Migration Error/Bug - command - 403 Permission check failed (changing feature flags (except nesting) is only allowed for root@pam)

b3nw

Migrating offline LXC container from single node to cluster.

Migration Error:

Code:
2024-12-29 12:44:09 remote: started tunnel worker 'UPID:pve-nuc-0:00108181:00814094:67719879:vzmtunnel:903:root@pam!pdm-admin:'
tunnel: -> sending command "version" to remote
tunnel: <- got reply
2024-12-29 12:44:09 local WS tunnel version: 2
2024-12-29 12:44:09 remote WS tunnel version: 2
2024-12-29 12:44:09 minimum required WS tunnel version: 2
2024-12-29 12:44:09 websocket tunnel started
2024-12-29 12:44:09 starting migration of CT 903 to node 'pve-nuc-0' (pve-nuc-0.local)
tunnel: -> sending command "bwlimit" to remote
tunnel: <- got reply
2024-12-29 12:44:09 found local volume 'zfs-ssd:subvol-903-disk-0' (in current VM config)
tunnel: -> sending command "disk-import" to remote
tunnel: <- got reply
tunnel: accepted new connection on '/run/pve/903.storage'
tunnel: requesting WS ticket via tunnel
tunnel: established new WS for forwarding '/run/pve/903.storage'
full send of zfs-ssd/subvol-903-disk-0@__migration__ estimated size is 1.83G
total estimated size is 1.83G
TIME        SENT   SNAPSHOT zfs-ssd/subvol-903-disk-0@__migration__
tunnel: -> sending command "query-disk-import" to remote
tunnel: done handling forwarded connection from '/run/pve/903.storage'
tunnel: <- got reply
2024-12-29 12:44:29 volume 'zfs-ssd:subvol-903-disk-0' is 'zfs-local:subvol-903-disk-0' on the target
2024-12-29 12:44:29 mapped: net0 from vmbr0 to vmbr0
tunnel: -> sending command "config" to remote
tunnel: <- got reply
2024-12-29 12:44:29 ERROR: error - tunnel command '{"conf":"arch: amd64\ncores: 2\nfeatures: keyctl=1,nesting=1\nhostname: home.local\nlock: migrate\nmemory: 1024\nnet0: name=eth0,bridge=vmbr0,hwaddr=BC:24:11:61:54:49,ip=dhcp,ip6=dhcp,type=veth\nonboot: 0\nostype: debian\nrootfs: zfs-local:subvol-903-disk-0,size=3G\nswap: 512\ntags: proxmox-helper-scripts\nunprivileged: 1\n","firewall-config":null,"cmd":"config"}' failed - failed to handle 'config' command - 403 Permission check failed (changing feature flags (except nesting) is only allowed for root@pam)
2024-12-29 12:44:29 aborting phase 1 - cleanup resources
2024-12-29 12:44:29 ERROR: found stale volume copy 'zfs-local:subvol-903-disk-0' on node 'pve-nuc-0'
tunnel: -> sending command "quit" to remote
tunnel: <- got reply
2024-12-29 12:44:30 start final cleanup
2024-12-29 12:44:30 ERROR: migration aborted (duration 00:00:21): error - tunnel command '{"conf":"arch: amd64\ncores: 2\nfeatures: keyctl=1,nesting=1\nhostname: home.local\nlock: migrate\nmemory: 1024\nnet0: name=eth0,bridge=vmbr0,hwaddr=BC:24:11:61:54:49,ip=dhcp,ip6=dhcp,type=veth\nonboot: 0\nostype: debian\nrootfs: zfs-local:subvol-903-disk-0,size=3G\nswap: 512\ntags: proxmox-helper-scripts\nunprivileged: 1\n","firewall-config":null,"cmd":"config"}' failed - failed to handle 'config' command - 403 Permission check failed (changing feature flags (except nesting) is only allowed for root@pam)
TASK ERROR: migration aborted
 
Hi,
the issue is the keyctl feature set in the configuration, which is root-only for security reasons. So the API token does not have the permission to set this on the target during migration. As a workaround you can un-select the feature, migrate and then re-select the feature on the target as root.
 
Thanks @fiona, the 2nd error was apparently that if any features are set, the migration will fail. The failed migration also leaves the source LXC in a locked state. I was able to get this working by unsetting the nesting/keyctl features, then migrating, then re-setting them on the new system.

one other note, the migration did not respect the requested ID number in the UI when creating the new LXC container.
 
> Thanks @fiona, the 2nd error was apparently that if any features are set, the migration will fail. The failed migration also leaves the source LXC in a locked state. I was able to get this working by unsetting the nesting/keyctl features, then migrating, then re-setting them on the new system.
Does it also fail if only the nesting feature is enabled and no others? That should work AFAIK.

> one other note, the migration did not respect the requested ID number in the UI when creating the new LXC container.
For reference: https://bugzilla.proxmox.com/show_bug.cgi?id=6016
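A pre-flight check for the failure discussed in this thread, added here as an example; it is not Proxmox code and not something either poster ran. The tunnel worker in the log runs as the API token root@pam!pdm-admin, and for the permission check quoted in the error an API token is not root@pam even when root owns it, so any feature flag other than nesting in the container config trips the 403 on the target. The script reads a config in the "key: value" format that `pct config <vmid>` prints (the same text the tunnel's "config" command carried), lists the flags that only root@pam may set, and prints the workaround from the replies above as `pct` commands: drop the features option on the source, unlock the container if a failed attempt left it with `lock: migrate`, migrate, then restore the flags on the target as root. The assumption, taken from the error text, is that every flag except nesting is root-only; the sample config is constructed from the log and the commands are printed rather than executed.

```shell
#!/usr/bin/env bash
# Added example (not Proxmox code): detect feature flags that make an LXC
# migration with a non-root API token fail with
# "403 Permission check failed (changing feature flags (except nesting) ...)".
# Assumption from the error message: every flag in "features:" other than
# nesting may only be set by root@pam on the target.

# Print the root-only feature flags of a config file, one per line.
# Prints nothing (and exits 0) when only nesting, or no features line, is set.
root_only_features() {
    local conf="$1"
    sed -n 's/^features: *//p' "$conf" |
        tr ',' '\n' |
        grep -v -e '^nesting=' -e '^$' || true
}

# Exit 0 if migrating this config with a non-root token would hit the 403.
needs_root_for_migration() {
    [ -n "$(root_only_features "$1")" ]
}

# Print the workaround from the thread as pct commands (printed, not run):
# remove the features option on the source, migrate, restore it as root on
# the target. The saved flag list is taken verbatim from the config.
print_workaround() {
    local conf="$1" vmid="$2"
    local features
    features=$(sed -n 's/^features: *//p' "$conf")
    echo "# on the source node, before migrating:"
    echo "pct set $vmid --delete features"
    echo "# if a failed attempt left the container locked (lock: migrate):"
    echo "pct unlock $vmid"
    echo "# on the target node, as root@pam, after the migration:"
    echo "pct set $vmid --features '$features'"
}

# Constructed sample: the config of CT 903 as it appears in the log above.
sample_conf=$(mktemp)
cat > "$sample_conf" <<'EOF'
arch: amd64
cores: 2
features: keyctl=1,nesting=1
hostname: home.local
memory: 1024
ostype: debian
rootfs: zfs-local:subvol-903-disk-0,size=3G
unprivileged: 1
EOF

if needs_root_for_migration "$sample_conf"; then
    echo "root-only feature flags: $(root_only_features "$sample_conf" | tr '\n' ' ')"
    print_workaround "$sample_conf" 903
else
    echo "only nesting (or no features) set; a non-root token can migrate this config"
fi
rm -f "$sample_conf"
```

Run it against `pct config <vmid>` redirected to a file before starting a remote migration with a token; a config with only `nesting=1` passes the check, which matches the follow-up question in the thread, while `keyctl=1`, `fuse=1`, `mknod=1`, `mount=...` or `force_rw_sys=1` are reported as root-only.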
 
