“Permission denied” or “Unable to connect”
Error:
When attempting to perform a Guest Files restore to a virtual machine, the Restore Job may fail with an error similar to the following:
For a Windows VM: “Cannot create destination directory [C:\example_restore\] inside guest virtual machine [ubsi-example-client-1]. [Permission to perform this operation was denied.]”
For a Linux VM: “Unable to connect to guest virtual machine [ubsi-example-client-1] as [PSU\testuser1], please check the user name and password.“
Or, when attempting to browse for a Destination path, you may receive the error “Permission to perform this operation was denied.”, and the “Select a path” window may show “No items were found.”
REASON:
This error occurs when you attempt a restore to a VM without an installed file system agent. Install the file system agent in “restore-only” mode on the VM, and then try the restore again.
If you are prompted to enter “Virtual machine login” information (“User name” and “Password”), then the restore will fail. Commvault is attempting to log into your system’s operating system directly, and is being blocked by our security rules as intended.
If you press “SUBMIT” while the screen looks like this, the restore will fail:
If the file system agent is installed in your VM, and you have the correct “Destination client” selected, then you will NOT be prompted to enter login information. You should be able to browse for a destination path without errors, and then the restore should succeed:
DETAIL:
We’ve chosen to limit risk by preventing our UBSi-Commvault infrastructure from connecting directly into your system’s operating system. Our outbound firewall rules intentionally prevent this traffic. In the event that the Commvault environment became compromised, this would limit the impact to other Penn State services.
Unfortunately, the Commvault software doesn’t realize we’re configured this way. So it still offers you the option to enter “Virtual machine login” credentials, even though it won’t work.
Instead, our intent is that you will install the file system agent software in “restore-only” mode on the system(s) where you need to perform restores. You probably don’t need to do this on all of your systems – a management host or one node in each cluster may be sufficient, depending on your needs.
The client software will initiate an outbound connection to the UBSi-Commvault infrastructure. Once established, that connection can be used to trigger restores and other functions. If you ever needed to prevent UBSi-Commvault from connecting to your system, you could simply disable or remove the Commvault software on your local system; no firewall changes would be required.
Once you have a file system agent available, you can select it as the “Destination Client” for the restore. You shouldn’t be prompted for credentials; just the destination path.
When installing the file system agent, be sure to register it to the same tenant (“company”) that already contains the VM. The file system agent should automatically merge into the existing VM client. Then, whenever you attempt a restore for that VM, it will automatically select the filesystem agent as the destination client.
If you registered the file system agent to the wrong tenant, a duplicate client will be created. One client will contain the VM agent only, and the other will contain the file system agent only. That won’t directly break anything, but it will mean that you need to manually select the correct “Destination Client” when performing a restore (as you would if restoring to a different system), since it won’t be done for you automatically.
See also the “Restoring files from a VM backup” section of VM Hosting Backups and Restores.