Prerequisites
Rclone Pre-flight Checklist (if applicable)
Bug Description
After a recent update of Zerobyte, backup jobs targetting volumes mounted via SSHFS fail with metadata warnings. Restic is unable to read certain symlinks (such as Apache configuration files), throwing an operation not permitted (EPERM) error during the archival phase.
Environment & Context
- Mount Type: Remote directory mounted via fuse.sshfs into Zerobyte.
- Mount Options (from container):
rw,nosuid,nodev,relatime,user_id=0,group_id=0,allow_other
- Target File: The file triggering the issue is an absolute symlink on the remote server.
Cause Analysis
This behavior usually happens when newer versions of sshfs or its underlying FUSE libraries enforce restrictions on symlinks (like the -o contain_symlinks default behavior) to prevent directory traversal. When Restic (running inside the container) attempts a readlink system call on an absolute symlink over this SSHFS mount, the kernel returns EPERM.
Since there are no advanced mount options exposure in the Zerobyte UI, we cannot easily pass flags like -o follow_symlinks or -o no_contain_symlinks to mitigate this.
Steps to Reproduce
Make a backup through SFTP with symlink
Expected Behavior
Suggested Resolution / Feature Request
Since -o contain_symlinks is now enabled by default in recent versions of SSHFS, adding -o no_contain_symlinks to the mount options is required to allow Restic to properly read absolute or relative (..) symlinks.
It would be helpful to either:
- Append
-o no_contain_symlinks by default to the fuse.sshfs flags used by Zerobyte.
- Expose a way for users to pass custom mount flags (or toggle this specific behavior) within the UI / environment variables.
Zerobyte version / commit
v0.40.0
Deployment Method
Docker Compose
Backup/Repository Context
SFTP
Logs / Error Messages
Warning: {"message_type":"error","error":{"message":"incomplete metadata for /var/lib/zerobyte/volumes/6di_G83M/_data/etc/apache2/conf-enabled/adminer.conf: readlink /var/lib/zerobyte/volumes/6di_G83M/_data/etc/apache2/conf-enabled/adminer.conf: operation not permitted"},"during":"archival","item":"/var/lib/zerobyte/volumes/6di_G83M/_data/etc/apache2/conf-enabled/adminer.conf"}
Prerequisites
Rclone Pre-flight Checklist (if applicable)
rclone listremotesandrclone lsd remote:on the host and they workBug Description
After a recent update of Zerobyte, backup jobs targetting volumes mounted via SSHFS fail with metadata warnings. Restic is unable to read certain symlinks (such as Apache configuration files), throwing an
operation not permitted (EPERM)error during the archival phase.Environment & Context
rw,nosuid,nodev,relatime,user_id=0,group_id=0,allow_otherCause Analysis
This behavior usually happens when newer versions of
sshfsor its underlying FUSE libraries enforce restrictions on symlinks (like the-o contain_symlinksdefault behavior) to prevent directory traversal. When Restic (running inside the container) attempts areadlinksystem call on an absolute symlink over this SSHFS mount, the kernel returnsEPERM.Since there are no advanced mount options exposure in the Zerobyte UI, we cannot easily pass flags like
-o follow_symlinksor-o no_contain_symlinksto mitigate this.Steps to Reproduce
Make a backup through SFTP with symlink
Expected Behavior
Suggested Resolution / Feature Request
Since
-o contain_symlinksis now enabled by default in recent versions of SSHFS, adding-o no_contain_symlinksto the mount options is required to allow Restic to properly read absolute or relative (..) symlinks.It would be helpful to either:
-o no_contain_symlinksby default to thefuse.sshfsflags used by Zerobyte.Zerobyte version / commit
v0.40.0
Deployment Method
Docker Compose
Backup/Repository Context
SFTP
Logs / Error Messages
Warning: {"message_type":"error","error":{"message":"incomplete metadata for /var/lib/zerobyte/volumes/6di_G83M/_data/etc/apache2/conf-enabled/adminer.conf: readlink /var/lib/zerobyte/volumes/6di_G83M/_data/etc/apache2/conf-enabled/adminer.conf: operation not permitted"},"during":"archival","item":"/var/lib/zerobyte/volumes/6di_G83M/_data/etc/apache2/conf-enabled/adminer.conf"}