I set up a bacula client through an SSH tunnel, and have a few
improvements over the documented method. So I wrote a new one - if there
is interest, feel free to snag it for your documentation!
--------------------------
Using an SSH tunnel with Bacula
Credit goes to Stephan Holl and Joshua Eugler, who wrote earlier
documents and scripts that document the basic idea of an SSH tunnel.
This is a similar approach, but different in some subtle but important
details. Most importantly, this approach allows you to use the same
Storage daemon for both local clients and clients through an SSH tunnel.
This is important because you can use the same pool and schedule for both.
I also changed the way SSH is invoked to make it self-closing. The
tunnel will simply disappear as soon as the backup is completed.
1. What you need
On the bacula-director side:
- bacula director running as user "bacula", and fully configured and
working using the standard ports 9101-9103. You can only have one
Storage Daemon in your configuration. Make sure the Storage resource
uses an FQDN; do not use IP addresses.
- openssh
- an available port to listen on, in addition to bacula's standard
9101-9103. I chose 9112.
- the firewall must be open on localhost, ports 9101 and 9103.
On the bacula client side:
- bacula-fd installed.
- a user account with minimal permissions. Let's call it "tunneluser".
This account will only serve as end point for the SSH tunnel. For
security reasons, DO NOT use the root account.
- The firewall must be open on localhost, port 9101, 9102 and 9103. It
is not necessary to open these ports on the network.
2. Setting up OpenSSH on the server side
First, we need to set up ssh for the bacula user, since this is the user
name the director uses:
Log on as user "bacula" (you may have to log on as root, and then use
the "su - bacula" command to actually become user bacula). You should be
in bacula's home directory - probably /var/lib/bacula.
mkdir -p ~/.ssh
chmod 700 ~/.ssh
Also verify that .ssh is owned by user bacula, group bacula.
Now we need to create an SSH key pair into this new directory. Make sure
that you do not use a pass phrase. We use the file names bacula_tunnel
and bacula_tunnel.pub for the private and public keys, respectively.
cd ~/.ssh
ssh-keygen -b 2048 -C "SSH Tunnel for bacula" -t rsa -f bacula_tunnel -N ""
Create a file "config" in the ~/.ssh directory with the following
content (yourclientFQDN is the actual FQDN that SSH will use to connect
to the client. yourclientname should simply be the same as
yourclientFQDN, although in some cases you could choose a different
value for it).
Host <yourclientFQDN>
AddressFamily inet
ConnectionAttempts 10
ForwardAgent no
ForwardX11 no
ForwardX11Trusted no
GatewayPorts yes
HostBasedAuthentication no
HostKeyAlias <yourclientname>
HostName <yourclientFQDN>
IdentityFile ~/.ssh/bacula_tunnel.pub
PasswordAuthentication no
Protocol 2
ServerAliveCountMax 3
ServerAliveInterval 15
TCPKeepAlive no
User tunneluser
Just in case permissions got messed up on the way, fix them in the .ssh
directory
chmod 400 ~/.ssh/*
Transfer the public key (the file bacula_tunnel.pub) to your client
machine, using whatever method you like (USB, FTP, scp, file shares,
...). IMPORTANT: DO NOT TRANSFER THE PRIVATE KEY!
3. Setting up OpenSSH on the client side.
install the SSH public key into the tunneluser account on the client
machine:
cd /home/tunneluser
mkdir -p /home/tunneluser/.ssh
touch /home/tunneluser/.ssh/authorized_keys
# Make sure you use the double >> redirection, or you will destroy any
# previous authorized keys if they existed.
cat <wherever>/bacula_tunnel.pub >>/home/tunneluser/.ssh/authorized_keys
chmod 700 /home/tunneluser/.ssh
chmod f00 /home/tunneluser/.ssh/*
chown -R tunneluser:tunneluser /home/tunneluser/.ssh
4. Complete OpenSSH setup
Before you can use OpenSSH, you need to complete one more step: store
the host's fingerprint. On the server side, log on as user "bacula" (or
use "su - bacula").
Then use ssh to connect to your client. Note that you MUST use the same
FQDN you used in the "config" file earlier.
ssh <yourclientFQDN>
ssh will now prompt you to accept the fingerprint. Once you are at the
command prompt, you can type "exit" to leave ssh.
5. Bacula setup, client side.
On the server, find the Address= lines for the Storage resource. Make
sure the address is a FQDN on the private network, and do not resolve
from the client.
On the client, edit your /etc/hosts file by adding the following line:
127.0.0.1 <storageFQDN>
Note: what this does is allow the file daemon (FD) to find the storage
daemon (SD). Normally, the SD is of course hidden behind a firewall and
inaccessible - that is why you are setting up an SSH tunnel, after all.
This entry tricks your client system into believing that the SD is
located at 127.0.0.1 - which actually will be the end of the tunnel that
we are going to establish soon.
The file daemon should listen only on port 127.0.0.1
FileDaemon { # this is me
Name = <yourclientFQDN>-fd
FDAddress = 127.0.0.1
FDport = 9102 # where we listen for the director
WorkingDirectory = (use the standard values)
Pid Directory = (use the standard values)
Maximum Concurrent Jobs = (use the standard values)
}
6. Bacula setup, server side
Simply set up a client and job resource for the new client as usual,
using the standard schedule and pool settings. Use <yourclientFQDN-fd>
as the client name.
Now change the client resource as follows:
Name=<yourclientFQDN-fd
Address=localhost
FDPort=9112
In the job resource, add a Run Before Job script:
Run Before Job = "/usr/local/sbin/sshbacula <yourclientFQDN>"
7. The SSH tunnel script
Use the following script and save it as /usr/local/sbin/sshbacula.
Remember to change the permission as needed:
chmod +x /usr/local/sbin/sshbacula
Hint: you may want to change the line
CLIENT=$1
to
CLIENT=${1:-<yourclientFQDN>}
This will provide a default value to connect to if you don't specify it
on the command line
Please be aware that some lines in the script may have wrapped due to
emailing
---- Start script below. #!/bin/bash must be the first line!
#!/bin/bash
# Establishes a self-killing SSH tunnel to the
# given SSH server, and forwards the correct
# ports for bacula usage.
# Bacula-dir runs as user bacula, but with root's
# environment. We need to trick it into running
# actually looking for the .ssh directory in
# the right place.
USER=bacula
HOME=$(grep "^$USER:" /etc/passwd | cut -d : -f 6)
CLIENT=$1
LOCAL=$(hostname -f)
SSH=/usr/bin/ssh
echo "Starting SSH-tunnel to $CLIENT..."
# -f means: go into background
# -C means: use compression
# -2 means: only use SSH2
# -R 9101:$LOCAL:9101 means: when client connects to remote port 9101
(bacula-dir), it will be
# forwarded to this machine.
# -R 9103:$LOCAL:9103 means: when client connects to remote port 9101
(bacula-sd), it will be
# forwarded to this machine.
# -L 9112:localhost:9102 means: when bacula-dir connects to port 9112
(instead of the normal 9102),
# it will be forwarded to the client's FD. The client will think the
connection was to port
# 9102 as usual
# sleep 60 is a simple command that will execute on the server and does
nothing for 60 seconds,
# then it exits. This keeps ssh running for 60 seconds. Once we connect
to the FD, that
# connection will keep ssh running even beyond the 60 seconds.
# Using this approach, we do not need to tear down the tunnel later, it
disconnects itself
# automagically.
# It is important to redirect stdout and stderr, or else bacula will not
realize that the
# script has terminated.
$SSH -fC2 -R 9101:$LOCAL:9101 -R 9103:$LOCAL:9103 -L 9112:localhost:9102
$CLIENT sleep 60 > /dev/null 2>/dev/null
# give ssh a little time to establish the connection.
sleep 10
--
Kevin Keane
Owner
The NetTech
Find the Uncommon: Expert Solutions for a Network You Never Have to Think About
Office: 866-642-7116
http://www.4nettech.com
This e-mail and attachments, if any, may contain confidential and/or
proprietary information. Please be advised that the unauthorized use or
disclosure of the information is strictly prohibited. The information herein is
intended only for use by the intended recipient(s) named above. If you have
received this transmission in error, please notify the sender immediately and
permanently delete the e-mail and any copies, printouts or attachments thereof.
------------------------------------------------------------------------------
Create and Deploy Rich Internet Apps outside the browser with Adobe(R)AIR(TM)
software. With Adobe AIR, Ajax developers can use existing skills and code to
build responsive, highly engaging applications that combine the power of local
resources and data with the reach of the web. Download the Adobe AIR SDK and
Ajax docs to start building applications today-http://p.sf.net/sfu/adobe-com
_______________________________________________
Bacula-users mailing list
Bacula-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bacula-users
