Bacula Firewall/NAT Transversing (Client Initiated Backups)

Traditional backup software connection vector is initiated by the backup server. However, firewalls and NATs are the most frequent intermediary devices that can impact traffic on the Internet [1], blocking this type of communication.  Also, it is very hard and laborious to open local premises network ports to every machine that needs remote backup.

Backup clients behind firewalls or with NAT addresses shall be able to transverse these devices, starting the connection and backup jobs to the remote backup service themselves over the Internet. This is one of the Community & Enterprise Bacula Tray Monitor service features, as shown in Figure 1.

Bacula Firewall/NAT Transversing (Client Initiated Backups) 1

Figure 1: Client Initiated Backup flow[2]

Enterprise Bacula Tray Monitor Install

On Linux, Bacula Tray Monitor is provided by the same BAT installation package (e.g. bacula-enterprise-bat-8.8.6-1.el7.x86_64.rpm).

On Windows, the all-in-one installation package allows the selection of Tray Monitor component.

Community Bacula Tray Monitor Install

Community Bacula Tray Monitor might be also be installed with Windows executable installation package and with Linux standalone or bat package (e.g. rpm, deb), depending on how it was packed.

Nevertheless, it is also possible to compile and install the Tray Monitor from Bacula source code toguether with the Bacula Client, as follows:

wget -qO- http://www.bacula.com.br/atual | tar -xzvf - -C /usr/src
cd /usr/src/bacula-*/
./configure --enable-client-only --enable-build-dird=no --enable-build-stored=no --enable-smartalloc --enable-bat
yum install -y qt-devel qt
ln /usr/bin/qmake-qt4 /usr/bin/qmake
cd src/bacula-*/src/qt-console/tray-monitor/
qmake
make
make install
cd ../../../
make && make install && make install-autostart-fd
service bacula-fd restart

Tray Monitor Configuration

Director Side

Add the following resource to the /opt/bacula/etc/bacula-dir.conf Director configuration file. It can suit the connection of multiple remote clients.

Console {
  Name = fd-cons
  Password = yyy
  # These commands are used by the tray-monitor, it is possible to restrict
  CommandACL = run, restore, wait, .status, .jobs, .clients
  CommandACL = .storages, .pools, .filesets, .defaults, .estimate
  # Adapt for your needs
  jobacl = *all*
  poolacl = *all*
  clientacl = *all*
  storageacl = *all*
  catalogacl = *all*
  filesetacl = *all*
}

Remote Clients Side

Add the following resources to the /opt/bacula/etc/bacula-fd.conf Client configuration file (on Windows: Start Menu, Bacula, Configuration, Edit Client Configuration):

Console { # Console to connect the Director
  Name = fd-cons
  DIRPort = 9101
  address = localhost # Director Internet/Public Address
  Password = "yyy"
}

Director {
  Name = remote-cons
  Password = "xxx"
  Remote = yes
}

Restart the client to apply changes.

Add the following to the /opt/bacula/etc/bconsole.conf Console Configuration File (on Windows: Start Menu, Bacula, Configuration, Edit Console Configuration):

Director {
  Name = localhost-fd
  address = localhost # Specify the FD address
  DIRport = 9102 # Specify the FD Port
  Password = "notused"
}

Console {
  Name = remote-cons
  Password = "xxx"
}

Finally, replace or create a Bacula Tray Monitor user configuration file, for exemple: ~/.bacula-tray-monitor.conf (on windows, C:Users<user>AppDataRoamingbacula-tray-monitor.conf).

Remark: it is possible to make this configuration graphically using the Tray Monitor interface.

 

Monitor {
  Name = remote-cons
  Command Directory = /tmp # Directory to create "*.bcmd" files that runs backups automatically
}

Client {
  Name = localhost-fd
  address = localhost # Specify the FD address
  Port = 9102 # Specify the FD Port
  Password = "xxx"
  Remote = yes
  Monitor = yes
}

Running Backup Jobs

It is possible to use Tray Monitor GUI to start new backup jobs. Also, the Tray Monitor service will scan the “Command Directory” periodically and process user created “*.bcmd” files to find jobs to run.

The format of the “file.bcmd” command file is the following [2]:

<component name>:<run command>
<component name>:<run command>
...
<component name> = string
<run command> = string (bconsole command line)

For example:

localhost-fd: run job=backup-localhost-fd level=full
localhost-dir: run job=BackupCatalog

The command file should contain at least one command. The component specified in the first part of the command line should be defined in the tray monitor. Once the command file is detected by the tray monitor, a popup is displayed to the user and it is possible for the user to cancel the job directly.

The file can be created with tools such as “cron” or the “task scheduler” on Windows.

Screenshots

Bacula Firewall/NAT Transversing (Client Initiated Backups) 2 Bacula Firewall/NAT Transversing (Client Initiated Backups) 3 Bacula Firewall/NAT Transversing (Client Initiated Backups) 4

References

[1] Stiemerling, Martin. “NAT and Firewall Traversal Issues of Host Identity Protocol (HIP) Communication,” 2008. https://tools.ietf.org/html/rfc5207.txt.

[2] Bacula. “Release 9.0.0 | Bacula,” 2017. http://blog.bacula.org/release-9-0-0/.

Disponível em: pt-brPortuguês (Portuguese (Brazil))enEnglish

Leave a Reply