[Help] Different backup retention policies per VM

Aug 8, 2023
Hi,

I have been using Proxmox PVE and PBS for more than two years now - also in a production environment - 3 HA clusters with one PBS behind them to handle backup jobs.

At this moment, backup retention policy is one for all VMs - meaning prune job - Last:0 Hourly:0 Daily:7 Weekly:4 Monthly:12 Yearly:0.
Not every single VM requires so many restoration points (e.g. some will only require the last 7 days of restoration points) and I'd like to be able to specify, per VM, how long backup data should be kept.

I have done some research myself, and I have thought of creating different namespaces and configuring different prune jobs, but that would also require creating several datastore locations on each HA cluster/node and selecting a specific datastore for each VM backup. This all seems quite complex and I am wondering if there may be an easier way to achieve what I want?
Main purpose is to optimize backup storage to what is really required.

Any suggestions will be highly appreciated :)

Lukasz
 
you can split your backup job on the PVE side and define stricter pruning settings on one of the jobs, those will be executed directly after the backup
 
Do you mean configuring the pruning task on the PVE node instead of on the PBS?

I have deliberately avoided this, I must admit - mostly from a security point of view.
PBS is managed independently from the PVE nodes, and the user configured on PBS for backup jobs has limited access rights on PBS (only two rights):
Datastore.Audit
Datastore.Backup

The intention is that even in case of a compromised PVE environment, backups would be safe - as a PVE node can create them, but not remove them - so a threat actor won't be able to impact the existing backups (e.g. delete these).

Is your suggestion still applicable with such an approach?
 
no, in such a setup you can only prune on the PBS side. this would require adding filtering to prune jobs, to allow (for example) pruning only groups owned by a particular user, or based on a regex matching on the group name (backup id)
 
Thanks Fabian for your answer.
One more question - is it possible in some way to 'tag' a resource which is backed up on the PVE side, so that this tag can be utilized in purge criteria?
 
no, that would also require such a filtering mechanism for purge jobs.
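
The regex-on-backup-ID filtering described in the replies above, as an added example that is not part of the thread and not PBS code: it models per-group retention selection as a dry run, so the effect of different keep settings per VM can be compared without giving the PVE-side backup user any prune rights. The rule table, the group names, the sample snapshot times and the keep-daily/weekly/monthly selection logic are all assumptions of this example.

```python
import re
from datetime import datetime, timedelta

# Hypothetical rule table: the first regex matching the backup group wins.
RULES = [
    (re.compile(r"^vm/1\d\d$"), {"daily": 7}),                      # short retention
    (re.compile(r".*"), {"daily": 7, "weekly": 4, "monthly": 12}),  # default policy
]

PERIOD_KEY = {
    "daily": lambda t: t.strftime("%Y-%m-%d"),
    "weekly": lambda t: "%d-W%02d" % t.isocalendar()[:2],
    "monthly": lambda t: t.strftime("%Y-%m"),
}

def policy_for(group):
    for pattern, keep in RULES:
        if pattern.match(group):
            return keep
    return None  # no rule matched: the caller must not prune this group

def select_keep(times, keep):
    """Newest snapshot per period, skipping periods an earlier rule covered."""
    kept = set()
    ordered = sorted(times, reverse=True)
    for period in ("daily", "weekly", "monthly"):
        key, limit = PERIOD_KEY[period], keep.get(period, 0)
        covered = {key(t) for t in kept}
        picked = set()
        for t in ordered:
            if key(t) in covered or key(t) in picked:
                continue
            if len(picked) >= limit:
                break
            picked.add(key(t))
            kept.add(t)
    return kept

def dry_run(groups):
    """Map each group to the snapshots that would be removed; deletes nothing."""
    plan = {}
    for group, times in groups.items():
        keep = policy_for(group)
        plan[group] = [] if keep is None else sorted(set(times) - select_keep(times, keep))
    return plan

# Constructed sample: one snapshot per day for 400 days, newest on 2023-08-08.
SAMPLE = [datetime(2023, 8, 8, 2) - timedelta(days=i) for i in range(400)]
GROUPS = {"vm/101": SAMPLE, "vm/200": SAMPLE}
```

With this constructed input, `dry_run(GROUPS)` shows the 7-day group retaining 7 snapshots and the default group retaining 23.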