Linux Hardened Repository Unable to Update Immutability or Remove Restore Points due to SGID
The errors in this article may occur for other reasons, this article is specifically relevant to a situation in which these errors occur because the folder where the backup files are stored has an SGID (Set-Group ID) configured.
Example:
[backupsvc@rhel9]$ ls -l total 1 drwxr-sr-x. 2 backupsvc backupsvc 1 Jan 1 00:00 repo
Challenge
A job targetting a Hardened Linux Repository (Immutable) fails with an error about being unable to remove restore points or update immutability (examples below).
-
Failed to delete file '/path/to/storage.vbk': Operation not permitted
-
Failed to perform setting immutability for backup Error: Agent: Failed to process method
-
Failed to delete '.vbk' per retention policy
-
Error: boost::filesystem::remove: Operation not permitted: "/path/to/restorepoint.vib" Agent failed to process method {FileSystem.FileRemove}.
Cause
This problem is caused by the SGID bit set on the backup directory.
Due to the SGID bit, all files created within this directory inherit the directory's group ownership. This conflicts with the verification routine in VBR that ensures the .veeam.lock file belongs to the root user and root group.
As a result of this conflict, errors arise during the processing of the .veeam.lock file.
Solution
In the command examples below, the placeholder '/path/to/repository/' is used to represent the path to the root folder that was specified when the repository was created in Veeam Backup & Replication. You can confirm the path needed by checking the Path column listed for the repository within the Backup Repositories list in the Veeam Backup & Replication Console.
- Open the Backup Infrastructure view.
- In the inventory pane, select the Backup Repositories node.
To resolve this issue, the Linux Administrator must remove the SGID bit from the backup directory and rerun the job to force new .veeam.lock files to be created.
- Disable all jobs targetting the affected Linux repository.
- Connect to the Linux server that hosts the Repository.
- Remove the SGID from the backup directory using this command:
- Enable all disabled jobs from Step 1 and rerun them.
With SGID no longer set for the backup folder, new .veeam.lock files will be created with the correct user (root) during the next job run.
If the issue continues after you complete the steps above, please collect logs and create a Veeam Support case.
While rare, the existing .veeam.local files may need to be removed, a process that requires the immutability attribute to be removed from each .veeam.lock file.
To report a typo on this page, highlight the typo with your mouse and press CTRL + Enter.