Client/File Daemon Configuration

The Client (or File Daemon) Configuration is one of the simpler ones to specify. Generally, other than changing the Client name so that error messages are easily identified, you will not need to modify the default Client configuration file.

For a general discussion of configuration file and resources including the data types recognized by Bareos, please see the Configuration chapter of this manual. The following Client Resource definitions must be defined:

  • Client – to define what Clients are to be backed up.

  • Director – to define the Director’s name and its access password.

  • Messages – to define where error and information messages are to be sent.

Client Resource

The Client Resource (or FileDaemon) resource defines the name of the Client (as used by the Director) as well as the port on which the Client listens for Director connections.

Start of the Client records. There must be one and only one Client resource in the configuration file, since it defines the properties of the current client program.

configuration directive name

type of data

default value

remark

Absolute Job Timeout (Fd->Client)

= PINT32

Allow Bandwidth Bursting (Fd->Client)

= BOOLEAN

no

Allowed Job Command (Fd->Client)

= STRING_LIST

Allowed Script Dir (Fd->Client)

= DIRECTORY_LIST

Always Use LMDB (Fd->Client)

= BOOLEAN

no

Description (Fd->Client)

= STRING

Enable kTLS (Fd->Client)

= BOOLEAN

no

FD Address (Fd->Client)

= ADDRESS

9102

FD Addresses (Fd->Client)

= ADDRESSES

9102

FD Port (Fd->Client)

= PORT

9102

FD Source Address (Fd->Client)

= ADDRESS

0

Heartbeat Interval (Fd->Client)

= TIME

0

LMDB Threshold (Fd->Client)

= PINT32

Log Timestamp Format (Fd->Client)

= STRING

%d-%b %H:%M

Maximum Bandwidth Per Job (Fd->Client)

= SPEED

Maximum Concurrent Jobs (Fd->Client)

= PINT32

20

Maximum Network Buffer Size (Fd->Client)

= PINT32

Maximum Workers Per Job (Fd->Client)

= PINT32

2

Messages (Fd->Client)

= RES

Name (Fd->Client)

= NAME

required

Pki Cipher (Fd->Client)

= ENCRYPTION_CIPHER

aes128

Pki Encryption (Fd->Client)

= BOOLEAN

no

Pki Key Pair (Fd->Client)

= DIRECTORY

Pki Master Key (Fd->Client)

= DIRECTORY_LIST

Pki Signatures (Fd->Client)

= BOOLEAN

no

Pki Signer (Fd->Client)

= DIRECTORY_LIST

Plugin Directory (Fd->Client)

= DIRECTORY

Plugin Names (Fd->Client)

= PLUGIN_NAMES

Scripts Directory (Fd->Client)

= DIRECTORY

SD Connect Timeout (Fd->Client)

= TIME

1800

Secure Erase Command (Fd->Client)

= STRING

TLS Allowed CN (Fd->Client)

= STRING_LIST

TLS Authenticate (Fd->Client)

= BOOLEAN

no

TLS CA Certificate Dir (Fd->Client)

= DIRECTORY

TLS CA Certificate File (Fd->Client)

= DIRECTORY

TLS Certificate (Fd->Client)

= DIRECTORY

TLS Certificate Revocation List (Fd->Client)

= DIRECTORY

TLS Cipher List (Fd->Client)

= STRING

TLS Cipher Suites (Fd->Client)

= STRING

TLS DH File (Fd->Client)

= DIRECTORY

TLS Enable (Fd->Client)

= BOOLEAN

yes

TLS Key (Fd->Client)

= DIRECTORY

TLS Protocol (Fd->Client)

= STRING

TLS Require (Fd->Client)

= BOOLEAN

yes

TLS Verify Peer (Fd->Client)

= BOOLEAN

no

Ver Id (Fd->Client)

= STRING

Working Directory (Fd->Client)

= DIRECTORY

/var/lib/bareos (platform specific)

Absolute Job Timeout
Type:

PINT32

Since Version:

14.2.0

Absolute time after which a Job gets terminated regardless of its progress

Allow Bandwidth Bursting
Type:

BOOLEAN

Default value:

no

This option sets if there is Bandwidth Limiting in effect if the limiting code can use bursting e.g. when from a certain timeslice not all bandwidth is used this bandwidth can be used in a next timeslice. Which mean you will get a smoother limiting which will be much closer to the actual limit set but it also means that sometimes the bandwidth will be above the setting here.

Allowed Job Command
Type:

STRING_LIST

This directive filters what type of jobs the filedaemon should allow. Until now we had the -b (backup only) and -r (restore only) flags which could be specified at the startup of the filedaemon.

Allowed Job Command can be defined globally for all directors by adding it to the global filedaemon resource or for a specific director when added to the director resource.

You specify all commands you want to be executed by the filedaemon. When you don’t specify the option it will be empty which means all commands are allowed.

The following example shows how to use this functionality:

Director {
  Name = <name>
  Password = <password>
  Allowed Job Command = "backup"
  Allowed Job Command = "runscript"
}

All commands that are allowed are specified each on a new line with the Allowed Job Command keyword.

The following job commands are recognized:

backup

allow backups to be made

restore

allow restores to be done

verify

allow verify jobs to be done

estimate

allow estimate cmds to be executed

runscript

allow runscripts to run

Only the important commands the filedaemon can perform are filtered, as some commands are part of the above protocols and by disallowing the action the other commands are not invoked at all.

If runscripts are not needed it would be recommended as a security measure to disable running those or only allow the commands that you really want to be used.

Runscripts are particularly a problem as they allow the Bareos File Daemon to run arbitrary commands. You may also look into the Allowed Script Dir (Fd->Client) keyword to limit the impact of the runscript command.

Allowed Script Dir
Type:

DIRECTORY_LIST

This directive limits the impact of the runscript command of the filedaemon.

It can be specified either for all directors by adding it to the global filedaemon resource or for a specific director when added to the director resource.

All directories in which the scripts or commands are located that you allow to be run by the runscript command of the filedaemon. Any program not in one of these paths (or subpaths) cannot be used. The implementation checks if the full path of the script starts with one of the specified paths.

The following example shows how to use this functionality:

# bareos-fd.conf
Director {
  Name = <name>
  Password = <password>
  Allowed Script Dir = "/etc/bareos"
  Allowed Script Dir = "/path/that/is/also/allowed"
}



# bareos-dir.conf
Job {
   Name = "<name>"
   JobDefs = "DefaultJob"
   Client Run Before Job = "/etc/bareos/runbeforejob.sh"   # this will run
   Client Run Before Job = "/tmp/runbeforejob.sh"          # this will be blocked
}
Always Use LMDB
Type:

BOOLEAN

Default value:

no

Description
Type:

STRING

Enable kTLS
Type:

BOOLEAN

Default value:

no

If set to “yes”, Bareos will allow the SSL implementation to use Kernel TLS.

FD Address
Type:

ADDRESS

Default value:

9102

This record is optional, and if it is specified, it will cause the File daemon server (for Director connections) to bind to the specified IP-Address, which is either a domain name or an IP address. If it is not specified, the File Daemon will bind to both IPv6 and IPv4 default addresses (the default).

FD Addresses
Type:

ADDRESSES

Default value:

9102

Specify the ports and addresses on which the File daemon listens for Director connections. Probably the simplest way to explain is to show an example:

FDAddresses  = {
  ip = { addr = 1.2.3.4; port = 1205; }
  ipv4 = {
    addr = 1.2.3.4; port = http; }
  ipv6 = {
    addr = 1.2.3.4;
    port = 1205;
  }
  ip = {
    addr = 1.2.3.4
    port = 1205
  }
  ip = { addr = 1.2.3.4 }
  ip = {
    addr = 201:220:222::2
  }
  ip = {
    addr = bluedot.thun.net
  }
}

where ip, ip4, ip6, addr, and port are all keywords. Note, that the address can be specified as either a dotted quadruple, or IPv6 colon notation, or as a symbolic name (only in the ip specification). Also, the port can be specified as a number or as the mnemonic value from the /etc/services file. If a port is not specified, the default will be used. If an ip section is specified, the resolution can be made either by IPv4 or IPv6. If ip4 is specified, then only IPv4 resolutions will be permitted, and likewise with ip6.

FD Port
Type:

PORT

Default value:

9102

This specifies the port number on which the Client listens for Director connections. It must agree with the FDPort specified in the Client resource of the Director’s configuration file.

By default, the Client will listen to both IPv6 and IPv4 default addresses on the port you set. If you want to listen on either IPv4 or IPv6 only, you have to specify it with either FD Address (Fd->Client), or remove FD Port (Fd->Client)and just use FD Addresses (Fd->Client)instead.

FD Source Address
Type:

ADDRESS

Default value:

0

If specified, the Bareos File Daemon will bind to the specified address when creating outbound connections. If this record is not specified, the kernel will choose the best address according to the routing table (the default).

Heartbeat Interval
Type:

TIME

Default value:

0

Optional and if specified set a keepalive interval (heartbeat) on the sockets used by the defined Bareos File Daemon.

See details in Heartbeat Interval - TCP Keepalive.

LMDB Threshold
Type:

PINT32

Log Timestamp Format
Type:

STRING

Default value:

%d-%b %H:%M

Since Version:

15.2.3

Maximum Bandwidth Per Job
Type:

SPEED

The speed parameter specifies the maximum allowed bandwidth that a job may use.

Maximum Concurrent Jobs
Type:

PINT32

Default value:

20

This directive specifies the maximum number of Jobs that should run concurrently. Each contact from the Director (e.g. status request, job start request) is considered as a Job, so if you want to be able to do a status request in the console at the same time as a Job is running, you will need to set this value greater than 1.

Maximum Network Buffer Size
Type:

PINT32

This directive specifies the initial network buffer size to use. This size will be adjusted down if it is too large until it is accepted by the OS. Please use care in setting this value since if it is too large, it will be trimmed by 512 bytes until the OS is happy, which may require a large number of system calls. The default value is 65,536 bytes.

Note, on certain Windows machines, there are reports that the transfer rates are very slow and this seems to be related to the default 65,536 size. On systems where the transfer rates seem abnormally slow compared to other systems, you might try setting the Maximum Network Buffer Size to 32,768 in both the File daemon and in the Storage daemon.

Maximum Workers Per Job
Type:

PINT32

Default value:

2

Messages
Type:

RES

Name
Required:

True

Type:

NAME

The name of this resource. It is used to reference to it.

The client name that must be used by the Director when connecting. Generally, it is a good idea to use a name related to the machine so that error messages can be easily identified if you have multiple Clients. This directive is required.

Pki Cipher
Type:

ENCRYPTION_CIPHER

Default value:

aes128

PKI Cipher used for data encryption.

See the Data Encryption chapter of this manual.

Depending on the openssl library version different ciphers are available. To choose the desired cipher, you can use the PKI Cipher option in the filedaemon configuration.

FileDaemon {
   Name = client1-fd

   # encryption configuration
   PKI Signatures = Yes                           # Enable Data Signing
   PKI Encryption = Yes                           # Enable Data Encryption
   PKI Keypair    = "/etc/bareos/example-fd.pem"  # Public and Private Keys in one file
   PKI Master Key = "/etc/bareos/master.pub.key" # ONLY the Public Key
   PKI Cipher     = aes128                        # specify desired PKI Cipher here
}

The available options (and ciphers) are:

  • aes128

  • aes192

  • aes256

  • camellia128

  • camellia192

  • camellia256

  • aes128hmacsha1

  • aes256hmacsha1

  • blowfish

They depend on the version of the openssl library installed.

For decryption of encrypted data, the right decompression algorithm should be automatically chosen.

Pki Encryption
Type:

BOOLEAN

Default value:

no

Enable Data Encryption.

See Data Encryption.

Pki Key Pair
Type:

DIRECTORY

File with public and private key to sign, encrypt (backup) and decrypt (restore) the data.

See Data Encryption.

Pki Master Key
Type:

DIRECTORY_LIST

List of public key files. Data will be decryptable via the corresponding private keys.

See Data Encryption.

Pki Signatures
Type:

BOOLEAN

Default value:

no

Enable Data Signing.

See Data Encryption.

Pki Signer
Type:

DIRECTORY_LIST

Additional public/private key files to sign or verify the data.

See Data Encryption.

Plugin Directory
Type:

DIRECTORY

This directive specifies a directory in which the File Daemon searches for plugins with the name <pluginname>-fd.so which it will load at startup. Typically on Linux systems, plugins are installed to /usr/lib/bareos/plugins/ or /usr/lib64/bareos/plugins/.

Plugin Names
Type:

PLUGIN_NAMES

If a Plugin Directory (Fd->Client) is specified Plugin Names defines, which File Daemon Plugins get loaded.

If Plugin Names is not defined, all plugins get loaded, otherwise the defined ones.

Warning

It is highly recommended to always specify the Plugin Names directive to keep control about what plugins will be loaded by the filedaemon. Some plugins cannot be loaded at the same time, like the python2 and python3 plugins.

Scripts Directory
Type:

DIRECTORY

SD Connect Timeout
Type:

TIME

Default value:

1800

This record defines an interval of time that the File daemon will try to connect to the Storage daemon. If no connection is made in the specified time interval, the File daemon cancels the Job.

Secure Erase Command
Type:

STRING

Since Version:

15.2.1

Specify command that will be called when bareos unlinks files.

When files are no longer needed, Bareos will delete (unlink) them. With this directive, it will call the specified command to delete these files. See Secure Erase Command for details.

TLS Allowed CN
Type:

STRING_LIST

“Common Name”s (CNs) of the allowed peer certificates.

TLS Authenticate
Type:

BOOLEAN

Default value:

no

Use TLS only to authenticate, not for encryption.

TLS CA Certificate Dir
Type:

DIRECTORY

Path of a TLS CA certificate directory.

TLS CA Certificate File
Type:

DIRECTORY

Path of a PEM encoded TLS CA certificate(s) file.

TLS Certificate
Type:

DIRECTORY

Path of a PEM encoded TLS certificate.

TLS Certificate Revocation List
Type:

DIRECTORY

Path of a Certificate Revocation List file.

TLS Cipher List
Type:

STRING

Colon separated list of valid TLSv1.2 and lower Ciphers; see “openssl ciphers” command. Leftmost element has the highest priority.

TLS Cipher Suites
Type:

STRING

Colon separated list of valid TLSv1.3 Ciphers; see “openssl ciphers -s -tls1_3” command. Leftmost element has the highest priority. Currently only SHA256 ciphers are supported.

TLS DH File
Type:

DIRECTORY

Path to PEM encoded Diffie-Hellman parameter file. If this directive is specified, DH key exchange will be used for the ephemeral keying, allowing for forward secrecy of communications.

TLS Enable
Type:

BOOLEAN

Default value:

yes

Enable TLS support.

Bareos can be configured to encrypt all its network traffic. See chapter TLS Configuration Directives to see how the Bareos Director (and the other components) have to be configured to use TLS.

TLS Key
Type:

DIRECTORY

Path of a PEM encoded private key. It must correspond to the specified “TLS Certificate”.

TLS Protocol
Type:

STRING

Since Version:

20.0.0

OpenSSL Configuration: Protocol

TLS Require
Type:

BOOLEAN

Default value:

yes

If set to “no”, Bareos can fall back to use unencrypted connections.

TLS Verify Peer
Type:

BOOLEAN

Default value:

no

If disabled, all certificates signed by a known CA will be accepted. If enabled, the CN of a certificate must the Address or in the “TLS Allowed CN” list.

Ver Id
Type:

STRING

Working Directory
Type:

DIRECTORY

Default value:

/var/lib/bareos (platform specific)

This directive is optional and specifies a directory in which the File daemon may put its status files.

On Win32 systems, in some circumstances you may need to specify a drive letter in the specified working directory path. Also, please be sure that this directory is writable by the SYSTEM user otherwise restores may fail (the bootstrap file that is transferred to the File daemon from the Director is temporarily put in this directory before being passed to the Storage daemon).

The following is an example of a valid Client resource definition:

Client {                              # this is me
  Name = rufus-fd
}

Director Resource

The Director resource defines the name and password of the Directors that are permitted to contact this Client.

configuration directive name

type of data

default value

remark

Address (Fd->Director)

= STRING

Allowed Job Command (Fd->Director)

= STRING_LIST

Allowed Script Dir (Fd->Director)

= DIRECTORY_LIST

Connection From Client To Director (Fd->Director)

= BOOLEAN

no

Connection From Director To Client (Fd->Director)

= BOOLEAN

yes

Description (Fd->Director)

= STRING

Enable kTLS (Fd->Director)

= BOOLEAN

no

Maximum Bandwidth Per Job (Fd->Director)

= SPEED

Monitor (Fd->Director)

= BOOLEAN

no

Name (Fd->Director)

= NAME

required

Password (Fd->Director)

= MD5PASSWORD

required

Port (Fd->Director)

= PINT32

9101

TLS Allowed CN (Fd->Director)

= STRING_LIST

TLS Authenticate (Fd->Director)

= BOOLEAN

no

TLS CA Certificate Dir (Fd->Director)

= DIRECTORY

TLS CA Certificate File (Fd->Director)

= DIRECTORY

TLS Certificate (Fd->Director)

= DIRECTORY

TLS Certificate Revocation List (Fd->Director)

= DIRECTORY

TLS Cipher List (Fd->Director)

= STRING

TLS Cipher Suites (Fd->Director)

= STRING

TLS DH File (Fd->Director)

= DIRECTORY

TLS Enable (Fd->Director)

= BOOLEAN

yes

TLS Key (Fd->Director)

= DIRECTORY

TLS Protocol (Fd->Director)

= STRING

TLS Require (Fd->Director)

= BOOLEAN

yes

TLS Verify Peer (Fd->Director)

= BOOLEAN

no

Address
Type:

STRING

Director Network Address. Only required if “Connection From Client To Director” is enabled.

Allowed Job Command
Type:

STRING_LIST

see Allowed Job Command (Fd->Client)

Allowed Script Dir
Type:

DIRECTORY_LIST

see Allowed Script Dir (Fd->Client)

Connection From Client To Director
Type:

BOOLEAN

Default value:

no

Since Version:

16.2.2

Let the Filedaemon initiate network connections to the Director.

For details, see Client Initiated Connection.

Connection From Director To Client
Type:

BOOLEAN

Default value:

yes

Since Version:

16.2.2

This Client will accept incoming network connection from this Director.

Description
Type:

STRING

Enable kTLS
Type:

BOOLEAN

Default value:

no

If set to “yes”, Bareos will allow the SSL implementation to use Kernel TLS.

Maximum Bandwidth Per Job
Type:

SPEED

The speed parameter specifies the maximum allowed bandwidth that a job may use when started from this Director. The speed parameter should be specified in k/s, Kb/s, m/s or Mb/s.

Monitor
Type:

BOOLEAN

Default value:

no

If Monitor is set to no, this director will have full access to this Client. If Monitor is set to yes, this director will only be able to fetch the current status of this Client.

Please note that if this director is being used by a Monitor, we highly recommend to set this directive to yes to avoid serious security problems.

Name
Required:

True

Type:

NAME

The name of the Director that may contact this Client. This name must be the same as the name specified on the Director resource in the Director’s configuration file. Note, the case (upper/lower) of the characters in the name are significant (i.e. S is not the same as s). This directive is required.

Password
Required:

True

Type:

MD5PASSWORD

Specifies the password that must be supplied for a Director to be authorized. This password must be the same as the password specified in the Client resource in the Director’s configuration file. This directive is required.

Port
Type:

PINT32

Default value:

9101

Since Version:

16.2.2

Director Network Port. Only used if “Connection From Client To Director” is enabled.

TLS Allowed CN
Type:

STRING_LIST

“Common Name”s (CNs) of the allowed peer certificates.

TLS Authenticate
Type:

BOOLEAN

Default value:

no

Use TLS only to authenticate, not for encryption.

TLS CA Certificate Dir
Type:

DIRECTORY

Path of a TLS CA certificate directory.

TLS CA Certificate File
Type:

DIRECTORY

Path of a PEM encoded TLS CA certificate(s) file.

TLS Certificate
Type:

DIRECTORY

Path of a PEM encoded TLS certificate.

TLS Certificate Revocation List
Type:

DIRECTORY

Path of a Certificate Revocation List file.

TLS Cipher List
Type:

STRING

Colon separated list of valid TLSv1.2 and lower Ciphers; see “openssl ciphers” command. Leftmost element has the highest priority.

TLS Cipher Suites
Type:

STRING

Colon separated list of valid TLSv1.3 Ciphers; see “openssl ciphers -s -tls1_3” command. Leftmost element has the highest priority. Currently only SHA256 ciphers are supported.

TLS DH File
Type:

DIRECTORY

Path to PEM encoded Diffie-Hellman parameter file. If this directive is specified, DH key exchange will be used for the ephemeral keying, allowing for forward secrecy of communications.

TLS Enable
Type:

BOOLEAN

Default value:

yes

Enable TLS support.

Bareos can be configured to encrypt all its network traffic. See chapter TLS Configuration Directives to see how the Bareos Director (and the other components) have to be configured to use TLS.

TLS Key
Type:

DIRECTORY

Path of a PEM encoded private key. It must correspond to the specified “TLS Certificate”.

TLS Protocol
Type:

STRING

Since Version:

20.0.0

OpenSSL Configuration: Protocol

TLS Require
Type:

BOOLEAN

Default value:

yes

If set to “no”, Bareos can fall back to use unencrypted connections.

TLS Verify Peer
Type:

BOOLEAN

Default value:

no

If disabled, all certificates signed by a known CA will be accepted. If enabled, the CN of a certificate must the Address or in the “TLS Allowed CN” list.

Thus multiple Directors may be authorized to use this Client’s services. Each Director will have a different name, and normally a different password as well.

The following is an example of a valid Director resource definition:

#
# List Directors who are permitted to contact the File daemon
#
Director {
  Name = HeadMan
  Password = very_good                # password HeadMan must supply
}
Director {
  Name = Worker
  Password = not_as_good
  Monitor = Yes
}

Messages Resource

There must be at least one Message resource in the Client configuration file.

Please see the Messages Resource Chapter of this manual for the details of the Messages Resource.

configuration directive name

type of data

default value

remark

Append (Fd->Messages)

= MESSAGES

Catalog (Fd->Messages)

= MESSAGES

Console (Fd->Messages)

= MESSAGES

Description (Fd->Messages)

= STRING

Director (Fd->Messages)

= MESSAGES

File (Fd->Messages)

= MESSAGES

Mail (Fd->Messages)

= MESSAGES

Mail Command (Fd->Messages)

= STRING

Mail On Error (Fd->Messages)

= MESSAGES

Mail On Success (Fd->Messages)

= MESSAGES

Name (Fd->Messages)

= NAME

Operator (Fd->Messages)

= MESSAGES

Operator Command (Fd->Messages)

= STRING

Stderr (Fd->Messages)

= MESSAGES

Stdout (Fd->Messages)

= MESSAGES

Syslog (Fd->Messages)

= MESSAGES

Timestamp Format (Fd->Messages)

= STRING

Append
Type:

MESSAGES

Catalog
Type:

MESSAGES

Console
Type:

MESSAGES

Description
Type:

STRING

Director
Type:

MESSAGES

File
Type:

MESSAGES

Mail
Type:

MESSAGES

Mail Command
Type:

STRING

Mail On Error
Type:

MESSAGES

Mail On Success
Type:

MESSAGES

Name
Type:

NAME

Operator
Type:

MESSAGES

Operator Command
Type:

STRING

Stderr
Type:

MESSAGES

Stdout
Type:

MESSAGES

Syslog
Type:

MESSAGES

Timestamp Format
Type:

STRING

Example Client Configuration File

An example File Daemon configuration file might be the following:

#
# Bareos File Daemon Configuration file
#

#
# List Directors who are permitted to contact this File daemon
#
Director {
  Name = bareos-dir
  Password = "aEODFz89JgUbWpuG6hP4OTuAoMvfM1PaJwO+ShXGqXsP"
}

#
# Restricted Director, used by tray-monitor to get the
#   status of the file daemon
#
Director {
  Name = client1-mon
  Password = "8BoVwTju2TQlafdHFExRIJmUcHUMoIyIqPJjbvcSO61P"
  Monitor = yes
}

#
# "Global" File daemon configuration specifications
#
FileDaemon {                          # this is me
  Name = client1-fd
  Maximum Concurrent Jobs = 20

  # remove comment in next line to load plugins from specified directory
  # Plugin Directory = /usr/lib64/bareos/plugins
}

# Send all messages except skipped files back to Director
Messages {
  Name = Standard
  director = client1-dir = all, !skipped, !restored
}