Can't backup on NAS (NFS): Permission denied

[X4V1]

Hello,

I have a Synology NAS on which I created a shared drive to host my pve backups. It works fine with VM but I'm getting a permission denied when trying to backup a unpriviledged CT.

The output of the backup is:

INFO: starting new backup job: vzdump 100 --compress zstd --notification-mode auto --storage synology-nas --node pve1 --remove 0 --mode snapshot --notes-template test
INFO: Starting Backup of VM 100 (lxc)
INFO: Backup started at 2024-02-09 13:08:37
INFO: status = stopped
INFO: backup mode: stop
INFO: ionice priority: 7
INFO: CT Name: npm-docker-test
INFO: including mount point rootfs ('/') in backup
INFO: creating vzdump archive '/mnt/pve/synology-nas/dump/vzdump-lxc-100-2024_02_09-13_08_37.tar.zst'
INFO: tar: /mnt/pve/synology-nas/dump/vzdump-lxc-100-2024_02_09-13_08_37.tmp: Cannot open: Permission denied
INFO: tar: Error is not recoverable: exiting now
ERROR: Backup of VM 100 failed - command 'set -o pipefail && lxc-usernsexec -m u:0:100000:65536 -m g:0:100000:65536 -- tar cpf - --totals --one-file-system -p --sparse --numeric-owner --acls --xattrs '--xattrs-include=user.*' '--xattrs-include=security.capability' '--warning=no-file-ignored' '--warning=no-xattr-write' --one-file-system '--warning=no-file-ignored' '--directory=/mnt/pve/synology-nas/dump/vzdump-lxc-100-2024_02_09-13_08_37.tmp' ./etc/vzdump/pct.conf ./etc/vzdump/pct.fw '--directory=/mnt/vzsnap0' --no-anchored '--exclude=lost+found' --anchored '--exclude=./tmp/?*' '--exclude=./var/tmp/?*' '--exclude=./var/run/?*.pid' ./ | zstd '--threads=1' >/mnt/pve/synology-nas/dump/vzdump-lxc-100-2024_02_09-13_08_37.tar.dat' failed: exit code 2
INFO: Failed at 2024-02-09 13:08:37
INFO: Backup job finished with errors
INFO: notified via target `mailjet-smtp`
TASK ERROR: job errors

I already checked on google and in the forum and I found many different suggestions:

• Give all access to everybody on the nas: Working but not secure as everybody has full access to backups.
• Use the squash option set to "Map all users to admin" on the synology nas: Working. But is it really needed to map all users to admin ? can't I set the right for the right user only ?
• Change permission of the nfs mount point on the host: I did not fully understand the goal so I did not test it.
• Configure UID/GID mapping: I don't think it is relevand as the nfs drive is not mounted in the CT (only used for backup)

What is the cleanest solution ? Is there a way to give all access only for the user that is used to do the backups? I'm very new to proxmox (and not a linux expert) so don't hesitate to tell me if I'm going in the wrong direction.

Thank you

 

[fireon]

Normaly it works with mode stopped. If you don't like this, you can change the temppath of to a local target:

cat /etc/vzdump.conf

# vzdump default settings

tmpdir: /my_new_temp_path
#dumpdir: DIR
#storage: STORAGE_ID
#mode: snapshot|suspend|stop
#bwlimit: KBPS
#performance: max-workers=N
#ionice: PRI
#lockwait: MINUTES
#stopwait: MINUTES
#stdexcludes: BOOLEAN
#mailto: ADDRESSLIST
#prune-backups: keep-INTERVAL=N[,...]
#script: FILENAME
#exclude-path: PATHLIST
#pigz: N
#notes-template: {{guestname}}

 

[oz1cw7yymn]

Hey,

As you can see in this forum thread, the reason seems to be that the unprivileged CT backup runs under an unprivileged user (100000). This user doesn't have access to the NFS share, even though root does.

As fabian writes: "make the backup storage writable by the unprivileged user.." - I changed my Synology NFS permission setting for the Proxmox VE IPs to map all users to admin. Now I can make backups to the NFS export. As this is an export only for PVE backups and only open to these IPs, I don't see it as such a big problem, but I might be wrong.

 

[X4V1]

Thank you for your replies I used the solution to only allow one ip (pve) and map all users to admin. Everything works fine

 

[kimsdotcom]

I tried the same but get the error message:
TASK ERROR: could not activate storage 'nas-backup': connection check for storage 'nas-backup' failed - session setup failed: NT_STATUS_LOGON_FAILURE

test via smbclient works absolutely fine. username and password are correct. What is it?!