Sync/pull using CLI

daanw

May 5, 2025
I have a second Proxmox Backup Server setup that I only boot occasionally to manually do a pull sync from the first server. For this I created a sync job in the GUI that works just fine. Instead of going into the GUI and triggering the sync job manually, I would like to do the sync from the CLI so I can incorporate it in a script.

From this forum I have learned that there is no way to trigger a configured sync job from the CLI, but issuing a pull command is possible:
Code:
proxmox-backup-manager pull pbs-server1 pbs-ds-server1 pbs-ds-server2 --remove-vanished

This however fails:
Code:
sync group ct/100 failed - owner check failed (root@pam != backup@pbs)

The datastores/backups in both servers are in root namespace. In the GUI of both servers I have configured a user backup@pbs with the DatastoreBackup Role which is used for the remote connection from server2 to server1. I suspect this somehow needs to be incorporated in the CLI command, but from the man pages it is not clear how?
 
Hi,
if invoked via the cli, the sync job is executed as the pam user you are logged in as. So you can either create a dedicated pam user instead of the pbs authenticated user and use that for the sync job (after changing ownership of the already synced groups) or trigger the sync job via an api call using the pbs authenticated user instead.

Edit: Or invoke the pre-configured job as mentioned by @Hannes Laimer, which I forgot...
 
Hey,

proxmox-backup-manager sync-job run <id>
is probably what you want to use, so you start an already configured job.
And to get the id:
proxmox-backup-manager sync-job list
 
Hi,
if invoked via the cli, the sync job is executed as the pam user you are logged in as. So you can either create a dedicated pam user instead of the pbs authenticated user and use that for the sync job (after changing ownership of the already synced groups) or trigger the sync job via an api call using the pbs authenticated user instead.
I guess this would also be a really good addition to the documentation.

Or the other way around, adding --user and --pass options to the pull/push commands (and maybe others) to allow a pbs authenticated user to be used would make this a lot more straightforward and save the hassle of setting up extra pam accounts. I think it's quite common/best practice to use a backup/sync user that has only the minimal required rights?
 
Or the other way around, adding --user and --pass options to the pull/push commands (and maybe others) to allow a pbs authenticated user to be used would make this a lot more straightforward and save the hassle of setting up extra pam accounts. I think it's quite common/best practice to use a backup/sync user that has only the minimal required rights?
Most users will set up periodic sync jobs via their schedule and not trigger manual syncs via the cli, and you are already able to trigger the pre-configured job via api or cli...

We could however extend the current cli command and the api endpoint it invokes to allow for an optional owner/local user... This would need to check if the authenticated user (pam) has the required permissions to not only execute the job but also the permissions to change owner, which boils down to PRIV_DATASTORE_MODIFY.

Please open an issue at https://bugzilla.proxmox.com/ for this, referencing this thread.
 
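Added example, not part of any post in this thread and not Proxmox code: a wrapper for scripting the `sync-job run` call suggested above that flags the owner-check failure quoted in the first post. The function names are hypothetical, the sample log is constructed (only the ct/100 line comes from the thread), and it assumes the command writes the task log to its output.

```bash
#!/usr/bin/env bash
# Added example; run_and_check, owner_mismatches and sample_log are hypothetical names.

# Read a sync/pull log on stdin and print "group run-as owner" once per group
# that hit "owner check failed (A != B)". Following the explanation in the
# thread, A is read as the user the sync ran as and B as the group's owner.
owner_mismatches() {
    sed -n -E \
      's/^.*sync group ([^ ]+) failed - owner check failed \(([^ ]+) != ([^ )]+)\).*$/\1 \2 \3/p' \
      | sort -u
}

# Run the given command, echo its output, and return:
#   0 = command succeeded and no owner mismatch was logged
#   1 = command failed
#   2 = at least one group was skipped because of an owner mismatch
run_and_check() {
    local log rc=0 bad
    log="$("$@" 2>&1)" || rc=1
    printf '%s\n' "$log"
    bad="$(printf '%s\n' "$log" | owner_mismatches)"
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad" | while read -r group run_as owner; do
            printf 'owner mismatch: %s is owned by %s, sync ran as %s\n' \
                "$group" "$owner" "$run_as" >&2
        done
        return 2
    fi
    return "$rc"
}

# Constructed sample log; only the ct/100 line is taken from the thread.
sample_log() {
    cat <<'EOF'
sync group ct/100 failed - owner check failed (root@pam != backup@pbs)
sync group vm/101 failed - owner check failed (root@pam != backup@pbs)
sync group ct/100 failed - owner check failed (root@pam != backup@pbs)
EOF
}

# Usage on the second server, with an id from `proxmox-backup-manager sync-job list`:
#   run_and_check proxmox-backup-manager sync-job run <id>
```

A return code of 2 lets a calling script stop before shutting the second server down again, so a skipped group does not go unnoticed.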