If you had a storage appliance that ran proxmox backup server as a VM and exposed the storage appliance’s local storage, would you use that? (this is a kind of tangent I’m working on for a video because it enables a cool disaster recovery option)
Just kidding I use the native Proxmox backup feature to backup VM’s to external storage. It is the simplest approach in my experience even though it does tend to eat though disk space depending on how you set it up. My personal preference is 1-2 full backups on external storage with snapshots on the backup device.
With that being said I don’t really care much about backups on a VM level. My stuff is all containerized on the guests so I just backup the storage for the containers and the relevant configuration files. If something goes wrong or I accidentally delete a VM (done that) I can just rebuild the VM and start over. This process is easy to automate with Ansible although I haven’t gotten that far yet. Network Chuck has a video about using Ansible to create a VM from a template and then setting it up automatically. (You can use Ansible to get the IP from Proxmox and then run playbooks against the newly created VM in a automated fashion)
My main cluster is a proxmox based cluster with ZFS and Ceph for guests and ZFS+Samba for file storage. I had a look at the Proxmox backup server when it first came out, but seemed a bit incomplete at the time. Their block based approach for backups seems pretty useful, but because I’m pretty heavy on ZFS I never gave it more than just a look. Plus my main backup target is a physical machine I like to turn off, at the time turning PBS off caused some configuration troubles (I don’t know if that still the case)
My current solution is:
Some guests live on Ceph, the backup to a ZFS target in the cluster
the ZFS file storage is sent via syncoid or manually to a ZFS target on a different server. This then includes backups of Ceph based guests and my other file storage.
One kinda important consideration for me is that I know ZFS so in case of disaster I know I can get to my files without needing a new proxmox cluster or something.
If you had a storage appliance that ran proxmox backup server as a VM and exposed the storage appliance’s local storage, would you use that?
I considered setting that up myself, but part of what is important to me of the last part of my backups is that they are minimal fuss, and adding more layers of abstraction doesn’t always fit that bill
Why Samba? Not that it is bad or anything but it isn’t unix focused. Wouldn’t it be better to use NFS or even iSCSI?
I personally am looking into using FreeIPA to do device level authorization with NFS. The idea is that I can grant NFS access to only the stuff that needs it.
Yes, and I refuse to use Proxmox backup because it’s a “Push-Only” system: you have to give ACL access to your backup server to all your servers!
In CyberSec, we do not allow such blasphemy! When ransomware hits, your backup servers would most likely get hit as well.
Instead, your backup server should be isolated with zero access from any of your routers and servers.
You could either stage your files onto a centralized storage and then grant the backup server ACL rights to that one server to “pull” from. If that one server gets compromised, only the most recent backups are compromised.
The other option is to grant ACL rights from your backup server to all of your servers to “reach into and pull” the backups. I prefer this “centralized” approach in my Proxmox setup, as I can log into one centralized backup server and see everything I am pulling, listed in one spot. Usually running a bunch of rsync and ZFS clone (pull) jobs on the backup server.
Technically, I have another virtualized layer on top of all of this: I actually run three TrueNAS instances on two proxmox nodes (KISS):
TrueNAS-A for zfs-only management of the data: disks, pools, recovery, and shares. This is considered the “source of truth” of all data, and even a few iSCSCI’s on isolated networks there.
TrueNAS-B for all of my apps, docker, jobs, plex, and other funsies. Purely transient: all data is mounted from TrueNAS-A.
TrueNAS-Backup running on the backup server, that has ACL rights to TrueNAS A and B to “pull” data from (as well as the router, switches, etc).
The underlying Proxmox nodes are all dumb, just running the TrueNAS and virtualized router VM setups. I try not to grant access to the Proxmox nodes from the TrueNAS virtualized layers in case something gets compromised at either end.