixacl lxd/test
root@bonnetmaker:~# cd /tmp/test/
root@bonnetmaker:/tmp/test# mkdir a
root@bonnetmaker:/tmp/test# setfacl -m default:user:100100:rwX a
root@bonnetmaker:/tmp/test# setfacl -m user:100100:rwX a
root@bonnetmaker:/tmp/test# getfacl -n a
# file: a
# owner: 0
# group: 0
user::rwx
user:100100:rwx
group::r-x
mask::rwx
other::r-x
default:user::rwx
default:user:100100:rwx
default:group::r-x
default:mask::rwx
default:other::r-x
root@bonnetmaker:/tmp/test# lxc-usernsexec -m u:0:100000:65536 -m g:0:100000:65536 -- /bin/bash
bash: /root/.bashrc: Permission denied
root@bonnetmaker:/tmp/test# ls -lh
total 512
drwxrwxr-x+ 2 nobody nogroup 2 May 23 16:24 a
root@bonnetmaker:/tmp/test# getfacl -n a
# file: a
# owner: 65534
# group: 65534
user::rwx
user:100:rwx
group::r-x
mask::rwx
other::r-x
default:user::rwx
default:user:100:rwx
default:group::r-x
default:mask::rwx
default:other::r-x
root@bonnetmaker:/tmp/test#
Numbers check out - host uid 100100 shows up as uid 100 inside the u:0:100000:65536 mapping (in both the access and the default ACL entries), and the unmapped owner/group 0 shows up as 65534 (nobody/nogroup) - looks like it's working now!