Bareos Shared Secrets

Bareos is a backup software, which was forked from Bacula years ago. It consists of several services:

  • Bareos Director (D) @ TCP:9101: central scheduler to coordinate all activities.
  • Bareos File Daemon (FD) @ TCP:9102: service running on each client to backup (and restore) the client.
  • Bareos Storage Daemon (SD) @ TCP:9103: storage system to host the backed-up data.
  • Bareos Catalog (C): database with data of all backed-up files.
  • Bareos Console / WebUI: textual or graphical interface to the Director.
  • Bareos Tray-Monitor (TM): Desktop application for monitoring other services.

Connections

They communicate over the network and use pair-wise shared secrets.

  • The Director contacts the File Daemon to initiate the backup (or restore).
  • The File Daemon contacts the Storage Daemon and sends it data to it. As an alternative the connection can be reversed if for example the SD has no public IP address.
  • The Console contacts the Director to send it commands.
  • The Tray-Monitor can connect to all other services to monitor them directly. Each TM is configured to access the Director as a restricted console or the other services as an additional Director with restricted read-only permissions.
  • The Director needs access to the Catalog database.

Configuration

The services are configured through files below /etc/bareos/. Either the configuration can be put into a single file $SERVICE.conf, or split over multiple fragments $SERVICE.d/$TYPE/$NAME.conf. While the former exists, the later is ignored. $NAME should match Name = "..." except for `bareos-fd.d/client/myself.conf´.

Name = "..." is only important for

  • bareos-dir.d/director/DIRECTOR.conf
  • bareos-dir.d/console/CONSOLE.conf
  • tray-monitor.d/monitor/CONSOLE.conf as they define the name which mast match the name given in
  • bareos-fd.d/director/DIRECTOR.conf
  • bareos-sd.d/director/DIRECTOR.conf
  • tray-monitor.d/director/DIRECTOR.conf
  • bconsole.d/director/DIRECTOR.conf

Director

/etc/bareos/bareos-dir.conf

  • For each File Daemon there must be a matching Client section.
  • For each Storage Daemon there must be a matching Storage section.
  • For each restricted Console and Tray-Monitor there must be a matching Console section.
  • A admin Console uses the secret from Director.
# /etc/bareos/bareos-dir.d/director/DIRECTOR.conf
Director {
  Name = "DIRECTOR"  # !!!
  Password = "ADMIN-SECRET"  # admin access
}
# /etc/bareos/bareos-dir.d/console/CONSOLE.conf
Console {
  Name = "CONSOLE"  # !!!
  Password = "CONSOLE-SECRET"  # restricted access
}
# /etc/bareos/bareos-dir.d/client/CLIENT.conf
Client {
  Name = "CLIENT"
  Address = FILE-DAEMON-ADDRESS
  Password = "FILE-DAEMON-SECRET"
}
# /etc/bareos/bareos-dir.d/storage/STORAGE.conf
Storage {
  Name = "STORAGE"
  Address = STORAGE-DAEMON-ADDRESS  # public
  Password = "STORAGE-DAEMON-SECRET"
  Device = "SD-DEVICE"
  MediaType = "SD-MEDIA"
}
# /etc/bareos/bareos-dir.d/counter/
Counter { }
# /etc/bareos/bareos-dir.d/catalog/
Catalog { }
# /etc/bareos/bareos-dir.d/fileset/
FileSet { }
# /etc/bareos/bareos-dir.d/job/
Job { }
# /etc/bareos/bareos-dir.d/jobdefs/
JobDefs { }
# /etc/bareos/bareos-dir.d/messages/
Messages { }
# /etc/bareos/bareos-dir.d/pool/
Pool { }
# /etc/bareos/bareos-dir.d/profile/
Profile { }
# /etc/bareos/bareos-dir.d/schedule/
Schedule { }

File Daemon

/etc/bareos/bareos-fd.conf

  • There shoule be one Director section for the Director.
  • For each restricted Tray-Monitor there must be an additional Director section.
# /etc/bareos/bareos-fd.d/client/myself.conf  # always that name
Client {
  Name = "CLIENT"
}
# /etc/bareos/bareos-fd.d/director/DIRECTOR.conf
Director {
  Name = "DIRECTOR"
  Password = "FILE-DAEMON-SECRET"
  Monitor = yes  # for Monitor only
}
# /etc/bareos/bareos-fd.d/messages/
Messages { }

Storage Daemon

/etc/bareos/bareos-sd.conf

  • There shoule be one Director section for the Director.
  • For each restricted Tray-Monitor there must be an additional Director section.
# /etc/bareos/bareos-sd.d/storage/STORAGE.conf
Storage {
  Name = "STORAGE"
}
# /etc/bareos/bareos-sd.d/director/DIRECTOR.conf
Director {
  Name = "DIRECTOR"
  Password = "STORAGE-DAEMON-SECRET"
  Monitor = yes  # for Monitor only
}
# /etc/bareos/bareos-sd.d/messages/
Messages { }
# /etc/bareos/bareos-sd.d/autochanger/
Autochanger { }
# /etc/bareos/bareos-sd.d/device/
Device {
  Name = "SD-DEVICE"
  MediaType = "SD-MEDIA"
}
# /etc/bareos/bareos-sd.d/ndmp/
Ndmp { }

Tray Monitor

/etc/bareos/bareos-fd.conf

  • There shoule be one Monitor and one Director section for the Director.
  • For each File Daemon there can be a matching Client section.
  • For each Storage Daemon there can be a matching Storage section.
# /etc/bareos/tray-monitor.d/monitor/CONSOLE.conf
Monitor {
  Name = "CONSOLE"  # !!!
  Password = "CONSOLE-SECRET"
}
# /etc/bareos/tray-monitor.d/director/DIRECTOR.conf
Director {
  Name = "DIRECTOR"
  Address = DIRECTOR-ADDRESS
}
# /etc/bareos/tray-monitor.d/client/FILE-DAEMON.conf
Client {
  Name = "FILE-DAEMON"
  Address = FILE-DAEMON-ADDRESS
  Password = "FILE-DAEMON-SECRET"
}
# /etc/bareos/tray-monitor.d/storage/STORAGE-DAEMON.conf
Storage {
  Name = "STORAGE-DAEMON"
  Address = STORAGE-DAEMON-ADDRESS
  Password = "STORAGE-DAEMON-SECRET"
}

Console

/etc/bareos/bconsole.conf

  • There shoule be one Director section for the Director.
  • For an admin Console there must be a matching Director section.
  • For an restricted Console there must be a Director and matching Console section.
# /etc/bareos/bconsole.d/director/DIRECTOR.conf
Director {
  Name = "DIRECTOR"
  Address = DIRECTOR-ADDRESS
  Password = "ADMIN-SECRET"  # admin access
}
# /etc/bareos/bconsole.d/console/CONSOLE.conf
Console {
  Name = "CONSOLE"
  Password = "CONSOLE-SECRET"  # restricted access
}
Written on February 9, 2020