File-Level Restore via CLI without root permissions

_Thom_

Feb 21, 2024
Hello all,

Background: concerned by the bug preventing the use of file restore via GUI (https://forum.proxmox.com/threads/f...nt-failed-or-no-supported-file-system.144225/) on several important VMs, I would like to allow an operator without root permissions to perform restores via CLI.

The process using proxmox-backup-client map is working perfectly with root user.

I was able to work around a few problems with another user by granting permissions on /dev/loop and /run/pbs-loopdev, but I'm now facing the following error when running the command:
Code:
fuse: failed to exec fusermount3: No such file or directory

Well, it looks like it's trying to use fuse3 but:
  • fusermount3 is not found anywhere, even with root user
  • fuse3 is not installed, libfuse3 is but looks like fusermount3 is part of fuse3
  • it works for root (so without fuse3)
  • if I try to install fuse3, I'm getting a warning that it will break fuse (and I don't want to break anything as it works as root)

I find it rather mysterious... Does anybody have an explanation or an idea on what to try next?

Kernel Version: Linux 6.8.8-2-pve (2024-06-24T09:00Z)
Manager Version: pve-manager/8.2.4/faa83925c9641325
 
you haven't given any details what exactly you are doing.. but I would suggest giving such an operator a VM and letting them do the restore there (then they can also do it as root ;))
 
Thanks Fabian, and sorry: it looks like I was too much in my own head!

I have a PVE cluster with 3 nodes and PBS for backing up (only VMs onboard at that time).

I would like to allow non-root operators to restore VM files from PBS backups when needed.

Managing permissions for PVE users works just fine but for several VMs we cannot use GUI file restore as stated in the background introduction.

As a workaround and as root user I am mapping backup snapshots with "proxmox-backup-client map" then "qm set" to add the mapped device to a VM and access files there, through SSH on the PVE server. I would like non-root operators to be fully autonomous on file restoring even when not possible in GUI, and I didn't find any other way yet.

So I don't know if this is what you understood, I hope it's clearer now... but I don't see what you mean by "giving a VM" to the operator?

Regards.
 
if you want to fully automate it, you need to do that yourself at the moment. if you want to get around the root problem, you could create a VM and let the operator run proxmox-backup-client themselves in there in whatever fashion you require.

there is a "flash boot" feature that might give you what you want as well (or at least a building block for it ;)), but it's not yet implemented: https://bugzilla.proxmox.com/show_bug.cgi?id=5187
 
Hello Fabian,
I don't need to automate now, it would be useful but it's not a priority.
With a dedicated VM, the operator sure could run "proxmox-backup-client map" but then how will he be able to add the virtual disk to another VM?

With my initial question I thought somebody would just be able to tell me why "proxmox-backup-client map" is calling "fusermount3" when it is nowhere on the system and how could it work with root user despite this.

I think I will do some tests with restricted sudo also.
Thanks.
 
yeah, the map feature is limited to root by design. the easiest way would probably be to have a wrapper around map and set that just takes the snapshot data and VMID+disk slot as input (and a corresponding wrapper for tearing it down again), but be careful when writing such a thing, sudo is tricky to lock down properly ;)
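
A sketch of the kind of wrapper described in the last reply, added here as an example; it is not part of the thread and not Proxmox code. The script name `pbs-attach`, the placeholder repository, the reserved slots scsi10 to scsi13, and the expectation that the `map` output names the loop device are all assumptions.

```shell
#!/bin/sh
# pbs-attach: ADDED EXAMPLE (hypothetical wrapper, not Proxmox code).
# Meant to be the only command an operator may run through sudo.
# Usage: pbs-attach <snapshot> <archive> <vmid> <slot>
LC_ALL=C; PATH=/usr/sbin:/usr/bin:/sbin:/bin; export LC_ALL PATH
# Placeholder repository: fixed here, never taken from the caller.
REPO='operator@pbs@pbs.example.invalid:datastore'

valid_vmid() {          # 3 to 9 digits, no leading zero, nothing else
    case "$1" in ''|0*|*[!0-9]*) return 1 ;; esac
    [ "${#1}" -ge 3 ] && [ "${#1}" -le 9 ]
}

valid_snapshot() {      # exactly vm/<vmid>/<YYYY-MM-DDTHH:MM:SSZ>
    rest=${1#vm/}; [ "$rest" != "$1" ] || return 1
    valid_vmid "${rest%%/*}" || return 1
    case "${rest#*/}" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]T[0-9][0-9]:[0-9][0-9]:[0-9][0-9]Z) return 0 ;;
    esac
    return 1
}

valid_archive() {       # disk image archives only
    case "$1" in
        drive-scsi[0-9].img|drive-virtio[0-9].img|drive-sata[0-9].img|drive-ide[0-9].img) return 0 ;;
    esac
    return 1
}

valid_slot() {          # assumption: scsi10-scsi13 are reserved for restores,
    case "$1" in scsi1[0-3]) return 0 ;; esac   # so no existing disk is replaced
    return 1
}

pbs_attach() {
    [ "$#" -eq 4 ] && valid_snapshot "$1" && valid_archive "$2" &&
        valid_vmid "$3" && valid_slot "$4" || { echo "rejected" >&2; return 2; }
    log=$(mktemp) || return 1
    proxmox-backup-client map "$1" "$2" --repository "$REPO" >"$log" 2>&1 ||
        { rm -f "$log"; return 1; }
    # Assumption: the map output names the loop device it created.
    dev=$(grep -Eo '/dev/loop[0-9]+' "$log" | head -n 1); rm -f "$log"
    [ -b "$dev" ] || return 1
    qm set "$3" "--$4" "$dev"      # every argument quoted, no eval, no shell re-parsing
}

[ "$#" -eq 0 ] || pbs_attach "$@"
```

The script only narrows what sudo exposes if it is owned by root, not writable by the operator, and is the single command the sudoers entry allows; a matching teardown wrapper would validate its input the same way.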