Ubuntu 20.04.2 LTS

[ccrssaa]

Hi, nice tool, thanks a lot

tried it in Ubuntu 20.04.2 LTS

1. apparmor issues - libvirtd not allowed to create sockets in /var/tmp

2021-04-20 17:38:50 INFO common - printVersion: Version: 0.17 Arguments: /usr/local/bin/virtnbdbackup -d vm-template -l full -o /mnt/backup/vm-template
2021-04-20 17:38:50 INFO virtnbdbackup - main: Domain has 1 disks attached which support changed block tracking.
2021-04-20 17:38:50 INFO virtnbdbackup - main: Looking for checkpoints
2021-04-20 17:38:50 INFO virtnbdbackup - main: Using checkpoint name: virtnbdbackup
2021-04-20 17:38:50 INFO virtnbdbackup - main: Temporary scratch file target directory: /var/tmp
2021-04-20 17:38:50 INFO virtnbdbackup - main: Starting backup job.
2021-04-20 17:38:50 WARNING libvirthelper - startBackup: Guest agent is not responding: QEMU guest agent is not connected
2021-04-20 17:38:50 ERROR virtnbdbackup - main: internal error: unable to execute QEMU command 'nbd-server-start': Failed to bind socket to /var/tmp/virtnbdbackup.868194: Permission denied

obvious workaround is to disable apparmor

extenthandler.py:
def _setRequestAligment(self):
align = self._nbdFh.get_block_size(0)
if align == 0:
align = self._align
return self._maxRequestBlock - align + 1

Ubuntu has libnbd 1.2.2 with missing get_block_size()
is it safe to skip get_block_size() and use self._align if no get_block_size() available ?

[abbbi]

hi,

tried it in Ubuntu 20.04.2 LTS
2021-04-20 17:38:50 ERROR virtnbdbackup - main: internal error: unable to execute QEMU command 'nbd-server-start': Failed to bind socket to /var/tmp/virtnbdbackup.868194: Permission denied

obvious workaround is to disable apparmor

nice catch, i will add it to the FAQ.

extenthandler.py:
def _setRequestAligment(self):
align = self._nbdFh.get_block_size(0)
if align == 0:
align = self._align
return self._maxRequestBlock - align + 1

Ubuntu has libnbd 1.2.2 with missing get_block_size()
is it safe to skip get_block_size() and use self._align if no get_block_size() available ?

i think it is. I cant recall completely the usage here, i think it has to do with a NDB Server can deny
requests from a client if not both client and server are using the same block aligment.

From the Description of get_block_size():

If non-zero, this will be a power of 2 between 1 and 64k; any client
 request that is not aligned in length or offset to this size is likely
to fail with C<EINVAL>.  The image size will generally also be a
multiple of this value (if not, the final few bytes are inaccessible
while obeying alignment constraints).  If zero, it is safest to
 assume a minimum block size of 512, 

so i think it would be save to assume 512 like it does if the function is missing entirely.
I have however not tested any older libnbd version, so there might be other issues or incompatibilities too.

[juliyvchirkov]

@abbbi seems it should be enough to add /var/tmp/virtnbdbackup.* rw, to the end of /etc/apparmor.d/usr.lib.libvirt.virt-aa-helper config to get rid of Failed to bind socket [. . .] Permission denied error instead of disabling apparmor with aa-teardown completely

testing on Ubuntu 20.04

[juliyvchirkov]

@abbbi I'm back with details after the thorough testing

To get rid of Failed to bind socket [. . .] Permission denied error error, one should put 2 following lines

   /var/tmp/virtnbdbackup.* rw,
   /var/tmp/backup.* rw,

to 3 config files /etc/apparmor.d/local/abstractions/libvirt-qemu, /etc/apparmor.d/local/usr.sbin.libvirtd and /etc/apparmor.d/local/usr.lib.libvirt.virt-aa-helper (these files are empty by default)

Also I've designed and tested the bash bootstrap /usr/bin/kvmbackup to implement non-interactive backup operations cycle for active kvm machines with your virtnbdbackup tool

The first backup of every vm on every new month is forced to be full size, the rest backups on the month are incremental. Every backup is processed with lz4 compression 'cause this feature really saves the host drive space a lot. The bootstrap keeps reporting the flow logs on stdout if one runs it from console, in crontab these reports can be silenced in standard way

1 2 * * * root bash /usr/bin/kvmbackup >/dev/null 2>&1

I've uploaded the sources to review on my gist

Please feel free to utilize the above info and the bootstrap in your next releases, and thank you for the great simple tool for kvm backups!

[abbbi]

Please feel free to utilize the above info and the bootstrap in your next releases, and thank you for the great simple tool for kvm backups!

thanks for your feedback! i will have a look and update the README accordingly!

[tuomotalvitie]

As a side note for the AppArmor discussion, in Ubuntu 22.04 the sockets did not work just by adding the config files mentioned (and reloading apparmor) unless I made some error I could not catch at the time (despite checking things a few times)

I did get it working by: installed apparmor-profiles (and reloaded apparmor) (Note: I'm guessing that this was not necessary, but I'm including it here for completeness)

/etc/apparmor.d/abstractions/libvirt-qemu

# Site-specific additions and overrides. See local/README for details.

  include <local/abstractions/libvirt-qemu>

and set the config in
/etc/apparmor.d/local/abstractions/libvirt-qemu to

/var/tmp/virtnbdbackup.* rw,
/var/tmp/backup.* rw,

I may be able to later confirm this on another machine. (Especially if the apparmor-profiles was needed, or some other sunspot activity affected the results.)

(Once I got the socket working I found out that my images were qcow2, but progress is progress)

[tuomotalvitie]

Tested on another Ubuntu 22.04.

/etc/apparmor.d/local/abstractions/libvirt-qemu with contents of

/var/tmp/virtnbdbackup.* rw,
/var/tmp/backup.* rw,

and then reloading apparmor

service apparmor reload

was everything that was required for the creation of socket