PBS in unprivileged Container: UID mapping problem

gno

I installed PBS in an unprivileged Container.

The HDD I want to use for the backup is mounted on the host

Code:
cat /etc/fstab
...
LABEL="Backup_Proxmox" /mnt/backup/    ext4    defaults        0 2

I created a directory /mnt/backup/pbs/store1 on the HDD, changed the permission to backup:backup and mounted it in the container
Code:
ls -la /mnt/backup/pbs/
total 12
drwxr-xr-x 3 root   root   4096 Oct 16 08:19 .
drwxr-xr-x 7 guido  root   4096 Oct 16 08:12 ..
drwxr-xr-x 2 backup backup 4096 Oct 16 14:11 store1
Code:
pct set 102 -mp0 /mnt/backup/pbs/store1,mp=/backup/store1

Then I added the UID/GID mapping for the "backup" user in /etc/pve/lxc/102.conf
Code:
lxc.idmap: u 0 100000 34
lxc.idmap: u 34 34 1
lxc.idmap: u 35 100035 65501
lxc.idmap: g 0 100000 34
lxc.idmap: g 34 34 1
lxc.idmap: g 35 100035 65501

And added root:34:1 to /etc/subuid and /etc/subgid

Now my mountpoint in PBS looks like this:
Code:
ls -la /backup
total 13
drwxr-xr-x  3 root   root      3 Oct 16 06:30 .
drwxr-xr-x 18 root   root     24 Oct 16 13:26 ..
drwxr-xr-x  2 backup backup 4096 Oct 16 12:11 store1

When I try to create the datastore as root I get an error:
Code:
proxmox-backup-manager datastore create store1 /backup/store1

thread 'main' panicked at 'called `Result::unwrap()` on an `Err` value: unable to read "/etc/proxmox-backup/authkey.key" - Permission denied (os error 13)', src/auth_helpers.rs:182:65
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace

Also as root it is not possible to ls
Code:
root@pbs:/backup# ls -la /etc/proxmox-backup/authkey.key
ls: cannot access '/etc/proxmox-backup/authkey.key': Permission denied

When I remove the UID/GID mappings the ls command works, but then I cannot access the mounted directory.
 
Changing the user/group remapping won't touch already existing files. You changed the UID of the LXC's backup user from 100034 to 34. So now that user got a UID of 34 but all files previously owned by that user are still owned by UID 100034 so the user can't access them anymore.

So you need either to:
a) start from scratch and do your remapping before starting the LXC for the first time so all stuff gets created using UID 34 and not 100034.
b) use "pct mount" to mount the LXC's filesystem on the PVE host, then "chown" every file and folder from UID/GID 1000034 to 34 and unmount it.
c) restore a backup from before doing the UID/GID remapping and then simply chown your /mnt/backup to UID:GID 100034:100034 instead of 34:34 and completely ignore the remapping
 
Thank you very much @Dunuin

I tried taking the hard way using b)

Code:
pct stop 102
pct mount 102

cd /var/lib/lxc/102/rootfs

chown 34:34 etc/proxmox-backup/
chown -R :34 etc/proxmox-backup/
chown 34:34 etc/proxmox-backup/.acl.lck
chown 34:34 etc/proxmox-backup/.datastore.lck
chown 34:34 etc/proxmox-backup/tfa.json.lock
chown 34:34 etc/proxmox-backup/.user.lck

chown 34:34 var/lib/proxmox-backup/
chown -R 34:34 var/lib/proxmox-backup/jobstates/
chown -R 34:34 var/lib/proxmox-backup/rrdb
chown -R 34:34 var/lib/proxmox-backup/tape

chown -R 34:34 var/log/proxmox-backup/

cd /
pct unmount 102
pct start 102

PBS could be started again :D

and tadaahhh
Code:
proxmox-backup-manager datastore create store1 /backup/store1
Chunkstore create: 1%
Chunkstore create: 2%
...
Chunkstore create: 98%
Chunkstore create: 99%
TASK OK
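
The ownership shift discussed in this thread can be checked before restarting a container by translating IDs through the old and new `lxc.idmap` entries. The following is an added example, not code from the thread or from Proxmox: the function names are hypothetical, `OLD_MAP` assumes the default unprivileged mapping (0 to 100000, 65536 IDs), and the list of host UIDs is constructed.

```python
# Added example (not from the thread): model lxc.idmap translation.
# OLD_MAP is an assumption (default unprivileged map); NEW_MAP is the one posted above.
OLD_MAP = "lxc.idmap: u 0 100000 65536"
NEW_MAP = """\
lxc.idmap: u 0 100000 34
lxc.idmap: u 34 34 1
lxc.idmap: u 35 100035 65501
"""

def parse_idmap(text, kind="u"):
    """Return (container_start, host_start, count) tuples for 'u' or 'g' entries."""
    ranges = []
    for line in text.splitlines():
        key, _, value = line.partition(":")
        fields = value.split()
        if key.strip() == "lxc.idmap" and len(fields) == 4 and fields[0] == kind:
            ranges.append(tuple(int(f) for f in fields[1:]))
    return ranges

def to_host(ranges, container_id):
    """Host ID behind a container ID, or None if the container ID is unmapped."""
    for cstart, hstart, count in ranges:
        if cstart <= container_id < cstart + count:
            return hstart + (container_id - cstart)
    return None

def to_container(ranges, host_id):
    """Container ID a host-owned file appears as, or None if unmapped.
    Unmapped owners show up as the overflow ID (nobody/nogroup), and even
    container root is refused access to such files."""
    for cstart, hstart, count in ranges:
        if hstart <= host_id < hstart + count:
            return cstart + (host_id - hstart)
    return None

def changed_owners(old, new, host_ids):
    """Map each host ID whose container-side identity differs to (before, after)."""
    report = {}
    for hid in host_ids:
        before, after = to_container(old, hid), to_container(new, hid)
        if before != after:
            report[hid] = (before, after)
    return report

if __name__ == "__main__":
    old, new = parse_idmap(OLD_MAP), parse_idmap(NEW_MAP)
    # Constructed sample: host UIDs owning files in the rootfs or on the bind mount.
    for hid, (b, a) in changed_owners(old, new, [100000, 100034, 100035, 34]).items():
        print(f"host uid {hid}: container uid {b} -> {a}")
```

Host UID 100034 going from container UID 34 to unmapped is the state in which `/etc/proxmox-backup/authkey.key` became unreadable, and the `chown` to 34 on the mounted rootfs is what brings those files back into the mapped range.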
 
