PBS Sync-Job : Pre- and Post-Hook Support for Sync Jobs in Proxmox Backup Server

M

msalese

New Member
Apr 22, 2025
4
0
1
Hello everyone,

I am currently working with Proxmox Backup Server (PBS) and I have a situation where I would like to automatically change ZFS dataset properties (e.g., setting readonly=off) before a sync job starts, and then set them back (e.g., readonly=on) after the sync job finishes.

However, it seems that sync jobs currently do not offer any option for pre- or post-execution hooks.

My questions are:

Is there any hidden method or workaround to run pre/post scripts for sync jobs?

Is native pre/post hook support for sync jobs planned for future versions of PBS?

If not, would it be possible to request this feature for future releases?

This functionality would be extremely useful for dynamically managing the environment before and after large data sync operations.

Thanks a lot for your help and for the fantastic work on PBS!

Best regards,
Massimo
 
msalese said:
Hello everyone,

I am currently working with Proxmox Backup Server (PBS) and I have a situation where I would like to automatically change ZFS dataset properties (e.g., setting readonly=off) before a sync job starts, and then set them back (e.g., readonly=on) after the sync job finishes.

However, it seems that sync jobs currently do not offer any option for pre- or post-execution hooks.

My questions are:

Is there any hidden method or workaround to run pre/post scripts for sync jobs?

Is native pre/post hook support for sync jobs planned for future versions of PBS?

If not, would it be possible to request this feature for future releases?

This functionality would be extremely useful for dynamically managing the environment before and after large data sync operations.

Thanks a lot for your help and for the fantastic work on PBS!

Best regards,
Massimo
Click to expand...
I have used this workaround:
Since PBS does not support pre- or post-execution hooks for sync jobs, and you cannot delay sync start from inside the GUI, this shell script solves the problem by:

Turning readonly=off on the target ZFS dataset
Manually running the sync job via CLI
Waiting for it to complete
Re-enabling readonly=on to protect the target again

Important:
You must create the sync job from the PBS GUI, but do not schedule it.
This script is meant to be scheduled separately, e.g. via cron or systemd timer

Bash: 
#!/bin/bash

# === CONFIGURATION ===
ZFS_DATASET="iscsi_disk_dataset_name"
PBS_SYNC_JOB_ID="sync-job-id"
LOGDIR="/var/log"
LOGFILE="${LOGDIR}/pbs_sync_zfs_$(date +'%Y%m%d_%H%M%S').log"

echo "[INFO] $(date) - Setting readonly=off on ZFS dataset ${ZFS_DATASET}" | tee -a "$LOGFILE"
zfs set readonly=off ${ZFS_DATASET}

echo "[INFO] $(date) - Starting PBS sync job with ID: ${PBS_SYNC_JOB_ID}" | tee -a "$LOGFILE"
proxmox-backup-manager sync-job run --id ${PBS_SYNC_JOB_ID} >> "$LOGFILE" 2>&1

if [ $? -eq 0 ]; then
    echo "[INFO] $(date) - Sync job completed successfully" | tee -a "$LOGFILE"
else
    echo "[ERROR] $(date) - Sync job failed" | tee -a "$LOGFILE"
fi

echo "[INFO] $(date) - Setting readonly=on on ZFS dataset ${ZFS_DATASET}" | tee -a "$LOGFILE"
zfs set readonly=on ${ZFS_DATASET}

echo "[INFO] $(date) - Script execution finished" | tee -a "$LOGFILE"
 
_gabriel said:
What is the use case ?
Click to expand...
It's about reducing the attack surface.
Another option would be if the disks used for the sync job are iSCSI targets:
in that case, you could also think about hiding the target behind a firewall, using CHAP authentication, and mounting the datastore only right before starting the sync job.
 
So you Sync local datastore A to local datastore Z where Z is a ZFS dataset over iscsi ?
The recommended way attach ZFS dataset over iscsi to another PBS which PULL data from PBS with datastore A.
The another PBS will have diff creds and can be turned on only for Sync or hardened firewall.
 
msalese said:
It's about reducing the attack surface.
Another option would be if the disks used for the sync job are iSCSI targets:
in that case, you could also think about hiding the target behind a firewall, using CHAP authentication, and mounting the datastore only right before starting the sync job.
Click to expand...
To prote
_gabriel said:
So you Sync local datastore A to local datastore Z where Z is a ZFS dataset over iscsi ?
The recommended way attach ZFS dataset over iscsi to another PBS which PULL data from PBS with datastore A.
The another PBS will have diff creds and can be turned on only for Sync or hardened firewall.
Click to expand...

Yes, I am aware of the recommended method, but I work in a small to medium business where budget limitations exist.
At the moment, deploying a second PBS is not feasible, so I need to find a solution to duplicate backups locally using a single PBS equipped with both internal storage and additional storage connected via iSCSI.
For this second storage, I want to reduce the attack surface by using the ZFS readonly property, so that most of the time no modifications are possible.
The readonly property is set to off only a few seconds before the sync job starts.
Additionally, I would like to add another layer of protection by ensuring that the PBS does not permanently mount the iSCSI disks, but only mounts them just before the sync job begins.
 
You must log in or register to reply here.
Top Bottom