Hi all, As an example, the following command virt-sandbox-service create --network dhcp,source=default --unitfile sshd.service mysshd -i 512 generates a container definition containing these filesystems (in the same order): <filesystem type='file' accessmode='passthrough'> <source file='/var/lib/libvirt/images/mysshd.raw'/> <target dir='/var/lib/libvirt/filesystems/mysshd'/> </filesystem> <filesystem type='bind' accessmode='passthrough'> <source dir='/var/lib/libvirt/filesystems/mysshd/var'/> <target dir='/var'/> </filesystem> Since /var/lib/libvirt/filesystems/mysshd contains nothing, the second FS needs the first one to be mounted for the source directory to exist. The problem comes with lxcContainerResolveSymlinks() being run before any file system is actually mounted. So the container can't be started and we get the following error: Failed to access '/var/lib/libvirt/filesystems/mysshd/var': No such file or directory This would work if the symlinks were resolved right before mounting the FS instead of before mounting any of them. Any strong opinion against it?