]>
Commit | Line | Data |
---|---|---|
24406ebc TL |
1 | Backup Management |
2 | ================= | |
7e688b71 | 3 | |
24406ebc TL |
4 | .. The administration guide. |
5 | .. todo:: either add a bit more explanation or remove the previous sentence | |
c4f1b69f | 6 | |
fea8789c DM |
7 | Terminology |
8 | ----------- | |
9 | ||
85e139b7 DM |
10 | Backup Content |
11 | ~~~~~~~~~~~~~~ | |
12 | ||
13 | When doing deduplication, there are different strategies to get | |
14 | optimal results in terms of performance and/or deduplication rates. | |
8c6e5ce2 | 15 | Depending on the type of data, it can be split into *fixed* or *variable* |
85e139b7 DM |
16 | sized chunks. |
17 | ||
8c6e5ce2 | 18 | Fixed sized chunking requires minimal CPU power, and is used to |
85e139b7 DM |
19 | backup virtual machine images. |
20 | ||
21 | Variable sized chunking needs more CPU power, but is essential to get | |
22 | good deduplication rates for file archives. | |
23 | ||
8c6e5ce2 | 24 | The Proxmox Backup Server supports both strategies. |
85e139b7 DM |
25 | |
26 | ||
57905a61 DM |
27 | File Archives: ``<name>.pxar`` |
28 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ | |
85e139b7 DM |
29 | |
30 | .. see https://moinakg.wordpress.com/2013/06/22/high-performance-content-defined-chunking/ | |
31 | ||
4f3db187 | 32 | A file archive stores a full directory tree. Content is stored using |
8c6e5ce2 | 33 | the :ref:`pxar-format`, split into variable-sized chunks. The format |
4f3db187 | 34 | is optimized to achieve good deduplication rates. |
85e139b7 DM |
35 | |
36 | ||
57905a61 DM |
37 | Image Archives: ``<name>.img`` |
38 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ | |
85e139b7 DM |
39 | |
40 | This is used for virtual machine images and other large binary | |
8c6e5ce2 | 41 | data. Content is split into fixed-sized chunks. |
85e139b7 DM |
42 | |
43 | ||
44 | Binary Data (BLOBs) | |
45 | ^^^^^^^^^^^^^^^^^^^ | |
46 | ||
4f3db187 AL |
47 | This type is used to store smaller (< 16MB) binary data such as |
48 | configuration files. Larger files should be stored as image archive. | |
85e139b7 DM |
49 | |
50 | .. caution:: Please do not store all files as BLOBs. Instead, use the | |
51 | file archive to store whole directory trees. | |
52 | ||
53 | ||
57905a61 DM |
54 | Catalog File: ``catalog.pcat1`` |
55 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ | |
56 | ||
4f3db187 | 57 | The catalog file is an index for file archives. It contains |
8c6e5ce2 | 58 | the list of files and is used to speed up search operations. |
57905a61 DM |
59 | |
60 | ||
61 | The Manifest: ``index.json`` | |
62 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^ | |
63 | ||
4f3db187 AL |
64 | The manifest contains the list of all backup files, their |
65 | sizes and checksums. It is used to verify the consistency of a | |
57905a61 DM |
66 | backup. |
67 | ||
68 | ||
fea8789c DM |
69 | Backup Type |
70 | ~~~~~~~~~~~ | |
71 | ||
72 | The backup server groups backups by *type*, where *type* is one of: | |
73 | ||
74 | ``vm`` | |
a129fdd9 | 75 | This type is used for :term:`virtual machine`\ s. Typically |
8c6e5ce2 | 76 | consists of the virtual machine's configuration file and an image archive |
fea8789c DM |
77 | for each disk. |
78 | ||
79 | ``ct`` | |
8c6e5ce2 OB |
80 | This type is used for :term:`container`\ s. Consists of the container's |
81 | configuration and a single file archive for the filesystem content. | |
fea8789c DM |
82 | |
83 | ``host`` | |
4f3db187 AL |
84 | This type is used for backups created from within the backed up machine. |
85 | Typically this would be a physical host but could also be a virtual machine | |
86 | or container. Such backups may contain file and image archives, there are no restrictions in this regard. | |
fea8789c DM |
87 | |
88 | ||
89 | Backup ID | |
90 | ~~~~~~~~~ | |
91 | ||
8c6e5ce2 | 92 | A unique ID. Usually the virtual machine or container ID. ``host`` |
fea8789c DM |
93 | type backups normally use the hostname. |
94 | ||
95 | ||
96 | Backup Time | |
97 | ~~~~~~~~~~~ | |
98 | ||
99 | The time when the backup was made. | |
100 | ||
101 | ||
6e5a0c03 DM |
102 | Backup Group |
103 | ~~~~~~~~~~~~ | |
104 | ||
4f3db187 AL |
105 | The tuple ``<type>/<ID>`` is called a backup group. Such a group |
106 | may contain one or more backup snapshots. | |
6e5a0c03 DM |
107 | |
108 | ||
fea8789c DM |
109 | Backup Snapshot |
110 | ~~~~~~~~~~~~~~~ | |
111 | ||
4f3db187 | 112 | The triplet ``<type>/<ID>/<time>`` is called a backup snapshot. It |
fea8789c DM |
113 | uniquely identifies a specific backup within a datastore. |
114 | ||
115 | .. code-block:: console | |
116 | :caption: Backup Snapshot Examples | |
117 | ||
118 | vm/104/2019-10-09T08:01:06Z | |
119 | host/elsa/2019-11-08T09:48:14Z | |
120 | ||
4f3db187 | 121 | As you can see, the time format is RFC3399_ with Coordinated |
fea8789c DM |
122 | Universal Time (UTC_, identified by the trailing *Z*). |
123 | ||
8c6e5ce2 OB |
124 | Backup Server Management |
125 | ------------------------ | |
126 | ||
127 | The command line tool to configure and manage the backup server is called | |
128 | :command:`proxmox-backup-manager`. | |
129 | ||
130 | ||
fea8789c DM |
131 | |
132 | :term:`DataStore` | |
133 | ~~~~~~~~~~~~~~~~~ | |
134 | ||
4f3db187 | 135 | A datastore is a place where backups are stored. The current implementation |
fea8789c | 136 | uses a directory inside a standard unix file system (``ext4``, ``xfs`` |
4f3db187 | 137 | or ``zfs``) to store the backup data. |
fea8789c | 138 | |
4f3db187 | 139 | Datastores are identified by a simple *ID*. You can configure it |
fea8789c DM |
140 | when setting up the backup server. |
141 | ||
538c2b6d TL |
142 | .. note:: The `File Layout`_ requires the file system to support at least *65538* |
143 | subdirectories per directory. That number comes from the 2\ :sup:`16` | |
144 | pre-created chunk namespace directories, and the ``.`` and ``..`` default | |
145 | directory entries. This requirement excludes certain filesystems and | |
146 | filesystem configuration from being supported for a datastore. For example, | |
147 | ``ext3`` as a whole or ``ext4`` with the ``dir_nlink`` feature manually disabled. | |
fea8789c | 148 | |
dce9dd6f DW |
149 | Disk Management |
150 | ~~~~~~~~~~~~~~~ | |
151 | Proxmox Backup Server comes with a set of disk utilities, which are | |
152 | accessed using the ``disk`` subcommand. This subcommand allows you to initialize | |
153 | disks, create various filesystems, and get information about the disks. | |
154 | ||
155 | To view the disks connected to the system, use the ``list`` subcommand of | |
156 | ``disk``: | |
157 | ||
158 | .. code-block:: console | |
159 | ||
160 | # proxmox-backup-manager disk list | |
161 | ┌──────┬────────┬─────┬───────────┬─────────────┬───────────────┬─────────┬────────┐ | |
162 | │ name │ used │ gpt │ disk-type │ size │ model │ wearout │ status │ | |
163 | ╞══════╪════════╪═════╪═══════════╪═════════════╪═══════════════╪═════════╪════════╡ | |
164 | │ sda │ lvm │ 1 │ hdd │ 34359738368 │ QEMU_HARDDISK │ - │ passed │ | |
165 | ├──────┼────────┼─────┼───────────┼─────────────┼───────────────┼─────────┼────────┤ | |
166 | │ sdb │ unused │ 1 │ hdd │ 68719476736 │ QEMU_HARDDISK │ - │ passed │ | |
167 | ├──────┼────────┼─────┼───────────┼─────────────┼───────────────┼─────────┼────────┤ | |
168 | │ sdc │ unused │ 1 │ hdd │ 68719476736 │ QEMU_HARDDISK │ - │ passed │ | |
169 | └──────┴────────┴─────┴───────────┴─────────────┴───────────────┴─────────┴────────┘ | |
170 | ||
171 | To initialize a disk with a new GPT, use the ``initialize`` subcommand: | |
172 | ||
173 | .. code-block:: console | |
174 | ||
175 | # proxmox-backup-manager disk initialize sdX | |
176 | ||
177 | You can create an ``ext4`` or ``xfs`` filesystem on a disk, using ``fs | |
178 | create``. The following command creates an ``ext4`` filesystem and passes the | |
179 | ``--add-datastore`` parameter, in order to automatically create a datastore on | |
180 | the disk (in this case ``sdd``). This will create a datastore at the location | |
181 | ``/mnt/datastore/store1``: | |
182 | ||
183 | .. code-block:: console | |
184 | ||
185 | # proxmox-backup-manager disk fs create store1 --disk sdd --filesystem ext4 --add-datastore true | |
dce9dd6f DW |
186 | create datastore 'store1' on disk sdd |
187 | Percentage done: 1 | |
188 | ... | |
189 | Percentage done: 99 | |
190 | TASK OK | |
dce9dd6f DW |
191 | |
192 | You can also create a ``zpool`` with various raid levels. The command below | |
193 | creates a mirrored ``zpool`` using two disks (``sdb`` & ``sdc``) and mounts it | |
194 | on the root directory (default): | |
195 | ||
196 | .. code-block:: console | |
197 | ||
198 | # proxmox-backup-manager disk zpool create zpool1 --devices sdb,sdc --raidlevel mirror | |
dce9dd6f DW |
199 | create Mirror zpool 'zpool1' on devices 'sdb,sdc' |
200 | # "zpool" "create" "-o" "ashift=12" "zpool1" "mirror" "sdb" "sdc" | |
201 | ||
202 | TASK OK | |
dce9dd6f DW |
203 | |
204 | .. note:: | |
205 | You can also pass the ``--add-datastore`` parameter here, to automatically | |
206 | create a datastore from the disk. | |
207 | ||
208 | You can use ``disk fs list`` and ``disk zpool list`` to keep track of your | |
209 | filesystems and zpools respectively. | |
210 | ||
211 | If a disk supports S.M.A.R.T. capability, and you have this enabled, you can | |
212 | display S.M.A.R.T. attributes using the command: | |
213 | ||
214 | .. code-block:: console | |
215 | ||
216 | # proxmox-backup-manager disk smart-attributes sdX | |
58ea88c8 DM |
217 | |
218 | Datastore Configuration | |
219 | ~~~~~~~~~~~~~~~~~~~~~~~ | |
220 | ||
8c6e5ce2 OB |
221 | You can configure multiple datastores. Minimum one datastore needs to be |
222 | configured. The datastore is identified by a simple `name` and points to a | |
22231524 SI |
223 | directory on the filesystem. Each datastore also has associated retention |
224 | settings of how many backup snapshots for each interval of ``hourly``, | |
aef49768 | 225 | ``daily``, ``weekly``, ``monthly``, ``yearly`` as well as a time-independent |
22231524 SI |
226 | number of backups to keep in that store. :ref:`Pruning <pruning>` and |
227 | :ref:`garbage collection <garbage-collection>` can also be configured to run | |
228 | periodically based on a configured :term:`schedule` per datastore. | |
58ea88c8 DM |
229 | |
230 | The following command creates a new datastore called ``store1`` on :file:`/backup/disk1/store1` | |
231 | ||
232 | .. code-block:: console | |
233 | ||
234 | # proxmox-backup-manager datastore create store1 /backup/disk1/store1 | |
235 | ||
4f3db187 | 236 | To list existing datastores run: |
58ea88c8 DM |
237 | |
238 | .. code-block:: console | |
239 | ||
240 | # proxmox-backup-manager datastore list | |
17ec699d DM |
241 | ┌────────┬──────────────────────┬─────────────────────────────┐ |
242 | │ name │ path │ comment │ | |
243 | ╞════════╪══════════════════════╪═════════════════════════════╡ | |
244 | │ store1 │ /backup/disk1/store1 │ This is my default storage. │ | |
245 | └────────┴──────────────────────┴─────────────────────────────┘ | |
58ea88c8 | 246 | |
22231524 SI |
247 | You can change settings of a datastore, for example to set a prune and garbage |
248 | collection schedule or retention settings using ``update`` subcommand and view | |
249 | a datastore with the ``show`` subcommand: | |
250 | ||
251 | .. code-block:: console | |
252 | ||
253 | # proxmox-backup-manager datastore update store1 --keep-last 7 --prune-schedule daily --gc-schedule 'Tue 04:27' | |
254 | # proxmox-backup-manager datastore show store1 | |
255 | ┌────────────────┬─────────────────────────────┐ | |
256 | │ Name │ Value │ | |
257 | ╞════════════════╪═════════════════════════════╡ | |
258 | │ name │ store1 │ | |
259 | ├────────────────┼─────────────────────────────┤ | |
260 | │ path │ /backup/disk1/store1 │ | |
261 | ├────────────────┼─────────────────────────────┤ | |
262 | │ comment │ This is my default storage. │ | |
263 | ├────────────────┼─────────────────────────────┤ | |
264 | │ gc-schedule │ Tue 04:27 │ | |
265 | ├────────────────┼─────────────────────────────┤ | |
266 | │ keep-last │ 7 │ | |
267 | ├────────────────┼─────────────────────────────┤ | |
268 | │ prune-schedule │ daily │ | |
269 | └────────────────┴─────────────────────────────┘ | |
270 | ||
4f3db187 | 271 | Finally, it is possible to remove the datastore configuration: |
58ea88c8 DM |
272 | |
273 | .. code-block:: console | |
274 | ||
275 | # proxmox-backup-manager datastore remove store1 | |
276 | ||
4f3db187 | 277 | .. note:: The above command removes only the datastore configuration. It does |
58ea88c8 DM |
278 | not delete any data from the underlying directory. |
279 | ||
280 | ||
fea8789c DM |
281 | File Layout |
282 | ^^^^^^^^^^^ | |
283 | ||
8c6e5ce2 OB |
284 | After creating a datastore, the following default layout will appear: |
285 | ||
286 | .. code-block:: console | |
24406ebc | 287 | |
8c6e5ce2 OB |
288 | # ls -arilh /backup/disk1/store1 |
289 | 276493 -rw-r--r-- 1 backup backup 0 Jul 8 12:35 .lock | |
290 | 276490 drwxr-x--- 1 backup backup 1064960 Jul 8 12:35 .chunks | |
291 | ||
292 | `.lock` is an empty file used for process locking. | |
293 | ||
294 | The `.chunks` directory contains folders, starting from `0000` and taking hexadecimal values until `ffff`. These | |
295 | directories will store the chunked data after a backup operation has been executed. | |
296 | ||
297 | .. code-block:: console | |
24406ebc | 298 | |
8c6e5ce2 OB |
299 | # ls -arilh /backup/disk1/store1/.chunks |
300 | 545824 drwxr-x--- 2 backup backup 4.0K Jul 8 12:35 ffff | |
301 | 545823 drwxr-x--- 2 backup backup 4.0K Jul 8 12:35 fffe | |
302 | 415621 drwxr-x--- 2 backup backup 4.0K Jul 8 12:35 fffd | |
303 | 415620 drwxr-x--- 2 backup backup 4.0K Jul 8 12:35 fffc | |
304 | 353187 drwxr-x--- 2 backup backup 4.0K Jul 8 12:35 fffb | |
305 | 344995 drwxr-x--- 2 backup backup 4.0K Jul 8 12:35 fffa | |
306 | 144079 drwxr-x--- 2 backup backup 4.0K Jul 8 12:35 fff9 | |
307 | 144078 drwxr-x--- 2 backup backup 4.0K Jul 8 12:35 fff8 | |
308 | 144077 drwxr-x--- 2 backup backup 4.0K Jul 8 12:35 fff7 | |
309 | ... | |
310 | 403180 drwxr-x--- 2 backup backup 4.0K Jul 8 12:35 000c | |
311 | 403179 drwxr-x--- 2 backup backup 4.0K Jul 8 12:35 000b | |
312 | 403177 drwxr-x--- 2 backup backup 4.0K Jul 8 12:35 000a | |
313 | 402530 drwxr-x--- 2 backup backup 4.0K Jul 8 12:35 0009 | |
314 | 402513 drwxr-x--- 2 backup backup 4.0K Jul 8 12:35 0008 | |
315 | 402509 drwxr-x--- 2 backup backup 4.0K Jul 8 12:35 0007 | |
316 | 276509 drwxr-x--- 2 backup backup 4.0K Jul 8 12:35 0006 | |
317 | 276508 drwxr-x--- 2 backup backup 4.0K Jul 8 12:35 0005 | |
318 | 276507 drwxr-x--- 2 backup backup 4.0K Jul 8 12:35 0004 | |
319 | 276501 drwxr-x--- 2 backup backup 4.0K Jul 8 12:35 0003 | |
320 | 276499 drwxr-x--- 2 backup backup 4.0K Jul 8 12:35 0002 | |
321 | 276498 drwxr-x--- 2 backup backup 4.0K Jul 8 12:35 0001 | |
322 | 276494 drwxr-x--- 2 backup backup 4.0K Jul 8 12:35 0000 | |
323 | 276489 drwxr-xr-x 3 backup backup 4.0K Jul 8 12:35 .. | |
324 | 276490 drwxr-x--- 1 backup backup 1.1M Jul 8 12:35 . | |
325 | ||
fea8789c DM |
326 | |
327 | ||
17ec699d DM |
328 | User Management |
329 | ~~~~~~~~~~~~~~~ | |
330 | ||
8c6e5ce2 | 331 | Proxmox Backup Server supports several authentication realms, and you need to |
17ec699d DM |
332 | choose the realm when you add a new user. Possible realms are: |
333 | ||
334 | :pam: Linux PAM standard authentication. Use this if you want to | |
8c6e5ce2 | 335 | authenticate as Linux system user (Users need to exist on the |
17ec699d DM |
336 | system). |
337 | ||
338 | :pbs: Proxmox Backup Server realm. This type stores hashed passwords in | |
339 | ``/etc/proxmox-backup/shadow.json``. | |
340 | ||
341 | After installation, there is a single user ``root@pam``, which | |
342 | corresponds to the Unix superuser. You can use the | |
343 | ``proxmox-backup-manager`` command line tool to list or manipulate | |
344 | users: | |
345 | ||
346 | .. code-block:: console | |
347 | ||
348 | # proxmox-backup-manager user list | |
26d29e0e DM |
349 | ┌─────────────┬────────┬────────┬───────────┬──────────┬────────────────┬────────────────────┐ |
350 | │ userid │ enable │ expire │ firstname │ lastname │ email │ comment │ | |
351 | ╞═════════════╪════════╪════════╪═══════════╪══════════╪════════════════╪════════════════════╡ | |
352 | │ root@pam │ 1 │ │ │ │ │ Superuser │ | |
353 | └─────────────┴────────┴────────┴───────────┴──────────┴────────────────┴────────────────────┘ | |
17ec699d DM |
354 | |
355 | The superuser has full administration rights on everything, so you | |
356 | normally want to add other users with less privileges: | |
357 | ||
358 | .. code-block:: console | |
359 | ||
360 | # proxmox-backup-manager user create john@pbs --email john@example.com | |
361 | ||
8c6e5ce2 OB |
362 | The create command lets you specify many options like ``--email`` or |
363 | ``--password``. You can update or change any of them using the | |
17ec699d DM |
364 | update command later: |
365 | ||
366 | .. code-block:: console | |
367 | ||
368 | # proxmox-backup-manager user update john@pbs --firstname John --lastname Smith | |
369 | # proxmox-backup-manager user update john@pbs --comment "An example user." | |
370 | ||
17ec699d DM |
371 | .. todo:: Mention how to set password without passing plaintext password as cli argument. |
372 | ||
373 | ||
8c6e5ce2 | 374 | The resulting user list looks like this: |
17ec699d DM |
375 | |
376 | .. code-block:: console | |
377 | ||
378 | # proxmox-backup-manager user list | |
379 | ┌──────────┬────────┬────────┬───────────┬──────────┬──────────────────┬──────────────────┐ | |
380 | │ userid │ enable │ expire │ firstname │ lastname │ email │ comment │ | |
381 | ╞══════════╪════════╪════════╪═══════════╪══════════╪══════════════════╪══════════════════╡ | |
382 | │ john@pbs │ 1 │ │ John │ Smith │ john@example.com │ An example user. │ | |
383 | ├──────────┼────────┼────────┼───────────┼──────────┼──────────────────┼──────────────────┤ | |
384 | │ root@pam │ 1 │ │ │ │ │ Superuser │ | |
385 | └──────────┴────────┴────────┴───────────┴──────────┴──────────────────┴──────────────────┘ | |
386 | ||
8c6e5ce2 | 387 | Newly created users do not have any permissions. Please read the next |
17ec699d DM |
388 | section to learn how to set access permissions. |
389 | ||
8c6e5ce2 | 390 | If you want to disable a user account, you can do that by setting ``--enable`` to ``0`` |
8f3b3cc1 DM |
391 | |
392 | .. code-block:: console | |
393 | ||
394 | # proxmox-backup-manager user update john@pbs --enable 0 | |
395 | ||
8c6e5ce2 | 396 | Or completely remove the user with: |
8f3b3cc1 DM |
397 | |
398 | .. code-block:: console | |
399 | ||
400 | # proxmox-backup-manager user remove john@pbs | |
401 | ||
402 | ||
17ec699d DM |
403 | Access Control |
404 | ~~~~~~~~~~~~~~ | |
405 | ||
8c6e5ce2 OB |
406 | By default new users do not have any permission. Instead you need to |
407 | specify what is allowed and what is not. You can do this by assigning | |
8df51d48 DM |
408 | roles to users on specific objects like datastores or remotes. The |
409 | following roles exist: | |
410 | ||
8c6e5ce2 OB |
411 | **NoAccess** |
412 | Disable Access - nothing is allowed. | |
413 | ||
8df51d48 | 414 | **Admin** |
4cda7603 | 415 | Can do anything. |
8df51d48 DM |
416 | |
417 | **Audit** | |
4cda7603 | 418 | Can view things, but is not allowed to change settings. |
8df51d48 | 419 | |
8df51d48 DM |
420 | **DatastoreAdmin** |
421 | Can do anything on datastores. | |
422 | ||
423 | **DatastoreAudit** | |
424 | Can view datastore settings and list content. But | |
425 | is not allowed to read the actual data. | |
426 | ||
74fc8447 | 427 | **DatastoreReader** |
8df51d48 DM |
428 | Can Inspect datastore content and can do restores. |
429 | ||
74fc8447 | 430 | **DatastoreBackup** |
8df51d48 DM |
431 | Can backup and restore owned backups. |
432 | ||
433 | **DatastorePowerUser** | |
434 | Can backup, restore, and prune owned backups. | |
435 | ||
436 | **RemoteAdmin** | |
437 | Can do anything on remotes. | |
438 | ||
439 | **RemoteAudit** | |
440 | Can view remote settings. | |
441 | ||
442 | **RemoteSyncOperator** | |
443 | Is allowed to read data from a remote. | |
444 | ||
1e68497c DW |
445 | You can use the ``acl`` subcommand to manage and monitor user permissions. For |
446 | example, the command below will add the user ``john@pbs`` as a | |
447 | **DatastoreAdmin** for the data store ``store1``, located at ``/backup/disk1/store1``: | |
448 | ||
449 | .. code-block:: console | |
450 | ||
451 | # proxmox-backup-manager acl update /datastore/store1 DatastoreAdmin --userid john@pbs | |
452 | ||
453 | You can monitor the roles of each user using the following command: | |
454 | ||
455 | .. code-block:: console | |
456 | ||
457 | # proxmox-backup-manager acl list | |
458 | ┌──────────┬──────────────────┬───────────┬────────────────┐ | |
459 | │ ugid │ path │ propagate │ roleid │ | |
460 | ╞══════════╪══════════════════╪═══════════╪════════════════╡ | |
461 | │ john@pbs │ /datastore/disk1 │ 1 │ DatastoreAdmin │ | |
462 | └──────────┴──────────────────┴───────────┴────────────────┘ | |
463 | ||
464 | A single user can be assigned multiple permission sets for different data stores. | |
465 | ||
466 | .. Note:: | |
467 | Naming convention is important here. For data stores on the host, | |
468 | you must use the convention ``/datastore/{storename}``. For example, to set | |
469 | permissions for a data store mounted at ``/mnt/backup/disk4/store2``, you would use | |
470 | ``/datastore/store2`` for the path. For remote stores, use the convention | |
471 | ``/remote/{remote}/{storename}``, where ``{remote}`` signifies the name of the | |
472 | remote (see `Remote` below) and ``{storename}`` is the name of the data store on | |
473 | the remote. | |
17ec699d | 474 | |
24b638bd DW |
475 | Network Management |
476 | ~~~~~~~~~~~~~~~~~~ | |
477 | Proxmox Backup Server provides an interface for network configuration, through the | |
478 | ``network`` subcommand. This allows you to carry out some basic network | |
479 | management tasks such as adding, configuring and removing network interfaces. | |
480 | ||
481 | To get a list of available interfaces, use the following command: | |
482 | ||
483 | .. code-block:: console | |
484 | ||
485 | # proxmox-backup-manager network list | |
486 | ┌───────┬────────┬───────────┬────────┬─────────┬───────────────────┬──────────────┬──────────────┐ | |
487 | │ name │ type │ autostart │ method │ method6 │ address │ gateway │ ports/slaves │ | |
488 | ╞═══════╪════════╪═══════════╪════════╪═════════╪═══════════════════╪══════════════╪══════════════╡ | |
489 | │ bond0 │ bond │ 1 │ manual │ │ │ │ ens18 ens19 │ | |
490 | ├───────┼────────┼───────────┼────────┼─────────┼───────────────────┼──────────────┼──────────────┤ | |
491 | │ ens18 │ eth │ 1 │ manual │ │ │ │ │ | |
492 | ├───────┼────────┼───────────┼────────┼─────────┼───────────────────┼──────────────┼──────────────┤ | |
493 | │ ens19 │ eth │ 1 │ manual │ │ │ │ │ | |
494 | ├───────┼────────┼───────────┼────────┼─────────┼───────────────────┼──────────────┼──────────────┤ | |
495 | │ vmbr0 │ bridge │ 1 │ static │ │ x.x.x.x/x │ x.x.x.x │ bond0 │ | |
496 | └───────┴────────┴───────────┴────────┴─────────┴───────────────────┴──────────────┴──────────────┘ | |
497 | ||
498 | To add a new network interface, use the ``create`` subcommand with the relevant | |
499 | parameters. The following command shows a template for creating a new bridge: | |
500 | ||
501 | .. code-block:: console | |
502 | ||
503 | # proxmox-backup-manager network create vmbr1 --autostart true --cidr x.x.x.x/x --gateway x.x.x.x --bridge_ports iface_name --type bridge | |
504 | ||
505 | You can make changes to the configuration of a network interface with the | |
506 | ``update`` subcommand: | |
507 | ||
508 | .. code-block:: console | |
509 | ||
510 | # proxmox-backup-manager network update vmbr1 --cidr y.y.y.y/y | |
511 | ||
512 | You can also remove a network interface: | |
513 | ||
514 | .. code-block:: console | |
515 | ||
516 | # proxmox-backup-manager network remove vmbr1 | |
517 | ||
518 | To view the changes made to the network configuration file, before committing | |
519 | them, use the command: | |
520 | ||
521 | .. code-block:: console | |
522 | ||
523 | # proxmox-backup-manager network changes | |
524 | ||
525 | If you would like to cancel all changes at this point, you can do this using: | |
526 | ||
527 | .. code-block:: console | |
528 | ||
529 | # proxmox-backup-manager network revert | |
530 | ||
531 | If you are happy with the changes and would like to write them into the | |
532 | configuration file, the command is: | |
533 | ||
534 | .. code-block:: console | |
535 | ||
536 | # proxmox-backup-manager network reload | |
537 | ||
538 | You can also configure DNS settings using the ``dns`` subcommand of | |
539 | ``proxmox-backup-manager``. | |
540 | ||
9634ca07 SI |
541 | :term:`Remote` |
542 | ~~~~~~~~~~~~~~ | |
543 | ||
aef49768 | 544 | A remote refers to a separate Proxmox Backup Server installation and a user on that |
9634ca07 SI |
545 | installation, from which you can `sync` datastores to a local datastore with a |
546 | `Sync Job`. | |
547 | ||
aef49768 DW |
548 | To add a remote, you need its hostname or ip, a userid and password on the |
549 | remote, and its certificate fingerprint. To get the fingerprint, use the | |
550 | ``proxmox-backup-manager cert info`` command on the remote. | |
9634ca07 SI |
551 | |
552 | .. code-block:: console | |
553 | ||
554 | # proxmox-backup-manager cert info |grep Fingerprint | |
555 | Fingerprint (sha256): 64:d3:ff:3a:50:38:53:5a:9b:f7:50:...:ab:fe | |
556 | ||
aef49768 | 557 | Using the information specified above, add the remote with: |
9634ca07 SI |
558 | |
559 | .. code-block:: console | |
560 | ||
561 | # proxmox-backup-manager remote create pbs2 --host pbs2.mydomain.example --userid sync@pam --password 'SECRET' --fingerprint 64:d3:ff:3a:50:38:53:5a:9b:f7:50:...:ab:fe | |
562 | ||
563 | Use the ``list``, ``show``, ``update``, ``remove`` subcommands of | |
564 | ``proxmox-backup-manager remote`` to manage your remotes: | |
565 | ||
566 | .. code-block:: console | |
567 | ||
568 | # proxmox-backup-manager remote update pbs2 --host pbs2.example | |
569 | # proxmox-backup-manager remote list | |
570 | ┌──────┬──────────────┬──────────┬───────────────────────────────────────────┬─────────┐ | |
571 | │ name │ host │ userid │ fingerprint │ comment │ | |
572 | ╞══════╪══════════════╪══════════╪═══════════════════════════════════════════╪═════════╡ | |
573 | │ pbs2 │ pbs2.example │ sync@pam │64:d3:ff:3a:50:38:53:5a:9b:f7:50:...:ab:fe │ │ | |
574 | └──────┴──────────────┴──────────┴───────────────────────────────────────────┴─────────┘ | |
575 | # proxmox-backup-manager remote remove pbs2 | |
576 | ||
577 | ||
578 | Sync Jobs | |
579 | ~~~~~~~~~ | |
580 | ||
581 | Sync jobs are configured to pull the contents of a datastore on a `Remote` to a | |
582 | local datastore. You can either start the sync job manually on the GUI or | |
583 | provide it with a :term:`schedule` to run regularly. The | |
584 | ``proxmox-backup-manager sync-job`` command is used to manage sync jobs: | |
585 | ||
586 | .. code-block:: console | |
587 | ||
588 | # proxmox-backup-manager sync-job create pbs2-local --remote pbs2 --remote-store local --store local --schedule 'Wed 02:30' | |
589 | # proxmox-backup-manager sync-job update pbs2-local --comment 'offsite' | |
590 | # proxmox-backup-manager sync-job list | |
591 | ┌────────────┬───────┬────────┬──────────────┬───────────┬─────────┐ | |
592 | │ id │ store │ remote │ remote-store │ schedule │ comment │ | |
593 | ╞════════════╪═══════╪════════╪══════════════╪═══════════╪═════════╡ | |
594 | │ pbs2-local │ local │ pbs2 │ local │ Wed 02:30 │ offsite │ | |
595 | └────────────┴───────┴────────┴──────────────┴───────────┴─────────┘ | |
596 | # proxmox-backup-manager sync-job remove pbs2-local | |
597 | ||
fd3f6901 DW |
598 | Garbage Collection |
599 | ~~~~~~~~~~~~~~~~~~ | |
600 | You can monitor and run :ref:`garbage collection <garbage-collection>` on the | |
601 | Proxmox Backup Server using the ``garbage-collection`` subcommand of | |
602 | ``proxmox-backup-manager``. You can use the ``start`` subcommand to manually start garbage | |
603 | collection on an entire data store and the ``status`` subcommand to see | |
604 | attributes relating to the :ref:`garbage collection <garbage-collection>`. | |
605 | ||
9634ca07 | 606 | |
cb01363c DM |
607 | Backup Client usage |
608 | ------------------- | |
58ea88c8 DM |
609 | |
610 | The command line client is called :command:`proxmox-backup-client`. | |
611 | ||
a129fdd9 | 612 | |
0c1c492d TL |
613 | Repository Locations |
614 | ~~~~~~~~~~~~~~~~~~~~ | |
58ea88c8 | 615 | |
4f3db187 | 616 | The client uses the following notation to specify a datastore repository |
58ea88c8 DM |
617 | on the backup server. |
618 | ||
619 | [[username@]server:]datastore | |
620 | ||
8c6e5ce2 OB |
621 | The default value for ``username`` ist ``root``. If no server is specified, |
622 | the default is the local host (``localhost``). | |
58ea88c8 | 623 | |
4f3db187 AL |
624 | You can pass the repository with the ``--repository`` command |
625 | line option, or by setting the ``PBS_REPOSITORY`` environment | |
58ea88c8 DM |
626 | variable. |
627 | ||
628 | ||
629 | Environment Variables | |
53ea6556 | 630 | ~~~~~~~~~~~~~~~~~~~~~ |
58ea88c8 DM |
631 | |
632 | ``PBS_REPOSITORY`` | |
633 | The default backup repository. | |
634 | ||
635 | ``PBS_PASSWORD`` | |
636 | When set, this value is used for the password required for the | |
637 | backup server. | |
638 | ||
639 | ``PBS_ENCRYPTION_PASSWORD`` | |
58ea88c8 DM |
640 | When set, this value is used to access the secret encryption key (if |
641 | protected by password). | |
642 | ||
3243f93c DM |
643 | ``PBS_FINGERPRINT`` When set, this value is used to verify the server |
644 | certificate (only used if the system CA certificates cannot | |
645 | validate the certificate). | |
646 | ||
53ea6556 DM |
647 | |
648 | Output Format | |
649 | ~~~~~~~~~~~~~ | |
650 | ||
4f3db187 AL |
651 | Most commands support the ``--output-format`` parameter. It accepts |
652 | the following values: | |
53ea6556 DM |
653 | |
654 | :``text``: Text format (default). Structured data is rendered as a table. | |
655 | ||
656 | :``json``: JSON (single line). | |
657 | ||
658 | :``json-pretty``: JSON (multiple lines, nicely formatted). | |
659 | ||
660 | ||
661 | Please use the following environment variables to modify output behavior: | |
662 | ||
663 | ``PROXMOX_OUTPUT_FORMAT`` | |
664 | Defines the default output format. | |
665 | ||
666 | ``PROXMOX_OUTPUT_NO_BORDER`` | |
667 | If set (to any value), do not render table borders. | |
668 | ||
669 | ``PROXMOX_OUTPUT_NO_HEADER`` | |
670 | If set (to any value), do not render table headers. | |
671 | ||
4f3db187 | 672 | .. note:: The ``text`` format is designed to be human readable, and |
53ea6556 | 673 | not meant to be parsed by automation tools. Please use the ``json`` |
4f3db187 | 674 | format if you need to process the output. |
53ea6556 DM |
675 | |
676 | ||
cee53b34 | 677 | .. _creating-backups: |
58ea88c8 DM |
678 | |
679 | Creating Backups | |
680 | ~~~~~~~~~~~~~~~~ | |
681 | ||
4f3db187 AL |
682 | This section explains how to create a backup from within the machine. This can |
683 | be a physical host, a virtual machine, or a container. Such backups may contain file | |
684 | and image archives. There are no restrictions in this case. | |
a129fdd9 | 685 | |
8c6e5ce2 | 686 | .. note:: If you want to backup virtual machines or containers on Proxmox VE, see :ref:`pve-integration`. |
a129fdd9 | 687 | |
4f3db187 AL |
688 | For the following example you need to have a backup server set up, working |
689 | credentials and need to know the repository name. | |
690 | In the following examples we use ``backup-server:store1``. | |
a129fdd9 DM |
691 | |
692 | .. code-block:: console | |
693 | ||
694 | # proxmox-backup-client backup root.pxar:/ --repository backup-server:store1 | |
695 | Starting backup: host/elsa/2019-12-03T09:35:01Z | |
696 | Client name: elsa | |
697 | skip mount point: "/boot/efi" | |
698 | skip mount point: "/dev" | |
699 | skip mount point: "/run" | |
700 | skip mount point: "/sys" | |
701 | Uploaded 12129 chunks in 87 seconds (564 MB/s). | |
702 | End Time: 2019-12-03T10:36:29+01:00 | |
703 | ||
704 | This will prompt you for a password and then uploads a file archive named | |
705 | ``root.pxar`` containing all the files in the ``/`` directory. | |
706 | ||
4f3db187 | 707 | .. Caution:: Please note that the proxmox-backup-client does not |
ed858b0a | 708 | automatically include mount points. Instead, you will see a short |
4f3db187 AL |
709 | ``skip mount point`` notice for each of them. The idea is to |
710 | create a separate file archive for each mounted disk. You can | |
a129fdd9 DM |
711 | explicitly include them using the ``--include-dev`` option |
712 | (i.e. ``--include-dev /boot/efi``). You can use this option | |
4f3db187 | 713 | multiple times for each mount point that should be included. |
a129fdd9 | 714 | |
4f3db187 | 715 | The ``--repository`` option can get quite long and is used by all |
a129fdd9 | 716 | commands. You can avoid having to enter this value by setting the |
74fc8447 DW |
717 | environment variable ``PBS_REPOSITORY``. Note that if you would like this to remain set |
718 | over multiple sessions, you should instead add the below line to your | |
719 | ``.bashrc`` file. | |
a129fdd9 DM |
720 | |
721 | .. code-block:: console | |
722 | ||
78ee20d7 | 723 | # export PBS_REPOSITORY=backup-server:store1 |
a129fdd9 | 724 | |
4f3db187 | 725 | After this you can execute all commands without specifying the ``--repository`` |
a129fdd9 DM |
726 | option. |
727 | ||
4f3db187 AL |
728 | One single backup is allowed to contain more than one archive. For example, if |
729 | you want to backup two disks mounted at ``/mmt/disk1`` and ``/mnt/disk2``: | |
a129fdd9 DM |
730 | |
731 | .. code-block:: console | |
732 | ||
733 | # proxmox-backup-client backup disk1.pxar:/mnt/disk1 disk2.pxar:/mnt/disk2 | |
734 | ||
4f3db187 | 735 | This creates a backup of both disks. |
a129fdd9 DM |
736 | |
737 | The backup command takes a list of backup specifications, which | |
4f3db187 AL |
738 | include the archive name on the server, the type of the archive, and the |
739 | archive source at the client. The format is: | |
a129fdd9 DM |
740 | |
741 | <archive-name>.<type>:<source-path> | |
742 | ||
743 | Common types are ``.pxar`` for file archives, and ``.img`` for block | |
4f3db187 | 744 | device images. To create a backup of a block device run the following command: |
a129fdd9 DM |
745 | |
746 | .. code-block:: console | |
747 | ||
748 | # proxmox-backup-client backup mydata.img:/dev/mylvm/mydata | |
749 | ||
50b8f9dd CE |
750 | Excluding files/folders from a backup |
751 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ | |
752 | ||
753 | Sometimes it is desired to exclude certain files or folders from a backup archive. | |
4cda7603 | 754 | To tell the Proxmox Backup client when and how to ignore files and directories, |
4f3db187 AL |
755 | place a text file called ``.pxarexclude`` in the filesystem hierarchy. |
756 | Whenever the backup client encounters such a file in a directory, it interprets | |
757 | each line as glob match patterns for files and directories that are to be excluded | |
758 | from the backup. | |
759 | ||
760 | The file must contain a single glob pattern per line. Empty lines are ignored. | |
761 | The same is true for lines starting with ``#``, which indicates a comment. | |
762 | A ``!`` at the beginning of a line reverses the glob match pattern from an exclusion | |
763 | to an explicit inclusion. This makes it possible to exclude all entries in a | |
764 | directory except for a few single files/subdirectories. | |
765 | Lines ending in ``/`` match only on directories. | |
766 | The directory containing the ``.pxarexclude`` file is considered to be the root of | |
767 | the given patterns. It is only possible to match files in this directory and its subdirectories. | |
768 | ||
769 | ``\`` is used to escape special glob characters. | |
770 | ``?`` matches any single character. | |
771 | ``*`` matches any character, including an empty string. | |
772 | ``**`` is used to match subdirectories. It can be used to, for example, exclude | |
773 | all files ending in ``.tmp`` within the directory or subdirectories with the | |
50b8f9dd CE |
774 | following pattern ``**/*.tmp``. |
775 | ``[...]`` matches a single character from any of the provided characters within | |
0c1c492d | 776 | the brackets. ``[!...]`` does the complementary and matches any single character |
4f3db187 AL |
777 | not contained within the brackets. It is also possible to specify ranges with two |
778 | characters separated by ``-``. For example, ``[a-z]`` matches any lowercase | |
779 | alphabetic character and ``[0-9]`` matches any one single digit. | |
50b8f9dd | 780 | |
aef49768 DW |
781 | The order of the glob match patterns defines whether a file is included or |
782 | excluded, that is to say later entries override previous ones. | |
50b8f9dd | 783 | This is also true for match patterns encountered deeper down the directory tree, |
4f3db187 AL |
784 | which can override a previous exclusion. |
785 | Be aware that excluded directories will **not** be read by the backup client. | |
aef49768 | 786 | Thus, a ``.pxarexclude`` file in an excluded subdirectory will have no effect. |
4f3db187 | 787 | ``.pxarexclude`` files are treated as regular files and will be included in the |
50b8f9dd CE |
788 | backup archive. |
789 | ||
4f3db187 | 790 | For example, consider the following directory structure: |
50b8f9dd CE |
791 | |
792 | .. code-block:: console | |
793 | ||
794 | # ls -aR folder | |
795 | folder/: | |
796 | . .. .pxarexclude subfolder0 subfolder1 | |
797 | ||
798 | folder/subfolder0: | |
799 | . .. file0 file1 file2 file3 .pxarexclude | |
800 | ||
801 | folder/subfolder1: | |
802 | . .. file0 file1 file2 file3 | |
803 | ||
4f3db187 | 804 | The different ``.pxarexclude`` files contain the following: |
50b8f9dd CE |
805 | |
806 | .. code-block:: console | |
807 | ||
808 | # cat folder/.pxarexclude | |
809 | /subfolder0/file1 | |
810 | /subfolder1/* | |
811 | !/subfolder1/file2 | |
812 | ||
813 | .. code-block:: console | |
814 | ||
815 | # cat folder/subfolder0/.pxarexclude | |
816 | file3 | |
817 | ||
818 | This would exclude ``file1`` and ``file3`` in ``subfolder0`` and all of | |
819 | ``subfolder1`` except ``file2``. | |
820 | ||
4f3db187 | 821 | Restoring this backup will result in: |
50b8f9dd CE |
822 | |
823 | .. code-block:: console | |
824 | ||
825 | ls -aR restored | |
826 | restored/: | |
827 | . .. .pxarexclude subfolder0 subfolder1 | |
828 | ||
829 | restored/subfolder0: | |
830 | . .. file0 file2 .pxarexclude | |
831 | ||
832 | restored/subfolder1: | |
833 | . .. file2 | |
a129fdd9 | 834 | |
58ea88c8 | 835 | Encryption |
747c3bc0 | 836 | ~~~~~~~~~~ |
58ea88c8 | 837 | |
aef49768 DW |
838 | Proxmox Backup supports client-side encryption with AES-256 in GCM_ |
839 | mode. To set this up, you first need to create an encryption key: | |
5a499f32 DM |
840 | |
841 | .. code-block:: console | |
842 | ||
843 | # proxmox-backup-client key create my-backup.key | |
844 | Encryption Key Password: ************** | |
845 | ||
846 | The key is password protected by default. If you do not need this | |
847 | extra protection, you can also create it without a password: | |
848 | ||
849 | .. code-block:: console | |
850 | ||
4f3db187 | 851 | # proxmox-backup-client key create /path/to/my-backup.key --kdf none |
5a499f32 | 852 | |
16a18dad DW |
853 | Having created this key, it is now possible to create an encrypted backup, by |
854 | passing the ``--keyfile`` parameter, with the path to the key file. | |
5a499f32 DM |
855 | |
856 | .. code-block:: console | |
857 | ||
858 | # proxmox-backup-client backup etc.pxar:/etc --keyfile /path/to/my-backup.key | |
859 | Password: ********* | |
860 | Encryption Key Password: ************** | |
861 | ... | |
862 | ||
16a18dad DW |
863 | .. Note:: If you do not specify the name of the backup key, the key will be |
864 | created in the default location | |
865 | ``~/.config/proxmox-backup/encryption-key.json``. ``proxmox-backup-client`` | |
866 | will also search this location by default, in case the ``--keyfile`` | |
867 | parameter is not specified. | |
5a499f32 | 868 | |
4f3db187 | 869 | You can avoid entering the passwords by setting the environment |
5a499f32 DM |
870 | variables ``PBS_PASSWORD`` and ``PBS_ENCRYPTION_PASSWORD``. |
871 | ||
16a18dad | 872 | Using a master key to store and recover encryption keys |
c23e257c | 873 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ |
16a18dad DW |
874 | |
875 | You can also use ``proxmox-backup-client key`` to create an RSA public/private | |
876 | key pair, which can be used to store an encrypted version of the symmetric | |
877 | backup encryption key alongside each backup and recover it later. | |
878 | ||
879 | To set up a master key: | |
880 | ||
881 | 1. Create an encryption key for the backup: | |
882 | ||
883 | .. code-block:: console | |
884 | ||
885 | # proxmox-backup-client key create | |
886 | creating default key at: "~/.config/proxmox-backup/encryption-key.json" | |
887 | Encryption Key Password: ********** | |
888 | ... | |
889 | ||
890 | The resulting file will be saved to ``~/.config/proxmox-backup/encryption-key.json``. | |
891 | ||
892 | 2. Create an RSA public/private key pair: | |
893 | ||
894 | .. code-block:: console | |
895 | ||
896 | # proxmox-backup-client key create-master-key | |
897 | Master Key Password: ********* | |
898 | ... | |
899 | ||
900 | This will create two files in your current directory, ``master-public.pem`` | |
901 | and ``master-private.pem``. | |
902 | ||
903 | 3. Import the newly created ``master-public.pem`` public certificate, so that | |
904 | ``proxmox-backup-client`` can find and use it upon backup. | |
905 | ||
906 | .. code-block:: console | |
907 | ||
908 | # proxmox-backup-client key import-master-pubkey /path/to/master-public.pem | |
909 | Imported public master key to "~/.config/proxmox-backup/master-public.pem" | |
910 | ||
911 | 4. With all these files in place, run a backup job: | |
912 | ||
913 | .. code-block:: console | |
914 | ||
915 | # proxmox-backup-client backup etc.pxar:/etc | |
916 | ||
917 | The key will be stored in your backup, under the name ``rsa-encrypted.key``. | |
918 | ||
919 | .. Note:: The ``--keyfile`` parameter can be excluded, if the encryption key | |
920 | is in the default path. If you specified another path upon creation, you | |
921 | must pass the ``--keyfile`` parameter. | |
922 | ||
923 | 5. To test that everything worked, you can restore the key from the backup: | |
924 | ||
925 | .. code-block:: console | |
926 | ||
927 | # proxmox-backup-client restore /path/to/backup/ rsa-encrypted.key /path/to/target | |
928 | ||
929 | .. Note:: You should not need an encryption key to extract this file. However, if | |
930 | a key exists at the default location | |
931 | (``~/.config/proxmox-backup/encryption-key.json``) the program will prompt | |
932 | you for an encryption key password. Simply moving ``encryption-key.json`` | |
933 | out of this directory will fix this issue. | |
934 | ||
935 | 6. Then, use the previously generated master key to decrypt the file: | |
936 | ||
937 | .. code-block:: console | |
938 | ||
939 | # openssl rsautl -decrypt -inkey master-private.pem -in rsa-encrypted.key -out /path/to/target | |
940 | Enter pass phrase for ./master-private.pem: ********* | |
941 | ||
942 | 7. The target file will now contain the encryption key information in plain | |
943 | text. The success of this can be confirmed by passing the resulting ``json`` | |
944 | file, with the ``--keyfile`` parameter, when decrypting files from the backup. | |
5a499f32 | 945 | |
16a18dad DW |
946 | .. warning:: Without their key, backed up files will be inaccessible. Thus, you should |
947 | keep keys ordered and in a place that is separate from the contents being | |
948 | backed up. It can happen, for example, that you back up an entire system, using | |
949 | a key on that system. If the system then becomes inaccessable for any reason | |
950 | and needs to be restored, this will not be possible as the encryption key will be | |
74fc8447 DW |
951 | lost along with the broken system. In preparation for the worst case scenario, |
952 | you should consider keeping a paper copy of this key locked away in | |
953 | a safe place. | |
58ea88c8 DM |
954 | |
955 | Restoring Data | |
956 | ~~~~~~~~~~~~~~ | |
957 | ||
aef49768 DW |
958 | The regular creation of backups is a necessary step to avoiding data |
959 | loss. More importantly, however, is the restoration. It is good practice to perform | |
4f3db187 | 960 | periodic recovery tests to ensure that you can access the data in |
64b85116 DM |
961 | case of problems. |
962 | ||
4f3db187 | 963 | First, you need to find the snapshot which you want to restore. The snapshot |
aef49768 | 964 | command provides a list of all the snapshots on the server: |
64b85116 DM |
965 | |
966 | .. code-block:: console | |
967 | ||
968 | # proxmox-backup-client snapshots | |
96feecd6 DM |
969 | ┌────────────────────────────────┬─────────────┬────────────────────────────────────┐ |
970 | │ snapshot │ size │ files │ | |
971 | ╞════════════════════════════════╪═════════════╪════════════════════════════════════╡ | |
972 | │ host/elsa/2019-12-03T09:30:15Z │ 51788646825 │ root.pxar catalog.pcat1 index.json │ | |
973 | ├────────────────────────────────┼─────────────┼────────────────────────────────────┤ | |
974 | │ host/elsa/2019-12-03T09:35:01Z │ 51790622048 │ root.pxar catalog.pcat1 index.json │ | |
975 | ├────────────────────────────────┼─────────────┼────────────────────────────────────┤ | |
64b85116 DM |
976 | ... |
977 | ||
4f3db187 | 978 | You can inspect the catalog to find specific files. |
64b85116 DM |
979 | |
980 | .. code-block:: console | |
981 | ||
3c50a9d8 | 982 | # proxmox-backup-client catalog dump host/elsa/2019-12-03T09:35:01Z |
64b85116 DM |
983 | ... |
984 | d "./root.pxar.didx/etc/cifs-utils" | |
985 | l "./root.pxar.didx/etc/cifs-utils/idmap-plugin" | |
986 | d "./root.pxar.didx/etc/console-setup" | |
987 | ... | |
988 | ||
989 | The restore command lets you restore a single archive from the | |
990 | backup. | |
991 | ||
992 | .. code-block:: console | |
993 | ||
994 | # proxmox-backup-client restore host/elsa/2019-12-03T09:35:01Z root.pxar /target/path/ | |
995 | ||
4cda7603 | 996 | To get the contents of any archive, you can restore the ``index.json`` file in the |
aef49768 | 997 | repository to the target path '-'. This will dump the contents to the standard output. |
64b85116 DM |
998 | |
999 | .. code-block:: console | |
1000 | ||
1001 | # proxmox-backup-client restore host/elsa/2019-12-03T09:35:01Z index.json - | |
1002 | ||
1003 | ||
1004 | Interactive Restores | |
1005 | ^^^^^^^^^^^^^^^^^^^^ | |
1006 | ||
1007 | If you only want to restore a few individual files, it is often easier | |
1008 | to use the interactive recovery shell. | |
1009 | ||
1010 | .. code-block:: console | |
1011 | ||
3c50a9d8 | 1012 | # proxmox-backup-client catalog shell host/elsa/2019-12-03T09:35:01Z root.pxar |
64b85116 DM |
1013 | Starting interactive shell |
1014 | pxar:/ > ls | |
1015 | bin boot dev etc home lib lib32 | |
1016 | ... | |
1017 | ||
3f0983b7 | 1018 | The interactive recovery shell is a minimalistic command line interface that |
4f3db187 AL |
1019 | utilizes the metadata stored in the catalog to quickly list, navigate and |
1020 | search files in a file archive. | |
1021 | To restore files, you can select them individually or match them with a glob | |
1022 | pattern. | |
1023 | ||
1024 | Using the catalog for navigation reduces the overhead considerably because only | |
1025 | the catalog needs to be downloaded and, optionally, decrypted. | |
3f0983b7 CE |
1026 | The actual chunks are only accessed if the metadata in the catalog is not enough |
1027 | or for the actual restore. | |
1028 | ||
1029 | Similar to common UNIX shells ``cd`` and ``ls`` are the commands used to change | |
4f3db187 | 1030 | working directory and list directory contents in the archive. |
3f0983b7 CE |
1031 | ``pwd`` shows the full path of the current working directory with respect to the |
1032 | archive root. | |
1033 | ||
aef49768 | 1034 | Being able to quickly search the contents of the archive is a commmonly needed feature. |
3f0983b7 CE |
1035 | That's where the catalog is most valuable. |
1036 | For example: | |
1037 | ||
1038 | .. code-block:: console | |
1039 | ||
a83674ad | 1040 | pxar:/ > find etc/**/*.txt --select |
3f0983b7 CE |
1041 | "/etc/X11/rgb.txt" |
1042 | pxar:/ > list-selected | |
1043 | etc/**/*.txt | |
1044 | pxar:/ > restore-selected /target/path | |
1045 | ... | |
1046 | ||
1047 | This will find and print all files ending in ``.txt`` located in ``etc/`` or a | |
1048 | subdirectory and add the corresponding pattern to the list for subsequent restores. | |
1049 | ``list-selected`` shows these patterns and ``restore-selected`` finally restores | |
1050 | all files in the archive matching the patterns to ``/target/path`` on the local | |
1051 | host. This will scan the whole archive. | |
1052 | ||
1053 | With ``restore /target/path`` you can restore the sub-archive given by the current | |
1054 | working directory to the local target path ``/target/path`` on your host. | |
1055 | By additionally passing a glob pattern with ``--pattern <glob>``, the restore is | |
1056 | further limited to files matching the pattern. | |
1057 | For example: | |
1058 | ||
1059 | .. code-block:: console | |
1060 | ||
1061 | pxar:/ > cd /etc/ | |
1062 | pxar:/etc/ > restore /target/ --pattern **/*.conf | |
1063 | ... | |
1064 | ||
1065 | The above will scan trough all the directories below ``/etc`` and restore all | |
1066 | files ending in ``.conf``. | |
1067 | ||
1068 | .. todo:: Explain interactive restore in more detail | |
64b85116 | 1069 | |
c7971d7f CE |
1070 | Mounting of Archives via FUSE |
1071 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ | |
1072 | ||
1073 | The :term:`FUSE` implementation for the pxar archive allows you to mount a | |
1074 | file archive as a read-only filesystem to a mountpoint on your host. | |
1075 | ||
1076 | .. code-block:: console | |
1077 | ||
74fc8447 DW |
1078 | # proxmox-backup-client mount host/backup-client/2020-01-29T11:29:22Z root.pxar /mnt/mountpoint |
1079 | # ls /mnt/mountpoint | |
c7971d7f CE |
1080 | bin dev home lib32 libx32 media opt root sbin sys usr |
1081 | boot etc lib lib64 lost+found mnt proc run srv tmp var | |
1082 | ||
aef49768 | 1083 | This allows you to access the full contents of the archive in a seamless manner. |
c7971d7f CE |
1084 | |
1085 | .. note:: As the FUSE connection needs to fetch and decrypt chunks from the | |
aef49768 | 1086 | backup server's datastore, this can cause some additional network and CPU |
c7971d7f CE |
1087 | load on your host, depending on the operations you perform on the mounted |
1088 | filesystem. | |
1089 | ||
4f3db187 | 1090 | To unmount the filesystem use the ``umount`` command on the mountpoint: |
c7971d7f CE |
1091 | |
1092 | .. code-block:: console | |
1093 | ||
74fc8447 | 1094 | # umount /mnt/mountpoint |
58ea88c8 | 1095 | |
ac456d85 DM |
1096 | Login and Logout |
1097 | ~~~~~~~~~~~~~~~~ | |
1098 | ||
1099 | The client tool prompts you to enter the logon password as soon as you | |
1100 | want to access the backup server. The server checks your credentials | |
1101 | and responds with a ticket that is valid for two hours. The client | |
4f3db187 | 1102 | tool automatically stores that ticket and uses it for further requests |
ac456d85 DM |
1103 | to this server. |
1104 | ||
1105 | You can also manually trigger this login/logout using the login and | |
1106 | logout commands: | |
1107 | ||
1108 | .. code-block:: console | |
1109 | ||
1110 | # proxmox-backup-client login | |
1111 | Password: ********** | |
1112 | ||
4f3db187 | 1113 | To remove the ticket, issue a logout: |
ac456d85 DM |
1114 | |
1115 | .. code-block:: console | |
1116 | ||
1117 | # proxmox-backup-client logout | |
1118 | ||
1119 | ||
22231524 SI |
1120 | .. _pruning: |
1121 | ||
6e5a0c03 DM |
1122 | Pruning and Removing Backups |
1123 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | |
1124 | ||
1125 | You can manually delete a backup snapshot using the ``forget`` | |
1126 | command: | |
1127 | ||
1128 | .. code-block:: console | |
1129 | ||
1130 | # proxmox-backup-client forget <snapshot> | |
1131 | ||
1132 | ||
4f3db187 AL |
1133 | .. caution:: This command removes all archives in this backup |
1134 | snapshot. They will be inaccessible and unrecoverable. | |
6e5a0c03 DM |
1135 | |
1136 | ||
4cda7603 DW |
1137 | Although manual removal is sometimes required, the ``prune`` |
1138 | command is normally used to systematically delete older backups. Prune lets | |
4f3db187 AL |
1139 | you specify which backup snapshots you want to keep. The |
1140 | following retention options are available: | |
52b2be97 DM |
1141 | |
1142 | ``--keep-last <N>`` | |
1143 | Keep the last ``<N>`` backup snapshots. | |
1144 | ||
102d8d41 | 1145 | ``--keep-hourly <N>`` |
4f3db187 AL |
1146 | Keep backups for the last ``<N>`` hours. If there is more than one |
1147 | backup for a single hour, only the latest is kept. | |
102d8d41 | 1148 | |
52b2be97 | 1149 | ``--keep-daily <N>`` |
4f3db187 AL |
1150 | Keep backups for the last ``<N>`` days. If there is more than one |
1151 | backup for a single day, only the latest is kept. | |
52b2be97 DM |
1152 | |
1153 | ``--keep-weekly <N>`` | |
4f3db187 AL |
1154 | Keep backups for the last ``<N>`` weeks. If there is more than one |
1155 | backup for a single week, only the latest is kept. | |
52b2be97 | 1156 | |
4f3db187 AL |
1157 | .. note:: Weeks start on Monday and end on Sunday. The software |
1158 | uses the `ISO week date`_ system and handles weeks at | |
1159 | the end of the year correctly. | |
1af66370 | 1160 | |
52b2be97 | 1161 | ``--keep-monthly <N>`` |
4f3db187 AL |
1162 | Keep backups for the last ``<N>`` months. If there is more than one |
1163 | backup for a single month, only the latest is kept. | |
52b2be97 DM |
1164 | |
1165 | ``--keep-yearly <N>`` | |
4f3db187 AL |
1166 | Keep backups for the last ``<N>`` years. If there is more than one |
1167 | backup for a single year, only the latest is kept. | |
1168 | ||
1169 | The retention options are processed in the order given above. Each option | |
1170 | only covers backups within its time period. The next option does not take care | |
1171 | of already covered backups. It will only consider older backups. | |
52b2be97 | 1172 | |
4f3db187 AL |
1173 | Unfinished and incomplete backups will be removed by the prune command unless |
1174 | they are newer than the last successful backup. In this case, the last failed | |
1175 | backup is retained. | |
02d22dec | 1176 | |
6e5a0c03 DM |
1177 | .. code-block:: console |
1178 | ||
1179 | # proxmox-backup-client prune <group> --keep-daily 7 --keep-weekly 4 --keep-monthly 3 | |
1180 | ||
1181 | ||
4f3db187 | 1182 | You can use the ``--dry-run`` option to test your settings. This only |
aef49768 | 1183 | shows the list of existing snapshots and what actions prune would take. |
84322d8c DM |
1184 | |
1185 | .. code-block:: console | |
1186 | ||
1187 | # proxmox-backup-client prune host/elsa --dry-run --keep-daily 1 --keep-weekly 3 | |
a66d5898 DM |
1188 | ┌────────────────────────────────┬──────┐ |
1189 | │ snapshot │ keep │ | |
1190 | ╞════════════════════════════════╪══════╡ | |
1191 | │ host/elsa/2019-12-04T13:20:37Z │ 1 │ | |
1192 | ├────────────────────────────────┼──────┤ | |
1193 | │ host/elsa/2019-12-03T09:35:01Z │ 0 │ | |
1194 | ├────────────────────────────────┼──────┤ | |
1195 | │ host/elsa/2019-11-22T11:54:47Z │ 1 │ | |
1196 | ├────────────────────────────────┼──────┤ | |
1197 | │ host/elsa/2019-11-21T12:36:25Z │ 0 │ | |
1198 | ├────────────────────────────────┼──────┤ | |
1199 | │ host/elsa/2019-11-10T10:42:20Z │ 1 │ | |
1200 | └────────────────────────────────┴──────┘ | |
84322d8c | 1201 | |
52b2be97 | 1202 | .. note:: Neither the ``prune`` command nor the ``forget`` command free space |
4f3db187 AL |
1203 | in the chunk-store. The chunk-store still contains the data blocks. To free |
1204 | space you need to perform :ref:`garbage-collection`. | |
6e5a0c03 DM |
1205 | |
1206 | ||
1207 | .. _garbage-collection: | |
1208 | ||
1209 | Garbage Collection | |
1210 | ~~~~~~~~~~~~~~~~~~ | |
1211 | ||
e1c356ec DM |
1212 | The ``prune`` command removes only the backup index files, not the data |
1213 | from the data store. This task is left to the garbage collection | |
4f3db187 | 1214 | command. It is recommended to carry out garbage collection on a regular basis. |
e1c356ec DM |
1215 | |
1216 | The garbage collection works in two phases. In the first phase, all | |
1217 | data blocks that are still in use are marked. In the second phase, | |
1218 | unused data blocks are removed. | |
1219 | ||
1220 | .. note:: This command needs to read all existing backup index files | |
f0188322 CE |
1221 | and touches the complete chunk-store. This can take a long time |
1222 | depending on the number of chunks and the speed of the underlying | |
e1c356ec DM |
1223 | disks. |
1224 | ||
8314ca9c AL |
1225 | .. note:: The garbage collection will only remove chunks that haven't been used |
1226 | for at least one day (exactly 24h 5m). This grace period is necessary because | |
1227 | chunks in use are marked by touching the chunk which updates the ``atime`` | |
1228 | (access time) property. Filesystems are mounted with the ``relatime`` option | |
1229 | by default. This results in a better performance by only updating the | |
1230 | ``atime`` property if the last access has been at least 24 hours ago. The | |
255ed621 TL |
1231 | downside is, that touching a chunk within these 24 hours will not always |
1232 | update its ``atime`` property. | |
8314ca9c | 1233 | |
255ed621 TL |
1234 | Chunks in the grace period will be logged at the end of the garbage |
1235 | collection task as *Pending removals*. | |
e1c356ec DM |
1236 | |
1237 | .. code-block:: console | |
1238 | ||
1239 | # proxmox-backup-client garbage-collect | |
1240 | starting garbage collection on store store2 | |
1241 | Start GC phase1 (mark used chunks) | |
1242 | Start GC phase2 (sweep unused chunks) | |
1243 | percentage done: 1, chunk count: 219 | |
1244 | percentage done: 2, chunk count: 453 | |
1245 | ... | |
1246 | percentage done: 99, chunk count: 21188 | |
1247 | Removed bytes: 411368505 | |
1248 | Removed chunks: 203 | |
1249 | Original data bytes: 327160886391 | |
1250 | Disk bytes: 52767414743 (16 %) | |
1251 | Disk chunks: 21221 | |
1252 | Average chunk size: 2486565 | |
1253 | TASK OK | |
1254 | ||
1255 | ||
1256 | .. todo:: howto run garbage-collection at regular intervalls (cron) | |
6e5a0c03 | 1257 | |
a8d69fcf DW |
1258 | Benchmarking |
1259 | ~~~~~~~~~~~~ | |
1260 | The backup client also comes with a benchmarking tool. This tool measures | |
1261 | various metrics relating to compression and encryption speeds. You can run a | |
1262 | benchmark using the ``benchmark`` subcommand of ``proxmox-backup-client``: | |
1263 | ||
1264 | .. code-block:: console | |
1265 | ||
1266 | # proxmox-backup-client benchmark | |
1267 | Uploaded 656 chunks in 5 seconds. | |
1268 | Time per request: 7659 microseconds. | |
1269 | TLS speed: 547.60 MB/s | |
1270 | SHA256 speed: 585.76 MB/s | |
1271 | Compression speed: 1923.96 MB/s | |
1272 | Decompress speed: 7885.24 MB/s | |
1273 | AES256/GCM speed: 3974.03 MB/s | |
1274 | ┌───────────────────────────────────┬─────────────────────┐ | |
1275 | │ Name │ Value │ | |
1276 | ╞═══════════════════════════════════╪═════════════════════╡ | |
1277 | │ TLS (maximal backup upload speed) │ 547.60 MB/s (93%) │ | |
1278 | ├───────────────────────────────────┼─────────────────────┤ | |
1279 | │ SHA256 checksum computation speed │ 585.76 MB/s (28%) │ | |
1280 | ├───────────────────────────────────┼─────────────────────┤ | |
1281 | │ ZStd level 1 compression speed │ 1923.96 MB/s (89%) │ | |
1282 | ├───────────────────────────────────┼─────────────────────┤ | |
1283 | │ ZStd level 1 decompression speed │ 7885.24 MB/s (98%) │ | |
1284 | ├───────────────────────────────────┼─────────────────────┤ | |
1285 | │ AES256 GCM encryption speed │ 3974.03 MB/s (104%) │ | |
1286 | └───────────────────────────────────┴─────────────────────┘ | |
1287 | ||
9624c5ee DM |
1288 | .. note:: The percentages given in the output table correspond to a |
1289 | comparison against a Ryzen 7 2700X. The TLS test connects to the | |
1290 | local host, so there is no network involved. | |
503dd339 | 1291 | |
a8d69fcf DW |
1292 | You can also pass the ``--output-format`` parameter to output stats in ``json``, |
1293 | rather than the default table format. | |
6e5a0c03 | 1294 | |
a129fdd9 DM |
1295 | .. _pve-integration: |
1296 | ||
58ea88c8 DM |
1297 | `Proxmox VE`_ integration |
1298 | ------------------------- | |
cb01363c | 1299 | |
f9dcfa41 DM |
1300 | You need to define a new storage with type 'pbs' on your `Proxmox VE`_ |
1301 | node. The following example uses ``store2`` as storage name, and | |
1302 | assumes the server address is ``localhost``, and you want to connect | |
1303 | as ``user1@pbs``. | |
1304 | ||
1305 | .. code-block:: console | |
1306 | ||
1307 | # pvesm add pbs store2 --server localhost --datastore store2 | |
1308 | # pvesm set store2 --username user1@pbs --password <secret> | |
1309 | ||
1310 | If your backup server uses a self signed certificate, you need to add | |
1311 | the certificate fingerprint to the configuration. You can get the | |
1312 | fingerprint by running the following command on the backup server: | |
1313 | ||
1314 | .. code-block:: console | |
1315 | ||
1316 | # proxmox-backup-manager cert info |grep Fingerprint | |
1317 | Fingerprint (sha256): 64:d3:ff:3a:50:38:53:5a:9b:f7:50:...:ab:fe | |
1318 | ||
1319 | Please add that fingerprint to your configuration to establish a trust | |
1320 | relationship: | |
1321 | ||
1322 | .. code-block:: console | |
1323 | ||
1324 | # pvesm set store2 --fingerprint 64:d3:ff:3a:50:38:53:5a:9b:f7:50:...:ab:fe | |
1325 | ||
1326 | After that you should be able to see storage status with: | |
1327 | ||
1328 | .. code-block:: console | |
1329 | ||
1330 | # pvesm status --storage store2 | |
1331 | Name Type Status Total Used Available % | |
1332 | store2 pbs active 3905109820 1336687816 2568422004 34.23% | |
1333 | ||
1334 | ||
cb01363c DM |
1335 | |
1336 | .. include:: command-line-tools.rst | |
1337 | ||
1338 | .. include:: services.rst |