How to set up a read-only secondary TrueNAS system

tyler.montney

I just started using TrueNAS as a replacement for a simple Debian Samba box. It's a VM that does simple CIFS sharing, but could do more. I want to make sure it's backed up, to protect from things like ransomware. I have a QNAP box for backup.

What I've tried:
  • Veeam doesn't support a FreeBSD agent, so that's ruled out.
  • rsync works to the QNAP but it's quite basic.
When searching, I saw someone's suggestion here to use a second TrueNAS box. It'll run on an old HP Z420 workstation running RAID 10.

What I want:
  • Backup restore points (like what Veeam offers)
  • Write-only from the main box
    • The main box should not have access to read its backups
    • The secondary box determines how many backups to keep (deletes based on days/size)
    • (This way, if the main box is compromised, it can't delete its own backups.)
 

Patrick M. Hausen

You should investigate snapshot and replication tasks for that. It's all built in. If you want to control the retention period on the backup system, you should probably use a "pull" scheme for replication instead of "push".
 

Patrick M. Hausen

Silly question, I know.
Not really. But I thought the link from my statement "look into snapshot and replication tasks" to the documentation was self-explanatory.
 

tyler.montney

Not really. But I thought the link from my statement "look into snapshot and replication tasks" to the documentation was self-explanatory.

Got the drives, configured a raidz2 pool. Configured SSH authentication, set a public key for the remote host. Got denied, could only get access via root (problematic user could ssh from TrueNAS to TrueNAS via shell). Would prefer to set up a non-root replication account.

I'm new to TrueNAS, so forgive me. I assume snapshots allow me to recover in the event my main TrueNAS box gets corrupted/fails. When I try to replicate, I get an error like "data exists but no snapshots found, refusing to overwrite". I then realized that perhaps I need a local snapshot task on the remote system. It completes nearly instantly, under a KB used, referenced files in the GB. Remote replication task still fails with the same error.

https://retired-moocher-dave.org/2021/02/09/truenas-replication/

Found this and I feel like I followed it for the most part.

There's also this with a more detailed step approach, will see how that goes: http://storagegaga.com/zfs-replication-and-recovery-with-freenas/

Patrick M. Hausen

Is there any way to set a retention policy on a dataset?
Retention policy is set in the tasks. You can set one retention policy for the source in the snapshot task (e.g. hourly, keep 2 weeks), and another one for the destination in the replication task (e.g. only replicate the snapshot taken at midnight, keep for 4 weeks).

Don't create snapshot tasks on the destination.

Examples in my screenshots.

HTH,
Patrick
Source.png
Destination.png
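
The retention scheme described in the reply above, as an added example that is not part of the original thread and not TrueNAS's own code: a simplified Python model of hourly source snapshots kept for 2 weeks and a pull replication that copies only the midnight snapshot and keeps it for 4 weeks. The `auto-%Y-%m-%d_%H-%M` naming schema, the start date and all function names are assumptions made for the illustration.

```python
from datetime import datetime, timedelta
from functools import lru_cache

FMT = "auto-%Y-%m-%d_%H-%M"  # assumed snapshot naming schema

@lru_cache(maxsize=None)
def ts(name):
    """Creation time encoded in a snapshot name."""
    return datetime.strptime(name, FMT)

def prune(snaps, now, lifetime):
    """Drop snapshots whose age has reached the task's lifetime."""
    return [s for s in snaps if now - ts(s) < lifetime]

def pull(source, dest, now, lifetime=timedelta(weeks=4)):
    """One pull run on the destination: copy the midnight snapshots it
    lacks, then apply the destination's own retention."""
    midnight = [s for s in source if (ts(s).hour, ts(s).minute) == (0, 0)]
    return prune(sorted(set(dest) | set(midnight)), now, lifetime)

def common_base(source, dest):
    """Newest snapshot present on both sides; an incremental send needs one."""
    shared = set(source) & set(dest)
    return max(shared, key=ts) if shared else None

def simulate(days=35, start=datetime(2021, 5, 1)):
    """Hourly snapshots on the source (keep 2 weeks), pull after each one."""
    source, dest, now = [], [], start
    for hour in range(days * 24):
        now = start + timedelta(hours=hour)
        source = prune(source + [now.strftime(FMT)], now, timedelta(weeks=2))
        dest = pull(source, dest, now)
    return source, dest, now

if __name__ == "__main__":
    source, dest, now = simulate()
    print(len(source), "on source, oldest", source[0])
    print(len(dest), "on destination, oldest", dest[0])
    print("incremental base:", common_base(source, dest))
    # Source snapshots all gone: the destination keeps its own history.
    print(len(pull([], dest, now)), "left on destination after source loss")
```

In this model the destination's history reaches two weeks further back than the source's, and it is shortened only by the destination's own lifetime setting, never by what the source deletes.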