jimsalterjrs / sanoid

These are policy-driven snapshot management and replication tools which use OpenZFS for underlying next-gen storage. (Btrfs support plans are shelved unless and until btrfs becomes reliable.)
http://www.openoid.net/products/
GNU General Public License v3.0

restrict authorized key on the target host #709

Open eoli3n opened 2 years ago

eoli3n commented 2 years ago

I don't want the key I use for syncoid to be able to get a shell on the target host. How to secure ssh key to be able to use only syncoid on the target host in pull and push modes ? Something like

command="syncoid",restrict ssh-rsa ********************************************************************* user@host

0xFate commented 2 years ago

As this is running through an SSH (shell), disabling the shell for the user would be fatal. Please consult the documentation of your (unnamed) OS and shell on how to limit access for a user to use only the necessary commands (and maybe FS permissions!). A brief guideline on how to run as an unprivileged user can be found here: https://github.com/jimsalterjrs/sanoid/wiki/Syncoid#running-without-root. Any further guide here would be out of scope, but feel free to ask for help if you run into problems; please don't forget to ship the necessary details in your question so others can help you.

On Wed, 12 Jan 2022 at 21:39, Jonathan Kirszling < @.***> wrote:

I don't want the key I use for syncoid to be able to get a shell on the target host. How to secure ssh key to be only able to use syncoid on the target host ? Something like

command="syncoid",restrict ssh-rsa *** *@.

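One way to pin the key to syncoid's traffic on a push target, as an added example that is not part of this thread or of sanoid: a forced command that parses SSH_ORIGINAL_COMMAND, accepts only the receive pipeline shape visible in the error output later in this thread plus read-only zfs list / zfs get, and runs the validated argv lists itself instead of handing the text to a shell. The script path, the dataset prefix and the rule set are assumptions; other commands syncoid sends will be rejected until rules for them are added.

```python
#!/usr/bin/env python3
# Added example. Hypothetical install path, referenced from authorized_keys as:
#   command="/usr/local/bin/syncoid-gate",restrict ssh-ed25519 <public key> syncoid@source
import os
import re
import subprocess
import sys

# Assumptions: received datasets live under this prefix (destination used in
# the thread) and the allowed stage shapes are those shown in the thread's
# error output. Extend the rules from your own log of rejected commands.
TARGET_PREFIX = "dpool/data/syncoid/"
SAFE_CHARS = re.compile(r"[A-Za-z0-9 _./:@'=,|>&+-]*")
SIZE = re.compile(r"\d+[kMG]?")
DATASET = re.compile(r"[A-Za-z0-9_.:-]+(/[A-Za-z0-9_.:-]+)*")
REDIRECTS = {"2>/dev/null": subprocess.DEVNULL, "2>&1": subprocess.STDOUT}


class Rejected(Exception):
    pass


def _unquote(word):
    # Accept only a word wrapped as a whole in single quotes.
    if len(word) >= 2 and word[0] == word[-1] == "'":
        word = word[1:-1]
    if "'" in word:
        raise Rejected("unsupported quoting")
    return word


def _check_stage(argv):
    prog, args = argv[0], argv[1:]
    if prog == "mbuffer":
        ok = (len(args) == 5 and args[0] == "-q" and args[1] == "-s"
              and args[3] == "-m" and SIZE.fullmatch(args[2])
              and SIZE.fullmatch(args[4]))
    elif prog == "lzop":
        ok = args in ([], ["-dfc"])
    elif prog == "zfs" and args[:1] == ["receive"]:
        *flags, dataset = args[1:] or [""]
        ok = (set(flags) <= {"-s", "-F"} and dataset.startswith(TARGET_PREFIX)
              and DATASET.fullmatch(dataset))
    elif prog == "zfs" and args[:1] in (["list"], ["get"]):
        ok = True  # read-only queries
    else:
        ok = False  # includes zfs destroy, shells, anything unknown
    if not ok:
        raise Rejected("stage not allowed: " + " ".join(argv))


def parse_pipeline(cmd):
    """Return [(argv, stderr_target), ...] or raise Rejected."""
    if not cmd.strip() or not SAFE_CHARS.fullmatch(cmd):
        raise Rejected("empty command or forbidden character")
    stages = []
    for raw in cmd.split("|"):
        words, stderr = raw.split(), None
        while words and words[-1] in REDIRECTS:  # only trailing stderr redirects
            stderr = REDIRECTS[words.pop()]
        argv = [_unquote(w) for w in words]
        if not argv or any(">" in w or "&" in w for w in argv):
            raise Rejected("empty stage or unsupported redirection")
        _check_stage(argv)
        stages.append((argv, stderr))
    return stages


def is_allowed(cmd):
    try:
        parse_pipeline(cmd)
        return True
    except Rejected:
        return False


def run_pipeline(stages):
    """Run the validated argv lists directly; no shell re-parses the text."""
    procs, stdin = [], None  # first stage reads the SSH channel's stdin
    for i, (argv, stderr) in enumerate(stages):
        last = i == len(stages) - 1
        proc = subprocess.Popen(argv, stdin=stdin, stderr=stderr,
                                stdout=None if last else subprocess.PIPE)
        if stdin is not None:
            stdin.close()
        stdin = proc.stdout
        procs.append(proc)
    codes = [proc.wait() for proc in procs]
    return 1 if any(codes) else 0


if __name__ == "__main__":
    try:
        plan = parse_pipeline(os.environ.get("SSH_ORIGINAL_COMMAND", ""))
    except Rejected as exc:
        print(f"rejected: {exc}", file=sys.stderr)  # log these to grow the rules
        sys.exit(1)
    sys.exit(run_pipeline(plan))
```

The gate only narrows what the key can ask for; what zfs receive may actually touch is still bounded by the permissions delegated to the syncoid user on the target.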

eoli3n commented 2 years ago

Works perfectly ! Thanks

I would like to use recursive and exclude some datasets, like

$ zfs list
NAME                                   USED  AVAIL     REFER  MOUNTPOINT
zroot                                 3.05G   443G       96K  /zroot
zroot/ROOT                            1.59G   443G       96K  none
zroot/ROOT/default                    1.59G   443G     1.54G  /
zroot/bastille                         769M   443G      120K  /usr/local/bastille
zroot/bastille/backups                  96K   443G       96K  /usr/local/bastille/backups
zroot/bastille/cache                   180M   443G       96K  /usr/local/bastille/cache
zroot/bastille/cache/13.0-RELEASE      180M   443G      180M  /usr/local/bastille/cache/13.0-RELEASE
zroot/bastille/jails                   119M   443G       96K  /usr/local/bastille/jails
zroot/bastille/jails/syncthing         119M   443G      112K  /usr/local/bastille/jails/syncthing
zroot/bastille/jails/syncthing/root    119M   443G      118M  /usr/local/bastille/jails/syncthing/root
zroot/bastille/logs                    100K   443G      100K  /var/log/bastille
zroot/bastille/releases                469M   443G       96K  /usr/local/bastille/releases
zroot/bastille/releases/13.0-RELEASE   469M   443G      469M  /usr/local/bastille/releases/13.0-RELEASE
zroot/bastille/templates               116K   443G      116K  /usr/local/bastille/templates
zroot/data                             288K   443G       96K  /zroot/data
zroot/encrypted                       1000K   443G      200K  /zroot/encrypted
zroot/tmp                              352K   443G      352K  /tmp
zroot/usr                              714M   443G       96K  /usr
zroot/usr/home                         160K   443G      160K  /usr/home
zroot/usr/ports                        713M   443G      713M  /usr/ports
zroot/usr/src                           96K   443G       96K  /usr/src
zroot/var                              916K   443G       96K  /var
zroot/var/audit                         96K   443G       96K  /var/audit
zroot/var/crash                         96K   443G       96K  /var/crash
zroot/var/log                          416K   443G      416K  /var/log
zroot/var/mail                         116K   443G      116K  /var/mail
zroot/var/tmp                           96K   443G       96K  /var/tmp
$ syncoid --no-privilege-elevation --no-sync-snap --exclude zroot/encrypted --exclude zroot/data --recursive zroot syncoid@nas:dpool/data/syncoid/zroot

How could I do this ?

0xFate commented 2 years ago

https://github.com/jimsalterjrs/sanoid/pull/189

On Thu, 13 Jan 2022 at 15:49, Jonathan Kirszling < @.***> wrote:

Works perfectly ! Thanks

I would like to exclude some datasets, like


$ syncoid --no-privilege-elevation --no-sync-snap --exclude zroot/encrypted --exclude zroot/data --recursive zroot @.***:dpool/data/syncoid/zroot

How could I do this ?


eoli3n commented 2 years ago

Thanks, the last problem I get is that if I don't use --no-sync-snap, syncoid creates some snapshots which it can't suppress locally afterwards because I didn't give the destroy permission. As in the wiki link, I want the local syncoid user to only be able to send,snapshot,hold. If I use --no-sync-snap, as I don't use sanoid on all datasets, then I get a warning

WARN: --no-sync-snap is set, and getnewestsnapshot() could not find any snapshots on source for current dataset. Continuing.

0xFate commented 2 years ago

this is only a warning about not finding newer snapshots which can be perfectly fine, as you instructed syncoid to not create transfer snapshots, it will only send snaps created after the last run.

On Thu, 13 Jan 2022 at 16:14, Jonathan Kirszling < @.***> wrote:

Thanks, the last problem I get is that if I don't use --no-sync-snap, syncoid create some snapshots which it can't suppress after because I didn't give the destroy permission locally. As in the wiki link, I want local syncoid user to only be able to send,snapshot,hold. If I use --no-sync-snap, as I don't use sanoid on all datasets, then I get a warning

WARN: --no-sync-snap is set, and getnewestsnapshot() could not find any snapshots on source for current dataset. Continuing.


eoli3n commented 2 years ago

So when I sync a dataset without any snapshot on source, it warns, and then it creates a snapshot at the destination? That's not what I get.

Firstly, the syncoid:no-sync property seems not to be working, it keeps trying to sync zroot/encrypted. Then, it seems that recursive cannot replicate the whole dataset hierarchy, because it can't sync parents, because they don't have any snapshots and I use --no-sync-snap.

syncoid@iode:~ $ zfs get -r syncoid:no-sync zroot/encrypted
NAME                     PROPERTY         VALUE            SOURCE
zroot/encrypted          syncoid:no-sync  on               local
zroot/encrypted/backups  syncoid:no-sync  on               inherited from zroot/encrypted
zroot/encrypted/local    syncoid:no-sync  on               inherited from zroot/encrypted
zroot/encrypted/sync     syncoid:no-sync  on               inherited from zroot/encrypted
zroot/encrypted/syncoid  syncoid:no-sync  on               inherited from zroot/encrypted

syncoid@iode:~ $ /usr/local/bin/syncoid --no-privilege-elevation --no-sync-snap --recursive zroot syncoid@nas:dpool/data/syncoid/zroot
WARN: --no-sync-snap is set, and getnewestsnapshot() could not find any snapshots on source for current dataset. Continuing.
CRITICAL: no snapshots exist on source zroot, and you asked for --no-sync-snap.
WARN: --no-sync-snap is set, and getnewestsnapshot() could not find any snapshots on source for current dataset. Continuing.
CRITICAL: no snapshots exist on source zroot/ROOT, and you asked for --no-sync-snap.
NEWEST SNAPSHOT: autosnap_2022-01-14_08:00:00_hourly
INFO: Sending oldest full snapshot zroot/ROOT/default@autosnap_2022-01-11_21:00:00_monthly (~ 2.4 GB) to new target filesystem:
cannot open 'dpool/data/syncoid/zroot/ROOT': dataset does not exist
cannot receive new filesystem stream: unable to restore to destination
mbuffer: error: outputThread: error writing to <stdout> at offset 0x260000: Broken pipe
mbuffer: warning: error during output to <stdout>: Broken pipe
25.6MiB 0:00:00 [81.5MiB/s] [>                                                                     ]  1%            
warning: cannot send 'zroot/ROOT/default@autosnap_2022-01-11_21:00:00_monthly': signal received
CRITICAL ERROR:  zfs send  'zroot/ROOT/default'@'autosnap_2022-01-11_21:00:00_monthly' | pv -s 2626186544 | lzop  | mbuffer  -q -s 128k -m 16M 2>/dev/null | ssh     -S /tmp/syncoid-syncoid-syncoid@nas-1642149590 syncoid@nas ' mbuffer  -q -s 128k -m 16M 2>/dev/null | lzop -dfc |  zfs receive  -s -F '"'"'dpool/data/syncoid/zroot/ROOT/default'"'"'' failed: 256 at /usr/local/bin/syncoid line 464.
WARN: --no-sync-snap is set, and getnewestsnapshot() could not find any snapshots on source for current dataset. Continuing.
CRITICAL: no snapshots exist on source zroot/bastille, and you asked for --no-sync-snap.
WARN: --no-sync-snap is set, and getnewestsnapshot() could not find any snapshots on source for current dataset. Continuing.
CRITICAL: no snapshots exist on source zroot/bastille/backups, and you asked for --no-sync-snap.
WARN: --no-sync-snap is set, and getnewestsnapshot() could not find any snapshots on source for current dataset. Continuing.
CRITICAL: no snapshots exist on source zroot/bastille/cache, and you asked for --no-sync-snap.
WARN: --no-sync-snap is set, and getnewestsnapshot() could not find any snapshots on source for current dataset. Continuing.
CRITICAL: no snapshots exist on source zroot/bastille/cache/13.0-RELEASE, and you asked for --no-sync-snap.
WARN: --no-sync-snap is set, and getnewestsnapshot() could not find any snapshots on source for current dataset. Continuing.
CRITICAL: no snapshots exist on source zroot/bastille/jails, and you asked for --no-sync-snap.
NEWEST SNAPSHOT: autosnap_2022-01-14_08:00:00_hourly
INFO: Sending oldest full snapshot zroot/bastille/jails/syncthing@autosnap_2022-01-13_11:00:00_monthly (~ 48 KB) to new target filesystem:
51.3KiB 0:00:00 [7.02MiB/s] [=====================================================================] 106%            
cannot open 'dpool/data/syncoid/zroot/bastille/jails': dataset does not exist
cannot receive new filesystem stream: unable to restore to destination
CRITICAL ERROR:  zfs send  'zroot/bastille/jails/syncthing'@'autosnap_2022-01-13_11:00:00_monthly' | pv -s 49264 | lzop  | mbuffer  -q -s 128k -m 16M 2>/dev/null | ssh     -S /tmp/syncoid-syncoid-syncoid@nas-1642149590 syncoid@nas ' mbuffer  -q -s 128k -m 16M 2>/dev/null | lzop -dfc |  zfs receive  -s -F '"'"'dpool/data/syncoid/zroot/bastille/jails/syncthing'"'"'' failed: 256 at /usr/local/bin/syncoid line 464.
NEWEST SNAPSHOT: autosnap_2022-01-14_08:00:00_hourly
INFO: Sending oldest full snapshot zroot/bastille/jails/syncthing/root@autosnap_2022-01-13_11:00:00_monthly (~ 6.9 MB) to new target filesystem:
9.07MiB 0:00:00 [53.6MiB/s] [=====================================================================] 130%            
cannot open 'dpool/data/syncoid/zroot/bastille/jails/syncthing': dataset does not exist
cannot receive new filesystem stream: unable to restore to destination
CRITICAL ERROR:  zfs send  'zroot/bastille/jails/syncthing/root'@'autosnap_2022-01-13_11:00:00_monthly' | pv -s 7265272 | lzop  | mbuffer  -q -s 128k -m 16M 2>/dev/null | ssh     -S /tmp/syncoid-syncoid-syncoid@nas-1642149590 syncoid@nas ' mbuffer  -q -s 128k -m 16M 2>/dev/null | lzop -dfc |  zfs receive  -s -F '"'"'dpool/data/syncoid/zroot/bastille/jails/syncthing/root'"'"'' failed: 256 at /usr/local/bin/syncoid line 464.
WARN: --no-sync-snap is set, and getnewestsnapshot() could not find any snapshots on source for current dataset. Continuing.
CRITICAL: no snapshots exist on source zroot/bastille/logs, and you asked for --no-sync-snap.
WARN: --no-sync-snap is set, and getnewestsnapshot() could not find any snapshots on source for current dataset. Continuing.
CRITICAL: no snapshots exist on source zroot/bastille/releases, and you asked for --no-sync-snap.
WARN: --no-sync-snap is set, and getnewestsnapshot() could not find any snapshots on source for current dataset. Continuing.
CRITICAL: no snapshots exist on source zroot/bastille/releases/13.0-RELEASE, and you asked for --no-sync-snap.
WARN: --no-sync-snap is set, and getnewestsnapshot() could not find any snapshots on source for current dataset. Continuing.
CRITICAL: no snapshots exist on source zroot/bastille/templates, and you asked for --no-sync-snap.
WARN: --no-sync-snap is set, and getnewestsnapshot() could not find any snapshots on source for current dataset. Continuing.
CRITICAL: no snapshots exist on source zroot/data, and you asked for --no-sync-snap.
WARN: --no-sync-snap is set, and getnewestsnapshot() could not find any snapshots on source for current dataset. Continuing.
CRITICAL: no snapshots exist on source zroot/data/isos, and you asked for --no-sync-snap.
WARN: --no-sync-snap is set, and getnewestsnapshot() could not find any snapshots on source for current dataset. Continuing.
CRITICAL: no snapshots exist on source zroot/data/vms, and you asked for --no-sync-snap.
WARN: --no-sync-snap is set, and getnewestsnapshot() could not find any snapshots on source for current dataset. Continuing.
CRITICAL: no snapshots exist on source zroot/encrypted, and you asked for --no-sync-snap.
WARN: --no-sync-snap is set, and getnewestsnapshot() could not find any snapshots on source for current dataset. Continuing.
CRITICAL: no snapshots exist on source zroot/encrypted/backups, and you asked for --no-sync-snap.
WARN: --no-sync-snap is set, and getnewestsnapshot() could not find any snapshots on source for current dataset. Continuing.
CRITICAL: no snapshots exist on source zroot/encrypted/local, and you asked for --no-sync-snap.
WARN: --no-sync-snap is set, and getnewestsnapshot() could not find any snapshots on source for current dataset. Continuing.
CRITICAL: no snapshots exist on source zroot/encrypted/sync, and you asked for --no-sync-snap.
WARN: --no-sync-snap is set, and getnewestsnapshot() could not find any snapshots on source for current dataset. Continuing.
CRITICAL: no snapshots exist on source zroot/encrypted/syncoid, and you asked for --no-sync-snap.
WARN: --no-sync-snap is set, and getnewestsnapshot() could not find any snapshots on source for current dataset. Continuing.
CRITICAL: no snapshots exist on source zroot/tmp, and you asked for --no-sync-snap.
WARN: --no-sync-snap is set, and getnewestsnapshot() could not find any snapshots on source for current dataset. Continuing.
CRITICAL: no snapshots exist on source zroot/usr, and you asked for --no-sync-snap.
WARN: --no-sync-snap is set, and getnewestsnapshot() could not find any snapshots on source for current dataset. Continuing.
CRITICAL: no snapshots exist on source zroot/usr/home, and you asked for --no-sync-snap.
WARN: --no-sync-snap is set, and getnewestsnapshot() could not find any snapshots on source for current dataset. Continuing.
CRITICAL: no snapshots exist on source zroot/usr/ports, and you asked for --no-sync-snap.
WARN: --no-sync-snap is set, and getnewestsnapshot() could not find any snapshots on source for current dataset. Continuing.
CRITICAL: no snapshots exist on source zroot/usr/src, and you asked for --no-sync-snap.
WARN: --no-sync-snap is set, and getnewestsnapshot() could not find any snapshots on source for current dataset. Continuing.
CRITICAL: no snapshots exist on source zroot/var, and you asked for --no-sync-snap.
WARN: --no-sync-snap is set, and getnewestsnapshot() could not find any snapshots on source for current dataset. Continuing.
CRITICAL: no snapshots exist on source zroot/var/audit, and you asked for --no-sync-snap.
WARN: --no-sync-snap is set, and getnewestsnapshot() could not find any snapshots on source for current dataset. Continuing.
CRITICAL: no snapshots exist on source zroot/var/crash, and you asked for --no-sync-snap.
WARN: --no-sync-snap is set, and getnewestsnapshot() could not find any snapshots on source for current dataset. Continuing.
CRITICAL: no snapshots exist on source zroot/var/log, and you asked for --no-sync-snap.
WARN: --no-sync-snap is set, and getnewestsnapshot() could not find any snapshots on source for current dataset. Continuing.
CRITICAL: no snapshots exist on source zroot/var/mail, and you asked for --no-sync-snap.
WARN: --no-sync-snap is set, and getnewestsnapshot() could not find any snapshots on source for current dataset. Continuing.
CRITICAL: no snapshots exist on source zroot/var/tmp, and you asked for --no-sync-snap.

eoli3n commented 2 years ago

Ok, I use the wrong property https://github.com/jimsalterjrs/sanoid#syncoid-dataset-properties

eoli3n commented 2 years ago

But still

syncoid@iode:~ $ /usr/local/bin/syncoid --no-privilege-elevation --no-sync-snap --recursive zroot syncoid@nas:dpool/data/syncoid/zroot
WARN: --no-sync-snap is set, and getnewestsnapshot() could not find any snapshots on source for current dataset. Continuing.
CRITICAL: no snapshots exist on source zroot, and you asked for --no-sync-snap.
WARN: --no-sync-snap is set, and getnewestsnapshot() could not find any snapshots on source for current dataset. Continuing.
CRITICAL: no snapshots exist on source zroot/ROOT, and you asked for --no-sync-snap.
NEWEST SNAPSHOT: autosnap_2022-01-14_08:00:00_hourly
INFO: Sending oldest full snapshot zroot/ROOT/default@autosnap_2022-01-11_21:00:00_monthly (~ 2.4 GB) to new target filesystem:
cannot open 'dpool/data/syncoid/zroot/ROOT': dataset does not exist
cannot receive new filesystem stream: unable to restore to destination
mbuffer: error: outputThread: error writing to <stdout> at offset 0x260000: Broken pipe
mbuffer: warning: error during output to <stdout>: Broken pipe
42.3MiB 0:00:00 [82.1MiB/s] [>                                                                     ]  1%            
warning: cannot send 'zroot/ROOT/default@autosnap_2022-01-11_21:00:00_monthly': signal received
CRITICAL ERROR:  zfs send  'zroot/ROOT/default'@'autosnap_2022-01-11_21:00:00_monthly' | pv -s 2626186544 | lzop  | mbuffer  -q -s 128k -m 16M 2>/dev/null | ssh     -S /tmp/syncoid-syncoid-syncoid@nas-1642150762 syncoid@nas ' mbuffer  -q -s 128k -m 16M 2>/dev/null | lzop -dfc |  zfs receive  -s -F '"'"'dpool/data/syncoid/zroot/ROOT/default'"'"'' failed: 256 at /usr/local/bin/syncoid line 464.
WARN: --no-sync-snap is set, and getnewestsnapshot() could not find any snapshots on source for current dataset. Continuing.
CRITICAL: no snapshots exist on source zroot/bastille, and you asked for --no-sync-snap.
WARN: --no-sync-snap is set, and getnewestsnapshot() could not find any snapshots on source for current dataset. Continuing.
CRITICAL: no snapshots exist on source zroot/bastille/backups, and you asked for --no-sync-snap.
WARN: --no-sync-snap is set, and getnewestsnapshot() could not find any snapshots on source for current dataset. Continuing.
CRITICAL: no snapshots exist on source zroot/bastille/cache, and you asked for --no-sync-snap.
WARN: --no-sync-snap is set, and getnewestsnapshot() could not find any snapshots on source for current dataset. Continuing.
CRITICAL: no snapshots exist on source zroot/bastille/cache/13.0-RELEASE, and you asked for --no-sync-snap.
WARN: --no-sync-snap is set, and getnewestsnapshot() could not find any snapshots on source for current dataset. Continuing.
CRITICAL: no snapshots exist on source zroot/bastille/jails, and you asked for --no-sync-snap.
NEWEST SNAPSHOT: autosnap_2022-01-14_08:00:00_hourly
INFO: Sending oldest full snapshot zroot/bastille/jails/syncthing@autosnap_2022-01-13_11:00:00_monthly (~ 48 KB) to new target filesystem:
51.3KiB 0:00:00 [10.8MiB/s] [=====================================================================] 106%            
cannot open 'dpool/data/syncoid/zroot/bastille/jails': dataset does not exist
cannot receive new filesystem stream: unable to restore to destination
CRITICAL ERROR:  zfs send  'zroot/bastille/jails/syncthing'@'autosnap_2022-01-13_11:00:00_monthly' | pv -s 49264 | lzop  | mbuffer  -q -s 128k -m 16M 2>/dev/null | ssh     -S /tmp/syncoid-syncoid-syncoid@nas-1642150762 syncoid@nas ' mbuffer  -q -s 128k -m 16M 2>/dev/null | lzop -dfc |  zfs receive  -s -F '"'"'dpool/data/syncoid/zroot/bastille/jails/syncthing'"'"'' failed: 256 at /usr/local/bin/syncoid line 464.
NEWEST SNAPSHOT: autosnap_2022-01-14_08:00:00_hourly
INFO: Sending oldest full snapshot zroot/bastille/jails/syncthing/root@autosnap_2022-01-13_11:00:00_monthly (~ 6.9 MB) to new target filesystem:
9.07MiB 0:00:00 [53.5MiB/s] [=====================================================================] 130%            
cannot open 'dpool/data/syncoid/zroot/bastille/jails/syncthing': dataset does not exist
cannot receive new filesystem stream: unable to restore to destination
CRITICAL ERROR:  zfs send  'zroot/bastille/jails/syncthing/root'@'autosnap_2022-01-13_11:00:00_monthly' | pv -s 7265272 | lzop  | mbuffer  -q -s 128k -m 16M 2>/dev/null | ssh     -S /tmp/syncoid-syncoid-syncoid@nas-1642150762 syncoid@nas ' mbuffer  -q -s 128k -m 16M 2>/dev/null | lzop -dfc |  zfs receive  -s -F '"'"'dpool/data/syncoid/zroot/bastille/jails/syncthing/root'"'"'' failed: 256 at /usr/local/bin/syncoid line 464.
WARN: --no-sync-snap is set, and getnewestsnapshot() could not find any snapshots on source for current dataset. Continuing.
CRITICAL: no snapshots exist on source zroot/bastille/logs, and you asked for --no-sync-snap.
WARN: --no-sync-snap is set, and getnewestsnapshot() could not find any snapshots on source for current dataset. Continuing.
CRITICAL: no snapshots exist on source zroot/bastille/releases, and you asked for --no-sync-snap.
WARN: --no-sync-snap is set, and getnewestsnapshot() could not find any snapshots on source for current dataset. Continuing.
CRITICAL: no snapshots exist on source zroot/bastille/releases/13.0-RELEASE, and you asked for --no-sync-snap.
WARN: --no-sync-snap is set, and getnewestsnapshot() could not find any snapshots on source for current dataset. Continuing.
CRITICAL: no snapshots exist on source zroot/bastille/templates, and you asked for --no-sync-snap.
INFO: Skipping dataset (syncoid:sync=false): zroot/data...
INFO: Skipping dataset (syncoid:sync=false): zroot/data/isos...
INFO: Skipping dataset (syncoid:sync=false): zroot/data/vms...
INFO: Skipping dataset (syncoid:sync=false): zroot/encrypted...
INFO: Skipping dataset (syncoid:sync=false): zroot/encrypted/backups...
INFO: Skipping dataset (syncoid:sync=false): zroot/encrypted/local...
INFO: Skipping dataset (syncoid:sync=false): zroot/encrypted/sync...
INFO: Skipping dataset (syncoid:sync=false): zroot/encrypted/syncoid...
WARN: --no-sync-snap is set, and getnewestsnapshot() could not find any snapshots on source for current dataset. Continuing.
CRITICAL: no snapshots exist on source zroot/tmp, and you asked for --no-sync-snap.
WARN: --no-sync-snap is set, and getnewestsnapshot() could not find any snapshots on source for current dataset. Continuing.
CRITICAL: no snapshots exist on source zroot/usr, and you asked for --no-sync-snap.
WARN: --no-sync-snap is set, and getnewestsnapshot() could not find any snapshots on source for current dataset. Continuing.
CRITICAL: no snapshots exist on source zroot/usr/home, and you asked for --no-sync-snap.
WARN: --no-sync-snap is set, and getnewestsnapshot() could not find any snapshots on source for current dataset. Continuing.
CRITICAL: no snapshots exist on source zroot/usr/ports, and you asked for --no-sync-snap.
WARN: --no-sync-snap is set, and getnewestsnapshot() could not find any snapshots on source for current dataset. Continuing.
CRITICAL: no snapshots exist on source zroot/usr/src, and you asked for --no-sync-snap.
WARN: --no-sync-snap is set, and getnewestsnapshot() could not find any snapshots on source for current dataset. Continuing.
CRITICAL: no snapshots exist on source zroot/var, and you asked for --no-sync-snap.
WARN: --no-sync-snap is set, and getnewestsnapshot() could not find any snapshots on source for current dataset. Continuing.
CRITICAL: no snapshots exist on source zroot/var/audit, and you asked for --no-sync-snap.
WARN: --no-sync-snap is set, and getnewestsnapshot() could not find any snapshots on source for current dataset. Continuing.
CRITICAL: no snapshots exist on source zroot/var/crash, and you asked for --no-sync-snap.
WARN: --no-sync-snap is set, and getnewestsnapshot() could not find any snapshots on source for current dataset. Continuing.
CRITICAL: no snapshots exist on source zroot/var/log, and you asked for --no-sync-snap.
WARN: --no-sync-snap is set, and getnewestsnapshot() could not find any snapshots on source for current dataset. Continuing.
CRITICAL: no snapshots exist on source zroot/var/mail, and you asked for --no-sync-snap.
WARN: --no-sync-snap is set, and getnewestsnapshot() could not find any snapshots on source for current dataset. Continuing.
CRITICAL: no snapshots exist on source zroot/var/tmp, and you asked for --no-sync-snap.

I would like to avoid using sync snaps, because it needs the destroy permission for the local syncoid user. If it gets compromised, it could delete everything.
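A check for the delegation concern raised above, as an added example that is not part of the thread or of sanoid: it parses `zfs allow` output and reports any permission delegated to the replication user beyond send, snapshot and hold. The sample output is constructed, and the user name `backupadmin` in it is hypothetical.

```python
import re

# Source-side permissions the thread wants the syncoid user limited to.
ALLOWED = {"send", "snapshot", "hold"}

# Constructed sample in the layout `zfs allow zroot/usr` prints: the dataset
# itself first, then its ancestors. Not taken from the thread.
SAMPLE = (
    "---- Permissions on zroot/usr ----------------------------------------\n"
    "Local+Descendent permissions:\n"
    "\tuser syncoid destroy,hold,mount,send,snapshot\n"
    "---- Permissions on zroot --------------------------------------------\n"
    "Local+Descendent permissions:\n"
    "\tuser backupadmin create,destroy,mount\n"
    "\tuser syncoid hold,send,snapshot\n"
)

HEADER = re.compile(r"^-+ Permissions on (\S+) -+$")
ENTRY = re.compile(r"^\s+(user|group)\s+(\S+)\s+(\S+)$")


def excess_permissions(zfs_allow_output, who="syncoid", allowed=ALLOWED):
    """Return {dataset: sorted extra permissions} delegated to `who`."""
    findings, dataset = {}, None
    for line in zfs_allow_output.splitlines():
        header = HEADER.match(line)
        if header:
            dataset = header.group(1)
            continue
        entry = ENTRY.match(line)
        if entry and dataset and entry.group(2) == who:
            extra = set(entry.group(3).split(",")) - allowed
            if extra:
                findings.setdefault(dataset, set()).update(extra)
    return {ds: sorted(perms) for ds, perms in findings.items()}


if __name__ == "__main__":
    for ds, perms in excess_permissions(SAMPLE).items():
        print(f"{ds}: syncoid also holds {','.join(perms)}")
```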

eoli3n commented 2 years ago

Ok, I pass on

syncoid@iode:~ $ /usr/local/bin/syncoid --no-privilege-elevation --no-sync-snap syncoid@nas:zroot zroot/encrypted/syncoid
Sending incremental zroot@syncoid_iode_2022-01-14:14:21:14 ... syncoid_iode_2022-01-14:14:35:29 (~ 4 KB):
1.52KiB 0:00:00 [5.54KiB/s] [=========================>                                            ] 38%            
Sending incremental zroot/ROOT@syncoid_iode_2022-01-14:14:21:18 ... syncoid_iode_2022-01-14:14:35:33 (~ 4 KB):
1.52KiB 0:00:00 [4.94KiB/s] [=========================>                                            ] 38%            
Resuming interrupted zfs send/receive from zroot/ROOT/default to dpool/data/syncoid/zroot/ROOT/default (~ 1.3 GB remaining):
1.35GiB 0:02:19 [9.86MiB/s] [=====================================================================] 102%            
cannot mount '/data/zfs/syncoid/zroot/ROOT/default': failed to create mountpoint: Permission denied
CRITICAL ERROR:  zfs send  -t 1-102cbd96d0-e0-789c636064000310a500c4ec50360710e72765a5269730302cb187a8c1904f4b2b4e2d01c96431c2e4d990e4932a4b528b81f40b8ddd1ed8f497e4a79766a63030ccddb387f39855dfcb0024794eb07c5e626e2a034355517e7e897e90bf7f887e4a6a5a62694e89436269497e715e6241bc91819191ae81a1aea161bc91a195810110c5e7e6e79564e45482dd0c00abae2760 | pv -s 1405961288 | lzop  | mbuffer  -q -s 128k -m 16M 2>/dev/null | ssh     -S /tmp/syncoid-syncoid-syncoid@nas-1642167328 syncoid@nas ' mbuffer  -q -s 128k -m 16M 2>/dev/null | lzop -dfc |  zfs receive  -s -F '"'"'dpool/data/syncoid/zroot/ROOT/default'"'"' 2>&1' failed: 256 at /usr/local/bin/syncoid line 549.
^C

But it still fails mounting because, on the target 1° even with parent dir owned by syncoid user, when syncing as syncoid user, it creates subdirs (mountpoints) as root.
Why ?

root@nas /d/zfs# pwd
/data/zfs
root@nas /d/zfs# ls -altr syncoid
total 10
drwxr-xr-x   4 root     wheel   4 Jan 13 14:01 zroot
drwxr-xr-x  11 root     wheel  11 Jan 13 15:17 ..
drwxr-xr-x   3 syncoid  wheel   3 Jan 14 14:49 .

2° children datasets inherit the canmount property from the source

root@nas /d/zfs# zfs get -r canmount dpool/data/syncoid
NAME                                                                        PROPERTY  VALUE     SOURCE
dpool/data/syncoid                                                          canmount  noauto    local
dpool/data/syncoid/zroot                                                    canmount  on        default
dpool/data/syncoid/zroot@syncoid_iode_2022-01-14:14:35:29                   canmount  -         -
dpool/data/syncoid/zroot/ROOT                                               canmount  on        default
dpool/data/syncoid/zroot/ROOT@syncoid_iode_2022-01-14:14:35:33              canmount  -         -
dpool/data/syncoid/zroot/ROOT/default                                       canmount  on        default
dpool/data/syncoid/zroot/bastille                                           canmount  on        default
dpool/data/syncoid/zroot/bastille@syncoid_iode_2022-01-14:14:38:01          canmount  -         -
dpool/data/syncoid/zroot/bastille/backups                                   canmount  on        default
dpool/data/syncoid/zroot/bastille/backups@syncoid_iode_2022-01-14:14:20:21  canmount  -         -
dpool/data/syncoid/zroot/bastille/cache                                     canmount  on        default
dpool/data/syncoid/zroot/bastille/cache@syncoid_iode_2022-01-14:14:38:07    canmount  -         -
dpool/data/syncoid/zroot/bastille/cache/13.0-RELEASE                        canmount  on        default

0xFate commented 2 years ago

As the synced datasets get same permissions as the source you will not have permissions to mount further subdirectories. Either refrain from automount, as this may always stay fragile while not having the necessary permissions, or get the necessary permissions for the user.

On to your other questions: I didn't read on or off in any documentation I've linked. I've read true/false/list_of_hosts schema, so if your hostname is not "on" it may have worked the right way, but for the wrong reason, your mileage may vary. Please read the provided documentation more carefully.

No sync snaps means do not create intermediate snapshots. So you won't get the latest version of your dataset, only the latest snapshots which (have to exist on source, but) aren't on the target. The message makes me think there are no snapshots to sync.

Achieving your preferred security concept should be easier w/o mount permissions, and automount off (mounting could be achieved on target as root cron). Anything else would be a blackhole in your concept, so you could give him root right away.

Jonathan Kirszling @.***> schrieb am Fr., 14. Jan. 2022, 15:00:

Ok, I pass on

  • using sync snaps
  • allowing mount,destroy to local syncoid user

Now I get annoyed because syncoid can't mount on the target. I tried two solutions on the destination:

  • chmod syncoid /path/to/syncoid/mountpoint
  • zfs set canmount=noauto dpool/data/syncoid

@.:~ $ /usr/local/bin/syncoid --no-privilege-elevation --no-sync-snap @.:zroot zroot/encrypted/syncoid
Sending incremental @.***_iode_2022-01-14:14:21:14 ... syncoid_iode_2022-01-14:14:35:29 (~ 4 KB):
1.52KiB 0:00:00 [5.54KiB/s] [=========================> ] 38%
Sending incremental @.***_iode_2022-01-14:14:21:18 ... syncoid_iode_2022-01-14:14:35:33 (~ 4 KB):
1.52KiB 0:00:00 [4.94KiB/s] [=========================> ] 38%
Resuming interrupted zfs send/receive from zroot/ROOT/default to dpool/data/syncoid/zroot/ROOT/default (~ 1.3 GB remaining):
1.35GiB 0:02:19 [9.86MiB/s] [=====================================================================] 102%
cannot mount '/data/zfs/syncoid/zroot/ROOT/default': failed to create mountpoint: Permission denied
CRITICAL ERROR: zfs send -t 1-102cbd96d0-e0-789c636064000310a500c4ec50360710e72765a5269730302cb187a8c1904f4b2b4e2d01c96431c2e4d990e4932a4b528b81f40b8ddd1ed8f497e4a79766a63030ccddb387f39855dfcb0024794eb07c5e626e2a034355517e7e897e90bf7f887e4a6a5a62694e89436269497e715e6241bc91819191ae81a1aea161bc91a195810110c5e7e6e79564e45482dd0c00abae2760 | pv -s 1405961288 | lzop | mbuffer -q -s 128k -m 16M 2>/dev/null | ssh -S @. @. ' mbuffer -q -s 128k -m 16M 2>/dev/null | lzop -dfc | zfs receive -s -F '"'"'dpool/data/syncoid/zroot/ROOT/default'"'"' 2>&1' failed: 256 at /usr/local/bin/syncoid line 549.
^C

But it still fails mounting because, on the target, 1° even with the parent dir owned by the syncoid user, when syncing as the syncoid user, it creates subdirs (mountpoints) as root. Why?

@.*** /d/zfs# pwd
/data/zfs
@.*** /d/zfs# ls -altr syncoid
total 10
drwxr-xr-x   4 root     wheel   4 Jan 13 14:01 zroot
drwxr-xr-x  11 root     wheel  11 Jan 13 15:17 ..
drwxr-xr-x   3 syncoid  wheel   3 Jan 14 14:49 .

2° child datasets inherit the canmount property from the source

@.*** /d/zfs# zfs get -r canmount dpool/data/syncoid
NAME                                                  PROPERTY  VALUE   SOURCE
dpool/data/syncoid                                    canmount  noauto  local
dpool/data/syncoid/zroot                              canmount  on      default
@.***_iode_2022-01-14:14:35:29                        canmount  -       -
dpool/data/syncoid/zroot/ROOT                         canmount  on      default
@.***_iode_2022-01-14:14:35:33                        canmount  -       -
dpool/data/syncoid/zroot/ROOT/default                 canmount  on      default
dpool/data/syncoid/zroot/bastille                     canmount  on      default
@.***_iode_2022-01-14:14:38:01                        canmount  -       -
dpool/data/syncoid/zroot/bastille/backups             canmount  on      default
@.***_iode_2022-01-14:14:20:21                        canmount  -       -
dpool/data/syncoid/zroot/bastille/cache               canmount  on      default
@.***_iode_2022-01-14:14:38:07                        canmount  -       -
dpool/data/syncoid/zroot/bastille/cache/13.0-RELEASE  canmount  on      default

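A check for the situation in the listing above, added here as an example and not part of the thread or of sanoid: canmount is not an inherited property, so setting noauto on dpool/data/syncoid leaves every child at on. The function names and the sample listing are constructed; the script only prints `zfs set` commands for root to review and executes nothing.

```shell
#!/bin/sh
# Constructed sample in the layout of `zfs get -r canmount <dataset>` output
# (dataset names follow the thread; the snapshot name is shortened).
sample_canmount_output() {
cat <<'EOF'
NAME                                   PROPERTY  VALUE   SOURCE
dpool/data/syncoid                     canmount  noauto  local
dpool/data/syncoid/zroot               canmount  on      default
dpool/data/syncoid/zroot@snap1         canmount  -       -
dpool/data/syncoid/zroot/ROOT          canmount  on      default
dpool/data/syncoid/zroot/ROOT/default  canmount  on      default
dpool/data/syncoid/zroot/bastille      canmount  off     local
EOF
}

# Print every filesystem (not snapshot) whose canmount is still "on",
# i.e. one that zfs will try to mount after a receive.
# The header row is skipped because its second column is "PROPERTY".
# Names containing whitespace are not handled by this field split.
automount_candidates() {
    awk '$2 == "canmount" && $1 !~ /@/ && $3 == "on" { print $1 }'
}

# Turn the findings into commands for root to review; nothing is executed.
# Names outside a conservative character set are reported, not emitted.
remediation_commands() {
    automount_candidates | while IFS= read -r ds; do
        case "$ds" in
            *[!A-Za-z0-9_./:-]*) echo "# skipped unexpected name: $ds" >&2 ;;
            *) printf 'zfs set canmount=noauto %s\n' "$ds" ;;
        esac
    done
}

# On a live target, feed the real listing instead of the sample:
#   zfs get -r canmount dpool/data/syncoid | remediation_commands
sample_canmount_output | remediation_commands
```
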

eoli3n commented 2 years ago

So, Syncoid needs to create AND destroy snapshots locally. Then the user gets the permission to destroy any dataset too. If you remove this need with --no-sync-snap, then you need to snapshot with sanoid all synced datasets OR exclude datasets with syncoid:sync=false.

0xFate commented 2 years ago

It was built to sync snapshots created by sanoid. If you tell it not to create snapshots by itself, and do not create snapshots on your own, it has nothing to do. The snapshots created by itself are usually useful when you want the latest revision on disk.
