[SOLVED] Using vzdump to backup unpriviliged container results in permission errors

[reckless]

So I want to use a tmpdir that has zfs as underlying storage, with sync = disabled. This means that writing the tar to that tmp dir should write straight into RAM, which I think should be much faster.

This is my vzdump.conf:

tmpdir: /pool/backup/proxmox/vzdump/tmp/
dumpdir: /pool/backup/proxmox/vzdump
#storage: STORAGE_ID
mode: snapshot
#bwlimit: KBPS
#ionice: PRI
#lockwait: MINUTES
#stopwait: MINUTES
#size: MB
#stdexcludes: BOOLEAN
maxfiles: 6
#script: FILENAME
#exclude-path: PATHLIST
compress: gzip
pigz: 16

Now when I want to backup a small, unpriviliged container, I get this error:

INFO: starting new backup job: vzdump 102
INFO: Starting Backup of VM 102 (lxc)
INFO: Backup started at 2020-02-26 15:31:54
INFO: status = running
INFO: CT Name: test
INFO: backup mode: snapshot
INFO: ionice priority: 7
INFO: create storage snapshot 'vzdump'
INFO: creating archive '/pool/backup/proxmox/vzdump/vzdump-lxc-102-2020_02_26-15_31_54.tar.gz'
INFO: tar: /pool/backup/proxmox/vzdump/tmp/vzdumptmp199077: Cannot open: Permission denied
INFO: tar: Error is not recoverable: exiting now
INFO: remove vzdump snapshot
ERROR: Backup of VM 102 failed - command 'set -o pipefail && lxc-usernsexec -m u:0:100000:65536 -m g:0:100000:65536 -- tar cpf - --totals --one-file-system -p --sparse --numeric-owner --acls --xattrs '--xattrs-include=user.*' '--xattrs-include=security.capability' '--warning=no-file-ignored' '--warning=no-xattr-write' --one-file-system '--warning=no-file-ignored' '--directory=/pool/backup/proxmox/vzdump/tmp/vzdumptmp199077' ./etc/vzdump/pct.conf ./etc/vzdump/pct.fw '--directory=/mnt/vzsnap0' --no-anchored '--exclude=lost+found' --anchored '--exclude=./tmp/?*' '--exclude=./var/tmp/?*' '--exclude=./var/run/?*.pid' ./ | pigz -p 38 --rsyncable >/pool/backup/proxmox/vzdump/vzdump-lxc-102-2020_02_26-15_31_54.tar.dat' failed: exit code 2
INFO: Failed at 2020-02-26 15:31:55
INFO: Backup job finished with errors
job errors

I'm guessing the container itself needs access to that temporary folder? Why does it need permission if I run this as the root proxmox user? And how do I give it permission for all the unprivileged containers that I run? The backup runs fine if the tmpdir is set at the default location.

What's the best way to solve this?

 

[reckless]

Anybody have an idea on how to fix this?

 

[dcsapak]

Why does it need permission if I run this as the root proxmox user?

for an unprivlieged container, the backup runs in context of root of the unprivileged container

What's the best way to solve this?

choose a location where the root of the container can read/write

by default the ids are mapped to 100000 and above
(use chown/chmod to achieve this)

 

[reckless]

You say that but it still doesn't allow me to use that tmp folder. The folder I'm trying to use as a tempdir is /pool/backup/proxmox/vzdump/tmp.

root@proxmox:~# lst /pool/backup/proxmox/vzdump/tmp
total 10K
drwxrwxrwx+ 2 100000 100000  2 Feb 28 15:54 ./
drwxr-xr-x  4 root   root   18 Feb 28 15:54 ../

root@proxmox:~# lst /pool/backup/proxmox/vzdump
total 2.1G
drwxr-xr-x  4 root   root     18 Feb 28 15:54 ./
drwx------  7 root   root      7 Dec 26 18:00 ../
drwxr-xr-x  2 root   root      2 Dec 26 18:01 dump/
drwxrwxrwx+ 2 100000 100000    2 Feb 28 15:54 tmp/

root@proxmox:~# getfacl /pool/backup/proxmox/vzdump/tmp
getfacl: Removing leading '/' from absolute path names
# file: pool/backup/proxmox/vzdump/tmp
# owner: 100000
# group: 100000
user::rwx
user:100000:rwx
group::rwx
group:100000:rwx
mask::rwx
other::rwx
default:user::rwx
default:user:100000:rwx
default:group::rwx
default:group:100000:rwx
default:mask::rwx
default:other::---

root@proxmox:~# vzdump 102
INFO: starting new backup job: vzdump 102
INFO: Starting Backup of VM 102 (lxc)
INFO: Backup started at 2020-02-28 15:55:13
INFO: status = running
INFO: CT Name: mqtt
INFO: backup mode: snapshot
INFO: ionice priority: 7
INFO: create storage snapshot 'vzdump'
INFO: creating archive '/pool/backup/proxmox/vzdump/vzdump-lxc-102-2020_02_28-15_55_13.tar.gz'
INFO: tar: /pool/backup/proxmox/vzdump/tmp/vzdumptmp195085: Cannot open: Permission denied
INFO: tar: Error is not recoverable: exiting now
INFO: remove vzdump snapshot
ERROR: Backup of VM 102 failed - command 'set -o pipefail && lxc-usernsexec -m u:0:100000:65536 -m g:0:100000:65536 -- tar cpf - --totals --one-file-system -p --sparse --numeric-owner --acls --xattrs '--xattrs-include=user.*' '--xattrs-include=security.capability' '--warning=no-file-ignored' '--warning=no-xattr-write' --one-file-system '--warning=no-file-ignored' '--directory=/pool/backup/proxmox/vzdump/tmp/vzdumptmp195085' ./etc/vzdump/pct.conf ./etc/vzdump/pct.fw '--directory=/mnt/vzsnap0' --no-anchored '--exclude=lost+found' --anchored '--exclude=./tmp/?*' '--exclude=./var/tmp/?*' '--exclude=./var/run/?*.pid' ./ | pigz -p 38 --rsyncable >/pool/backup/proxmox/vzdump/vzdump-lxc-102-2020_02_28-15_55_13.tar.dat' failed: exit code 2
INFO: Failed at 2020-02-28 15:55:14
INFO: Backup job finished with errors
job errors

I enabled ACLs, did chown and chmod to 777 and it still gives me permission denied...

 

[dcsapak]

drwx------ 7 root root 7 Dec 26 18:00 ../

this shows that /pool/backup/proxmox has 700 permissions but at least the execute bit for directories is necessary so that users can go down that path

 

[reckless]

That was it - I had to set the execution bits by doing chmod 701 on the parent directories, with the emphasis on the last bits. Thanks for the help.