PBS Sync issues after 2.2 upgrade

da-alb

Member
Jan 18, 2021
88
2
8
Code:
2022-05-24T09:26:42+02:00: Starting datastore sync job '10.46.10.102:local2-pm-80-81-82:local3-pm-80-81-82::s-b09c8d73-3e75'
2022-05-24T09:26:42+02:00: sync datastore 'local3-pm-80-81-82' from '10.46.10.102/local2-pm-80-81-82'
2022-05-24T09:26:42+02:00: ----
2022-05-24T09:26:42+02:00: Syncing datastore local2-pm-80-81-82, root namespace into datastore local3-pm-80-81-82, root namespace
2022-05-24T09:26:42+02:00: Cannot sync datastore local2-pm-80-81-82, root namespace into datastore local3-pm-80-81-82, root namespace - sync namespace datastore local3-pm-80-81-82, root namespace failed - no permission to modify parent/datastore.
2022-05-24T09:26:42+02:00: TASK ERROR: sync failed with some errors.

After updating both PBSs I cannot sync anymore, I'm using datastorebackup and remotesyncoperator as permissions for the remote user. I've tried giving remoteadmin and datastoreadmin but it's not working. What am I missing here?

Thanks
 

fabian

Proxmox Staff Member
Staff member
Jan 7, 2016
7,483
1,397
164
what permissions does the sync job owner have on the target system? e.g.,

Code:
proxmox-backup-manager user permissions USER@REALM

(replace USER@REALM according to your sync job setup)
 

fabian

Proxmox Staff Member
Staff member
Jan 7, 2016
7,483
1,397
164
that's the wrong end.. you are syncing from local2-pm-80-81-82 on pb-102 into local3-pm-80-81-82, and the permission error is on the latter datastore..
 

da-alb

Member
Jan 18, 2021
88
2
8
that's the wrong end.. you are syncing from local2-pm-80-81-82 on pb-102 into local3-pm-80-81-82, and the permission error is on the latter datastore..
Hi, I'm syncing from pb-102 (local2) to local3 on pbs-174. The remote user is created on pb-102 and is set on pbs-174. The screenshot above is from pb-102. Isn't that the right configuration?

Thx
 

fabian

Proxmox Staff Member
Staff member
Jan 7, 2016
7,483
1,397
164
yes - but the permission check that fails is on pbs-174, so you need to show the permissions (for the "owner" of the sync job) there..

see the docs:

https://pbs.proxmox.com/docs/managing-remotes.html#sync-jobs

for a sync job, you always have two users (or tokens) involved:
  • at the remote side (the source that gets pulled from), remote_user@foo
  • this user needs to be able to access the backups that should be synced (so at least Datastore.Backup + ownership, or higher privileges if you want to sync more than owned backups)
  • this remote user needs to be setup with a remote.cfg entry at the local side
  • at the local side (the target that gets synced to), you have a local_user@bar which owns the sync job (and the synced backup groups)
  • this local user needs access to the remote entry (to allow accessing the remote PBS as 'remote_user@foo')
  • this local user also needs access to the local target datastore (to write groups/snapshots/chunks - at least Datastore.Backup, possibly more depending on the exact configuration of the sync job)
the last part is what fails for you, so please dump the permissions of this user so we can see what's missing.
 

da-alb

Member
Jan 18, 2021
88
2
8
yes - but the permission check that fails is on pbs-174, so you need to show the permissions (for the "owner" of the sync job) there..

see the docs:

https://pbs.proxmox.com/docs/managing-remotes.html#sync-jobs

for a sync job, you always have two users (or tokens) involved:
  • at the remote side (the source that gets pulled from), remote_user@foo
  • this user needs to be able to access the backups that should be synced (so at least Datastore.Backup + ownership, or higher privileges if you want to sync more than owned backups)
  • this remote user needs to be setup with a remote.cfg entry at the local side
  • at the local side (the target that gets synced to), you have a local_user@bar which owns the sync job (and the synced backup groups)
  • this local user needs access to the remote entry (to allow accessing the remote PBS as 'remote_user@foo')
  • this local user also needs access to the local target datastore (to write groups/snapshots/chunks - at least Datastore.Backup, possibly more depending on the exact configuration of the sync job)
the last part is what fails for you, so please dump the permissions of this user so we can see what's missing.
1653489501518.png

These are the permission on the server that runs the sync job and fetches the files.
 

da-alb

Member
Jan 18, 2021
88
2
8
Hi, after giving the admin permission to the remote1 user on the remove server (pb-102), it seems that the sync job is working correctly.

I know it may sound strange but before the update everything was working just fine.
 

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get your own in 60 seconds.

Buy now!