search

oetiker / znapzend

zfs backup with remote capabilities and mbuffer integration.
www.znapzend.org
GNU General Public License v3.0
609 stars 137 forks source link

Solaris: insufficient permission during backup. Can't mount child datasets #559

Closed syswipe closed 2 years ago

syswipe commented 3 years ago

Hi. I tried to setup a backup task with znapzend on Solaris 11.4 and I observe a bit of strange behavior. What exactly I do. I created separate unprivileged user: backup Source host settings:

SRC: data/enc/backup
zfs allow permissions:
Local+Descendent permissions:
        user backup destroy,hold,mount,send,snapshot,userprop
DST: data/enc/backup
zfs allow permissions:
Local+Descendent permissions:
        user backup create,destroy,mount,receive,userprop

also, I added the next extended ACL on the DST host as described in Solaris ZFS documentation:

ls -vd backup
drwxr-xr-x+  2 root     root           2 Sep  6 10:05 backup
     0:user:backup:list_directory/read_data/add_file/write_data
         /add_subdirectory/append_data/execute:file_inherit/dir_inherit
         :allow

Backup plan:

znapzendzetup create --mbuffer=/opt/bin/mbuffer:9000 --recursive SRC '1h=>10min' data/enc/backup DST '1h=>10min' backup@backup-main.domain.local:data/enc/backup

When i run a runonce backup all is OK, but when I created a child dataset on the source I got the next

[Tue Sep  7 04:19:28 2021] [info] znapzend (PID=25303) starting up ...
[Tue Sep  7 04:19:28 2021] [info] refreshing backup plans...
[Tue Sep  7 04:19:30 2021] [info] found a valid backup plan for data/enc/backup...
[Tue Sep  7 04:19:30 2021] [info] znapzend (PID=25303) initialized -- resuming normal operations.
[Tue Sep  7 04:19:30 2021] [debug] snapshot worker for data/enc/backup spawned (25374)
[Tue Sep  7 04:19:30 2021] [info] creating recursive snapshot on data/enc/backup
[Tue Sep  7 04:19:38 2021] [debug] snapshot worker for data/enc/backup done (25374)
[Tue Sep  7 04:19:38 2021] [debug] send/receive worker for data/enc/backup spawned (25999)
[Tue Sep  7 04:19:38 2021] [info] starting work on backupSet data/enc/backup
[Tue Sep  7 04:19:38 2021] [debug] sending snapshots from data/enc/backup to backup@backup-main.domain.local:data/enc/backup
[Tue Sep  7 04:19:38 2021] [debug] receive process on backup-main.domain.local spawned (26061)
[Tue Sep  7 04:19:46 2021] [debug] receive process on backup-main.domain.local done (26061)
[Tue Sep  7 04:19:46 2021] [debug] sending snapshots from data/enc/backup/child to backup@backup-main.domain.local:data/enc/backup/child
cannot open 'data/enc/backup/child': filesystem does not exist
[Tue Sep  7 04:19:47 2021] [debug] receive process on backup-main.domain.local spawned (26532)
cannot mount 'data/enc/backup/child' on '/data/enc/backup/child': Insufficient privileges
cannot mount after receive: mount failed
[Tue Sep  7 04:19:51 2021] [debug] receive process on backup-main.domain.local done (26532)
Mojo::Reactor::Poll: I/O watcher failed:  at /opt/znapzend/lib/Mojo/IOLoop.pm line 23.
[Tue Sep  7 04:19:52 2021] [debug] cleaning up snapshots on backup@backup-main.domain.local:data/enc/backup
[Tue Sep  7 04:19:52 2021] [debug] cleaning up snapshots on backup@backup-main.domain.local:data/enc/backup/child
[Tue Sep  7 04:19:52 2021] [debug] cleaning up snapshots on data/enc/backup
[Tue Sep  7 04:19:52 2021] [debug] cleaning up snapshots on data/enc/backup/child
[Tue Sep  7 04:19:52 2021] [info] done with backupset data/enc/backup in 14 seconds
[Tue Sep  7 04:19:52 2021] [debug] send/receive worker for data/enc/backup done (25999)

The result is: znapzend clears extended ACLs on destination data/enc/backup, so the backup user can't mount subdirs:

ls -ldV /data/enc/backup
drwxr-xr-x   2 root     root           2 Sep  6 10:05 /data/enc/backup
                 owner@:rwxp-DaARWcCos:-------:allow
                 group@:r-x---a-R-c--s:-------:allow
              everyone@:r-x---a-R-c--s:-------:allow

It may prevent child datasets to be backed up.

stale[bot] commented 2 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

jimklimov commented 2 years ago

Hi, regarding ACL's in the destination filesystem (that you applied to files/dirs), these are likely overwritten by the snapshots you received - if they did not have similar ACLs on the source. I am not sure if the same applies to all or some dataset properties (including the "allow" one) - it may be that you'd have to add "receive" and "hold" on the origin as well.

One alternative may be to create a destination dataset where you have applied all the needed inheritable rights for "backup" to manipulate (maybe it and) its children, and then receive regular replications into a child dataset.

stale[bot] commented 2 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.