Immutable Backups

S

sysadminbb

New Member
Oct 10, 2023
10
1
3
Hello everyone,

I have been poking around on other posts regarding this and need a more specific answer/solution to make this work for my org.

I want immutable backups, but to make that work the protection can't be removed (easy enough with modifying permissions and locking root account) and I need backups to automatically be marked as protected.

Maybe I didn't dig deep enough, but I just want to clarify here before I make any changes to our environment.

If I go to etc/vzdump.conf and add protected: true will that mark all backups sent to the proxmox backup server as protected?

Really this is all I need, whether that works, or we need a script to manually mark them as protected as they are made. I just need these backups to be automatically marked as protected once they are sent to proxmox backup server - from there I can lock down permissions they are are unable to be modified and set retention periods.

Thanks for the help!
 
Hey,

not really. Backups can't be modified, they are either corrupted, or equivalent to when they were taken. They can only be deleted or their owner can be changed, but the backup itself can't be modified. Also, protected here just means the protected backup won't be pruned, and if you mark all of them as protected, nothing will be pruned.
 
sysadminbb said:
If I go to etc/vzdump.conf and add protected: true will that mark all backups sent to the proxmox backup server as protected?
Click to expand...
The defaults in /etc/vzdump.conf are only applied for backup invocations that do not explicitly override the setting, i.e. a user can still set protected: false if they can edit a backup job or during manual backup.
sysadminbb said:
Really this is all I need, whether that works, or we need a script to manually mark them as protected as they are made. I just need these backups to be automatically marked as protected once they are sent to proxmox backup server - from there I can lock down permissions they are are unable to be modified and set retention periods.
Click to expand...
So you might be better off with a server-side script.
 
fiona said:
The defaults in /etc/vzdump.conf are only applied for backup invocations that do not explicitly override the setting, i.e. a user can still set protected: false if they can edit a backup job or during manual backup.

So you might be better off with a server-side script.
Click to expand...
Got it, that makes sense.

So protected prevents backups from being pruned/deleted.

So in my case, the best way to go about this might be marking all backups as protected (vzdump.conf) on each node, and then setting up prune policies, and to accompany those policies we have a script that will remove the protected mark after a set period of time, allowing prune to drop these backups.

Has anyone done this before? Can someone point me in the right direction for marking/unmarking backups as protected on the backup server? I can easily enough remove users permissions to remove backups or change protection status.

Thanks everyone
 
The newest version of PBS will allow you to sync to a different local data store so you could just sync the backups to that data store with a different pruning schedule.

If you're looking for a way to protect those backups from accidental deletion. I have a couple of PBS that I sync the backups to.
 
Darkk said:
The newest version of PBS will allow you to sync to a different local data store so you could just sync the backups to that data store with a different pruning schedule.

If you're looking for a way to protect those backups from accidental deletion. I have a couple of PBS that I sync the backups to.
Click to expand...
I see - syncing to another PBS would keep the status if it were protected or not, correct?

Also, can someone confirm for me that setting protected: true in vzdump.conf automatically makes all backups going to PBS protected?

Thanks
 
sysadminbb said:
Also, can someone confirm for me that setting protected: true in vzdump.conf automatically makes all backups going to PBS protected?
Click to expand...
No, it does not. As already mentioned, it is just a default value and can be overwritten by individual jobs/manual backups.
 
fiona said:
No, it does not. As already mentioned, it is just a default value and can be overwritten by individual jobs/manual backups.
Click to expand...
Understood - I misread that previous reply.

So is there a way for me to change protected status through CLI or API? This would be once the backup has made it to PBS.
 
You must log in or register to reply here.

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Quick Navigation

Home Get Subscription Wiki Downloads Proxmox Customer Portal About

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!
Community platform by XenForo® © 2010-2024 XenForo Ltd.
Top Bottom
Back