undefined | Better HN

0 pointsrsync5y ago0 comments

You can 'zfs send' to a (special kind of) rsync.net account.

We support encrypted zfs[1][2][3] and raw-send, etc.

The pricing is the same but there is a 1TB minimum because we need to give you your own VM (bhyve) and we have to burn an ipv4 address for you, etc.

[1] https://www.rsync.net/products/zfs.html

[2] https://arstechnica.com/information-technology/2015/12/rsync...

[3] https://www.servethehome.com/automating-proxmox-ve-zfs-offsi...

0 comments

Dagger25y ago

Sounds like a good opportunity for an IPv6-only version at a discount/lower minimum. Many people (Google says 45% in the US) don't need servers to have v4 these days.

nicolaslem5y ago

> The snapshots are immutable (read-only) and cannot be altered in any way. In this way, your rsync.net account protects you from ransomware or malicious parties.

Is this still true for these special ZFS enabled accounts?

secabeen5y ago

Not /u/rsync, but I have one of these accounts. The snapshots are immutable (as are all ZFS snapshotss) but you have the ability to run `zfs destroy` on them, so there is a risk there. (When they're doing the snapshots for you, you don't have that ability, but then you just have a filesystem, with no access to the underlying ZFS.)

My solution to the `zfs destroy` risk is to make my backups pull-based, where rsync.net connects inbound to my production server, and rsync.net specifies the necessary commands on the production box to grab the raw encrypted streams. That eliminates the ability of an attacker that is on the production server to run arbitrary commands at rsync.net.

There is still a small risk of data destruction if an attacker gets your rsync.net credentials, but those can be protected via off-line storage and secured workstations, which works pretty well.

xoa5y ago

While that sounds like a workable solution, out of curiosity does rsync.net support multiple users and OpenZFS' delegated permissions for more fine-grained control? They're pretty useful, and amongst other things can ensure any given user can create/clone/send/receive/etc, with per-file system capability, inheritance and so on.

jaegerma5y ago

Is this VM like a DigitalOcean or Linode VM with storage attached and the customer is fully responsible for it or is this VM managed by rsync.net like the normal storage accounts?

nix235y ago

No. Yes.

blibble5y ago

could you allocate the VM on demand? xinetd style

(you could route the ssh traffic similarly based on login)

j / k navigate · click thread line to collapse