Warning: This document is for the development version of Bareos Documentation. The main version is bareos-23.

Console Configuration

The Console configuration file is the simplest of all the configuration files, and in general, you should not need to change it except for the password. It simply contains the information necessary to contact the Director or Directors.

For a general discussion of the syntax of configuration files and their resources including the data types recognized by Bareos, please see the Configuration chapter of this manual.

The following Console Resource definition must be defined:

Director Resource

The Director resource defines the attributes of the Director running on the network. You may have multiple Director resource specifications in a single Console configuration file. If you have more than one, you will be prompted to choose one when you start the Console program.

configuration directive name

type of data

default value

remark

Address (Console->Director)

= STRING

Description (Console->Director)

= STRING

Dir Port (Console->Director)

= PINT32

9101

Heartbeat Interval (Console->Director)

= TIME

0

Name (Console->Director)

= NAME

required

Password (Console->Director)

= MD5PASSWORD

required

TLS Allowed CN (Console->Director)

= STRING_LIST

TLS Authenticate (Console->Director)

= BOOLEAN

no

TLS CA Certificate Dir (Console->Director)

= DIRECTORY

TLS CA Certificate File (Console->Director)

= DIRECTORY

TLS Certificate (Console->Director)

= DIRECTORY

TLS Certificate Revocation List (Console->Director)

= DIRECTORY

TLS Cipher List (Console->Director)

= DIRECTORY

TLS DH File (Console->Director)

= DIRECTORY

TLS Enable (Console->Director)

= BOOLEAN

yes

TLS Key (Console->Director)

= DIRECTORY

TLS Require (Console->Director)

= BOOLEAN

no

TLS Verify Peer (Console->Director)

= BOOLEAN

no

Address
Type:

STRING

Where the address is a host name, a fully qualified domain name, or a network address used to connect to the Director. This record is required.

Description
Type:

STRING

Dir Port
Type:

PINT32

Default value:

9101

Specifies the port to use to connect to the Director. This port must be identical to the DIRport specified in the Director resource of the Director Configuration file.

Heartbeat Interval
Type:

TIME

Default value:

0

Name
Required:

True

Type:

NAME

The Director name used to identify the Director in the list of monitored daemons. It is not required to be the same as the one defined in the Director’s configuration file. This record is required.

Password
Required:

True

Type:

MD5PASSWORD

This password is used to authenticate when connecting to the Bareos Director as default console. It must correspond to Password (Dir->Director).

TLS Allowed CN
Type:

STRING_LIST

“Common Name”s (CNs) of the allowed peer certificates.

TLS Authenticate
Type:

BOOLEAN

Default value:

no

Use TLS only to authenticate, not for encryption.

TLS CA Certificate Dir
Type:

DIRECTORY

Path of a TLS CA certificate directory.

TLS CA Certificate File
Type:

DIRECTORY

Path of a PEM encoded TLS CA certificate(s) file.

TLS Certificate
Type:

DIRECTORY

Path of a PEM encoded TLS certificate.

TLS Certificate Revocation List
Type:

DIRECTORY

Path of a Certificate Revocation List file.

TLS Cipher List
Type:

DIRECTORY

List of valid TLS Ciphers.

TLS DH File
Type:

DIRECTORY

Path to PEM encoded Diffie-Hellman parameter file. If this directive is specified, DH key exchange will be used for the ephemeral keying, allowing for forward secrecy of communications.

TLS Enable
Type:

BOOLEAN

Default value:

yes

Enable TLS support.

Bareos can be configured to encrypt all its network traffic. See chapter TLS Configuration Directives to see how the Bareos Director (and the other components) have to be configured to use TLS.

TLS Key
Type:

DIRECTORY

Path of a PEM encoded private key. It must correspond to the specified “TLS Certificate”.

TLS Require
Type:

BOOLEAN

Default value:

no

Without setting this to yes, Bareos can fall back to use unencrypted connections. Enabling this implicitly sets “TLS Enable = yes”.

TLS Verify Peer
Type:

BOOLEAN

Default value:

no

If disabled, all certificates signed by a known CA will be accepted. If enabled, the CN of a certificate must the Address or in the “TLS Allowed CN” list.

An actual example might be:

Director {
  Name = HeadMan
  address = rufus.cats.com
  password = xyz1erploit
}

Console Resource

There are three different kinds of consoles, which the administrator or user can use to interact with the Director. These three kinds of consoles comprise three different security levels.

  • The first console type is an admin or anonymous or default console, which has full privileges. There is no console resource necessary for this type since the password is specified in the Director resource. Typically you would use this console only for administrators.

  • The second type of console is a “named” or “restricted” console defined within a Console resource in both the Director’s configuration file and in the Console’s configuration file. Both the names and the passwords in these two entries must match much as is the case for Client programs.

    This second type of console begins with absolutely no privileges except those explicitly specified in the Director’s Console resource. Note, the definition of what these restricted consoles can do is determined by the Director’s conf file.

    Thus you may define within the Director’s conf file multiple Consoles with different names and passwords, sort of like multiple users, each with different privileges. As a default, these consoles can do absolutely nothing – no commands what so ever. You give them privileges or rather access to commands and resources by specifying access control lists in the Director’s Console resource. This gives the administrator fine grained control over what particular consoles (or users) can do.

  • The third type of console is similar to the above mentioned restricted console in that it requires a Console resource definition in both the Director and the Console. In addition, if the console name, provided on the Name = directive, is the same as a Client name, the user of that console is permitted to use the SetIP command to change the Address directive in the Director’s client resource to the IP address of the Console. This permits portables or other machines using DHCP (non-fixed IP addresses) to “notify” the Director of their current IP address.

The Console resource is optional and need not be specified. However, if it is specified, you can use ACLs (Access Control Lists) in the Director’s configuration file to restrict the particular console (or user) to see only information pertaining to his jobs or client machine.

You may specify as many Console resources in the console’s conf file. If you do so, generally the first Console resource will be used. However, if you have multiple Director resources (i.e. you want to connect to different directors), you can bind one of your Console resources to a particular Director resource, and thus when you choose a particular Director, the appropriate Console configuration resource will be used. See the “Director” directive in the Console resource described below for more information.

Note, the Console resource is optional, but can be useful for restricted consoles as noted above.

configuration directive name

type of data

default value

remark

Description (Console->Console)

= STRING

Director (Console->Console)

= STRING

Heartbeat Interval (Console->Console)

= TIME

0

History File (Console->Console)

= DIRECTORY

History Length (Console->Console)

= PINT32

100

Name (Console->Console)

= NAME

required

Password (Console->Console)

= MD5PASSWORD

required

Rc File (Console->Console)

= DIRECTORY

TLS Allowed CN (Console->Console)

= STRING_LIST

TLS Authenticate (Console->Console)

= BOOLEAN

no

TLS CA Certificate Dir (Console->Console)

= DIRECTORY

TLS CA Certificate File (Console->Console)

= DIRECTORY

TLS Certificate (Console->Console)

= DIRECTORY

TLS Certificate Revocation List (Console->Console)

= DIRECTORY

TLS Cipher List (Console->Console)

= DIRECTORY

TLS DH File (Console->Console)

= DIRECTORY

TLS Enable (Console->Console)

= BOOLEAN

yes

TLS Key (Console->Console)

= DIRECTORY

TLS Require (Console->Console)

= BOOLEAN

no

TLS Verify Peer (Console->Console)

= BOOLEAN

no

Description
Type:

STRING

Director
Type:

STRING

If this directive is specified, this Console resource will be used by bconsole when that particular director is selected when first starting bconsole. I.e. it binds a particular console resource with its name and password to a particular director.

Heartbeat Interval
Type:

TIME

Default value:

0

This directive is optional and if specified will cause the Console to set a keepalive interval (heartbeat) in seconds on each of the sockets to communicate with the Director. It is implemented only on systems (Linux, …) that provide the setsockopt TCP_KEEPIDLE function. If the value is set to 0 (zero), no change is made to the socket.

History File
Type:

DIRECTORY

If this directive is specified and the console is compiled with readline support, it will use the given filename as history file. If not specified, the history file will be named ~/.bconsole_history

History Length
Type:

PINT32

Default value:

100

If this directive is specified the history file will be truncated after HistoryLength entries.

Name
Required:

True

Type:

NAME

The name of this resource.

The Console name used to allow a restricted console to change its IP address using the SetIP command. The SetIP command must also be defined in the Director’s conf CommandACL list.

Password
Required:

True

Type:

MD5PASSWORD

If this password is supplied, then the password specified in the Director resource of you Console conf will be ignored. See below for more details.

Rc File
Type:

DIRECTORY

TLS Allowed CN
Type:

STRING_LIST

“Common Name”s (CNs) of the allowed peer certificates.

TLS Authenticate
Type:

BOOLEAN

Default value:

no

Use TLS only to authenticate, not for encryption.

TLS CA Certificate Dir
Type:

DIRECTORY

Path of a TLS CA certificate directory.

TLS CA Certificate File
Type:

DIRECTORY

Path of a PEM encoded TLS CA certificate(s) file.

TLS Certificate
Type:

DIRECTORY

Path of a PEM encoded TLS certificate.

TLS Certificate Revocation List
Type:

DIRECTORY

Path of a Certificate Revocation List file.

TLS Cipher List
Type:

DIRECTORY

List of valid TLS Ciphers.

TLS DH File
Type:

DIRECTORY

Path to PEM encoded Diffie-Hellman parameter file. If this directive is specified, DH key exchange will be used for the ephemeral keying, allowing for forward secrecy of communications.

TLS Enable
Type:

BOOLEAN

Default value:

yes

Enable TLS support.

Bareos can be configured to encrypt all its network traffic. See chapter TLS Configuration Directives to see how the Bareos Director (and the other components) have to be configured to use TLS.

TLS Key
Type:

DIRECTORY

Path of a PEM encoded private key. It must correspond to the specified “TLS Certificate”.

TLS Require
Type:

BOOLEAN

Default value:

no

Without setting this to yes, Bareos can fall back to use unencrypted connections. Enabling this implicitly sets “TLS Enable = yes”.

TLS Verify Peer
Type:

BOOLEAN

Default value:

no

If disabled, all certificates signed by a known CA will be accepted. If enabled, the CN of a certificate must the Address or in the “TLS Allowed CN” list.

Example Console Configuration File

A Console configuration file might look like this:

bconsole configuration
Director {
  Name = "bareos.example.com-dir"
  address = "bareos.example.com"
  Password = "PASSWORD"
}

With this configuration, the console program (e.g. bconsole) will try to connect to a Bareos Director named bareos.example.com-dir at the network address bareos.example.com and authenticate to the admin console using the password PASSWORD.

Using Named Consoles

The following configuration files were supplied by Phil Stracchino.

To use named consoles from bconsole, use a bconsole.conf configuration file like this:

bconsole: restricted-user
Director {
   Name = bareos-dir
   Address = myserver
   Password = "XXXXXXXXXXX"
}

Console {
   Name = restricted-user
   Password = "RUPASSWORD"
}

Where the Password in the Director section is deliberately incorrect and the Console resource is given a name, in this case restricted-user. Then in the Director configuration (not directly accessible by the user), we define:

bareos-dir.d/console/restricted-user.conf
Console {
  Name = restricted-user
  Password = "RUPASSWORD"
  JobACL = "Restricted Client Save"
  ClientACL = restricted-client
  StorageACL = main-storage
  ScheduleACL = *all*
  PoolACL = *all*
  FileSetACL = "Restricted Client's FileSet"
  CatalogACL = MyCatalog
  CommandACL = run
}

The user login into the Director from his Console will get logged in as restricted-user (Dir->Console) and he will only be able to see or access a Job with the name Restricted Client Save (Dir->Job), a Client with the name restricted-client (Dir->Client), a storage device main-storage (Dir->Storage), any Schedule or Pool, a FileSet named Restricted Client's FileSet (Dir->Fileset), a Catalog named MyCatalog (Dir->Catalog) and the only command he can use in the Console is the run command. In other words, this user is rather limited in what he can see and do with Bareos. For details how to configure ACLs, see the Acl data type description.

The following is an example of a bconsole.conf file that can access several Directors and has different Consoles depending on the Director:

bconsole: multiple consoles
Director {
   Name = bareos-dir
   Address = myserver
   Password = "XXXXXXXXXXX"    # no, really.  this is not obfuscation.
}

Director {
   Name = SecondDirector
   Address = secondserver
   Password = "XXXXXXXXXXX"    # no, really.  this is not obfuscation.
}

Console {
   Name = restricted-user
   Password = "RUPASSWORD"
   Director = bareos-dir
}

Console {
   Name = restricted-user2
   Password = "OTHERPASSWORD"
   Director = SecondDirector
}

The second Director referenced at secondserver (Dir->Director) might look like the following:

bareos-dir.d/console/restricted-user2.conf
Console {
  Name = restricted-user2
  Password = "OTHERPASSWORD"
  JobACL = "Restricted Client Save"
  ClientACL = restricted-client
  StorageACL = second-storage
  ScheduleACL = *all*
  PoolACL = *all*
  FileSetACL = "Restricted Client's FileSet"
  CatalogACL = RestrictedCatalog
  CommandACL = run, restore
  WhereACL = "/"
}