Proxmox Backup Server 3.2 veröffentlicht

Die Enterprise Backuplösung, Proxmox, sichert virtuelle Maschinen und Container und stellt sie wenn nötig wieder her. Die Proxmox Backup Lösung integriert sich nahtlos in Proxmox VE. Nun ist die neue Version 3.2 erschienen die auf Debian 12.5 “Bookworm”, dem neueren Linux Kernel 6.8 und ZFS 2.2 basiert. Zudem wurden einige Fehler behoben und neue Features installiert.

Proxmox Backup Server 3.2 Highlights

• Debian 12.5 but using a newer Linux kernel 6.8
• ZFS 2.2
• Flexible notification system
• Automated installation
• Exclude backup groups from jobs
• Overview of prune and GC jobs
• and much more…

Proxmox Backup Server 3.2 Release Notes

Highlights

• New flexible notification system. Send notifications not only via the local Postfix MTA, but also via authenticated SMTP or to Gotify instances. Flexible notification routing with matcher-based rules to decide which targets receive notifications about which events.
• Support for automated and unattended installation of Proxmox Backup Server. Proxmox Backup Server now ships a tool that prepares a Proxmox Backup Server ISO for automated installation. The prepared ISO retrieves all required settings for automated installation from an answer file. The answer file can be provided directly in the ISO, on an additional disk such as a USB flash drive, or over the network.
• Ability to exclude particular backup groups from sync and tape backup jobs. Group filters already supported including particular backup groups, and now additionally support excluding particular backup groups. This allows more flexibility when defining which backup groups should be synchronized from a remote Proxmox Backup Server or written to tapes.
• Overview of prune and garbage collection jobs of all datastores. A new tab in the datastore summary panel shows defined prune and garbage collection jobs of all datastores. This allows to quickly assess whether all datastores are correctly set up to regularly run important maintenance tasks.
• Support for Active Directory authentication realms. The new Active Directory realm type synchronizes users and groups from a remote Active Directory server. This makes it easier to integrate with existing Enterprise infrastructure.

Changelog Overview

Enhancements in the web interface (GUI)

• Allow managing VLAN network interfaces in the GUI.
• A new “Prune & GC Jobs” tab in the datastore summary panel shows an overview of prune and garbage collection jobs of all datastores (issue 3217).
• The garbage collection job status view now displays the amount of removed, as well as, pending data.
• Allow usernames shorter than 4 characters, as they are already allowed by the backend (issue 4819).
• The datastore summary now handles missing usage information gracefully and avoids logging errors to the console.
• Fix an issue where the node summary page would not display the version of a running foreign kernel (issue 5117).
• Fix an issue where individual entries of the DNS configuration for the system (searchdomain and DNS Servers) could not be deleted via the GUI.
• Fix an issue where creating a new InfluxDB metric server entry would fail if one already exists.
• The context menu of backup snapshots and groups now allows to copy the snapshot or group name to the clipboard (issue 5188).
• Disallow setting an empty schedule for a prune job.
• Various fixes to the sync job overview.
• Fix issues where some edit windows would send API parameters that were not accepted by the backend.
• Fix an issue where the settings window would fail to reset the layout.
• Fix an issue where the GUI used an incorrect language code for Korean, and provide a clean transition for users who still have a cookie with the incorrect language code set.
• Fix xterm.js not loading in certain OS+Browser constellations, for example iOS (issue 5063).
• Fix an issue where the date picker would choose the wrong date after changing to a different month.
• Clarify the confirmation prompt for removing a certificate without a name.
• Fix an issue where edit windows would not be correctly masked while loading.
• Display the end-of-life message as a notice up until three weeks before the end-of-life date, and display it as a warning from that point on.
• Move the “Reset” button for edit windows to an icon-only button in the title bar (issue 5277). This reduces the risk of misclicking and accidentally resetting form data.
• The TFA input field now sets an autocompletion hint for improved compatibility with password managers (issue 5251).
• Improved translations, among others:
  • French
  • German
  • Italian
  • Japanese
  • Korean
  • Simplified Chinese
  • Spanish
  • Traditional Chinese
  • Ukrainian

General backend improvements

• Add a command to proxmox-backup-manager to list the garbage collection job status for all datastores (issue 4723). A similar command already exists for prune and verify jobs.
• Avoid a race condition when logging in with TFA.
• Improve efficiency of the routine that checks whether a block device is a partition.
• Check transitions from/to maintenance modes more strictly for validity. For instance, leaving maintenance mode “delete” should not be allowed, as the datastore may be in an undefined state.
• Group filters for sync jobs and tape backup jobs can now exclude particular backup groups (issue 4315). This allows more flexibility when defining which backup groups should be synchronized or written to tapes. All include filters are processed first, and exclude filters are processed afterwards.
• Improve error reporting when reading the backup group owner fails.
• When uploading a custom certificate, the private key is now optional and defaults to the existing key, similarly to the behavior of Proxmox VE.
• The backend now sends a Connection: upgrade header when upgrading to HTTP/2 (issue 5217). This further improves compatibility with reverse proxies that strictly adhere to RFC 7230, after a fix for issue 4779 shipped with Proxmox Backup Server 3.1 did not fully resolve the issue.
• Add summaries to sync job task logs:
  • Print the number and total size of synchronized chunks, as well as the average transfer rate (issue 5285).
  • Print the number of snapshots and groups that are removed because “remove vanished” is enabled.
• Avoid keeping a reference to datastore files when enabling the offline maintenance mode.
• When creating a datastore, allow reusing an existing directory if it is empty and not a mountpoint.
• Add an option to prune a group asynchronously in a worker task.
• Fix an issue where the total size of a storage would be calculated incorrectly in some edge cases.
• Datastores can now be configured with a notification-mode for a smooth migration to the new notification system. The notification mode determines how notifications for prune, garbage collection, verification and remote/local sync jobs will be sent. The legacy-sendmail mode replicates the previous behavior of sending an email via the local Postfix MTA to a configured user’s email address. This is the default for any existing datastores. The notification-system mode sends notifications exclusively using the new notification system. This is the default for new datastores created via the web UI.

Client improvements

• The new vma-to-pbs tool allows importing Proxmox Virtual Machine Archives (VMA) into Proxmox Backup Server. For backup targets other than Proxmox Backup Server, Proxmox VE creates VM backups in VMA format. With the new tool, these .vma files can be imported into Proxmox Backup Server, where they are made available as regular backup snapshots. For more information, see Import VMA Backups into Proxmox Backup Server.
• Add the delete-groups flag to the namespace deletion command, as it was previously missing.
• Backup creation can now optionally ignore metadata of files for which reading xattrs fails with an E2BIG (issue 4975). Some filesystems, for example ZFS, support xattrs larger than 64 KB. However, such large xattrs are not supported by the Linux kernel, and reading them fails with error E2BIG. Backup creation can now optionally ignore E2BIG errors. This will still back up files with overly large xattrs, but skip their metadata.
• Fix an issue where the connection to a Proxmox Backup Server presenting a certificate signed by a CA not trusted by the client’s host would fail, even if a fingerprint is provided (issue 5248).
• Switch to modern ntfs3g driver for the live-restore image, since it supports more features found in the filesystems of current Windows guests (issue 5259).

Tape backup

• Add a button to the GUI that removes media from the inventory without destroying the data.
• Remove the hard limit on the number of tapes in a media set (issue 5229). The limit was not properly enforced and, if exceeded, blocked access to most functions via API, CLI and GUI. Instead of a partially enforced hard limit, log a task warning if the media set has more than 20 media.
• Work around an issue with some changers that send incomplete responses when querying the element status.
• Add an option that, when enabled, instructs the changer to eject a tape before unloading it (issue 4904). This is required by some tape libraries that do not follow the standards correctly. The new option is named eject-before-unload and can be set manually via API or CLI.
• Increase the tape transfer timeout from 30 seconds to 3 minutes, since most changers take about a minute to complete a slot change.
• Fix an issue where the encryption key of the tape-drive was unloaded too eagerly. Before proxmox-backup-server version 3.1.4-1 the additional tape-specific encryption was disabled. We recommend using the native software-defined client-side encryption for the best security.
• Improve handling of duplicate media label texts:
  • Operations that identify the tape by its label text now throw an error if duplicate label texts are detected.
  • In addition to the label text, tape operations can now optionally identify a tape by its (unique) UUID.
  • Writing a label text now throws an error if the label already exists in the inventory.
  • The tape inventory GUI now uses the UUID to identify tapes instead of the label text, as it is not necessarily unique.
• Improve error output when reading the element status fails.
• Improve formatting of LTO9 (or higher) tapes:
  • Avoid full re-initialization when doing a fast erase, as it can take up to two hours.
  • When doing a slow erase, increase the timeout to two hours and warn that the operation can take a long time.
• Improvements to the LTO barcode generator:
  • Add LTO-9 tape type and make it the new default.
  • Add WORM tape types.
  • Only enable the “Add” button if fields are valid.
• The API now forbids creating a drive config with the same name as an existing changer, and vice-versa, to prevent confusing situations.
• Tape backups and restore can now be configured with a notification-mode for a smooth migration to the new notification system. The legacy-sendmail mode replicates the previous behavior of sending an email via the local Postfix MTA to a configured user’s email address The notification-system mode sends notifications exclusively using the new notification system.

Access control

• Add support for Active Directory authentication realms. This new realm type retrieves users and groups from an external Active Directory Server. Active Directory realms are already supported by Proxmox VE, and are now supported by Proxmox Backup Server as well.
• Fix an issue where the OpenID Connect realm would wrongly reject valid ACR values (issue 5190).
• Require non-root users to enter their current password on password change. This is to hedge against a scenario where an attacker has local or even physical access to a computer where a user is logged in.

Installation ISO

• Support for automated and unattended installation of Proxmox Backup Server. Introduce the proxmox-auto-install-assistant tool that prepares an ISO for automated installation. The automated installation ISO reads all required settings from an answer file in TOML format. One option to provide the answer file is to directly add it to the ISO. Alternatively, the installer can retrieve it from a specifically-labeled partition or via HTTPS from a specific URL. If the answer file is retrieved via HTTPS, URL and fingerprint can be directly added to the ISO, or obtained via DHCP or DNS. See the wiki page on Automated Installation for more details.

Improved management of Proxmox Backup Server machines

• New flexible notification system. Allows sending notifications to different targets. The local Postfix MTA, previously the sole notification option, is now one of several target types available. Two new target types include: smtp allowing direct notification emails via authenticated SMTP, and gotify, which sends notifications to a Gotify instance. Flexible notification routing is possible through matcher-based rules that determine which targets receive notifications for specific events. Match rules can select events based on their severity, time of occurrence, or event-specific metadata fields (such as the event type, datatore, job-id, media-pool). Multiple rules can be combined to implement more complex routing scenarios.
• Add the gdisk package to the dependencies, as sgdisk is needed to initialize disks.
• Remove whitespace when adding a subscription key, to avoid failing subscription checks due to superfluous whitespace.
• Support for adding custom ACME enabled CA’s with optional authentication through External Account Binding (EAB), on the commandline (issue 4497).
• Improved system report to provide a better status overview:
  • Add configured prune jobs.
• Improvements to Proxmox Offline Mirror:
  • Improve UX in promxox-offline-mirror-helper, when having multiple subscription keys available at the chosen mountpoint.
  • Add dark mode to the documentation.
  • Fix a wrong configuration setting for allowing weak RSA cryptographic parameters.
  • Improve path handling with command line arguments.
  • Support repositories that do not provide a Priority field (issue 5249).

Known Issues & Breaking Changes

Kernel 6.8

The Proxmox Backup Server 3.2 releases will install and use the 6.8 Linux kernel by default, a major kernel change can have a few, hardware specific, side effects.

You can avoid installing the 6.8 kernel by pinning the proxmox-default-kernel package version before the upgrade. The last version to depend on kernel 6.5 is 1.0.1.

To pin the package to that version, create a file in /etc/apt/preferences.d/proxmox-default-kernel with the following content. This will keep proxmox-default-kernel on the old version until that file is deleted, and a new upgrade is initiated:

Package: proxmox-default-kernel
Pin: version 1.0.1
Pin-Priority: 1000

Kernel: Change in Network Interface Names

Upgrading kernels always carries the risk of network interface names changing, which can lead to invalid network configurations after a reboot. In this case, you must either update the network configuration to reflect the name changes, or pin the network interface to its name beforehand.

See the reference documentation on how to pin the interface names based on MAC Addresses.

Currently, the following models are known to be affected at higher rates:

• Models using i40e. Their names can get an additional port suffix like p0 added.

Proxmox Backup Server Press Release: https://www.proxmox.com/en/about/press-releases/proxmox-backup-server-3-2