iSCSI Permissions

jediweapon

I use Veeam Backups over iSCSI (Direct SAN), and for this to work with iSCSI each Veeam proxy has an iSCSI initiator to the TrueNAS device. If the volume automounts upon discovery or someone accidentally initializes the disk from Windows Disk Management, all data in the volume would be lost. Is there a way to set read-only access permissions from the Veeam proxy?
 

Stilez

I don't know Veeam, but a quick look at Google ("veeam proxy pre-backup script") says it should be possible to run pre- and post- scripts around your backups. For example this page describes one site's scripts. With that in mind, 2 obvious solutions I can think of:
  1. ZFS will tolerate 15 minute interval snaps easily - 5 or 10 minute if needed. If you keep say the last 200 5-15 minute interval snaps, even formatting the disk within Windows or encrypting its contents from Windows (ransomware) loses at most 5 - 15 minutes of data.
     That would be my suggested solution if workable.
  2. If worried about ZFS DESTROY or misuse of the server commands by mistake, then set ZFS HOLDs on your recent ZVOL snapshots as well (you are keeping snapshots, right?). You won't be allowed to fully destroy the ZVOL without destroying its snapshots, and you won't be allowed to destroy HELD snaps.
  3. Finally, if those aren't good enough, you can set the underlying ZVOL read only, and have a pre- and post-backup script via SSH that clears and resets the read-only flag on it. If you want more security you can require a specific user+password, or user+SSH key, to do this. Like most professional backup solutions Veeam can be configured to run pre- and post- scripts, or can itself be run from a script. SSH can run predetermined scripts using authorised keys. So you can have a fixed login that runs to "unlock" readonly, waits 30 seconds, kicks off a backup, waits 30 seconds after completion, and calls its fixed login a second time to "relock" the disk.
Hope one of those ideas helps!
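
The fixed-login idea from option 3, combined with the snapshot hold from option 2, sketched as an added example that is not part of the original post. The zvol name, hold tag, script path and `--forced` argument are assumptions; whether a `readonly` change is honoured on an extent that initiators already have open should be verified on your own system.

```shell
#!/bin/sh
# Added example (not from the thread): SSH forced-command gate for a backup key.
# On the NAS, ~/.ssh/authorized_keys for the backup login would contain
# (path and key are placeholders):
#   restrict,command="/usr/local/sbin/zvol-gate.sh --forced" ssh-ed25519 <PUBLIC-KEY> veeam-proxy
# The key can then only request: unlock | lock | status. Anything else is refused.

ZVOL="${ZVOL:-tank/veeam}"             # hypothetical zvol behind the iSCSI extent
HOLD_TAG="${HOLD_TAG:-veeam_keep}"     # hypothetical tag for zfs hold
ZFS="${ZFS:-zfs}"                      # overridable so the gate can be dry-run

gate() {
    # $1 is what the client asked to run (sshd puts it in SSH_ORIGINAL_COMMAND).
    case "$1" in
        unlock)
            # Take and hold a snapshot first, so the state before the
            # writable window cannot be destroyed by mistake.
            snap="$ZVOL@pre-backup-$(date -u +%Y%m%dT%H%M%SZ)"
            "$ZFS" snapshot "$snap" || return 1
            "$ZFS" hold "$HOLD_TAG" "$snap" || return 1
            "$ZFS" set readonly=off "$ZVOL"
            ;;
        lock)
            "$ZFS" set readonly=on "$ZVOL"
            ;;
        status)
            "$ZFS" get -H -o value readonly "$ZVOL"
            ;;
        *)
            # Interactive logins and arbitrary commands end up here.
            echo "refused: ${1:-<no command>}" >&2
            return 2
            ;;
    esac
}

# Only act when started by sshd through the forced command shown above.
if [ "${1:-}" = "--forced" ]; then
    gate "${SSH_ORIGINAL_COMMAND:-}"
    exit $?
fi
```

Held snapshots accumulate until released with `zfs release`, so pair this with a retention job that releases and prunes old ones.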
 

Oodimdemus

Looking for an answer to the same question. I am using TrueNAS with several ESXi hosts. I have Zvols shared via iSCSI with the ESXi hosts. These Zvols are formatted using VMFS-6. The various VM disk images are contained on those VMFS volumes.

Veeam supports a direct SAN mode. The Veeam backup proxy is given direct access to each iSCSI share to read the VM disk data, rather than funnelling it through an ESXi host. The VM snapshot needed to read the VM disk in a consistent state is initiated via the vSphere API. The vSphere API returns the NAA and path to disk file to the Veeam proxy. If the Veeam proxy has access to the NAA and can find the file, voila, it can perform the data transfer bypassing the ESXi host.

Because of Windows peculiarities I want to be 200% certain that the Windows-based Veeam backup proxy cannot initialize my VMFS shares. If it did, all my VMs would be lost. Thus, I would like to restrict the Veeam backup proxy to have read-only access to the same iSCSI shares that ESXi hosts have read-write access to.

I tried going about it the wrong way. I saw that extents can be marked read-only. So I created initiator groups, one for ESXi hosts and another for the Veeam backup proxy. I then created two targets, one for the ESXi hosts and the other for the Veeam backup proxy. Lastly I created two extents for each Zvol, one read-only and the other read-write, each associated respectively to the Veeam backup proxy and the ESXi hosts.

This works almost wonderfully. The ESXi hosts have read-write access to the same data the Veeam backup proxy has read-only access to - except - every extent has a unique NAA. Thus, when ESXi provides the NAA a particular dataset is located at, Veeam cannot find it as it doesn't have access to that same NAA.

Are there any other ways I can make the same NAA available read-write to one set of initiators and read-only to another set of initiators?
 