Problem with restoring backups from PBS (Proxmox Backup Server).

[Slavickox]

How many hops away is the PVE from the PBS? Do you get the same error always on the same point? Can you restore on a independent PVE host or do you get the same error?

1 hop. Yes, I always get the same error at the same point, and I don't have another independent host.

 

[Chris]

1 hop. Yes, I always get the same error at the same point, and I don't have another independent host.

Is this snapshot encrypted? If so, did you setup the encryption keys accordingly on the PVE side?

 

[Slavickox]

Is this snapshot encrypted? If so, did you setup the encryption keys accordingly on the PVE side?

No, I didn't set anything up.

 

[Chris]

What hardware sits between your PVE and PBS host? Any router, switches ecc. which might fiddle with e.g. the MTU? How does your network configuration look like on the PVE side and how on the PBS side? Please post cat /etc/network/interfaces for both hosts.

 

[Slavickox]

What hardware sits between your PVE and PBS host? Any router, switches ecc. which might fiddle with e.g. the MTU? How does your network configuration look like on the PVE side and how on the PBS side? Please post cat /etc/network/interfaces for both hosts.

PBS:

root@pbs:~# cat /etc/network/interfaces
auto lo
iface lo inet loopback

auto ens3
iface ens3 inet static
        address 192.168.1.197/24
        gateway 192.168.1.1

source /etc/network/interfaces.d/*

PVE:

root@Proxmox:~# cat /etc/network/interfaces
# network interface settings; autogenerated
# Please do NOT modify this file directly, unless you know what
# you're doing.
#
# If you want to manage parts of the network configuration manually,
# please utilize the 'source' or 'source-directory' directives to do
# so.
# PVE will preserve these directives, but will NOT read its network
# configuration from sourced files, so do not attempt to move any of
# the PVE managed interfaces into external files!

auto lo
iface lo inet loopback

iface enp2s0 inet manual

auto vmbr0
iface vmbr0 inet static
        address 192.168.1.198/24
        gateway 192.168.1.1
        bridge-ports enp2s0
        bridge-stp off
        bridge-fd 0

iface wlp3s0 inet manual

source /etc/network/interfaces.d/*

Only my router

 

[Chris]

And the traffic is routed correctly via the enp2s0 interface? What is the default route for the PVE host? Please post ip r & ip a

 

[Slavickox]

@Chris

And the traffic is routed correctly via the enp2s0 interface? What is the default route for the PVE host? Please post ip r & ip a

PVE:

root@Proxmox:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host noprefixroute
       valid_lft forever preferred_lft forever
2: enp2s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master vmbr0 state UP group default qlen 1000
    link/ether 40:c2:ba:dd:82:82 brd ff:ff:ff:ff:ff:ff
3: wlp3s0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether d0:39:57:7d:e7:95 brd ff:ff:ff:ff:ff:ff
4: vmbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 40:c2:ba:dd:82:82 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.198/24 scope global vmbr0
       valid_lft forever preferred_lft forever
    inet6 fe80::42c2:baff:fedd:8282/64 scope link
       valid_lft forever preferred_lft forever
root@Proxmox:~# ip r
default via 192.168.1.1 dev vmbr0 proto kernel onlink
192.168.1.0/24 dev vmbr0 proto kernel scope link src 192.168.1.198

PBS:

root@pbs:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host noprefixroute
       valid_lft forever preferred_lft forever
2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 02:11:32:2c:5c:21 brd ff:ff:ff:ff:ff:ff
    altname enp0s3
    inet 192.168.1.197/24 scope global ens3
       valid_lft forever preferred_lft forever
    inet6 fe80::11:32ff:fe2c:5c21/64 scope link
       valid_lft forever preferred_lft forever
root@pbs:~# ip r
default via 192.168.1.1 dev ens3 proto kernel onlink
192.168.1.0/24 dev ens3 proto kernel scope link src 192.168.1.197

Yes

 

[Slavickox]

@Chris May I ask for special attention, please, as Proxmox has been down for two days now, and I can't start from scratch. I need it to be working as soon as possible, ideally by yesterday. (Please take this as a request and not in any other way)

 

[Chris]

@Chris May I ask for special attention, please, as Proxmox has been down for two days now, and I can't start from scratch. I need it to be working as soon as possible, ideally by yesterday. (Please take this as a request and not in any other way)

If the issue is so critical, you could try to download the whole container root filesystem content from the PBS WebUI, or use single file restore to restore a subset of the data. Another thing might be to exclude the router altogether, by directly connecting the PVE and PBS via a patch cable...

 

[Slavickox]

If the issue is so critical, you could try to download the whole container root filesystem content from the PBS WebUI, or use single file restore to restore a subset of the data. Another thing might be to exclude the router altogether, by directly connecting the PVE and PBS via a patch cable...

I can download it, but that's not a solution.

 

[Chris]

I can download it, but that's not a solution.

But that shows that the archive on the PBS side is actually fine and the issue is either your router (network) or there is still a misconfiguration.

Also, as a workaround you could use the pxar archive to restore the filesystem to a mounted container rootfs on the PVE host, by first cloning/creating the container (the config is also accessible or can be downloaded if needed), mounting it via pct mount <VMID>, delete the old contents and restore via lxc-usernsexec -m u:0:100000:65536 -m g:0:100000:65536 -- /usr/bin/pxar extract /path/to/root.pxar /var/lib/lxc/<VMID>/rootfs --allow-existing-dirs. Then unmount via pct unmount <VMID>.

Note, for this to work the downloaded archive must be accessible by the user with uid 100000, as that is what your container root user will be mapped to. You can place it e.g. into /tmp and set ownership via chown 100000:100000 /tmp/root.pxar

 

[AFrenchCompany]

I'm currently having the same issue. Initially I wanted to restore a privileged to unprivileged.
The WebUI fails on that so I added added the necessary parameters in CLI but it throws the same errors as OP.

lxc-usernsexec -m u:0:100000:65536 -m g:0:100000:65536 -- /usr/bin/proxmox-backup-client restore '--crypt-mode=none' ct/111/2024-10-19T12:35:44Z root.pxar /var/lib/lxc/111/rootfs --allow-existing-dirs --ignore-extract-device-errors 1 --overwrite 1 --ignore-acls 1 --repository root@pam@redacted:backup-vms

storing login ticket failed: $XDG_RUNTIME_DIR (`/run/user/0`) must be accessible by the current user (error: Permission denied (os error 13))
Error: error extracting archive - encountered unexpected error during extraction: error at "/bin": error at entry "bin": failed to extract symlink: EACCES: Permission denied

edit: it would seem that the last two error lines do not point to the actual issue. As I don't have any networking/certificate issues. 10Gb NICs, single switch between, and successful access logs on PBS.

 

[Chris]

I'm currently having the same issue. Initially I wanted to restore a privileged to unprivileged.
The WebUI fails on that so I added added the necessary parameters in CLI but it throws the same errors as OP.

lxc-usernsexec -m u:0:100000:65536 -m g:0:100000:65536 -- /usr/bin/proxmox-backup-client restore '--crypt-mode=none' ct/111/2024-10-19T12:35:44Z root.pxar /var/lib/lxc/111/rootfs --allow-existing-dirs --ignore-extract-device-errors 1 --overwrite 1 --ignore-acls 1 --repository root@pam@redacted:backup-vms

storing login ticket failed: $XDG_RUNTIME_DIR (`/run/user/0`) must be accessible by the current user (error: Permission denied (os error 13))
Error: error extracting archive - encountered unexpected error during extraction: error at "/bin": error at entry "bin": failed to extract symlink: EACCES: Permission denied

edit: it would seem that the last two error lines do not point to the actual issue. As I don't have any networking/certificate issues. 10Gb NICs, single switch between, and successful access logs on PBS.

Hi,
I guess you are invoking the client directly? If so, have you actually mounted the containers root filesystem before starting the restore? I do not think you are seeing the same issue, there does not seem to be a TLS connection problem involved.

Edit: Can you perform the actual restore via the WebUI? If not, please post the full restore task log.

 

[AFrenchCompany]

Hi,
I guess you are invoking the client directly? If so, have you actually mounted the containers root filesystem before starting the restore? I do not think you are seeing the same issue, there does not seem to be a TLS connection problem involved.

Edit: Can you perform the actual restore via the WebUI? If not, please post the full restore task log.

Thanks for the reply.

> have you actually mounted the containers root filesystem before starting the restore

I did not.

I ended up dumping a backup on a basic folder storage, to be able to use pct restore, which did work.