Bareos
Bareos is a reliable, cross-network open-source backup solution for data protection, archiving, and recovery.
add repo
add the official debian repo
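# add repo (packages are fetched over plain HTTP here, so their integrity rests entirely on apt's signature check against the release key imported below)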
> cat /etc/apt/sources.list.d/bareos.list
...
deb http://download.bareos.org/bareos/release/20/Debian_10 /
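# download the release key and show its fingerprint (gpg required); compare the fingerprint with one obtained from a trusted source before importing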
> wget -qO /tmp/bareos20_release.key \
'https://download.bareos.org/bareos/release/20/Debian_10/Release.key' \
&& gpg --keyid-format LONG --show-keys < /tmp/bareos20_release.key
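# import release key (apt-key trusts it for all configured repositories and is deprecated on newer Debian releases, which use a per-repository signed-by keyring instead)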
> apt-key add /tmp/bareos20_release.key
# refresh package list
> apt update
# install required software
> apt install bareos bareos-database-postgresql
abort the
dbconfig-common
dialog - we are doing it manually
database setup
configure postgresql
# install postgres
> apt install postgresql
# edit /etc/postgresql/11/main/postgresql.conf
...
password_encryption = scram-sha-256
# enable & start postgres service
> systemctl enable postgresql \
&& systemctl restart postgresql
# run postgres backend scripts
> su postgres -c /usr/lib/bareos/scripts/create_bareos_database
> su postgres -c /usr/lib/bareos/scripts/make_bareos_tables
> su postgres -c /usr/lib/bareos/scripts/grant_bareos_privileges
service config
check services and configurations
# ensure bareos services are ready
> systemctl restart bareos-dir \
&& systemctl restart bareos-sd \
&& systemctl restart bareos-fd
# test config files
> su bareos -s /bin/sh -c "/usr/sbin/bareos-dir -t"
> su bareos -s /bin/sh -c "/usr/sbin/bareos-sd -t"
> bareos-fd -t
> bconsole -t
Note
bareos
set database encoding to C
instead of UTF-8
manual postgres setup fails with:"Database encoding bad. Do not use this database"
commands
using bareos
# get into bareos shell
> bconsole
# reload console
*reload
# show filesets
*show filesets
# show dir status
*status dir
# show client status
*status client
# show storage
*status storage
# run a backup job
* run
# show messages (show only one time per job)
*message
# show job per ID and wait to be finished
*wait jobid=1
# restore all > all files are marked for restore
*restore all
# restore > manually mark/unmark files to restore
*restore
# if a restore fails you can try
*rerun jobid=1
smoke test
run test backup and restore
# run backup and select client (choose "1" and "yes")
*run
# check messages
*messages
# restore all files (select "5")
*restore all
# now you get a command line prompt (type "help" for available commands)
cwd is: /
$
# after playing around choose "done" to start backup
# now you can hit "yes" or "mod" to specify the restore path etc.
default restore path is
/tmp/bareos-restores
a restore on a remote host will also be placed in /tmp/bareos-restores on that remote host
client setup
configure remote client
# on server add client ("secret" is a placeholder - set a long random password)
*configure add client name=debian-client address=10.0.0.100 password=secret
# file: "/etc/bareos/bareos-dir.d/client/debian-client.conf"
# on client install required software
# see: "https://download.bareos.org/bareos/release/20/"
> apt install bareos-filedaemon
# copy the content of the following server file:
# "/etc/bareos/bareos-dir-export/client/debian-client/bareos-fd.d/director/bareos-dir.conf"
# to: "/etc/bareos/bareos-fd.d/director/bareos-dir.conf" on client side
# after copy config from server to client - restart client service
> systemctl restart bareos-filedaemon
# on server check client status
*status client=debian-client
# Connecting to Client debian at 10.0.0.100:9102
# we've got: "Handshake: Cleartext, Encryption: None"
# i.e. the director-to-client connection is not encrypted; this must be configured properly later
# add a job resource
*configure add job name=debian-client-job client=debian-client jobdefs=DefaultJob
# Created resource config file "/etc/bareos/bareos-dir.d/job/debian-client-job.conf":
# dry run
*estimate listing job=debian-client-job
# run backup job (yes/mod/no) > runs in BG
*run job=debian-client-job
# FG job and wait until ready
*wait jobid=4
# verify and check job
*list joblog jobid=4
*list files jobid=4
*list volumes
storage setup
adding storage:
# create backup directory
> mkdir /mnt/backup \
&& chown bareos:bareos /mnt/backup \
&& chmod 750 /mnt/backup
# create new device
# edit /etc/bareos/bareos-sd.d/device/FileStorageDir.conf
Device {
Name = FileStorageDir
Device Type = File
Media Type = FileDir # unique name
Archive Device = /mnt/backup # backup path
LabelMedia = yes;
Random Access = yes;
AutomaticMount = yes;
RemovableMedia = no;
AlwaysOpen = yes;
Description = "Backup to /mnt/backup"
}
# for nfs append
...
Requires Mount = yes
Mount Point = /mnt/nfs
Mount Command = "/bin/mount %m"
Unmount Command = "/bin/umount %m"
...
# set file owner
> chown bareos:bareos /etc/bareos/bareos-sd.d/device/FileStorageDir.conf
# create new storage
# edit /etc/bareos/bareos-dir.d/storage/FileDir.conf
Storage {
Name = FileDir
Address = bareos.example.com # use FQDN or IP and check messages
Password = "secure" # placeholder; must be the same as in "/etc/bareos/bareos-sd.d/director/bareos-dir.conf"
Device = FileStorageDir # same as defined in /etc/bareos/bareos-sd.d/device/FileStorageDir.conf
Media Type = FileDir # same as defined in /etc/bareos/bareos-sd.d/device/FileStorageDir.conf
Maximum Concurrent Jobs = 2
}
# set file owner
> chown bareos:bareos /etc/bareos/bareos-dir.d/storage/FileDir.conf
# reload bconsole
*reload
# check storage
*status storage
# run backup > mod > select storage "2"
*run job=debian-client-job
# check messages
*messages
scheduler config
setup a scheduler
# create new scheduler
# edit /etc/bareos/bareos-dir.d/schedule/Nightly.conf
Schedule {
Name = "Nightly"
Run = daily at 23:30
}
# set file permissions
> chown bareos:bareos /etc/bareos/bareos-dir.d/schedule/Nightly.conf
filesets
define filesets, i.e. what has to be backed up
# create new fileset /etc/bareos/bareos-dir.d/fileset/LinuxFullClient.conf
FileSet {
Name = "LinuxFullClient"
Description = "Backup whole system"
Include {
Options {
Signature = SHA1 # per-file checksum stored with the backup (SHA256 and SHA512 are also available)
Compression = LZ4 # compression
noatime = yes # minimize writes on client
}
File = / # backup whole FHS
}
Exclude {
File = /var/lib/bareos # exclude bareos itself
File = /var/lib/bareos/storage # like above
File = /proc # exclude virtual directory of the current Sysconfig
File = /tmp # exclude temp
File = /media # exclude removable media
File = /mnt # exclude mounts
File = /run # exclude run time variable data
File = /sys # exclude virtual directory of system settings
File = /dev # exclude device files
}
}
# set file permissions (same file name as created above)
> chown bareos:bareos /etc/bareos/bareos-dir.d/fileset/LinuxFullClient.conf
jobs
combine filesets and scheduler to a job
# create new jobdef /etc/bareos/bareos-dir.d/jobdefs/LinuxFullClientJob.conf
JobDefs {
Name = "LinuxFullClientJob"
Type = Backup # allowed are backup|restore|verify
Level = Incremental # allowed are Full|Differential|Incremental
Client = bareos-fd # overwritten by client-job.conf
FileSet = "LinuxFullClient"
Schedule = "Nightly"
Storage = FileDir
Messages = Standard
Pool = Incremental
Priority = 10
Write Bootstrap = "/var/lib/bareos/%c.bsr"
Full Backup Pool = Full
Differential Backup Pool = Differential
Incremental Backup Pool = Incremental
}
# set permissions
> chown bareos:bareos /etc/bareos/bareos-dir.d/jobdefs/LinuxFullClientJob.conf
configure job per client-job.conf
# edit /etc/bareos/bareos-dir.d/job/debian-client-job.conf
Job {
Name = debian-client-job
Client = debian-client
JobDefs = LinuxFullClientJob
}
# in a bconsole this looks like
*configure add job name=debian-client-job client=debian-client jobdefs=LinuxFullClientJob
at this point you should reload the
bconsole
tls config
tls setup - server side
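# note: the keys created here are for the file daemon's PKI data encryption and signing (the "PKI ..." directives in the client config); encryption of the daemon connections themselves is configured separately with the TLS directives (TLS Enable / TLS Require)
# create key directory and change into it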
> mkdir /etc/bareos/keys
> cd /etc/bareos/keys
# generate masterkey and store the passphrase
> openssl genrsa -aes256 -out master.key 4096
# generate a self-signed master certificate from the master key
> openssl req -new -key master.key -x509 -out master.cert -days 3650
# each client needs its own keypair, generated like this - store the passphrase
> openssl genrsa -aes256 -out fd-hostname.key 4096
> openssl req -new -key fd-hostname.key -x509 -out fd-hostname.cert -days 3650
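# create a PEM file for filedaemon encryption (fd-hostname-clear.key and fd-hostname.pem hold the private key without a passphrase - create them under a restrictive umask, e.g. "umask 077")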
> openssl rsa -in fd-hostname.key -out fd-hostname-clear.key
> cat fd-hostname-clear.key fd-hostname.cert > fd-hostname.pem
# create key directory on client
> mkdir /etc/bareos/keys
# copy "fd-hostname.pem" and "master.cert" from server to client "/etc/bareos/keys"
# maybe with scp or stuff like that
# after copying the files from server to client, remove the files no longer needed on the server
> rm fd-hostname-clear.key fd-hostname.pem
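# now set the right permissions (master.key can decrypt the backups of every client encrypted against master.cert: never copy it to a client, keep a copy offline, and note that mode 640 makes it readable by the whole bareos group)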
> chown root:bareos master.key master.cert fd-hostname.key fd-hostname.cert
> chmod 640 master.key master.cert fd-hostname.key fd-hostname.cert
# == as script:
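#!/bin/bash
# Generate the PKI keypair bundle for one Bareos file daemon.
#
# Prompts for the client's hostname on stdin, creates a passphrase-protected
# 4096-bit RSA key plus a self-signed certificate, then writes the key without
# passphrase together with the certificate to <hostname>/<hostname>-fd.pem.
# Only that .pem is kept; the intermediate key and certificate files are
# deleted. openssl asks for the key passphrase interactively.
set -euo pipefail

# Every file written below contains private key material, so create files
# without group/world access; the final mode is set explicitly further down.
umask 077

echo "type in hostname:"
# Lowercase name on purpose: HOSTNAME is a variable bash sets by itself.
read -r host

# The value becomes part of several file names, so accept only hostname
# characters: no "/", no whitespace, and no leading "-" that a tool could
# mistake for an option.
hostname_re='^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$'
if [[ ! "$host" =~ $hostname_re ]]; then
  printf 'invalid hostname: %s\n' "$host" >&2
  exit 1
fi

key="${host}-fd.key"
cert="${host}-fd.cert"
clear_key="${host}-fd-clear.key"
pem="${host}-fd.pem"

# Runs on every exit path: a failed run must not leave the passphrase-less
# key (or a half-written bundle) behind in the working directory. On success
# the bundle has already been moved, so removing "$pem" here is a no-op.
cleanup() { rm -f -- "$clear_key" "$cert" "$key" "$pem"; }
trap cleanup EXIT

openssl genrsa -aes256 -out "$key" 4096

# The certificate subject is site-specific; adjust it to your organisation.
openssl req -new -key "$key" \
  -x509 -out "$cert" \
  -subj "/C=DE/ST=Sachsen-Anhalt/L=Magdeburg/O=x33u.org/OU=IT/CN=x33u.org" \
  -days 3650

# Write a passphrase-less copy of the key and bundle it with the certificate.
openssl rsa -in "$key" -out "$clear_key"
cat -- "$clear_key" "$cert" > "$pem"

# -p: re-running for the same host must not abort before the bundle is moved.
mkdir -p -m 750 -- "$host"
chmod 640 -- "$pem"
mv -- "$pem" "${host}/"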
client setup
tls setup - client side
# setup right permissions on client side
> cd /etc/bareos/keys
> chown root:bareos master.cert fd-hostname.pem
> chmod 640 master.cert fd-hostname.pem
# edit /etc/bareos/bareos-fd.d/client/myself.conf
Client {
Name = debian-client-fd
Maximum Concurrent Jobs = 20
PKI Signatures = Yes # Enable Data Signing
PKI Encryption = Yes # Enable Data Encryption
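PKI Keypair = "/etc/bareos/keys/hostname-fd.pem" # Public and Private Keys (path must match the .pem file copied to the client)
PKI Master Key = "/etc/bareos/keys/master.pub.key" # ONLY the Public Key (path must match the master certificate copied to the client, "master.cert" in the steps above)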
PKI Cipher = aes256 # Specify desired PKI Cipher here
}
# restart service
> systemctl restart bareos-filedaemon
run
bareos-fd -f -d 100
if this causes trouble -
in the default Debian packages encryption is not compiled in