juju-db.mongodump snap gets permission denied when backup-dir is changed

Bug #1959705 reported by Tiago Pasqualini da Silva
This bug affects 2 people
Affects: Canonical Juju
Status: Invalid
Importance: Undecided
Assigned to: Unassigned
Milestone: (none listed)

Bug Description

Performing a backup after changing the backup-dir config fails with a permission denied from juju-db.mongodump:

$ juju create-backup --no-download
WARNING downloading backup archives is recommended; backups stored remotely are not guaranteed to be available.
ERROR while creating backup archive: while dumping juju state database: error dumping databases: error executing "/snap/bin/juju-db.mongodump": 2022-02-01T16:36:10.579+0000 Failed: error dumping metadata: error creating directory for metadata file /var/tmp/jujuBackup-997733961/juju-backup/dump/juju: mkdir /var/tmp/jujuBackup-997733961/juju-backup/dump/juju: permission denied;

This is caused because juju-db snap confinement is strict, so the command fails even if triggered manually:

$ juju-db.mongodump --ssl --sslAllowInvalidCertificates --authenticationDatabase admin --username machine-0 --password <pass> --out /var/tmp --port 37017
2022-02-01T18:18:50.952+0000 Failed: error dumping metadata: error creating metadata file /var/tmp/juju/spaces.metadata.json: open /var/tmp/juju/spaces.metadata.json: permission denied

Tags: sts
Tiago Pasqualini da Silva (tiago.pasqualini) wrote :

I was able to fix this by changing the confinement mode to classic and re-creating the snap. This can be upstreamed, but I'm not sure of the consequences of this.

Tiago Pasqualini da Silva (tiago.pasqualini) wrote :

I have created a PR for the 4.0 version, which is the one I tested: https://github.com/juju/juju-db-snap/pull/31

If needed I can create the PR for other versions as well.

tags: added: sts
Ian Booth (wallyworld) wrote :

Confined snaps cannot write to /var/tmp by design.

But juju-db can write to ~/snap/juju-db/common and /var/snap/juju-db/common/

So you need to mount a filesystem at a mount point under /var/snap/juju-db/common/ and things should work.

Changed in juju:
status: New → Invalid
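
The constraint described in the comment above, as an added example that is not part of the original report or of Juju's code: a pre-flight check that a candidate backup-dir resolves to a location under one of the two directories listed as writable for the juju-db snap. The function names are hypothetical, `~` is taken to be the invoking user's `$HOME`, and `realpath -m` assumes GNU coreutils.

```shell
#!/bin/sh
# Added example: pre-flight check for a candidate backup-dir against the two
# locations the report lists as writable for the strictly confined juju-db snap.
# Function names are hypothetical; realpath -m requires GNU coreutils.

# Print the writable roots, one per line ("~" taken as the caller's $HOME).
juju_db_writable_roots() {
    printf '%s\n' "/var/snap/juju-db/common"
    if [ -n "${HOME:-}" ]; then
        printf '%s\n' "${HOME}/snap/juju-db/common"
    fi
}

# Return 0 if $1 resolves to a writable root or a path beneath it,
# 1 if it falls outside, 2 if it is empty or cannot be normalized.
backup_dir_allowed() {
    [ -n "${1:-}" ] || return 2
    # -m normalizes "..", "//" and symlinks without requiring the path to exist.
    _candidate=$(realpath -m -- "$1") || return 2
    while IFS= read -r _root; do
        _root=$(realpath -m -- "$_root") || continue
        # Exact match or a real subdirectory; a sibling such as "common-old"
        # shares the prefix but must not match.
        case "$_candidate" in
            "$_root" | "$_root"/*) return 0 ;;
        esac
    done <<EOF
$(juju_db_writable_roots)
EOF
    return 1
}

# Constructed sample paths: the failing one from the report and one under the
# snap's common directory.
for _dir in /var/tmp /var/snap/juju-db/common/backups; do
    if backup_dir_allowed "$_dir"; then
        echo "ok:      $_dir"
    else
        echo "blocked: $_dir (outside the snap's writable directories)"
    fi
done
```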