v3.4 to v4.1 OpenVZ backup restore permission errors

[Craig]

Hi,

I am experiencing a problem restoring a backup of OpenVZ container from v3.4 to v4.1 lxc.

The restore completed without any errors, I then reconfigure the network and the container comes online as expected. When I look into the services, e.g. apt-cacher , I see errors listed that specify that the container has a write / access permission problem.

I have read through all the posts and I don't see any similar errors anywhere. I even tried the apparmor "fix" by disabling it on the host with no success and also adding the lxc.aa_profile = unconfined line to the lxc config file as below.

arch: amd64
cpulimit: 1
cpuunits: 1024
hostname: cache.server
memory: 512
nameserver: 192.168.1.6
net0: bridge=vmbr1,hwaddr=02:81:AF:7B:38:33,ip=dhcp,name=eth0,tag=1,type=veth
onboot: 0
ostype: ubuntu
rootfs: nfs-storage:103/vm-103-disk-1.raw,size=20G
searchdomain: server.local
swap: 1024
lxc.aa_profile = unconfined

Logs from the server as follows:

Thu Dec 17 13:48:08 2015|error [2360]: Failed to open/create /var/cache/apt-cacher/headers/security.ubuntu.com_ubuntu_dists_trusty-security_universe_binary-amd64_Packages.bz2: Permission denied at /usr/sbin/apt-cacher line 704, <GEN85> line 12.
Thu Dec 17 13:48:08 2015|error [2361]: Failed to open/create /var/cache/apt-cacher/headers/security.ubuntu.com_ubuntu_dists_trusty-security_main_binary-i386_Packages.bz2: Permission denied at /usr/sbin/apt-cacher line 704, <GEN86> line 12.
Thu Dec 17 13:48:08 2015|error [2362]: Failed to open/create /var/cache/apt-cacher/headers/security.ubuntu.com_ubuntu_dists_trusty-security_universe_binary-i386_Packages.bz2: Permission denied at /usr/sbin/apt-cacher line 704, <GEN87> line 11.
Thu Dec 17 13:48:09 2015|error [2356]: Failed to open/create /var/cache/apt-cacher/packages/archive.canonical.com_ubuntu_dists_trusty_Release.gpg for return: Permission denied at /usr/sbin/apt-cacher line 713, <GEN81> line 11.
Thu Dec 17 13:48:09 2015|error [2364]: Failed to open/create /var/cache/apt-cacher/packages/archive.canonical.com_ubuntu_dists_trusty_Release for return: Permission denied at /usr/sbin/apt-cacher line 713, <GEN89> line 7.

I have kept the server on both the v3.4 and the v4.1 hosts. On the v4.1 I get this error, on the v3.4 I get no errors.

Can you please assist in finding this problem? Please also advise on what other information is required to assist. I posted what I thought was relevant.

 

[Craig]

I have done further testing as follows:

I created two containers from stock ubuntu-14.04 x64 templates on a 3.4 (test2.server) and a 4.1 (test.server) host.

I followed the exact same steps on both containers during creation. The only difference is the IP addresses.

I then fully updated both servers and installed the apt-cacher app to test for differences. I used a third test server to test update caching from test.server and test2.server and both download and update the client as expected, both containers worked on both hosts without any errors.

config options changed from default for the apt-cacher on both is:

cache_dir = /var/cache/apt-cacher
log_dir = /var/log/apt-cacher
daemon_port = 3142
group = www-data
user = www-data
allowed_hosts = *
ubuntu_release_names = dapper, edgy, feisty, gutsy, hardy, intrepid, jaunty, karmic, lucid, maverick, natty, oneiric, precise, quantal

I then shut down the container on the 3.4 host (test2.server), created a backup and restored the backup on the 4.1 host.

I added the "lxc.aa_profile = unconfined" option to the config of the restored container (test2.server)and it started up as expected.

I then performed the same update test from the same client on which the restored container (test2.server) fails with the same error as above.

see attached screen shot as well.


This seems to be a migration problem between OpenVZ and lxc.

Can someone please replicate what I have done here and advise if the same errors are seen?

As a note, I have tested the restore of test2.server to a NFS share and a local drive with the same error result on both.

edit: I just tested on PVE 4.0-48 with the same error.

 

[Craig]

Can someone please test the above and see if they are experiencing the same problems?

 

[windinternet]

Hello @Craig,

You are probably dealing with the default ACL permissions problem on 4.1 here.

Try setfacl -b -R / on the new container before starting any of your own services and group write enable all socket files that you can find in your service if they are already created.

See also:
https://forum.proxmox.com/threads/lxc-containers-have-extended-permissions-acl-by-default.25367/

Patch has been sent to the bugzilla for Proxmox