85 lines
4.7 KiB
Markdown
85 lines
4.7 KiB
Markdown
# TrueNAS pveuser + Proxmox Storage Integration Chart — 2026-06-02
|
|
|
|
**TrueNAS:** beelink-tns (192.168.16.254) | **Proxmox:** mk33 (192.168.7.33)
|
|
|
|
---
|
|
|
|
## TrueNAS Changes: New User `pveuser`
|
|
|
|
| Property | Value |
|
|
|----------|-------|
|
|
| **Username** | `pveuser` |
|
|
| **UID** | 3003 |
|
|
| **GID** | 3003 |
|
|
| **Home** | `/var/empty` |
|
|
| **Shell** | `/usr/sbin/nologin` |
|
|
| **SMB** | Disabled |
|
|
| **Password** | Disabled (SSH key only) |
|
|
| **Groups** | `src` (GID 40) |
|
|
| **Role** | FULL_ADMIN (TrueNAS API role) |
|
|
|
|
## TrueNAS Changes: NFS ACL Permissions
|
|
|
|
| Dataset | Path | pveuser | Other Users | TrueNAS Permission |
|
|
|---------|------|---------|-------------|-------------------|
|
|
| **Backup** | `/mnt/Ice/Backup` | FULL_CONTROL | owner@, group@ | rw |
|
|
| **ISOs** | `/mnt/Ice/ISOs` | READ | owner@, group@ | r |
|
|
| **Repo** | `/mnt/Ice/Repo` | FULL_CONTROL | owner@, group@ | rw |
|
|
| Archive | `/mnt/Ice/Archive` | — | owner@, group@ | (not mapped) |
|
|
|
|
> **Important:** `ISOs/template` and `ISOs/template/iso` also received `everyone@ TRAVERSE` so the TrueNAS API user (`jarvis`) can manage child directories during ACL operations. This is a metadata-only change and does not affect file access.
|
|
|
|
## TrueNAS Changes: NFS Maproot (All Shares)
|
|
|
|
| Share ID | Path | Previous Maproot | New Maproot |
|
|
|----------|------|-----------------|---------|
|
|
| 1 | `/mnt/Ice/Archive` | `nobody` | `pveuser` |
|
|
| 2 | `/mnt/Ice/Backup` | `nobody` | `pveuser` |
|
|
| 3 | `/mnt/Ice/ISOs` | `nobody` | `pveuser` |
|
|
| 6 | `/mnt/Ice/Repo` | `nobody` | `pveuser` |
|
|
| 7 | `/mnt/Ice/Backup/proxmox-pool/ds-mp-share` | (empty) | `pveuser` |
|
|
| 8 | `/mnt/Ice/Backup/proxmox-pool/pve-ct-stor` | (empty) | `pveuser` |
|
|
| 9 | `/mnt/Ice/Backup/proxmox-pool/pve-vm-stor` | (empty) | `pveuser` |
|
|
|
|
> **Note:** Maproot remaps ALL incoming NFS root (UID 0) requests to `pveuser` (UID 3003) on TrueNAS. Any root client (e.g., Proxmox mk33) accessing these shares will appear as `pveuser` on the TrueNAS filesystem, enforcing the ACL permissions above.
|
|
|
|
## Proxmox Storage Configuration (mk33)
|
|
|
|
| Storage ID | Type | Server | Export | Content | Options | Status |
|
|
|------------|------|--------|--------|---------|---------|--------|
|
|
| `nas-backup` | NFS | 192.168.16.254 | `/mnt/Ice/Backup` | backup, images, rootdir, snippets, vztmpl | vers=4.2,proto=tcp | ✅ active |
|
|
| `nas-iso` | NFS | 192.168.16.254 | `/mnt/Ice/ISOs` | iso | vers=4.2,proto=tcp | ✅ active (read-only by design, ACL enforced) |
|
|
| `nas-repo` | NFS | 192.168.16.254 | `/mnt/Ice/Repo` | snippets | vers=4.2,proto=tcp | ✅ active |
|
|
| `nas-ds-mp-share` | NFS | 192.168.16.254 | `/mnt/Ice/Backup/proxmox-pool/ds-mp-share` | images, rootdir | vers=4.2,proto=tcp | ✅ active |
|
|
| `nas-ct-stor` | NFS | 192.168.16.254 | `/mnt/Ice/Backup/proxmox-pool/pve-ct-stor` | rootdir | vers=4.2,proto=tcp | ✅ active |
|
|
| `nas-vm-stor` | NFS | 192.168.16.254 | `/mnt/Ice/Backup/proxmox-pool/pve-vm-stor` | images | vers=4.2,proto=tcp | ✅ active |
|
|
|
|
## PVE Access Verification
|
|
|
|
| Mount Point | Writable? | Expected? |
|
|
|-------------|-----------|-----------|
|
|
| `/mnt/pve/nas-backup` | ✅ Yes | Yes (FULL_CONTROL) |
|
|
| `/mnt/pve/nas-iso` | ❌ Read-only | Yes (READ via ACL) |
|
|
| `/mnt/pve/nas-repo` | ✅ Yes | Yes (FULL_CONTROL) |
|
|
| `/mnt/pve/nas-vm-stor` | ✅ Yes | Yes (Proxmox pool) |
|
|
| `/mnt/pve/nas-ct-stor` | ✅ Yes | Yes (Proxmox pool) |
|
|
| `/mnt/pve/nas-ds-mp-share` | ✅ Yes | Yes (Proxmox pool) |
|
|
|
|
## Diagnostic Notes
|
|
|
|
- `nas-iso` is **active** and read-only by design. Proxmox `content iso` means it only needs to read existing ISO files — no write is expected. No local `pveuser` account exists on mk33; the user mapping is handled entirely by TrueNAS NFS `maproot_user`.
|
|
- `nas-repo` is **active** and writable. `pveuser` has `FULL_CONTROL` on `/mnt/Ice/Repo`.
|
|
- All NFS exports restricted to `192.168.0.0/18` (enforced during prior hardening).
|
|
- TrueNAS API v2.0 (`filesystem.setacl`) uses `dacl` field in SCALE 25.10.2 — earlier versions used `acl`. This was discovered during troubleshooting job 47396.
|
|
- `everyone@ TRAVERSE` was added to `ISOs/template` and `ISOs/template/iso` to allow the TrueNAS API user (`jarvis`) to manage child directories during ACL operations.
|
|
|
|
## Recommendations
|
|
|
|
1. **ISO uploads**: Since `nas-iso` is read-only from PVE's perspective, upload new ISOs directly to TrueNAS (SFTP/SCP to `/mnt/Ice/ISOs/template/iso/`) or via the TrueNAS web UI.
|
|
2. **Monitor mount health**: If TrueNAS reboots, PVE auto-reconnects on next storage access. For immediate recovery, run `pvesm status` or restart `pvedaemon`.
|
|
3. **Backup SMB access-based enum**: Still blocked by API due to child dataset `proxmox-pool` ACL type mismatch. If required, fix manually via TrueNAS UI.
|
|
|
|
---
|
|
|
|
*Generated: 2026-06-02 | Updated: 2026-06-02*
|