[SOLVED] Can not backup LXC unprivileged ...

Petr Svacina

Well-Known Member
Oct 1, 2018
33
13
48
47
Hi, I have 3x node PVE Ceph cluster with community edition support. Everything running OK. Backups vm's are ok.
But I can not backup LXC. Backuping LXC generates this error:

INFO: starting new backup job: vzdump 114 --mode snapshot --compress lzo --remove 0 --node pve1 --storage backup-nfs
INFO: Starting Backup of VM 114 (lxc)
INFO: Backup started at 2020-06-24 09:08:04
INFO: status = running
INFO: CT Name: ltsp-admin
INFO: backup mode: snapshot
INFO: ionice priority: 7
INFO: create storage snapshot 'vzdump'
/dev/rbd2
INFO: creating archive '/mnt/pve/backup-nfs/dump/vzdump-lxc-114-2020_06_24-09_08_04.tar.lzo'
INFO: tar: /mnt/pve/backup-nfs/dump/vzdumptmp3043810: Cannot open: Permission denied
INFO: tar: Error is not recoverable: exiting now
INFO: remove vzdump snapshot
Removing snap: 100% complete...done.
ERROR: Backup of VM 114 failed - command 'set -o pipefail && lxc-usernsexec -m u:0:100000:65536 -m g:0:100000:65536 -- tar cpf - --totals --one-file-system -p --sparse --numeric-owner --acls --xattrs '--xattrs-include=user.*' '--xattrs-include=security.capability' '--warning=no-file-ignored' '--warning=no-xattr-write' --one-file-system '--warning=no-file-ignored' '--directory=/mnt/pve/backup-nfs/dump/vzdumptmp3043810' ./etc/vzdump/pct.conf ./etc/vzdump/pct.fw '--directory=/mnt/vzsnap0' --no-anchored '--exclude=lost+found' --anchored '--exclude=./tmp/?*' '--exclude=./var/tmp/?*' '--exclude=./var/run/?*.pid' ./ | lzop >/mnt/pve/backup-nfs/dump/vzdump-lxc-114-2020_06_24-09_08_04.tar.dat' failed: exit code 2
INFO: Failed at 2020-06-24 09:08:05
INFO: Backup job finished with errors
TASK ERROR: job errors


This is nosense:
INFO: creating archive '/mnt/pve/backup-nfs/dump/vzdump-lxc-114-2020_06_24-09_08_04.tar.lzo'
INFO: tar: /mnt/pve/backup-nfs/dump/vzdumptmp3043810: Cannot open: Permission denied

Because this is fully writable ... I saw similar threads here, but no solution ....

Can anyone help ?
 
it obviously is not. note that the backup is running as (unprivileged) user inside the container.
 
root@pve1:~# ls -l /mnt/pve/backup-nfs/
total 56
drwxrwxrwx 258 root root 4096 Jun 17 12:28 backy
-rwxrwxrwx 1 root root 5782 Jun 17 13:11 backy.cfg
drwxrwxrwx 2 root root 36864 Jun 24 09:08 dump
drwxrwxrwx 6 root root 4096 Mar 18 13:46 images
drwxrwxrwx 2 root root 4096 Feb 24 15:58 private
root@pve1:~# ls -l /mnt/pve/
total 124
drwxrwxrwx 7 root root 122880 Jun 18 09:47 backup-nfs
drwxr-xr-x 4 root root 2 Feb 21 16:47 cephfs
root@pve1:~# ls -l /mnt/
total 2
drwxr-xr-x 2 root root 2 Dec 10 2019 hostrun
drwxr-xr-x 4 root root 4 Jan 14 19:10 pve
drwxr-xr-x 2 root root 2 Jun 23 00:28 vzsnap0

This is not OK ?

vzdump is not called by root ?

I am backing to NFS share, I have found that maybe there is solution to use root_squash ... ?
(https://forum.proxmox.com/threads/create-backup-fail-with-error-cannot-open-permission-de.32386/)
 
If anyone else wanders their way in here and the file permissions look fine, and you don't want to use a local temp dir, take a look at this post:

https://blog.doussan.info/posts/container-backup-permission-denied-nfs/

TL;DR - you want to swap your nfs share to map all users, rather than just the root user. In ZFS, you can change this on the NFS share under advanced -> access -> set mapall user to your nfs user, remove maproot user (leave it empty).
 

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!