PermissionError: [Errno 13] Permission denied: LXD (lxc container)

Hello,

I have a permissions issue with borg and accessing a borg repository in an lxc container.

I’m asking the question here, because this configuration had been working for months and recently has stopped working on an intermittent basis - and right at the moment - is not working.

I’m asking here rather than on the borg forum, as my feeling is that the permissions issue is something to do with the container, rather than the borg configuration (which I have not changed).

The permissions error which is being reported is:

PermissionError: [Errno 13] Permission denied: 'path/Borg_repository/config

So far I have tried:

  • restarting the LXC container
  • restarting the Ubuntu host
  • re-entering all the commands to set up the permissions when I set up the container

I’m wondering what the next troubleshooting step should be?

The only ‘change’ that I can think of is that there have been a number of Ubuntu updates recently.

Thanks

VW

I’ve worked out what the issue is.

As the error indicates above, for some reason, the container cannot access the config file in the repository

The container has access to the repository directory, but not to the config file and perhaps other files as well.

So, I think that I need to reset permissions on all files and folders in the repository

These were the commands that I originally entered to give the container access to the volume that contains the repository

sudo chown lxdclientrw:lxdclientro /media/zen/REAR-000
sudo chmod 750 /media/zen/REAR-000
sudo chmod g+s /media/zen/REAR-000

sudo -s
echo 'root:300:1' >> /etc/subuid

echo -en "uid 300 0\ngid 300 0" | lxc config set Ubuntu-DR6 raw.idmap -

lxc restart Ubuntu-DR6

lxc config device add Ubuntu-DR6 shareddisk disk source=/media/zen/REAR-000 path=/media/zen/REAR-000

lxc exec Ubuntu-DR6 bash

ls -ld /media/zen/REAR-000

The repository resides in a directory under

/media/zen/REAR-000

Hello,

I have tried the following

sudo chmod -R 755 /media/zen/REAR-000/Repository/
chmod: changing permissions of '/media/zen/REAR-000/Repository/nonce': Operation not permitted
chmod: changing permissions of '/media/zen/REAR-000/Repository/config': Operation not permitted

I then tried

sudo chown $USER: /media/zen/REAR-000/Repository/config
chown: changing ownership of '/media/zen/REAR-000/Repository/config': Operation not permitted

@nixcraft

Would appreciate some suggestions of things to try.

I have done some research, but I don’t know what to try next.

Thanks

VW

Have you tried restarting the LXD service?

I’ve tried restarting the host, which would restart the LXD service.

I’ve also tried restarting the lxc container.

Try debug mode.

lxc monitor --type=logging --pretty

This may help Debugging - LXD documentation

@Raj

I think the issue, at least in the first instance, is identifying the command that should be used to reset the permissions on the files that can no longer be accessed.

I’m not sure if the commands that I have been trying are the correct ones.

If they are, then possibly the debug mode may provide some insights.

Is 300 UID/GID correct inside your Ubuntu-DR6 for user?

ct="Ubuntu-DR6"
ct_user="nginx" # change me/set correct user here
u="$(lxc exec "$ct" -- id -u "$ct_user")"
g="$(lxc exec "$ct" -- id -g "$ct_user")"
echo "$u"
echo "$g"

Here’s the output

$ ct="Ubuntu-DR6"
$ ct_user="root"
$ u="$(lxc exec "$ct" -- id -u $ct_user)"
$ g="$(lxc exec "$ct" -- id -g $ct_user)"
$ echo "$u"
0
$ echo "$g"
0
$ 

Should both $u and $g be 300?

I’m reviewing the commands that I originally used to set up the mapping of the shared disk

This was one of the commands

echo -en "uid 300 0\ngid 300 0" | lxc config set Ubuntu-DR6 raw.idmap -

I’m wondering if I made a mistake here, should it have been?

echo -en "uid 300 100\ngid 300 101" | lxc config set Ubuntu-DR6 raw.idmap -

You need a separate user (say nginx or user1 or myapp inside your $ct container) for that. Don’t use the root user. It will create many issues. Then run all your apps or scripts as user1/myapp. Remember that in your old post (How to mount a host directory in an LXC container with write access - #8 by nixcraft) we created a new user named myapp?

I can see now that I didn’t set up the container correctly initially, even though it actually worked for some time.

Let me re-visit the setup.

Thanks

I have now created a container user: zen

with a GID and UID of 1500

I have mapped the container user UID/GID to the host UID/GID of 300

echo -en "uid 300 1500\ngid 300 1500" | lxc config set Ubuntu-DR6 raw.idmap -

Confirmed the mapping from the host

$ ct="Ubuntu-DR6"
$ ct_user="zen"
$ u="$(lxc exec "$ct" -- id -u $ct_user)"
$ g="$(lxc exec "$ct" -- id -g $ct_user)"
$ echo "$u"
1500
$ echo "$g"
1500

However, the container user still has a permissions issue

cat: /media/zen/REAR-000/Repo/config: Permission denied
zen@Ubuntu-DR6:/$ chmod -R 755 /media/zen/REAR-000/Repo/
chmod: changing permissions of '/media/zen/REAR-000/Repo/nonce': Operation not permitted
chmod: changing permissions of '/media/zen/REAR-000/Repo/config': Operation not permitted

I can access the files outside of the container. So this is a container / permissions issue

I worked through this article to try and troubleshoot

sudo lsattr /media/zen/REAR-000/Repo/config
[sudo] password for zen: 
lsattr: Permission denied While reading flags on /media/zen/REAR-000/Repo/config

So, I can’t check the attributes

I can create folders in /media/zen/REAR-000, so I do have write access

I can also create files in /media/zen/REAR-000/Repo, so I have write access to the Repo folder.

There just seems to be some issue with these two files. And separately another file in another folder has the same behaviour.

I’ve managed to fix it by re-doing the following:

sudo chown -R lxdclientrw:lxdclientro /media/zen/REAR-000/Repo
sudo chmod -R 750 /media/zen/REAR-000/Repo
sudo chmod -R g+s /media/zen/REAR-000/Repo
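
A host-side check for the condition this thread ended on, as an added example that is not part of any post: it resolves the host IDs behind a container user from raw.idmap text and lists the entries on the shared disk that neither the mapped UID nor the mapped GID owns. The function names and the embedded idmap sample are assumptions, as is using the mapped host GID as the share's group; ID ranges in raw.idmap are not handled.

```bash
#!/bin/sh
# Added example, not from the thread. POSIX sh, using only find and awk.

# host_id KIND CONTAINER_ID   (raw.idmap text on stdin)
# Prints the host ID that raw.idmap maps to CONTAINER_ID for KIND (uid|gid).
# Only single-ID lines ("uid 300 1500", "both 300 1500") are handled, not ranges.
host_id() {
    awk -v kind="$1" -v cid="$2" '
        ($1 == kind || $1 == "both") && $3 == cid { print $2; found = 1; exit }
        END { exit !found }'
}

# unmapped_files DIR HOST_UID HOST_GID
# Lists entries under DIR whose owner is not HOST_UID and whose group is not
# HOST_GID. The container user reaches those only through the "other" mode
# bits, so with mode 750 every access ends in "Permission denied".
unmapped_files() {
    find "$1" ! -user "$2" ! -group "$3" -print
}

# Constructed sample: the mapping set in the thread for container user zen (1500).
# On the host it would be read with: lxc config get Ubuntu-DR6 raw.idmap
IDMAP='uid 300 1500
gid 300 1500'
SHARE="${1:-/media/zen/REAR-000/Repo}"   # path from the thread, or first argument

hu=$(printf '%s\n' "$IDMAP" | host_id uid 1500) || hu=
hg=$(printf '%s\n' "$IDMAP" | host_id gid 1500) || hg=
if [ -n "$hu" ] && [ -n "$hg" ] && [ -d "$SHARE" ]; then
    echo "entries under $SHARE not owned by host $hu:$hg:"
    unmapped_files "$SHARE" "$hu" "$hg"
fi
```

Run it on the host with enough privilege to traverse the share; any path it prints is one a recursive chown to the mapped owner would bring back into reach of the container user.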