From: Hannes Laimer <h.laimer@proxmox.com>
To: Christian Ebner <c.ebner@proxmox.com>,
Proxmox Backup Server development discussion
<pbs-devel@lists.proxmox.com>
Subject: Re: [pbs-devel] [PATCH proxmox-backup v2 4/8] api: admin: run configured sync jobs when a datastore is mounted
Date: Wed, 4 Jun 2025 14:22:31 +0200 [thread overview]
Message-ID: <536a4529-8ad8-456a-a8d2-99bf748abbae@proxmox.com> (raw)
In-Reply-To: <f32ecd97-977d-46da-9ee9-47db5bd69853@proxmox.com>
On 5/30/25 15:08, Christian Ebner wrote:
> On 5/30/25 13:45, Hannes Laimer wrote:
>> added some inline comments, I'll probably send a v3 addressing some of
>> the things you mentioned
>>
>> On 5/30/25 12:02, Christian Ebner wrote:
>>> please see some comments inline
>>>
>>> On 5/15/25 14:41, Hannes Laimer wrote:
>>>> When a datastore is mounted, spawn a new task to run all sync jobs
>>>> marked with `run-on-mount`. These jobs run sequentially and include
>>>> any job for which the mounted datastore is:
>>>>
>>>> - The source or target in a local push/pull job
>>>> - The source in a push job to a remote datastore
>>>> - The target in a pull job from a remote datastore
>>>>
>>>> Signed-off-by: Hannes Laimer <h.laimer@proxmox.com>
>>>> + let _ = WorkerTask::spawn(
>>>> + "mount-sync-jobs",
>>>> + Some(store),
>>>> + auth_id.to_string(),
>>>> + false,
>>>> + move |worker| async move
>>>> { do_sync_jobs(jobs_to_run, worker).await },
>>>> + );
>>>> + }
>>>> + Ok(())
>>>> + },
>>>
>>> comment: all of above is executed within a api endpoint flagged as
>>> protected! This however leads to the sync job to be executed by the
>>> proxmox-backup-proxy, all the synced contents therefore written and
>>> owner by the root user instead of the backup user.
>>>
>>
>> actually true, good catch! I didn't even check that, I just assumed
>> we'd explicitly set the owner whenever we create dirs/files during
>> sync. We do this for garbage collection and in basically all other
>> places IIRC.
>>
>> So, I think we should also do that for syncs, can you think of a reason
>> to not do that? If not, I'll prepare a patch for that.
>
> As discussed off-list a bit, IMHO running the whole sync job code paths
> in the privileged api server is not ideal and would weaken the privilege
> separation. But I do agree that this is already been done in some places
> and would be probably easy to approach.
>
> An option would be to add an (unprivileged) api endpoint which allows to
> pass a list of sync jobs to be executed sequentially, e.g. `POST /api2/
> json/admin/sync/run-jobs`.
>
> Given that we found no better approach other then the two proposed ones,
> maybe somebody else has an opinion/suggestion on this?
For the sake of completeness, spoke with @Thomas off-list, and I'll use
the existing run_sync_job endpoint to start the jobs, and the UPID to do
polling on the status. This is in line with what we do in a few places
already and it does keep privileged and non-privileged stuff strictly
separated.
_______________________________________________
pbs-devel mailing list
pbs-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel
next prev parent reply other threads:[~2025-06-04 12:22 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-05-15 12:41 [pbs-devel] [PATCH proxmox/proxmox-backup v2 0/8] trigger sync jobs on mount Hannes Laimer
2025-05-15 12:41 ` [pbs-devel] [PATCH proxmox v2 1/8] rest-server: add function that returns a join handle for spawn Hannes Laimer
2025-05-15 12:41 ` [pbs-devel] [PATCH proxmox v2 2/8] pbs-api-types: add run-on-mount flag to SyncJobConfig Hannes Laimer
2025-05-15 12:41 ` [pbs-devel] [PATCH proxmox-backup v2 3/8] api: config: sync: update run-on-mount correctly Hannes Laimer
2025-05-15 12:41 ` [pbs-devel] [PATCH proxmox-backup v2 4/8] api: admin: run configured sync jobs when a datastore is mounted Hannes Laimer
2025-05-30 10:02 ` Christian Ebner
2025-05-30 11:45 ` Hannes Laimer
2025-05-30 13:08 ` Christian Ebner
2025-06-04 12:22 ` Hannes Laimer [this message]
2025-05-15 12:41 ` [pbs-devel] [PATCH proxmox-backup v2 5/8] api: admin: trigger sync jobs only on datastore mount Hannes Laimer
2025-05-15 12:41 ` [pbs-devel] [PATCH proxmox-backup v2 6/8] bin: manager: run uuid_mount/mount tasks on the proxy Hannes Laimer
2025-05-15 12:41 ` [pbs-devel] [PATCH proxmox-backup v2 7/8] ui: add run-on-mount checkbox to SyncJob form Hannes Laimer
2025-05-15 12:41 ` [pbs-devel] [PATCH proxmox-backup v2 8/8] ui: add task title for triggering sync jobs Hannes Laimer
2025-06-04 12:32 ` [pbs-devel] superseded: Re: [PATCH proxmox/proxmox-backup v2 0/8] trigger sync jobs on mount Hannes Laimer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=536a4529-8ad8-456a-a8d2-99bf748abbae@proxmox.com \
--to=h.laimer@proxmox.com \
--cc=c.ebner@proxmox.com \
--cc=pbs-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.