Borgbackup permission denied #4667

Closed
dmpanch opened this issue Oct 8, 2020 · 2 comments

dmpanch commented Oct 8, 2020

Describe the bug

When trying to back up data via the web interface according to the manual, Borg cannot perform the backup due to permission problems.

To Reproduce

Steps to reproduce the behavior:

  1. Set borgbackup directory as volume or host machine directory in the docker-compose.yml
  2. Open https://example.com/manage/backup/
  3. Add /app/data/borgbackup as Backup repository
  4. Permit backup
  5. See celery error in logs

Expected behavior

Successful completion of the backup.

Server configuration and status

  • Weblate: 4.1.1
  • Django: 3.0.8
  • siphashc: 1.3
  • Whoosh: 2.7.4
  • translate-toolkit: 3.0.0
  • lxml: 4.5.2
  • Pillow: 7.1.2
  • bleach: 3.1.5
  • python-dateutil: 2.8.1
  • social-auth-core: 3.3.3
  • social-auth-app-django: 3.4.0
  • django-crispy-forms: 1.9.2
  • oauthlib: 3.1.0
  • django-compressor: 2.4
  • djangorestframework: 3.11.0
  • django-filter: 2.3.0
  • django-appconf: 1.0.4
  • user-agents: 2.1
  • filelock: 3.0.12
  • setuptools: 40.8.0
  • jellyfish: 0.8.2
  • openpyxl: 3.0.1
  • celery: 4.4.7
  • kombu: 4.6.11
  • translation-finder: 2.1
  • html2text: 2020.1.16
  • pycairo: 1.16.2
  • pygobject: 3.30.4
  • diff-match-patch: 20181111
  • requests: 2.24.0
  • django-redis: 4.12.1
  • hiredis: 1.1.0
  • sentry_sdk: 0.15.1
  • Cython: 0.29.21
  • misaka: 2.1.1
  • GitPython: 3.1.7
  • borgbackup: 1.1.13
  • pyparsing: 2.4.7
  • Python: 3.7.3
  • Git: 2.20.1
  • psycopg2: 2.8.5
  • psycopg2-binary: 2.8.5
  • phply: 1.2.5
  • chardet: 3.0.4
  • ruamel.yaml: 0.16.10
  • tesserocr: 2.5.1
  • akismet: 1.1
  • boto3: 1.14.33
  • zeep: 3.4.0
  • aeidon: 1.7.0
  • iniparse: 0.5
  • mysqlclient: 2.0.1
  • Mercurial: 5.4.2
  • git-svn: 2.20.1
  • git-review: 1.28.0
  • hub: 2.13.0
  • lab: 0.16
  • Redis server: 4.0.14
  • PostgreSQL server: 11.5
  • Database backends: django.db.backends.postgresql
  • Cache backends: default:RedisCache, avatar:FileBasedCache
  • Email setup: django.core.mail.backends.smtp.EmailBackend: smtp.gmail.com
  • OS encoding: filesystem=utf-8, default=utf-8
  • Celery: redis://cache:6379/1, redis://cache:6379/1, regular
  • Platform: Linux 4.15.0-118-generic (x86_64)

Weblate deploy checks
SystemCheckError: System check identified some issues:

CRITICALS:
?: (weblate.C029) There was error while performing backups: missing
HINT: https://docs.weblate.org/en/weblate-4.1.1/admin/backup.html
?: (weblate.E027) The path /app/data/borbackup is owned by different user, check your DATA_DIR settings.
HINT: https://docs.weblate.org/en/weblate-4.1.1/admin/install.html#file-permissions
?: (weblate.E027) The path /app/data/borgbackup is owned by different user, check your DATA_DIR settings.
HINT: https://docs.weblate.org/en/weblate-4.1.1/admin/install.html#file-permissions

WARNINGS:
?: (security.W005) You have not set the SECURE_HSTS_INCLUDE_SUBDOMAINS setting to True. Without this, your site is potentially vulnerable to attack via an insecure connection to a subdomain. Only set this to True if you are certain that all subdomains of your domain should be served exclusively via SSL.

INFOS:
?: (weblate.I021) Error collection is not set up, it is highly recommended for production use
HINT: https://docs.weblate.org/en/weblate-4.1.1/admin/install.html#collecting-errors
?: (weblate.I031) New Weblate version is available, please upgrade to 4.2.2.
HINT: https://docs.weblate.org/en/weblate-4.1.1/admin/upgrade.html

System check identified 6 issues (1 silenced).

Exception traceback

celery-backup stderr | ERROR Failure while executing task
celery-backup stderr | Traceback (most recent call last):
celery-backup stderr |   File "/usr/local/lib/python3.7/dist-packages/weblate/utils/backup.py", line 79, in borg
celery-backup stderr |     universal_newlines=True,
celery-backup stderr |   File "/usr/lib/python3.7/subprocess.py", line 395, in check_output
celery-backup stderr |     **kwargs).stdout
celery-backup stderr |   File "/usr/lib/python3.7/subprocess.py", line 487, in run
celery-backup stderr |     output=stdout, stderr=stderr)
celery-backup stderr | subprocess.CalledProcessError: Command '['borg', '--rsh', '/app/data/ssh/ssh-weblate-wrapper-605e2eb8033ee0bb155e6ab512c148d1', 'init', '--encryption', 'repokey-blake2', '/app/data/borgbackup']' returned non-zero exit status 2.
celery-backup stderr |
celery-backup stderr | During handling of the above exception, another exception occurred:
celery-backup stderr |
celery-backup stderr | Traceback (most recent call last):
celery-backup stderr |   File "/usr/local/lib/python3.7/dist-packages/celery/app/trace.py", line 412, in trace_task
celery-backup stderr |     R = retval = fun(*args, **kwargs)
celery-backup stderr |   File "/usr/local/lib/python3.7/dist-packages/celery/app/trace.py", line 704, in __protected_call__
celery-backup stderr |     return self.run(*args, **kwargs)
celery-backup stderr |   File "/usr/local/lib/python3.7/dist-packages/weblate/wladmin/tasks.py", line 92, in backup_service
celery-backup stderr |     service.ensure_init()
celery-backup stderr |   File "/usr/local/lib/python3.7/dist-packages/weblate/wladmin/models.py", line 162, in ensure_init
celery-backup stderr |     log = initialize(self.repository, self.passphrase)
celery-backup stderr |   File "/usr/local/lib/python3.7/dist-packages/weblate/utils/backup.py", line 96, in initialize
celery-backup stderr |     {"BORG_NEW_PASSPHRASE": passphrase},
celery-backup stderr |   File "/usr/local/lib/python3.7/dist-packages/weblate/utils/backup.py", line 86, in borg
celery-backup stderr |     raise BackupError(error.stdout)
celery-backup stderr | weblate.utils.backup.BackupError: Local Exception
celery-backup stderr | Traceback (most recent call last):
celery-backup stderr |   File "/usr/local/lib/python3.7/dist-packages/borg/archiver.py", line 4565, in main
celery-backup stderr |     exit_code = archiver.run(args)
celery-backup stderr |   File "/usr/local/lib/python3.7/dist-packages/borg/archiver.py", line 4497, in run
celery-backup stderr |     return set_ec(func(args))
celery-backup stderr |   File "/usr/local/lib/python3.7/dist-packages/borg/archiver.py", line 161, in wrapper
celery-backup stderr |     with repository:
celery-backup stderr |   File "/usr/local/lib/python3.7/dist-packages/borg/repository.py", line 188, in __enter__
celery-backup stderr |     self.create(self.path)
celery-backup stderr |   File "/usr/local/lib/python3.7/dist-packages/borg/repository.py", line 272, in create
celery-backup stderr |     with open(os.path.join(path, 'README'), 'w') as fd:
celery-backup stderr | PermissionError: [Errno 13] Permission denied: '/app/data/borgbackup/README'
celery-backup stderr |
celery-backup stderr | Platform: Linux aed384049a86 4.15.0-118-generic #119-Ubuntu SMP Tue Sep 8 12:30:01 UTC 2020 x86_64
celery-backup stderr | Linux: debian 10.4
celery-backup stderr | Borg: 1.1.13  Python: CPython 3.7.3 msgpack: 0.5.6
celery-backup stderr | PID: 747  CWD: /
celery-backup stderr | sys.argv: ['/usr/local/bin/borg', '--rsh', '/app/data/ssh/ssh-weblate-wrapper-605e2eb8033ee0bb155e6ab512c148d1', 'init', '--encryption', 'repokey-blake2', '/app/data/borgbackup']
celery-backup stderr | SSH_ORIGINAL_COMMAND: None

Additional context

Inside the container, the backup directory is created with root:root user:group instead of weblate:weblate:

drwxr-xr-x  2 root    root     4096 Oct  8 13:36 borgbackup

My docker-compose.yml:

version: '3'
services:
  weblate:
    image: weblate/weblate:4.1.1-3
    volumes:
      - weblate-data:/app/data
      - borgbackup:/app/data/borgbackup
    env_file:
      - ./environment
    restart: always
    depends_on:
      - database
      - cache
    environment:
      WEBLATE_ENABLE_HTTPS: 1
      WEBLATE_IP_PROXY_HEADER: HTTP_X_FORWARDED_FOR
  database:
    image: postgres:11-alpine
    env_file:
      - ./environment
    volumes:
      - postgres-data:/var/lib/postgresql/data
    restart: always
  cache:
    image: redis:4-alpine
    container_name: cache
    restart: always
    command: ["redis-server", "--appendonly", "yes"]
    volumes:
      - redis-data:/data
  https-portal:
    image: steveltn/https-portal:1
    ports:
      - '80:80'
      - '443:443'
    restart: always
    environment:
      STAGE: production
      PROXY_READ_TIMEOUT: 3600
    volumes:
      - ssl-certs:/var/lib/https-portal
volumes:
  weblate-data: {}
  postgres-data: {}
  redis-data: {}
  ssl-certs: {}
  borgbackup: {}

Also, I tried to use a host machine directory instead of a volume for the borg backup; it leads to the same error.

@nijel nijel added the documentation Improvements or additions to the documentation. label Oct 12, 2020
@nijel nijel self-assigned this Oct 12, 2020
@nijel nijel added this to the 4.3 milestone Oct 12, 2020

nijel commented Oct 12, 2020

Please see the errors reported by Weblate:

?: (weblate.E027) The path /app/data/borbackup is owned by different user, check your DATA_DIR settings.
HINT: https://docs.weblate.org/en/weblate-4.1.1/admin/install.html#file-permissions

The following should fix that:

chown 1000:1000 /app/data/borgbackup

@nijel nijel closed this as completed in 3ebae56 Oct 12, 2020
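
The failure in this thread (a directory listed as `drwxr-xr-x root root` that the process with UID 1000 must write to) can be checked before borg is run. The script below is an added example, not part of the issue or of Weblate's code; the function names `writable_by` and `preflight` are hypothetical, and it assumes GNU or BusyBox `stat`.

```shell
#!/bin/sh
# Added example, not Weblate code. Assumes GNU or BusyBox stat (-c).
# Ignores ACLs, supplementary groups and user-namespace remapping.

# writable_by DIR UID GID: 0 if UID/GID may create files in DIR according
# to its owner and mode bits, 1 if not, 2 if DIR cannot be stat'ed.
writable_by() {
    w_dir=$1; w_uid=$2; w_gid=$3
    meta=$(stat -c '%u %g %a' "$w_dir" 2>/dev/null) || return 2
    set -- $meta                       # $1=owner uid, $2=owner gid, $3=octal mode
    mode=$((0$3))
    if [ "$w_uid" -eq 0 ]; then
        return 0                       # root is not limited by mode bits
    elif [ "$1" -eq "$w_uid" ]; then
        bits=$(( (mode >> 6) & 7 ))    # owner class
    elif [ "$2" -eq "$w_gid" ]; then
        bits=$(( (mode >> 3) & 7 ))    # group class
    else
        bits=$(( mode & 7 ))           # other class
    fi
    # Creating a file needs both write (2) and search (1) on the directory.
    [ $(( bits & 3 )) -eq 3 ]
}

# preflight DIR UID GID: print a diagnosis and the remediation from the thread.
preflight() {
    writable_by "$1" "$2" "$3" && rc=0 || rc=$?
    case $rc in
        0) echo "ok: $1 is writable by $2:$3" ;;
        2) echo "missing: $1"; return 2 ;;
        *) echo "denied: $1 is $(stat -c '%u:%g %A' "$1"), not writable by $2:$3"
           echo "fix (as root in the container): chown $2:$3 $1"
           return 1 ;;
    esac
}

# Constructed demo: a scratch directory with the mode from the report (755),
# checked for the UID:GID used in the suggested chown.
demo=$(mktemp -d) && chmod 755 "$demo"
preflight "$demo" 1000 1000 || true
rmdir "$demo"
```

Changing the owner, as suggested in the thread, leaves the mode at 755, so the directory does not have to be made world-writable for the backup to succeed.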
@github-actions

Thank you for your report, the issue you have reported has just been fixed.

  • In case you see a problem with the fix, please comment on this issue.
  • In case you see a similar problem, please open a separate issue.
  • If you are happy with the outcome, consider supporting Weblate by donating.
