Was the backup also created from a Btrfs system?

And do you remember if you resized one of the affected VMs while the backup was in progress?

I have exactly the same problem with Qubes 4.1 fully updated today. Also Btrfs install. I have tried various combinations of backups: - AppVMs, templates - single, multiple. Always the same error as m4teh in the original post, on full restore or verify only:
Error: unable to extract files ... Unexpected EOF in archive tar ...

I have tried on multiple Qubes 4.1 Btrfs installs, different laptops all with same error.
Has there been any progress with this issue? - it's quite a major bug, living with no easily restorable backups is asking for trouble.

@tquest1 I assume that (same as for @m4teh) the backup was created from a Btrfs system, and qvm-backup-restore --ignore-size-limit works around the issue?

If someone can post a reproducible way to generate an affected backup file, that would be extremely helpful. (Beware that any backup file also includes the full qubes.xml with metadata about all VMs - not only the backed up ones! - so it's not really safe to share the backup file itself. Unless maybe if it's from a throwaway Qubes system installed just for this purpose.)

I don't really have a 'throwaway' install at the moment - but it does seem that it ALWAYS results in the same error on any Btrfs install - I have tried it on 2 colleagues' Qubes machines - with even a tiny VM of a few MB & it is always the same result from the gui.

Okay I think I found the problem:

When a VM is to be backed up, its disk usage value is queried and recorded in the backup metadata. This value is then used as an extraction limit during restore. But it's easy for the backup system to record a wrong value:

For one thing, the query happens at the beginning of the backup run, but it might take hours until it's that particular VM's turn to be backed up. If more data is saved by the VM in the meantime, it can trigger this bug.

The reason a mismatch would happen more often when backing up from e.g. Btrfs is that the 'file-reflink' driver (as well as the legacy 'file' driver) returns the live disk usage, whereas the 'lvm_thin' driver returns the committed disk usage.

Maybe we could fix this by having storage drivers implement an export_usage() volume method that - like export_end() - would operate on the reference returned by export(), and using an open file descriptor as the reference.

There's also a similar problem for firewall.xml and for any additional files from the backup-get-files event, ugh.

Should the restore code maybe just disable the byte size limit (not necessarily the file count limit) unconditionally, at least for hopefully well-authenticated format v4+ backups?

This looks like it has always been racy, and it might take a while to fully fix, and even then some people will still have their existing backups with wrong size information.

Maybe we could fix this by having storage drivers implement an export_usage() volume method that - like export_end() - would operate on the reference returned by export()

One issue with this idea, is that export() is called much later than the size is needed. That's because (among other reasons), user gets backup summary to accept - that includes those sizes - and only then the backup process can start. I don't want any changes to the system state before doing backup is actually started. Calling export() when preparing this summary would violate this.

But as said above, we can enforce the size limit in some different way (per-file, not per-volume or per-whole-backup). Those reported sizes are approximation anyway, because backup is then compressed.

Just wanted to say I've been experiencing this on a ext4 install as well. It really became a problem when I stopped compressing my backups. Compressing seems to greatly reduce if not eliminate this problem.

It really became a problem when I stopped compressing my backups. Compressing seems to greatly reduce if not eliminate this problem.

Yep, makes sense.

Sorry I haven't gotten around to implementing Marek's suggested per-file size limit yet. But qvm-backup-restore --ignore-size-limit should be fine as a workaround for the moment. (Restore already invokes qfile-dom0-unpacker with an argument that makes it wait if there's less than 500 MiB of free space, instead of completely filling up the disk.)