Bareos Shared Secrets
Bareos is a backup software, which was forked from Bacula years ago. It consists of several services:
- Bareos Director (D) @ TCP:9101: central scheduler to coordinate all activities.
- Bareos File Daemon (FD) @ TCP:9102: service running on each client to backup (and restore) the client.
- Bareos Storage Daemon (SD) @ TCP:9103: storage system to host the backed-up data.
- Bareos Catalog (C): database with data of all backed-up files.
- Bareos Console / WebUI: textual or graphical interface to the Director.
- Bareos Tray-Monitor (TM): Desktop application for monitoring other services.
Connections
They communicate over the network and use pair-wise shared secrets.
- The Director contacts the File Daemon to initiate the backup (or restore).
- The File Daemon contacts the Storage Daemon and sends it data to it. As an alternative the connection can be reversed if for example the SD has no public IP address.
- The Console contacts the Director to send it commands.
- The Tray-Monitor can connect to all other services to monitor them directly. Each TM is configured to access the Director as a restricted console or the other services as an additional Director with restricted read-only permissions.
- The Director needs access to the Catalog database.
Configuration
The services are configured through files below /etc/bareos/
.
Either the configuration can be put into a single file $SERVICE.conf
, or split over multiple fragments $SERVICE.d/$TYPE/$NAME.conf
.
While the former exists, the later is ignored.
$NAME
should match Name = "..."
except for `bareos-fd.d/client/myself.conf´.
Name = "..."
is only important for
bareos-dir.d/director/DIRECTOR.conf
bareos-dir.d/console/CONSOLE.conf
tray-monitor.d/monitor/CONSOLE.conf
as they define the name which mast match the name given inbareos-fd.d/director/DIRECTOR.conf
bareos-sd.d/director/DIRECTOR.conf
tray-monitor.d/director/DIRECTOR.conf
bconsole.d/director/DIRECTOR.conf
Director
- For each File Daemon there must be a matching
Client
section. - For each Storage Daemon there must be a matching
Storage
section. - For each restricted Console and Tray-Monitor there must be a matching
Console
section. - A admin Console uses the secret from
Director
.
# /etc/bareos/bareos-dir.d/director/DIRECTOR.conf
Director {
Name = "DIRECTOR" # !!!
Password = "ADMIN-SECRET" # admin access
}
# /etc/bareos/bareos-dir.d/console/CONSOLE.conf
Console {
Name = "CONSOLE" # !!!
Password = "CONSOLE-SECRET" # restricted access
}
# /etc/bareos/bareos-dir.d/client/CLIENT.conf
Client {
Name = "CLIENT"
Address = FILE-DAEMON-ADDRESS
Password = "FILE-DAEMON-SECRET"
}
# /etc/bareos/bareos-dir.d/storage/STORAGE.conf
Storage {
Name = "STORAGE"
Address = STORAGE-DAEMON-ADDRESS # public
Password = "STORAGE-DAEMON-SECRET"
Device = "SD-DEVICE"
MediaType = "SD-MEDIA"
}
# /etc/bareos/bareos-dir.d/counter/
Counter { }
# /etc/bareos/bareos-dir.d/catalog/
Catalog { }
# /etc/bareos/bareos-dir.d/fileset/
FileSet { }
# /etc/bareos/bareos-dir.d/job/
Job { }
# /etc/bareos/bareos-dir.d/jobdefs/
JobDefs { }
# /etc/bareos/bareos-dir.d/messages/
Messages { }
# /etc/bareos/bareos-dir.d/pool/
Pool { }
# /etc/bareos/bareos-dir.d/profile/
Profile { }
# /etc/bareos/bareos-dir.d/schedule/
Schedule { }
File Daemon
- There shoule be one
Director
section for the Director. - For each restricted Tray-Monitor there must be an additional
Director
section.
# /etc/bareos/bareos-fd.d/client/myself.conf # always that name
Client {
Name = "CLIENT"
}
# /etc/bareos/bareos-fd.d/director/DIRECTOR.conf
Director {
Name = "DIRECTOR"
Password = "FILE-DAEMON-SECRET"
Monitor = yes # for Monitor only
}
# /etc/bareos/bareos-fd.d/messages/
Messages { }
Storage Daemon
- There shoule be one
Director
section for the Director. - For each restricted Tray-Monitor there must be an additional
Director
section.
# /etc/bareos/bareos-sd.d/storage/STORAGE.conf
Storage {
Name = "STORAGE"
}
# /etc/bareos/bareos-sd.d/director/DIRECTOR.conf
Director {
Name = "DIRECTOR"
Password = "STORAGE-DAEMON-SECRET"
Monitor = yes # for Monitor only
}
# /etc/bareos/bareos-sd.d/messages/
Messages { }
# /etc/bareos/bareos-sd.d/autochanger/
Autochanger { }
# /etc/bareos/bareos-sd.d/device/
Device {
Name = "SD-DEVICE"
MediaType = "SD-MEDIA"
}
# /etc/bareos/bareos-sd.d/ndmp/
Ndmp { }
Tray Monitor
- There shoule be one
Monitor
and oneDirector
section for the Director. - For each File Daemon there can be a matching
Client
section. - For each Storage Daemon there can be a matching
Storage
section.
# /etc/bareos/tray-monitor.d/monitor/CONSOLE.conf
Monitor {
Name = "CONSOLE" # !!!
Password = "CONSOLE-SECRET"
}
# /etc/bareos/tray-monitor.d/director/DIRECTOR.conf
Director {
Name = "DIRECTOR"
Address = DIRECTOR-ADDRESS
}
# /etc/bareos/tray-monitor.d/client/FILE-DAEMON.conf
Client {
Name = "FILE-DAEMON"
Address = FILE-DAEMON-ADDRESS
Password = "FILE-DAEMON-SECRET"
}
# /etc/bareos/tray-monitor.d/storage/STORAGE-DAEMON.conf
Storage {
Name = "STORAGE-DAEMON"
Address = STORAGE-DAEMON-ADDRESS
Password = "STORAGE-DAEMON-SECRET"
}
Console
- There shoule be one
Director
section for the Director. - For an admin Console there must be a matching
Director
section. - For an restricted Console there must be a
Director
and matchingConsole
section.
# /etc/bareos/bconsole.d/director/DIRECTOR.conf
Director {
Name = "DIRECTOR"
Address = DIRECTOR-ADDRESS
Password = "ADMIN-SECRET" # admin access
}
# /etc/bareos/bconsole.d/console/CONSOLE.conf
Console {
Name = "CONSOLE"
Password = "CONSOLE-SECRET" # restricted access
}
Written on February 9, 2020