APFS snapshot changing after creation?

I probably just don't understand how APFS snapshots work, but this seems odd to me:

~ $ mkdir /private/tmp/snap
~ $ pwd
/Users/dmd
~ $ ls foo
ls: foo: No such file or directory
~ $ tmutil localsnapshot /
Created local snapshot with date: 2020-02-28-191657
~ $ tmutil listlocalsnapshots /
Snapshots for volume group containing disk /:
com.apple.TimeMachine.2020-02-28-191657.local
~ $ mount_apfs -s com.apple.TimeMachine.2020-02-28-191657.local / /private/tmp/snap
mount_apfs: snapshot implicitly mounted readonly
~ $ ls /private/tmp/snap/Users/dmd/foo
ls: /private/tmp/snap/Users/dmd/foo: No such file or directory
~ $ touch /Users/dmd/foo
~ $ ls /private/tmp/snap/Users/dmd/foo
/private/tmp/snap/Users/dmd/foo
~ $ ##### WHAT? WHY IS FOO IN THE SNAPSHOT?  WHY DID THE SNAPSHOT CHANGE?
~ $ rm /Users/dmd/foo
~ $ ls /private/tmp/snap/Users/dmd/foo
ls: /private/tmp/snap/Users/dmd/foo: No such file or directory

Note that the file /Users/dmd/foo is being created on the 'real' disk, but when it is created and deleted those changes are also showing up in the mounted snapshot.

Why?


Solution 1:

I think your conclusion is wrong - even if it looks that way superficially, the snapshot is actually not changed.

The thing that tricks you here is that one of the folders in your path is actually a link. If you're running on a pre-Catalina macOS version, you probably have /Users as a symbolic link. If you're running on Catalina, /Users is a firmlink.

This means that when you run ls /private/tmp/snap/Users/dmd/foo to check for the file, you're actually not looking at a file inside the snapshot, but rather the system will traverse the link inside the snapshot and onto your ordinary volume for the actual file.

If you're on Catalina and want to redo your commands without the link interfering with you, you will need to instead use the following command to check for the existence of the file inside the snapshot:

ls /private/tmp/snap/System/Volumes/Data/Users/dmd/foo
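
Added example (not part of the original question or answer): a Python sketch that walks a path below a mounted snapshot one component at a time and reports the first component that leads off the snapshot, which is the check a forensic examiner would want before trusting a listing. The names trace_path and build_constructed_tree are hypothetical, the directory tree is a constructed stand-in that uses a symbolic link, and treating a change in st_dev as the sign of a firmlink crossing is an assumption.

```python
import os
import stat
import tempfile

def trace_path(mount_root, rel_path):
    """Walk rel_path below mount_root one component at a time.

    Returns (status, path): 'inside' if every component exists on the mounted
    filesystem, 'missing' if a component does not exist there, 'symlink' for
    the first component that is a symbolic link, 'other-device' for the first
    component that sits on a different device than mount_root.
    """
    root_dev = os.stat(mount_root).st_dev
    current = mount_root
    for part in rel_path.strip("/").split("/"):
        current = os.path.join(current, part)
        try:
            info = os.lstat(current)  # lstat: do not follow the component itself
        except FileNotFoundError:
            return ("missing", current)
        if stat.S_ISLNK(info.st_mode):
            return ("symlink", current)
        # Assumption: a firmlink target reports a different st_dev than the snapshot.
        if info.st_dev != root_dev:
            return ("other-device", current)
    return ("inside", current)

def build_constructed_tree(base):
    """Constructed stand-in: 'snap' plays the mounted snapshot, 'live' the real disk."""
    snap, live = os.path.join(base, "snap"), os.path.join(base, "live")
    os.makedirs(os.path.join(live, "Users", "dmd"))
    os.makedirs(os.path.join(snap, "System", "Volumes", "Data", "Users", "dmd"))
    os.symlink(os.path.join(live, "Users"), os.path.join(snap, "Users"))
    open(os.path.join(live, "Users", "dmd", "foo"), "w").close()  # the later 'touch'
    return snap

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        snap = build_constructed_tree(base)
        for rel in ("Users/dmd/foo", "System/Volumes/Data/Users/dmd/foo"):
            print(rel, "->", trace_path(snap, rel))
```

On a real system, pass the snapshot mount point (here /private/tmp/snap) as mount_root; any result other than 'inside' or 'missing' means the listing is not evidence of what the snapshot contains.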