Debian LXC Container with Docker Fails to restore

[dude]

Hey guys,

Please let me introduce myself first since this is my first post here.

I have been in the IT industry for 15 years, 99% of the time on Microsoft technologies and since last year i started to delve in the Open Source world (never too late man!)

So, i've got a Proxmox lab, created an unprivileged CT with debian 10 and proceed to install docker-CE, why? cause i wanted to try Nginx Proxy Manager and it's only available in docker.. anyway, everything works as expected, BUT i wanted to try the backup and restore of the CT, wich failed, the error?:

extracting archive '/mnt/pve/Local-Storage/dump/vzdump-lxc-104-2021_02_01-10_53_35.tar.zst'
tar: ./var/lib/docker/overlay2/aef29de8ddf4de5cb1fe6fb4ee5bd5c407573124e646c941319ca17d6212d127/diff/tmp/openresty: Cannot mknod: Operation not permitted
tar: ./var/lib/docker/overlay2/aef29de8ddf4de5cb1fe6fb4ee5bd5c407573124e646c941319ca17d6212d127/diff/tmp/install-openresty: Cannot mknod: Operation not permitted
tar: ./var/lib/docker/overlay2/aef29de8ddf4de5cb1fe6fb4ee5bd5c407573124e646c941319ca17d6212d127/diff/tmp/lua: Cannot mknod: Operation not permitted
tar: ./var/lib/docker/overlay2/aef29de8ddf4de5cb1fe6fb4ee5bd5c407573124e646c941319ca17d6212d127/diff/tmp/luarocks: Cannot mknod: Operation not permitted
tar: ./var/lib/docker/overlay2/aef29de8ddf4de5cb1fe6fb4ee5bd5c407573124e646c941319ca17d6212d127/diff/tmp/install-lua: Cannot mknod: Operation not permitted
tar: ./var/lib/docker/overlay2/aef29de8ddf4de5cb1fe6fb4ee5bd5c407573124e646c941319ca17d6212d127/diff/usr/include/gnumake.h: Cannot mknod: Operation not permitted
tar: ./var/lib/docker/overlay2/aef29de8ddf4de5cb1fe6fb4ee5bd5c407573124e646c941319ca17d6212d127/diff/usr/bin/make: Cannot mknod: Operation not permitted
tar: ./var/lib/docker/overlay2/4934c85552b0a44fb9cc435a4d99184e382b3ff9d5b015905a8fbe7423e09f80/diff/etc/services.d/frontend: Cannot mknod: Operation not permitted
tar: ./var/lib/docker/overlay2/4934c85552b0a44fb9cc435a4d99184e382b3ff9d5b015905a8fbe7423e09f80/diff/etc/nginx/conf.d/dev.conf: Cannot mknod: Operation not permitted
tar: ./var/lib/docker/overlay2/911288585ba74af1f4d638ceedbb2c935d8f99d2b9611a026e9b59cbdb3fb88f/diff/tmp/install-s6: Cannot mknod: Operation not permitted
Total bytes read: 2642227200 (2.5GiB, 324MiB/s)
tar: Exiting with failure status due to previous errors
Logical volume "vm-105-disk-0" successfully removed
TASK ERROR: unable to restore CT 105 - command 'lxc-usernsexec -m u:0:100000:65536 -m g:0:100000:65536 -- tar xpf - --zstd --totals --one-file-system -p --sparse --numeric-owner --acls --xattrs '--xattrs-include=user.*' '--xattrs-include=security.capability' '--warning=no-file-ignored' '--warning=no-xattr-write' -C /var/lib/lxc/105/rootfs --skip-old-files --anchored --exclude './dev/*'' failed: exit code 2

I believe it is related to having docker inside the unprivileged container (the permits error), since it's a test environment i can create a new CT with extra options if needed to be able to restore an unprivileged CT with docker images inside, but what would that be? is it posible at all?


Thanks all for this great piece of software and please bear with me, im new to all this

Something to have in mind:

Yes it was created as an unprivileged CT from the start
Restoring it as privileged would not be the best scenario i believe, it would be losing the unprivileged CT "extra security" right?

 

[Moayad]

Hi,

I not use Docker inside CT but may you can try to restore it as privileged then convert it to unprivileged by adding (unprivileged: 1) into the config file; not sure it will works

 

[H4R0]

I just tried a restore of a lxc container running docker unprivileged.

Works without any issues for me.

 

[fiona]

Hi,

Hey guys,

Please let me introduce myself first since this is my first post here.

I have been in the IT industry for 15 years, 99% of the time on Microsoft technologies and since last year i started to delve in the Open Source world (never too late man!)

So, i've got a Proxmox lab, created an unprivileged CT with debian 10 and proceed to install docker-CE, why? cause i wanted to try Nginx Proxy Manager and it's only available in docker.. anyway, everything works as expected, BUT i wanted to try the backup and restore of the CT, wich failed, the error?:





I believe it is related to having docker inside the unprivileged container (the permits error), since it's a test environment i can create a new CT with extra options if needed to be able to restore an unprivileged CT with docker images inside, but what would that be? is it posible at all?


Thanks all for this great piece of software and please bear with me, im new to all this

Something to have in mind:

Yes it was created as an unprivileged CT from the start
Restoring it as privileged would not be the best scenario i believe, it would be losing the unprivileged CT "extra security" right?

how recent is your kernel? Please try upgrading to pve-kernel-5.4.78-2-pve and see if it works then.

 

[dude]

Hi,

how recent is your kernel? Please try upgrading to pve-kernel-5.4.78-2-pve and see if it works then.

i'm at "Linux 5.4.73-1-pve #1 SMP PVE 5.4.73-1 (Mon, 16 Nov 2020 10:52:16 +0100)"

i'll give it a try at the next scheduled maintenance window (after a full backup of course)

Hi,

I not use Docker inside CT but may you can try to restore it as privileged then convert it to unprivileged by adding (unprivileged: 1) into the config file; not sure it will works

i'll try this one in the Development Proxmox and let you know!

Thank you all for your replies, i wasn't expecting such a fast response!!