Error using datastore on NFS with root squash

plh

Apr 6, 2024
I would like to use the excellent feature of local sync so I can have a copy of my ZFS SSD datastore mirrored to NFS from where it's backed up off-site.

It works on an NFS share which is configured with no_root_squash but the share I want to use has root squash enabled.

The datastore directory on NFS has been changed to be owned by UID:GID 34:34 (backup:backup) and the mode is drwxrwxr-x. If I temporarily change the shell for the backup user from /usr/sbin/nologin to /bin/bash and su to that user, I can create files and directories in the datastore directory. But when I try to create a datastore I get a permission error.

Code:
# proxmox-backup-manager datastore create NFS /mnt/backup_pbs/xxx
TASK ERROR: unable to create chunk store 'NFS' at "/mnt/backup_pbs/xxx" - EACCES: Permission denied
Error: task failed (status unable to create chunk store 'NFS' at "/mnt/backup_pbs/xxx" - EACCES: Permission denied)

I have tried various user changes e.g. to create a user called proxmox with membership of backup and disk groups and make /usr/lib/x86_64-linux-gnu/proxmox-backup/proxmox-backup-api start up as user proxmox and also as user backup by adding User= and Group= to the service section of the unit file /lib/systemd/system/proxmox-backup.service. But I end up with various other errors.

I have looked at the Rust code but my skills in this language are still not that great.

It seems /usr/lib/x86_64-linux-gnu/proxmox-backup/proxmox-backup-api is creating files as root and changing the ownership afterwards which does not work on NFS shares where root squash is enabled.

Will it be possible to run the datastore creation in a subshell as user backup instead of the current approach?

BR
Peter L. Hansen
 
Hi!
When using `root_squash` root is mapped to `nobody:nogroup`, so creating a directory (with root) will work, but using `chown backup:backup` (also with root) will always fail.
Currently this is not possible and the best way would be to simply set `no_root_squash`. If this is something you really need, you could create a feature request on bugzilla (something like "creating datastore with `backup:backup`")!
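
A pre-flight check for the behaviour described in this reply, as an added example that is not part of the thread or of Proxmox Backup Server: it creates a probe file in the target directory and compares the owner the server recorded with the caller's UID. The function names and verdict strings are made up for this illustration, and `stat -c` assumes GNU coreutils.

```shell
#!/bin/sh
# Added example: detect UID remapping (e.g. NFS root_squash) on a directory
# before pointing a datastore at it. Names and verdicts are hypothetical.

# classify_owner CALLER_UID FILE_UID -> prints a verdict string
classify_owner() {
    caller_uid=$1
    file_uid=$2
    if [ "$caller_uid" -eq "$file_uid" ]; then
        echo "not-remapped"     # file is owned by whoever created it
    elif [ "$caller_uid" -eq 0 ]; then
        echo "root-squashed"    # root's file landed under the anonymous UID
    else
        echo "remapped"         # non-root UID was rewritten (e.g. all_squash)
    fi
}

# probe_dir DIR -> creates a temporary file in DIR and reports how its
# owner was recorded. Prints "not-writable" and returns 1 if creation fails.
probe_dir() {
    dir=$1
    probe=$(mktemp "$dir/.squash-probe.XXXXXX") || {
        echo "not-writable"
        return 1
    }
    file_uid=$(stat -c %u "$probe")
    rm -f "$probe"
    classify_owner "$(id -u)" "$file_uid"
}

# Stand-alone use: sh probe.sh /mnt/backup_pbs/xxx
if [ "$#" -gt 0 ]; then
    probe_dir "$1"
fi
```

Run as root against the mount point: a "root-squashed" verdict means any later `chown backup:backup` issued by root on that share will be refused by the server.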
 
Thanks for your fast answer. For the very short term I will involve the admin of our NFS storage and get "no_root_squash" access, whitelisting the proxmox-backup-server IP address only. Security-wise we prefer root squashing as much as possible. I will create a feature request when I find the time.

Best regards
Peter
 