[SOLVED] Tape restore failed with API tokens [solved in 2.2]

Blob

Mar 12, 2022
Hi Proxmox lovers!

I have some Proxmox VE and just discovered PBS. As I have an LTO-4 tape reader, I thought it was time to make "real" offline backups! ;-)

As I have multiple PVE instances, I have multiple Datastores. And to protect all that, I created multiple API tokens, one per PVE.

Everything works fine: backups work great, verification, dump to tape, etc. But, as a backup is never safe until you validate the restore step, I tried, and it fails.

When restoring back from tape, I have this error (with "backup@pbs" as my username and "backup@pbs!home-cluster" as my API token):
Code:
2022-03-12T12:24:32+01:00: TASK ERROR: restore 'vm/202/2022-03-11T13:52:44Z' failed - owner check failed (backup@pbs != backup@pbs!home-cluster)

I can set the owner of the restore target, but only as "backup@pbs" (the user, not the API token). Manual setting to "backup@pbs!home-cluster" is refused.

My main "backup@pbs" account has DatastorePowerUser rights on all DataStores.

Version: Backup Server 2.1-5

Has somebody tried a tape backup (and restore) with an API token? Should I remove all tokens and create real users instead? I prefer the API token idea but I prefer a working backup! ;-)

Many thanks,
Fred @ Strasbourg, France
 
To investigate, I connected my PVE to my PBS with my real user, not the API Token. And I made a backup of a VM as usual.
In PBS, this backup appears to be owned by my user (other backups are owned by my API token).

Restoring an API token backup failed like this:

Code:
2022-03-13T15:38:27+01:00: Mediaset '1820d604-fd12-4225-a3a2-xxxxxxxxxxxx'
2022-03-13T15:38:27+01:00: Pool: MediaPool1
2022-03-13T15:38:27+01:00: WARN: Error during restore, partially restored snapshots will NOT be cleaned up
2022-03-13T15:38:27+01:00: TASK ERROR: restore 'vm/202/2022-03-13T14:15:06Z' failed - owner check failed (backup@pbs != backup@pbs!home-cluster)

Restoring a backup made by my real user works like this:

Code:
2022-03-13T15:39:04+01:00: Mediaset '1820d604-fd12-4225-a3a2-xxxxxxxxxxxx'
2022-03-13T15:39:04+01:00: Pool: MediaPool1
2022-03-13T15:39:05+01:00: found snapshot vm/200/2022-03-13T14:15:38Z on TAPE06: file 309
2022-03-13T15:39:05+01:00: Phase 1: temporarily restore snapshots to temp dir
2022-03-13T15:39:05+01:00: Checking for media 'TAPE06' in drive 'LTO-4'
2022-03-13T15:40:53+01:00: found media label TAPE06 (f79de93b-a243-43d2-b72c-xxxxxxxxxxxx)
2022-03-13T15:40:53+01:00: was at file 2, moving to 309
2022-03-13T15:43:11+01:00: now at file 309
2022-03-13T15:43:17+01:00: File 309: snapshot archive Home-Cluster:vm/200/2022-03-13T14:15:38Z
2022-03-13T15:43:35+01:00: all chunks exist already, skipping phase 2...
2022-03-13T15:43:35+01:00: Phase 3: copy snapshots from temp dir to datastores
2022-03-13T15:43:53+01:00: Restore snapshot 'vm/200/2022-03-13T14:15:38Z' done
2022-03-13T15:43:53+01:00: Restore mediaset '1820d604-fd12-4225-a3a2-xxxxxxxxxxxx' done
2022-03-13T15:43:53+01:00: TASK OK

So, with a real user, I can backup to PBS, write to tape, restore from tape.
But with API token, I can do everything except restoring from tape, as the owner of the restored backup can only be a real user.

If it helps to understand what I'm doing wrong, if it's a known limitation or a bug.

Thanks !
Fred
 
i guess what is happening is something different:

the owner of the (existing) backup group 'vm/202' is backup@pbs, so only that user can create new snapshots in that group (which restore from tape does)
so if the group would belong to 'backup@pbs!home-cluster' it should work
 
Hi Dominik,

Note : If I'm wrong, please tell me. I think you have more knowledge than me on this topic ! ;-)

Thanks for your reply and idea. But it seems to be a different problem.

Backup is done by my PVE using the API Token. So the backup is owned by "backup@pbs!home-cluster" as shown in the screenshot.

Capture d’écran 2022-03-14 à 14.16.06.png

All "vm/202" backups (and others) are owned by my API Token "backup@pbs!home-cluster".
My real user is not used except for supporting the API Tokens (the real user needs to exist and have some rights).

I think the problem comes from a test during tape restoration, checking if the owner of the backup (backup@pbs!home-cluster) is the same as the local user (logged-in user or "owner" set as target).

If I back up as a real user (not an API Token), the backup is owned by my user, copy to tape works as usual, and restoration works as well.

For the moment, I backup as my API Token, knowing that I will not be able to restore... but if there is no solution, I'll use my real user/password for PVE connection.

Many thanks for your help. I hope I can give you more details to understand the problem. I'll be happy to be a beta-tester ! ;-)

Frederic
 
ah, thanks, now i understand.
that we cannot select tokens to restore seems like a bug
(and the "real" user should be able to restore into a backup group of one of its tokens)

can you maybe open a bug here: https://bugzilla.proxmox.com so we don't lose track of that?
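
The owner rule discussed in this thread, as an added Rust sketch that is not part of any post and is not Proxmox Backup Server source code: it contrasts a strict equality check, which reproduces the "owner check failed" result from the task log, with the relaxed rule described in the reply above, where a user may restore into a group owned by one of its own tokens. All type and function names are hypothetical, and the assumption that a token never gains access to its user's or a sibling token's groups belongs to this model.

```rust
// Illustrative model only: names are hypothetical, this is not PBS source code.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct AuthId {
    pub user: String,          // "name@realm"
    pub token: Option<String>, // token name after '!', None for a plain user
}

/// Parse "name@realm" or "name@realm!tokenname".
pub fn parse_auth_id(s: &str) -> Result<AuthId, String> {
    let (user, token) = match s.split_once('!') {
        Some((u, t)) => (u, Some(t)),
        None => (s, None),
    };
    match user.split_once('@') {
        Some((name, realm)) if !name.is_empty() && !realm.is_empty() => {}
        _ => return Err(format!("invalid user id '{}'", user)),
    }
    if matches!(token, Some(t) if t.is_empty() || t.contains('!')) {
        return Err(format!("invalid token name in '{}'", s));
    }
    Ok(AuthId { user: user.to_string(), token: token.map(str::to_string) })
}

/// Strict rule: the requester must be identical to the group owner.
pub fn owner_check_strict(req: &AuthId, owner: &AuthId) -> bool {
    req == owner
}

/// Relaxed rule: a plain user may also act on groups owned by its own tokens.
/// Assumption of this model: a token never gains its user's or a sibling's groups.
pub fn owner_check_relaxed(req: &AuthId, owner: &AuthId) -> bool {
    req == owner || (req.token.is_none() && owner.token.is_some() && req.user == owner.user)
}

/// Run the chosen check; the error text follows the task log quoted in the thread.
pub fn restore_check(req: &str, owner: &str, relaxed: bool) -> Result<(), String> {
    let (r, o) = (parse_auth_id(req)?, parse_auth_id(owner)?);
    let ok = if relaxed { owner_check_relaxed(&r, &o) } else { owner_check_strict(&r, &o) };
    if ok { Ok(()) } else { Err(format!("owner check failed ({} != {})", req, owner)) }
}

fn main() {
    let (user, token) = ("backup@pbs", "backup@pbs!home-cluster");
    println!("strict:  {:?}", restore_check(user, token, false));
    println!("relaxed: {:?}", restore_check(user, token, true));
    println!("token -> user group: {:?}", restore_check(token, user, true));
}
```

The relaxed rule is deliberately one-directional: widening it so that a token could act on its user's groups would let any single leaked token reach every backup group the user owns.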
 
Hello !

Well fixed in 2.2, available even without subscription. Great job Proxmox team !
(Ok, it's only a one-line fix, but it unlocks tape restoration ! ;-)

Thanks !
 
