LXD 5.20: rsync errors with lxc copy and files with NTACLs

[MaxRower]

Required information

• Distribution: Ubuntu 22.04.4 LTS
• Distribution version: Ubuntu 22.04.4 LTS
• The output of "snap list --all lxd core20 core22 core24 snapd":

 Name    Version       Revision  Tracking       Herausgeber  Hinweise
core20  20240227      2264      latest/stable  canonical✓   base,deaktiviert
core20  20240416      2318      latest/stable  canonical✓   base
core22  20240111      1122      latest/stable  canonical✓   base,deaktiviert
core22  20240408      1380      latest/stable  canonical✓   base
lxd     5.12-c63881f  24643     5.20/stable    canonical✓   deaktiviert
lxd     5.20-f3dd836  27049     5.20/stable    canonical✓   -
snapd   2.62          21465     latest/stable  canonical✓   snapd,deaktiviert
snapd   2.63          21759     latest/stable  canonical✓   snapd

• The output of "lxc info" or if that fails:

 config:
  core.https_address: '[::]:8443'
  core.trust_password: true
  images.auto_update_interval: "0"
api_extensions:
- storage_zfs_remove_snapshots
- container_host_shutdown_timeout
- container_stop_priority
- container_syscall_filtering
- auth_pki
- container_last_used_at
- etag
- patch
- usb_devices
- https_allowed_credentials
- image_compression_algorithm
- directory_manipulation
- container_cpu_time
- storage_zfs_use_refquota
- storage_lvm_mount_options
- network
- profile_usedby
- container_push
- container_exec_recording
- certificate_update
- container_exec_signal_handling
- gpu_devices
- container_image_properties
- migration_progress
- id_map
- network_firewall_filtering
- network_routes
- storage
- file_delete
- file_append
- network_dhcp_expiry
- storage_lvm_vg_rename
- storage_lvm_thinpool_rename
- network_vlan
- image_create_aliases
- container_stateless_copy
- container_only_migration
- storage_zfs_clone_copy
- unix_device_rename
- storage_lvm_use_thinpool
- storage_rsync_bwlimit
- network_vxlan_interface
- storage_btrfs_mount_options
- entity_description
- image_force_refresh
- storage_lvm_lv_resizing
- id_map_base
- file_symlinks
- container_push_target
- network_vlan_physical
- storage_images_delete
- container_edit_metadata
- container_snapshot_stateful_migration
- storage_driver_ceph
- storage_ceph_user_name
- resource_limits
- storage_volatile_initial_source
- storage_ceph_force_osd_reuse
- storage_block_filesystem_btrfs
- resources
- kernel_limits
- storage_api_volume_rename
- macaroon_authentication
- network_sriov
- console
- restrict_devlxd
- migration_pre_copy
- infiniband
- maas_network
- devlxd_events
- proxy
- network_dhcp_gateway
- file_get_symlink
- network_leases
- unix_device_hotplug
- storage_api_local_volume_handling
- operation_description
- clustering
- event_lifecycle
- storage_api_remote_volume_handling
- nvidia_runtime
- container_mount_propagation
- container_backup
- devlxd_images
- container_local_cross_pool_handling
- proxy_unix
- proxy_udp
- clustering_join
- proxy_tcp_udp_multi_port_handling
- network_state
- proxy_unix_dac_properties
- container_protection_delete
- unix_priv_drop
- pprof_http
- proxy_haproxy_protocol
- network_hwaddr
- proxy_nat
- network_nat_order
- container_full
- candid_authentication
- backup_compression
- candid_config
- nvidia_runtime_config
- storage_api_volume_snapshots
- storage_unmapped
- projects
- candid_config_key
- network_vxlan_ttl
- container_incremental_copy
- usb_optional_vendorid
- snapshot_scheduling
- snapshot_schedule_aliases
- container_copy_project
- clustering_server_address
- clustering_image_replication
- container_protection_shift
- snapshot_expiry
- container_backup_override_pool
- snapshot_expiry_creation
- network_leases_location
- resources_cpu_socket
- resources_gpu
- resources_numa
- kernel_features
- id_map_current
- event_location
- storage_api_remote_volume_snapshots
- network_nat_address
- container_nic_routes
- rbac
- cluster_internal_copy
- seccomp_notify
- lxc_features
- container_nic_ipvlan
- network_vlan_sriov
- storage_cephfs
- container_nic_ipfilter
- resources_v2
- container_exec_user_group_cwd
- container_syscall_intercept
- container_disk_shift
- storage_shifted
- resources_infiniband
- daemon_storage
- instances
- image_types
- resources_disk_sata
- clustering_roles
- images_expiry
- resources_network_firmware
- backup_compression_algorithm
- ceph_data_pool_name
- container_syscall_intercept_mount
- compression_squashfs
- container_raw_mount
- container_nic_routed
- container_syscall_intercept_mount_fuse
- container_disk_ceph
- virtual-machines
- image_profiles
- clustering_architecture
- resources_disk_id
- storage_lvm_stripes
- vm_boot_priority
- unix_hotplug_devices
- api_filtering
- instance_nic_network
- clustering_sizing
- firewall_driver
- projects_limits
- container_syscall_intercept_hugetlbfs
- limits_hugepages
- container_nic_routed_gateway
- projects_restrictions
- custom_volume_snapshot_expiry
- volume_snapshot_scheduling
- trust_ca_certificates
- snapshot_disk_usage
- clustering_edit_roles
- container_nic_routed_host_address
- container_nic_ipvlan_gateway
- resources_usb_pci
- resources_cpu_threads_numa
- resources_cpu_core_die
- api_os
- container_nic_routed_host_table
- container_nic_ipvlan_host_table
- container_nic_ipvlan_mode
- resources_system
- images_push_relay
- network_dns_search
- container_nic_routed_limits
- instance_nic_bridged_vlan
- network_state_bond_bridge
- usedby_consistency
- custom_block_volumes
- clustering_failure_domains
- resources_gpu_mdev
- console_vga_type
- projects_limits_disk
- network_type_macvlan
- network_type_sriov
- container_syscall_intercept_bpf_devices
- network_type_ovn
- projects_networks
- projects_networks_restricted_uplinks
- custom_volume_backup
- backup_override_name
- storage_rsync_compression
- network_type_physical
- network_ovn_external_subnets
- network_ovn_nat
- network_ovn_external_routes_remove
- tpm_device_type
- storage_zfs_clone_copy_rebase
- gpu_mdev
- resources_pci_iommu
- resources_network_usb
- resources_disk_address
- network_physical_ovn_ingress_mode
- network_ovn_dhcp
- network_physical_routes_anycast
- projects_limits_instances
- network_state_vlan
- instance_nic_bridged_port_isolation
- instance_bulk_state_change
- network_gvrp
- instance_pool_move
- gpu_sriov
- pci_device_type
- storage_volume_state
- network_acl
- migration_stateful
- disk_state_quota
- storage_ceph_features
- projects_compression
- projects_images_remote_cache_expiry
- certificate_project
- network_ovn_acl
- projects_images_auto_update
- projects_restricted_cluster_target
- images_default_architecture
- network_ovn_acl_defaults
- gpu_mig
- project_usage
- network_bridge_acl
- warnings
- projects_restricted_backups_and_snapshots
- clustering_join_token
- clustering_description
- server_trusted_proxy
- clustering_update_cert
- storage_api_project
- server_instance_driver_operational
- server_supported_storage_drivers
- event_lifecycle_requestor_address
- resources_gpu_usb
- clustering_evacuation
- network_ovn_nat_address
- network_bgp
- network_forward
- custom_volume_refresh
- network_counters_errors_dropped
- metrics
- image_source_project
- clustering_config
- network_peer
- linux_sysctl
- network_dns
- ovn_nic_acceleration
- certificate_self_renewal
- instance_project_move
- storage_volume_project_move
- cloud_init
- network_dns_nat
- database_leader
- instance_all_projects
- clustering_groups
- ceph_rbd_du
- instance_get_full
- qemu_metrics
- gpu_mig_uuid
- event_project
- clustering_evacuation_live
- instance_allow_inconsistent_copy
- network_state_ovn
- storage_volume_api_filtering
- image_restrictions
- storage_zfs_export
- network_dns_records
- storage_zfs_reserve_space
- network_acl_log
- storage_zfs_blocksize
- metrics_cpu_seconds
- instance_snapshot_never
- certificate_token
- instance_nic_routed_neighbor_probe
- event_hub
- agent_nic_config
- projects_restricted_intercept
- metrics_authentication
- images_target_project
- cluster_migration_inconsistent_copy
- cluster_ovn_chassis
- container_syscall_intercept_sched_setscheduler
- storage_lvm_thinpool_metadata_size
- storage_volume_state_total
- instance_file_head
- instances_nic_host_name
- image_copy_profile
- container_syscall_intercept_sysinfo
- clustering_evacuation_mode
- resources_pci_vpd
- qemu_raw_conf
- storage_cephfs_fscache
- network_load_balancer
- vsock_api
- instance_ready_state
- network_bgp_holdtime
- storage_volumes_all_projects
- metrics_memory_oom_total
- storage_buckets
- storage_buckets_create_credentials
- metrics_cpu_effective_total
- projects_networks_restricted_access
- storage_buckets_local
- loki
- acme
- internal_metrics
- cluster_join_token_expiry
- remote_token_expiry
- init_preseed
- storage_volumes_created_at
- cpu_hotplug
- projects_networks_zones
- network_txqueuelen
- cluster_member_state
- instances_placement_scriptlet
- storage_pool_source_wipe
- zfs_block_mode
- instance_generation_id
- disk_io_cache
- amd_sev
- storage_pool_loop_resize
- migration_vm_live
- ovn_nic_nesting
- oidc
- network_ovn_l3only
- ovn_nic_acceleration_vdpa
- cluster_healing
- instances_state_total
- auth_user
- security_csm
- instances_rebuild
- numa_cpu_placement
- custom_volume_iso
- network_allocations
- storage_api_remote_volume_snapshot_copy
- zfs_delegate
- operations_get_query_all_projects
- metadata_configuration
- syslog_socket
- event_lifecycle_name_and_project
- instances_nic_limits_priority
- disk_initial_volume_configuration
- operation_wait
- cluster_internal_custom_volume_copy
- disk_io_bus
- storage_cephfs_create_missing
- instance_move_config
api_status: stable
api_version: "1.0"
auth: trusted
public: false
auth_methods:
- tls
auth_user_name: root
auth_user_method: unix
environment:
  addresses:
  - 10.96.1.3:8443
  - 10.0.3.1:8443
  architectures:
  - x86_64
  - i686
  certificate: |
    -----BEGIN CERTIFICATE-----
    **************
    -----END CERTIFICATE-----
  certificate_fingerprint: ***************************
  driver: lxc | qemu
  driver_version: 5.0.3 | 8.1.3
  firewall: nftables
  kernel: Linux
  kernel_architecture: x86_64
  kernel_features:
    idmapped_mounts: "true"
    netnsid_getifaddrs: "true"
    seccomp_listener: "true"
    seccomp_listener_continue: "true"
    uevent_injection: "true"
    unpriv_fscaps: "true"
  kernel_version: 6.5.0-41-generic
  lxc_features:
    cgroup2: "true"
    core_scheduling: "true"
    devpts_fd: "true"
    idmapped_mounts_v2: "true"
    mount_injection_file: "true"
    network_gateway_device_route: "true"
    network_ipvlan: "true"
    network_l2proxy: "true"
    network_phys_macvlan_mtu: "true"
    network_veth_router: "true"
    pidfd: "true"
    seccomp_allow_deny_syntax: "true"
    seccomp_notify: "true"
    seccomp_proxy_send_notify_fd: "true"
  os_name: Ubuntu
  os_version: "22.04"
  project: default
  server: lxd
  server_clustered: false
  server_event_mode: full-mesh
  server_name: backup
  server_pid: 2276
  server_version: "5.20"
  storage: btrfs
  storage_version: 5.16.2
  storage_supported_drivers:
  - name: cephobject
    version: 17.2.6
    remote: true
  - name: dir
    version: "1"
    remote: false
  - name: lvm
    version: 2.03.11(2) (2021-01-08) / 1.02.175 (2021-01-08) / 4.48.0
    remote: false
  - name: zfs
    version: 2.2.0-0ubuntu1~23.10.2
    remote: false
  - name: btrfs
    version: 5.16.2
    remote: false
  - name: ceph
    version: 17.2.6
    remote: true
  - name: cephfs
    version: 17.2.6
    remote: true

• Kernel version: Linux backup 6.5.0-41-generic Incomplete documentation for getting the project running. #41~22.04.2-Ubuntu SMP PREEMPT_DYNAMIC Mon Jun 3 11:32:55 UTC 2 x86_64 x86_64 x86_64 GNU/Linux
• LXC version: 5.0.0
• LXD version: 5.20
• Storage backend in use: btrfs

Issue description

After upgrading lxd from 5.12 (24643) to 5.20, there are errors with "lxc copy" using rsync with changed files using NTACLs for samba server.
The remote host has the same configuration (OS and file system)

lxc copy remotehost:samba samba --refresh --instance-only -c boot.autostart=false -q

rsync: [receiver] rsync_xal_set: lsetxattr("/var/snap/lxd/common/lxd/storage-pools/lxd/containers/samba/rootfs/*******","security.NTACL") failed: Operation not permitted (1)

Running the rsync command manually with a dedicated snapshot for rsync does work, e.g.
rsync -e "ssh -i keyfile" -ar --devices --numeric-ids --partial --sparse --xattrs --filter="-x security.selinux" --delete --compress --compress-level=2 root@remotehost:/srv/lxd/containers-snapshots/samba/rsync/ /srv/lxd/containers/samba/

If I run rsync manually, it copies all changed files successfully, and lxc copy has no errors afterwards, until there are changed files with xattrs again (or if I delete some of those files manually on the target).

Steps to reproduce

Information to attach

• Any relevant kernel output (dmesg)
• Container log (lxc info NAME --show-log)
• Container configuration (lxc config show NAME --expanded)

 architecture: x86_64
config:
  boot.autostart: "false"
  boot.autostart.delay: "60"
  boot.autostart.priority: "90"
  boot.stop.priority: "50"
  security.privileged: "false"
  volatile.idmap.base: "0"
  volatile.idmap.current: '[{"Isuid":true,"Isgid":false,"Hostid":1000000,"Nsid":0,"Maprange":1000000000},{"Isuid":false,"Isgid":true,"Hostid":1000000,"Nsid":0,"Maprange":1000000000}]'
  volatile.idmap.next: '[{"Isuid":true,"Isgid":false,"Hostid":1000000,"Nsid":0,"Maprange":1000000000},{"Isuid":false,"Isgid":true,"Hostid":1000000,"Nsid":0,"Maprange":1000000000}]'
  volatile.last_state.idmap: '[{"Isuid":true,"Isgid":false,"Hostid":1000000,"Nsid":0,"Maprange":1000000000},{"Isuid":false,"Isgid":true,"Hostid":1000000,"Nsid":0,"Maprange":1000000000}]'
  volatile.net0.host_name: veth9d792b25
  volatile.net0.name: eth0
  volatile.uuid: 16e9bc37-6c5d-497e-8e03-ff7cd172e485
  volatile.uuid.generation: 16e9bc37-6c5d-497e-8e03-ff7cd172e485
devices:
  eth0:
    type: none
  net0:
    hwaddr: 00:16:3e:4c:dd:4f
    nictype: bridged
    parent: br-lan
    type: nic
  root:
    path: /
    pool: lxd
    type: disk
ephemeral: false
profiles:
- default
stateful: false
description: ""

• Main daemon log (at /var/log/lxd/lxd.log or /var/snap/lxd/common/lxd/logs/lxd.log)
  time="2024-07-07T13:32:50+02:00" level=error msg="Failed migration on target" clusterMoveSourceName= err="Failed creating instance on target: Rsync receive failed: /var/snap/lxd/common/lxd/storage-pools/lxd/containers/samba/: [exit status 23] (rsync: [receiver] rsync_xal_set: lsetxattr(\"/var/snap/lxd/common/lxd/storage-pools/lxd/containers/samba/rootfs/srv/shared/daten/Kinder/Johannes/Java/Java-Projekte/ServerStop\",\"security.NTACL\") failed: Operation not permitted (1)\nrsync: [receiver] rsync_xal_set: lsetxattr(\"/var/snap/lxd/common/lxd/storage-pools/lxd/containers/samba/rootfs/*********\",\"security.NTACL\") failed: Operation not permitted (1) and many more...
• Output of the client with --debug
• Output of the daemon with --debug (alternatively output of lxc monitor while reproducing the issue)

[tomponline]

Hi,

Do you still experience this issue using latest/stable (5.21.1) as LXD 5.20 isn't supported anymore?

[MaxRower]

I had a similar problem on other servers copying a nextcloud container (but no NTACLs there), and upgraded the destination server to 5.21.1 LTS. As this didn't help, I didn't upgrade the other ones. But in that case, deleting the files with rsync error on the destination did help, no more error with the next lxc copy.
The reason for staying on 5.20 is to keep the possibility of a simple migration to incus, as that seems to support cross platform copies (arm64 to amd64 and vice versa). It's only for backup purposes, no need to run containers on a backup server.

[MaxRower]

I now upgraded both servers to lxd 5.21.1 LTS, but the problem persists.

[tomponline]

Hi @MaxRower apologies ive not had chance to investigate this yet

[tomponline]

@boltmark please can you look into this when you get a chance. Thanks!

[tomponline]

@boltmark hows this going?

[boltmark]

@boltmark hows this going?

Hi @tomponline, this is next on my list after I get through my current bugs.

[boltmark]

Hi @MaxRower,

Can you please check your system logs for any AppArmor denials when you get the Operation not permitted (1) error from rsync?

I believe what is happening here is that rsync is being blocked on the target by the AppArmor profile used in lxd. Since lxd does not provide the CAP_SYS_ADMIN capability to the rsync profile, AppArmor will deny the writes to NTACL-protected files.

I imagine you'll see something like this:

2024-09-01T21:08:08.940946-07:00 host kernel: audit: type=1400 audit(1725250088.939:489): apparmor="DENIED" operation="capable" class="cap" profile="lxd_rsync-29844eaf-e871-436a-b7b4-6513abf8e579" pid=12710 comm="rsync" capability=21  capname="sys_admin"

[tomponline]

Any thoughts on this @mihalicyn ?

[tomponline]

@MaxRower what is the target storage pool driver in this case?

[simondeziel]

LXD grew an Apparmor profile for rsync in LXD 5.14 (#11510) which is probably why you didn't run into the issue with 5.12.

NT ACLs are saved under security.NTACL extended attributes. All the security.* attributes require CAP_SYS_ADMIN to be to write to them. The Apparmor profile for rsync doesn't let it access that capability causing the receiving end to fail to write that xattr.

Considering that our invocation of rsync includes --xattrs (see https://github.com/canonical/lxd/blob/main/lxd/rsync/rsync.go#L88-L91), we should either:

• allow rsync to use CAP_SYS_ADMIN (riskier) or
• filter out all security.*, not just security.selinux

An alternative that should work (I still have to test) would be to use optimized refresh between identical storage backends (btrfs to btrfs or zfs to zfs) as that would entirely bypass rsync and instead do the replication at the FS level rather than the file level.

[MaxRower]

@MaxRower what is the target storage pool driver in this case?

btrfs for source and target.

[MaxRower]

An alternative that should work (I still have to test) would be to use optimized refresh between identical storage backends (btrfs to btrfs or zfs to zfs) as that would entirely bypass rsync and instead do the replication at the FS level rather than the file level.

With btrfs send and receive it will probably copy the entire subvolume, not only the changes, like rsync? That's why I can only use rsync-based transfers, copying hundreds of GB every day for a backup would be very time consuming, and for remote copies impossible. Sometimes in the past, I had a ticket for exactly that, so that --instance-only uses rsync.
My scenario: I use lxc copy daily on multiple hosts to make a backup of all containers to a dedicated backup server, via LAN and WAN/VPN. Snapshots for the backup history are managed there, at btrfs level, not lxd, because all existing snapshots at the target were removed at the next copy with --instance-only. Maybe this has changed after that?

[MaxRower]

Can you please check your system logs for any AppArmor denials when you get the Operation not permitted (1) error from rsync?

I will do that, when the error occurs again.

[simondeziel]

An alternative that should work (I still have to test) would be to use optimized refresh between identical storage backends (btrfs to btrfs or zfs to zfs) as that would entirely bypass rsync and instead do the replication at the FS level rather than the file level.

With btrfs send and receive it will probably copy the entire subvolume, not only the changes, like rsync?

I theory, the btrfs send/receive feature should be able to work out that both FSes are the same but at different points in time. This should let the lxc copy --refresh figure how to do a smart delta-only FS sync. This should be even more efficient than rsync as it would be at the FS level.

Now, since your backup system (the receiving side of the copy) has been "tainted" with rsync, there is no longer any commonality at the FS level between the source and the destination. This means that the refresh has to always happen with rsync due to that accidental/unexpected tainting.

We've had a couple of bugs in our btrfs storage driver preventing it from figuring out that optimized sync should be used. This might be the reason why your setup ended up falling back to rsync transfer, thus causing the initial "tainting" of the destination.

One way to confirm the above explanation would be to start with a fresh copy/destination and see if LXD stops trying to use rsync when doing subsequent refreshes. That's what I'd like to test but haven't got the time to get around doing it just yet.

[mihalicyn]

To set security.* xattr we need to have a CAP_SYS_ADMIN capability in the superblock's owner user namespace (ref https://github.com/torvalds/linux/blob/c763c43396883456ef57e5e78b64d3c259c4babc/security/commoncap.c#L1007 ). So if the filesystem we are trying to write to, is mounted in the initial user namespace (likely it is) then we need to have the CAP_SYS_ADMIN capability in the initial user namespace.

So, to write a security.NTACL we need to have the CAP_SYS_ADMIN on the host.

But there is a trick. Some LSMs can override that behavior and lift that specific requirement. For example, SELinux have a pretty complex logic (ref https://github.com/torvalds/linux/blob/c763c43396883456ef57e5e78b64d3c259c4babc/security/selinux/hooks.c#L3197) and everything depends on the current SELinux setup on the machine.

[mihalicyn]

Hi @MaxRower!

Please, can you show:
lxc config show remotehost:samba -e?

[MaxRower]

Hi @MaxRower!

Please, can you show: lxc config show remotehost:samba -e?

architecture: x86_64
config:
boot.autostart: "true"
boot.autostart.delay: "60"
boot.autostart.priority: "90"
boot.stop.priority: "50"
security.privileged: "false"
volatile.idmap.base: "0"
volatile.idmap.current: '[{"Isuid":true,"Isgid":false,"Hostid":1000000,"Nsid":0,"Maprange":1000000000},{"Isuid":false,"Isgid":true,"Hostid":1000000,"Nsid":0,"Maprange":1000000000}]'
volatile.idmap.next: '[{"Isuid":true,"Isgid":false,"Hostid":1000000,"Nsid":0,"Maprange":1000000000},{"Isuid":false,"Isgid":true,"Hostid":1000000,"Nsid":0,"Maprange":1000000000}]'
volatile.last_state.idmap: '[{"Isuid":true,"Isgid":false,"Hostid":1000000,"Nsid":0,"Maprange":1000000000},{"Isuid":false,"Isgid":true,"Hostid":1000000,"Nsid":0,"Maprange":1000000000}]'
volatile.last_state.power: RUNNING
volatile.net0.host_name: veth3b94386a
volatile.net0.name: eth0
volatile.uuid: 16e9bc37-6c5d-497e-8e03-ff7cd172e485
volatile.uuid.generation: 16e9bc37-6c5d-497e-8e03-ff7cd172e485
devices:
eth0:
type: none
net0:
hwaddr: 00:16:3e:4c:dd:4f
nictype: bridged
parent: br-lan
type: nic
root:
path: /
pool: lxd
type: disk
ephemeral: false
profiles:

• default
  stateful: false
  description: ""