Proxmox newbie needing help to setup server/client for linux backup

typoworx

May 6, 2025
Hello there,
I've been using BackupPC recently but I want to switch to a more modern solution. I'm using Hetzner Cloud VMs for Proxmox-Server and my servers (proxmox clients) as well. I've set up Proxmox from repo on Ubuntu 24.

I've set up a backup@pbs user with permissions to my datastore:
| Path | User/Group/API-Token | Role | Propagate |
| --- | --- | --- | --- |
| / | backup@pbs | DataStoreBackup | Yes |
| /datastore/ds0-hetzner-backup | backup@pbs!server01 | DatastoreBackup | Yes |

and API token for client authentication as well:
| User | Token Name | Enabled | Expire | Comment |
| --- | --- | --- | --- | --- |
| backup@pbs | server01 | Yes | never | |

On my proxmox-client (server VM to be backed up):
Bash:
PBS_HOST='proxmox.vlan.my-proxmox-server.net'
PBS_TOKEN_NAME='server01'
PBS_TOKEN_SECRET='043****-****-****-****-********576'
PBS_DATASTORE='ds0-hetzner-backup'
export PBS_FINGERPRINT="c5:07:70:ea:7e:02:e9:77:e7:c5:15:ed:cd:c5:d1:57:53:30:d9:eb:75:1b:41:49:91:f5:b0:ff:f8:21:6f:8c"

export PBS_REPOSITORY="backup@pbs@${PBS_TOKEN_NAME}@${PBS_HOST}:${PBS_DATASTORE}"
export PBS_PASSWORD="${PBS_TOKEN_NAME}!${PBS_TOKEN_SECRET}"

proxmox-backup-client snapshot list

exit
proxmox-backup-client backup \
  etc.pxar:/etc \
  vmail.pxar:/var/vmail \
  --repository "${PBS_REPOSITORY}" \
  --backup-id "$(hostname --fqdn)" \
  --exclude '*.cache'

Gives me:
Code:
Error: permission check failed.

Same for proxmox-backup-client backup (actually skipped by exit in the script).

What is wrong here?


By the way, without PBS_FINGERPRINT proxmox-client is continuously asking me to confirm the fingerprint forever!

proxmox-backup-client version
client version: 3.4.1
 
export PBS_REPOSITORY="backup@pbs@${PBS_TOKEN_NAME}@${PBS_HOST}:${PBS_DATASTORE}"
export PBS_PASSWORD="${PBS_TOKEN_NAME}!${PBS_TOKEN_SECRET}"
Your environmental variables do not follow the required schema. PBS_PASSWORD should be the token secret only and the token name as declared in the PBS_REPOSITORY is required to be separated by an exclamation mark (!), so user@pbs!token@host:store. For details see https://pbs.proxmox.com/docs/backup-client.html#backup-client-usage

Also, be careful with escaping as some of the characters might be interpreted by your shell otherwise.
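
The schema from the reply above as an added example (not code from the thread or from Proxmox): it builds `user@realm!token@host:datastore` from the thread's values, rejects the double-`@` form from the question, and sets PBS_PASSWORD to the token secret only. The function names and the secret file path are assumptions.

```shell
#!/usr/bin/env bash
# Added example: build and check a PBS repository string for API-token auth.
# Schema from the reply above: user@realm!tokenname@host:datastore

# Assemble the repository string. The printf format is single-quoted, so an
# interactive shell never treats '!' as history expansion.
pbs_repository() {
    # args: user realm token_name host datastore
    printf '%s@%s!%s@%s:%s\n' "$1" "$2" "$3" "$4" "$5"
}

# Return 0 if the string has the token form user@realm!token@host[:port]:store.
pbs_repository_valid() {
    printf '%s\n' "$1" |
        grep -Eq '^[^@!:]+@[^@!:]+![^@!:]+@[^@!:]+(:[0-9]+)?:[^@!:]+$'
}

# Load the token secret (and nothing else) into PBS_PASSWORD from a file that
# only its owner can read, instead of keeping it in the script body.
pbs_load_secret() {
    local file=$1 mode
    mode=$(stat -c '%a' "$file") || return 1
    case $mode in
        600|400) ;;
        *) echo "refusing $file: mode $mode, want 600 or 400" >&2; return 1 ;;
    esac
    PBS_PASSWORD=$(cat "$file") && export PBS_PASSWORD
}

# Values taken from the thread; the secret file path below is hypothetical.
PBS_REPOSITORY=$(pbs_repository backup pbs server01 \
    proxmox.vlan.my-proxmox-server.net ds0-hetzner-backup)
pbs_repository_valid "$PBS_REPOSITORY" && export PBS_REPOSITORY
# pbs_load_secret /root/.pbs-token-secret && proxmox-backup-client snapshot list
```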
 
Just another question on top: is it possible to use multiple datastores at once? Like local file-system (or cifs) as datastore1 + S3 storage using rclone mount as second datastore2?

And for excludes how to best do it? It seems like this won't work:
proxmox-backup-client backup \
etc.pxar:/etc \
vmail.pxar:/var/vmail \
--exclude '/etc/*.lock'

the exclude here should be '*.lock' (example only), but then this would match for all backup-dirs and not only /etc (which could cause some trouble for some more generic excludes that should not apply everywhere)
 
Just another question on top: is it possible to use multiple datastores at once? Like local file-system (or cifs) as datastore1 + S3 storage using rclone mount as second datastore2?

Using rclone is a bad idea, rclone is known to break backups stored in a PBS datastore.
https://forum.proxmox.com/threads/datastore-synced-with-rclone-broken.154709/
https://forum.proxmox.com/threads/pbs-appears-not-to-write-to-disk.157751/

The reason is that PBS splits the data into a lot of small files for its deduplication magic (the space savings are insane). To ensure that they are complete and consistent, PBS expects them to be synced in a certain manner (at least according to the explanations given by Proxmox staff here in the forum and in the manual; up to now I'm neither motivated nor skilled enough to check the source code to determine how everything is working). Since the existing options were not sufficient for this use case, the Proxmox developers developed their own sync mechanism for syncing between different PBS instances.

Your best bet would be syncing to another PBS, e.g. in your home network or a service like inett or tuxis managed PBS offerings.
 
And for excludes how to best do it? It seems like this won't work:
proxmox-backup-client backup \
etc.pxar:/etc \
vmail.pxar:/var/vmail \
--exclude '/etc/*.lock'

the exclude here should be '*.lock' (example only), but then this would match for all backup-dirs and not only /etc (which could cause some trouble for some more generic excludes that should not apply everywhere)
One option to solve this would be to place a .pxarexclude at the corresponding archive's root directory (so in your example /etc) and specify the excludes in there. In that case you do not need to specify them via the CLI and the exclude patterns are only applied to that directory sub-tree.

Another option would be to have a more specific pattern.