Setup PUSH-sync on Proxmox Backup Server

Since Proxmox Backup Server 3.3 the option for "Push sync" was introduced. To make it easier to sync local back-ups to an offsite location (Tuxis PBS) you can now push your back-ups to any remote PBS.

To create a push-job you need the following information:

1. Log-in credentials for both PBS sites. *See note below*
2. Hostname / IP Address of both locations
3. Fingerprint for your PBS (if not secured by SSL)

How to set up the push-sync:

1. Log in to your PBS environment
2. Head to "Configuration > Remotes"
3. Click on the "Add button", add your 2nd off-site PBS as remote location.

   
   
   

4. Fill in all required information needed to add this remote.
   - Remote ID            | Any name will suffice.
   - Host                       |  IP / FQDN for off-site location
   - Auth ID                  | (user @ realm)
   - Password            
   - Fingerprint           | Only when not secured by SSL
   - Comment              | Optional, used for internal documentation
   
   
   
   
5. Head over to your datastore located at the bottom left of the screen under the category "Datastores".
6. Click on the "Sync jobs" button located at the upper part of your screen
   
   
   
7. Click on "Add" then select "Add Push Sync Job"
   
   
   
8. Fill in all required information necessary to start the sync. This includes the following:
   - Local namespace          | Optional, standard is always root (all).
   - Local user*                     | Local user that has the required permissions, see note for extra information.
   - Sync schedule                | How often this sync job runs.
   - Rate limit                        | Limit how much bandwidth this job can use.
   - Target Remote               | Select the remote you previously created.
   - Target Datastore           | Select the datastore in which you want the local back-ups to sync towards.
   - Target Namespace        | Optional, standard is always root.
   - Max depth                       | Optional, standard is "Full".
   - Remove vanished          | Remove back-ups from remote source if deleted from local source, default false.
   
   
   
9. Start a sync to check if there are no problems, click the "Show log" button to verify this.
   

Note:

We suggest creating a API Token on both sides of the PBS that uses the "least rights principal".  This way you mitigate the risk of getting back-ups deleted from a breach.
The user should have the following permissions set to function properly (Source: Proxmox documentation):

• Remote.Audit on /remote/{remote} and Remote.DatastoreBackup on /remote/{remote}/{remote-store}/{remote-ns} path or subnamespace.

• At least Datastore.Read and Datastore.Audit on the local source datastore namespace (/datastore/{store}/{ns}) or Datastore.Backup if owner of the sync job.

• Remote.DatastorePrune on /remote/{remote}/{remote-store}/{remote-ns} path to remove vanished snapshots and groups. Make sure to use a dedicated remote for each sync job in push direction as noted above.

• Remote.DatastoreModify on /remote/{remote}/{remote-store}/{remote-ns} path to remove vanished namespaces. A remote user with limited access should be used on the remote backup server instance.

Consider the implications as noted below:

Remote.DatastoreModify will allow to remove whole namespaces on the remote target datastore, independent of ownership. Make sure the user as configured in remote.cfg has limited permissions on the remote side.