Bareos Webui
Since Version >= 15.2.0 Bareos WebUI is part of the Bareos project and available for a number of platforms.
Features
Intuitive web interface
Multilingual
Can access multiple directors and catalogs
Individual accounts and ACL support via Bareos restricted named consoles
Tape Autochanger management with the possibility to label, import/export media and update your autochanger slot status
Temporarly enable or disable jobs, clients and schedules and also see their current state
Show
Detailed information about Jobs, Clients, Filesets, Pools, Volumes, Storages, Schedules, Logs and Director messages
Filedaemon, Storage- and Director updates
Client, Director, Storage and Scheduler status
Backup Jobs
Start, cancel, rerun and restore from
Show the file list of backup jobs
Restore files by browsing through a filetree of your backup jobs
Merge your backup jobs history and filesets of a client or use a single backup job for restore
Restore files to a different client instead of the origin
bconsole interface (limited to non-interactive commands)
System Requirements
A platform for which the bareos-webui package is available, see Bareos Packages
A working Bareos environment
Bareos Director version and Bareos WebUI version must match (major need to be identical)
The Bareos WebUI can be installed on any host. It does not have to be installed on the same as the Bareos Director.
The default installation uses PHP-FPM with Apache HTTP webserver having mod-rewrite and mod-fcgid enabled.
PHP 7 or newer is recommended.
On SUSE Linux Enterprise 12 you need the additional SUSE Linux Enterprise Module for Web Scripting 12 and additional repository Package Hub to satisfy apache2-mod-fcgid requirement.
Installation
Adding the Bareos Repository
If not already done, add the Bareos repository that is matching your Linux distribution. Please have a look at the chapter Install the Bareos Software Packages for more information on how to achieve this.
Install the bareos-webui package
After adding the repository simply install the bareos-webui package via your package manager.
RHEL, CentOS and Fedora
yum install bareos-webuior
dnf install bareos-webuiSUSE Linux Enterprise Server (SLES), openSUSE
zypper install bareos-webuiDebian, Ubuntu
apt-get install bareos-webui
Because php-fpm support is not automatically added to Apache2 on Debian like platforms, you have to issue those commands to enable it. Replace php8.1-fpm by the version you have installed.
a2enmod proxy_fcgi setenvif
a2enconf php8.1-fpm
systemctl reload apache2
Minimal Configuration
This assumes, Bareos Director and Bareos WebUI are installed on the same host.
If you are using SELinux, see SELinux.
If you are using AppArmor, see AppArmor.
Restart Apache, see Configure your Apache Webserver.
Use bconsole to create a user with name admin and password secret and permissions defined in
webui-admin (Dir->Profile):*reload reloaded *configure add console name=admin password=secret profile=webui-admin tlsenable=false
Of course, you can choose other names and passwords. For details, see Create a restricted consoles.
Or rename
/etc/bareos/bareos-dir.d/console/admin.conf.exampleto .conf and reload Bareos Director configuration.Login to http://HOSTNAME/bareos-webui with username and password as created.
Upgrading Bareos WebUI
Upgrade from Bareos 21 or lower to Bareos 22
Bareos WebUI now requires php-fpm instead of Apache mod-php.
Usually this should be automatically handled by the packagemanager while updating.
Please consider the following remarks below according to your operating system of choice if auto upgrading does not work for you.
If the Bareos WebUI is not reachable after upgrading, make sure that:
Apache mod-php is disabled or has been removed
php-fpm* usage is configured properly in Apache
php-fpm service is enabled and has been restarted
Apache service has been restarted
SELinux or AppArmor configuration are done
Debian, Ubuntu, Univention
Please use apt instead of apt-get to upgrade automatically.
SUSE Linux Enterprise Server (SLES), openSUSE
Before upgrading
Disable or remove any PHP module in Apache2
After upgrading
Ensure a php.ini file is in place (e.g. /etc/php7/fpm/php.ini or /etc/php8/fpm/php.ini)
Configure PHP-FPM to your needs (e.g. /etc/php7/fpm/php-fpm.conf and /etc/php7/fpm/php-fpm.d/www.conf)
Configure mod_fcgid to your needs /etc/apache2/conf.d/mod_fcgid.conf
A minimal example may look like following.
Restart Apache2 and PHP-FPM
systemctl restart apache2 php-fpm
Console/Profile changes
The Bareos WebUI restore form now accepts a plugin options string in the restore form for plugin restores.
Therefore, the Bareos WebUI Director profile webui-admin (Dir->Profile) has been extended by the directive Plugin Options ACL (Dir->Profile) = *all* in Bareos Version >= 22.0.0.
To make use of that feature in Bareos WebUI, a proper configured Plugin Options ACL (Dir->Profile) is required.
Additional detailed information
Create a restricted consoles
There is no need, that Bareos WebUI itself provide a user management. Instead it uses so named Console (Dir) defined in the Bareos Director. You can have multiple consoles with different names and passwords, sort of like multiple users, each with different privileges.
At least one Console (Dir) is required to use the Bareos WebUI.
To allow a user with name admin and password secret to access the Bareos Director with permissions defined in the webui-admin (Dir->Profile) (see Configuration of profile resources), either
create a file
/etc/bareos/bareos-dir.d/console/admin.confwith following content:bareos-dir.d/console/admin.confTo enable this, reload or restart your Bareos Director.
or use the bconsole:
*configure add console name=admin password=secret profile=webui-admin tlsenable=falseIf the profile could not be found, reload or restart your Bareos Director.
TLS-PSK is not available between the Bareos WebUI and the Bareos Director. To enable TLS with certificates, see Bareos Webui.
For details, please read Console Resource.
Configuration of profile resources
The package bareos-webui comes with a predefined profile for Bareos WebUI: webui-admin (Dir->Profile).
If your Bareos WebUI is installed on another system than the Bareos Director, you have to copy the profile to the Bareos Director.
This is the default profile, giving access to all Bareos resources and allowing all commands used by the Bareos WebUI:
The Profile (Dir) itself does not give any access to the Bareos Director, but can be used by Console (Dir), which do give access to the Bareos Director, see Create a restricted consoles.
For details, please read Access Control Configuration and Profile Resource.
SELinux
To use the Bareos WebUI on a system with SELinux enabled, permission must be given to HTTPD to make network connections:
setsebool -P httpd_can_network_connect on
AppArmor
To use the Bareos WebUI on a system with AppArmor enabled, some permissions must be given to php-fpm.
The following example can be saved to /etc/apparmor.d/local/php-fpm.
You have to adapt the path of your php-fpm configured session.save_path.
cat > /etc/apparmor.d/local/php-fpm <<<"# Site-specific additions and overrides for 'php-fpm'
# bareos-webui
/usr/share/bareos-webui/** r,
/etc/bareos-webui/directors.ini r,
/etc/bareos-webui/configuration.ini r,
/var/lib/php8/sessions/** w,
"
systemctl reload apparmor.service
You can use tools like aa-logprof to check if any other AppArmor restriction are raised during webui usage. You can then add the needed resource to the profile.
TransportEncryption
See the dedicated chapter and section Bareos Webui.
Configure your Apache Webserver
The package bareos-webui provides a default configuration for Apache. Depending on your distribution, it is installed at /etc/apache2/conf.d/bareos-webui.conf, /etc/httpd/conf.d/bareos-webui.conf, /etc/apache2/available-conf/bareos-webui.conf or similar.
The required Apache modules, fcgid and rewrite are enabled via package postinstall script. However, after installing the bareos-webui package, you need to restart your Apache webserver manually.
Configure your /etc/bareos-webui/directors.ini
Configure your directors in /etc/bareos-webui/directors.ini to match your settings.
The configuration file /etc/bareos-webui/directors.ini should look similar to this:
You can add as many directors as you want, also the same host with a different name and different catalog, if you have multiple catalogs.
Configure your /etc/bareos-webui/configuration.ini
Some parameters of the Bareos WebUI can be configured in /etc/bareos-webui/configuration.ini:
Configure updating the Bvfs cache frequently
The restore module in the Bareos WebUI makes use of the Bvfs API and for example the .bvfs_update command to generate or update the Bvfs cache for jobs that are not already in the cache.
In case of larger backup jobs with lots of files that are not already in the cache, this could lead to timeouts while trying to load the filetree in the Bareos WebUI. That is why we highly recommend to update the Bvfs cache frequently.
This can be accomplished by the Run Script directive of a Job Resource.
The following code snippet is an example how to run the cache update process in a RunScript after the catalog backup.
Note
We do not provide a list of Jobs specified in the JobId command argument so the cache is computed for all jobs not already in the cache.
As an alternative to the method above the Bvfs cache can be updated after each job run by using the Run Script directive as well.
Note
We do provide a specific JobId in the JobId command argument in this example. Only the JobId given by the placeholder %i will be computed into the cache.
NGINX
If you prefer to use Bareos WebUI on Nginx with php-fpm instead of Apache, a basic working configuration could look like this:
This will make the Bareos WebUI accessible at http://bareos:9100/ (assuming your DNS resolve the hostname bareos to the NGINX server).
php.ini settings
The Bareos WebUI relies on date functions. Set the date.timezone directive according to the timezone of your Bareos Director.
[Date] ; Defines the default timezone used by the date functions ; http://php.net/date.timezone date.timezone = Europe/Berlin
Command ACL Requirements
The following tables show which commands are required and optional for each module of the Bareos WebUI.
Optional commands may be denied by Command ACL (Dir->Profile)
settings to limit specific functionality. If you deny a required command,
the module will not work.
Note
The commands .api, .help and use are essential commands
and should never be denied by Command ACL (Dir->Profile) settings in your
Console (Dir) or Profile (Dir) resources.
Command |
Client |
|---|---|
disable |
optional |
enable |
optional |
list |
required |
llist |
required |
status |
optional |
use |
required |
version |
required |
.api |
required |
.clients |
required |
.help |
required |
Command |
Dashboard |
|---|---|
cancel |
optional |
list |
required |
llist |
required |
use |
required |
.api |
required |
.help |
required |
Command |
Director |
|---|---|
list |
required |
llist |
required |
status |
optional |
use |
required |
.api |
required |
.help |
required |
Command |
Fileset |
|---|---|
list |
required |
llist |
required |
use |
required |
.api |
required |
.help |
required |
Command |
Job |
|---|---|
cancel |
optional |
disable |
optional |
enable |
optional |
list |
required |
llist |
required |
rerun |
optional |
run |
optional |
use |
required |
.api |
required |
.defaults |
required |
.filesets |
required |
.help |
required |
.jobs |
required |
.pools |
required |
.storages |
required |
Command |
Media |
|---|---|
list |
required |
llist |
required |
use |
required |
.api |
required |
.help |
required |
Command |
Pool |
|---|---|
list |
required |
llist |
required |
use |
required |
.api |
required |
.help |
required |
Command |
Restore |
|---|---|
list |
required |
llist |
required |
restore |
optional |
use |
required |
.api |
required |
.filesets |
required |
.help |
required |
.jobs |
required |
.bvfs_lsdirs |
required |
.bvfs_lsfiles |
required |
.bvfs_update |
required |
.bvfs_get_jobids |
required |
.bvfs_versions |
required |
.bvfs_restore |
required |
Command |
Schedule |
|---|---|
disable |
optional |
enable |
optional |
list |
required |
llist |
required |
status |
optional |
show |
optional |
use |
required |
.api |
required |
.help |
required |
.schedule |
required |
Command |
Storage |
|---|---|
export |
optional |
import |
optional |
label |
optional |
list |
required |
llist |
required |
release |
optional |
status |
optional |
update |
optional |
use |
required |
.api |
required |
.help |
required |
.pools |
optional |
Command |
Analytics |
|---|---|
list |
required |
llist |
required |
use |
required |
.api |
required |
.help |
required |
A complete overview of bconsole command usage in the Bareos WebUI can be found in the Developer Guide chapter “Command usage in modules and the according ACL requirements”.
Access Control Configuration
Access Control is configured in Profile (Dir),
Console (Dir) or User (Dir) resources.
Below are some example profile resources that should serve you as guidance to configure access to certain elements of the Bareos WebUI to your needs and use cases.
Full Access
No restrictions are given by Profile (Dir),
everything is allowed. This profile is included in the Bareos WebUI package.
Profile {
Name = "webui-admin"
CommandACL = *all*
JobACL = *all*
ScheduleACL = *all*
CatalogACL = *all*
PoolACL = *all*
StorageACL = *all*
ClientACL = *all*
FilesetACL = *all*
WhereACL = *all*
}
Limited Access
Users with the following profile example have limited access to various resources but they are allowed to run, rerun and cancel the jobs backup-bareos-fd and backup-example-fd.
Note
Access to depending resources for the jobs set in the
Job ACL (Dir->Profile) needs also be given by
Client ACL (Dir->Profile),
Pool ACL (Dir->Profile),
Storage ACL (Dir->Profile) and
File Set ACL (Dir->Profile) settings.
Users of this profile are also able to do a restore from within the Bareos WebUI by having access to the RestoreFiles job resource, the required Bvfs API commands and the restore command itself.
Profile {
Name = "webui-user"
# Multiple CommandACL directives as given below are concatenated
CommandACL = .api, .help, use, version, status, show
CommandACL = list, llist
CommandACL = run, rerun, cancel, restore
CommandACL = .clients, .jobs, .filesets, .pools, .storages, .defaults, .schedule
CommandACL = .bvfs_update, .bvfs_get_jobids, .bvfs_lsdirs, .bvfs_lsfiles
CommandACL = .bvfs_versions, .bvfs_restore, .bvfs_cleanup
JobACL = backup-bareos-fd, backup-example-fd, RestoreFiles
ScheduleACL = WeeklyCycle
CatalogACL = MyCatalog
PoolACL = Full, Differential, Incremental
StorageACL = File
ClientACL = bareos-fd, example-fd
FilesetACL = SelfTest, example-fileset
WhereACL = *all*
}
Read-Only Access
This example profile resource denies access to most of the commands and
additionally restricts access to certain other resources like
Job (Dir), Schedule (Dir),
Pool (Dir), Storage (Dir),
Client (Dir), Fileset (Dir), etc.
Users of this profile would not be able to run or restore jobs, execute volume and autochanger related operations, enable or disable resources besides other restrictions.
Profile {
Name = "webui-user-readonly-example-1"
# Deny general command access
CommandACL = !.bvfs_clear_cache, !.exit, !configure, !purge, !prune, !reload
CommandACL = !create, !update, !delete, !disable, !enable
CommandACL = !show, !status
# Deny job related command access
CommandACL = !run, !rerun, !restore, !cancel
# Deny autochanger related command access
CommandACL = !mount, !umount, !unmount, !export, !import, !move, !release, !automount
# Deny media/volume related command access
CommandACL = !add, !label, !relabel, !truncate
# Deny SQL related command access
CommandACL = !sqlquery, !query, !.sql
# Deny debugging related command access
CommandACL = !setdebug, !trace
# Deny network related command access
CommandACL = !setbandwidth, !setip, !resolve
# Allow non-excluded command access
CommandACL = *all*
# Allow access to the following job resources
Job ACL = backup-bareos-fd, RestoreFiles
# Allow access to the following schedule resources
Schedule ACL = WeeklyCycle
# Allow access to the following catalog resources
Catalog ACL = MyCatalog
# Deny access to the following pool resources
Pool ACL = !Scratch
# Allow access to non-excluded pool resources
Pool ACL = *all*
# Allow access to the following storage resources
Storage ACL = File
# Allow access to the following client resources
Client ACL = bareos-fd
# Allow access to the following filset resources
FileSet ACL = SelfTest
# Allow access to restore to any filesystem location
Where ACL = *all*
}
Alternatively the example above can be configured as following if you prefer a shorter version.
Profile {
Name = "webui-user-readonly-example-2"
# Allow access to the following commands
CommandACL = .api, .help, use, version, status
CommandACL = list, llist
CommandACL = .clients, .jobs, .filesets, .pools, .storages, .defaults, .schedule
CommandACL = .bvfs_lsdirs, .bvfs_lsfiles, .bvfs_update, .bvfs_get_jobids, .bvfs_versions, .bvfs_restore
# Allow access to the following job resources
Job ACL = backup-bareos-fd, RestoreFiles
# Allow access to the following schedule resources
Schedule ACL = WeeklyCycle
# Allow access to the following catalog resources
Catalog ACL = MyCatalog
# Allow access to the following pool resources
Pool ACL = Full, Differential, Incremental
# Allow access to the following storage resources
Storage ACL = File
# Allow access to the following client resources
Client ACL = bareos-fd
# Allow access to the following filset resources
FileSet ACL = SelfTest
# Allow access to restore to any filesystem location
Where ACL = *all*
}
For more details, please read Profile Resource.
Restore
By default when running a restore in the Bareos WebUI the most recent version of all files from the available backups will be restored. You can change this behavior by selecting the merge strategy and specific job selections in the fields described below. The Bareos WebUI allows you to restore multiple files or specific file versions.
Available restore parameters
Client
A list of available backup clients.
Backup jobs
A list of successful backup jobs available for the selected client.
Merge all client filesets
Determines if all available backup job filesets for the selected client should be merged into one file tree. This is helpful i.e. if multiple backup jobs with different filesets are available for the selected client. When you are just interested in a specific backup job, disable merging here and make the appropriate selection of a backup job.
Merge all related jobs to last full backup of selected backup job
By default all most recent versions of a file from your incremental, differential and full backup jobs will be merged into the file tree. If this behaviour is not desirable and instead the file tree should show the contents of a particular backup job, set the value to “No” here. Select a specific backup job afterwards to browse through the according file tree which has been backed up by that job.
Restore to client
In case you do not want to restore to the original client, you can select an alternative client here.
Restore job
Sometimes dedicated restore jobs may be required, which can be selected here.
Replace files on client
Here you can change the behaviour of how and when files should be replaced on the backup client while restoring.
always
never
if file being restored is older than existing file
if file being restored is newer than existing file
Restore location on client
If you like to restore all files to the original location then enter a single
/here but keep the settings of “Replace files on client” in mind.In case you want to use another location, simply enter the path here where you want to restore to on the selected client, for example
/tmp/bareos-restore/.
Plugin options
Provide a plugin options string here if required. The field is only shown if a fileset using a plugin is detected.
Restore multiple files
Restore a specific file version
Limitations
Note
Restoring NDMP backups is currently not supported by Bareos WebUI. Please use the bconsole instead.