search

openSUSE / snapper

Manage filesystem snapshots and allow undo of system modifications
http://snapper.io/
GNU General Public License v2.0
849 stars 122 forks source link

using snapper with samba and vfs_snapper #917

Open stefangweichinger opened 1 week ago

stefangweichinger commented 1 week ago

I try to set up snapper for providing snapshots to be used with the samba vfs_snapper module ( https://www.samba.org/samba/docs/current/man-html/vfs_snapper.8.html )

The server is a debian-12.5 box, using snapper-0.10.4

I have these btrfs-subvolumes related to the samba-share:

# btrfs su li .
ID 256 gen 3051 top level 5 path samba
ID 257 gen 3858 top level 256 path samba/daten
ID 475 gen 3859 top level 257 path .snapshots
ID 476 gen 3859 top level 475 path .snapshots/1/snapshot

# mount
/dev/sda on /mnt/pool1/samba type btrfs (rw,relatime,ssd,space_cache=v2,subvolid=256,subvol=/samba)

# smb.conf share
[Daten]
comment = Samba Daten
path = /mnt/pool1/samba/daten
#veto files = ./.snapshots
vfs objects = acl_xattr snapper
writable = yes
browseable = yes

The snapper-config contains:

SUBVOLUME="/mnt/pool1/samba/daten"
FSTYPE="btrfs"

# users and groups allowed to work with config
ALLOW_USERS=sgw
ALLOW_GROUPS=domain\ admins domain\ users root

# sync users and groups from ALLOW_USERS and ALLOW_GROUPS to .snapshots
# directory
SYNC_ACL="yes"

snapper creates snapshots but:

2024-06-19 14:14:42 MIL libsnapper(253871) snapperd.cc(main):283 - Requesting DBus name
2024-06-19 14:14:42 MIL libsnapper(253871) snapperd.cc(main):298 - Loading snapper configs
2024-06-19 14:14:42 MIL libsnapper(253871) Snapper.cc(getConfigs):299 - Snapper get-configs
2024-06-19 14:14:42 MIL libsnapper(253871) Snapper.cc(getConfigs):300 - libsnapper version 0.10.4
2024-06-19 14:14:42 MIL libsnapper(253871) AsciiFile.cc(reload):922 - loading file /etc/default/snapper
2024-06-19 14:14:42 MIL libsnapper(253871) AsciiFile.cc(get_value):1078 - key:SNAPPER_CONFIGS value:samba_daten
2024-06-19 14:14:42 MIL libsnapper(253871) AsciiFile.cc(reload):922 - loading file /etc/snapper/configs/samba_daten
2024-06-19 14:14:42 MIL libsnapper(253871) AsciiFile.cc(get_value):1078 - key:SUBVOLUME value:/mnt/pool1/samba/daten
2024-06-19 14:14:42 MIL libsnapper(253871) snapperd.cc(main):311 - Listening for method calls and signals
2024-06-19 14:14:42 MIL libsnapper(253871) Snapper.cc(Snapper):95 - Snapper constructor
2024-06-19 14:14:42 MIL libsnapper(253871) Snapper.cc(Snapper):96 - libsnapper version 0.10.4
2024-06-19 14:14:42 MIL libsnapper(253871) Snapper.cc(Snapper):97 - config_name:samba_daten disable_filters:false
2024-06-19 14:14:42 MIL libsnapper(253871) AsciiFile.cc(reload):922 - loading file /etc/snapper/configs/samba_daten
2024-06-19 14:14:42 MIL libsnapper(253871) AsciiFile.cc(get_value):1078 - key:SUBVOLUME value:/mnt/pool1/samba/daten
2024-06-19 14:14:42 MIL libsnapper(253871) AsciiFile.cc(get_value):1078 - key:FSTYPE value:btrfs
2024-06-19 14:14:42 MIL libsnapper(253871) AsciiFile.cc(get_value):1078 - key:QGROUP value:
2024-06-19 14:14:42 MIL libsnapper(253871) AsciiFile.cc(get_value):1078 - key:SYNC_ACL value:yes
2024-06-19 14:14:42 MIL libsnapper(253871) Snapper.cc(Snapper):130 - subvolume:/mnt/pool1/samba/daten filesystem:btrfs
2024-06-19 14:14:42 MIL libsnapper(253871) Snapper.cc(loadIgnorePatterns):204 - number of ignore patterns:8
2024-06-19 14:14:42 MIL libsnapper(253871) Snapshot.cc(read):288 - found 2 snapshots
2024-06-19 14:14:42 WAR libsnapper(253871) FileUtils.cc(SDir):91 - THROW: open failed path:/mnt/pool1/samba/daten/.snapshots/2 errno:2 (No such file or directory)
2024-06-19 14:14:42 WAR libsnapper(253871) Btrfs.cc(checkSnapshot):482 - CAUGHT: open failed path:/mnt/pool1/samba/daten/.snapshots/2 errno:2 (No such file or directory)
2024-06-19 14:14:46 WAR libsnapper(253871) FileUtils.cc(SDir):66 - THROW: open failed path:/usr/lib/snapper/plugins errno:2 (No such file or directory)
2024-06-19 14:14:46 WAR libsnapper(253871) Hooks.cc(run_scripts):64 - CAUGHT: open failed path:/usr/lib/snapper/plugins errno:2 (No such file or directory)

why does it warn?

# /mnt/pool1/samba/daten/.snapshots# ls -la
total 8
drwxr-x---+ 1 root   root           4 Jun 19 14:14 .
drwxrwx---  1 nobody domain users 478 Apr 15 08:01 ..
drwxr-xr-x  1 root   root          32 Jun 19 14:01 1
drwxr-xr-x  1 root   root          32 Jun 19 14:14 2

In windows there are no "previous versions" shown. I assume this is related to the ACLs/permissions ... so I would like to know why snapper doesn't apply them or what I can do to allow this.

I know this crosses multiple layers, I already asked on the samba-ML as well. Thanks for any help ... thanks for your work.

ddiss commented 1 week ago

I'll leave the Snapper log for somebody more knowledgeable to look at.

to me it seems that no ACLs are applied: ... drwxr-x---+ 1 root root 4 Jun 19 14:14 .

The + here indicates that an ACL is present. getfactl should tell you whether the .snapshots directory carries ALLOW_GROUPS entries.

In windows there are no "previous versions" shown

One thing to keep in mind is that Windows Explorer will only show Previous Versions for file snapshots with unique modification-time values. If all snapshots of a file have the same mtime as the file in the base share then no snapshots will be shown in the Previous Versions list.

stefangweichinger commented 1 week ago 
# /mnt/pool1/samba/daten# getfacl .snapshots/
# file: .snapshots/
# owner: root
# group: root
user::rwx
group::r-x
mask::r-x
other::---

Doesn't look as intended ;-)

ddiss commented 1 week ago 
# /mnt/pool1/samba/daten# getfacl .snapshots/
# file: .snapshots/
# owner: root
# group: root
user::rwx
group::r-x
mask::r-x
other::---

Doesn't look as intended ;-)

Indeed, assuming your Samba users are mapped to domain admins or domain users (without a domain prefix: is winbind use default domain configured?) this will block access. I'm don't know why snapper isn't correctly processing ALLOW_GROUPS here.

aschnell commented 1 week ago

Is snapper compiled with xattrs support? Please check with using snapper debug.

stefangweichinger commented 1 week ago

Yes:

# snapper debug
server:
    pid:260597
clients:
    name:':1.53754', uid:0, myself
backgrounds:
meta-snappers:
    name:'samba_daten'
compile options:
    version 0.10.4
    flags btrfs,lvm,no-ext4,xattrs,rollback,btrfs-quota,no-selinux

Ad other q: 

winbind use default domain = Yes

Maybe I miss some library or package or so.

Although I see the domain users and groups when I use "ls" for example: the files in the shared directory belong to AD users/groups.

The snapper log entries look strange to me but I don't see what to change.

2024-06-20 07:00:00 MIL libsnapper(260269) Snapper.cc(Snapper):96 - libsnapper version 0.10.4
2024-06-20 07:00:00 MIL libsnapper(260269) Snapper.cc(Snapper):97 - config_name:samba_daten disable_filters:false
2024-06-20 07:00:00 MIL libsnapper(260269) AsciiFile.cc(reload):922 - loading file /etc/snapper/configs/samba_daten
2024-06-20 07:00:00 MIL libsnapper(260269) AsciiFile.cc(get_value):1078 - key:SUBVOLUME value:/mnt/pool1/samba/daten
2024-06-20 07:00:00 MIL libsnapper(260269) AsciiFile.cc(get_value):1078 - key:FSTYPE value:btrfs
2024-06-20 07:00:00 MIL libsnapper(260269) AsciiFile.cc(get_value):1078 - key:QGROUP value:
2024-06-20 07:00:00 MIL libsnapper(260269) AsciiFile.cc(get_value):1078 - key:SYNC_ACL value:yes
2024-06-20 07:00:00 MIL libsnapper(260269) Snapper.cc(Snapper):130 - subvolume:/mnt/pool1/samba/daten filesystem:btrfs
2024-06-20 07:00:00 MIL libsnapper(260269) Snapper.cc(loadIgnorePatterns):204 - number of ignore patterns:8
2024-06-20 07:00:00 MIL libsnapper(260269) Snapshot.cc(read):288 - found 19 snapshots
2024-06-20 07:00:00 WAR libsnapper(260269) FileUtils.cc(SDir):91 - THROW: open failed path:/mnt/pool1/samba/daten/.snapshots/19 errno:2 (No such file or directory)
2024-06-20 07:00:00 WAR libsnapper(260269) Btrfs.cc(checkSnapshot):482 - CAUGHT: open failed path:/mnt/pool1/samba/daten/.snapshots/19 errno:2 (No such file or directory)
2024-06-20 07:00:00 WAR libsnapper(260269) FileUtils.cc(SDir):66 - THROW: open failed path:/usr/lib/snapper/plugins errno:2 (No such file or directory)
2024-06-20 07:00:00 WAR libsnapper(260269) Hooks.cc(run_scripts):64 - CAUGHT: open failed path:/usr/lib/snapper/plugins errno:2 (No such file or directory)
2024-06-20 07:00:30 MIL libsnapper(260269) Snapper.cc(~Snapper):142 - Snapper destructor
2024-06-20 07:01:00 MIL libsnapper(260269) snapperd.cc(main):315 - Exiting
2024-06-20 07:52:00 MIL libsnapper(260597) snapperd.cc(main):283 - Requesting DBus name
2024-06-20 07:52:00 MIL libsnapper(260597) snapperd.cc(main):298 - Loading snapper configs
2024-06-20 07:52:00 MIL libsnapper(260597) Snapper.cc(getConfigs):299 - Snapper get-configs
2024-06-20 07:52:00 MIL libsnapper(260597) Snapper.cc(getConfigs):300 - libsnapper version 0.10.4
2024-06-20 07:52:00 MIL libsnapper(260597) AsciiFile.cc(reload):922 - loading file /etc/default/snapper
2024-06-20 07:52:00 MIL libsnapper(260597) AsciiFile.cc(get_value):1078 - key:SNAPPER_CONFIGS value:samba_daten
2024-06-20 07:52:00 MIL libsnapper(260597) AsciiFile.cc(reload):922 - loading file /etc/snapper/configs/samba_daten
2024-06-20 07:52:00 MIL libsnapper(260597) AsciiFile.cc(get_value):1078 - key:SUBVOLUME value:/mnt/pool1/samba/daten
2024-06-20 07:52:00 MIL libsnapper(260597) snapperd.cc(main):311 - Listening for method calls and signals
2024-06-20 07:53:00 MIL libsnapper(260597) snapperd.cc(main):315 - Exiting

And as long as the snapshots aren't created correctly, vfs_snapper can't display them correctly, I assume.

aschnell commented 1 week ago

Place the values for ALLOW_* in quotes and check with '''snapper get-config'''.

stefangweichinger commented 1 week ago

Did so.

The config is "samba_daten".

Getting:

# grep ALLO samba_daten
ALLOW_USERS="sgw"
ALLOW_GROUPS="domain\ admins domain\ users"

# snapper get-config samba_daten 
The config 'root' does not exist. Likely snapper is not configured.
See 'man snapper' for further instructions.

What do I miss? Another config called root ? thanks!

aschnell commented 1 week ago

If the config is not root you have to provide the name like snapper -c samba_daten get-config.

stefangweichinger commented 1 week ago

Ah, sorry, my mistake.

OK, looks like this:

# snapper -c samba_daten get-config
Key                    | Value                       
-----------------------+-----------------------------
ALLOW_GROUPS           | domain\ admins domain\ users
ALLOW_USERS            | sgw             
BACKGROUND_COMPARISON  | yes                         
EMPTY_PRE_POST_CLEANUP | yes                         
EMPTY_PRE_POST_MIN_AGE | 1800                        
FREE_LIMIT             | 1.2                         
FSTYPE                 | btrfs                       
NUMBER_CLEANUP         | yes                         
NUMBER_LIMIT           | 50                          
NUMBER_LIMIT_IMPORTANT | 10                          
NUMBER_MIN_AGE         | 1800                        
QGROUP                 |                             
SPACE_LIMIT            | 1.5                         
SUBVOLUME              | /mnt/pool1/samba/daten      
SYNC_ACL               | yes                         
TIMELINE_CLEANUP       | yes                         
TIMELINE_CREATE        | yes                         
TIMELINE_LIMIT_DAILY   | 10                          
TIMELINE_LIMIT_HOURLY  | 10                          
TIMELINE_LIMIT_MONTHLY | 10                          
TIMELINE_LIMIT_WEEKLY  | 0                           
TIMELINE_LIMIT_YEARLY  | 10                          
TIMELINE_MIN_AGE       | 1800

new snapshots still belong to "root:root", no ACLs:

# getfacl /mnt/pool1/samba/daten/.snapshots/24
getfacl: Removing leading '/' from absolute path names
# file: mnt/pool1/samba/daten/.snapshots/24
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
aschnell commented 1 week ago

Try snapper -c samba_daten ls. The ACLs are only synced during some commands.

stefangweichinger commented 1 week ago

@aschnell thanks, tried. Takes quite a while, I see no difference. Is it correct to look at this path:

# getfacl /mnt/pool1/samba/daten/.snapshots/26
getfacl: Removing leading '/' from absolute path names
# file: mnt/pool1/samba/daten/.snapshots/26
# owner: root
# group: root
user::rwx
group::r-x
other::r-x

?

aschnell commented 1 week ago

AFIAR you should look at /mnt/pool1/samba/daten/.snapshots.

stefangweichinger commented 1 week ago

Looks promising:

# getfacl /mnt/pool1/samba/daten/.snapshots
getfacl: Removing leading '/' from absolute path names
# file: mnt/pool1/samba/daten/.snapshots
# owner: root
# group: root
user::rwx
user:sgw:r-x
group::r-x
group:domain\040admins:r-x
group:domain\040users:r-x
mask::r-x
other::---

I mailed their admin to look into "previous versions" now (I don't have a domain member PC at hand right now).

stefangweichinger commented 1 week ago

Side question: do I have to exclude ".snapshots" from snapper somehow? just wondering if it would snapshot the snapshots (I assume it does NOT as it is a separate subvolume etc). Thanks!

ddiss commented 1 week ago

Side question: do I have to exclude ".snapshots" from snapper somehow? just wondering if it would snapshot the snapshots (I assume it does NOT as it is a separate subvolume etc). Thanks!

There's no need - Btrfs snapshots aren't recursive, so the nested .snapshots directory can be ignored.

stefangweichinger commented 1 week ago

The windows system sees snapshots, but without content. The underlying linux-fs (btrfs) shows snapshots with content.

I assume the actual snapshot might also need the ACLs applied?

# getfacl /mnt/pool1/samba/daten/.snapshots/30
getfacl: Removing leading '/' from absolute path names
# file: mnt/pool1/samba/daten/.snapshots/30
# owner: root
# group: root
user::rwx
group::r-x
other::r-x

737 seems to be the issue

ddiss commented 1 week ago

The snapshot should carry the same permissions as the base share, i.e. if the Samba users have access to the base share for I/O then they should also (with an appropriate .snapshots ACL) have permission to view previous versions. Did you confirm differing modification-times between base and snapshots, as discussed earlier? Feel free to raise a bugzilla.samba.org ticket if you think the issue is now samba/vfs_snapper related.

stefangweichinger commented 1 week ago

Look at this. Sounds familiar.