Prune error (but why?)

I

infra

New Member
Jul 12, 2020
4
2
3
46
I've started a poc with this new product, and was very happy with the result yesterday. Until the results of the nightly job came in.

My setup:
Production PVE (Site A) with permissions set to DatastoreBackup
DR PVE (Site B) with permissions set to DatastoreReader
PBS is a VM on the DR PVE and can reach Site A over a site2site VPN.

After some initial confusions about how to set permissions, I made a backup of a VM on site A and restored it on site B.
This morning the scheduled result came in: Backup failed.

PBS has a good backup, this is the part that is failing:
555: 2020-07-12 00:00:12 INFO: run: /usr/bin/proxmox-backup-client prune vm/555 --quiet 1 --keep-last 1 --repository XXXX@pbs@x.x.x.x:local-poc
555: 2020-07-12 00:00:12 INFO: Error: HTTP Error 403 Forbidden: permission check failed
555: 2020-07-12 00:00:12 ERROR: Backup of VM 555 failed - command '/usr/bin/proxmox-backup-client prune vm/555 --quiet 1 --keep-last 1 --repository XXXX@pbs@x.x.x.x:local-poc' failed: exit code 255

Why is it trying to prune when it seems to be the PBS servers task? I've always been a fan of pull-backups, however access that is write,read but not delete in a push scenario is fine by me. But I cannot allow delete. If site A gets compromised/hacked/cryptolocked, it should never ever have delete access on the backupserver.
 
infra said:
Why is it trying to prune when it seems to be the PBS servers task?
Click to expand...

Because you configured the storage, directly or indirectly, to having max-backups 1 ?
Just set it to 0 to tell Proxmox VE that it's allowed unlimited amounts of backups on that storage then it won't prune anymore and only the Proxmox Backup Server will. The prune settings will be integrated more natively in Proxmox VE in the near future.
 
infra said:
If site A gets compromised/hacked/cryptolocked, it should never ever have delete access on the backupserver.
Click to expand...

Yeah, I mean exactly that's what happened here. It tried to prune but it had no permission to do so...
We explicitly made a own role for pruning, DataStorePoweruser, so that one can differ between "user can make backups" and "user can make backups and prune their own backups".
https://pbs.proxmox.com/docs/administration-guide.html#access-control
 
t.lamprecht said:
Because you configured the storage, directly or indirectly, to having max-backups 1 ?
Just set it to 0 to tell Proxmox VE that it's allowed unlimited amounts of backups on that storage then it won't prune anymore and only the Proxmox Backup Server will. The prune settings will be integrated more natively in Proxmox VE in the near future.
Click to expand...
max-backups was empty, seems odd that that would default to 1 instead of 0. I've set it to 0 now.
 
infra said:
max-backups was empty, seems odd that that would default to 1 instead of 0. I've set it to 0 now.
Click to expand...

yes exactly, the default is 1, AFAIK it was made then to avoid people filling up their space with unlimited backups but making the choice explicit. It's normally not an issue if one uses the webinterface to add a storage, as there it's shown as 1 and thus less subtle.
 
You must log in or register to reply here.

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Quick Navigation

Home Get Subscription Wiki Downloads Proxmox Customer Portal About

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!
Community platform by XenForo® © 2010-2024 XenForo Ltd.
Top Bottom