Add TrueNAS pveuser + PVE mk33 integration chart - 2026-06-02
80
audits/2026-06-02-truenas-pveuser-proxmox-integration.md
Normal file
@@ -0,0 +1,80 @@
# TrueNAS pveuser + Proxmox Storage Integration Chart — 2026-06-02

**TrueNAS:** beelink-tns (192.168.16.254) | **Proxmox:** mk33 (192.168.7.33)

---

## TrueNAS Changes: New User `pveuser`

| Property | Value |
|----------|-------|
| **Username** | `pveuser` |
| **UID** | 3003 |
| **GID** | 3003 |
| **Home** | `/var/empty` |
| **Shell** | `/usr/sbin/nologin` |
| **SMB** | Disabled |
| **Password** | Disabled (SSH key only) |
| **Groups** | `src` (GID 40) |
| **Role** | FULL_ADMIN (TrueNAS API role) |

## TrueNAS Changes: NFS ACL Permissions

| Dataset | Path | pveuser | Other Users | TrueNAS Permission |
|---------|------|---------|-------------|-------------------|
| **Backup** | `/mnt/Ice/Backup` | FULL_CONTROL | owner@, group@ | rw |
| **ISOs** | `/mnt/Ice/ISOs` | READ | owner@, group@ | r |
| Archive | `/mnt/Ice/Archive` | — | owner@, group@ | (not mapped) |
| Repo | `/mnt/Ice/Repo` | — | owner@, group@ | (not mapped) |

## TrueNAS Changes: NFS Maproot (All Shares)

| Share ID | Path | Previous Maproot | New Maproot |
|----------|------|-----------------|---------|
| 1 | `/mnt/Ice/Archive` | `nobody` | `pveuser` |
| 2 | `/mnt/Ice/Backup` | `nobody` | `pveuser` |
| 3 | `/mnt/Ice/ISOs` | `nobody` | `pveuser` |
| 6 | `/mnt/Ice/Repo` | `nobody` | `pveuser` |
| 7 | `/mnt/Ice/Backup/proxmox-pool/ds-mp-share` | (empty) | `pveuser` |
| 8 | `/mnt/Ice/Backup/proxmox-pool/pve-ct-stor` | (empty) | `pveuser` |
| 9 | `/mnt/Ice/Backup/proxmox-pool/pve-vm-stor` | (empty) | `pveuser` |

> **Note:** Maproot remaps ALL incoming NFS root (UID 0) requests to `pveuser` (UID 3003) on TrueNAS. Any root client (e.g., Proxmox mk33) accessing these shares will appear as `pveuser` on the TrueNAS filesystem, enforcing the ACL permissions above.

## Proxmox Storage Configuration (mk33)

| Storage ID | Type | Server | Export | Content | Options | Status |
|------------|------|--------|--------|---------|---------|--------|
| `nas-backup` | NFS | 192.168.16.254 | `/mnt/Ice/Backup` | backup, images, rootdir, snippets, vztmpl | vers=4.2,proto=tcp | ✅ active |
| `nas-iso` | NFS | 192.168.16.254 | `/mnt/Ice/ISOs` | iso, vztmpl | vers=4.2,proto=tcp | ⚠️ inactive (read-only, PVE cannot create content dirs) |
| `nas-repo` | NFS | 192.168.16.254 | `/mnt/Ice/Repo` | snippets | vers=4.2,proto=tcp | ⚠️ inactive (permission) |
| `nas-ds-mp-share` | NFS | 192.168.16.254 | `/mnt/Ice/Backup/proxmox-pool/ds-mp-share` | images, rootdir | vers=4.2,proto=tcp | ✅ active |
| `nas-ct-stor` | NFS | 192.168.16.254 | `/mnt/Ice/Backup/proxmox-pool/pve-ct-stor` | rootdir | vers=4.2,proto=tcp | ✅ active |
| `nas-vm-stor` | NFS | 192.168.16.254 | `/mnt/Ice/Backup/proxmox-pool/pve-vm-stor` | images | vers=4.2,proto=tcp | ✅ active |

## PVE Access Verification

| Mount Point | Writable? | Expected? |
|-------------|-----------|-----------|
| `/mnt/pve/nas-backup` | ✅ Yes | Yes (FULL_CONTROL) |
| `/mnt/pve/nas-iso` | ❌ Read-only | Yes (READ via ACL + NFS mount) |
| `/mnt/pve/nas-vm-stor` | ✅ Yes | Yes (Proxmox pool) |
| `/mnt/pve/nas-ct-stor` | ✅ Yes | Yes (Proxmox pool) |
| `/mnt/pve/nas-ds-mp-share` | ✅ Yes | Yes (Proxmox pool) |

## Notes

- `nas-iso` shows `inactive` in `pvesm status` because Proxmox tries to create `/mnt/pve/nas-iso/template/iso` on activation and fails (ACL READ only). The mount is still present and usable for ISO uploads/downloads — just not as a content-managed Proxmox storage.
- `nas-repo` shows `inactive` for similar reasons — Repo has no `pveuser` WRITE access in its ACL. Add `pveuser` to Repo ACL if snippets need to be writable from PVE.
- No local `pveuser` account exists on mk33. The user mapping is handled entirely by NFS `maproot_user` on TrueNAS.
- All NFS exports restricted to `192.168.0.0/18` (done in prior hardening).

## Recommendations

1. **ISOs as managed storage**: If you want Proxmox to manage ISOs (upload via UI), remove the ACL READ-only restriction and set `pveuser` READ on ISOs, or use the Proxmox `local` storage for ISO staging and copy to `nas-iso` manually.
2. **Repo snippets**: Add `pveuser` FULL_CONTROL to `/mnt/Ice/Repo` if you need to store Proxmox snippets there.
3. **Monitor mount health**: If TrueNAS reboots, PVE will auto-reconnect on next storage access. For immediate recovery, run `pvesm status` or restart `pvedaemon`.

---

*Generated: 2026-06-02*
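Review bot: least-privilege problem in the `pveuser` table: the account exists only to serve as the NFS `maproot_user` target (the Notes section confirms the mapping is handled entirely on TrueNAS and no client-side account exists), yet it carries the FULL_ADMIN TrueNAS API role, so whoever holds its SSH key gains full administration of the appliance rather than just the mapped datasets. Suggest dropping the API role entirely (or, if the key is needed for API calls, the narrowest read-only role) and adding a one-line justification in the table if FULL_ADMIN is genuinely required. Two smaller points in the same hunk: the `Shell` row says `/usr/sbin/nologin` while `Password` says `Disabled (SSH key only)`, so the document should state what the SSH key is actually for; and Recommendation 1 contradicts itself (`pveuser` already has READ on ISOs, and the `nas-iso` note explains that creating `template/iso` needs write access), so it should name the ACL change actually intended.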