Syncoid over ssh without root

I am trying to follow the advice from here for zfs replication, but using syncoid (following the commands from here). But it looks like the syncoid script has a sudo command in the zfs receive. I think this is because on the receiving end, I am not using a root user, so it inserts a $sudocmd (syncoid line 233). This makes it prompt for a password.

How can I use syncoid without a root user on the receiving end? The user I am sshing into already has the zfs allow for the things necessary.

2 Likes

Ha. Nevermind. I just didn’t read far enough down the page. The answer is clearly to give --no-privilege-elevation to syncoid.

I still get some cannot rollback errors even though I set them to not mount on the destination.

1 Like

Just mind you that on Linux, you cannot mount and unmount volumes, as this requires superuser rights.

I wrote about this (and the --no-privilege-elevation option) in the HOWTO I posted to ‘that old space’ 3 years ago.

2 Likes

If you’re getting rollback errors, you may be using an elderly version of syncoid. I originally wrote it to forcibly roll back the target to the most recent common snapshot, but around the same time I wrote that delegated replication guide you’re working from at Klara, I changed the behavior to use zfs receive -F without the explicit rollback, since that way I wouldn’t need to grant the rollback permission to the receiving user.

At some point in the near future, we’re also looking to replace the --no-privilege-elevation flag, for similar reasons. Make that the default behavior, with a new (not yet implemented) flag like --use-sudo-elevation for those who need that behavior to explicitly request it.

2 Likes

The following seems to be working for me. I added a backup user on both my backup server (which automatically boots on a schedule via bios, then takes backups, then shuts down again) and the hosts being backed up, then added sudoers files in /etc/sudoers.d/ with minor differences between backup server and clients.

On both:

Cmnd_Alias ZFS_COMANDS = /usr/bin/zfs send *, /usr/bin/zfs get *, /usr/bin/zfs set *, /usr/bin/zfs list *, /usr/bin/zfs destroy *, /usr/bin/zfs snapshot *, /usr/bin/zfs rollback *, /usr/bin/zfs hold *, /usr/bin/zfs release *, /usr/bin/zfs bookmark *

On clients:

_backups ALL=(root) NOPASSWD: ZFS_COMANDS

On the backup server:

_backups ALL=(root) NOPASSWD: ZFS_COMANDS, /usr/bin/zfs receive *, /usr/bin/zfs create *, /usr/sbin/sanoid *, /usr/sbin/poweroff

Edit: spelling

2 Likes