[SOLVED] PBS log issue

C

cromatn5

Well-Known Member
Mar 26, 2018
77
11
48
39
France
Hello,

I don't know it's its since the last release, but I have this in syslog:

1633067606386.png

pveversion -v
proxmox-ve: 7.0-2 (running kernel: 5.11.22-4-pve)
pve-manager: 7.0-11 (running version: 7.0-11/63d82f4e)
pve-kernel-5.11: 7.0-7
pve-kernel-helper: 7.0-7
pve-kernel-5.11.22-4-pve: 5.11.22-9
pve-kernel-5.11.22-3-pve: 5.11.22-7
ceph-fuse: 14.2.21-1
corosync: 3.1.5-pve1
criu: 3.15-1+pve-1
glusterfs-client: 9.2-1
ifupdown2: 3.1.0-1+pmx3
ksmtuned: 4.20150326
libjs-extjs: 7.0.0-1
libknet1: 1.22-pve1
libproxmox-acme-perl: 1.3.0
libproxmox-backup-qemu0: 1.2.0-1
libpve-access-control: 7.0-4
libpve-apiclient-perl: 3.2-1
libpve-common-perl: 7.0-9
libpve-guest-common-perl: 4.0-2
libpve-http-server-perl: 4.0-2
libpve-storage-perl: 7.0-11
libspice-server1: 0.14.3-2.1
lvm2: 2.03.11-2.1
lxc-pve: 4.0.9-4
lxcfs: 4.0.8-pve2
novnc-pve: 1.2.0-3
proxmox-backup-client: 2.0.10-1
proxmox-backup-file-restore: 2.0.10-1
proxmox-mini-journalreader: 1.2-1
proxmox-widget-toolkit: 3.3-6
pve-cluster: 7.0-3
pve-container: 4.0-10
pve-docs: 7.0-5
pve-edk2-firmware: 3.20200531-1
pve-firewall: 4.2-3
pve-firmware: 3.3-1
pve-ha-manager: 3.3-1
pve-i18n: 2.5-1
pve-qemu-kvm: 6.0.0-4
pve-xtermjs: 4.12.0-1
qemu-server: 7.0-14
smartmontools: 7.2-pve2
spiceterm: 3.2-2
vncterm: 1.7-1
zfsutils-linux: 2.0.5-pve1

proxmox-backup: 2.0-1 (running kernel: 5.11.22-4-pve)
proxmox-backup-server: 2.0.10-1 (running version: 2.0.10)
pve-kernel-5.11: 7.0-7
pve-kernel-helper: 7.0-7
pve-kernel-5.11.22-4-pve: 5.11.22-9
pve-kernel-5.11.22-3-pve: 5.11.22-7
ifupdown2: 3.1.0-1+pmx3
libjs-extjs: 7.0.0-1
proxmox-backup-docs: 2.0.10-1
proxmox-backup-client: 2.0.10-1
proxmox-mini-journalreader: 1.2-1
proxmox-widget-toolkit: 3.3-6
pve-xtermjs: 4.12.0-1
smartmontools: 7.2-pve2
zfsutils-linux: 2.0.5-pve1
 
Hi,

is this PBS instance used in a cluster of PVE, how many nodes are there? And does their storage config entry uses root@pam + password for access? As it seems like the pvestatd status poll that it does every 10 seconds, logs in into your PBS instance every 10s times node count.

If that is the case I'd recommend using an API token instead, it's easier to revoke without affecting existing user logins, has a very strong secret and won't show up in the syslog that prominently.
 
Ok.
I just have one debian + PVE + PBS.
I use root@pam for PVE and PBS.
I will learn for API token.

Thanks you for answer.
 
I played a little with API token, but I want to "full reset" this to recreate neatly.
I understood I can connect PBS to PVE with API token and secret, but after removed all token and user, and connect PBS with root@pam, I cant backup some VM anymore.
I explored some files in PVE and PBS case, but I cant find the file that "say" "this VM require this user"

INFO: starting new backup job: vzdump 101 --node pve --storage backup --mode snapshot --remove 0
INFO: Starting Backup of VM 101 (qemu)
INFO: Backup started at 2021-10-08 07:48:24
INFO: status = stopped
INFO: backup mode: stop
INFO: ionice priority: 7
INFO: VM Name: clonezilla
INFO: include disk 'scsi0' 'pve-fast:vm-101-disk-0' 4G
INFO: creating Proxmox Backup Server archive 'vm/101/2021-10-08T05:48:24Z'
INFO: starting kvm to execute backup task
INFO: enabling encryption
ERROR: VM 101 qmp command 'backup' failed - backup connect failed: command error: backup owner check failed (root@pam != cromat@pbs)
INFO: aborting backup job
INFO: stopping kvm after backup task
ERROR: Backup of VM 101 failed - VM 101 qmp command 'backup' failed - backup connect failed: command error: backup owner check failed (root@pam != cromat@pbs)
INFO: Failed at 2021-10-08 07:48:26
INFO: Backup job finished with errors
TASK ERROR: job errors
 
Just for feedback, I have created one user for PVE and another one for PBS.
I disabled root in PVE and PBS, and I can login with respected token in PVE and PBS authentication server.
Now PBS is connected to PVE with a token.
No more log
Very interesting

Thanks again
 
I just spent hours playing with this... All to remove one annoying log entry....


The token thing is very confusing.

The only way I was able to get it to work was have a user

admin@pbs

as well as an admin@pbs!client1 (token)

But in the datastore permissions I had to add BOTH the user (admin@pbs) as well as the API TOKEN (admin@pb!client1) .. Both with DatastoreAdmin permissions otherwise it would not add to the storage. Then when you change owner you are offered the user and token.

This seems very confusing... un-intuitive. I reverted to root@pam for now.
 
Last edited:
Merci pour les fotos!

Yes, I think mine was similar. Except the Path's (Chemin) depending on if you want to give less permission you can point to /datastore/backup and different Role's but then you have to test make sure everything works.

Also if you have an existing datastore we have to change the owner to .. the token ID.

I also have a remote offsite that I'd have to re-configure and re-test so I may try again.

What if we just used user level with the PBS-Realm does the log still populate? Then I don't need tokens and extra confusion.
-> EDIT: Answered my own question... admin@pbs just user also generated logs in syslog! Tokens don't..

Thank You.
 
Last edited:
You must log in or register to reply here.

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Quick Navigation

Home Get Subscription Wiki Downloads Proxmox Customer Portal About

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!
Community platform by XenForo® © 2010-2024 XenForo Ltd.
Top Bottom
Back