Why do bind mounts prevent snapshots?

[karypid]

Hello,

I'm new to proxmox. Today I tried to take my first snapshot of an unprivileged container. Instead I found the button disabled and the message "The current guest configuration does not support taking new snapshots". After reading up in these forums, I saw references to this storage documentation indicating it was due mounting directories from the host into mount points in my container:

This backend assumes that the underlying directory is POSIX compatible, but nothing else. This implies that you cannot create snapshots at the storage level.

I find this restriction strange. I ended up stopping the container, removing the mount points, taking a snapshot and finally re-adding the container.

Can anyone explain why this was designed like this? I'd expect snapshots to work, but just ignore the "external" directories. Similar to how if you were taking a snapshot of a VM that has a CIFS or NFS mount inside it, its content would just be ignored.

 

[fiona]

Hi,
some people would be surprised if the snapshot would just silently exclude things. The difference with an internal VM mount point is that that's not a PVE configuration, while bind mounts are. There is an open feature request to allow explicitly setting bind mounts to be excluded from snapshots.

 

[Moxxorp]

"Skip replication"
"No backup"
...
"Skip snapshots"

In the meantime, we have to remove pass-through data drives to do snapshot, then add them again.

 

[Moxxorp]

To snapshot,
1. Shutdown machine
2. Backup /etc/pve/nodes/eno/qemu-server/ VMID .conf
3. Detatch the offending drives
4. Snapshot
5. Add detached drive entries into conf
6. Boot

 

[Dunuin]

I also would like to see a checkbox to ignore the bind-mounted folders. Because unprivileged LXCs can't mount SMB shares I need to mount them on the host and bind-mount the SMB mountpoints into the LXC. So there is really no need to snapshot the bind-mounts and even if it would be possible to include them I wouldn't want that, because the SMB shares are already snapshoted on my TrueNAS server.

 

[MountainMan]

I'm new to Proxmox also and just ran into this do to a bind mount I need between a couple containers. TBH it's making me re-think things a bit, as I definitely want automated snapshots/backups of the containers themselves. Personally I wouldn't find it odd that the bind mount isn't included, as I had to add it manually to begin with. (no way in the UI I could see?) and that xfs dataset can be taken care of on its own. Is signing on to that Bugzilla ticket the best way to show support?

Thanks!

 

[servada]

We would also really appreciate being able to create snapshots from containers with bind mounts. I guess adding the no-snapshot option as suggested above inside storage settings per bind-mount and then allowing to do so if all mp's have such switch set seems like a good compromise.

 

[leesteken]

A work-around is to not use bind mount points but add lxc.mount.entry: /directory/on/host directory/in/container none bind,rw 0 0 to the container configuration file. Then you can do snapshots and the mounted directory is exempt and ignored.

 

[servada]

A work-around is to not use bind mount points but add lxc.mount.entry: /directory/on/host directory/in/container none bind,rw 0 0 to the container configuration file. Then you can do snapshots and the mounted directory is exempt and ignored.

That sounds like a valid workaround. Does this workaround not mess with things like ACL?

 

[LnxBil]

Does this workaround not mess with things like ACL?

It's technically the same, so no.

 

[servada]

A work-around is to not use bind mount points but add lxc.mount.entry: /directory/on/host directory/in/container none bind,rw 0 0 to the container configuration file. Then you can do snapshots and the mounted directory is exempt and ignored.

This workaround does not seem to work for me. I get an LXC attach error if I leave out the slash just before the second directory (in container), if I include the forward slash the container starts but does not contain the directory/bind mount.

I am trying to mount two cephfses and one tmpfs on two separate unprivileged containers. So I guess it's not a regular directory/mount and requires some more trickery to get going.

 

[leesteken]

This workaround does not seem to work for me. I get an LXC attach error if I leave out the slash just before the second directory (in container), if I include the forward slash the container starts but does not contain the directory/bind mount.

I don't know what to say. lxc.mount.entry: /srv/mythtv var/lib/mythtv none bind 0 0 works for me on PVE 7.2. Make sure both directories exist (and have the right owner).

I am trying to mount two cephfses and one tmpfs on two separate unprivileged containers. So I guess it's not a regular directory/mount and requires some more trickery to get going.

If the tmpfs is already mounted on the Proxmox host, it works exactly the same: just bind mount (as above) the location where the tmpfs is mounted. I have no experience with cephfs.

 

[adalle]

It seems like it would be better for Proxmox to support snapshots with bind mounts, even if they have to introduce a new skip_snapshot flag or something. I do already have backup=0 for shared mounts, since I'd only want to back it up (or snapshot it) on the host system for which it is native.

The downside to this workaround is that it is not evident that a container is using those shared resources when looking at the Resources tab in the UI or API, but only when you look at the lxc config file, or mounted filesystems in the running container.

However, it is working well for me in PVE 7.3, and I have auto-snapshotting working for these containers now, which is the main thing.

 

[ivenae]

Works for me
Beware of the missing leading slash on the second path argument for the path inside the lxc container.

 

[alexdelprete]

Works for me
Beware of the missing leading slash on the second path argument for the path inside the lxc container.

Works for me, but exactly like it was described by @leesteken in post #8: without the leading slash on the second path).
Initially, I thought it was a mistake, but with the leading slash it doesn't work. Works perfectly without it, and finally I can enable snapshots.

Here's what I added to ALL my containers, replacing the bind mount:

lxc.mount.entry: /mnt/nas mnt/nas none bind,rw 0 0

Thanks a lot @leesteken.

 

[alexdelprete]

It's technically the same, so no.

Just implemented this, and it works as described, thanks for confirming it's actually the same thing.

Out of curiosity: if it's technically the same, so it's just a way of doing a bind mount in a different way, why does this allow snapshots and the other doesn't? I mean it's just some code in PVE that checks for the presence of the other way (mpX), and doesn't check for lxc.mount.entry? A bit weird...

I also wonder why the feature request of 2016 still doesn't get addressed, I've seen a lot of requests for this while searching. Wonder if the problem is technical or of other nature.

 

[Porencephaly13]

lxc.mount.entry: /mnt/nas mnt/nas none bind,rw 0 0

I just implemented this as well and just wanted to confirm that this still works and allows snapshots in 8.1.4. It's interesting that (for me anyway), the bind mount does NOT show up in the GUI under the resources tab despite the actual mount working the same in function. I'm guessing this has something to do with my snapshots are allowed and it seems to imply that the two methods are different.

 

[das1996]

Using the lxc.mount.entry method in unpriveldged containers, do you still need to do the gui/uid remapping?

Here's a snippet of my container.conf. IIRC, i needed to pass gui/uid of 864 and 865 to get permissions to work correctly.

mp0: /mnt/pve/nas1-scratch,mp=/mnt/scratch
mp1: /mnt/pve/nas1-media,mp=/mnt/media
unprivileged: 1
lxc.idmap: u 0 100000 864
lxc.idmap: g 0 100000 864
lxc.idmap: u 864 864 2
lxc.idmap: g 864 864 1
lxc.idmap: u 866 100866  64670
lxc.idmap: g 865 100865  64671

 

[timdonovan]

What is the difference between using mp0 (bind mounts) and lxc.mount.entry?

 

[LnxBil]

What is the difference between using mp0 (bind mounts) and lxc.mount.entry?

mp0 are checked in the PVE logic, lxc.mount.entry are not.