- put "restrict_commands.sh" in /usr/local/bin and make it executable
- install ts, lzop and optionally mbuffer
```
useradd zfsbackup --create-home --system
mkdir /home/zfsbackup/.ssh
zfs allow -u zfsbackup send,hold tank/dataset
echo 'restrict,command="restrict_commands.sh" ssh-ed25519 ...' > /home/zfsbackup/.ssh/authorized_keys
chown zfsbackup:zfsbackup /home/zfsbackup/.ssh -R
```
Run cronjob with:
```
syncoid --no-sync-snap --no-privilege-elevation --sendoptions=Rw zfsbackup@target:tank/dataset tank/dataset
```

I also encountered the above mysterious `lzop: <stdin>: not a lzop file` error. I initially tried to work around it by specifying `--compress=none`, but that resulted in a different `cannot receive: failed to read from stream`. Turns out this is a bit of a red herring. `/var/log/syslog` on the remote host (source of the dataset) revealed that it was catching multiple "non-whitelisted" commands. It turns out that the two `_RE_DATASET` and `_RE_SNAPSHOT` regex in the `restrict_commands.sh` above don't account for capital letters in either the dataset or snapshot, and syncoid was trying to send snapshots that started with `TEMP_`. Changing those two lines to:

resolved my issue. I'm now happily pulling snapshots from my primary server to my backup server. @Mikesco3 harder to tell if this resolves your issue specifically, but @alembiq I do see a capital `GMT` in your log output so you might give it a shot.
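
The failure mode described in the comment above, as an added example that is not the thread's `restrict_commands.sh` and not the commenter's fix: a forced-command allowlist whose character classes are lowercase-only denies a snapshot named `TEMP_...`, while adding `A-Z` admits it without admitting shell metacharacters. The variable names, patterns and the simplified `zfs send` command shape are assumptions constructed for illustration, not syncoid's actual command lines.

```shell
#!/bin/sh
# Added example: NOT the restrict_commands.sh from this thread.
# Patterns, names and sample commands are constructed for illustration.
LC_ALL=C; export LC_ALL   # ranges like [a-z] are only well-defined in the C locale

# Lowercase-only classes reproduce the failure mode described above.
DATASET_LOWER='[a-z0-9_./-]+'
SNAPSHOT_LOWER='[a-z0-9_.:-]+'
# Adding A-Z admits names like TEMP_... but still no spaces, quotes or ';'.
DATASET_MIXED='[A-Za-z0-9_./-]+'
SNAPSHOT_MIXED='[A-Za-z0-9_.:-]+'

NL='
'

# check_cmd DATASET_RE SNAPSHOT_RE COMMAND
# Returns 0 only if COMMAND is exactly "zfs send [-flags ...] dataset@snapshot".
check_cmd() {
    # grep matches line by line, so reject embedded newlines before matching.
    case $3 in *"$NL"*) return 1 ;; esac
    printf '%s\n' "$3" | grep -Eq "^zfs send (-[A-Za-z]+ )*$1@$2\$"
}

# verdict COMMAND: the decision a wrapper would take for $SSH_ORIGINAL_COMMAND.
# A real wrapper would log the denial and exit non-zero instead of printing.
verdict() {
    if check_cmd "$DATASET_MIXED" "$SNAPSHOT_MIXED" "$1"; then
        echo allow
    else
        echo deny
    fi
}

# Constructed sample commands: one legitimate send, one with a trailing command.
for c in 'zfs send -R -w tank/dataset@TEMP_example' 'zfs send tank/dataset@snap; id'; do
    printf '%s -> %s\n' "$c" "$(verdict "$c")"
done
```

When a pull fails with a stream error like the ones quoted above, the wrapper's denial log on the source host is the place to check first, since the receiving side only sees a truncated or empty stream.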