Immutable backups

bfriconneau

Feb 4, 2021
Hi everyone,
All is in the title or almost ;-)
Is it possible to configure it?
If yes, how can I do it?
Regards
PS: My environment: Proxmox and Proxmox Backup
 
There are two levels to this:
- you can mark individual snapshots as protected (to prevent accidental removal - anybody who can set this mark can also remove it!)
- you can configure access such that a given user/token can only create new and restore existing snapshots, but not remove existing ones (DatastoreBackup role)

https://pbs.proxmox.com/docs/user-management.html#access-control
 
You can enable/disable the backup encryption when adding a PBS storage to your PVE ("encryption" tab).
 
For really immutable backups, I can recommend using ZFS as the backing device and doing regular snapshots there. This is a bit counter-productive in terms of small backup sizes and stuff that PBS already does, but it will give you immutability.
 
> For really immutable backups, I can recommend using ZFS as the backing device and doing regular snapshots there. This is a bit counter-productive in terms of small backup sizes and stuff that PBS already does, but it will give you immutability.

How will backing up ZFS give immutability?
What OP is asking about is something similar to this:
https://www.veeam.com/blog/immutable-backup-solutions-linux-hardened-repository.html

The other "solution" to this is to push backups to Tape-storage and carry away the tapes. But that will lead to a longer RTO compared to if the immutable repo was "online".
 
> How will backing up ZFS give immutability?

If you have ZFS as your backing device, e.g. on another machine, you just snapshot your dataset (which is by definition immutable) and you can always show if a file was changed (zfs diff) and revert the dataset, so the backup is immutable.

We have multiple remote ZFS backup boxes in production that export the dataset via NFS (server) to the nodes (client), which is used for the backup. You can then do timed snapshots on the storage side or use a snapshot file whose touching is automatically detected on the storage side, so that a snapshot is created. This can be hooked into the backup from PVE (or any other software) in order to create the snapshot (so the immutability is implicit). There is no direct SSH connection between the boxes, so you cannot delete the snapshots from your client side.
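The touch-file trigger described in the post above, as an added example that is not part of the original thread: a script meant to run from cron or a timer on the ZFS box itself, so the NFS client can request a snapshot but never holds the rights to destroy one. The flag file name `.snapshot-request`, the dataset `tank/pbs` and the `ZFS` override variable are assumptions.

```sh
#!/bin/sh
# Storage-side snapshot trigger (added example; all names are assumptions).
# Runs ON THE ZFS BOX. The backup client only touches a flag file inside
# the NFS export; it has no shell on this machine and cannot run zfs.
set -u

ZFS="${ZFS:-zfs}"                            # zfs binary, overridable for testing
FLAG_NAME="${FLAG_NAME:-.snapshot-request}"  # hypothetical flag the client touches

# snapshot_if_flagged DATASET MOUNTPOINT
# Prints the new snapshot name and returns 0 if a snapshot was taken,
# returns 1 if no request was pending, 2 if the snapshot failed.
snapshot_if_flagged() {
    sif_dataset="$1"
    sif_flag="$2/$FLAG_NAME"

    # The client controls everything inside the export, so accept only a
    # regular file and never follow a symlink it may have planted there.
    if [ -L "$sif_flag" ] || [ ! -f "$sif_flag" ]; then
        return 1
    fi

    sif_snap="${sif_dataset}@backup-$(date -u +%Y%m%dT%H%M%SZ)"
    if ! "$ZFS" snapshot "$sif_snap"; then
        echo "snapshot failed for $sif_dataset" >&2
        return 2    # flag is kept, so the next run retries
    fi

    # Consume the request only after the snapshot exists.
    rm -f -- "$sif_flag"
    echo "$sif_snap"
}

# Stand-alone use from cron: snap-trigger.sh tank/pbs /tank/pbs
if [ "$#" -eq 2 ]; then
    snapshot_if_flagged "$1" "$2"
fi
```

On the PVE side the hook only needs to touch the flag file on the NFS mount once the backup job has finished.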
 
> If you have ZFS as your backing device, e.g. on another machine, you just snapshot your dataset (which is by definition immutable) and you can always show if a file was changed (zfs diff) and revert the dataset, so the backup is immutable.
>
> We have multiple remote ZFS backup boxes in production that export the dataset via NFS (server) to the nodes (client), which is used for the backup. You can then do timed snapshots on the storage side or use a snapshot file whose touching is automatically detected on the storage side, so that a snapshot is created. This can be hooked into the backup from PVE (or any other software) in order to create the snapshot (so the immutability is implicit). There is no direct SSH connection between the boxes, so you cannot delete the snapshots from your client side.

Sounds interesting, I need to research how to do that.
I am in the middle of researching how ProxmoxVE and Proxmox Backup Server can fully replace VMware, Veeam and Rancher in our rather big environment, hence all the questions.
 
> Sounds interesting, I need to research how to do that.
> I am in the middle of researching how ProxmoxVE and Proxmox Backup Server can fully replace VMware, Veeam and Rancher in our rather big environment, hence all the questions.

VMware and Veeam are easily replaceable by Proxmox products (for all the things I need, your mileage may vary), yet why would you want to replace Rancher? Rancher is great as a CaaS solution running on top of PVE. PVE has nothing that compares to Rancher and never will. PVE is an IaaS solution, Rancher is a CaaS solution.
 
> VMware and Veeam are easily replaceable by Proxmox products

no. that's not true. proxmox is not (yet) at the same enterprise / maturity level as vmware and veeam and there is no such big ecosystem surrounding proxmox like it's surrounding vmware.

replacing a hypervisor and its backup solution is not a trivial task, especially when you run more than a handful of VMs.

but as the new company policy of vmware really really sucks, i'm sure this will mean growth/success for proxmox.
 
> no. that's not true. proxmox is not (yet) at the same enterprise / maturity level as vmware and veeam and there is no such big ecosystem surrounding proxmox like it's surrounding vmware.

Please also quote my remark. Your mileage seems to vary, so please share what you're missing there so that we can learn.
 
> Please also quote my remark. Your mileage seems to vary, so please share what you're missing there so that we can learn.

That's almost like asking for a dissing on the very forum dedicated to the product in question. :) I felt like he just wanted to say the general statement is not universally true, YMMV is not gonna rescue that as "for [me]" was also bundled with it.

I think a good start would be to support ZFS send/receive snapshot deltas natively and not re-reading the whole thing every time because PBS needs to be storage agnostic. Just an example.
 
> VMware and Veeam are easily replaceable by Proxmox products (for all the things I need, your mileage may vary), yet why would you want to replace Rancher? Rancher is great as a CaaS solution running on top of PVE. PVE has nothing that compares to Rancher and never will. PVE is an IaaS solution, Rancher is a CaaS solution.

In the current state - no, sadly.
We will most likely move to a mix of Proxmox and Nutanix. Proxmox Backup Server's limitations are just one example of it not being ready for production in a larger deployment. Even if I can manage fine with doing all "unsupported solutions" - we have a liability to run our stuff in a supported way that is not dependent on a small set of people.

We currently use Rancher to manage Kubernetes clusters and workloads and we are not looking into replacing that since it does everything just great. I just wish that there was official CAPI support for Proxmox so Rancher in the future can manage the Kubernetes cluster itself. Installing an Ubuntu node and doing all the manual work around that is not something we want - we want Rancher to take care of that just as well as it does under a vSphere provider.
 
