search

enzingerm / snapborg

Synchronize snapper snapshots to a borg repository
GNU General Public License v3.0
35 stars 6 forks source link

Getting permission denied errors #33

Closed karamanliev closed 4 months ago

karamanliev commented 5 months ago

Hello, thank you for the great tool. I have setup snapper to do automated snapshots of / and I'm trying to backup them up to a remote borg server, but I'm getting this output while doing it. Am I doing something wrong or this is expected? Can I trust these backups if something happend and I need to restore from them?

➜ snapborg backup                                                                                                                                                      at 16:12:38
Backing up snapshots for snapper config 'root'...
Backing up snapshot number 963 from 2024-05-08T16:00:10...
$ borg create --one-file-system --stats --exclude-caches --checkpoint-interval 600 --compression auto,lz4 --timestamp 2024-05-08T16:00:10 --progress REMOTEBORGSERVER:root_backup::root-963-2024-05-08T16:00:10 .
var/cache/ldconfig: dir_open: [Errno 13] Permission denied: 'ldconfig'
var/cache/private: dir_open: [Errno 13] Permission denied: 'private'
var/cache/reflector/mirrorstatus.json: open: [Errno 13] Permission denied: 'mirrorstatus.json'
var/cache/powertop: dir_open: [Errno 13] Permission denied: 'powertop'
var/lib/systemd/coredump/core.zsh.0.0ff28746910c4b3fa13939adb2658f7e.210713.1714768866000000.zst: open: [Errno 13] Permission denied: 'core.zsh.0.0ff28746910c4b3fa13939adb2658f7e.210713.1714768866000000.zst'
var/lib/systemd/random-seed: open: [Errno 13] Permission denied: 'random-seed'000.1f7797bdbaec45febd1df9c6888a18b8.240778.1715161569000000.zst
var/lib/private: dir_open: [Errno 13] Permission denied: 'private'
var/lib/libuuid/clock.txt: open: [Errno 13] Permission denied: 'clock.txt'
var/lib/NetworkManager: dir_open: [Errno 13] Permission denied: 'NetworkManager'
var/lib/udisks2: dir_open: [Errno 13] Permission denied: 'udisks2'
var/lib/AccountsService/users: dir_open: [Errno 13] Permission denied: 'users'
var/lib/gdm: dir_open: [Errno 13] Permission denied: 'gdm'
var/lib/brltty: dir_open: [Errno 13] Permission denied: 'brltty'
var/lib/colord/.cache: dir_open: [Errno 13] Permission denied: '.cache'
var/lib/gnome-remote-desktop: dir_open: [Errno 13] Permission denied: 'gnome-remote-desktop'
var/lib/dkms/mok.key: open: [Errno 13] Permission denied: 'mok.key'
var/lib/sddm: dir_open: [Errno 13] Permission denied: 'sddm'ia/550.78/6.8.9-arch1-1/x86_64/module/nvidia-modeset.ko.zst
var/lib/flatpak/repo/.lock: open: [Errno 13] Permission denied: '.lock'/97/6aecfdab656ec41075ebb6f970864d2679814d95b3f65a8aa1dbdc2478ff3e.file
var/lib/bluetooth: dir_open: [Errno 13] Permission denied: 'bluetooth'lathub/x86_64/1f563ddaa867a2ded209106aacf47905a2ef99420572429139491240c2e0714a/appstream.xml.gz
var/lib/rpcbind: dir_open: [Errno 13] Permission denied: 'rpcbind'
var/tmp/sbctl_backup_keys_1712960525/KEK/KEK.key: open: [Errno 13] Permission denied: 'KEK.key'
var/tmp/sbctl_backup_keys_1712960525/KEK/KEK.pem: open: [Errno 13] Permission denied: 'KEK.pem'
var/tmp/sbctl_backup_keys_1712960525/PK/PK.key: open: [Errno 13] Permission denied: 'PK.key'
var/tmp/sbctl_backup_keys_1712960525/PK/PK.pem: open: [Errno 13] Permission denied: 'PK.pem'
var/tmp/sbctl_backup_keys_1712960525/db/db.key: open: [Errno 13] Permission denied: 'db.key'
var/tmp/sbctl_backup_keys_1712960525/db/db.pem: open: [Errno 13] Permission denied: 'db.pem'
var/tmp/systemd-private-1f7797bdbaec45febd1df9c6888a18b8-systemd-timesyncd.service-uAr5sz: dir_open: [Errno 13] Permission denied: 'systemd-private-1f7797bdbaec45febd1df9c6888a18b8-systemd-timesyncd.service-uAr5sz'
var/tmp/systemd-private-1f7797bdbaec45febd1df9c6888a18b8-dbus-broker.service-ObR6SP: dir_open: [Errno 13] Permission denied: 'systemd-private-1f7797bdbaec45febd1df9c6888a18b8-dbus-broker.service-ObR6SP'
var/tmp/systemd-private-1f7797bdbaec45febd1df9c6888a18b8-bluetooth.service-ZBdHae: dir_open: [Errno 13] Permission denied: 'systemd-private-1f7797bdbaec45febd1df9c6888a18b8-bluetooth.service-ZBdHae'
var/tmp/systemd-private-1f7797bdbaec45febd1df9c6888a18b8-systemd-logind.service-wfqV6L: dir_open: [Errno 13] Permission denied: 'systemd-private-1f7797bdbaec45febd1df9c6888a18b8-systemd-logind.service-wfqV6L'
var/tmp/systemd-private-1f7797bdbaec45febd1df9c6888a18b8-polkit.service-rFGXZQ: dir_open: [Errno 13] Permission denied: 'systemd-private-1f7797bdbaec45febd1df9c6888a18b8-polkit.service-rFGXZQ'
var/tmp/systemd-private-1f7797bdbaec45febd1df9c6888a18b8-colord.service-mPqc5Y: dir_open: [Errno 13] Permission denied: 'systemd-private-1f7797bdbaec45febd1df9c6888a18b8-colord.service-mPqc5Y'
var/tmp/systemd-private-1f7797bdbaec45febd1df9c6888a18b8-upower.service-QWmQLZ: dir_open: [Errno 13] Permission denied: 'systemd-private-1f7797bdbaec45febd1df9c6888a18b8-upower.service-QWmQLZ'
var/tmp/systemd-private-1f7797bdbaec45febd1df9c6888a18b8-systemd-hostnamed.service-ro2T0B: dir_open: [Errno 13] Permission denied: 'systemd-private-1f7797bdbaec45febd1df9c6888a18b8-systemd-hostnamed.service-ro2T0B'
var/db/sudo: dir_open: [Errno 13] Permission denied: 'sudo'
etc/pacman.d/gnupg/secring.gpg: open: [Errno 13] Permission denied: 'secring.gpg'
etc/pacman.d/gnupg/private-keys-v1.d: dir_open: [Errno 13] Permission denied: 'private-keys-v1.d'
etc/pacman.d/gnupg/openpgp-revocs.d: dir_open: [Errno 13] Permission denied: 'openpgp-revocs.d'
etc/pacman.d/gnupg/crls.d: dir_open: [Errno 13] Permission denied: 'crls.d'
etc/crypttab: open: [Errno 13] Permission denied: 'crypttab'g/pubring.gpg
etc/audit/plugins.d: dir_open: [Errno 13] Permission denied: 'plugins.d'
etc/audit/audisp-filter.conf: open: [Errno 13] Permission denied: 'audisp-filter.conf'
etc/audit/audisp-remote.conf: open: [Errno 13] Permission denied: 'audisp-remote.conf'
etc/audit/zos-remote.conf: open: [Errno 13] Permission denied: 'zos-remote.conf'
etc/default/useradd: open: [Errno 13] Permission denied: 'useradd'
etc/credstore: dir_open: [Errno 13] Permission denied: 'credstore'st-source/README
etc/credstore.encrypted: dir_open: [Errno 13] Permission denied: 'credstore.encrypted'
etc/.pwd.lock: open: [Errno 13] Permission denied: '.pwd.lock'
etc/sudoers: open: [Errno 13] Permission denied: 'sudoers'
etc/sudoers.d: dir_open: [Errno 13] Permission denied: 'sudoers.d'
etc/polkit-1/rules.d: dir_open: [Errno 13] Permission denied: 'rules.d'
etc/NetworkManager/system-connections: dir_open: [Errno 13] Permission denied: 'system-connections'
etc/ssh/ssh_host_rsa_key: open: [Errno 13] Permission denied: 'ssh_host_rsa_key'
etc/ssh/ssh_host_ecdsa_key: open: [Errno 13] Permission denied: 'ssh_host_ecdsa_key'
etc/ssh/ssh_host_ed25519_key: open: [Errno 13] Permission denied: 'ssh_host_ed25519_key'
etc/brlapi.key: open: [Errno 13] Permission denied: 'brlapi.key'
etc/snapper/configs/root: open: [Errno 13] Permission denied: 'root'
etc/snapper/configs/home: open: [Errno 13] Permission denied: 'home'
etc/libaudit.conf: open: [Errno 13] Permission denied: 'libaudit.conf'
etc/ipsec.d/private: dir_open: [Errno 13] Permission denied: 'private'
etc/ipsec.secrets: open: [Errno 13] Permission denied: 'ipsec.secrets'
etc/swanctl/bliss: dir_open: [Errno 13] Permission denied: 'bliss'
etc/swanctl/ecdsa: dir_open: [Errno 13] Permission denied: 'ecdsa'
etc/swanctl/pkcs12: dir_open: [Errno 13] Permission denied: 'pkcs12'
etc/swanctl/pkcs8: dir_open: [Errno 13] Permission denied: 'pkcs8'
etc/swanctl/private: dir_open: [Errno 13] Permission denied: 'private'
etc/swanctl/rsa: dir_open: [Errno 13] Permission denied: 'rsa'
etc/swanctl/swanctl.conf: open: [Errno 13] Permission denied: 'swanctl.conf'
etc/ppp/chap-secrets: open: [Errno 13] Permission denied: 'chap-secrets'
etc/ppp/eaptls-client: open: [Errno 13] Permission denied: 'eaptls-client'
etc/ppp/eaptls-server: open: [Errno 13] Permission denied: 'eaptls-server'
etc/ppp/pap-secrets: open: [Errno 13] Permission denied: 'pap-secrets'
etc/gshadow: open: [Errno 13] Permission denied: 'gshadow'
etc/shadow: open: [Errno 13] Permission denied: 'shadow'
etc/gshadow-: open: [Errno 13] Permission denied: 'gshadow-'
etc/shadow-: open: [Errno 13] Permission denied: 'shadow-'
usr/share/factory/etc/crypttab: open: [Errno 13] Permission denied: 'crypttab'ICENCE.qat_firmware
usr/share/factory/etc/gshadow: open: [Errno 13] Permission denied: 'gshadow'
usr/share/factory/etc/shadow: open: [Errno 13] Permission denied: 'shadow'
usr/share/factory/etc/audit/plugins.d: dir_open: [Errno 13] Permission denied: 'plugins.d'
usr/share/factory/etc/audit/audisp-filter.conf: open: [Errno 13] Permission denied: 'audisp-filter.conf'
usr/share/factory/etc/audit/audisp-remote.conf: open: [Errno 13] Permission denied: 'audisp-remote.conf'
usr/share/factory/etc/audit/zos-remote.conf: open: [Errno 13] Permission denied: 'zos-remote.conf'
usr/share/factory/etc/libaudit.conf: open: [Errno 13] Permission denied: 'libaudit.conf'
usr/share/secureboot: dir_open: [Errno 13] Permission denied: 'secureboot'.qm
usr/bin/groupmems: open: [Errno 13] Permission denied: 'groupmems'
usr/lib/dbus-1.0/dbus-daemon-launch-helper: open: [Errno 13] Permission denied: 'dbus-daemon-launch-helper'
usr/lib/ssh/ssh-keysign: open: [Errno 13] Permission denied: 'ssh-keysign'
root: dir_open: [Errno 13] Permission denied: 'root'tudio-code/LICENSES.chromium.html
efi/EFI/Linux/arch-linux.efi: open: [Errno 13] Permission denied: 'arch-linux.efi'
efi/EFI/Linux/arch-linux-fallback.efi: open: [Errno 13] Permission denied: 'arch-linux-fallback.efi'
------------------------------------------------------------------------------
Repository: ssh://REMOTEBORGSERVER/./root_backup
Archive name: root-963-2024-05-08T16:00:10
Archive fingerprint: ARCHIVEFINGERPRINT
Time (start): Wed, 2024-05-08 19:00:10
Time (end):   Wed, 2024-05-08 19:05:53
Duration: 5 minutes 43.94 seconds
Number of files: 182208
Utilization of max. archive size: 0%
------------------------------------------------------------------------------
                       Original size      Compressed size    Deduplicated size
This archive:               12.09 GB              6.71 GB              6.44 GB
All archives:               12.09 GB              6.71 GB              6.44 GB

                       Unique chunks         Total chunks
Chunk index:                  163296               176398
------------------------------------------------------------------------------

Backup results:
OK     root
$ borg prune --list --keep-monthly 0 --keep-last 1 --keep-daily 1 --keep-hourly 0 --keep-weekly 1 --keep-yearly 0 REMOTEBORGSERVER:root_backup
Keeping archive (rule: secondly #1):     root-963-2024-05-08T16:00:10         Wed, 2024-05-08 19:00:10 [ef343f7b4cc36c5698f8192be39972e1b885a5d4cb2fc4ef5bb4c39811fd65a2]

I did this, according to the arch wiki, here's the otuput for the rights of the /.snapshots dir:

➜ stat -c "%U:%G" /.snapshots                                                                                                                                     
root:users
➜ ls -ld /.snapshots                                                                                                                                               
drwxr-xr-x - root  8 May 16:00  /.snapshots/
➜ getent group users                                                                                                                                                  
users:x:984:MYLINUXUSER

Here's also output of my /etc/fstab:

➜ grep /.snapshots /etc/fstab                                                                                                                                        
UUID=51df61b9-3de6-420c-88d6-83fa74eeca1b       /.snapshots     btrfs           rw,relatime,ssd,discard=async,space_cache=v2,subvol=/@snapshots 0 0
enzingerm commented 5 months ago

My first guess would be that the user you run snapborg with doesn't have enough permissions to read those files displayed in the error messages. Even if you can read /.snapshots it doesn't mean you can read all the way through to every file deep down in the file system hierarchy. Maybe you have to run the command via sudo, as a different user or give your user the relevant permissions.

karamanliev commented 5 months ago

Yeah, I copied the ssh keys and config from my user to the root and running snapborg with sudo works as expected.

Is using snapborg to backup the system snapshots intended use of the tool and is it a normal behavior to have these permission issues, or I messed something while configuring snapper, snap-pac and etc? I guess when I enable the systemctl timers, they are run with elevated privileges, therefor there won't be errors?

enzingerm commented 4 months ago

The systemd timers/units are run with root privileges, so that would be an option. I for myself am using snapborg only on servers, also with root privileges. If you want to backup system snapshots I think you will need to opt for one of these methods. Let's see it like this: If your user doesn't have permissions to access specific files, why should your backup solution, run by the same exact user, have those permissions?

karamanliev commented 4 months ago

Thank you very much for your input!

I've tested the systemd timer while following the journalctl logs and there were no errors. After the backups were done I mounted one of them to check the permissions and everything seemed as is.