Allow to exclude xattrs (or specific xattr namespaces) when restoring

[tesshuflower]

Output of restic version

restic 0.17.1
compiled with go1.22.5 on linux/amd64

What should restic do differently? Which functionality do you think we should add?

First off, restic is an amazing tool! Thanks for all your great work. We've been using restic in VolSync (https://github.com/backube/volsync) to perform backups in kubernetes environments.

This one is a bit complicated - Essentially we're running restic in a kubernetes pod and hit an issue with v0.17.1. I think this was always here, but the error would be ignored, but this fix means restoring xattrs as UID 0 will now fail the restore: #4958

The issue comes from the fact that we have some scenarios where we run as UID 0 so that we can restore UIDs and GIDs, but when extended attributes in the trusted. or system. namespace are restored, this will fail as we don't have the CAP_SYS_ADMIN capability. Additionally it seems that even with this capability, we may not be allowed to modify the security.selinux xattr on a file (in Openshift this is definitely an issue, perhaps it will happen on other kubernetes envs too). We don't hit this issue when not running as UID 0 as the error is ignored by restic.

Would it be possible to allow for excluding xattrs (perhaps with a pattern, or perhaps exclude specific xattr namespaces) at restore time? If it makes sense for consistency we could also do this at backup - but my main concern atm is restore.

Please let me know if you'd be open for such a change - I'd be happy to contribute a PR.

What are you trying to do? What problem would this solve?

Did restic help you today? Did it make you happy in any way?

[MichaelEischer]

I guess we have four possible approach which we could follow here:

• either add an option the not restore any extended attributes
• add an option to ignore errors while restoring extended attributes
• or adding a filter to not restore certain extended attributes. That filter could also be used to ignore all extended attributes. The first thing that comes to my mind would be to have a --omit-xattrs glob-pattern option (there are probably better names for that option) that can be specified multiple times.
• Hardcode some error filters for well known problematic xattrs. Could you provide more details on the error that occurs when the xattr cannot be restored? This last option would be the easiest to use from a user perspective.

What I'm wondering is how other backup tools handle this situation.

Regarding backup versus restore time: I'm preferring to just capture everything during backup and then decide at restore time whether to ignore some part of that data. That way one won't accidentally loose some metadata.

[tesshuflower]

Thanks for your response @MichaelEischer .

Here's an example of errors when restoring as UID 0:

...
ignoring error for /sys: xattr.LSet /data/sys security.selinux: permission denied
ignoring error for /test: xattr.LSet /data/test security.selinux: permission denied
ignoring error for /undo_001: xattr.LSet /data/undo_001 security.selinux: permission denied
ignoring error for /undo_002: xattr.LSet /data/undo_002 security.selinux: permission denied
Summary: Restored 1 / 7 files/dirs (0 B / 0 B) in 0:01, skipped 184 files/dirs 212.168 MiB
Fatal: There were 191 errors

In this case every single file being restored fails as I believe the files are initially written with the security.selinux settings that belong to the kubernetes namespace being restored to. Then when the xattr is modified to the security.selinux setting from the backup, it fails with permission denied as it's not allowed to modify that xattr. This is happening in an OpenShift environment, this may work differently in different kubernetes environments.

I can also get it to fail with any other security.* xattr I set on the source. But in the case of those, I think I could avoid this if I give the pod CAP_SYS_ADMIN capability. Looking at the capabilities man page, I think security and trusted xattrs will require this capability. I'd rather not grant this to my restore pod however, I only use the UID 0 in this special case when a user wants to restore UIDs and GIDs from their backup.

Note that granting CAP_SYS_ADMIN doesn't solve the problem with the security.selinux xattr I mentioned above, but works for xattrs I just tried creating manually like security.test.

Ultimately I think I'd prefer option 2 or 3 from your above list (option to ignore xattr restore errs or exclude specific ones) as I'm not sure my case applies universally.

[konidev20]

What I'm wondering is how other backup tools handle this situation.

I was looking at how tar handles it: Tar - Extended File Attributes

Attribute names are strings prefixed by a namespace name and a dot. Currently, four namespaces exist: ‘user’, ‘trusted’, ‘security’ and ‘system’. By default, when ‘--xattrs’ is used, all names are stored in the archive (with ‘--create’), but only ‘user’ namespace is extracted (if using ‘--extract’). The reason for this behavior is that any other, system defined attributes don’t provide us sufficient compatibility promise. Storing all attributes is safe operation for the archiving purposes.

Two more flags are provided:
--xattrs-include-pattern and --xattrs-exclude-pattern

We can take a similar approach of extracting only the user namespace as a sensible default, then allowing the user to specify other namespaces as patterns to allow restore with warnings.

[tesshuflower]

Thanks for that extra information @konidev20 ! I've created a draft PR for the moment, just to see if this would be workable: #5129

Would still need unit tests etc.

Right now it does this:

• Adds --exclude-xattr and --include-xattr mutually exclusive cmd flags to restic restore. (These names can be changed of course, I tried to keep it consistent with current cmd line flag naming).
• Currently just re-uses code from the filter package to do the pattern matching, which ultimately uses filepath. I thought this would be easiest, but technically I guess these are not filepaths we are matching.
• This also sets the default (if not flags are passed) to only match user.* xattrs. This can be changed if I should maintain current behaviour of trying to restore all xattrs.

[elpepino89]

@tesshuflower Thank you for your pull request!

I just had a similar problem when restoring a backup onto a podman volume with z-mode (e.g. -v cerbot-data:/data:z). The z/Z option tells podman to relabel the content of the volume with selinux.

With this option in place, selinux automatically adds security.selinux="system_u:object_r:container_file_t:s0" on restored files and restic fails to remove/change them, because it does not have the permissions from inside the container:
ignoring error for /accounts/meta.json: xattr.LRemove /accounts/meta.json security.selinux: permission denied

Is this problem (failing on xattr removal) also covered by your pull request?

[tesshuflower]

@tesshuflower Thank you for your pull request!

I just had a similar problem when restoring a backup onto a podman volume with z-mode (e.g. -v cerbot-data:/data:z). The z/Z option tells podman to relabel the content of the volume with selinux.

With this option in place, selinux automatically adds security.selinux="system_u:object_r:container_file_t:s0" on restored files and restic fails to remove/change them, because it does not have the permissions from inside the container: ignoring error for /accounts/meta.json: xattr.LRemove /accounts/meta.json security.selinux: permission denied

Is this problem (failing on xattr removal) also covered by your pull request?

@elpepino89 With my PR it is attempting to allow new flags on the restore cmd to either include or exclude specific xattrs. It would exclude setting the xattr, but then should also not remove the xattr if it already exists on the file in question.

Note that right now I'm not sure what the default will be in the end - possibly for linux we default to only restoring user namespaced xattrs (i.e. xattrs starting with user.*). If this is the case it should fix your issue without any changes, however if the default is to include all xattrs to maintain current behaviour, then you would need to pass in one of the new flags. Will try to update here once it's decided.