LXD 5.20: rsync errors with lxc copy and files with NTACLs

[MaxRower]

Required information

• Distribution: Ubuntu 22.04.4 LTS
• Distribution version: Ubuntu 22.04.4 LTS
• The output of "snap list --all lxd core20 core22 core24 snapd":

  
  Name    Version       Revision  Tracking       Herausgeber  Hinweise
  core20  20240227      2264      latest/stable  canonical✓   base,deaktiviert
  core20  20240416      2318      latest/stable  canonical✓   base
  core22  20240111      1122      latest/stable  canonical✓   base,deaktiviert
  core22  20240408      1380      latest/stable  canonical✓   base
  lxd     5.12-c63881f  24643     5.20/stable    canonical✓   deaktiviert
  lxd     5.20-f3dd836  27049     5.20/stable    canonical✓   -
  snapd   2.62          21465     latest/stable  canonical✓   snapd,deaktiviert
  snapd   2.63          21759     latest/stable  canonical✓   snapd

 * The output of "lxc info" or if that fails:

config: core.https_address: '[::]:8443' core.trust_password: true images.auto_update_interval: "0" api_extensions:

• storage_zfs_remove_snapshots
• container_host_shutdown_timeout
• container_stop_priority
• container_syscall_filtering
• auth_pki
• container_last_used_at
• etag
• patch
• usb_devices
• https_allowed_credentials
• image_compression_algorithm
• directory_manipulation
• container_cpu_time
• storage_zfs_use_refquota
• storage_lvm_mount_options
• network
• profile_usedby
• container_push
• container_exec_recording
• certificate_update
• container_exec_signal_handling
• gpu_devices
• container_image_properties
• migration_progress
• id_map
• network_firewall_filtering
• network_routes
• storage
• file_delete
• file_append
• network_dhcp_expiry
• storage_lvm_vg_rename
• storage_lvm_thinpool_rename
• network_vlan
• image_create_aliases
• container_stateless_copy
• container_only_migration
• storage_zfs_clone_copy
• unix_device_rename
• storage_lvm_use_thinpool
• storage_rsync_bwlimit
• network_vxlan_interface
• storage_btrfs_mount_options
• entity_description
• image_force_refresh
• storage_lvm_lv_resizing
• id_map_base
• file_symlinks
• container_push_target
• network_vlan_physical
• storage_images_delete
• container_edit_metadata
• container_snapshot_stateful_migration
• storage_driver_ceph
• storage_ceph_user_name
• resource_limits
• storage_volatile_initial_source
• storage_ceph_force_osd_reuse
• storage_block_filesystem_btrfs
• resources
• kernel_limits
• storage_api_volume_rename
• macaroon_authentication
• network_sriov
• console
• restrict_devlxd
• migration_pre_copy
• infiniband
• maas_network
• devlxd_events
• proxy
• network_dhcp_gateway
• file_get_symlink
• network_leases
• unix_device_hotplug
• storage_api_local_volume_handling
• operation_description
• clustering
• event_lifecycle
• storage_api_remote_volume_handling
• nvidia_runtime
• container_mount_propagation
• container_backup
• devlxd_images
• container_local_cross_pool_handling
• proxy_unix
• proxy_udp
• clustering_join
• proxy_tcp_udp_multi_port_handling
• network_state
• proxy_unix_dac_properties
• container_protection_delete
• unix_priv_drop
• pprof_http
• proxy_haproxy_protocol
• network_hwaddr
• proxy_nat
• network_nat_order
• container_full
• candid_authentication
• backup_compression
• candid_config
• nvidia_runtime_config
• storage_api_volume_snapshots
• storage_unmapped
• projects
• candid_config_key
• network_vxlan_ttl
• container_incremental_copy
• usb_optional_vendorid
• snapshot_scheduling
• snapshot_schedule_aliases
• container_copy_project
• clustering_server_address
• clustering_image_replication
• container_protection_shift
• snapshot_expiry
• container_backup_override_pool
• snapshot_expiry_creation
• network_leases_location
• resources_cpu_socket
• resources_gpu
• resources_numa
• kernel_features
• id_map_current
• event_location
• storage_api_remote_volume_snapshots
• network_nat_address
• container_nic_routes
• rbac
• cluster_internal_copy
• seccomp_notify
• lxc_features
• container_nic_ipvlan
• network_vlan_sriov
• storage_cephfs
• container_nic_ipfilter
• resources_v2
• container_exec_user_group_cwd
• container_syscall_intercept
• container_disk_shift
• storage_shifted
• resources_infiniband
• daemon_storage
• instances
• image_types
• resources_disk_sata
• clustering_roles
• images_expiry
• resources_network_firmware
• backup_compression_algorithm
• ceph_data_pool_name
• container_syscall_intercept_mount
• compression_squashfs
• container_raw_mount
• container_nic_routed
• container_syscall_intercept_mount_fuse
• container_disk_ceph
• virtual-machines
• image_profiles
• clustering_architecture
• resources_disk_id
• storage_lvm_stripes
• vm_boot_priority
• unix_hotplug_devices
• api_filtering
• instance_nic_network
• clustering_sizing
• firewall_driver
• projects_limits
• container_syscall_intercept_hugetlbfs
• limits_hugepages
• container_nic_routed_gateway
• projects_restrictions
• custom_volume_snapshot_expiry
• volume_snapshot_scheduling
• trust_ca_certificates
• snapshot_disk_usage
• clustering_edit_roles
• container_nic_routed_host_address
• container_nic_ipvlan_gateway
• resources_usb_pci
• resources_cpu_threads_numa
• resources_cpu_core_die
• api_os
• container_nic_routed_host_table
• container_nic_ipvlan_host_table
• container_nic_ipvlan_mode
• resources_system
• images_push_relay
• network_dns_search
• container_nic_routed_limits
• instance_nic_bridged_vlan
• network_state_bond_bridge
• usedby_consistency
• custom_block_volumes
• clustering_failure_domains
• resources_gpu_mdev
• console_vga_type
• projects_limits_disk
• network_type_macvlan
• network_type_sriov
• container_syscall_intercept_bpf_devices
• network_type_ovn
• projects_networks
• projects_networks_restricted_uplinks
• custom_volume_backup
• backup_override_name
• storage_rsync_compression
• network_type_physical
• network_ovn_external_subnets
• network_ovn_nat
• network_ovn_external_routes_remove
• tpm_device_type
• storage_zfs_clone_copy_rebase
• gpu_mdev
• resources_pci_iommu
• resources_network_usb
• resources_disk_address
• network_physical_ovn_ingress_mode
• network_ovn_dhcp
• network_physical_routes_anycast
• projects_limits_instances
• network_state_vlan
• instance_nic_bridged_port_isolation
• instance_bulk_state_change
• network_gvrp
• instance_pool_move
• gpu_sriov
• pci_device_type
• storage_volume_state
• network_acl
• migration_stateful
• disk_state_quota
• storage_ceph_features
• projects_compression
• projects_images_remote_cache_expiry
• certificate_project
• network_ovn_acl
• projects_images_auto_update
• projects_restricted_cluster_target
• images_default_architecture
• network_ovn_acl_defaults
• gpu_mig
• project_usage
• network_bridge_acl
• warnings
• projects_restricted_backups_and_snapshots
• clustering_join_token
• clustering_description
• server_trusted_proxy
• clustering_update_cert
• storage_api_project
• server_instance_driver_operational
• server_supported_storage_drivers
• event_lifecycle_requestor_address
• resources_gpu_usb
• clustering_evacuation
• network_ovn_nat_address
• network_bgp
• network_forward
• custom_volume_refresh
• network_counters_errors_dropped
• metrics
• image_source_project
• clustering_config
• network_peer
• linux_sysctl
• network_dns
• ovn_nic_acceleration
• certificate_self_renewal
• instance_project_move
• storage_volume_project_move
• cloud_init
• network_dns_nat
• database_leader
• instance_all_projects
• clustering_groups
• ceph_rbd_du
• instance_get_full
• qemu_metrics
• gpu_mig_uuid
• event_project
• clustering_evacuation_live
• instance_allow_inconsistent_copy
• network_state_ovn
• storage_volume_api_filtering
• image_restrictions
• storage_zfs_export
• network_dns_records
• storage_zfs_reserve_space
• network_acl_log
• storage_zfs_blocksize
• metrics_cpu_seconds
• instance_snapshot_never
• certificate_token
• instance_nic_routed_neighbor_probe
• event_hub
• agent_nic_config
• projects_restricted_intercept
• metrics_authentication
• images_target_project
• cluster_migration_inconsistent_copy
• cluster_ovn_chassis
• container_syscall_intercept_sched_setscheduler
• storage_lvm_thinpool_metadata_size
• storage_volume_state_total
• instance_file_head
• instances_nic_host_name
• image_copy_profile
• container_syscall_intercept_sysinfo
• clustering_evacuation_mode
• resources_pci_vpd
• qemu_raw_conf
• storage_cephfs_fscache
• network_load_balancer
• vsock_api
• instance_ready_state
• network_bgp_holdtime
• storage_volumes_all_projects
• metrics_memory_oom_total
• storage_buckets
• storage_buckets_create_credentials
• metrics_cpu_effective_total
• projects_networks_restricted_access
• storage_buckets_local
• loki
• acme
• internal_metrics
• cluster_join_token_expiry
• remote_token_expiry
• init_preseed
• storage_volumes_created_at
• cpu_hotplug
• projects_networks_zones
• network_txqueuelen
• cluster_member_state
• instances_placement_scriptlet
• storage_pool_source_wipe
• zfs_block_mode
• instance_generation_id
• disk_io_cache
• amd_sev
• storage_pool_loop_resize
• migration_vm_live
• ovn_nic_nesting
• oidc
• network_ovn_l3only
• ovn_nic_acceleration_vdpa
• cluster_healing
• instances_state_total
• auth_user
• security_csm
• instances_rebuild
• numa_cpu_placement
• custom_volume_iso
• network_allocations
• storage_api_remote_volume_snapshot_copy
• zfs_delegate
• operations_get_query_all_projects
• metadata_configuration
• syslog_socket
• event_lifecycle_name_and_project
• instances_nic_limits_priority
• disk_initial_volume_configuration
• operation_wait
• cluster_internal_custom_volume_copy
• disk_io_bus
• storage_cephfs_create_missing
• instance_move_config api_status: stable api_version: "1.0" auth: trusted public: false auth_methods:
• tls auth_user_name: root auth_user_method: unix environment: addresses:
  • 10.96.1.3:8443
  • 10.0.3.1:8443 architectures:
  • x86_64
  • i686 certificate: | -----BEGIN CERTIFICATE-----

    ---

    -----END CERTIFICATE----- certificate_fingerprint: *** driver: lxc | qemu driver_version: 5.0.3 | 8.1.3 firewall: nftables kernel: Linux kernel_architecture: x86_64 kernel_features: idmapped_mounts: "true" netnsid_getifaddrs: "true" seccomp_listener: "true" seccomp_listener_continue: "true" uevent_injection: "true" unpriv_fscaps: "true" kernel_version: 6.5.0-41-generic lxc_features: cgroup2: "true" core_scheduling: "true" devpts_fd: "true" idmapped_mounts_v2: "true" mount_injection_file: "true" network_gateway_device_route: "true" network_ipvlan: "true" network_l2proxy: "true" network_phys_macvlan_mtu: "true" network_veth_router: "true" pidfd: "true" seccomp_allow_deny_syntax: "true" seccomp_notify: "true" seccomp_proxy_send_notify_fd: "true" os_name: Ubuntu os_version: "22.04" project: default server: lxd server_clustered: false server_event_mode: full-mesh server_name: backup server_pid: 2276 server_version: "5.20" storage: btrfs storage_version: 5.16.2 storage_supported_drivers:

  • name: cephobject version: 17.2.6 remote: true
  • name: dir version: "1" remote: false
  • name: lvm version: 2.03.11(2) (2021-01-08) / 1.02.175 (2021-01-08) / 4.48.0 remote: false
  • name: zfs version: 2.2.0-0ubuntu1~23.10.2 remote: false
  • name: btrfs version: 5.16.2 remote: false
  • name: ceph version: 17.2.6 remote: true
  • name: cephfs version: 17.2.6 remote: true

   * Kernel version: Linux backup 6.5.0-41-generic #41~22.04.2-Ubuntu SMP PREEMPT_DYNAMIC Mon Jun  3 11:32:55 UTC 2 x86_64 x86_64 x86_64 GNU/Linux
   * LXC version: 5.0.0
   * LXD version: 5.20
   * Storage backend in use: btrfs

# Issue description
After upgrading lxd from 5.12 (24643) to 5.20, there are errors with "lxc copy" using rsync with changed files using NTACLs for samba server.
The remote host has the same configuration (OS and file system)

lxc copy remotehost:samba samba --refresh --instance-only -c boot.autostart=false -q

rsync: [receiver] rsync_xal_set: lsetxattr("/var/snap/lxd/common/lxd/storage-pools/lxd/containers/samba/rootfs/*******","security.NTACL") failed: Operation not permitted (1)

Running the rsync command manually with a dedicated snapshot for rsync does work, e.g.
rsync -e "ssh -i keyfile" -ar --devices --numeric-ids --partial --sparse --xattrs --filter="-x security.selinux" --delete --compress --compress-level=2 root@remotehost:/srv/lxd/containers-snapshots/samba/rsync/ /srv/lxd/containers/samba/

If I run rsync manually, it copies all changed files successfully, and lxc copy has no errors afterwards, until there are changed files with xattrs again (or if I delete some of those files manually on the target).

# Steps to reproduce

 # Information to attach

 - [ ] Any relevant kernel output (`dmesg`)
 - [ ] Container log (`lxc info NAME --show-log`)
 - [ ] Container configuration (`lxc config show NAME --expanded`)

architecture: x86_64 config: boot.autostart: "false" boot.autostart.delay: "60" boot.autostart.priority: "90" boot.stop.priority: "50" security.privileged: "false" volatile.idmap.base: "0" volatile.idmap.current: '[{"Isuid":true,"Isgid":false,"Hostid":1000000,"Nsid":0,"Maprange":1000000000},{"Isuid":false,"Isgid":true,"Hostid":1000000,"Nsid":0,"Maprange":1000000000}]' volatile.idmap.next: '[{"Isuid":true,"Isgid":false,"Hostid":1000000,"Nsid":0,"Maprange":1000000000},{"Isuid":false,"Isgid":true,"Hostid":1000000,"Nsid":0,"Maprange":1000000000}]' volatile.last_state.idmap: '[{"Isuid":true,"Isgid":false,"Hostid":1000000,"Nsid":0,"Maprange":1000000000},{"Isuid":false,"Isgid":true,"Hostid":1000000,"Nsid":0,"Maprange":1000000000}]' volatile.net0.host_name: veth9d792b25 volatile.net0.name: eth0 volatile.uuid: 16e9bc37-6c5d-497e-8e03-ff7cd172e485 volatile.uuid.generation: 16e9bc37-6c5d-497e-8e03-ff7cd172e485 devices: eth0: type: none net0: hwaddr: 00:16:3e:4c:dd:4f nictype: bridged parent: br-lan type: nic root: path: / pool: lxd type: disk ephemeral: false profiles:

• default stateful: false description: ""

 - [ ] Main daemon log (at /var/log/lxd/lxd.log or /var/snap/lxd/common/lxd/logs/lxd.log)
` time="2024-07-07T13:32:50+02:00" level=error msg="Failed migration on target" clusterMoveSourceName= err="Failed creating instance on target: Rsync receive failed: /var/snap/lxd/common/lxd/storage-pools/lxd/containers/samba/: [exit status 23] (rsync: [receiver] rsync_xal_set: lsetxattr(\"/var/snap/lxd/common/lxd/storage-pools/lxd/containers/samba/rootfs/srv/shared/daten/Kinder/Johannes/Java/Java-Projekte/ServerStop\",\"security.NTACL\") failed: Operation not permitted (1)\nrsync: [receiver] rsync_xal_set: lsetxattr(\"/var/snap/lxd/common/lxd/storage-pools/lxd/containers/samba/rootfs/*********\",\"security.NTACL\") failed: Operation not permitted (1)
and many more...`
 - [ ] Output of the client with --debug
 - [ ] Output of the daemon with --debug (alternatively output of `lxc monitor` while reproducing the issue)

[tomponline]

Hi,

Do you still experience this issue using latest/stable (5.21.1) as LXD 5.20 isn't supported anymore?

[MaxRower]

I had a similar problem on other servers copying a nextcloud container (but no NTACLs there), and upgraded the destination server to 5.21.1 LTS. As this didn't help, I didn't upgrade the other ones. But in that case, deleting the files with rsync error on the destination did help, no more error with the next lxc copy. The reason for staying on 5.20 is to keep the possibility of a simple migration to incus, as that seems to support cross platform copies (arm64 to amd64 and vice versa). It's only for backup purposes, no need to run containers on a backup server.

[MaxRower]

I now upgraded both servers to lxd 5.21.1 LTS, but the problem persists.

[tomponline]

Hi @MaxRower apologies ive not had chance to investigate this yet

[tomponline]

@boltmark please can you look into this when you get a chance. Thanks!

[tomponline]

@boltmark hows this going?

[boltmark]

@boltmark hows this going?

Hi @tomponline, this is next on my list after I get through my current bugs.

[boltmark]

Hi @MaxRower,

Can you please check your system logs for any AppArmor denials when you get the Operation not permitted (1) error from rsync?

I believe what is happening here is that rsync is being blocked on the target by the AppArmor profile used in lxd. Since lxd does not provide the CAP_SYS_ADMIN capability to the rsync profile, AppArmor will deny the writes to NTACL-protected files.

I imagine you'll see something like this:

2024-09-01T21:08:08.940946-07:00 host kernel: audit: type=1400 audit(1725250088.939:489): apparmor="DENIED" operation="capable" class="cap" profile="lxd_rsync-29844eaf-e871-436a-b7b4-6513abf8e579" pid=12710 comm="rsync" capability=21  capname="sys_admin"

[tomponline]

Any thoughts on this @mihalicyn ?

[tomponline]

@MaxRower what is the target storage pool driver in this case?

[simondeziel]

LXD grew an Apparmor profile for rsync in LXD 5.14 (https://github.com/canonical/lxd/pull/11510) which is probably why you didn't run into the issue with 5.12.

NT ACLs are saved under security.NTACL extended attributes. All the security.* attributes require CAP_SYS_ADMIN to be to write to them. The Apparmor profile for rsync doesn't let it access that capability causing the receiving end to fail to write that xattr.

Considering that our invocation of rsync includes --xattrs (see https://github.com/canonical/lxd/blob/main/lxd/rsync/rsync.go#L88-L91), we should either:

• allow rsync to use CAP_SYS_ADMIN (riskier) or
• filter out all security.*, not just security.selinux

An alternative that should work (I still have to test) would be to use optimized refresh between identical storage backends (btrfs to btrfs or zfs to zfs) as that would entirely bypass rsync and instead do the replication at the FS level rather than the file level.

[MaxRower]

@MaxRower what is the target storage pool driver in this case?

btrfs for source and target.

[MaxRower]

An alternative that should work (I still have to test) would be to use optimized refresh between identical storage backends (btrfs to btrfs or zfs to zfs) as that would entirely bypass rsync and instead do the replication at the FS level rather than the file level.

With btrfs send and receive it will probably copy the entire subvolume, not only the changes, like rsync? That's why I can only use rsync-based transfers, copying hundreds of GB every day for a backup would be very time consuming, and for remote copies impossible. Sometimes in the past, I had a ticket for exactly that, so that --instance-only uses rsync. My scenario: I use lxc copy daily on multiple hosts to make a backup of all containers to a dedicated backup server, via LAN and WAN/VPN. Snapshots for the backup history are managed there, at btrfs level, not lxd, because all existing snapshots at the target were removed at the next copy with --instance-only. Maybe this has changed after that?

[MaxRower]

Can you please check your system logs for any AppArmor denials when you get the Operation not permitted (1) error from rsync?

I will do that, when the error occurs again.

[simondeziel]

An alternative that should work (I still have to test) would be to use optimized refresh between identical storage backends (btrfs to btrfs or zfs to zfs) as that would entirely bypass rsync and instead do the replication at the FS level rather than the file level.

With btrfs send and receive it will probably copy the entire subvolume, not only the changes, like rsync?

I theory, the btrfs send/receive feature should be able to work out that both FSes are the same but at different points in time. This should let the lxc copy --refresh figure how to do a smart delta-only FS sync. This should be even more efficient than rsync as it would be at the FS level.

Now, since your backup system (the receiving side of the copy) has been "tainted" with rsync, there is no longer any commonality at the FS level between the source and the destination. This means that the refresh has to always happen with rsync due to that accidental/unexpected tainting.

We've had a couple of bugs in our btrfs storage driver preventing it from figuring out that optimized sync should be used. This might be the reason why your setup ended up falling back to rsync transfer, thus causing the initial "tainting" of the destination.

One way to confirm the above explanation would be to start with a fresh copy/destination and see if LXD stops trying to use rsync when doing subsequent refreshes. That's what I'd like to test but haven't got the time to get around doing it just yet.

[mihalicyn]

To set security.* xattr we need to have a CAP_SYS_ADMIN capability in the superblock's owner user namespace (ref https://github.com/torvalds/linux/blob/c763c43396883456ef57e5e78b64d3c259c4babc/security/commoncap.c#L1007 ). So if the filesystem we are trying to write to, is mounted in the initial user namespace (likely it is) then we need to have the CAP_SYS_ADMIN capability in the initial user namespace.

So, to write a security.NTACL we need to have the CAP_SYS_ADMIN on the host.

But there is a trick. Some LSMs can override that behavior and lift that specific requirement. For example, SELinux have a pretty complex logic (ref https://github.com/torvalds/linux/blob/c763c43396883456ef57e5e78b64d3c259c4babc/security/selinux/hooks.c#L3197) and everything depends on the current SELinux setup on the machine.

[mihalicyn]

Hi @MaxRower!

Please, can you show: lxc config show remotehost:samba -e?

[MaxRower]

Hi @MaxRower!

Please, can you show: lxc config show remotehost:samba -e?

architecture: x86_64 config: boot.autostart: "true" boot.autostart.delay: "60" boot.autostart.priority: "90" boot.stop.priority: "50" security.privileged: "false" volatile.idmap.base: "0" volatile.idmap.current: '[{"Isuid":true,"Isgid":false,"Hostid":1000000,"Nsid":0,"Maprange":1000000000},{"Isuid":false,"Isgid":true,"Hostid":1000000,"Nsid":0,"Maprange":1000000000}]' volatile.idmap.next: '[{"Isuid":true,"Isgid":false,"Hostid":1000000,"Nsid":0,"Maprange":1000000000},{"Isuid":false,"Isgid":true,"Hostid":1000000,"Nsid":0,"Maprange":1000000000}]' volatile.last_state.idmap: '[{"Isuid":true,"Isgid":false,"Hostid":1000000,"Nsid":0,"Maprange":1000000000},{"Isuid":false,"Isgid":true,"Hostid":1000000,"Nsid":0,"Maprange":1000000000}]' volatile.last_state.power: RUNNING volatile.net0.host_name: veth3b94386a volatile.net0.name: eth0 volatile.uuid: 16e9bc37-6c5d-497e-8e03-ff7cd172e485 volatile.uuid.generation: 16e9bc37-6c5d-497e-8e03-ff7cd172e485 devices: eth0: type: none net0: hwaddr: 00:16:3e:4c:dd:4f nictype: bridged parent: br-lan type: nic root: path: / pool: lxd type: disk ephemeral: false profiles:

• default stateful: false description: ""

[MaxRower]

The latest copy has six files with that error, but there are only two related DENIED log entries: Sep 21 21:22:30 backup kernel: [ 585.965907] audit: type=1400 audit(1726946550.741:110): apparmor="STATUS" operation="profile_load" profile="unconfined" name="lxd_rsync-5880733e-ad9b-4b7b-8ef1-a83f3cb51fea" pid=3728 comm="apparmor_parser" Sep 21 21:22:32 backup kernel: [ 587.537243] audit: type=1400 audit(1726946552.313:111): apparmor="DENIED" operation="capable" profile="lxd_rsync-5880733e-ad9b-4b7b-8ef1-a83f3cb51fea" pid=3730 comm="rsync" capability=21 capname="sys_admin" Sep 21 21:23:14 backup kernel: [ 630.032696] audit: type=1400 audit(1726946594.810:112): apparmor="DENIED" operation="capable" profile="lxd_rsync-5880733e-ad9b-4b7b-8ef1-a83f3cb51fea" pid=3730 comm="rsync" capability=21 capname="sys_admin"