Permission denied when creating backups on NFS from Proxmox Backup Server

Smoochii

Jun 2, 2024
I have a NAS (TrueNAS SCALE) set up with an SMB shared directory called Backups. I added the SMB share to PVE using the web GUI. I also have Proxmox Backup Server running as an LXC in PVE. I created a bind mount to get the share to the LXC.

So far everything is working and I can access the Samba share from the PBS shell, but when I go to create a datastore for the backups, I get permission denied.

The owner of the folder on PBS I think is nobody in nogroup.

What do I need to do to be able to create the datastore?
 
Hi,

The main process for handling backups and datastores runs as the `backup` user, which is normally resolved to uid 34 – you can check your system using the `id backup` command.

You need to ensure that this user can access the mount. If the container you set up is an unprivileged container, you also need to deal with the UID mappings.

See e.g. this post for a basic tutorial for doing such things:
 
Hi Thomas,

So I followed the tutorial and created a new group (lxc_shares) and user (pbs) on the LXC. I was able to correctly mount everything and could create a datastore in PBS. I did have to modify the permissions to 777 on the mount to be able to read the .chunks folder but everything seems to be okay.

The problem that I'm running into now is that when I go to run a backup, it says that the user I used to create the storage in datacenter, root@pam (also the owner of the datastore in PBS), does not have access to write to the directory.

Do I somehow need to create the datastore and storage with this user?

Thanks!
 
Hi Thomas,

I got this mostly working. I am able to read/write to the NAS with the `backup` user, but it looks like the script is trying to `chown` something in the directory, but since the datastore is owned by root, I'm getting permission denied.

Is there any solution to this?

Thanks.
 
The datastore (from the POV of the Container) must be owned by the `backup` user, i.e. id 34 (again, from inside the CT, the ID on the outside might be another one). That's why a simple `chmod 777` cannot work, and is potentially unsafe as it allows all programs/users on a system to modify and delete backup data.

Maybe you can ensure that the UID of the mount point matches the one from the backup user from the inner CT using something like:

https://unix.stackexchange.com/questions/530038/remap-uid-in-samba-share

I'm sorry that I cannot be of specific help here, it's a while ago that I set a share up in a CT and I won't be able to test this for time reasons, I'm afraid.

Maybe someone else can step in here and help you though.
 
Hi Thomas,

Thanks so much for all of your help, I really appreciate it!

I was actually able to get this working by setting the user and group of the mount in the `fstab` of the host to `100034:101000`, which then made the owner in the container `backup:lxc_shares`. I was then successfully able to perform backups.

I'm not sure if this is the recommended approach, but I think it's what you're alluding to.

Thanks again!
 
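The ID arithmetic behind the fix in the last post, as an added example that is not part of the thread: it translates container IDs to host IDs through the container's idmap and compares the result with the owner of a path on the host. It assumes the default unprivileged mapping (container IDs 0-65535 shifted by 100000), GNU `stat`, and that `lxc_shares` has GID 1000 inside the container, as the `101000` in the post implies; the function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: map container IDs to host IDs for an unprivileged LXC and
# check that a host path carries the ownership the container needs.

# Assumed default mapping of an unprivileged container. Custom lxc.idmap
# values from the container config can be passed in the same 4-column form.
DEFAULT_IDMAP='u 0 100000 65536
g 0 100000 65536'

# ct_to_host_id KIND CT_ID [IDMAP]   (KIND is "u" or "g")
# Prints the host ID; returns 1 if no mapped range covers CT_ID.
ct_to_host_id() {
    local kind ct_id idmap k ct_start host_start count
    kind="$1"; ct_id="$2"; idmap="${3:-$DEFAULT_IDMAP}"
    while read -r k ct_start host_start count; do
        [ "$k" = "$kind" ] || continue
        if [ "$ct_id" -ge "$ct_start" ] && [ "$ct_id" -lt $((ct_start + count)) ]; then
            echo $((host_start + ct_id - ct_start))
            return 0
        fi
    done <<EOF
$idmap
EOF
    return 1
}

# check_owner PATH CT_UID CT_GID [IDMAP]
# Run on the host. Returns 0 if PATH is owned by the host IDs that appear as
# CT_UID:CT_GID inside the container, 1 on mismatch, 2 if an ID is unmapped.
check_owner() {
    local path idmap want_uid want_gid have
    path="$1"; idmap="${4:-$DEFAULT_IDMAP}"
    want_uid=$(ct_to_host_id u "$2" "$idmap") || return 2
    want_gid=$(ct_to_host_id g "$3" "$idmap") || return 2
    have=$(stat -c '%u:%g' "$path") || return 2
    if [ "$have" = "$want_uid:$want_gid" ]; then
        echo "ok: $path is $have on the host"
    else
        echo "mismatch: $path is $have, container needs $want_uid:$want_gid"
        return 1
    fi
}
```

On the host, `check_owner <mountpoint> 34 1000` reports whether the mount already has the ownership that shows up as `backup:lxc_shares` in the container, which avoids falling back to mode 777.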