Sections here are really just placeholders with enough information to get started on building actual articles...

Better Permissions Handling

Proven on:

12 (bookworm)

• sudo apt install acl
• sudo mkdir /FOOBAR
• sudo chown -R :users /FOOBAR
• sudo chmod -R g+ws /FOOBAR
• sudo setfacl -R -m g:users:rwx /FOOBAR

Now, the directory /FOOBAR is writeable by anyone in the users group.

Do keep in mind that users is a default group that all accounts are a member of. You could also create specific groups and add each user to specific groups for finer granularity.

Some Links

• Wikipedia : setuid
• Wikipedia : Access-control list
• StackExchange : Getting new files to inherit group permissions on Linux
• StackExchange : Using setfacl to create recursive permissions for Apache with rsync

Development Testing for a Backup Server

Proven on:

12 (bookworm)

Currently testing on a pair of LXCs, both configured as priveledged containers (tho this may not be needed).

Interesting side-quest: Apparently, unpriviledged containers do a bit of weirdness with bind-mount ownerships. There are instructions to work around this, but I have yet to work through this... For the moment, I'm using priviledged containers to work around it.

• VMID 999001: storage
• VMID 999002: backup

I've created a user named draal with specific responsibility for handling backups.(because remote access by root is stupid...)

draal has an equivalent account on ALL involved machines and is set up with ssh keys to avoid the use of password-based access.

On the PVE Server:

(setting up the storage for the test LXCs...)

• mkdir /mnt/Storage-0
• mkdir /mnt/Storage-1
• mount -L Storage-0 /mnt/Storage-0
• mount -L Storage-1 /mnt/Storage-1
• vi /etc/fstab

LABEL=Storage-0     /mnt/Storage-0    ext4   defaults 0 0
LABEL=Storage-1     /mnt/Storage-1    ext4   defaults 0 0

• pct set 999001 -mp0 /mnt/Storage-0,mp=/mnt/Storage # storage
• pct set 999002 -mp0 /mnt/Storage-1,mp=/mnt/Storage # backup

On "storage"

(logged in as draal)

• ssh-keygen
• ssh-copy-id draal@backup
• sudo apt install acl rsync
• sudo setfacl -R -m u:draal:rwx /mnt/Storage

On "backup"

(logged in as draal)

• ssh-keygen
• ssh-copy-id draal@storage
• sudo apt install acl rsync
• sudo setfacl -R -m u:draal:rwx /mnt/Storage

Testing rsync commands

In order to test things, I've basically dumped a copy of my Documents folder into /mnt/Storage on the storage LXC. This is around 25GB of incredibley mixed & sloppy crap varying from zero-length placeholders to USB binaries...

Everything from here on is done while logged in to storage as draal.

• cd /mnt/Storage
• rsync -Aaiz * backup:/mnt/Storage
  • copies all files to the backup machine
    • Took about 7 minutes... (measured by wrapping the command in a time command)
  • (& if you run it again, only copies NEW or CHANGED files)
    • Every change I made took substantially under 1 second...
• rsync -Aaiz --delete * backup:/mnt/Storage
  • Will actually synchronize. (i.e. It will DELETE any files from the destination that have been removed on the source.)
  • DANGER...DANGER...DANGER
    • This may NOT be exactly what you want to do in a backup situation.
    • (But it might... Your choice...)

Custom LXC Templates

• Create an LXC
  • My example is an NFS capable LXC with VMID 666...
• Configure it
  • Install your preferred standard set of apps & such...

From the PVE command line:

• remove the network interface
  • pct set 666 --delete net0
• Do a backup (Gonna need a bunch of available space)
  • vzdump 666 --mode stop --compress zstd --dumpdir .
• Rename the backup to a more useful name
  • mv vzdump-lxc-666-2025_02_04-14_19_43.tar.zst Deb-12-NFS.tar.zst
• Copy it to someplace you can access it from the PVE UI
  • Option 1: For direct Upload (Some oddities happen... More research needed)
    • scp Deb-12-NFS.tar.zst user@mydesktopmachine:~
  • Option 2: For Download from URL
    • scp Deb-12-NFS.tar.zst user@mywebserver:/var/www/html/LXCtemplates/

Now you can add it to your CT Templates storage on any PVE server you're working on.