Reference · Living document

Glossary

The shared vocabulary. Once a term is here, every lesson uses it the same way. Grows as we go.

RPO — Recovery Point Objective
The maximum data loss you can tolerate, measured in time. "RPO = 24h" means a disaster may cost you up to a day's changes. Set by backup frequency. Your homelab today: RPO = ∞ (no backups). In the field: written into every DR plan and SLA.
RTO — Recovery Time Objective
The maximum downtime you can tolerate — how fast you must be back. Set by your restore method and how rehearsed it is. Untested backups inflate RTO silently — a restore you've never run is a guess, not a number. Fix it with a fire drill.
3-2-1 rule
3 copies of data, on 2 different media, with 1 off-site. The minimum bar for surviving the realistic disasters (drive death, theft, fire, ransomware, your own mistake). Coined by photographer Peter Krogh, 2005. Modern variant 3-2-1-1-0 adds: 1 copy offline/immutable, 0 backup errors (i.e. verified restores).
Fire drill / Restore test
A deliberate, scheduled rehearsal of recovery — restore a backup to a throwaway target, confirm it boots, time it, tear it down — performed calmly, not during an outage. The only thing that turns a backup into a proven recovery and an RTO into a real number. In the field: "when did you last test a restore?" is an audit and interview question. A true DR test restores onto different hardware. (GitLab, 2017: five backup methods, none restorable.)
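The four entries above (RPO, RTO, 3-2-1, fire drill) describe numbers that only mean something once they are measured. The script below is an added example, not part of the course material: it audits a constructed backup inventory against 3-2-1, computes the real RPO exposure (hours since the newest successful copy) instead of the target written on paper, and times a rehearsal command to turn an RTO into a measured number. The inventory format, the copy names, the timestamps and the "now" value are all invented for the example; the drill stand-in is a `sleep`, where a real drill would run a restore to a throwaway target followed by a boot check.

```shell
#!/bin/sh
# Added example (not from the course): audit a backup inventory against the
# 3-2-1 rule, measure RPO exposure, and time a restore drill for RTO.
# Inventory format and every value below are constructed, not a real homelab.
#
# Inventory fields: name  media  site  last_success_epoch
# Any site other than "home" counts as off-site.
INVENTORY_OK='
vzdump-local   hdd-internal  home     1700000000
usb-mirror     hdd-external  home     1699913600
b2-bucket      cloud         offsite  1699827200
'
# Two copies on the same media, both at home: survives none of the listed disasters.
INVENTORY_BAD='
vzdump-local   hdd-internal  home     1700000000
zfs-snapshot   hdd-internal  home     1700000000
'

# check_321: read inventory lines on stdin; exit 0 only when 3-2-1 holds
# (>= 3 copies, >= 2 distinct media, >= 1 copy off-site).
check_321() {
  awk '
    NF == 4 { copies++; media[$2] = 1; if ($3 != "home") offsite++ }
    END {
      m = 0; for (k in media) m++
      ok = (copies >= 3 && m >= 2 && offsite >= 1)
      verdict = ok ? "3-2-1 OK" : "3-2-1 FAIL"
      printf "copies=%d media=%d offsite=%d -> %s\n", copies, m, offsite, verdict
      exit !ok
    }'
}

# rpo_exposure_hours NOW_EPOCH: hours since the newest successful copy on stdin.
# This is the data you would actually lose right now, whatever the target says.
rpo_exposure_hours() {
  awk -v now="$1" '
    BEGIN { newest = 0 }
    NF == 4 && $4 > newest { newest = $4 }
    END { printf "%d\n", (now - newest) / 3600 }'
}

# rpo_within TARGET_HOURS NOW_EPOCH: exit 0 when measured exposure meets the written RPO.
rpo_within() {
  exposure=$(rpo_exposure_hours "$2")
  [ "$exposure" -le "$1" ]
}

# drill_rto CMD...: run a restore rehearsal and print its wall-clock seconds (the measured RTO).
# In a real drill CMD would be a restore to a throwaway VMID plus a boot check.
drill_rto() {
  start=$(date +%s)
  "$@"
  end=$(date +%s)
  echo $((end - start))
}

NOW=1700172800   # constructed "now": 48h after the newest copy above
printf '%s\n' "$INVENTORY_OK"  | check_321
printf '%s\n' "$INVENTORY_BAD" | check_321 || echo "fix the inventory before trusting it"
echo "exposure: $(printf '%s\n' "$INVENTORY_OK" | rpo_exposure_hours "$NOW")h since newest copy"
printf '%s\n' "$INVENTORY_OK" | rpo_within 24 "$NOW" || echo "RPO target 24h missed"
echo "drill took $(drill_rto sleep 1)s (sleep stands in for a real restore)"
```

The point of `rpo_exposure_hours` is the gap between target and reality: a job scheduled nightly that has silently failed for two days gives an exposure of 48h against an RPO of 24h, and only measuring it from the last successful copy reveals that. `drill_rto` is deliberately dumb; the value is in running it on a schedule so the RTO is a recorded duration rather than an estimate.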
DR / BCP — Disaster Recovery / Business Continuity
DR = the technical plan to restore systems after a failure. BCP = the wider plan to keep operating. The professional home of RPO, RTO, and 3-2-1.
Backup ≠ Redundancy
Redundancy (RAID, ZFS mirror) survives a hardware failure with no downtime — but faithfully replicates your mistakes and ransomware to both disks instantly. Backup is a point-in-time copy you can roll back to. You need both; they solve different problems.
vzdump
Proxmox's built-in backup tool. Produces a single archive per guest (config + all data). Modes: snapshot (live, minimal pause), suspend, stop. Schedulable as a job with retention.
Default-deny
A firewall posture where everything is blocked unless explicitly allowed (the opposite of default-allow). The foundation of every serious network policy. Your host firewall is currently disabled — neither deny nor allow is enforced.
Attack surface
The sum of all points an attacker could probe or enter through — open ports, services, accounts, exposed APIs. Much of security work is shrinking it. Every listening port must earn its place.
Firewall it vs close it at the source
Two ways to make a port unreachable. Firewall it: the service still runs and listens; the firewall drops the packets. Close it at the source: stop/uninstall the service so nothing listens at all. For things you don't use (e.g. rpcbind), the source is strictly better — a service that isn't running can't be exploited or misconfigured. Firewall what you need; uninstall what you don't.
Management IPSet (Proxmox)
A named set of admin IPs in cluster.fw ([IPSET management]). Proxmox auto-generates rules so the GUI/SSH are reachable only from those addresses — the recommended way to scope the management plane to your admin subnet or Tailnet instead of the whole LAN. In the field: the homelab version of a bastion / jump-host access policy.
Proxmox firewall layers
Three nested levels: datacenter (cluster.fw), host/node (host.fw), and guest (per-VM/CT .fw). The datacenter level must be enabled for any of it to work. Default policy when enabled is policy_in: DROP, but management ports (8006, 22, 3128, VNC) are auto-allowed so you don't lock yourself out. Each guest's firewall enable defaults to 0 — the NIC firewall=1 flag alone does nothing until the guest firewall is turned on. Rollback: pve-firewall stop.
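The Management IPSet and firewall-layers entries above describe three conditions that are easy to get wrong independently: the datacenter layer not enabled, the inbound policy not default-deny, and the guest NIC flag set while the guest's own firewall stays off. The script below is an added example, not Proxmox's own tooling: a read-only audit of cluster.fw and of a guest's .conf/.fw pair. All config text is constructed; the admin subnet 192.168.10.0/24 is an assumption, and 100.64.0.0/10 is the Tailscale CGNAT range used here as a stand-in for a Tailnet. On a real node you would feed it /etc/pve/firewall/cluster.fw and the guest's /etc/pve/firewall/<vmid>.fw instead.

```shell
#!/bin/sh
# Added example (not Proxmox's own tooling): audit the Proxmox firewall layers.
# Every config snippet below is constructed for the example.

# Constructed cluster.fw as it often looks on a fresh install: defined, never enabled.
CLUSTER_FW_WEAK='
[OPTIONS]
enable: 0
policy_in: ACCEPT
'
# Constructed hardened cluster.fw: datacenter layer on, default-deny inbound, and a
# management IPSet with an assumed admin subnet plus the Tailscale CGNAT range.
CLUSTER_FW_HARDENED='
[OPTIONS]
enable: 1
policy_in: DROP
policy_out: ACCEPT

[IPSET management]
192.168.10.0/24
100.64.0.0/10
'
# Constructed guest config with the NIC flag set, and two versions of the guest .fw.
VM_CONF='
net0: virtio=BC:24:11:00:00:01,bridge=vmbr0,firewall=1
'
GUEST_FW_OFF='
[OPTIONS]
enable: 0
'
GUEST_FW_ON='
[OPTIONS]
enable: 1
'

# audit_cluster_fw: read cluster.fw on stdin; exit 0 only when the datacenter layer
# is enabled, inbound policy is DROP, and [IPSET management] has at least one entry.
audit_cluster_fw() {
  awk '
    BEGIN { enable = 0; policy_in = "DROP"; mgmt = 0 }   # DROP is the Proxmox default when unset
    { sub(/[ \t]+$/, "") }                               # strip trailing whitespace
    /^[ \t]*#/ || /^[ \t]*$/ { next }                    # skip comments and blanks
    /^\[/ { section = $0; next }                         # section header
    section == "[OPTIONS]" && $1 == "enable:"    { enable = $2 }
    section == "[OPTIONS]" && $1 == "policy_in:" { policy_in = $2 }
    section == "[IPSET management]"              { mgmt++ }
    END {
      ok = 1
      if (enable != 1)         { print "FAIL: datacenter firewall disabled (enable: " enable "), nothing below it is enforced"; ok = 0 }
      if (policy_in != "DROP") { print "FAIL: policy_in is " policy_in ", not default-deny"; ok = 0 }
      if (mgmt < 1)            { print "FAIL: no [IPSET management] entries, GUI/SSH reachable from any source"; ok = 0 }
      if (ok) print "OK: enabled, default-deny inbound, management plane scoped to " mgmt " source(s)"
      exit !ok
    }'
}

# guest_fw_effective "<vm .conf text>" "<guest .fw text>": exit 0 only when a NIC
# carries firewall=1 AND the guest [OPTIONS] enable is 1; either alone does nothing.
guest_fw_effective() {
  nics=$(printf '%s\n' "$1" | grep -c '^net[0-9]*:.*firewall=1' || true)
  enable=$(printf '%s\n' "$2" | awk '/^\[/ { s = $0 } s == "[OPTIONS]" && $1 == "enable:" { print $2 }')
  if [ "$nics" -gt 0 ] && [ "${enable:-0}" -eq 1 ]; then
    echo "guest firewall effective on $nics NIC(s)"
    return 0
  fi
  echo "guest firewall NOT effective: NICs with firewall=1: $nics, guest enable: ${enable:-0}"
  return 1
}

printf '%s\n' "$CLUSTER_FW_WEAK"     | audit_cluster_fw || echo "-> fix cluster.fw, then check it with: pve-firewall compile"
printf '%s\n' "$CLUSTER_FW_HARDENED" | audit_cluster_fw
guest_fw_effective "$VM_CONF" "$GUEST_FW_OFF" || echo "-> enable the guest firewall; the NIC flag alone is a no-op"
guest_fw_effective "$VM_CONF" "$GUEST_FW_ON"
```

The audit treats a missing policy_in as DROP because that is the documented default once the datacenter layer is enabled; only an explicit ACCEPT fails. `pve-firewall compile` is the real subcommand that parses the config and prints the generated rules, and `pve-firewall stop` remains the rollback if a change locks you out of the management ports.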
Blast radius
How far the damage spreads when one component is compromised. You reduce it with isolation and least privilege, so one breached service can't take the whole host.
Least privilege
Every user, process, and container gets the minimum access it needs — nothing more. A privileged LXC maps container-root to host-root (escape = host compromise); an unprivileged one does not.
CVE / CVSS
A CVE is a catalogued public vulnerability (e.g. CVE-2024-xxxxx). CVSS is its 0–10 severity score. Patch cadence is how you stop known, already-fixed CVEs from being your breach.