Snapshotting ZFS-Datasets & Samba-Share with shadowcopy over LXC

Ramalama

Dec 26, 2020
Hi guys, I need a bit of help; maybe this could become a great tutorial for others later:

Goal:
- Creating a ZFS Dataset
- mount it inside an LXC Container that runs Samba with vfs shadowcopy
- Create Snapshot Retention Plan

Foreword:
I know how to basically do this with whole Pools.
But I have no Disks left, sadly. Additionally, snapshotting only Datasets is quite comfortable, because you can simply create Datasets for every need without wasting space and snapshot only the specific Data, not the whole Pool.
This is actually amazing if you have one gigantic Pool with raid10/5/1/z1/z2 with vdevs/caches/l2arc etc... and you run everything on that single pool.
So snapshotting that gigantic pool is quite uncomfortable.

Hardware:
zfs pool --> DATA
Consists of 4 Drives raid 10 / 32gb raid1 optane as vdev / (2x Firecuda120 in raid1) split up into 60gb log drive and 60gb cache drive

Todo:
1. Creating Dataset: zfs create DATA/SMB-DATA
2. Create a Privileged LXC Container, set it up with Samba
--- Doesn't actually matter whether privileged or unprivileged, just keep in mind that with unprivileged containers the files in the dataset will have shifted UID/GID above 100k, while privileged containers usually keep almost the same user uid/gid numbers as the host.
3. Mount the ZFS Dataset:
--- Open the lxc config: /etc/pve/lxc/1XX.conf and add mp0: /DATA/SMB-DATA,mp=/smb_storage, then save and start the container again.
--- Small Help/Hint: mp0: /source/folder,mp=/destination/folder
4. Adjust Samba config to share that folder [More on that later]

Now at this point I'm struggling and that's where I need help:
create dataset: zfs create DATA/SMB-DATA
create snapshot: zfs snapshot DATA/SMB-DATA@test1/2/3/4/etc...
delete snapshot: zfs destroy DATA/SMB-DATA@test1
list snapshots: zfs list -t snapshot

1. Do I need to add the dataset to the proxmox gui? Is there any reason/need/benefit?
--> pvesm add zfspool samba_files -pool DATA/SMB-DATA
2. Is there any script/gui/anything that lets me stupidly set up a snapshot retention plan?
--> It would be a pain in the ass to set that up as cronjobs.
3. Is it actually possible, or has anyone tried, to make snapshots inside an LXC Container?
--> But this would require some sort of zfs passthrough of the whole pool to the container?
--> I'm just asking, because there is probably some gui/docker whatever available to manage zfs pools/datasets/snapshots, I just don't want to install that crap directly on the host.

That's basically it, mainly I need recommendations on what you guys are using to manage snapshots.
I mean I know, we can do it via cli, but that's just so uncomfortable.. xD
When I have everything running, I will simply convert this thread into a how-to.
Basically I have had everything running for 2 years or so, just without snapshots :D
And slowly it's getting critical, if some virus or other crap deletes/encrypts my samba share data.
That's why I want shadowcopy xD

Cheers and Thanks!
 
2. Is there any script/gui/anything that lets me stupidly set up a snapshot retention plan?
--> It would be a pain in the ass to set that up as cronjobs.
There are a lot of scripts:
https://github.com/zfsonlinux/zfs-auto-snapshot
https://github.com/zfsnap/zfsnap
https://crates.io/crates/zfs-autosnap
https://github.com/Corsinvest/cv4pve-autosnap

The last one should be preferred for snapshotting VMs/LXCs because it uses the PVE API, so fsfreeze will be used to ensure data integrity of the guests. But as it uses the PVE API it won't be able to snapshot datasets/zvols that are not managed by PVE.
Do I need to add the dataset to the proxmox gui? Is there any reason/need/benefit?
--> pvesm add zfspool samba_files -pool DATA/SMB-DATA
No, only if you want to store VMs/LXCs on top of it.
3. Is it actually possible, or has anyone tried, to make snapshots inside an LXC Container?
--> But this would require some sort of zfs passthrough of the whole pool to the container?
--> I'm just asking, because there is probably some gui/docker whatever available to manage zfs pools/datasets/snapshots, I just don't want to install that crap directly on the host.
Never tested this, but I would bet that this isn't possible with normal bind-mounts. It would be a really bad security concern if LXC were able to manipulate your ZFS pool.

Basically I have had everything running for 2 years or so, just without snapshots :D
And slowly it's getting critical, if some virus or other crap deletes/encrypts my samba share data.
That's why I want shadowcopy xD
For ransomware protection you need to keep those snapshots for months and this isn't great. If you have a 3-month-old snapshot, that also means that everything you deleted in the last 3 months can't really be deleted and still consumes the full space. The older your snapshots get, the more space they will consume... after some months the snapshots might consume a multiple of the size of the actual data that you snapshotted.
It should be more space efficient to use a Proxmox Backup Server (PBS) for long-term backups instead. And snapshots or raid never replace a real backup. So you would need to create backups in addition to snapshots anyway.

My recommendation would be snapshots for hourly to daily retention and PBS for daily to annual retention.
 
I actually thought the same, that I additionally need at least one long-term backup.
Just didn't speak about that, to not get off-topic.

Otherwise, thank you for answering my answers. That's a perfect reply, exactly what I wanted to know

About the snapshot solutions, the first 3 look a bit outdated to me.
C4pe is actually exactly what I need/want, the only downside is that it is made mainly for vm/container snapshotting, not so much for datasets.
But it was long ago that I tested it, maybe they added some features or maybe there are workarounds lately to "misuse" it for datasets.

I simply need to test all 4 solutions first and then I can revert to this topic.

Thanks for the help!
 
Hey @Dunuin, I've tested some solutions now:
https://github.com/zfsonlinux/zfs-auto-snapshot -> not really straightforward/outdated, badly documented
https://github.com/zfsnap/zfsnap -> looks great, well documented, but archived by the owner, just a matter of time till it won't work at some point
https://crates.io/crates/zfs-autosnap -> great, testing right now, bit outdated, but for me it looks like the best candidate
https://github.com/Corsinvest/cv4pve-autosnap -> great, tested already, works perfectly, but absolutely no options for pools/datasets, only for vms/containers
https://www.cv4pve-tools.com/installazione-toolbox-docker/ -> really bad, outdated, nice gui, no options for datasets, and it basically doesn't work anymore anyway.

However, zfs-autosnap is probably what I'll stick to, it seems! I just wish there were a gui, to simply check on a webpage how much the snapshots consume, when they were made etc, a delete option or snapshot now....
but that sadly doesn't exist, so zfs-autosnap combined with zfs list -t snapshot does the job too.

However, it's working absolutely amazingly,
if you mount your dataset straight into the container, for example:
create the Dataset: zfs create DATA/SMB-DATA
edit lxc.conf and add: mp0: /DATA/SMB-DATA,mp=/smb_storage

then you start the container and play a bit:
inside the container or host: touch /DATA/SMB-DATA/test234.txt or in the Container touch /smb_storage/test234.txt
on the host: zfs snapshot DATA/SMB-DATA@test123
inside the container: cd /smb_storage/.zfs/ && ls -lah

you will actually see the zfs snapshots here (inside the container), with 777 rights and root as owner.
Which is actually exactly what you need for samba shadowcopy!

Just for zfs create DATA/SMB-DATA I'm playing atm with zfs-autosnap, takes a bit, need to see if it deletes/and everything else over a longer period.

Otherwise this is all a lot easier than I thought, actually even wondering that you can access snapshots that easily from inside the container.
As the snapshot directories are 777 anyway, this will work for sure even with unprivileged containers.

However, I will finish the first post, tomorrow maybe.
It's all a lot easier than I thought and doesn't even require a lot of knowledge lol, so it will make a perfect How-To xD

Cheers & Thanks
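Added example, not part of the thread and not code from any of the linked tools: a minimal host-side snapshot-and-prune script for the DATA/SMB-DATA dataset discussed above, naming snapshots so that Samba's shadow_copy2 module can parse them. The `auto-` prefix, the keep count of 24 and the smb.conf lines in the comments are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): host-side snapshot + prune for one dataset.
# Matching smb.conf share options for Samba's shadow_copy2 (assumed share setup):
#   vfs objects = shadow_copy2
#   shadow:snapdir = .zfs/snapshot
#   shadow:format = auto-%Y-%m-%d_%H%M
#   shadow:sort = desc
DATASET="DATA/SMB-DATA"   # dataset from the thread
PREFIX="auto-"            # assumption: marks snapshots this script owns
KEEP=24                   # assumption: number of newest snapshots to keep

# Name for a new snapshot; UTC because shadow_copy2 expects GMT by default.
snap_name() {
    printf '%s@%s%s\n' "$DATASET" "$PREFIX" "$(date -u +%Y-%m-%d_%H%M)"
}

# stdin: snapshot names in any order. stdout: names to destroy, oldest first.
# Only exact "$DATASET@$PREFIX<timestamp>" names qualify, so manual snapshots
# (e.g. @test123), child datasets and other pools are never selected.
plan_prune() {
    awk -v p="$DATASET@$PREFIX" 'index($0, p) == 1 &&
        substr($0, length(p) + 1) ~ /^[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]_[0-9][0-9][0-9][0-9]$/' |
        sort -r | awk -v keep="$1" 'NR > keep' | sort
}

# Dry run unless called with --apply. Every name reaching zfs destroy contains
# an "@", so a dataset itself can never be destroyed from here.
prune() {
    zfs list -H -o name -t snapshot -r "$DATASET" | plan_prune "$KEEP" |
    while IFS= read -r snap; do
        if [ "${1:-}" = "--apply" ]; then
            zfs destroy "$snap"
        else
            echo "would destroy $snap"
        fi
    done
}

# Usage from cron on the host: script.sh snap   |   script.sh prune [--apply]
case "${1:-}" in
    snap)  zfs snapshot "$(snap_name)" ;;
    prune) prune "${2:-}" ;;
esac
```

Because this runs on the host and the container only has the bind mount, a process that compromises the Samba share sees the snapshots under `.zfs/snapshot` but has no `zfs` command path to destroy them.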
 
