Network setup

Heartbeat Interval - TCP Keepalive

In Bareos the Heartbeat Interval is an optional parameter expressed in seconds and implemented only on systems that provides the setsockopt TCP_KEEPIDLE function like Unix, Linux, Windows… The default for those systems is 2 hours (7200s). The Bareos default value is zero (0), which means no change is made to the socket. If non-zero, a heartbeat signal is send from a daemon to the others to keep the channels active.

This feature is particularly useful if you have a router or a firewall that does not follow Internet standards and times out an valid connection after a short duration despite the fact that keepalive is set. This usually results in a broken pipe error message.

Warning

A hierarchy exist for this parameter depending of its usage. When HeartBeatInverval is defined at the daemon resource, this will affect all sockets used by this daemon or program. While when used in sub part this will override the global setup and only concern this specific resource. For example Heartbeat Interval (Dir->Director)(global) is overwritten by the more resource specific Heartbeat Interval (Dir->Client).

Note

Consult TLDP howto TCP-Keepalive to learn how to setup tcp keepalive in you Linux.

Passive Clients

The normal way of initializing the data channel (the channel where the backup data itself is transported) is done by the Bareos File Daemon (client) that connects to the Bareos Storage Daemon.

In many setups, this can cause problems, as this means that:

The client must be able to resolve the name of the Bareos Storage Daemon (often not true, you have to do tricks with the hosts file)
The client must be allowed to create a new connection.
The client must be able to connect to the Bareos Storage Daemon over the network (often difficult over NAT or Firewall)

By using Passive Client, the initialization of the data channel is reversed, so that the storage daemon connects to the Bareos File Daemon. This solves almost every problem created by firewalls, NAT-gateways and resolving issues, as

The Bareos Storage Daemon initiates the connection, and thus can pass through the same or similar firewall rules that the director already has to access the Bareos File Daemon.
The client never initiates any connection, thus can be completely firewalled.
The client never needs any name resolution and is totally independent from any resolving issues.

../_images/passive-client-communication.png

Usage

To use this feature, just configure Passive (Dir->Client)=yes in the client definition of the Bareos Director:

Enable passive mode in bareos-dir.d/client/myself.conf

Client {
   Name = client1-fd
   Password = "secretpassword"
   Passive = yes
   [...]
}

Using different IP Adresses for SD – FD Communication

Bareos supports network topologies where the Bareos File Daemon and Bareos Storage Daemon are situated inside of a LAN, but the Bareos Director is outside of that LAN in the Internet and accesses the Bareos File Daemon and Bareos Storage Daemon via SNAT / port forwarding.

Consider the following scheme:

/-------------------\
|                   |    LAN 10.0.0.1/24
|                   |
|  FD_LAN   SD_LAN  |
|  .10         .20  |
|                   |
\___________________/
          |
      NAT Firewall
      FD: 8.8.8.10 -> 10.0.0.10
      SD: 8.8.8.20 -> 10.0.0.20
          |
/-------------------\
|                   |
|                   |     WAN / Internet
|        DIR        |
|     8.8.8.100     |
|                   |
| FD_WAN   SD_WAN   |
| .30         .40   |
\___________________/

The Bareos Director can access the FD_LAN via the IP 8.8.8.10, which is forwarded to the IP 10.0.0.10 inside of the LAN.

The Bareos Director can access the SD_LAN via the IP 8.8.8.20 which is forwarded to the IP 10.0.0.20 inside of the LAN.

There is also a Bareos File Daemon and a Bareos Storage Daemon outside of the LAN, which have the IPs 8.8.8.30 and 8.8.8.40.

All resources are configured so that the Addressdirective gets the address where the Bareos Director can reach the daemons.

Additionally, devices being in the LAN get the LAN address configured in the Lan Addressdirective. The configuration looks as follows:

bareos-dir.d/client/FD_LAN.conf

Client {
   Name = FD_LAN
   Address = 8.8.8.10
   LanAddress = 10.0.0.10
   ...
}

bareos-dir.d/client/SD_LAN.conf

Storage {
   Name = SD_LAN
   Address = 8.8.8.20
   LanAddress = 10.0.0.20
   ...
}

bareos-dir.d/client/FD_WAN.conf

Client {
   Name = FD_WAN
   Address = 8.8.8.30
   ...
}

bareos-dir.d/client/SD_WAN.conf

Storage {
   Name = SD_WAN
   Address = 8.8.8.40
   ...
}

This way, backups and restores from each Bareos File Daemon using each Bareos Storage Daemon are possible as long as the firewall allows the needed network connections.

The Bareos Director simply checks if both the involved Bareos File Daemon and Bareos Storage Daemon both have a Lan Address(Lan Address (Dir->Client)and Lan Address (Dir->Storage)) configured.

In that case, the initiating daemon is ordered to connect to the Lan Addressinstead of the Address. In active client mode, the Bareos File Daemon connects to the Bareos Storage Daemon, in passive client mode (see Passive Clients) the Bareos Storage Daemon connects to the Bareos File Daemon.

If only one or none of the involved Bareos File Daemon and Bareos Storage Daemon have a Lan Addressconfigured, the Addressis used as connection target for the initiating daemon.

Client Initiated Connection

The Bareos Director knows, when it is required to talk to a client (Bareos File Daemon). Therefore, by defaults, the Bareos Director connects to the clients.

However, there are setups where this can cause problems, as this means that:

The client must be reachable by its configured Address (Dir->Client). Address can be the DNS name or the IP address. (For completeness: there are potential workarounds by using the setip command.)
The Bareos Director must be able to connect to the Bareos File Daemon over the network.

To circumvent these problems, since Bareos Version >= 16.2.2 it is possible to let the Bareos File Daemon initiate the network connection to the Bareos Director.

Which address the client connects to reach the Bareos Director is configured in the Address (Fd->Director) directive.

To additional allow this connection direction use:

Connection From Client To Director (Dir->Client) = yes
Heartbeat Interval (Dir->Client) = 60 # to keep the network connection established
Connection From Client To Director (Fd->Director) = yes

To only allow Connection From the Client to the Director use:

Connection From Director To Client (Dir->Client) = no
Connection From Client To Director (Dir->Client) = yes
Heartbeat Interval (Dir->Client) = 60 # to keep the network connection established
Connection From Director To Client (Fd->Director) = no
Connection From Client To Director (Fd->Director) = yes

Using Client Initiated Connections has disadvantages. Without Client Initiated Connections the Bareos Director only establishes a network connection when this is required. With Client Initiated Connections, the Bareos File Daemon connects to the Bareos Director and the Bareos Director keeps these connections open. The command status dir will show all waiting connections:

show waiting client connections

*status dir
...
Client Initiated Connections (waiting for jobs):
Connect time        Protocol            Authenticated       Name
====================================================================================================
19-Apr-16 21:50     54                  1                   client1.example.com
...
====

When both connection directions are allowed, the Bareos Director

checks, if there is a waiting connection from this client.
tries to connect to the client (using the usual timeouts).
waits for a client connection to appear (using the same timeout as when trying to connect to a client).

If none of this worked, the job fails.

When a waiting connection is used for a job, the Bareos File Daemon will detect this and creates an additional connection. This is required, to keep the client responsive for additional commands, like cancel.

To get feedback in case the Bareos File Daemon fails to connect to the Bareos Director, consider configuring Bareos File Daemon to log in a local file. This can be archived by adding the line

Append = "/var/log/bareos/bareos-fd.log" = all, !skipped, !restored

to the default message resource Standard (Fd->Messages):

bareos-fd.d/messages/Standard.conf

Messages {
  Name = Standard
  Director = bareos-dir = all, !skipped, !restored
  Append = "/var/log/bareos/bareos-fd.log" = all, !skipped, !restored
}

Network Connections Overview

The following diagrams show Bareos components with any possible network connections between them. Arrows point always from the TCP Client to the respective TCP Server, thus the direction of the connection initiation. This is not neccessarily the direction of the data flow.

Full connection overview

This diagram contains all possible connections between Bareos components that are virtually usable. See the chapters below for specific diagrams of the Bareos operating modes.

$left to right direction skinparam shadowing false (Console\nPython\nWebUI) as Con (Tray Monitor) as Tray [Filedaemon] as FD [Directordaemon] as Dir [Storagedaemon] as SD [Storagedaemon2] as SD2 database Catalog !define arrow_hidden(from,direction,to,comment) from -[#white]direction->to : <color white>comment</color> !define arrow(from,direction,to,comment) from -direction->to : comment arrow(Con, right, Dir, 1) arrow(Con, right, Dir, 2) arrow(Dir, up, FD, 3) arrow(FD, down, Dir, 4) arrow(Dir, right, SD, 5a) arrow(FD, down, SD, 6) arrow(SD, down, FD, 7) arrow(SD, down, SD2, 8) arrow(Dir, down, SD2, 5b) arrow(Tray, down, Dir, 9) arrow(Tray, down, FD, 10) arrow(Tray, down, SD, 11) arrow(Dir, down, Catalog, 12)$

Sequence diagram of a Bareos File Daemon connection

Legend for full connection overview
Connection Number	Description	Type
1	Named Console	control channel
2	Default Console	control channel
3	Director to File Daemon (default)	control channel
4	Client initiated File Daemon to Director	control channel
5a	Director to Storage (default)	control channel
5b	Director to 2nd Storage doing SD-SD copy or migrate	control channel
6	File Daemon to Storage Daemon (default)	data channel
7	Passive Client Storage Daemon to File Daemon	data channel
8	Storage Daemon to Storage Daemon	data channel
9	Tray Monitor to Director Daemon	monitor channel
10	Tray Monitor to File Daemon	monitor channel
11	Tray Monitor to Storage Daemon	monitor channel
12	Director to catalog database	database channel

Named Console and Default Console

$left to right direction skinparam shadowing false (Console\nPython\nWebUI) as Con (Tray Monitor) as Tray [Filedaemon] as FD [Directordaemon] as Dir [Storagedaemon] as SD [Storagedaemon2] as SD2 !define arrow_hidden(from,direction,to,comment) from -[#white]direction->to : <color white>comment</color> !define arrow(from,direction,to,comment) from -direction->to : comment arrow(Con, right, Dir, 1) arrow(Con, right, Dir, 2) arrow_hidden(Dir, up, FD, 3) arrow_hidden(FD, down, Dir, 4) arrow_hidden(Dir, right, SD, 5a) arrow_hidden(FD, down, SD, 6) arrow_hidden(SD, down, FD, 7) arrow_hidden(SD, down, SD2, 8) arrow_hidden(Dir, down, SD2, 5b) arrow_hidden(Tray, down, Dir, 9) arrow_hidden(Tray, down, FD, 10) arrow_hidden(Tray, down, SD, 11)$

Diagram of Console to Director connection

Default Backup/Restore

$left to right direction skinparam shadowing false (Console\nPython\nWebUI) as Con (Tray Monitor) as Tray [Filedaemon] as FD [Directordaemon] as Dir [Storagedaemon] as SD [Storagedaemon2] as SD2 !define arrow_hidden(from,direction,to,comment) from -[#white]direction->to : <color white>comment</color> !define arrow(from,direction,to,comment) from -direction->to : comment arrow_hidden(Con, right, Dir, 1) arrow_hidden(Con, right, Dir, 2) arrow(Dir, up, FD, 3) arrow_hidden(FD, down, Dir, 4) arrow(Dir, right, SD, 5a) arrow(FD, down, SD, 6) arrow_hidden(SD, down, FD, 7) arrow_hidden(SD, down, SD2, 8) arrow_hidden(Dir, down, SD2, 5b) arrow_hidden(Tray, down, Dir, 9) arrow_hidden(Tray, down, FD, 10) arrow_hidden(Tray, down, SD, 11)$

Diagram of a default Backup or Restore operation

Client Initiated Backup/Restore

$left to right direction skinparam shadowing false (Console\nPython\nWebUI) as Con (Tray Monitor) as Tray [Filedaemon] as FD [Directordaemon] as Dir [Storagedaemon] as SD [Storagedaemon2] as SD2 !define arrow_hidden(from,direction,to,comment) from -[#white]direction->to : <color white>comment</color> !define arrow(from,direction,to,comment) from -direction->to : comment arrow_hidden(Con, right, Dir, 1) arrow_hidden(Con, right, Dir, 2) arrow_hidden(Dir, up, FD, 3) arrow(FD, down, Dir, 4) arrow(Dir, right, SD, 5a) arrow(FD, down, SD, 6) arrow_hidden(SD, down, FD, 7) arrow_hidden(SD, down, SD2, 8) arrow_hidden(Dir, down, SD2, 5b) arrow_hidden(Tray, down, Dir, 9) arrow_hidden(Tray, down, FD, 10) arrow_hidden(Tray, down, SD, 11)$

Diagram of a client initiated Backup or Restore operation

Passive Client Backup/Restore

$left to right direction skinparam shadowing false (Console\nPython\nWebUI) as Con (Tray Monitor) as Tray [Filedaemon] as FD [Directordaemon] as Dir [Storagedaemon] as SD [Storagedaemon2] as SD2 !define arrow_hidden(from,direction,to,comment) from -[#white]direction->to : <color white>comment</color> !define arrow(from,direction,to,comment) from -direction->to : comment arrow_hidden(Con, right, Dir, 1) arrow_hidden(Con, right, Dir, 2) arrow(Dir, up, FD, 3) arrow_hidden(FD, down, Dir, 4) arrow(Dir, right, SD, 5a) arrow_hidden(FD, down, SD, 6) arrow(SD, down, FD, 7) arrow_hidden(SD, down, SD2, 8) arrow_hidden(Dir, down, SD2, 5b) arrow_hidden(Tray, down, Dir, 9) arrow_hidden(Tray, down, FD, 10) arrow_hidden(Tray, down, SD, 11)$

Diagram of a passive client Backup or Restore operation

Storage-Storage Migration

$left to right direction skinparam shadowing false (Console\nPython\nWebUI) as Con (Tray Monitor) as Tray [Filedaemon] as FD [Directordaemon] as Dir [Storagedaemon] as SD [Storagedaemon2] as SD2 !define arrow_hidden(from,direction,to,comment) from -[#white]direction->to : <color white>comment</color> !define arrow(from,direction,to,comment) from -direction->to : comment arrow_hidden(Con, right, Dir, 1) arrow_hidden(Con, right, Dir, 2) arrow_hidden(Dir, up, FD, 3) arrow_hidden(FD, down, Dir, 4) arrow(Dir, right, SD, 5a) arrow_hidden(FD, down, SD, 6) arrow_hidden(SD, down, FD, 7) arrow(SD, down, SD2, 8) arrow(Dir, down, SD2, 5b) arrow_hidden(Tray, down, Dir, 9) arrow_hidden(Tray, down, FD, 10) arrow_hidden(Tray, down, SD, 11)$

Diagram of a Storage to Storage copy or migrate operation

Tray-Monitor

$left to right direction skinparam shadowing false (Console\nPython\nWebUI) as Con (Tray Monitor) as Tray [Filedaemon] as FD [Directordaemon] as Dir [Storagedaemon] as SD [Storagedaemon2] as SD2 !define arrow_hidden(from,direction,to,comment) from -[#white]direction->to : <color white>comment</color> !define arrow(from,direction,to,comment) from -direction->to : comment arrow_hidden(Con, right, Dir, 1) arrow_hidden(Con, right, Dir, 2) arrow_hidden(Dir, up, FD, 3) arrow_hidden(FD, down, Dir, 4) arrow_hidden(Dir, right, SD, 5a) arrow_hidden(FD, down, SD, 6) arrow_hidden(SD, down, FD, 7) arrow_hidden(SD, down, SD2, 8) arrow_hidden(Dir, down, SD2, 5b) arrow(Tray, down, Dir, 9) arrow(Tray, down, FD, 10) arrow(Tray, down, SD, 11)$

Diagram of all Tray Monitor Connections