Purpose
Core procedure for installing the Bareos client on a host to be protected and configuring a job to run backups on the Bareos server.
Audience
SIG or other systems staff with a medium level of Linux experience, including basic firewall configuration.
Steps
Installing and configuring backup clients with Bareos
Bareos has multiple components to consider with backup scheduling. A backup job consists of:
- A job definition
  - Name (self-explanatory)
  - Type (Backup)
  - Client
  - FileSet (this is a configuration file defining the file set)
  - Storage (where do the backups get stored, also a configuration)
  - Pools that the job will use (also configs)
Because we have hosts sitting on four primary networks and we want to force backup traffic for those networks to stay local, there should be a job configured for every network for every type of backup job we need, so that the STORAGE portion is efficient. There may be a better way to do this.
Install the bareos-fd on your client
The client install for Linux needs to add the Bareos repo. The latest instructions for client install live at https://www.bareos.org/en/HOWTO/articles/set_up_backup_client.html. The following script can be used for Linux clients.
#!/bin/sh
# See http://download.bareos.org/bareos/release/
# for applicable releases and distributions
DIST=CentOS_8
# or
# DIST=RHEL_7
# DIST=CentOS_8
# DIST=CentOS_7
# DIST=Fedora_30
# DIST=Fedora_31
RELEASE=release/19.2/
# or
# RELEASE=release/latest/
# RELEASE=experimental/nightly/
# add the Bareos repository
URL=http://download.bareos.org/bareos/$RELEASE/$DIST
wget -O /etc/yum.repos.d/bareos.repo $URL/bareos.repo
# install Bareos packages
yum install bareos-fd
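The script above fetches bareos.repo over plain HTTP, so it is worth inspecting the downloaded file before running yum install. The following is an added example (not part of the original procedure or of Bareos) that reports, for each repository section, whether gpgcheck=1 is set and how many URLs use http://. The function name check_repo_file and the sample repository content are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the Bareos project): inspect a yum .repo file
# before running "yum install" against it.

# check_repo_file [FILE]   (reads stdin when FILE is omitted)
# Prints per section:  <section> gpgcheck=<value|unset> plain_http=<n>
# plain_http counts baseurl/gpgkey/mirrorlist values starting with http://
# Returns 0 only when every section explicitly sets gpgcheck=1.
check_repo_file() {
    awk '
    function report() {
        if (sec == "") return
        printf "%s gpgcheck=%s plain_http=%d\n", sec, (gc == "" ? "unset" : gc), http
        if (gc != "1") bad = 1
    }
    /^[ \t]*[#;]/ { next }                      # skip comment lines
    /^\[/ {                                     # start of a new [section]
        report()
        sec = $0; gsub(/^\[|\].*$/, "", sec); gc = ""; http = 0
        next
    }
    /=/ {
        key = $0; sub(/[ \t]*=.*/, "", key); sub(/^[ \t]+/, "", key)
        val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
        if (key == "gpgcheck") gc = val
        if (key ~ /^(baseurl|gpgkey|mirrorlist)$/ && val ~ /^http:\/\//) http++
    }
    END { report(); exit bad + 0 }
    ' "${1:--}"
}

# Constructed sample input, not the real contents of bareos.repo.
sample_repo() {
    cat <<'EOF'
[bareos_example]
name=Constructed example repository
baseurl=http://repo.example.invalid/bareos/CentOS_8/
gpgcheck=1
gpgkey=http://repo.example.invalid/bareos/CentOS_8/repodata/repomd.xml.key
enabled=1
EOF
}

sample_repo | check_repo_file || echo "repo file needs review"
```

On a client, run it as check_repo_file /etc/yum.repos.d/bareos.repo. A nonzero plain_http count means the package index or signing key is fetched without transport protection and deserves a second look.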
Windows Clients use: http://download.bareos.org/bareos/release/latest/windows
Once the client is installed, make any required firewall changes.
Firewall changes
If the local client has a firewall (most Linux hosts will have an iptables firewall, minimally), you need to allow traffic from the backup box to port 9102 (bareos-fd). If you want to open it up to all of campus you can do so; otherwise, the backup server's addresses on the various network segments are:
- SERVER
  - reverse.its.carleton.edu
  - 137.22.194.3
- BASTION
  - reverse-ba.its.carleton.edu
  - 137.22.94.22
- ADMIN
  - reverse-ad.its.carleton.edu
  - 137.22.128.102
- ACAD
  - reverse-ac.its.carleton.edu
  - 137.22.1.23
For CentOS iptables, the following two lines can be added to /etc/sysconfig/iptables:
-A INPUT -p tcp -s 137.22.1.23/32 -m tcp --dport 9102 -j ACCEPT
-A INPUT -p udp -s 137.22.1.23/32 -m udp --dport 9102 -j ACCEPT
This example is obviously for ACAD; substitute the appropriate IP address or a more permissive subnet mask as needed.
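To confirm that a client's rules admit only the backup server, the following added example (not part of the original procedure) scans an iptables rules file such as /etc/sysconfig/iptables for ACCEPT rules on port 9102 and flags any whose source is missing or is not one of the four addresses listed above. The function name audit_fd_rules and the sample rules are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original page): audit an iptables rules file
# for how widely bareos-fd (port 9102) is exposed.

# The four backup-server addresses listed in the table above.
ALLOWED="137.22.194.3 137.22.94.22 137.22.128.102 137.22.1.23"

# audit_fd_rules [FILE]   (reads stdin when FILE is omitted)
# For every INPUT rule that ACCEPTs --dport 9102, prints one of:
#   OK <src>     source is exactly one of the ALLOWED hosts
#   WIDE <src>   source is a subnet or a host not in ALLOWED
#   OPEN any     rule has no source restriction
# Returns 0 only if at least one rule was found and all were OK.
# Port ranges and "-m multiport" rules are not parsed.
audit_fd_rules() {
    awk -v allowed="$ALLOWED" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    /^-A INPUT / {
        src = ""; dport = ""; target = ""
        for (i = 1; i < NF; i++) {
            if ($i == "-s" || $i == "--source") src = $(i + 1)
            if ($i == "--dport") dport = $(i + 1)
            if ($i == "-j") target = $(i + 1)
        }
        if (dport != "9102" || target != "ACCEPT") next
        seen++
        host = src; sub(/\/32$/, "", host)
        if (src == "") { print "OPEN any"; bad++ }
        else if (host in ok) print "OK " src
        else { print "WIDE " src; bad++ }
    }
    END { if (seen > 0 && bad == 0) exit 0; exit 1 }
    ' "${1:--}"
}

# Constructed sample rules: the ACAD rule from this page plus a broader /16 rule.
sample_rules() {
    cat <<'EOF'
-A INPUT -p tcp -s 137.22.1.23/32 -m tcp --dport 9102 -j ACCEPT
-A INPUT -p tcp -s 137.22.0.0/16 -m tcp --dport 9102 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
EOF
}

sample_rules | audit_fd_rules || echo "bareos-fd exposure needs review"
```

A WIDE or OPEN line is not necessarily wrong, since the procedure allows a more permissive mask, but it should be a deliberate choice rather than a leftover.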
Currently Defined Jobs
The following jobdefs should be self-explanatory; the list will be added to as more definitions are created. When you create the backup job you’ll need to select the jobdef that fits your client. So if you’re backing up a default set of files on a Linux client that lives on the ACAD network, you would select LinuxAll-ACAD as your jobdef. These delineations are probably not necessary but I put the work into creating them and they visually let you know where something lives. Each job can have a dash two through four (i.e. LinuxAll-ACAD-4), which locks the full backup schedule to a specific weekend of the month. The default (no dash) is for the first weekend of the month.
- Default-SERVER
- LinuxAll-SERVER
- LinuxAll-ACAD
- LinuxAll-ADMIN
- LinuxAll-BASTION
Add the client to bareos
As root on reverse, run bconsole (e.g. # sudo bconsole). Add the client with a command similar to the following (the hostname will change, and perhaps the jobdef). The address can also be an FQDN.
* configure add client name=repo.its.carleton.edu address=137.22.94.97 password=backup2020sol2
A config file will be echoed to the terminal and created in /etc/bareos/bareos-dir.d/client/<client-name>-fd.conf. This is a server config file and will contain the plaintext secret. Another file is echoed to the terminal and created in /etc/bareos/bareos-dir-export/client/s<client>-fd/bareos-fd.d/director/bareos-dir.conf; this file needs to be copied to the appropriate place on the client. On Linux this is /etc/bareos/bareos-fd.d/director/bareos-dir.conf.
Start the client daemon at this point.
On Linux this is systemctl start bareos-fd.service. On Windows, start the service.
At this point, if all the previous steps have been followed successfully, you should be able to test. In bconsole you can enter status client=sol2-fd. If the configuration is functional you should see a TLS handshake and some other status messages. If not, review your work.
Add your backup job to the client
There is a many-to-many relationship between backup jobs and clients. Generally you will only have one job assigned to a client. In bconsole you add the job (for instance):
* configure add job name=sol2-job client=sol2-fd jobdefs=LinuxAll-ACAD-2
I am configuring a job named sol2-job for my sol2 client (as defined by sol2-fd), and I’m using the LinuxAll fileset on the ACAD network, and fulls will run on the 2nd weekend of the month.
You can check the job now with a command like estimate listing job=sol2-job, and if all is defined well you’ll get all the files that would be backed up. Not a great idea, but everyone should do it once.