Non Root ZFS Replication with Syncoid
By hernil
One of the key strenghts of using ZFS as a file server is the extremely effecient replication that can be used for backup purposes. Sanoid and Syncoid are abstractions over the built in zfs snapshot
and zfs send
functionality that makes life a little simpler and should also help speed up transfers.
This guide is pretty bare bones and was written previously as a step by step reminder of how I set up my backup server pull data from my laptop.
The advantage of this pull-based configuration is that a compromised machine has no way to modify any of the previously backed up files on the backup destination. Similarly a compromised backup destination (hopefully it won’t come to that …) would actually not have any way of modifying files on the production system as we only grant it read access.
Sender / production system
Install ssh-server if needed
sudo apt install ssh
Create user
sudo mkdir /home/zfssend
sudo useradd --home-dir /home/zfssend --shell /bin/bash zfssend
sudo chown zfssend:zfssend /home/zfssend
Create ssh key
sudo -u zfssend bash
ssh-keygen -t ed25519
exit
Set zfs delegation rights
sudo zfs allow zfssend send,hold rpool
Reciever / Backup destination
Create zfs dataset
sudo zfs create tank/backup/zfs/sending-host
Create user
sudo useradd --no-create-home --home-dir /mnt/tank/backup/zfs --shell /bin/bash zfsrecv
Create ssh key
sudo -u zfsrecv bash
ssh-keygen -t ed25519
cat ~/.ssh/id_ed25519.pub
Add key to sender user
tee -a /home/zfssend/.ssh/authorized_keys << EOF
[paste key here]
EOF
Set zfs delegation rights
sudo zfs allow zfsrecv create,mount,receive,rollback tank/backup/zfs
Testing
Let’s go ahead and test that everything is working by running this as the zfsrecv
user.
syncoid -r --no-privilege-elevation --no-sync-snap zfssend@sending-host:rpool tank/backup/zfs/sending-host/rpool --exclude=docker
Sources
Heavily inspired by