Restoring backup from off-site PBS server.

SamTzu

I'm planning to test restoring backup from off-site PBS server. I realised that I don't have a clue how to do this.
We have a remote backup server but no obvious way to sync back an old backup.
(One VM only.)
Restoration from local PBS is simple but how does one do it if the host does not have access to the off-site PBS?
 
You want to grant the local PVE or PBS the needed rights (ideally via a dedicated API token and/or user), restore/sync everything and afterwards revoke the access rights.
 
Like I said, "the host does not have access to the off-site PBS."
This is by design. If the host had access, someone might be able to destroy the off-site backups.
Off-Site PBS should be able to push back the synced backups.
 
That's not possible, PBS can only push to another PBS. So you would set up a local PBS and configure the remote to push its backups to the local. It might be useful to use a dedicated namespace on the local PBS to have privilege separation.
 
If the datastore is on ZFS you could also use zfs send/receive to replicate the data to another host. rsync.net for example allows this: https://www.rsync.net/products/zfsintro.html

For USB or other external drives you can use the function for removable datastores or tape backups for air-gapped backup.

Concerning ransomware protection of the regular PBS backups, the best approach would be to configure the remote PBS to do a pull-sync from your local PBS so you only need to allow access from the remote PBS to the local PBS: https://pbs.proxmox.com/docs/storage.html#ransomware-protection-recovery

With that you would set up the PBS hosts like this:
- Remote PBS doesn't allow incoming connections by default (via iptables rules or some other firewall), the PBS permissions allow restoring the backups but nothing else. A pull-sync job pulls backups from the local PBS.
- Local PBS allows incoming connections from the PBS and your ProxmoxVE hosts for pulling, writing and restoring backups (again on a firewall level). PBS permissions allow the PVE hosts to create and restore backups but not to remove or edit them. The remote PBS is allowed to pull backups but not to edit or remove them.

Normally, no connection to the remote PBS is possible, which ultimately makes ransomware attacks impossible. If you need a backup from the remote PBS you would create a temporary exception in the firewall, restore/pull the backup and afterwards remove the exception.

HTH
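
An added example (not part of the original post, and not Proxmox's own code) that checks the permission layout described above: no token except an explicitly allowed admin should hold a role that can prune or modify backups on the datastore. It assumes the `acl:<propagate>:<path>:<auth-ids>:<roles>` line layout of the PBS `acl.cfg` file; the sample entries, user names and token names are constructed.

```python
# Added example: audit PBS ACL entries against the layout described above.
# Assumption: these built-in roles can prune or modify backups.
DESTRUCTIVE_ROLES = {"Admin", "DatastoreAdmin", "DatastorePowerUser"}

# Constructed sample; assumed layout: acl:<propagate>:<path>:<auth-ids>:<roles>
SAMPLE_ACL = """\
acl:1:/datastore/local/pve:pve1@pbs!backup:DatastoreBackup
acl:1:/datastore/local:offsite@pbs!pull:DatastoreReader
acl:1:/datastore/local:pve2@pbs!backup:DatastorePowerUser
acl:1:/:root@pam:Admin
"""

def parse_acl(text):
    """Return (path, auth_id, role, propagate) for every grant in the text."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 5 or fields[0] != "acl":
            raise ValueError(f"unrecognised ACL line: {raw!r}")
        _, propagate, path, auth_ids, roles = fields
        for auth_id in auth_ids.split(","):
            for role in roles.split(","):
                entries.append((path, auth_id.strip(), role.strip(), propagate == "1"))
    return entries

def applies(acl_path, propagate, target):
    """True if an ACL set on acl_path is effective on the target path."""
    if acl_path == target:
        return True
    return propagate and target.startswith(acl_path.rstrip("/") + "/")

def destructive_grants(text, datastore_path, allowed=("root@pam",)):
    """List (auth_id, path, role) grants that can prune or modify backups
    on datastore_path or in a namespace below it."""
    findings = []
    below = datastore_path.rstrip("/") + "/"
    for path, auth_id, role, propagate in parse_acl(text):
        if auth_id in allowed or role not in DESTRUCTIVE_ROLES:
            continue
        if applies(path, propagate, datastore_path) or path.startswith(below):
            findings.append((auth_id, path, role))
    return findings

if __name__ == "__main__":
    for finding in destructive_grants(SAMPLE_ACL, "/datastore/local"):
        print("over-privileged:", finding)
```
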
 
That's not possible, PBS can only push to another PBS. So you would set up a local PBS and configure the remote to push its backups to the local. It might be useful to use a dedicated namespace on the local PBS to have privilege separation.
It's the opposite, a remote off-site PBS can only PULL to sync, there is no push ability... So yes, you would need to temporarily open 8007 (with source IP restrictions or VPN) at the remote PBS and set it up as a local backup device on the PVE server or as a replication partner for the local PBS to pull. You can make a user or API on the PBS, and delete/revoke when done.

FEATURE REQUEST @dev TEAM:
The ultimate solution would be to plug a USB SSD into the remote PBS, hit an export button in the GUI for selected archives and then drive it back to the original site and import the volume into the PBS to allow restore directly from the USB to the PVE. Imagine not having to wait for 2-4TB of data to replicate over a medium rate ISP.
 
It's the opposite, a remote off-site PBS can only PULL to sync, there is no push ability...

Actually you can sync in both directions:
https://pbs.proxmox.com/docs/managing-remotes.html#sync-direction-push

But you will need to set the needed access rights.


The ultimate solution would be to plug a USB SSD into the remote PBS, hit an export button in the GUI for selected archives and then drive it back to the original site and import the volume into the PBS to allow restore directly from the USB to the PVE. Imagine not having to wait for 2-4TB of data to replicate over a medium rate ISP.

Shouldn't this be possible with the new features for removable datastores?
https://pbs.proxmox.com/docs/storage.html#datastore-configuration
 
Actually you can sync in both directions:
https://pbs.proxmox.com/docs/managing-remotes.html#sync-direction-push

But you will need to set the needed access rights.




Shouldn't this be possible with the new features for removable datastores?
https://pbs.proxmox.com/docs/storage.html#datastore-configuration
Yes, funny, I opened a feature request, and that is exactly the response: it is available. I was a couple of revs behind, and now on 3.3.3 I see there is now push/pull, and Removable Datasets. You might plug in a USB SSD, create a Push sync and set "Transfer Last" to 1 snapshot, Max Depth to 1, and set a Group Filter to the specific VMs needed, and that should lower time to restore.
Back on site you would check Removable and "Reuse existing datastore"
 