Host-based backup of KVM-based VMs (Red Hat Virtualization, Oracle Linux Virtualization Manager and Proxmox VE)
Post Reply
rjoensen
Novice
Posts: 3
Liked: 3 times
Joined: Sep 03, 2024 4:02 am
Contact:

VBR & Proxmox (root?)

Post by rjoensen » 1 person likes this post

Hello,

I see people talking about a user with root privileges is required when you setup VBR and Proxmox, this indicates that you should (possibly?) be able to setup a different user, say veeambackup, and use that. But I have yet to be able to do that.

I haven't tested a UID0 yet, because thats just bad practice.

So, question is, is the root user absolutely necessary? Or is there another way?
rovshan.pashayev
Veeam Software
Posts: 422
Liked: 88 times
Joined: Jul 03, 2023 12:44 pm
Full Name: Rovshan Pashayev
Location: Czechia
Contact:

Re: VBR & Proxmox (root?)

Post by rovshan.pashayev » 3 people like this post

Hello,

Yes, root user is necessary.
Rovshan Pashayev
Analyst
Veeam Agent for Linux, Mac, AIX & Solaris
rjoensen
Novice
Posts: 3
Liked: 3 times
Joined: Sep 03, 2024 4:02 am
Contact:

Re: VBR & Proxmox (root?)

Post by rjoensen » 2 people like this post

Hello,

Nobody sees a security concern with using root and requiring it as SSH? Shouldn't this be implemented as another username (self-selected) and then utilizing something like sudo?

Using root hasn't been a good idea for decades?

I am a little confused by this decision.
PTide
Product Manager
Posts: 6535
Liked: 762 times
Joined: May 19, 2015 1:46 pm
Contact:

Re: VBR & Proxmox (root?)

Post by PTide » 2 people like this post

Hi,

We, too, would prefer to use a non-root account, and we are working towards resolving this situation.

One of the reasons why it works that way is that we interact with PVE via its API. As a result, things that we can or cannot do with the host under a certain account depend on the platform API's capabilities.

Besides, a service that is capable of doing all the stuff that is required to perfrom a proper backup is by definition already mighty enough to wreak havoc if compromised (even without root privileges).

Thanks!
matthydras1
Lurker
Posts: 2
Liked: 4 times
Joined: Dec 05, 2019 9:58 am
Full Name: Matt Hydras
Contact:

Re: VBR & Proxmox (root?)

Post by matthydras1 »

Hello PTide,

In fact I have meet the "problem" as rjoensen because I try to implement the same security as him.
As I can understand, the user root usage is due to some restrictions from Proxmox API more than Veeam BR solution that'is it ?

BR

Matt
Gostev
Chief Product Officer
Posts: 31712
Liked: 7217 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: VBR & Proxmox (root?)

Post by Gostev » 1 person likes this post

No, it's purely due to lack of time in the extremely short release cycle we had for v1. We will add support for specifying other accounts with sudo for required operations in the future updates.
rjoensen
Novice
Posts: 3
Liked: 3 times
Joined: Sep 03, 2024 4:02 am
Contact:

Re: VBR & Proxmox (root?)

Post by rjoensen »

> Besides, a service that is capable of doing all the stuff that is required to perfrom a proper backup is by definition already mighty enough to wreak havoc if compromised (even without root privileges).

This is also a concern that you have to be vigilant about, but, my concern is more related to using the "root" user. Veeam uses SSH, so you have to enable password auth if you want this to work, where you might have previously disabled password for root or password entirely for SSH.

> No, it's purely due to lack of time in the extremely short release cycle we had for v1. We will add support for specifying other accounts with sudo for required operations in the future updates.

I was hoping that this was the case and thank you for confirming it. Super happy to hear that there are intentions to make this more secure. I was worried though, because if I remember correctly, when you used ESXi, you had to also use the root user, it wasn't until you had vCenter as well where you could use a different user.

Cheers,
Ragnar
Gostev
Chief Product Officer
Posts: 31712
Liked: 7217 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: VBR & Proxmox (root?)

Post by Gostev »

For direct ESX connection we supported the desired approach literally since v1. So the capability to interact with Linux servers like that has been in the product forever. The only problem is that the current version of our platform extensibility SDK used to add support for all new hypervisors is unable to handle such advanced Linux credential types yet, but only basic credentials.
matthydras1
Lurker
Posts: 2
Liked: 4 times
Joined: Dec 05, 2019 9:58 am
Full Name: Matt Hydras
Contact:

Re: VBR & Proxmox (root?)

Post by matthydras1 » 4 people like this post

Gostev wrote: Sep 05, 2024 6:42 pm No, it's purely due to lack of time in the extremely short release cycle we had for v1. We will add support for specifying other accounts with sudo for required operations in the future updates.
Hello

For a v1 and for the timing of this update, all the Veeam teams could be proud about the job which have been done
vitami
Novice
Posts: 7
Liked: never
Joined: Oct 28, 2021 2:30 pm
Contact:

Re: VBR & Proxmox (root?)

Post by vitami »

Gostev wrote: Sep 05, 2024 6:42 pm No, it's purely due to lack of time in the extremely short release cycle we had for v1. We will add support for specifying other accounts with sudo for required operations in the future updates.
Is there an ETA for anything but basic auth? Like this year or next? I could live with root using a cert for auth but as it is we'll probably rollout the agent.
Don't get me wrong, I fully understand the short release and am grateful Veeam is supporting proxmox.
Gostev
Chief Product Officer
Posts: 31712
Liked: 7217 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: VBR & Proxmox (root?)

Post by Gostev »

We were hoping to include this into the immediate minor update before the end of this year, but ran into some issues on the Proxmox side where some API endpoints require root specifically to interact with. We have submitted a feature request to Proxmox developers asking to solve this. @PTide could you share the Proxmox R&D forum thread please? As added pressure from end users might help.
PTide
Product Manager
Posts: 6535
Liked: 762 times
Joined: May 19, 2015 1:46 pm
Contact:

Re: VBR & Proxmox (root?)

Post by PTide » 1 person likes this post

Hi,

So, here is the item on the bug tracker that is aimed to address this exact issue of having to use root for certain actions in Proxmox VE API.

And here are some links:

root or not root
api limitations to root pam
disable root account

Thanks!
Gostev
Chief Product Officer
Posts: 31712
Liked: 7217 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: VBR & Proxmox (root?)

Post by Gostev »

Looking at the bug creation date and the age of those topics this does not look too promising...
PTide
Product Manager
Posts: 6535
Liked: 762 times
Joined: May 19, 2015 1:46 pm
Contact:

Re: VBR & Proxmox (root?)

Post by PTide » 1 person likes this post

Proxmox developers have replied that a patch series had been proposed, but the implementation was not finished. Since the developer who was responsible for this particular feature has left the company, nobody else has picked up work on the series yet. I am in contact with the Proxmox devs regarding this item.
vitami
Novice
Posts: 7
Liked: never
Joined: Oct 28, 2021 2:30 pm
Contact:

Re: VBR & Proxmox (root?)

Post by vitami »

Thanks for the replies, any chance we can get private key authentication to work for root @ proxmox? This would relax the situation immensely.
rovshan.pashayev
Veeam Software
Posts: 422
Liked: 88 times
Joined: Jul 03, 2023 12:44 pm
Full Name: Rovshan Pashayev
Location: Czechia
Contact:

Re: VBR & Proxmox (root?)

Post by rovshan.pashayev » 1 person likes this post

Hello,

Private key authentication is planned to be supported in future releases (however, not in the next one).

There are also some limitations on the Proxmox API side that have yet to deal with. We are in contact with Proxmox R&D, so eventually we will sort this out,

Thanks!
Rovshan Pashayev
Analyst
Veeam Agent for Linux, Mac, AIX & Solaris
Post Reply

Who is online

Users browsing this forum: No registered users and 1 guest