[SOLVED] Using vzdump to back up unprivileged container results in permission errors

reckless

So I want to use a tmpdir that has zfs as underlying storage, with sync = disabled. This means that writing the tar to that tmp dir should write straight into RAM, which I think should be much faster.

This is my vzdump.conf:

Code:
tmpdir: /pool/backup/proxmox/vzdump/tmp/
dumpdir: /pool/backup/proxmox/vzdump
#storage: STORAGE_ID
mode: snapshot
#bwlimit: KBPS
#ionice: PRI
#lockwait: MINUTES
#stopwait: MINUTES
#size: MB
#stdexcludes: BOOLEAN
maxfiles: 6
#script: FILENAME
#exclude-path: PATHLIST
compress: gzip
pigz: 16

Now when I want to back up a small, unprivileged container, I get this error:

Code:
INFO: starting new backup job: vzdump 102
INFO: Starting Backup of VM 102 (lxc)
INFO: Backup started at 2020-02-26 15:31:54
INFO: status = running
INFO: CT Name: test
INFO: backup mode: snapshot
INFO: ionice priority: 7
INFO: create storage snapshot 'vzdump'
INFO: creating archive '/pool/backup/proxmox/vzdump/vzdump-lxc-102-2020_02_26-15_31_54.tar.gz'
INFO: tar: /pool/backup/proxmox/vzdump/tmp/vzdumptmp199077: Cannot open: Permission denied
INFO: tar: Error is not recoverable: exiting now
INFO: remove vzdump snapshot
ERROR: Backup of VM 102 failed - command 'set -o pipefail && lxc-usernsexec -m u:0:100000:65536 -m g:0:100000:65536 -- tar cpf - --totals --one-file-system -p --sparse --numeric-owner --acls --xattrs '--xattrs-include=user.*' '--xattrs-include=security.capability' '--warning=no-file-ignored' '--warning=no-xattr-write' --one-file-system '--warning=no-file-ignored' '--directory=/pool/backup/proxmox/vzdump/tmp/vzdumptmp199077' ./etc/vzdump/pct.conf ./etc/vzdump/pct.fw '--directory=/mnt/vzsnap0' --no-anchored '--exclude=lost+found' --anchored '--exclude=./tmp/?*' '--exclude=./var/tmp/?*' '--exclude=./var/run/?*.pid' ./ | pigz -p 38 --rsyncable >/pool/backup/proxmox/vzdump/vzdump-lxc-102-2020_02_26-15_31_54.tar.dat' failed: exit code 2
INFO: Failed at 2020-02-26 15:31:55
INFO: Backup job finished with errors
job errors

I'm guessing the container itself needs access to that temporary folder? Why does it need permission if I run this as the root proxmox user? And how do I give it permission for all the unprivileged containers that I run? The backup runs fine if the tmpdir is set at the default location.

What's the best way to solve this?
 
Why does it need permission if I run this as the root proxmox user?
for an unprivileged container, the backup runs in context of root of the unprivileged container

What's the best way to solve this?
choose a location where the root of the container can read/write

by default the ids are mapped to 100000 and above
(use chown/chmod to achieve this)
 
You say that but it still doesn't allow me to use that tmp folder. The folder I'm trying to use as a tempdir is /pool/backup/proxmox/vzdump/tmp.

Bash:
root@proxmox:~# lst /pool/backup/proxmox/vzdump/tmp
total 10K
drwxrwxrwx+ 2 100000 100000  2 Feb 28 15:54 ./
drwxr-xr-x  4 root   root   18 Feb 28 15:54 ../

root@proxmox:~# lst /pool/backup/proxmox/vzdump
total 2.1G
drwxr-xr-x  4 root   root     18 Feb 28 15:54 ./
drwx------  7 root   root      7 Dec 26 18:00 ../
drwxr-xr-x  2 root   root      2 Dec 26 18:01 dump/
drwxrwxrwx+ 2 100000 100000    2 Feb 28 15:54 tmp/

root@proxmox:~# getfacl /pool/backup/proxmox/vzdump/tmp
getfacl: Removing leading '/' from absolute path names
# file: pool/backup/proxmox/vzdump/tmp
# owner: 100000
# group: 100000
user::rwx
user:100000:rwx
group::rwx
group:100000:rwx
mask::rwx
other::rwx
default:user::rwx
default:user:100000:rwx
default:group::rwx
default:group:100000:rwx
default:mask::rwx
default:other::---

root@proxmox:~# vzdump 102
INFO: starting new backup job: vzdump 102
INFO: Starting Backup of VM 102 (lxc)
INFO: Backup started at 2020-02-28 15:55:13
INFO: status = running
INFO: CT Name: mqtt
INFO: backup mode: snapshot
INFO: ionice priority: 7
INFO: create storage snapshot 'vzdump'
INFO: creating archive '/pool/backup/proxmox/vzdump/vzdump-lxc-102-2020_02_28-15_55_13.tar.gz'
INFO: tar: /pool/backup/proxmox/vzdump/tmp/vzdumptmp195085: Cannot open: Permission denied
INFO: tar: Error is not recoverable: exiting now
INFO: remove vzdump snapshot
ERROR: Backup of VM 102 failed - command 'set -o pipefail && lxc-usernsexec -m u:0:100000:65536 -m g:0:100000:65536 -- tar cpf - --totals --one-file-system -p --sparse --numeric-owner --acls --xattrs '--xattrs-include=user.*' '--xattrs-include=security.capability' '--warning=no-file-ignored' '--warning=no-xattr-write' --one-file-system '--warning=no-file-ignored' '--directory=/pool/backup/proxmox/vzdump/tmp/vzdumptmp195085' ./etc/vzdump/pct.conf ./etc/vzdump/pct.fw '--directory=/mnt/vzsnap0' --no-anchored '--exclude=lost+found' --anchored '--exclude=./tmp/?*' '--exclude=./var/tmp/?*' '--exclude=./var/run/?*.pid' ./ | pigz -p 38 --rsyncable >/pool/backup/proxmox/vzdump/vzdump-lxc-102-2020_02_28-15_55_13.tar.dat' failed: exit code 2
INFO: Failed at 2020-02-28 15:55:14
INFO: Backup job finished with errors
job errors

I enabled ACLs, did chown and chmod to 777 and it still gives me permission denied...
 
drwx------ 7 root root 7 Dec 26 18:00 ../
this shows that /pool/backup/proxmox has 700 permissions but at least the execute bit for directories is necessary so that users can go down that path
 
That was it - I had to set the execution bits by doing chmod 701 on the parent directories, with the emphasis on the last bits. Thanks for the help.
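
Added example, not part of the original thread: a shell helper that walks every directory on the way to a tmpdir and lists the ones where a given host uid/gid (100000 for the mapped container root here) lacks the execute (search) bit, which is the condition that caused the "Permission denied" above. The function names and the temporary demo tree are assumptions made for illustration; only classic mode bits are evaluated, not ACL entries.

```shell
#!/bin/sh
# Added example (not from the thread). Needs GNU stat, as on Debian/Proxmox.
# Evaluates classic mode bits only; ACL entries are not consulted.

# can_search UID GID DIR: succeed if the mode bits give that id the
# execute (search) bit on DIR. Owner bits win over group, group over other.
can_search() {
    info=$(stat -c '%a %u %g' "$3") || return 2
    mode=${info%% *}; rest=${info#* }
    owner=${rest% *}; group=${rest#* }
    perms=$(( 0$mode ))                       # stat prints octal digits
    if   [ "$1" -eq "$owner" ]; then bit=$(( ($perms >> 6) & 1 ))
    elif [ "$2" -eq "$group" ]; then bit=$(( ($perms >> 3) & 1 ))
    else                             bit=$(( $perms & 1 ))
    fi
    [ "$bit" -eq 1 ]
}

# blocked_dirs UID GID ABSOLUTE_PATH: print each directory from / down to
# the path itself that the id cannot traverse.
blocked_dirs() {
    b_uid=$1; b_gid=$2
    old_ifs=$IFS; IFS=/; set -f
    set -- $3                                 # split path into components
    set +f; IFS=$old_ifs
    cur=
    can_search "$b_uid" "$b_gid" / || echo /
    for part in "$@"; do
        [ -n "$part" ] || continue
        cur=$cur/$part
        [ -d "$cur" ] || continue
        can_search "$b_uid" "$b_gid" "$cur" || echo "$cur"
    done
}

# Constructed demo tree mirroring the thread: tmp/ is 777, a parent is 700.
demo() {
    d_root=$(mktemp -d) && chmod 755 "$d_root"
    mkdir -p "$d_root/proxmox/vzdump/tmp"
    chmod 700 "$d_root/proxmox"; chmod 777 "$d_root/proxmox/vzdump/tmp"
    d_id=$(( $(id -u) + 100000 ))             # stand-in id that owns nothing
    echo "blocked with 700 parent:"
    blocked_dirs "$d_id" "$d_id" "$d_root/proxmox/vzdump/tmp"
    chmod 701 "$d_root/proxmox"
    echo "blocked after chmod 701:"
    blocked_dirs "$d_id" "$d_id" "$d_root/proxmox/vzdump/tmp"
    rm -rf "$d_root"
}
demo
```

On the Proxmox host the call would be `blocked_dirs 100000 100000 /pool/backup/proxmox/vzdump/tmp`; `namei -l` on the same path shows the per-component modes for a manual check.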