BTRFS experimental storage PVE 4.4-13 testing & issues & patch

EuroDomenii

First of all, kudos to Wolfgang Bumiller for the “hot” summer btrfs patches. They surpassed my expectations and really work, except for several issues, which is perfectly normal for an experimental phase.

Related proxmox forum posts
https://forum.proxmox.com/threads/proxmox-ve-5-0-beta1-released.33731/page-2#post-165741
https://forum.proxmox.com/threads/p...possible-licensing-issues-zfs-on-linux.32561/

I imagine the release of 5.0 is very resource consuming for the Proxmox team, but if the permission denied issue below could be solved, this would unlock extensive testing on btrfs LXC.

I am aware that I should split this into several issues, but I don’t know where to report them: on the devel mailing list (as separate mails) or at https://bugzilla.proxmox.com/ ? For the moment, I prefer to report in bulk, in the Proxmox forum.

ENVIRONMENT

The implementation was done on PVE 4.4-13

For compatibility with btrfs-progs, btrfs-tools 4.6.1-1~bpo8+1, the latest patch v3 was used https://www.mail-archive.com/pve-devel@pve.proxmox.com/msg18776.html

Patches:
https://www.mail-archive.com/pve-devel@pve.proxmox.com/msg18777.html v3 storage backend
https://www.mail-archive.com/pve-devel@pve.proxmox.com/msg18747.html LXC subvolume
https://github.com/Blub/pve-manager/compare/btrfs for GUI

After applying the GUI patches with make dinstall, the btrfs options showed up at Datacenter > Storage > Add, but did not work.

BTW, “apt install pve-doc-generator “ should be added to instructions https://git.proxmox.com/?p=pve-common.git;a=blob_plain;f=README.dev;hb=HEAD

No problem, I could add the storage from cli. ( afterwards GUI btrfs storage edit works)

Code:
cat /etc/pve/storage.cfg
btrfs: btrfspatch
       path /unt
       content rootdir,iso,backup,vztmpl,images
       maxfiles 0
       shared 0


WHAT’S WORKING

Creating + starting LXC/ KVM works. Clean up subvolumes upon deletion ( monitoring with “btrfs subvolume list -a /unt” )

MY FIRST POTENTIAL PROXMOX LUCKY PATCH

Since adding storage from interface failed, I considered there was a missing GUI patch for snapshots, so I have tried from command line.

Later on, I was pleasantly surprised that the Proxmox plugin system is so well designed, that you don’t need any other patches, for snapshots interface to work.

Code:
pct snapshot 101 snap1
Can't use string ("1") as a HASH ref while "strict refs" in use at /usr/share/perl5/PVE/Storage/BTRFSPlugin.pm line 451

Comparing with ZFS implementation at /usr/share/perl5/PVE/Storage/ZFSPoolPlugin.pm, I have tried a lucky patch, that worked.

Code:
diff --git a/PVE/Storage/BTRFSPlugin.pm b/PVE/Storage/BTRFSPlugin.pm
index 25c2555..69cdc30 100644
--- a/PVE/Storage/BTRFSPlugin.pm
+++ b/PVE/Storage/BTRFSPlugin.pm
@@ -448,7 +448,7 @@ sub volume_has_feature {
         $key =  $isBase ? 'base' : 'current';
     }

-    return 1 if defined($features->{$feature}->{$key}->{$format});
+    return 1 if defined($features->{$feature}->{$key});

     return undef;
 }
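Review bot: in `volume_has_feature`, the `+` line drops the `->{$format}` lookup, so `$format` no longer takes part in the decision and any feature/key pair present in `$features` is reported as supported for every volume format. The `Can't use string ("1") as a HASH ref` error quoted above suggests the table stores plain `1` values at the `$key` level, in which case the new check matches the data; please say so in a comment beside the check and confirm that no entry in `$features` carries a per-format hash, otherwise raw images and subvolumes would be treated alike.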


WHAT’S WORKING RELOADED


After the dummy patch, all the snapshot features are working, including from the GUI: take snapshot, rollback, edit description, backup in snapshot mode. Removing snapshots from the GUI properly removes subvolumes from the btrfs backend (tested by tracking dummy files).

BTW, I love the ability of BTRFS to restore from older snapshots (not only latest as ZFS limitation) . Confirmed by https://github.com/lxc/lxd/blob/master/doc/storage-backends.md#feature-comparison

The GUI listings for images (raw + subvolumes) work.

Backup and restore to/from btrfs storage backend works.

LXC mount points work.

Tested both KVM/LXC.

OTHER LOW PRIORITY ISSUES

Deleting an LXC container doesn’t delete its snapshot volumes

LXC resize rootfs from GUI fails with
Code:
TASK ERROR: btrfs error: ERROR: invalid qgroupid or subvolume path: 0/0/289


LXC RANDOM PERMISSION DENIED ISSUE - RELEASE BLOCKING


Only after setting up the public network for lxc container and start playing with it, random permission issues appeared.

First, in Ubuntu Xenial LXC, apt update triggers
Code:
W: Can't drop privileges for downloading as file '/var/lib/apt/lists/partial/eu.archive.ubuntu.com_ubuntu_dists_xenial_InRelease' couldn't be accessed by user '_apt'. - pkgAcquire::Run (13: Permission denied)

Second, Debian Jessie 8.7 logs
Code:
Mar 29 05:53:53 bpatchdebian rsyslogd: imklog: cannot open kernel log(/proc/kmsg): Permission denied.
Mar 29 05:53:53 bpatchdebian rsyslogd-2145: activation of module imklog failed [try http://www.rsyslog.com/e/2145 ]
Mar 29 05:53:53 bpatchdebian cron[959]: (CRON) INFO (pidfile fd = 3)
Mar 29 05:53:53 bpatchdebian cron[964]: (CRON) STARTUP (fork ok)
Mar 29 05:53:53 bpatchdebian cron[964]: (CRON) INFO (Running @reboot jobs)
Mar 29 05:53:53 bpatchdebian dbus[974]: [system] org.freedesktop.DBus.Error.AccessDenied: Failed to set fd limit to 65536: Operation not permitted
Mar 29 05:53:54 bpatchdebian postfix/master[1124]: fatal: open lock file /var/lib/postfix/master.lock: cannot open file: Permission denied
Mar 29 05:54:13 bpatchdebian init: Trying to re-exec init
Mar 29 05:54:23 bpatchdebian dbus[974]: [system] Unable to reload configuration: Failed to open "/etc/dbus-1/system.conf": Permission denied
Mar 29 06:08:52 bpatchdebian rsyslogd: [origin software="rsyslogd" swVersion="8.4.2" x-pid="878" x-info="http://www.rsyslog.com"] start
Mar 29 06:08:52 bpatchdebian rsyslogd: imklog: cannot open kernel log(/proc/kmsg): Permission denied.
Mar 29 06:08:52 bpatchdebian rsyslogd-2145: activation of module imklog failed [try http://www.rsyslog.com/e/2145 ]
Mar 29 06:08:53 bpatchdebian dbus[1062]: [system] org.freedesktop.DBus.Error.AccessDenied: Failed to set fd limit to 65536: Operation not permitted
Mar 29 06:08:53 bpatchdebian cron[1073]: (CRON) INFO (pidfile fd = 3)
Mar 29 06:08:53 bpatchdebian cron[1076]: (CRON) STARTUP (fork ok)
Mar 29 06:08:53 bpatchdebian cron[1076]: (CRON) INFO (Running @reboot jobs)
Mar 29 06:08:53 bpatchdebian postfix/master[1232]: fatal: open lock file /var/lib/postfix/master.lock: cannot open file: Permission denied
Mar 29 06:13:01 bpatchdebian CRON[5713]: (root) CMD (test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily ))
Mar 29 06:13:01 bpatchdebian postfix/postdrop[5839]: warning: unable to look up public/pickup: No such file or directory

Installing Apache on Debian works, but it fails to serve pages to the browser. This is not a firewall/port issue, because remote ssh and nginx work in the same container.

Even further, after backing up the very same debian container and restoring to a ZFS backend, apache works on public port, without any modifications.

INVESTIGATING SECURITY OPTIONS

Privileged container won’t work.

lxc.aa_profile = unconfined and even systemctl stop apparmor won’t work

Commenting out from /usr/share/lxc/config/common.conf the Seccomp policy won’t work.
Code:
#lxc.seccomp = /usr/share/lxc/config/common.seccomp


THE RANDOM PERMISSION DENIED ISSUE AFFECTS ONLY LXC SUBVOL, FOR KVM RAW WORKS. MOUNT OPTIONS


On host
Code:
cat /etc/fstab  | grep btrfs
UUID="4e228036-92cb-4e07-805a-624063818047" /unt btrfs defaults,autodefrag,noatime 0 0

Mount Inside KVM
Code:
/bssd/images/115/vm-115-disk-1.raw on / type ext4 (rw,relatime,data=ordered)

Inside LXC
Code:
mount | grep btrfs
/dev/sdb on / type btrfs (rw,noatime,space_cache,autodefrag,subvolid=257,subvol=/images/101/vm-101-disk-1.subvol)

BTW, is it ok to have all these mount options with a subvol mount? See https://btrfs.wiki.kernel.org/index.php/FAQ#Can_I_mount_subvolumes_with_different_mount_options.3F, some of them are in development.

On the other hand, testing further with LXD showed the same mount options.

COMPARING WITH UBUNTU LXD

Simply mount a Btrfs filesystem under /var/lib/lxd and it works.

Inside LXC
Code:
root@myxenial:~# mount | grep btrfs
/dev/sdb on / type btrfs (rw,noatime,space_cache,autodefrag,subvolid=259,subvol=/containers/myxenial/rootfs)
/dev/sdb on /dev/lxd type btrfs (rw,noatime,space_cache,autodefrag,subvolid=5,subvol=/devlxd)
/dev/sdb on /dev/.lxd-mounts type btrfs (rw,noatime,space_cache,autodefrag,subvolid=5,subvol=/shmounts/myxenial)

The seccomp/apparmor profiles seem to be the same.

The LXC versions
Code:
lxd                                 2.0.7-0ubuntu1~16.04.2
lxc-pve                          2.0.7-4 
lxcfs                              2.0.6-pve1

On LXD, all the previous apt/apache tests work flawlessly.

Thank you!
 
Thanks for the feedback. I haven't checked the gui patches in a while, it's possible they're not fully compatible currently.
Do you get AppArmor logs on the host when permission denied errors happen?

The qgroup error and snapshot issue should be fixed in the branch on github[1].
If you'd like to see your change as a separate commit I'd need it on the mailing list `git format-patch` formatted (but see the developer documentation[2] first, specifically the license section) (the github branch is a force-push branch since 90% of the time it's just being rebased on the current state, so I just squashed the changes in for now.)

[1] https://github.com/Blub/pve-storage/tree/btrfs
[2] http://pve.proxmox.com/wiki/Developer_Documentation
 
If you'd like to see your change as a separate commit I'd need it on the mailing list `git format-patch` formatted
This is a lucky strike patch; when I get serious, I'll post it to the devel mailing list. Don't waste your time, you should commit directly.

Do you get AppArmor logs on the host when permission denied errors happen?
Rebooted the Proxmox node, replicated the errors; I don't have a denied message.

Code:
root@pdevel:~# dmesg | grep apparmor
[    5.125309] audit: type=1400 audit(1490862924.304:2): apparmor="STATUS" operation="profile_load" profile="unconfined" name="lxc-container-default" pid=869 comm="apparmor_parser"
[    5.126717] audit: type=1400 audit(1490862924.308:3): apparmor="STATUS" operation="profile_load" profile="unconfined" name="lxc-container-default-cgns" pid=869 comm="apparmor_parser"
[    5.128261] audit: type=1400 audit(1490862924.308:4): apparmor="STATUS" operation="profile_load" profile="unconfined" name="lxc-container-default-with-mounting" pid=869 comm="apparmor_parser"
[    5.129782] audit: type=1400 audit(1490862924.308:5): apparmor="STATUS" operation="profile_load" profile="unconfined" name="lxc-container-default-with-nesting" pid=869 comm="apparmor_parser"
[    5.145747] audit: type=1400 audit(1490862924.324:6): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/bin/lxc-start" pid=869 comm="apparmor_parser"

Anyway, the permission issues are present even with systemctl stop apparmor

BTW, tried on 2 different proxmox nodes.
 
Oh, the disappointment this morning when I installed 5.0 beta1 and BTRFS wasn't listed in the options for installing Proxmox. I chose ZFS Raid0 instead.

Is there some oversight that BTRFS isn't in the list? Seems like the OS supports BTRFS just fine. I'd prefer not risking my customers getting sued in the future over licensing issues with ZFS _and_ I'd like to see BTRFS shine in its integration with such a fine product as Proxmox.

Regards,
Joe Baker
 
Do you get AppArmor logs on the host when permission denied errors happen?

With Ubuntu lxc on btrfs I don't get denied, but with Debian lxc on btrfs I got the following.
Code:
root@pdevel:/etc/pve/lxc# dmesg | grep DENIED
[50081.659090] audit: type=1400 audit(1490913001.247:7): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default-cgns" name="/sys/fs/pstore/" pid=22634 comm="mount" fstype="pstore" srcname="pstore"
[50081.662180] audit: type=1400 audit(1490913001.255:8): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default-cgns" name="/sys/fs/pstore/" pid=22634 comm="mount" fstype="pstore" srcname="pstore" flags="ro"
[50082.573678] audit: type=1400 audit(1490913002.163:9): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=22744 comm="mount" flags="rw, remount, silent"
[50082.588786] audit: type=1400 audit(1490913002.179:10): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=22745 comm="mount" flags="rw, remount, noatime"
[50082.654011] audit: type=1400 audit(1490913002.243:11): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default-cgns" name="/run/" pid=22800 comm="mount" flags="rw, nosuid, noexec, remount, relatime"
[50082.662858] audit: type=1400 audit(1490913002.251:12): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default-cgns" name="/run/lock/" pid=22811 comm="mount" flags="rw, nosuid, nodev, noexec, remount, relatime"
[50082.716126] audit: type=1400 audit(1490913002.307:13): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default-cgns" name="/run/shm/" pid=22892 comm="mount" flags="rw, nosuid, nodev, noexec, remount, relatime"
[50082.723030] audit: type=1400 audit(1490913002.311:14): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default-cgns" name="/dev/pts/" pid=22900 comm="mount" flags="rw, nosuid, noexec, remount, relatime"

I guess those denied are legitimate, according to apparmor policy. I get this all the time for Debian lxc on ZFS and everything works.

Anyway, it should work with apparmor disabled or lxc unconfined, but it doesn't.
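
A triage helper for the host-side audit lines discussed in the posts above, as an added example that is not part of the thread or of Proxmox: it separates mount-related AppArmor denials (the kind quoted here) from denials on other operations such as file opens. The sample lines are constructed after the format quoted in the thread; the final `open` denial is hypothetical and was not reported by any poster.

```python
import re
from collections import Counter

# Constructed sample, modelled on the audit format quoted in the thread.
# The last line (a file "open" denial) is hypothetical, not taken from any post.
SAMPLE = """\
[5.125309] audit: type=1400 audit(1490862924.304:2): apparmor="STATUS" operation="profile_load" profile="unconfined" name="lxc-container-default" pid=869 comm="apparmor_parser"
[50081.659090] audit: type=1400 audit(1490913001.247:7): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default-cgns" name="/sys/fs/pstore/" pid=22634 comm="mount" fstype="pstore" srcname="pstore"
[50082.573678] audit: type=1400 audit(1490913002.163:9): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=22744 comm="mount" flags="rw, remount, silent"
[50082.588786] audit: type=1400 audit(1490913002.179:10): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=22745 comm="mount" flags="rw, remount, noatime"
[50090.000000] audit: type=1400 audit(1490913010.000:11): apparmor="DENIED" operation="open" profile="lxc-container-default-cgns" name="/var/lib/postfix/master.lock" pid=1124 comm="master" requested_mask="w" denied_mask="w"
"""

# key="quoted value" or key=bare_value
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
MOUNT_OPS = {"mount", "umount", "pivotroot"}

def parse_audit(line):
    """Return the key=value fields of one AppArmor audit line, or None."""
    if "apparmor=" not in line:
        return None
    return {k: q or b for k, q, b in KV.findall(line)}

def summarize_denials(text):
    """Count DENIED events by (profile, operation, name).

    Returns two Counters: mount-related denials and all other denials.
    STATUS lines such as profile_load are skipped."""
    mounts, other = Counter(), Counter()
    for line in text.splitlines():
        fields = parse_audit(line)
        if not fields or fields.get("apparmor") != "DENIED":
            continue
        key = (fields.get("profile"), fields.get("operation"), fields.get("name"))
        bucket = mounts if fields.get("operation") in MOUNT_OPS else other
        bucket[key] += 1
    return mounts, other

if __name__ == "__main__":
    mounts, other = summarize_denials(SAMPLE)
    for label, bucket in (("mount-related", mounts), ("other", other)):
        for (profile, op, name), n in bucket.most_common():
            print(f"{label:14} {n:3}  {profile}  {op}  {name}")
```

An empty "other" bucket on real host logs means AppArmor logged no file-level denial for the container's profile, which is consistent with the failure persisting when AppArmor is stopped.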
 
I’ve done 2 experiments, in order to narrow down the issue

USE CASE 1

Debian Container with rootfs local directory ext4 and mount point btrfs.


Code:
root@pdevel:~# cat /etc/pve/lxc/104.conf
...
mp0: bunt2:104/vm-104-disk-2.subvol,mp=/var/www/html/btrfs,size=1G
rootfs: local:104/vm-104-disk-1.raw,size=15G
…

Code:
mount
/var/lib/vz/images/104/vm-104-disk-1.raw on / type ext4 (rw,relatime,data=ordered)
/dev/sdb on /var/www/html/btrfs type btrfs (rw,noatime,space_cache,autodefrag,subvolid=294,subvol=/images/104/vm-104-disk-2.subvol)

Results:

Forbidden You don't have permission to access /btrfs/ on this server.
Apache/2.4.10 (Debian) Server at XXXXXXX Port 80

Any other file mounted in /var/www/html works.

USE CASE 2

Debian Container with rootfs btrfs and docroot mounted at local directory ext4.

Code:
cat /etc/pve/lxc/103.conf
...
mp0: local:103/vm-103-disk-1.raw,mp=/var/www/html,size=8G
rootfs: bunt2:103/vm-103-disk-1.subvol,size=15G
...

Code:
root@debian:/# mount
/dev/sdb on / type btrfs (rw,noatime,space_cache,autodefrag,subvolid=261,subvol=/images/103/vm-103-disk-1.subvol)
/var/lib/vz/images/103/vm-103-disk-1.raw on /var/www/html type ext4 (rw,relatime,data=ordered)

Even though docroot is mounted on ext4, apache doesn’t serve anything.

NGINX works on btrfs directly.
 
USE CASE 2

Code:
/var/log/apache2/error.log
[Fri Mar 31 08:36:29.521373 2017] [core:error] [pid 925:tid 139909948708608] (13)Permission denied: [client XXXXXXXX:64636] AH00035: access to /btrfs/index.html denied (filesystem path '/var/www/html/btrfs/index.html') because search permissions are missing on a component of the path

Apache works with chmod 755 /var/www/html/btrfs/

USE CASE 1

Can't be fixed even with chmod 777 on all files. Same with general case, when rootfs is on btrfs.

Something is fishy here, I should compare, deeper under the hood, LXD Ubuntu btrfs mounted at /var/lib/lxd ( where everything works) with proxmox setup.

Do you have a clue where to look?
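
One way to locate the directory behind Apache's "search permissions are missing on a component of the path" message, as an added example that is not part of the thread: walk every directory from a base down to the file and apply the owner/group/other test for the search bit, also reporting `st_dev` so a mount or btrfs subvolume boundary is visible. Assumptions: only mode bits are modelled (no ACLs, capabilities or LSM policy), and the temporary tree, the `0o750` starting mode and the uid/gid values are constructed stand-ins for `/var/www/html/btrfs/index.html` and the web server's identity.

```python
import os
import stat
import tempfile

def can_search(st, uid, gids):
    """Owner/group/other test for the search (execute) bit on a directory.
    Assumption: mode bits only; ACLs, capabilities and LSM policy are ignored."""
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IXUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IXGRP)
    return bool(st.st_mode & stat.S_IXOTH)

def walk_components(path, uid, gids, base=os.sep):
    """List (directory, octal mode, owner uid, st_dev, searchable) from base down
    to the parent of path. A change in st_dev marks a filesystem boundary."""
    rel = os.path.relpath(os.path.abspath(path), base)
    cur, rows = base, []
    for part in [None] + rel.split(os.sep)[:-1]:
        if part is not None:
            cur = os.path.join(cur, part)
        st = os.stat(cur)
        rows.append((cur, oct(stat.S_IMODE(st.st_mode)), st.st_uid, st.st_dev,
                     can_search(st, uid, gids)))
    return rows

def first_blocker(path, uid, gids, base=os.sep):
    """Return the first directory the identity cannot traverse, or None."""
    rows = walk_components(path, uid, gids, base)
    return next((r[0] for r in rows if not r[4]), None)

def demo():
    """Constructed tree standing in for /var/www/html/btrfs/index.html."""
    with tempfile.TemporaryDirectory() as base:
        sub = os.path.join(base, "html", "btrfs")
        os.makedirs(sub)
        target = os.path.join(sub, "index.html")
        open(target, "w").close()
        for d in (base, os.path.join(base, "html")):
            os.chmod(d, 0o755)
        uid, gids = os.getuid() + 1000, {os.getgid() + 1000}  # not the owner
        os.chmod(sub, 0o750)   # constructed restrictive mode on the mount point
        before = first_blocker(target, uid, gids, base)
        os.chmod(sub, 0o755)   # the chmod reported to fix Apache in the thread
        after = first_blocker(target, uid, gids, base)
        return before == sub, after

if __name__ == "__main__":
    print(demo())
```

If every component comes back searchable for the server's uid and the request is still refused, the cause lies outside the mode bits, which is the situation described for the case that `chmod 777` does not fix.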
 
Comparing proxmox lxc-pve with ubuntu lxd, I considered the potential incompatibility of newer btrfs-progs with LXC packages. It’s not the case … btrfs-progs 4.7.3-1 plays well with lxc 2.0.7, so even 4.6.1-1~bpo8+1 should.

PROXMOX 4.4.13
btrfs-progs 4.6.1-1~bpo8+1
lxc-pve 2.0.7-4
lxcfs 2.0.6-pve1
Tested- permission issues

LXD UBUNTU 16.04
Lxd 2.0.7-0ubuntu1~16.04.2
Lxcfs 2.0.6-0ubuntu1~16.04.1
btrfs-progs 4.4-1
Tested- no permission issues

LXD UBUNTU 16.10
Lxd 2.0.7-0ubuntu1~16.10.2
Lxcfs 2.0.6-0ubuntu1~16.10.1
btrfs-progs 4.7.3-1
Tested- no permission issues
 
Actually it should be `0/289`, not `0/0/289` - but that's fixed if you built from github recently.
 
