documentation/audits/2026-06-02-truenas-pveuser-proxmox-integration.md

# TrueNAS pveuser + Proxmox Storage Integration Chart — 2026-06-02

TrueNAS: beelink-tns (192.168.16.254) | Proxmox: mk33 (192.168.7.33)


## TrueNAS Changes: New User pveuser

| Property | Value |
|---|---|
| Username | pveuser |
| UID | 3003 |
| GID | 3003 |
| Home | /var/empty |
| Shell | /usr/sbin/nologin |
| SMB | Disabled |
| Password | Disabled (SSH key only) |
| Groups | src (GID 40) |
| Role | FULL_ADMIN (TrueNAS API role) |

## TrueNAS Changes: NFS ACL Permissions

| Dataset | Path | pveuser | Other Users | TrueNAS Permission |
|---|---|---|---|---|
| Backup | /mnt/Ice/Backup | FULL_CONTROL | owner@, group@ | rw |
| ISOs | /mnt/Ice/ISOs | READ | owner@, group@ | r |
| Repo | /mnt/Ice/Repo | FULL_CONTROL | owner@, group@ | rw |
| Archive | /mnt/Ice/Archive | | owner@, group@ | (not mapped) |

Important: ISOs/template and ISOs/template/iso also received everyone@ TRAVERSE so the TrueNAS API user (jarvis) can manage child directories during ACL operations. This is a metadata-only change and does not affect file access.

## TrueNAS Changes: NFS Maproot (All Shares)

| Share ID | Path | Previous Maproot | New Maproot |
|---|---|---|---|
| 1 | /mnt/Ice/Archive | nobody | pveuser |
| 2 | /mnt/Ice/Backup | nobody | pveuser |
| 3 | /mnt/Ice/ISOs | nobody | pveuser |
| 6 | /mnt/Ice/Repo | nobody | pveuser |
| 7 | /mnt/Ice/Backup/proxmox-pool/ds-mp-share | (empty) | pveuser |
| 8 | /mnt/Ice/Backup/proxmox-pool/pve-ct-stor | (empty) | pveuser |
| 9 | /mnt/Ice/Backup/proxmox-pool/pve-vm-stor | (empty) | pveuser |

Note: Maproot remaps ALL incoming NFS root (UID 0) requests to pveuser (UID 3003) on TrueNAS. Any root client (e.g., Proxmox mk33) accessing these shares will appear as pveuser on the TrueNAS filesystem, enforcing the ACL permissions above.

## Proxmox Storage Configuration (mk33)

| Storage ID | Type | Server | Export | Content | Options | Status |
|---|---|---|---|---|---|---|
| nas-backup | NFS | 192.168.16.254 | /mnt/Ice/Backup | backup, images, rootdir, snippets, vztmpl | vers=4.2,proto=tcp | active |
| nas-iso | NFS | 192.168.16.254 | /mnt/Ice/ISOs | iso | vers=4.2,proto=tcp | active (read-only by design, ACL enforced) |
| nas-repo | NFS | 192.168.16.254 | /mnt/Ice/Repo | snippets | vers=4.2,proto=tcp | active |
| nas-ds-mp-share | NFS | 192.168.16.254 | /mnt/Ice/Backup/proxmox-pool/ds-mp-share | images, rootdir | vers=4.2,proto=tcp | active |
| nas-ct-stor | NFS | 192.168.16.254 | /mnt/Ice/Backup/proxmox-pool/pve-ct-stor | rootdir | vers=4.2,proto=tcp | active |
| nas-vm-stor | NFS | 192.168.16.254 | /mnt/Ice/Backup/proxmox-pool/pve-vm-stor | images | vers=4.2,proto=tcp | active |

## PVE Access Verification

| Mount Point | Writable? | Expected? |
|---|---|---|
| /mnt/pve/nas-backup | Yes | Yes (FULL_CONTROL) |
| /mnt/pve/nas-iso | Read-only | Yes (READ via ACL) |
| /mnt/pve/nas-repo | Yes | Yes (FULL_CONTROL) |
| /mnt/pve/nas-vm-stor | Yes | Yes (Proxmox pool) |
| /mnt/pve/nas-ct-stor | Yes | Yes (Proxmox pool) |
| /mnt/pve/nas-ds-mp-share | Yes | Yes (Proxmox pool) |
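
The table above records a one-off manual check. The script below is added here and is not part of the audit or of any Proxmox/TrueNAS tooling: it re-runs the same verification from mk33 (mount options, writability per mount) and additionally confirms that maproot is taking effect by checking that a file created by root is owned by UID 3003 on the export. The file name `verify-nas-mounts.sh` and the assumption of `sec=sys` with numeric IDs on the wire are mine.

```bash
#!/usr/bin/env bash
# Added verification script, not part of the audit. From the PVE host it re-checks
# each NFS storage against the chart: (1) options carry vers=4.2 and proto=tcp,
# (2) writability matches the "PVE Access Verification" table, (3) maproot really
# squashes root: a file created by root on PVE must be owned by pveuser (UID 3003).
# Assumes sec=sys with numeric IDs on the wire (NFSv4 idmapping could show nobody).

PVEUSER_UID=3003    # from the "New User pveuser" table
# Expected state transcribed from the chart: mountpoint:writable(yes|no)
EXPECTED='/mnt/pve/nas-backup:yes
/mnt/pve/nas-iso:no
/mnt/pve/nas-repo:yes
/mnt/pve/nas-vm-stor:yes
/mnt/pve/nas-ct-stor:yes
/mnt/pve/nas-ds-mp-share:yes'

# opts_ok "<mount option string>": true only if vers=4.2 AND proto=tcp are present
opts_ok() {
    case ",$1," in *,vers=4.2,*) ;; *) return 1 ;; esac
    case ",$1," in *,proto=tcp,*) ;; *) return 1 ;; esac
}

# probe_write DIR yes|no EXPECTED_UID: create a probe file in DIR and compare with
# the expectation. "no" holds only when creation fails; "yes" holds only when it
# succeeds AND the file is owned by EXPECTED_UID (the identity after maproot).
probe_write() {
    local dir=$1 want=$2 uid=$3 probe owner
    probe="$dir/.pve-maproot-probe.$$"
    if ! ( : > "$probe" ) 2>/dev/null; then
        [ "$want" = no ]; return
    fi
    owner=$(stat -c %u "$probe"); rm -f "$probe"
    [ "$want" = yes ] && [ "$owner" = "$uid" ]
}

# verify_all: read live options with findmnt and probe every expected mount;
# returns non-zero if any storage deviates from the chart
verify_all() {
    local rc=0 mp want opts
    while IFS=: read -r mp want; do
        opts=$(findmnt -no OPTIONS "$mp" 2>/dev/null) || { echo "MISSING  $mp (not mounted)"; rc=1; continue; }
        opts_ok "$opts" || { echo "BAD-OPTS $mp ($opts)"; rc=1; continue; }
        probe_write "$mp" "$want" "$PVEUSER_UID" \
            || { echo "MISMATCH $mp (expected writable=$want, owner uid $PVEUSER_UID)"; rc=1; continue; }
        echo "OK       $mp"
    done <<< "$EXPECTED"
    return "$rc"
}

if [ "${1-}" = "--run" ]; then verify_all; fi   # ./verify-nas-mounts.sh --run
```

A MISMATCH on a mount expected to be writable means either the ACL does not grant pveuser write access or the probe file is not owned by 3003, i.e. maproot is not being applied as the chart states.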

## Diagnostic Notes

- nas-iso is active and read-only by design. Proxmox content type `iso` only needs to read existing ISO files, so no write is expected.
- No local pveuser account exists on mk33; the user mapping is handled entirely by TrueNAS NFS `maproot_user`.
- nas-repo is active and writable. pveuser has FULL_CONTROL on /mnt/Ice/Repo.
- All NFS exports are restricted to 192.168.0.0/18 (enforced during prior hardening).
- TrueNAS API v2.0 (`filesystem.setacl`) uses the `dacl` field in SCALE 25.10.2; earlier versions used `acl`. This was discovered while troubleshooting job 47396.
- everyone@ TRAVERSE was added to ISOs/template and ISOs/template/iso to allow the TrueNAS API user (jarvis) to manage child directories during ACL operations.

## Recommendations

1. ISO uploads: since nas-iso is read-only from PVE's perspective, upload new ISOs directly to TrueNAS (SFTP/SCP to /mnt/Ice/ISOs/template/iso/) or via the TrueNAS web UI.
2. Monitor mount health: if TrueNAS reboots, PVE reconnects automatically on the next storage access. For immediate recovery, run `pvesm status` or restart `pvedaemon`.
3. Backup SMB access-based enumeration: still blocked via the API because the child dataset proxmox-pool has a mismatched ACL type. If required, fix it manually via the TrueNAS UI.

Generated: 2026-06-02 | Updated: 2026-06-02