Backing up PVE itself

Patrick010

New Member
Aug 6, 2023
There's a number of discussions on the forum about how to back up PVE itself, mainly focussed on the config files.
Being a scripting tard I've asked our friend ChatGPT to help me make a simple script. There's probably a way better method, but this covers my needs.

So for those looking for something similar, or something to start with, here it goes:

Here's your complete, no-nonsense setup guide to secure, automated Proxmox PVE config backup with remote sync, using a locked-down backupuser and rsync over SSH.
This is for backing up only configuration files (host, VM, and LXC), not full VM images. You’ll end up with a secure and maintainable system that mirrors your backups to a remote box, auto-cleans, and doesn’t require remote shell access.

✅ GOAL

You will:
  • Back up all important Proxmox config files
  • Sync them to a remote server over SSH using rsync
  • Lock down the remote user (backupuser) to only accept file uploads
  • Automatically prune old local and remote backups
  • Run the whole thing via cron

️ SYSTEM SETUP​

1. ✅ Create backupuser on the remote server​

On remote server (192.168.1.100):​

Code:
sudo adduser --disabled-password --shell /usr/sbin/nologin backupuser
sudo mkdir -p /backups/proxmox
sudo chown backupuser:backupuser /backups/proxmox
sudo chmod 700 /backups/proxmox
This creates a no-shell, upload-only user that owns its backup directory.​

2. ✅ Generate SSH key on Proxmox​

On your Proxmox host:​

Code:
ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519 -C "proxmox-backup"
  • Press enter through all prompts
  • Do not set a passphrase

3. ✅ Set up key-based login to backupuser

On Proxmox:​

Code:
ssh-copy-id -i ~/.ssh/id_ed25519.pub backupuser@192.168.1.100

Then on the remote server:​

Edit ~backupuser/.ssh/authorized_keys and wrap the key with restrictions:​
Code:
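# Receive-only (no --sender) and confined to /backups/proxmox/; options match the script's rsync -av --delete
command="rsync --server -vlogDtpre.iLsfxC --delete . /backups/proxmox/",no-agent-forwarding,no-port-forwarding,no-X11-forwarding,no-pty ssh-ed25519 AAAA... proxmox-backup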
⚠️ Replace ssh-ed25519 AAAA... with the actual key from the .pub file.​
This allows only rsync in upload mode. User cannot execute arbitrary commands or log in interactively.​

4. ✅ Install rsync on both machines​

Make sure it's available:​
Code:
apt update && apt install rsync -y

BACKUP SCRIPT​

On Proxmox, create the script:​

Code:
nano /usr/local/bin/pve-backup.sh
Paste:​
Code:
#!/bin/bash

# === CONFIGURATION ===
BACKUP_DIR="/root/pve-backups"
REMOTE_USER="backupuser"
REMOTE_HOST="192.168.1.100"
REMOTE_PATH="/backups/proxmox"
SSH_KEY="/root/.ssh/id_ed25519"
DATE=$(date +%F-%H%M)
ARCHIVE_NAME="pve-fullconfig-$DATE.tar.gz"

# === STEP 1: CREATE LOCAL BACKUP ===
# The archive includes /etc/shadow: keep the directory and archive readable by root only
umask 077
mkdir -p "$BACKUP_DIR"

tar czf "$BACKUP_DIR/$ARCHIVE_NAME" \
  /etc/pve \
  /etc/network/interfaces \
  /etc/fstab \
  /etc/hosts \
  /etc/hostname \
  /etc/resolv.conf \
  /etc/passwd \
  /etc/shadow \
  /etc/group \
  /etc/pve/storage.cfg \
  /etc/pve/datacenter.cfg \
  /etc/pve/qemu-server \
  /etc/pve/lxc \
  /var/lib/lxc \
  --warning=no-file-changed

echo "Backup created: $BACKUP_DIR/$ARCHIVE_NAME"

# === STEP 2: SYNC TO REMOTE ===
# Host key checking stays on: the remote host key was recorded in known_hosts during step 3
rsync -av --delete -e "ssh -i $SSH_KEY -o StrictHostKeyChecking=yes" "$BACKUP_DIR/" "$REMOTE_USER@$REMOTE_HOST:$REMOTE_PATH/"

echo "Remote sync complete."

# === STEP 3: CLEAN OLD LOCAL BACKUPS (>7 days) ===
find "$BACKUP_DIR" -type f -name "pve-fullconfig-*.tar.gz" -mtime +7 -exec rm -f {} \;

echo "Old local backups cleaned."
Make it executable:​
Code:
chmod +x /usr/local/bin/pve-backup.sh

⏰ AUTOMATE IT​

Edit root's crontab:​

Code:
crontab -e
Add this line to run daily at 3:30 AM:​
Code:
30 3 * * * /usr/local/bin/pve-backup.sh >> /var/log/pve-backup.log 2>&1

TEST EVERYTHING​

Manually run:​

Code:
/usr/local/bin/pve-backup.sh

Then check on remote:​

Code:
ls -lh /backups/proxmox/
You should see your .tar.gz archive with today’s date. No other junk. Clean and mirrored.​

Summary​

Step | Description
✅ backupuser | Locked-down upload-only user with no shell
SSH Key | Key-based auth from Proxmox only
Secure | Only rsync is allowed remotely
Prunes | Old backups deleted locally + mirrored remotely with --delete
⚙️ Cron | Fully automated daily job
Extensible | Easy to add more files or move to restic, borg, etc. later

Need to back up actual VM disk snapshots (vzdump) or integrate with offsite/cloud storage (S3, Backblaze, etc.) next?​
 
Reactions: MagicFab
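
Added example, not part of the original post: a wrapper script for the command= option of step 3 that inspects SSH_ORIGINAL_COMMAND and lets through only an rsync upload into /backups/proxmox. In rsync's server arguments --sender means the remote side sends files, so an upload-only key has to refuse it. The script path, the function name and the list of accepted options are assumptions of this example, and it assumes the account's login shell can run commands, because sshd starts a forced command through that shell.

```shell
#!/bin/sh
# Forced-command wrapper for the backup key. The install path
# /usr/local/bin/rsync-upload-only is an assumption of this example.
ALLOWED_DIR="/backups/proxmox"   # upload directory from step 1

# check_rsync_cmd CMD: succeed only if CMD is an rsync server invocation
# that receives files into ALLOWED_DIR.
check_rsync_cmd() {
    case $(printf '%s' "$1" | tr -d ' ') in
        *[!A-Za-z0-9./_=,:+-]*) return 1 ;;   # plain characters only
    esac
    set -f; set -- $1; set +f      # split into words without globbing
    [ "$#" -ge 5 ] || return 1
    [ "$1" = "rsync" ] || return 1
    [ "$2" = "--server" ] || return 1
    n=$#; i=0; dest=
    for arg in "$@"; do
        i=$((i + 1))
        if [ "$i" -le 2 ]; then continue; fi
        if [ "$i" -eq "$n" ]; then dest=$arg; continue; fi
        if [ "$i" -eq $((n - 1)) ]; then
            [ "$arg" = "." ] || return 1   # rsync sends "." before the path
            continue
        fi
        case $arg in
            --sender) return 1 ;;   # server would send files: a download
            --delete) ;;            # mirror pruning, used by pve-backup.sh
            --*) return 1 ;;        # every other long option is refused
            -*) ;;                  # short flag bundle, e.g. -vlogDtpr
            *) return 1 ;;
        esac
    done
    case $dest in
        *..*) return 1 ;;                            # no path traversal
        "$ALLOWED_DIR"|"$ALLOWED_DIR"/*) return 0 ;;
    esac
    return 1
}

# Run by sshd as the forced command, SSH_ORIGINAL_COMMAND holds what the
# client asked for; when it is unset (not under sshd) nothing happens.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if check_rsync_cmd "$SSH_ORIGINAL_COMMAND"; then
        set -f
        exec $SSH_ORIGINAL_COMMAND   # word-split only, never eval'd
    fi
    echo "rejected: $SSH_ORIGINAL_COMMAND" >&2
    exit 1
fi
```

The key line in authorized_keys would then name the wrapper, command="/usr/local/bin/rsync-upload-only", in place of a fixed rsync string. The rsync distribution ships its own script for this purpose, rrsync, which covers more cases than this sketch.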
Yikes. Isn't it enough that people use chatGPT to ask questions (which are now harder to parse since one needs to go through all the bubble chatGPT generates) and their scraper bots are abusing community power to feed their hallucinations but now we have AI generated guides too? Next step will probably be to replace the whole forum with bot conversations: One question is an LLM generated hallucination and the answers are different hallucinations made by another LLM.

Now please don't take this the wrong way, it has nothing to do with you in person, I'm sure you are a pleasant guy or girl to be with.
But this general trend towards AI (mis)use instead of actually contributing to communities and projects rubs me the wrong way.
Guess I'm getting old.

For the actual problem: Although it's a pity that there is no option inside the PVE GUI, it was and is already possible to do PVE host backups: Just use any Linux backup tool, there are enough to pick, including Proxmox's own backup client. Now I personally prefer tools which don't need a running backup server (like anything which uses sftp for accessing storage, or one of rclone's storage backends) but in the end that's just a matter of preference.
I would always recommend to not use proxmox backup client for PVE host backups for a different reason: You need a running proxmox backup server for the restore, which might be a problem if you run PBS as a vm (I know it's not recommended, but still a lot of people do this, myself included) or lxc. Now whether you use tar, rsync or one of the newer tools (restic, kopia, borg, duplicati, bacula...) is a matter of preference and personal taste ;)
But you don't need chatGPT to set up a backup with your tool of choice and doing a writeup for the forum afterwards.
 
Feel free to ignore this topic if you think asking ChatGPT is beneath you.

Well, that's not so easy. Searching for a keyword will find and deliver it.

If you poke around here you'll find several first-posts of new accounts which reply to very old threads since some weeks now. Not all of them are recognizable as the output of a Generative LM at a first glance but personally I (purely my personal and unreflected impression!) suspect them to come from those, either introduced by fully automated bots or by future(!) spammers. Or both of them. "AI" content is rising. Everywhere.

You were so fair to state that in your second sentence, thanks. And your post contains a "Test everything" chapter. But now it is not clear if you really did run those tests or if it just belongs to the generated script.

I am not fighting you. I am not fighting the so called(!) "AI" (there IS no intelligence in it, it is just statistics! Stupid but massive statistics!) and I can not stop it to spread, for sure.

But this forum has a number of experienced human users and their reply is much more worth to me than an extrapolated reply of a Language Model.


When this:
...bot conversations: One question is an LLM generated hallucination and the answers are different hallucinations made by another LLM.
actually begins to happen (and it is absolutely possible) I expect this - and a lot of other - forums to die.


Sorry for the rant - but human knowledge is starting to decline with this.
 
Reactions: Johannes S
Looks like you guys feel threatened by these systems
Now we no longer have to rely on l33t members and their, often, strange behaviour and responses. There's enough people who appreciate postings like this because not everybody has enough Linux knowledge to figure these things out, or don't want to spend hours on it.
Don't want to ask AI? Then don't and move on.
 
Hi,

I know a sentence that says something like this: "It is not important what colour the cat has if it can catch the mouse" (Chinese origin). So with AI or with another tool, it is not so important what we use if we can "catch the mouse". Your goal is to make a backup of "all important Proxmox files".
But your post does not include "all important ....". So your "cat" is not able to catch the mouse (my own opinion). For example all content of /etc/pve or /var/lib/pve.
Why do we do a backup? We do this because if a system is broken (whatever name, like PMX in this case) we expect to restore this broken system. So ask yourself if this backup system can do this (for any case we can imagine, like server broken, and so on).
Also if rsync can not do complete?

So IMHO, your setup is not useful. Maybe it can be useful in some limited scenario.

Good luck / Bafta !
 
Reactions: Johannes S
If you read my initial post then you would have noticed that I said that this is just a basic script that copies config files, not complete vms or lxcs. And as I also said, if you think you can do better, feel free to enhance it. Until now I only have seen criticism and nothing helpful. In the meantime there's dozens of topics where people ask for basic scripts like this (backing up pve so a quick restore without the need of reconfiguring everything all over). If you use the basic backup functionality of pve to backup your vms or containers and use a script such as this one to secure the most important config files then you'll be back up and running after a disaster or reinstall. But hey, nobody is forcing you to use it. If you can do better, post it here.
 
Looks like you guys feel threatened by these systems

Sorry again to move the topic of this thread so far away. I will stop discussing "AI" here. Perhaps a generic "New Post" would be helpful. Including a statement of "staff" if "AI" generated replies are a good thing, should be required to be tagged or should be avoided.

"AI" has come to stay and to spread - I know that.
 
I prefer a helpful AI generated answer over a useless one made by a human any time. I wonder what the responses would have been had I left out that I used ChatGPT to make this. Half of this forum is full of crap because people have no idea what they're talking about and spew nonsense making it the truth.
This will be my last response to all of the rants about AI or this topic. Good luck fiddling around.
 
Looks like you guys feel threatened by these systems

I don't feel threatened since even I (who never was really good at programming, that's why I'm a sysadmin now) will always have a job to fix issues resulting from "vibe coding" or "vibe devops" like the one in this example: https://www.reddit.com/r/ProgrammerHumor/comments/1jdfhlo/securityjustinterfereswithvibes/

And that's (despite the sub's name) not a joke, but an actual twitter/x posting, the user still has his profile open.

And it's not about gatekeeping: I'm a big fan of empowering people to solve their problems by themselves and sharing knowledge between humans. AI generated questions and answers are counter-productive in that regard since people learn how to write prompts but not how stuff works and solve their problems by themselves. One example: One coworker asked chatgpt for a certain script for a certain problem. The funny thing was that our existing tool already had an option so actually it took longer to write a prompt than it would have taken to read the tool's documentation.
Now what profits novices more in the end? Learning how to write prompts and "going with the vibe" (aka hoping for the best) or learning how to read manuals and later teaching others? @UdoB for example does a great job with his "FabU"-Postings where he explains stuff like considerations for a minimal ceph cluster, using ZFS as storage or often asked questions in a well written, hands-on way. Other community members also do voluntary work to answer the same questions again and again, still being friendly and explaining things, so the OP and other readers learn how things actually work.

I think it's quite rude to say that an LLM generated bot output is more helpful. But if this is true, Reddit, stackoverflow, server and this forum can be shut down right now, so nobody needs to actually communicate with fellow human beings.
One thing on a fundamental level: Although personally I don't have anything to fear I fear for society. I don't want social security data, my tax records or sensitive personal information processed with AI-built infrastructure. It is inevitable that human developers and sysadmins will have bugs in their code and infrastructure, but at least they still have the competence to fix them. Now AI is trained with their output so it will obviously have bugs too. But when nobody knows how to debug and fix code anymore (except us lucky few, who will profit from it) I expect more data leaks and security incidents. Which is great for people like Udo and me, but not so great for society as a whole.

AI has its place though: As a tool to improve productivity for people who already have a fundamental knowledge of how things work so they can tweak its output and (if necessary) correct it. If this needs less time than doing everything on your own, this is a win. It's not a win when in the end nobody knows how to fix things, and what went wrong.
 