XO Backups on TrueNAS NFS Share

manoli · August 21, 2024, 11:08am

Hello to everyone,

I’d like to ask opinions and suggestions on how to setup “properly” NFS share on TrueNAS (Scale) for Xen Orchestra Backups?

Permissions on Dataset? I don’t like to have dataset wide open with ownership of root:root and permissions of 777
What about encryption? Does it make sense to encrypt dataset for Xen Backups? What might be drawbacks? …any performance hits?
Compression? Is it useful to have dataset with let’s say default lz compression?

Thank you in advance and have nice day everyone.

LTS_Tom · August 21, 2024, 12:40pm

Don’t worry about the NFS ownership unless you are going to use something such as kerberos, instead use a dedicated storage network and IP restrictions.
If you have an older slower CPU, encryption is not an issue. If you are using password based encryption on a data set you are protecting against access of the data in the event the physical theft of the TrueNAS system occurs.
Leave that at the default for the dataset.

Paul · August 21, 2024, 12:43pm

To add extra security on the truenas nfs share, under advanced you can lock access to certain ip addresses

LTS_Tom · August 21, 2024, 1:16pm

Yes, locking down the management interface of TrueNAS.

I have an older video on the topic, need to make a newer one.

manoli · August 21, 2024, 3:00pm

Thanks a lot for advice.

So I understand ownership root:root with permissions 777 on exported NFS share is ok.

Just because I’ve seen that actually files that XO creates are owned by nobody:nogroup (65534:65534).

I was thinking:
I’m not sure under which user is actually XO connecting to the NFS share, but I could make dedicated user:group that only have rw access to Backup NFS share nothing more than that. And then use either Mapall User or Maproot User in NFS Share settings.

…and of course restrict NFS Share only to specific IP of XO instance (or I’ll try to make that non-routable VLAN, just for XO storage access).

In regards to dedicated non-routable VLAN for TrueNAS NFS shares access, I understand that only XO with TrueNAS needs to be on this VLAN, correct? XCP-NG Hosts and VMs don’t need access here for Backups right?

But I don’t know if it is a good idea.

xerxes · October 23, 2024, 2:42pm

XO is writing as root

and correct, only truenas and XO need to be on this vlan. the traffic is tunneled from the xcp hosts through XO to the storage