TASK ERROR: restoring 'mp0' to bind mount is only possible for root

[roosei]

Hello,

when trying to restore LXC container with defined NFS mount (via mp0 in cfg) to different container it ends with:

TASK ERROR: restoring 'mp0' to bind mount is only possible for root

Any ideas how to restore container?

I tried to setup same mountpoint it the target container, but it's same.

 

[fabian]

please post the output of "pveversion -v", the container configuration in the backup (you can view it in the GUI or with "pvesm extractconfig") and how you restore (GUI, "pct restore"?)

 

[roosei]

Hi, thanks for reply.

I'm using GUI with this configuration

arch: amd64
cpulimit: 8
cpuunits: 100
hostname: intranet.nux.cz
memory: 8192 mp0: /mnt/store/intranet,mp=/mnt/intranet,acl=0 net0: bridge=vmbr0,gw=<IP>,hwaddr=32:34:33:64:63:62,ip=<ip>,name=eth0,type=veth
onboot: 1
ostype: debian
protection: 1
rootfs: zfs.local:subvol-101-disk-1,acl=0,size=20G
swap: 2048

on

proxmox-ve: 4.3-71 (running kernel: 4.4.21-1-pve)
pve-manager: 4.3-9 (running version: 4.3-9/f7c6f0cd)
pve-kernel-4.4.13-1-pve: 4.4.13-56
pve-kernel-4.4.8-1-pve: 4.4.8-52
pve-kernel-4.4.13-2-pve: 4.4.13-58
pve-kernel-4.4.21-1-pve: 4.4.21-71
pve-kernel-4.4.15-1-pve: 4.4.15-60
pve-kernel-4.2.8-1-pve: 4.2.8-41
pve-kernel-4.4.16-1-pve: 4.4.16-64
pve-kernel-4.4.19-1-pve: 4.4.19-66
pve-kernel-4.4.10-1-pve: 4.4.10-54
lvm2: 2.02.116-pve3
corosync-pve: 2.4.0-1
libqb0: 1.0-1
pve-cluster: 4.0-46
qemu-server: 4.0-92
pve-firmware: 1.1-10
libpve-common-perl: 4.0-79
libpve-access-control: 4.0-19
libpve-storage-perl: 4.0-68
pve-libspice-server1: 0.12.8-1
vncterm: 1.2-1
pve-docs: 4.3-12
pve-qemu-kvm: 2.7.0-4
pve-container: 1.0-80
pve-firewall: 2.0-31
pve-ha-manager: 1.0-35
ksm-control-daemon: 1.2-1
glusterfs-client: 3.5.2-2+deb8u2
lxc-pve: 2.0.5-1
lxcfs: 2.0.4-pve2
criu: 1.6.0-1
novnc-pve: 0.5-8
smartmontools: 6.5+svn4324-1~pve80
zfsutils: 0.6.5.8-pve13~bpo80

 

[fabian]

are you doing this as root@pam user? it is not allowed for other users (for security reasons, adding bind mounts is also only allowed for this user)

 

[roosei]

Oh, no I'm not root, but the LDAP user with admin privilege (Datastore.Allocate Datastore.AllocateSpace Datastore.AllocateTemplate Datastore.Audit Group.Allocate Permissions.Modify Pool.Allocate Realm.Allocate Realm.AllocateUser Sys.Audit Sys.Console Sys.Modify Sys.PowerMgmt Sys.Syslog User.Modify VM.Allocate VM.Audit VM.Backup VM.Clone VM.Config.CDROM VM.Config.CPU VM.Config.Disk VM.Config.HWType VM.Config.Memory VM.Config.Network VM.Config.Options VM.Console VM.Migrate VM.Monitor VM.PowerMgmt VM.Snapshot).

Root is forbidden, we're using LDAP + OAUTH. Is this a problem?

 

[fabian]

Oh, no I'm not root, but the LDAP user with admin privilege (Datastore.Allocate Datastore.AllocateSpace Datastore.AllocateTemplate Datastore.Audit Group.Allocate Permissions.Modify Pool.Allocate Realm.Allocate Realm.AllocateUser Sys.Audit Sys.Console Sys.Modify Sys.PowerMgmt Sys.Syslog User.Modify VM.Allocate VM.Audit VM.Backup VM.Clone VM.Config.CDROM VM.Config.CPU VM.Config.Disk VM.Config.HWType VM.Config.Memory VM.Config.Network VM.Config.Options VM.Console VM.Migrate VM.Monitor VM.PowerMgmt VM.Snapshot).

Root is forbidden, we're using LDAP + OAUTH. Is this a problem?

it's currently only allowed for root - like editing the configuration file directly for initially setting a bind mount. the reason is that any user could otherwise mount arbitrary host directories into containers - which would be very dangerous!

how did you add the bind mount initially?

 

[roosei]

Yes I did it as root before. Than we tried to make infrastructure more secured and we disable root account.

 

[fabian]

if your regular users have sudo access you can restore with "pct restore", otherwise you have to restore with the API without the bind mount (see advanced mode at http://pve.proxmox.com/pve-docs/pve-admin-guide.html#_backup_and_restore ) and add the bind mount manually afterwards as root (or with "pct set").

 

[roosei]

Well my need is to set internal process just through GUI - and it's probably impossible if the container you need restore has mount point, right?

 

[fabian]

Well my need is to set internal process just through GUI - and it's probably impossible if the container you need restore has mount point, right?

there is no way to add bind or device mounts or change their source via the GUI, except for root@pam via restore (but then the initial adding of the mount must have happened somehow else). I'd like to change this in the next major release by integrating them better into the storage model, but this is a long term plan.

 

[blogbasti]

Hi Fabian,

I'm currently trying to setup bindmounts via REST API as limited user and run into the described limitations above. It would be nice to see a hint within API documentation about the fact, that only root@pam is allowed to setup bind mounts.

 

[fabian]

Hi Fabian,

I'm currently trying to setup bindmounts via REST API as limited user and run into the described limitations above. It would be nice to see a hint within API documentation about the fact, that only root@pam is allowed to setup bind mounts.

patch on pve-devel, thanks for the hint

 

[Proxygen]

is it possible to edit the contents of the vzdump file to remove the mountpoint?

 

[fabian]

is it possible to edit the contents of the vzdump file to remove the mountpoint?

it's a (compressed) tar with the config file + data. so yes, but you're on your own