Update pveuser integration chart - both nas-iso and nas-repo now active (2026-06-02)

This commit is contained in:
F.R.I.D.A.Y.
2026-06-02 14:01:21 -04:00
parent 75b0bd8f8d
commit 0962ea5cad


@@ -24,8 +24,10 @@
|---------|------|---------|-------------|-------------------|
| **Backup** | `/mnt/Ice/Backup` | FULL_CONTROL | owner@, group@ | rw |
| **ISOs** | `/mnt/Ice/ISOs` | READ | owner@, group@ | r |
| **Repo** | `/mnt/Ice/Repo` | FULL_CONTROL | owner@, group@ | rw |
| Archive | `/mnt/Ice/Archive` | — | owner@, group@ | (not mapped) |
| Repo | `/mnt/Ice/Repo` | — | owner@, group@ | (not mapped) |
> **Important:** `ISOs/template` and `ISOs/template/iso` also received `everyone@ TRAVERSE` so the TrueNAS API user (`jarvis`) can manage child directories during ACL operations. This is a metadata-only change and does not affect file access.
## TrueNAS Changes: NFS Maproot (All Shares)
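Review bot: the hunk leaves two `Repo` rows in the ACL chart, one reading `FULL_CONTROL ... rw` and one reading `— ... (not mapped)`; the stale `(not mapped)` row should go so the table does not contradict itself. The `> **Important:**` callout also understates the `everyone@ TRAVERSE` change: traverse on a directory lets any principal pass through it to children whose own ACL permits access, so describe it as "directory traverse only (no listing, child ACLs still govern)" rather than "does not affect file access", and record it as rows for `ISOs/template` and `ISOs/template/iso` in the ACL table itself instead of only in a callout.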
@@ -46,8 +48,8 @@
| Storage ID | Type | Server | Export | Content | Options | Status |
|------------|------|--------|--------|---------|---------|--------|
| `nas-backup` | NFS | 192.168.16.254 | `/mnt/Ice/Backup` | backup, images, rootdir, snippets, vztmpl | vers=4.2,proto=tcp | ✅ active |
| `nas-iso` | NFS | 192.168.16.254 | `/mnt/Ice/ISOs` | iso, vztmpl | vers=4.2,proto=tcp | ⚠️ inactive (read-only, PVE cannot create content dirs) |
| `nas-repo` | NFS | 192.168.16.254 | `/mnt/Ice/Repo` | snippets | vers=4.2,proto=tcp | ⚠️ inactive (permission) |
| `nas-iso` | NFS | 192.168.16.254 | `/mnt/Ice/ISOs` | iso | vers=4.2,proto=tcp | active (read-only by design, ACL enforced) |
| `nas-repo` | NFS | 192.168.16.254 | `/mnt/Ice/Repo` | snippets | vers=4.2,proto=tcp | active |
| `nas-ds-mp-share` | NFS | 192.168.16.254 | `/mnt/Ice/Backup/proxmox-pool/ds-mp-share` | images, rootdir | vers=4.2,proto=tcp | ✅ active |
| `nas-ct-stor` | NFS | 192.168.16.254 | `/mnt/Ice/Backup/proxmox-pool/pve-ct-stor` | rootdir | vers=4.2,proto=tcp | ✅ active |
| `nas-vm-stor` | NFS | 192.168.16.254 | `/mnt/Ice/Backup/proxmox-pool/pve-vm-stor` | images | vers=4.2,proto=tcp | ✅ active |
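Review bot: the replacement `nas-iso` and `nas-repo` rows drop the ✅ marker every other active row uses, so the Status column is no longer scannable at a glance; match the convention. The `nas-iso` Content column also shrinks from `iso, vztmpl` to `iso` with no explanation; state that `vztmpl` was removed because the share is read-only from PVE (as the new Status text says), otherwise the next reader will treat it as an accidental edit.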
@@ -57,24 +59,26 @@
| Mount Point | Writable? | Expected? |
|-------------|-----------|-----------|
| `/mnt/pve/nas-backup` | ✅ Yes | Yes (FULL_CONTROL) |
| `/mnt/pve/nas-iso` | ❌ Read-only | Yes (READ via ACL + NFS mount) |
| `/mnt/pve/nas-iso` | ❌ Read-only | Yes (READ via ACL) |
| `/mnt/pve/nas-repo` | ✅ Yes | Yes (FULL_CONTROL) |
| `/mnt/pve/nas-vm-stor` | ✅ Yes | Yes (Proxmox pool) |
| `/mnt/pve/nas-ct-stor` | ✅ Yes | Yes (Proxmox pool) |
| `/mnt/pve/nas-ds-mp-share` | ✅ Yes | Yes (Proxmox pool) |
## Notes
## Diagnostic Notes
- `nas-iso` shows `inactive` in `pvesm status` because Proxmox tries to create `/mnt/pve/nas-iso/template/iso` on activation and fails (ACL READ only). The mount is still present and usable for ISO uploads/downloads — just not as a content-managed Proxmox storage.
- `nas-repo` shows `inactive` for similar reasons — Repo has no `pveuser` WRITE access in its ACL. Add `pveuser` to Repo ACL if snippets need to be writable from PVE.
- No local `pveuser` account exists on mk33. The user mapping is handled entirely by NFS `maproot_user` on TrueNAS.
- All NFS exports restricted to `192.168.0.0/18` (done in prior hardening).
- `nas-iso` is **active** and read-only by design. Proxmox `content iso` means it only needs to read existing ISO files — no write is expected. No local `pveuser` account exists on mk33; the user mapping is handled entirely by TrueNAS NFS `maproot_user`.
- `nas-repo` is **active** and writable. `pveuser` has `FULL_CONTROL` on `/mnt/Ice/Repo`.
- All NFS exports restricted to `192.168.0.0/18` (enforced during prior hardening).
- TrueNAS API v2.0 (`filesystem.setacl`) uses `dacl` field in SCALE 25.10.2 — earlier versions used `acl`. This was discovered during troubleshooting job 47396.
- `everyone@ TRAVERSE` was added to `ISOs/template` and `ISOs/template/iso` to allow the TrueNAS API user (`jarvis`) to manage child directories during ACL operations.
## Recommendations
1. **ISOs as managed storage**: If you want Proxmox to manage ISOs (upload via UI), remove the ACL READ-only restriction and set `pveuser` READ on ISOs, or use the Proxmox `local` storage for ISO staging and copy to `nas-iso` manually.
2. **Repo snippets**: Add `pveuser` FULL_CONTROL to `/mnt/Ice/Repo` if you need to store Proxmox snippets there.
3. **Monitor mount health**: If TrueNAS reboots, PVE will auto-reconnect on next storage access. For immediate recovery, run `pvesm status` or restart `pvedaemon`.
1. **ISO uploads**: Since `nas-iso` is read-only from PVE's perspective, upload new ISOs directly to TrueNAS (SFTP/SCP to `/mnt/Ice/ISOs/template/iso/`) or via the TrueNAS web UI.
2. **Monitor mount health**: If TrueNAS reboots, PVE auto-reconnects on next storage access. For immediate recovery, run `pvesm status` or restart `pvedaemon`.
3. **Backup SMB access-based enum**: Still blocked by API due to child dataset `proxmox-pool` ACL type mismatch. If required, fix manually via TrueNAS UI.
---
*Generated: 2026-06-02*
*Generated: 2026-06-02 | Updated: 2026-06-02*
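Review bot: the new `nas-iso` bullet folds "No local `pveuser` account exists on mk33; the user mapping is handled entirely by TrueNAS NFS `maproot_user`" into it, but that mapping fact applies to every share and was its own bullet before; keep it standalone. The `dacl` vs `acl` bullet names SCALE 25.10.2 and job 47396 but not the error the wrong field produced, which is exactly what a future troubleshooter will search for. Recommendation 3 notes that access-based enumeration on the Backup SMB share is still off because of the `proxmox-pool` ACL type mismatch; since that means share browsers can see entries they cannot open, track it as an open hardening item with an owner rather than a "fix manually" aside. Finally, confirm the old `*Generated: 2026-06-02*` footer is removed rather than left alongside the new `Generated | Updated` line.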