Installing and Configuring BareOS for Linux Backup

Purpose

Core procedure for installing the BareOS client on a host to be protected, and configuring a job to run backups on the BareOS server.

Audience

SIG or other systems staff with a medium level of Linux experience, including basic firewall configuration.

Steps

Installing and configuring backup clients with BareOS

Bareos has multiple components to consider with backup scheduling.  A backup job consists of:

  • A job definition
    • Name (self explanatory)
    • Type (Backup)
    • Client
    • FileSet (this is a configuration file defining the file set)
    • Storage (where do the backups get stored, also a configuration)
    • Pools that the job will use (also configs)

Because we have hosts sitting on four primary networks and we want to force traffic for those networks to stay local, there should be jobs configured for every network for every type of backup job we need, to ensure the STORAGE portion is efficient.  There may be a better way to do this.

Install the bareos-fd on your client

The client install for Linux needs to add the Bareos repo.  The latest instructions for client install live at https://www.bareos.org/en/HOWTO/articles/set_up_backup_client.html.  The following script can be used for Linux clients.


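#!/bin/sh
# See https://download.bareos.org/bareos/release/
# for applicable releases and distributions

# stop at the first failed step instead of running yum without the repo file
set -e

DIST=CentOS_8

# or
# DIST=RHEL_7
# DIST=CentOS_7
# DIST=Fedora_30
# DIST=Fedora_31

# no trailing slash, so the URL below does not end up with "//" in it
RELEASE=release/19.2

# or
# RELEASE=release/latest
# RELEASE=experimental/nightly

# add the Bareos repository (fetched over HTTPS, since this file tells yum
# where packages come from and whether their signatures are checked)

URL=https://download.bareos.org/bareos/$RELEASE/$DIST

wget -O /etc/yum.repos.d/bareos.repo "$URL/bareos.repo"

# install Bareos packages

yum install bareos-fd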
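
An added check, not part of the original script or of the Bareos project: vet the downloaded bareos.repo before it lands in /etc/yum.repos.d, because that file decides whether yum verifies package signatures. The function names and the sample repo content are constructed for illustration.

```shell
#!/bin/sh
# check_repo_gpg FILE: succeed only if every [section] of a yum .repo file
# enables gpgcheck and names a gpgkey; print one line per offending section.
# A section that omits gpgcheck fails here instead of inheriting yum's default.
check_repo_gpg() {
    awk '
        function report() {
            if (sec != "" && !(gpg ~ /^(1|yes|true)$/ && key != "")) {
                printf "%s gpgcheck=%s gpgkey=%s\n", sec,
                    (gpg == "" ? "unset" : gpg), (key == "" ? "unset" : key)
                bad = 1
            }
        }
        /^[ \t]*([#;]|$)/ { next }
        /^[ \t]*\[/ { report(); sec = $1; gpg = ""; key = ""; next }
        {
            eq = index($0, "=")
            if (eq == 0) next
            k = tolower(substr($0, 1, eq - 1)); gsub(/[ \t]/, "", k)
            v = substr($0, eq + 1); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == "gpgcheck") gpg = tolower(v)
            if (k == "gpgkey") key = v
        }
        END { report(); exit bad }
    ' "$1"
}

# fetch_bareos_repo URL: download to a temporary file, vet it, and only then
# install it where yum reads it. URL is the bareos.repo address the install
# script builds from $RELEASE and $DIST.
fetch_bareos_repo() {
    tmp=$(mktemp) || return 1
    rc=1
    if wget -q -O "$tmp" "$1" && check_repo_gpg "$tmp"; then
        install -m 0644 "$tmp" /etc/yum.repos.d/bareos.repo && rc=0
    else
        echo "refusing to install repo file from $1" >&2
    fi
    rm -f "$tmp"
    return "$rc"
}

# Constructed sample: the second section turns signature checking off.
sample=$(mktemp)
printf '%s\n' '[good]' 'gpgcheck=1' 'gpgkey=https://repo.example/key' \
    '[bad]' 'gpgcheck=0' > "$sample"
check_repo_gpg "$sample" || echo "sample repo file rejected"
rm -f "$sample"
```

In the install script, fetch_bareos_repo "$URL/bareos.repo" would take the place of the wget line.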

Windows Clients use: http://download.bareos.org/bareos/release/latest/windows

Once the client is installed you should configure any firewall changes.

Firewall changes

If the local client has a firewall (most Linux hosts will have an iptables firewall, minimally), you need to allow traffic from the backup box to port 9102 (bareos-fd).  If you want to open it up to all of campus you can do so; otherwise the network addresses on the various segments are:

For CentOS iptables, the following two lines can be added to /etc/sysconfig/iptables:

  • -A INPUT -p tcp -s 137.22.1.23/32 -m tcp --dport 9102 -j ACCEPT
  • -A INPUT -p udp -s 137.22.1.23/32 -m udp --dport 9102 -j ACCEPT

... and an example for nftables (the config file is generally /etc/nftables.conf, but you can check by running systemctl status nftables):

  • # BareOS (for systems on the ACAD network, in this case)
  • ip saddr 137.22.1.23 ct state new tcp dport 9102 counter accept
  • ip saddr 137.22.1.23 ct state new udp dport 9102 counter accept

This example is for ACAD; substitute the appropriate IP, or a more permissive subnet mask, as needed.
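
An added example, not part of the original procedure: a check that lists which sources a rules file lets through to bareos-fd, so a rule that opens port 9102 more widely than intended is noticed. It reads the iptables and nftables line formats shown above; the function names and the third sample rule are constructed for illustration.

```shell
#!/bin/sh
# fd_rule_sources FILE: print the source address of every rule that accepts
# traffic to bareos-fd (port 9102). "ANY" means the rule has no source
# restriction. Handles single-port rules only (--dport / dport).
fd_rule_sources() {
    awk '
        /^[ \t]*#/ { next }
        {
            src = "ANY"; port = ""; accept = 0
            for (i = 1; i <= NF; i++) {
                if ($i == "-s" || $i == "--source" || $i == "saddr") src = $(i + 1)
                if ($i == "--dport" || $i == "dport") port = $(i + 1)
                if (($i == "-j" && $(i + 1) == "ACCEPT") || $i == "accept") accept = 1
            }
            sub(/\/32$/, "", src)          # treat a /32 host mask as the bare IP
            if (accept && port == "9102") print src
        }
    ' "$1" | sort -u
}

# fd_rules_ok FILE BACKUP_IP: succeed only if port 9102 is opened and every
# rule opening it is limited to BACKUP_IP.
fd_rules_ok() {
    [ "$(fd_rule_sources "$1")" = "$2" ]
}

# Constructed sample: the two iptables rules from this page plus one
# unrestricted rule of the kind this check is meant to catch.
rules=$(mktemp)
cat > "$rules" <<'EOF'
-A INPUT -p tcp -s 137.22.1.23/32 -m tcp --dport 9102 -j ACCEPT
-A INPUT -p udp -s 137.22.1.23/32 -m udp --dport 9102 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9102 -j ACCEPT
EOF
if fd_rules_ok "$rules" 137.22.1.23; then
    echo "bareos-fd reachable only from 137.22.1.23"
else
    echo "bareos-fd also reachable from:"
    fd_rule_sources "$rules" | grep -vxF 137.22.1.23
fi
rm -f "$rules"
```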

Currently Defined Jobs

The following jobdefs should be self-explanatory; the list will be added to as more definitions are created.  When you create the backup job you’ll need to select the jobdef that fits your client.  So if you’re backing up a default set of files on a Linux client that lives on the ACAD network, you would select LinuxAll-ACAD as your jobdef.  These delineations are probably not necessary, but I put the work into creating them and they visually let you know where something lives.  Each job can have a dash two through four (i.e. LinuxAll-ACAD-4), which locks the full backup schedule to a specific weekend of the month.  The default (no dash) is for the first weekend of the month.

  • Default-SERVER
  • LinuxAll-SERVER
  • LinuxAll-ACAD
  • LinuxAll-ADMIN
  • LinuxAll-BASTION

Add the client to bareos

As root on reverse, run bconsole (ex. # sudo bconsole).  Add the client with a command similar to the following (the hostname will change, and perhaps the jobdef).  The address can also be an FQDN.

* configure add client name=repo.its.carleton.edu address=137.22.94.97 password=backup2020sol2

A config file will be echoed to the terminal and created in /etc/bareos/bareos-dir.d/client/<client-name>-fd.conf.  This is a server config file and will contain the plaintext secret.  Another file is echoed to the terminal and created in /etc/bareos/bareos-dir-export/client/s<client>-fd/bareos-fd.d/director/bareos-dir.conf; this file needs to be copied to the appropriate place on the client.  On Linux this is /etc/bareos/bareos-fd.d/director/bareos-dir.conf

Start the client daemon at this point. 

On Linux this is systemctl start bareos-fd.service and systemctl enable bareos-fd.service. 

On Windows, start the service.

At this point if all the previous steps have been followed successfully you should be able to test.  In bconsole you can enter status client=sol2-fd. 

If the configuration is functional you should see a TLS handshake and some other status messages.  If not, review your work.

Add your backup job to the client

There is a many-to-many relationship between backup jobs and clients.  Generally you will only have one job assigned to a client.  In bconsole you add the job, for instance:

* configure add job name=sol2-job client=sol2-fd jobdefs=LinuxAll-ACAD-2

I am configuring a job named sol2-job for my sol2 client (as defined by sol2-fd), using the LinuxAll fileset on the ACAD network; fulls will run on the 2nd weekend of the month.

You can check the job now with a command like estimate listing job=sol2-job, and if all is defined well you’ll get all the files that would be backed up.  Not a great idea, but everyone should do it once.