Duplicati access denied errors

[Gorf]

I'm experimenting with Duplicati as a backup solution and I am finding that running it from within a jail with the pool mounted as a mountpoint in it is posing some challenges for permissions. I'm hoping to find some advice on starting Duplicati as root so that it can backup data with minimal issues. I've seen some kinda hacky stuff about adding additional GID's and stuff but I'm not really interested in that scale of a solution. Is it easier to directly compile Duplicati on the system itself outside of the jail?

 

[sretalla]

If you're using the plugin, the tools are right there in the rc.d file (/usr/local/etc/rc.d/duplicati)

Code:

# Enable duplicati:
# sysrc duplicati_enable="YES"
#
# Optional parameters:
# sysrc duplicati_user="<user to run as>"
# Default: duplicati
# sysrc duplicati_group="<group to run as>"
# Default: duplicati
# sysrc duplicati_web_pass="<password>" **Don't use quotes
# Default: duplicati
# sysrc duplicati_data_dir="<folder for server data>"
# Default: /config
# sysrc duplicati_port="<port to listen on>"
# Default: 8200

sysrc duplicati_user="<user to run as>" at the jail console should do it... maybe set the group to wheel also.

 

[Gorf]

I found that myself as well. However attempting to set it to "root" and "wheel" causes the service not to start. And I'm struggling to get it to produce logfiles to tell me why. Is there some constraint that prevents the services from running as root?

 

[sretalla]

You probably need to assign ownership of the program (/usr/local/share/duplucati, or something like that) and maybe also the pid file.

 

[Gorf]

Seems to be more than that though. The WebUI won't start, there is nothing listening on port 8200, etc. And when I attempt to revert the configuration back to it's original state, the service basically never comes back to life and I end up having to destroy the jail and start over.

Edit: system logs show that they service supposedly starts correctly:

Code:

[2022/07/21 12:15:26] (DEBUG) iocage.__start_jail__():255 - Default IPv6 Gateway: none
[2022/07/21 12:15:26] (INFO) iocage.callback():71 - * Starting Duplicati
[2022/07/21 12:15:41] (INFO) iocage.callback():71 -   + Started OK
[2022/07/21 12:15:41] (INFO) iocage.callback():71 -   + Using devfs_ruleset: 1000 (iocage generated default)
[2022/07/21 12:15:49] (INFO) iocage.callback():71 -   + Configuring VNET OK
[2022/07/21 12:15:49] (INFO) iocage.callback():71 -   + Using IP options: vnet
[2022/07/21 12:16:01] (INFO) iocage.callback():71 -   + Starting services OK
[2022/07/21 12:16:02] (INFO) iocage.callback():71 -   + Executing poststart OK
[2022/07/21 12:16:02] (INFO) iocage.callback():71 -   + DHCP Address: 192.168.8.85/24

but if I attempt to hand start it from the shell, it starts and runs just fine.

 

[sretalla]

Probably the config directory too

Those logs are the jail, not the service

 

[Gorf]

Even though I can get it running manually, it's still throwing the Access Denied error without any logs to show for it.

 

[sretalla]

I doubt it will fix the Access Denied, but if you want to run as root, you need to edit the rc.d file (/usr/local/etc/rc.d/duplicati) to add the PATH:

Code:

duplicati_precmd() {
        export XDG_CONFIG_HOME=${duplicati_data_dir}
        export USER=${duplicati_user}
        export PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin:/root/bin

Also to keep handy for a reinstall:
chown -R root:wheel /usr/local/etc/rc.d/duplicati /usr/local/share/duplicati/ /config /var/mail/duplicati /tmp/HttpServer

 

[sretalla]

it's still throwing the Access Denied error

What rights are assigned to the files you're backing up?

 

[Nordlicht-13]

I'm experimenting with Duplicati as a backup solution and I am finding that running it from within a jail with the pool mounted as a mountpoint in it is posing some challenges for permissions. I'm hoping to find some advice on starting Duplicati as root so that it can backup data with minimal issues. I've seen some kinda hacky stuff about adding additional GID's and stuff but I'm not really interested in that scale of a solution. Is it easier to directly compile Duplicati on the system itself outside of the jail?

You might want to check this out:

Dupliact in FreeNAS Jail - User/Permissions

I went ahead and tried my proposal, and it works quite well. Here’s a step-by-step. Identify the groups to which the directories you want to backup belong. FreeNAS > Storage > {dataset you want to backup} > : (3 dots) > {Edit Permissions or Edit ACL}. Copy (write down) the group name from...

forum.duplicati.com

I set up Duplicati this way, and it works just fine.

 

[Gorf]

I figured out the Access Denied error. Duplicati helpfully fails to log that the error was coming back from S3. The underlying java throws an exception because, by default, Duplicati doesn't use TLS so S3 throws back a HTTP 403 because it isn't configured that way. Duplicati bubbles that up as a generic "Access Denied" error.

 

[Gorf]

I doubt it will fix the Access Denied, but if you want to run as root, you need to edit the rc.d file (/usr/local/etc/rc.d/duplicati) to add the PATH:

Code:

duplicati_precmd() {
        export XDG_CONFIG_HOME=${duplicati_data_dir}
        export USER=${duplicati_user}
        export PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin:/root/bin

Also to keep handy for a reinstall:
chown -R root:wheel /usr/local/etc/rc.d/duplicati /usr/local/share/duplicati/ /config /var/mail/duplicati /tmp/HttpServer

I didn't have to alter ownership on anything to get this to run the way I wanted now. I mean, its running as the superuser, why would it need any underlying permissions changes for this, right?

Also thanks for the export hint. That was the last key I needed to get this to start as a service and run as root. So far so good.