backup owner check failed when trying to perform local backup

MGSteve

New Member
Nov 1, 2023
I appreciate there are a ton (or tonne) of threads relating to this error, but I couldn't find a solution for this exact situation I've got.

I've installed PMS alongside 3 PME nodes - the VMs backup no problem at all.

We have a datastore of around 1TB of data, made up of around 23m files. As I didn't fancy trying to back these up over the LAN, I rsync'd a copy of the datastore to a local SSD on the PBS so it can simply backup from the local copy. The rsync part works well, the sync is actually pretty quick, all things considered!

However, when I try and create the backup for this, with the API Key, I get the error. This is despite (as far as I know) setting the permissions correctly for the token 'user' account.

1704709970158.png

1704710085652.png

The command line I'm using is below and the token secret is stored in the environment variable PBS_PASSWORD.

Code:
root@engage-pmbak:/mnt/engage_fs_mir# proxmox-backup-client backup engage_fs.pxar:/etc/webmin --repository sysadmin@pbs\!backups@engage-pmbak:Backups -ns EngageData
Starting backup: [EngageData]:host/engage-pmbak/2024-01-08T10:39:37Z
Client name: engage-pmbak
Starting backup protocol: Mon Jan  8 10:39:37 2024
Error: backup owner check failed (sysadmin@pbs!backups != sysadmin@pbs)

Surely a backup can be created by someone else other than the user that created the backup store, especially when they've specifically got the permissions to do so?
 
Hi,
> I've installed PMS alongside 3 PME nodes - the VMs backup no problem at all.
>
> We have a datastore of around 1TB of data, made up of around 23m files. As I didn't fancy trying to back these up over the LAN, I rsync'd a copy of the datastore to a local SSD on the PBS so it can simply backup from the local copy. The rsync part works well, the sync is actually pretty quick, all things considered!

I am not 100% sure I understand your intention with the rsync of the datastore but maybe local sync jobs introduced with PBS v3.1 might cover what you are looking for to achieve this, see the sync jobs docs https://pbs.proxmox.com/docs/managing-remotes.html#sync-jobs.

> The command line I'm using is below and the token secret is stored in the environment variable PBS_PASSWORD.
>
> Code:
> root@engage-pmbak:/mnt/engage_fs_mir# proxmox-backup-client backup engage_fs.pxar:/etc/webmin --repository sysadmin@pbs\!backups@engage-pmbak:Backups -ns EngageData
> Starting backup: [EngageData]:host/engage-pmbak/2024-01-08T10:39:37Z
> Client name: engage-pmbak
> Starting backup protocol: Mon Jan 8 10:39:37 2024
> Error: backup owner check failed (sysadmin@pbs!backups != sysadmin@pbs)
>
> Surely a backup can be created by someone else other than the user that created the backup store, especially when they've specifically got the permissions to do so?

as seen in the screenshots you posted, the owner of the backup group is sysadmin@pbs and not sysadmin@pbs!backups, therefore you will have to change ownership of the group accordingly, as described here https://pbs.proxmox.com/docs/backup-client.html#changing-backup-owner.
 
Sorry - I should have been clear - the "datastore" is what I've called a 1TB mass of files used by the CRM, nothing to do with a PBS "datastore". I simply rsync a copy of those files onto a disk on the PBS so that it's accessible locally for the backup client. I didn't fancy trying to run the backup on PBS over a mounted NFS share.

> as seen in the screenshots you posted, the owner of the backup group is sysadmin@pbs and not sysadmin@pbs!backups, therefore you will have to change ownership of the group accordingly, as described here https://pbs.proxmox.com/docs/backup-client.html#changing-backup-owner.

But will this then cause issues for the PVE backups which are linked with the non-API user? i.e. will the error now appear on the PVEs when they do their VM backups?
 
> Sorry - I should have been clear - the "datastore" is what I've called a 1TB mass of files used by the CRM, nothing to do with a PBS "datastore". I simply rsync a copy of those files onto a disk on the PBS so that it's accessible locally for the backup client. I didn't fancy trying to run the backup on PBS over a mounted NFS share.

Ah I see now, thanks for the clarification.

> But will this then cause issues for the PVE backups which are linked with the non-API user? i.e. will the error now appear on the PVEs when they do their VM backups?

But host based backups are in a different backup group as compared to the vm backups, host/<hostname> as compared to vm/<vmid>. In your case even in a different namespace, or not? Or are there other host level backups which you would like to write to the same backup group within the same namespace?

Just to clarify, you will have to change the ownership for the backup group the client wants to write to, so in your case the host/engage-pmbak located in the EngageData namespace.
 
> But host based backups are in a different backup group as compared to the vm backups, host/<hostname> as compared to vm/<vmid>. In your case even in a different namespace, or not? Or are there other host level backups which you would like to write to the same backup group within the same namespace?
>
> Just to clarify, you will have to change the ownership for the backup group the client wants to write to, so in your case the host/engage-pmbak located in the EngageData namespace.

There may be other host backups in the future, but they'd sit under the same namespace as this one anyway.

I'm actually running the local backup under the sysadmin user at the moment; if, once complete, I change the ownership of that backup, will I then be able to use the api user for subsequent backups?

Or can I just set the owner of the EngageData namespace itself (and the existing backup?) and that will sort it out?
 
I had a quick look at the code, and what is checked is the following: If the backup is owned by the API token, the user to which the token is assigned is considered an owner, but not the other way around, see [0].

So if you set the backup group to be owned by the token, the user is still considered to be owner and the check will pass. The other way around, or if there are 2 different api tokens in use, this check will fail. In that case you can place the groups into different namespaces however.

[0] https://git.proxmox.com/?p=proxmox-...21030d3a21354afd0e4803017c91f1521;hb=HEAD#l41
 
Reactions: MGSteve
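
The owner rule described in the last reply, modelled in Rust as an added example (not Proxmox's code and not part of the thread). `AuthId`, `check_owner` and the second token `sysadmin@pbs!other` are hypothetical names; the error string copies the format of the client output shown in the thread.

```rust
use std::fmt;

// Illustrative model of the owner rule described in the thread; not Proxmox source.
#[derive(Debug, PartialEq)]
struct AuthId {
    user: String,          // "name@realm"
    token: Option<String>, // token name after '!', None for a plain user
}

impl AuthId {
    // Parse "name@realm" or "name@realm!tokenname".
    fn parse(s: &str) -> Result<AuthId, String> {
        let (user, token) = match s.split_once('!') {
            Some((_, "")) => return Err(format!("empty token name in '{}'", s)),
            Some((u, t)) => (u, Some(t.to_string())),
            None => (s, None),
        };
        match user.split_once('@') {
            Some((n, r)) if !n.is_empty() && !r.is_empty() => {
                Ok(AuthId { user: user.to_string(), token })
            }
            _ => Err(format!("expected name@realm in '{}'", s)),
        }
    }
}

impl fmt::Display for AuthId {
    fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
        match &self.token {
            Some(t) => write!(f, "{}!{}", self.user, t),
            None => write!(f, "{}", self.user),
        }
    }
}

// Exact match passes; a group owned by a token also accepts that token's user.
// A user-owned group rejects the user's tokens, and two tokens never match.
fn check_owner(owner: &str, caller: &str) -> Result<(), String> {
    let (o, c) = (AuthId::parse(owner)?, AuthId::parse(caller)?);
    if o == c || (o.token.is_some() && c.token.is_none() && o.user == c.user) {
        return Ok(());
    }
    Err(format!("backup owner check failed ({} != {})", c, o))
}

fn main() {
    // Constructed cases: identities from the thread plus a hypothetical token "other".
    let cases = [("sysadmin@pbs", "sysadmin@pbs!backups"),
                 ("sysadmin@pbs!backups", "sysadmin@pbs"),
                 ("sysadmin@pbs!backups", "sysadmin@pbs!other")];
    for (owner, caller) in cases {
        println!("owner={} caller={} -> {:?}", owner, caller, check_owner(owner, caller));
    }
}
```
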
