Installing proxmox backup client into TrueNAS Scale

If you have a Proxmox VE, Proxmox Backup server (PBS) and TrueNAS Scale in your lab, you probably have one set of backups for the Proxmox infrastructure and another for your NAS backups. You do have backups right !? (NO, RAID IS NOT A BACKUP).

If, like me you got sick of having two sets of backups and thought…“Wouldn’t it be nice to have a single backup system” then is article is right up your alley.

Proxmox backup Server (PBS) to the rescue!

The PBS developers have released a backup client, a stand alone client that utilises the PBS API to provide a means to backup physical hosts. Currently the client is only available for Debian (v11 Bullseye) Linux and its derivatives (such as Ubuntu). This works well for our needs as both Proxmox and TrueNAS Scale are both based off Debian 11.

To start, we need to install the proxmox-backup-client packing onto TrueNAS.

First we need to install the gpg repository key into TrueNAS.

sudo wget https://enterprise.proxmox.com/debian/proxmox-release-bullseye.gpg -O /etc/apt/trusted.gpg.d/proxmox-release-bullseye.gpg

The Proxmox devs have an apt repository that only contains the proxmox-backup-client package and it’s dependancies, this prevents any accidental installation of other proxmox systems. Create a new repository list in /etc/apt/sources.list.d/pbs-client.list

sudo nano /etc/apt/sources.list.d/pbs-client.list

copy the Proxmox backup client repository address into it

deb http://download.proxmox.com/debian/pbs-client bullseye main

IMPORTANT SAFETY WARNING

TrueNAS Scale by default, has the apt utilities disabled as installing/upgrading packages from outside of ixsystems repositories may break your TrueNAS server and require a re-installation of TrueNAS.

Re-Enabling the apt utilities

To re-enable the apt utilites in TrueNAS, simply add the eXecute bit on each of the utilities.

sudo chmod +x /bin/apt*

Install the Proxmox Backup Client

Now we can update the repositories and install the proxmox-backup-client.

sudo apt update
sudo apt install proxmox-backup-client

DO NOT be tempted to run apt update or apt dist-upgrade ! See the safety warning above !

executing proxmox-backup-client in the shell should provide output similar to this:

admin@nas[~]$ proxmox-backup-client 
Error: no command specified.
Possible commands: backup, benchmark, catalog, change-owner, garbage-collect, help, key, list, login, logout, map, mount, namespace, prune, restore, snapshot, status, task, unmap, version

Usage:

proxmox-backup-client backup {<backupspec>} [OPTIONS]
proxmox-backup-client benchmark [OPTIONS]
proxmox-backup-client catalog dump <snapshot> [OPTIONS]
proxmox-backup-client catalog shell <snapshot> <archive-name> [OPTIONS]
proxmox-backup-client change-owner <group> <new-owner> [OPTIONS]
proxmox-backup-client garbage-collect [OPTIONS]
proxmox-backup-client help [{<command>}] [OPTIONS]
proxmox-backup-client key change-passphrase [<path>] [OPTIONS]
proxmox-backup-client key create [<path>] [OPTIONS]
proxmox-backup-client key create-master-key
proxmox-backup-client key import-master-pubkey <path>
proxmox-backup-client key import-with-master-key [<path>] --encrypted-keyfile <string> --master-keyfile <string> [OPTIONS]
proxmox-backup-client key paperkey [<path>] [OPTIONS]
proxmox-backup-client key show [<path>] [OPTIONS]
proxmox-backup-client key show-master-pubkey [<path>] [OPTIONS]
proxmox-backup-client list [OPTIONS]
proxmox-backup-client login [OPTIONS]
proxmox-backup-client logout [OPTIONS]
proxmox-backup-client map <snapshot> <archive-name> [OPTIONS]
proxmox-backup-client mount <snapshot> <archive-name> <target> [OPTIONS]
proxmox-backup-client namespace create [<ns>] [OPTIONS]
proxmox-backup-client namespace delete [<ns>] [OPTIONS]
proxmox-backup-client namespace list [<ns>] [OPTIONS]
proxmox-backup-client prune <group> [OPTIONS]
proxmox-backup-client restore <snapshot> <archive-name> <target> [OPTIONS]
proxmox-backup-client snapshot files <snapshot> [OPTIONS]
proxmox-backup-client snapshot forget <snapshot> [OPTIONS]
proxmox-backup-client snapshot list [<group>] [OPTIONS]
proxmox-backup-client snapshot notes show <snapshot> [OPTIONS]
proxmox-backup-client snapshot notes update <snapshot> <notes> [OPTIONS]
proxmox-backup-client snapshot protected show <snapshot> [OPTIONS]
proxmox-backup-client snapshot protected update <snapshot> <protected> [OPTIONS]
proxmox-backup-client snapshot upload-log <snapshot> <logfile> [OPTIONS]
proxmox-backup-client status [OPTIONS]
proxmox-backup-client task list [OPTIONS]
proxmox-backup-client task log <upid> [OPTIONS]
proxmox-backup-client task stop <upid> [OPTIONS]
proxmox-backup-client unmap [<name>]
proxmox-backup-client version [OPTIONS]

Clean Up

Now that we finally have the proxmox-backup-client installed, Lets disable the apt utilities again to prevent any accidents:

sudo chmod -x /bin/apt*

And confirm that the eXecute permission has been removed with ls -l /bin/apt*

admin@nas[~]$ ls -l /bin/apt*
-rw-r--r-- 1 root root  18664 Jun 10  2021 /bin/apt
-rw-r--r-- 1 root root  88376 Jun 10  2021 /bin/apt-cache
-rw-r--r-- 1 root root  26936 Jun 10  2021 /bin/apt-cdrom
-rw-r--r-- 1 root root  26856 Jun 10  2021 /bin/apt-config
-rw-r--r-- 1 root root  22848 Jun 10  2021 /bin/apt-extracttemplates
-rw-r--r-- 1 root root 276800 Jun 10  2021 /bin/apt-ftparchive
-rw-r--r-- 1 root root  47416 Jun 10  2021 /bin/apt-get
-rw-r--r-- 1 root root  28191 Jun 10  2021 /bin/apt-key
-rw-r--r-- 1 root root  51512 Jun 10  2021 /bin/apt-mark
-rw-r--r-- 1 root root  39152 Jun 10  2021 /bin/apt-sortpkgs

Setup account and permissions in PBS

In order to have PBS store out backups, we need to create a user account within PBS (Proxmox Backup Server), and restrict permissions to only allow backup and restore operations.

First, create a truenas account on PBS. Make sure to use the PBS realm and NOT the PAM realm. The PAM realm will create an user account on the underlying Linux system, whereas the PBS realm will only create the account within the PBS application itself.

Once the account is created, click on the permissions tab add the DatastoreBackup role to the truenas account, ensuring that the path is set to /datastore. You can further lock the account down by changing the path to a specific datastore e.g. /datastore/Mirror2 would restrict the account to only be able to perform backup operations (backup,restore and list backups) to the Mirror2 datastore. Setting the path to /datastore will allow backup operations to all datastores.

Testing proxmox-backup-client

Lets make a test backup in PBS and also check that the permissions are applied. Ensure that you have a TrueNAS dataset created with some small data in it. A good example would be to create a dataset to hold your backup scripts. In my example, I have a dataset named backup within the StoreagePool Pool. It’s mounted location within TrueNAS is /mnt/StoragePool/backup.

First off in the TrueNAS shell, ensure that you are root with sudo su -. To shorten and simplify the proxmox-backup-client command we’ll create two temporary environment variables to store our PBS credentials. These environment variables will only exist for the duration on the shell session and will cease to exist when the shell is closed.

export PBS_PASSWORD=truenas
export PBS_REPOSITORY=truenas@pbs@192.168.0.150:Mirror2

The PBS_REPOSITORY variable will tell proxmox-backup-client to connect with the truenas@pbs account on the PBS server at ip address 192.168.0.150 and to store our backup on the Mirror2 datastore. Change the server address and datastore name to suite your PBS instance.

And another variable to store our PBS pxar file name and where the filesystem is located. Pxar is an archive file format created by the Proxmox developers for the Proxmox Backup Server - think of it like a zip file.

export SPEC="backup.pxar:/mnt/StoragePool/backup/"

Lets backup the specified dataset.

proxmox-backup-client backup $SPEC

Once the backup is completed, the host backup should be visible within the PBS web portal. In my case mine is host/nas as the hostname of my NAS is well, nas :)

Expanding the backup will shot the what pxar archives are present and other files used internally by PBS.

Clicking on the folder icon, will allow browsing the contents or each pxar archive.

Testing permissions

Attempting to perform other actions with the proxmox-backup-client will result in an access denied message. This can be tested by attempting to create a new namespace on our PBS datatsore. Lets test this by attempting to create a namespace called test on the datastore.

root@nas[~]# proxmox-backup-client namespace create test
Error: permission check failed - missing Datastore.Modify on /datastore/Mirror2

But we can list available backups made by the truenas@pbs account.

root@nas[~]# proxmox-backup-client list        
+==========+===============================+==============+==================================================================
| group    | last snapshot                 | backup-count | files                                                            
+==========+===============================+==============+==================================================================
| host/nas | host/nas/2023-02-28T06:17:54Z |            1 | backup.pxar catalog.pcat1 index.json nas-data.pxar nas-home.pxar 
+==========+===============================+==============+==================================================================

Congratulations, you can now backup TrueNAS Scale datasets onto a Proxmox Backup Server instance. The full documentation for proxmox-backup-client can be found at https://pbs.proxmox.com/docs/backup-client.html.