Network setup

Client Initiated Connection

The Bareos Director knows when it needs to talk to a client (Bareos File Daemon). Therefore, by default, the Bareos Director connects to the clients.

However, there are setups where this can cause problems, as this means that:

  • The client must be reachable by its configured Address (Dir->Client). Address can be the DNS name or the IP address. (For completeness: there are potential workarounds by using the setip command.)
  • The Bareos Director must be able to connect to the Bareos File Daemon over the network.

To circumvent these problems, since Bareos Version >= 16.2.2 it is possible to let the Bareos File Daemon initiate the network connection to the Bareos Director.

The address the client uses to reach the Bareos Director is configured in the Address (Fd->Director) directive.

To additionally allow this connection direction, use:

To only allow Connection From the Client to the Director use:

Using Client Initiated Connections has disadvantages. Without Client Initiated Connections the Bareos Director only establishes a network connection when this is required. With Client Initiated Connections, the Bareos File Daemon connects to the Bareos Director and the Bareos Director keeps these connections open. The command status dir will show all waiting connections:

show waiting client connections
*status dir
...
Client Initiated Connections (waiting for jobs):
Connect time        Protocol            Authenticated       Name
====================================================================================================
19-Apr-16 21:50     54                  1                   client1.example.com
...
====
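
One way to audit these long-lived connections, as an added example that is not part of the Bareos documentation or code base: parse the table printed by status dir and report clients that are not on an expected list. The second sample row, the allow-list and the reading of Authenticated = 1 as "passed authentication" are assumptions.

```python
import re

# Constructed sample: the first data row is from the output above,
# the second row is invented for the example.
SAMPLE = """\
*status dir
...
Client Initiated Connections (waiting for jobs):
Connect time        Protocol            Authenticated       Name
====================================================================================================
19-Apr-16 21:50     54                  1                   client1.example.com
19-Apr-16 21:52     54                  0                   laptop7.example.com
====
"""

def waiting_connections(status_text):
    """Parse the 'Client Initiated Connections' table into dicts."""
    rows, in_table = [], False
    for line in status_text.splitlines():
        text = line.strip()
        if text.startswith("Client Initiated Connections"):
            in_table = True
        elif in_table and text == "====":       # end of the section
            break
        elif in_table and text and not text.startswith(("Connect time", "=")):
            fields = re.split(r"\s{2,}", text)  # columns are padded with spaces
            if len(fields) == 4:
                when, proto, auth, name = fields
                rows.append({"connect_time": when, "protocol": int(proto),
                             # assumption: "1" means authentication succeeded
                             "authenticated": auth == "1", "name": name})
    return rows

def unexpected(rows, allowed_names):
    """Names holding a connection that are unlisted or not authenticated."""
    return [r["name"] for r in rows
            if r["name"] not in allowed_names or not r["authenticated"]]

if __name__ == "__main__":
    rows = waiting_connections(SAMPLE)
    print(unexpected(rows, {"client1.example.com"}))
```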

When both connection directions are allowed, the Bareos Director

  1. checks whether there is a waiting connection from this client.
  2. tries to connect to the client (using the usual timeouts).
  3. waits for a client connection to appear (using the same timeout as when trying to connect to a client).

If none of these steps succeeds, the job fails.

When a waiting connection is used for a job, the Bareos File Daemon detects this and creates an additional connection. This is required to keep the client responsive to additional commands, such as cancel.

To get feedback in case the Bareos File Daemon fails to connect to the Bareos Director, consider configuring the Bareos File Daemon to log to a local file. This can be achieved by adding the line

Append = "/var/log/bareos/bareos-fd.log" = all, !skipped, !restored

to the default message resource Standard (Fd->Messages):

bareos-fd.d/messages/Standard.conf
Messages {
  Name = Standard
  Director = bareos-dir = all, !skipped, !restored
  Append = "/var/log/bareos/bareos-fd.log" = all, !skipped, !restored
}

Passive Clients

Normally, the data channel (the channel over which the backup data itself is transported) is initialized by the Bareos File Daemon (client), which connects to the Bareos Storage Daemon.

In many setups, this can cause problems, as this means that:

  • The client must be able to resolve the name of the Bareos Storage Daemon (often not the case, so you have to resort to tricks with the hosts file).
  • The client must be allowed to create a new connection.
  • The client must be able to connect to the Bareos Storage Daemon over the network (often difficult across NAT or a firewall).

By using Passive Client, the initialization of the data channel is reversed, so that the Bareos Storage Daemon connects to the Bareos File Daemon. This solves almost every problem created by firewalls, NAT gateways and name resolution issues, as

  • The Bareos Storage Daemon initiates the connection, and thus can pass through the same or similar firewall rules that the director already has to access the Bareos File Daemon.
  • The client never initiates any connection, thus can be completely firewalled.
  • The client never needs any name resolution and is totally independent from any resolving issues.

Usage

To use this new feature, just configure Passive (Dir->Client)=yes in the client definition of the Bareos Director:

Enable passive mode in bareos-dir.conf
Client {
   Name = client1-fd
   Password = "secretpassword"
   Passive = yes
   [...]
}

Also, prior to Bareos Version 15, you need to set Compatible (Fd->Client)=no in the bareos-fd.conf configuration file. Since Bareos Version 15, the compatible option is set to no by default and does not need to be specified anymore.

Disable compatible mode for the Bareos File Daemon in bareos-fd.conf
Director {
  Name = bareos-dir
  Password = "secretpassword"
}

Client {
   Name = client1-fd
   [...]
   Compatible = no
}

Using different IP Addresses for SD – FD Communication

Bareos supports network topologies where the Bareos File Daemon and Bareos Storage Daemon are located inside a LAN, but the Bareos Director is outside of that LAN on the Internet and accesses the Bareos File Daemon and Bareos Storage Daemon via SNAT / port forwarding.

Consider the following scheme:

/-------------------\
|                   |    LAN 10.0.0.1/24
|                   |
|  FD_LAN   SD_LAN  |
|  .10         .20  |
|                   |
\___________________/
          |
      NAT Firewall
      FD: 8.8.8.10 -> 10.0.0.10
      SD: 8.8.8.20 -> 10.0.0.20
          |
/-------------------\
|                   |
|                   |     WAN / Internet
|        DIR        |
|     8.8.8.100     |
|                   |
| FD_WAN   SD_WAN   |
| .30         .40   |
\___________________/

The Bareos Director can access the FD_LAN via the IP 8.8.8.10, which is forwarded to the IP 10.0.0.10 inside of the LAN.

The Bareos Director can access the SD_LAN via the IP 8.8.8.20 which is forwarded to the IP 10.0.0.20 inside of the LAN.

There is also a Bareos File Daemon and a Bareos Storage Daemon outside of the LAN, which have the IPs 8.8.8.30 and 8.8.8.40.

All resources are configured so that the Address directive gets the address where the Bareos Director can reach the daemons.

Additionally, daemons located in the LAN get their LAN address configured in the Lan Address directive. The configuration looks as follows:

bareos-dir.d/client/FD_LAN.conf
Client {
   Name = FD_LAN
   Address = 8.8.8.10
   LanAddress = 10.0.0.10
   ...
}
bareos-dir.d/client/SD_LAN.conf
Storage {
   Name = SD_LAN
   Address = 8.8.8.20
   LanAddress = 10.0.0.20
   ...
}
bareos-dir.d/client/FD_WAN.conf
Client {
   Name = FD_WAN
   Address = 8.8.8.30
   ...
}
bareos-dir.d/client/SD_WAN.conf
Storage {
   Name = SD_WAN
   Address = 8.8.8.40
   ...
}

This way, backups and restores from each Bareos File Daemon using each Bareos Storage Daemon are possible as long as the firewall allows the needed network connections.

The Bareos Director simply checks whether the involved Bareos File Daemon and Bareos Storage Daemon both have a Lan Address (Lan Address (Dir->Client) and Lan Address (Dir->Storage)) configured.

In that case, the initiating daemon is ordered to connect to the Lan Address instead of the Address. In active client mode, the Bareos File Daemon connects to the Bareos Storage Daemon, in passive client mode (see Passive Clients) the Bareos Storage Daemon connects to the Bareos File Daemon.

If only one or none of the involved Bareos File Daemon and Bareos Storage Daemon have a Lan Address configured, the Address is used as connection target for the initiating daemon.
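
The selection rule above, combined with passive mode, determines which data-channel flows the firewall has to permit. The following model is an added example, not Bareos code; the class and function names are hypothetical, the passive variant of FD_LAN is constructed, and the ports are the Bareos defaults (9102 for the File Daemon, 9103 for the Storage Daemon), assumed not to be overridden.

```python
from dataclasses import dataclass
from itertools import product
from typing import Optional

FD_PORT, SD_PORT = 9102, 9103  # Bareos default ports (assumed not overridden)

@dataclass
class Daemon:
    name: str
    address: str                       # Address: where the Director reaches it
    lan_address: Optional[str] = None  # LanAddress, if configured
    passive: bool = False              # Passive = yes (clients only)

def data_channel(fd: Daemon, sd: Daemon) -> tuple:
    """Return (initiator, target, dst_ip, dst_port) for one FD/SD pair."""
    # The Lan Address is used only if BOTH daemons have one configured.
    use_lan = bool(fd.lan_address and sd.lan_address)
    # Passive client: the SD dials the FD. Active client: the FD dials the SD.
    src, dst, port = (sd, fd, FD_PORT) if fd.passive else (fd, sd, SD_PORT)
    return (src.name, dst.name, dst.lan_address if use_lan else dst.address, port)

def required_flows(clients, storages):
    """Data-channel flows the firewall must permit for every FD/SD pairing."""
    return [data_channel(fd, sd) for fd, sd in product(clients, storages)]

# Resources from the scheme above; the passive variant is constructed.
FD_LAN = Daemon("FD_LAN", "8.8.8.10", "10.0.0.10")
FD_WAN = Daemon("FD_WAN", "8.8.8.30")
SD_LAN = Daemon("SD_LAN", "8.8.8.20", "10.0.0.20")
SD_WAN = Daemon("SD_WAN", "8.8.8.40")
FD_LAN_PASSIVE = Daemon("FD_LAN", "8.8.8.10", "10.0.0.10", passive=True)

if __name__ == "__main__":
    for src, dst, ip, port in required_flows([FD_LAN, FD_WAN, FD_LAN_PASSIVE],
                                             [SD_LAN, SD_WAN]):
        print(f"{src:7} -> {dst:7} {ip}:{port}")
```

Each returned tuple reads as "initiator opens a TCP connection to dst_ip:dst_port", which maps directly onto the allow rules the NAT firewall needs for that pairing.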