Side effects of disabled PBS account to access datastore on PVE

Taledo

Nov 20, 2020
Hi all,

We've (finally) got a long-term storage, centralised, last resort PBS where all the other PBS go and dump their backups into.

I want to add a read-only account, of which every cluster will have a token, so that in case of a disaster recovery process, I can restore backups from this PBS all over my PVEs.

Now I don't want this to be used in non-emergency situations, so I was thinking of disabling the account and tokens, but I do not know if there are any issues with having a disabled datastore on my PVEs (I know that back in NFS days, an unreachable NFS share would cause SNMP to time out unless you specified you didn't want to scan NFS shares).

Cheers,
 
You can leave the "last resort" PBS storage disabled in PVE (Datacenter, Storage) so it won't show in PVE, nor will it be queried.

IMHO, that storage should not be configured in PVE unless absolutely necessary: in case of ransom/directed attack/APT, an attacker would get knowledge of that PBS and try to compromise it too. Just leave the procedure documented and add it when needed.

The issue with NFS/Samba is that the storage is left mounted in the host when you disable the storage at datacenter level, causing issues if they become inaccessible, especially with NFS as it uses sync mode.
 