Kurgan's latest activity
-
KKurgan reacted to bbgeek17's post in the thread [TUTORIAL] Understanding QCOW2 Risks with QEMU cache=none in Proxmox with
Like.
Hi @Kurgan, Your question reminded me of another advantage of LVM: its volatile metadata doesn't reside in a user-land address space, so a process kill can't put it into a state that leads to data loss. Blockbridge : Ultra low latency... -
KKurgan replied to the thread [TUTORIAL] Understanding QCOW2 Risks with QEMU cache=none in Proxmox.Thank you very much for your answer and the time you spent researching it.
-
KKurgan reacted to bbgeek17's post in the thread [TUTORIAL] Understanding QCOW2 Risks with QEMU cache=none in Proxmox with Like.
Hi @Kurgan, Based on a quick review, LVM-thin appears to offer better durability characteristics than QCOW2 for a few reasons: LVM-thin stores its metadata in a B-tree and applies updates transactionaly (though not via a traditional journal)...
-
KKurgan reacted to bbgeek17's post in the thread [TUTORIAL] Understanding QCOW2 Risks with QEMU cache=none in Proxmox with Like.
Hi @Kurgan, Thanks for the great question. LVM is considerably more sophisticated than QEMU/QCOW, though I'm not an expert in its internal architecture. My assumption is that it uses a mix of demand-based and timer-based flushing. I'll try to...
-
KKurgan replied to the thread [TUTORIAL] Understanding QCOW2 Risks with QEMU cache=none in Proxmox.Thanks a lot. I have read quite a lot of your website articles and while I'm not a Blockbridge customer and I'll probably never be (much smaller setup here) I have appreciated your KB articles a lot. But now a question has arisen: Is LVM-Thin...
-
KKurgan reacted to bbgeek17's post in the thread [TUTORIAL] Understanding QCOW2 Risks with QEMU cache=none in Proxmox with Like.
Hey everyone, A few recent developments prompted us to examine QCOW2’s behavior and reliability characteristics more closely: 1. Community feedback There are various community discussions questioning the reliability of QCOW2. We have customers...
-
KKurgan reacted to fabian's post in the thread PBS integrity check: is the hash computed on PVE or on PBS? with Like.
there are actually multiple checksums. chunks contain a CRC (verified on each read of the chunk) and have a digest (that the chunk is referenced by). both are calculated on the client side, the CRC is verified by the server upon upload, the...
-
KKurgan replied to the thread [SOLVED] Ransomware protection?.About backup encryption abuse, see this: https://forum.proxmox.com/threads/verification-of-encryption-integrity.168204/
-
KKurgan replied to the thread [SOLVED] Ransomware protection?.Of course I have offline backups, a management network that's not the same as the users network, restricted access (you need a vpn to access the management from the LAN), etc. Still I'm thinking of the issues if someone somehow becomes root on...
-
KKurgan replied to the thread PBS integrity check: is the hash computed on PVE or on PBS?.Thanks a lot for the explanation, it's very clear and I like the fact that this protects the best part of the backup chain of hardware and software. This means that if the PVE host does not corrupt data, then any further corruption, even in the...
-
KKurgan reacted to UdoB's post in the thread PBS integrity check: is the hash computed on PVE or on PBS? with Like.
It is (first) calculated on PVE. Then this checksum is transmitted to PBS - only the checksum, no data. If a chunk with that checksum already exists on PBS then some references are updated to reflect this new backup. Only if that checksum is...
-
KKurgan posted the thread PBS integrity check: is the hash computed on PVE or on PBS? in Proxmox Backup: Installation and configuration.I'm looking for an information I cannot find. When a backup is made to PBS, I understand that all the blocks have an hash that allows for integrity checks to be done later, and they indeed are done on the PBS host multiple times. (there is a...
-
KKurgan replied to the thread Verification of encryption integrity.Setting an alert on the PBS side is indeed a good idea. If the threat actor has compromised the PVE server (the host, I mean) but for some reason not the PBS server, then we can get an alert for this anomaly in the backup chain. While I'm sure...
-
KIf we set threshold-based warnings on the PBS side, then the treshold value will only be known to the PBS administrator. It certainly makes no sense to substitute the role of SIEM, so IMHO I consider threshold-based warnings to be sufficient...
-
KHi folks, I tested changing the encryption key for PBS backups. Unfortunately, the backup job and verification job did not notify me that the key had been changed. This is the behavior of PVE/PBS as I understand it from the documentation. No...
-
KKurgan reacted to yorilouz's post in the thread Error restoring host backup: "unexpected offset" - mount works, restore fails with Like.
Hello, I'm encountering a persistent issue when trying to restore a host backup made with proxmox-backup-client. While the backup verification process completes successfully and I can mount the backup without any apparent issues, the restore...