still no immutability option, without a solid immutability option you still need another backup solution.
Proxmox Backup Server 4.2 released!
- Thread starter t.lamprecht
- Start date
For regular datastores this is not easily implemented and requires the underlying storage to provide some mechanism to do so, see https://bugzilla.proxmox.com/show_bug.cgi?id=4293.
For datastores backed by S3, this might get implemented based on the discussion in https://bugzilla.proxmox.com/show_bug.cgi?id=6780 and the there linked forum thread, but I cannot give an ETA.
Edit: FYI, what you can already do is sync to offsite remotes or store to tape if the goal is ransomware protection https://pbs.proxmox.com/docs/storage.html#ransomware-protection-recovery
Last edited:
Adding to your link to the manual I want to point out, that for regular datastores it's not really needed since you can
- Use tapes or usb discs ("removable datastores") as air-gapped backup target
- Setup another PBS behind a firewall so neither the primary PBS nor the PVE nodes can access it. Then the remote PBS can do a pull-sync to the primary PBS.
I had some trouble installing 4.2 on old hardware - it seems the underlying Debian Trixie has dropped support for several components, I could not get the install to complete on a Dell R510 with H700 perc card. I fully understand this is way beyond ideal hardware but what I thought was a full HBA card in a failed newer system turned out to be one of those mini daughter cards (thanks Dell! ), so I have to make do with the H700 in an older chassis as a stop-gap solution. I'm using 2 x fast SSD in hardware raid1 for boot and then the remaining 6 bays each as a RAID0 volume of an enterprise quality SSD which is presented to PBS for ZFS (RAIDZ2) for the data pool. Like I say - not ideal. But I'm also putting in a NAS for 'colder' archive backups in a remote building.
I was getting squashfs errors and it looked like the boot media was faulty. I also suspected it was using EFI rather than Legacy on the older chassis but that wasn't the issue either. I tried a lot of different permutations but came to the conclusion it wasn't possible to install 4.2. What worked was install older PBS 3.2 and upgrade to 4.2 - that was very smooth and no problems. Resulting system seems to be working better than I expected of such old hardware. Smartctl can see the smart data using megaraid so it's reasonably robust.
Anyway, just thought I'd share that 3.2 and upgrading is very smooth if you are using older hardware in a home lab etc. Its my first time trying PBS and I have to say I'm already a huge fan.
I was getting squashfs errors and it looked like the boot media was faulty. I also suspected it was using EFI rather than Legacy on the older chassis but that wasn't the issue either. I tried a lot of different permutations but came to the conclusion it wasn't possible to install 4.2. What worked was install older PBS 3.2 and upgrade to 4.2 - that was very smooth and no problems. Resulting system seems to be working better than I expected of such old hardware. Smartctl can see the smart data using megaraid so it's reasonably robust.
Anyway, just thought I'd share that 3.2 and upgrading is very smooth if you are using older hardware in a home lab etc. Its my first time trying PBS and I have to say I'm already a huge fan.
I’m still playing around with it, but so far I’m happy with it.
I’m coming from Veeam, but Veeam doesn’t seem to work as well with Proxmox as it does with VMware.
I do miss immutability — that’s definitely a must-have — but for now I’m still testing things. Other than that, Veeam seems to work fine so far.
I’m coming from Veeam, but Veeam doesn’t seem to work as well with Proxmox as it does with VMware.
I do miss immutability — that’s definitely a must-have — but for now I’m still testing things. Other than that, Veeam seems to work fine so far.
Last edited:
Hello,
I would like to point out that PBS 4.2 ISO installer seems to not boot on a Hyper-V host (Windows 11 25H2 laptop)
Legacy CSM boot is affected
UEFI boot also affected, regardless if Secure Boot is enabled or not
Symptoms :
Proxmox Backup Server installer Grub menu is displaying just fine
Actual boot using the GUI or Terminal UI options of Grub are not working
The kernel seems to boot fine but the installation media is somehow "not found" ?
Applied workaround :
Install PBS 4.1 and upgrade to 4.2 is OK
Thank you.
I would like to point out that PBS 4.2 ISO installer seems to not boot on a Hyper-V host (Windows 11 25H2 laptop)
Legacy CSM boot is affected
UEFI boot also affected, regardless if Secure Boot is enabled or not
Symptoms :
Proxmox Backup Server installer Grub menu is displaying just fine
Actual boot using the GUI or Terminal UI options of Grub are not working
The kernel seems to boot fine but the installation media is somehow "not found" ?
Applied workaround :
Install PBS 4.1 and upgrade to 4.2 is OK
Thank you.
Follow up. So I noticed an update to the kernel 7 to 7.0.2-2-pve, so I tried it on my PBS with the enterprise subscription (HP, gen 11). It's newer hardware so I figured it might be OK. And it has been fine. So I might try the newer kernel on the HP Microserver Gen 8 again and see what happens. Plus I see the kernel is up to 7.0.2-4-pve. So it may have addressed some issues. We'll see. Wish me luck.
And that's a hard no. The HP Microserver Gen 8 does NOT tolerate kernel 7.0.2-4-pve. As soon as I attempted a backup, a hard crash requiring power off and back on, reboot, and select a 6.17 kernel. We are now pinned to kernel 6.17.13-7-pve. And that's probably the way it's going to have to be. The HP server gen 11 seems to be tolerating the 7.0.2-4-pve kernel just fine though. Strange.
You can use a similar implementation to what Veeam did: XFS immutable storage located on a hardened server outside of PBS and attached as an XFS immutable repository.
Having immutable S3 as an option will do, but tape is not a real option. It is not only expensive legacy technology, but it’s also not practical to rely on people to change tapes.
Last edited:
Could you see any telling error messages? Maybe the persistent syslog has saved something so that you do not need to retry booting into 7.0 in your setup to gather those logs.
New LTO generations are still being released, autoloaders and libraries handle the swapping, and WORM media gives you actual physical protection-not just a software flag that can be cleared. Tape is cheap per TB over its whole lifetime and, more importantly, it doesn't share a failure domain with the credentials managing it. That's why 3-2-1-1-0 still (should) end in a "1" that's offline. Use immutable S3 by all means, but dismissing tape is how some people end up with a very modern backup set they can't restore when really facing such an attack.
As for XFS immutable: it's "just" a
chattr +i that root can reverse just as easily. Its real protection comes mostly from it living on a separate box, so an attacker who owns the backup server can't trivially nuke the data. You get basically (rather exactly) the same guarantee in PBS today by pushing to a remote with a user that can create but not delete-no XFS gymnastics required.Tape is certainly not perfect, and its biggest drawback is latency, and somewhat also throughput, but it definitely is still a very valid option.
I'll do another test and get you that information. The focus at that moment was getting things operating again. But I'll do a more controlled test to get as much information as I can. It's a holiday weekend here, so maybe I can spend some time on that this weekend when the business is closed.