Snapshot fails due to wrong storage path

kenphused · June 29, 2022, 6:36pm

Command: lxc snapshot dse-t76548-dc1-1s test

Error: Create instance snapshot: Failed to run: rsync -a -HA --sparse --devices --delete --checksum --numeric-ids --xattrs --filter=-x security.selinux -q /var/snap/lxd/common/lxd/storage-pools/3tb/containers/dse-t76548-dc1-1s/ /var/snap/lxd/common/lxd/storage-pools/3tb/containers-snapshots/dse-t76548-dc1-1s/test: rsync: rsync_xal_set: lremovexattr("/var/snap/lxd/common/lxd/storage-pools/3tb/containers-snapshots/dse-t76548-dc1-1s/test/rootfs/var/log/journal/.system.journal.hcz3P1",“trusted.SGI_ACL_FILE”) failed: No data available (61) rsync error: some files/attrs were not transferred (see previous errors) (code 23) at main.c(1207) [sender=3.1.3]

Observation: The rsync command is using the source path of /var/snap/lxd/common/lxd/storage-pools/3tb which does not exist. The 3tb storage pool directory is: /data/lxd-storage. If I run the rsync command using the correct source path, the command works as expected. My hypothesis is that snapshots is incorrectly assembling the source path and the rsync command fails.

root@big-lab]# lxc storage list
+---------+--------+------------------------------------------------+-------------+---------+---------+
|  NAME   | DRIVER |                     SOURCE                     | DESCRIPTION | USED BY |  STATE  |
+---------+--------+------------------------------------------------+-------------+---------+---------+
| 3tb     | dir    | /data/lxd-storage                              |             | 11      | CREATED |
+---------+--------+------------------------------------------------+-------------+---------+---------+
| default | dir    | /var/snap/lxd/common/lxd/storage-pools/default |             | 0       | CREATED |
+---------+--------+------------------------------------------------+-------------+---------+---------+

When I run: lxd sql global .dump | egrep storage_pools | egrep "3tb|default"
It looks like the path from above the storage list did not make it to the storage_pools_config table (but default did).

INSERT INTO storage_pools VALUES(2,'default','dir','',1);
INSERT INTO storage_pools VALUES(4,'3tb','dir','3TB Drive',1);
INSERT INTO storage_pools_config VALUES(2,2,1,'source','/var/snap/lxd/common/lxd/storage-pools/default');

LXC/LXD versions (error in both versions: 5.2 & 5.3)

[root@big-lab]# cat /etc/redhat-release
Rocky Linux release 8.6 (Green Obsidian)

[root@big-lab]# rsync --version
rsync version 3.1.3 protocol version 31

/data is an xfs file system

tomp · June 30, 2022, 12:20pm

Hi,

So I think there is a bit of a misunderstanding here. The path being used is not incorrect.
What happens is that the specified source path /data/lxd-storage is bind mounted (in the snap package’s mount namespace) to LXD’s /var/snap/lxd/common/lxd/storage-pools/3tb path. So the rsync behaviour you are seeing is correct.

The question that needs answering is why is rsync failing to transfer some of the file/attrs of your instance.

tomp · June 30, 2022, 12:23pm

Perhaps the underlying filesystem does not support extended attributes or something like selinux is blocking it? Are you able to remove that file and try the snapshot again?

tomp · June 30, 2022, 12:32pm

Sounds similar to this:

github.com/lxc/lxd

zfs to lvm transfer failure

opened 10:16PM - 01 Jul 20 UTC

closed 05:00PM - 03 Jul 20 UTC

Delurkdotcom

Incomplete

# Required information * Distribution: CENTOS * Distribution version: 8.2 * The output of "lxc info" or if that fails: config: core.https_address: '[::]:8443' core.trust_password: true api_extensions: - storage_zfs_remove_snapshots - container_host_shutdown_timeout - container_stop_priority - container_syscall_filtering - auth_pki - container_last_used_at - etag - patch - usb_devices - https_allowed_credentials - image_compression_algorithm - directory_manipulation - container_cpu_time - storage_zfs_use_refquota - storage_lvm_mount_options - network - profile_usedby - container_push - container_exec_recording - certificate_update - container_exec_signal_handling - gpu_devices - container_image_properties - migration_progress - id_map - network_firewall_filtering - network_routes - storage - file_delete - file_append - network_dhcp_expiry - storage_lvm_vg_rename - storage_lvm_thinpool_rename - network_vlan - image_create_aliases - container_stateless_copy - container_only_migration - storage_zfs_clone_copy - unix_device_rename - storage_lvm_use_thinpool - storage_rsync_bwlimit - network_vxlan_interface - storage_btrfs_mount_options - entity_description - image_force_refresh - storage_lvm_lv_resizing - id_map_base - file_symlinks - container_push_target - network_vlan_physical - storage_images_delete - container_edit_metadata - container_snapshot_stateful_migration - storage_driver_ceph - storage_ceph_user_name - resource_limits - storage_volatile_initial_source - storage_ceph_force_osd_reuse - storage_block_filesystem_btrfs - resources - kernel_limits - storage_api_volume_rename - macaroon_authentication - network_sriov - console - restrict_devlxd - migration_pre_copy - infiniband - maas_network - devlxd_events - proxy - network_dhcp_gateway - file_get_symlink - network_leases - unix_device_hotplug - storage_api_local_volume_handling - operation_description - clustering - event_lifecycle - storage_api_remote_volume_handling - nvidia_runtime - container_mount_propagation - container_backup - devlxd_images - container_local_cross_pool_handling - proxy_unix - proxy_udp - clustering_join - proxy_tcp_udp_multi_port_handling - network_state - proxy_unix_dac_properties - container_protection_delete - unix_priv_drop - pprof_http - proxy_haproxy_protocol - network_hwaddr - proxy_nat - network_nat_order - container_full - candid_authentication - backup_compression - candid_config - nvidia_runtime_config - storage_api_volume_snapshots - storage_unmapped - projects - candid_config_key - network_vxlan_ttl - container_incremental_copy - usb_optional_vendorid - snapshot_scheduling - container_copy_project - clustering_server_address - clustering_image_replication - container_protection_shift - snapshot_expiry - container_backup_override_pool - snapshot_expiry_creation - network_leases_location - resources_cpu_socket - resources_gpu - resources_numa - kernel_features - id_map_current - event_location - storage_api_remote_volume_snapshots - network_nat_address - container_nic_routes - rbac - cluster_internal_copy - seccomp_notify - lxc_features - container_nic_ipvlan - network_vlan_sriov - storage_cephfs - container_nic_ipfilter - resources_v2 - container_exec_user_group_cwd - container_syscall_intercept - container_disk_shift - storage_shifted - resources_infiniband - daemon_storage - instances - image_types - resources_disk_sata - clustering_roles - images_expiry - resources_network_firmware - backup_compression_algorithm - ceph_data_pool_name - container_syscall_intercept_mount - compression_squashfs - container_raw_mount - container_nic_routed - container_syscall_intercept_mount_fuse - container_disk_ceph - virtual-machines - image_profiles - clustering_architecture - resources_disk_id - storage_lvm_stripes - vm_boot_priority - unix_hotplug_devices - api_filtering - instance_nic_network - clustering_sizing - firewall_driver - projects_limits - container_syscall_intercept_hugetlbfs - limits_hugepages - container_nic_routed_gateway - projects_restrictions - custom_volume_snapshot_expiry - volume_snapshot_scheduling - trust_ca_certificates - snapshot_disk_usage - clustering_edit_roles - container_nic_routed_host_address - container_nic_ipvlan_gateway - resources_usb_pci - resources_cpu_threads_numa - resources_cpu_core_die - api_os - container_nic_routed_host_table - container_nic_ipvlan_host_table - container_nic_ipvlan_mode - resources_system - images_push_relay - network_dns_search - container_nic_routed_limits - instance_nic_bridged_vlan - network_state_bond_bridge - usedby_consistency api_status: stable api_version: "1.0" auth: trusted public: false auth_methods: - tls environment: addresses: - 172.16.1.4:8443 architectures: - x86_64 - i686 driver: lxc driver_version: 4.0.3 firewall: xtables kernel: Linux kernel_architecture: x86_64 kernel_features: netnsid_getifaddrs: "true" seccomp_listener: "false" seccomp_listener_continue: "false" shiftfs: "false" uevent_injection: "true" unpriv_fscaps: "true" kernel_version: 4.18.0-193.6.3.el8_2.x86_64 lxc_features: cgroup2: "true" mount_injection_file: "true" network_gateway_device_route: "true" network_ipvlan: "true" network_l2proxy: "true" network_phys_macvlan_mtu: "true" network_veth_router: "true" pidfd: "true" seccomp_notify: "true" os_name: CentOS Linux os_version: "8" project: default server: lxd server_clustered: false server_name: P-D1-CENTOS1 server_pid: 1302 server_version: "4.2" storage: lvm | zfs storage_version: 2.02.176(2) (2017-11-03) / 1.02.145 (2017-11-03) / 4.39.0 | 0.8.4-1 * Kernel version: Linux P-D1-CENTOS1 4.18.0-193.6.3.el8_2.x86_64 #1 SMP Wed Jun 10 11:09:32 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux * LXD version: 4.0.3 * Storage backend in use: ZFS # Issue description I'm trying to move CT from a ZFS current backend storage to a LVM new backend storage. # Steps to reproduce 1. Create a LVM storage : lxc storage create pool1b lvm size=100GB 2. Edit the FS : lxc storage set pool1b volume.block.filesystem xfs 2. Moving CT to new storage : lxc move P-D1-TOOLBOX-pool P-D1-TOOLBOX --storage=pool1b --instance-only 3. Fail with this output : rsync: rsync_xal_set: lremovexattr(""/var/snap/lxd/common/lxd/storage-pools/pool1b/containers/P-D1-TOOLBOX1/rootfs/home/user/partage/vid\#303\#251os/Nicky Larson/.S1 EP 06 - La d\#303\#251livrance - Nicky Larson-13615694.mp4.WlvZrs"","security.selinux") failed: Permission denied (13) rsync: write failed on "/var/snap/lxd/common/lxd/storage-pools/pool1b/containers/P-D1-TOOLBOX1/rootfs/home/user/partage/vid\#303\#251os/Nicky Larson/S1 EP 07 - La petite fille sur la balan\#303\#247oire - Nicky Larson-13615695.mp4": No space left on device (28) rsync error: error in file IO (code 11) at receiver.c(393) [receiver=3.1.2] ) Rsync receive failed: /var/snap/lxd/common/lxd/storage-pools/pool1b/containers/P-D1-TOOLBOX1/: [exit status 11] ()] # Information to attach - [ ] Any relevant kernel output (`dmesg`) [ 2448.764038] XFS (dm-4): Mounting V5 Filesystem [ 2448.767053] XFS (dm-4): Ending clean mount [ 2448.784645] XFS (dm-4): Unmounting Filesystem [ 2448.844858] XFS (dm-4): Mounting V5 Filesystem [ 2448.848842] XFS (dm-4): Ending clean mount [ 2450.108082] CPU0: Core temperature above threshold, cpu clock throttled (total events = 13307) [ 2450.108083] CPU2: Core temperature above threshold, cpu clock throttled (total events = 13307) [ 2450.108084] CPU1: Package temperature above threshold, cpu clock throttled (total events = 13307) [ 2450.108085] CPU3: Package temperature above threshold, cpu clock throttled (total events = 13307) [ 2450.108086] CPU2: Package temperature above threshold, cpu clock throttled (total events = 13307) [ 2450.108089] CPU0: Package temperature above threshold, cpu clock throttled (total events = 13307) [ 2450.112002] CPU2: Core temperature/speed normal [ 2450.112003] CPU0: Core temperature/speed normal [ 2450.112004] CPU1: Package temperature/speed normal [ 2450.112005] CPU3: Package temperature/speed normal [ 2450.112005] CPU0: Package temperature/speed normal [ 2450.112007] CPU2: Package temperature/speed normal [ 2753.962062] CPU2: Core temperature above threshold, cpu clock throttled (total events = 18870) [ 2753.962063] CPU0: Core temperature above threshold, cpu clock throttled (total events = 18870) [ 2753.962064] CPU3: Package temperature above threshold, cpu clock throttled (total events = 18870) [ 2753.962066] CPU1: Package temperature above threshold, cpu clock throttled (total events = 18870) [ 2753.962067] CPU0: Package temperature above threshold, cpu clock throttled (total events = 18870) [ 2753.962070] CPU2: Package temperature above threshold, cpu clock throttled (total events = 18870) [ 2753.971074] CPU1: Package temperature/speed normal [ 2753.971075] CPU3: Package temperature/speed normal [ 2753.971101] CPU0: Core temperature/speed normal [ 2753.971101] CPU2: Core temperature/speed normal [ 2753.971103] CPU0: Package temperature/speed normal [ 2753.971104] CPU2: Package temperature/speed normal [ 2784.315644] XFS (dm-4): Unmounting Filesystem - [ ] Container log (`lxc info NAME --show-log`) Name: P-D1-TOOLBOX1-pool Location: none Remote: unix:// Architecture: x86_64 Created: 2020/04/07 09:42 UTC Status: Stopped Type: container Profiles: default Snapshots: s7-smokeping-parametrage (taken at 2019/04/29 14:27 UTC) (stateless) s8-migre-et-ajour (taken at 2020/02/21 09:17 UTC) (stateless) Log: lxc P-D1-TOOLBOX1 20200701135131.250 WARN cgfsng - cgroups/cgfsng.c:mkdir_eexist_on_last:1153 - File exists - Failed to create directory "/sys/fs/cgroup/cpuset//lxc.monitor.P-D1-TOOLBOX1" lxc P-D1-TOOLBOX1 20200701135131.251 WARN cgfsng - cgroups/cgfsng.c:mkdir_eexist_on_last:1153 - File exists - Failed to create directory "/sys/fs/cgroup/cpuset//lxc.payload.P-D1-TOOLBOX1" lxc P-D1-TOOLBOX1 20200701135131.252 ERROR utils - utils.c:lxc_can_use_pidfd:1834 - Kernel does not support pidfds lxc P-D1-TOOLBOX1 20200701135349.795 ERROR commands - commands.c:lxc_cmd_get_init_pidfd_callback:445 - Failed to send init pidfd lxc P-D1-TOOLBOX1 20200701135350.519 WARN cgfsng - cgroups/cgfsng.c:cgfsng_monitor_destroy:1110 - Success - Failed to initialize cpuset /sys/fs/cgroup/cpuset//lxc.pivot/lxc.pivot - [ ] Container configuration (`lxc config show NAME --expanded`) Name: P-D1-TOOLBOX1-pool Location: none Remote: unix:// Architecture: x86_64 Created: 2020/04/07 09:42 UTC Status: Stopped Type: container Profiles: default Snapshots: s7-smokeping-parametrage (taken at 2019/04/29 14:27 UTC) (stateless) s8-migre-et-ajour (taken at 2020/02/21 09:17 UTC) (stateless) Log: lxc P-D1-TOOLBOX1 20200701135131.250 WARN cgfsng - cgroups/cgfsng.c:mkdir_eexist_on_last:1153 - File exists - Failed to create directory "/sys/fs/cgroup/cpuset//lxc.monitor.P-D1-TOOLBOX1" lxc P-D1-TOOLBOX1 20200701135131.251 WARN cgfsng - cgroups/cgfsng.c:mkdir_eexist_on_last:1153 - File exists - Failed to create directory "/sys/fs/cgroup/cpuset//lxc.payload.P-D1-TOOLBOX1" lxc P-D1-TOOLBOX1 20200701135131.252 ERROR utils - utils.c:lxc_can_use_pidfd:1834 - Kernel does not support pidfds lxc P-D1-TOOLBOX1 20200701135349.795 ERROR commands - commands.c:lxc_cmd_get_init_pidfd_callback:445 - Failed to send init pidfd lxc P-D1-TOOLBOX1 20200701135350.519 WARN cgfsng - cgroups/cgfsng.c:cgfsng_monitor_destroy:1110 - Success - Failed to initialize cpuset /sys/fs/cgroup/cpuset//lxc.pivot/lxc.pivot [root@P-D1-CENTOS1 ~]# lxc config show P-D1-TOOLBOX1-pool --expanded architecture: x86_64 config: image.architecture: amd64 image.description: ubuntu 18.04 LTS amd64 (release) (20181029) image.label: release image.os: ubuntu image.release: bionic image.serial: "20181029" image.version: "18.04" volatile.base_image: 30b9f587eb6fb50566f4183240933496d7b787f719aafb4b58e6a341495a38ad volatile.eth0.hwaddr: 00:16:3e:87:2d:a1 volatile.idmap.base: "0" volatile.idmap.current: '[{"Isuid":true,"Isgid":false,"Hostid":1000000,"Nsid":0,"Maprange":1000000000},{"Isuid":false,"Isgid":true,"Hostid":1000000,"Nsid":0,"Maprange":1000000000}]' volatile.idmap.next: '[{"Isuid":true,"Isgid":false,"Hostid":1000000,"Nsid":0,"Maprange":1000000000},{"Isuid":false,"Isgid":true,"Hostid":1000000,"Nsid":0,"Maprange":1000000000}]' volatile.last_state.idmap: '[{"Isuid":true,"Isgid":false,"Hostid":1000000,"Nsid":0,"Maprange":1000000000},{"Isuid":false,"Isgid":true,"Hostid":1000000,"Nsid":0,"Maprange":1000000000}]' volatile.last_state.power: STOPPED devices: eth0: name: eth0 nictype: bridged parent: bridge0 type: nic root: path: / pool: storage1 type: disk ephemeral: false profiles: - default stateful: false description: "" - [ ] Main daemon log (at /var/log/lxd/lxd.log or /var/snap/lxd/common/lxd/logs/lxd.log) t=2020-07-02T00:03:45+0200 lvl=info msg="Creating container" ephemeral=false name=P-D1-TOOLBOX1 project=default t=2020-07-02T00:03:45+0200 lvl=info msg="Created container" ephemeral=false name=P-D1-TOOLBOX1 project=default t=2020-07-02T00:09:21+0200 lvl=info msg="Deleting container" created=2020-07-02T00:03:45+0200 ephemeral=false name=P-D1-TOOLBOX1 project=default used=1970-01-01T01:00:00+0100 t=2020-07-02T00:09:21+0200 lvl=info msg="Deleted container" created=2020-07-02T00:03:45+0200 ephemeral=false name=P-D1-TOOLBOX1 project=default used=1970-01-01T01:00:00+0100 - [ ] Output of the client with --debug - [ ] Output of the daemon with --debug (alternatively output of `lxc monitor` while reproducing the issue)

Which ended up having a fix for selinux:

But in this case it looks like that file has a different extended attribute trusted.SGI_ACL_FILE which is related to XFS. It would be interesting to see if this problem resolves itself by disabling selinux, at least then you’d know its related to selinux.

kenphused · June 30, 2022, 3:58pm

Thank you for the prompt reply.

I disabled selinux in my home lab:

[ken@big-lab ~]$ getenforce
Disabled

[ken@big-lab ~]$ cat /etc/selinux/config 

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected. 
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

I put single quotes around --filter=-x security.selinux and the rsync command worked as expected with the non-snap file path.

If I understand correctly, the /var/snap/lxd/common/lxd/storage-pools/3tb directory should be “linked” to the 3tb storage pool? How can we test that the bind mount works as expected? I looked at the snap mount points in /etc/systemd/system, but that was not informative.

tomp · June 30, 2022, 6:34pm

So does lxc snapshot work with SELINUX disabled (as it sounded like you were running the rsync command manually in your last reply).

You should be able to see the bind mount by running:

sudo nsenter --mount=/run/snapd/ns/lxd.mnt -- mount

Also if it wasn’t working you would get a totally different error than the rsync one you’re getting.

kenphused · July 1, 2022, 7:21pm

It appears the container in question is the only container which errors when creating a snapshot. I created snapshots on every other container without issue. Snapshotting this container was for convenience and not critical.

Thank you very much for the prompt replies and pointers. I agree that the rsync error is a symptom of something other than the storage path being wrong.