Bareos (Backup Archiving Recovery Open Sourced) is an open-source software solution designed for managing backups, archiving, and data recovery. Among its functionalities, Bareos allows complete, incremental, and differential backups on local or remote systems and supports multiple databases and operating systems.
This article will install Bareos on FreeBSD (14.1) within a Bastille jail and Linux (Ubuntu-24.04) within an LXD container.
Concepts and Components:
Before starting with the configuration, let’s clarify some key concepts.
Concepts:
- Job: Backup/restore task to be performed.
- JobDef: Templates with base parameters, can be overridden in the job if necessary.
- FileSet: Configuration template indicating files to back up, allows directory inclusion and exclusion of certain files or subdirectories.
- Schedule: When backups should occur.
- Device: Disk, tape, S3, GlusterFS where backups are stored.
- Pool: Group of volumes.
- Volume: File on disk, tape, S3, GlusterFS where backup data is stored.
Components:
- Director: Manages backup jobs and client connections to storage daemons.
- File daemon: Software installed on the client that will perform the backup.
- Storage daemon: Service installed where storage capacity is available.
- Bconsole: CLI administration interface for the Director.
- Web-UI: Web-based administration interface for the Director.
- Tray monitor: Graphical tool for monitoring the Director and storages.
Backup Types:
- Full: Full backup.
- Incremental: Data that has changed since the last backup, whether Full Backup or Incremental Backup.
- Differential: Data that has changed since the last Full Backup.
The following diagram provides a quick overview of the interactions between Bareos components:
FreeBSD/Linux Environment:
FreeBSD:
When installing Bareos in a FreeBSD jail, note that it requires PostgreSQL, which needs access to sysvipc
. Without this, you’ll encounter the following error:
running bootstrap script ... 2024-10-22 20:11:16.834 CEST [23722] FATAL: could not create shared memory segment: Function not implemented
Create the jail and apply a basic configuration using a custom Bastille template :
bastille create -T BareosServer 14.1-RELEASE 192.168.69.30 nfe0
bastille template BareosServer datadyne.alfaexploit.com/bastille-basicconfiguration
Enable sysvipc
access per jail (recommended over global host configuration):
bastille config BareosServer set sysvmsg=new
bastille config BareosServer set sysvsem=new
bastille config BareosServer set sysvshm=new
bastille stop BareosServer
bastille start BareosServer
Note: Avoid allow.sysvipc
as it’s deprecated and grants more permissions than necessary.
Create a client:
bastille create -T BareosClient 14.1-RELEASE 192.168.69.31 nfe0
bastille template BareosClient datadyne.alfaexploit.com/bastille-basicconfiguration
Linux:
On Linux, set up Bareos in an LXD container without specific resource access requirements:
lxc launch ubuntu:noble/amd64 sys-bareos-server
Create the client container:
lxc launch ubuntu:noble/amd64 sys-bareos-client
Bareos Server:
The first step is to add the official Bareos repositories:
Bareos does not yet have a version for 14.1, so we install the version for 14.0
wget https://download.bareos.org/current/FreeBSD_14.0/add_bareos_repositories.sh
sh ./add_bareos_repositories.sh
wget https://download.bareos.org/current/xUbuntu_24.04/add_bareos_repositories.sh
chmod 700 add_bareos_repositories.sh
./add_bareos_repositories.sh
apt update
Next, we install PostgreSQL as a requirement for Bareos. On Linux, if PostgreSQL is not installed before Bareos, the dbconfig
assistant will produce an error trying to connect to the database:
We install PostgreSQL version 16, which is specifically required by Bareos Web-UI:
pkg install postgresql16-server
We enable, configure, and start the PostgreSQL service:
sysrc postgresql_enable=yes
service postgresql initdb
service postgresql start
apt install postgresql
Now we can install Bareos:
pkg install bareos.com-director bareos.com-storage bareos.com-filedaemon bareos.com-database-postgresql bareos.com-bconsole
We import the database, tables, and necessary permissions for Bareos:
su postgres -c /usr/local/lib/bareos/scripts/create_bareos_database
su postgres -c /usr/local/lib/bareos/scripts/make_bareos_tables
su postgres -c /usr/local/lib/bareos/scripts/grant_bareos_privileges
apt install bareos
Configuring Postfix: Internet Site/$HOSTNAME
Configuring the PostgreSQL database:
Configure database for bareos-database-common with dbconfig-common? Yes
Host name of the PostgreSQL database server for bareos-database-common: localhost
PostgreSQL application password for bareos-database-common: POSTGRESQL_BAREOS_PASSWORD
NOTE: In FreeBSD, Bareos installation did not prompt for a PostgreSQL password as it connects via a Unix socket by default.
The Director needs to know how and where to connect with the Storage Daemon. The Address
parameter should be either a Fully Qualified Domain Name (FQDN) or an IP address. Also, the Storage Daemon needs the same password to allow connection from the Director.
vi /usr/local/etc/bareos/bareos-dir.d/storage/File.conf
Storage {
Name = File
#Address = Bareos # N.B. Use a fully qualified name here (do not use "localhost" here).
Address = STORAGE_DAEMON_SERVER_IP # N.B. Use a fully qualified name here (do not use "localhost" here).
Password = "STORAGE_DAEMON_PASSWORD"
Device = FileStorage
Media Type = File
}
vi /usr/local/etc/bareos/bareos-sd.d/director/bareos-dir.conf
Director {
Name = bareos-dir
Password = "STORAGE_DAEMON_PASSWORD"
Description = "Director, who is permitted to contact this storage daemon."
}
We enable the related Bareos services:
sysrc bareosfd_enable=YES
sysrc bareosdir_enable=YES
sysrc bareossd_enable=YES
Start the related Bareos services:
service bareos-fd start
service bareos-dir start
service bareos-sd start
vi /etc/bareos/bareos-dir.d/storage/File.conf
Storage {
Name = File
#Address = sys-bareos-server # N.B. Use a fully qualified name here (do not use "localhost" here).
Address = STORAGE_DAEMON_SERVER_IP # N.B. Use a fully qualified name here (do not use "localhost" here).
Password = "STORAGE_DAEMON_PASSWORD"
Device = FileStorage
Media Type = File
}
vi /etc/bareos/bareos-sd.d/director/bareos-dir.conf
Director {
Name = bareos-dir
Password = "STORAGE_DAEMON_PASSWORD"
Description = "Director, who is permitted to contact this storage daemon."
}
Restart the Director and Storage Daemon:
systemctl restart bareos-dir bareos-sd
Each Bareos component is configured in a specific directory with subdirectories for each functionality:
-
Director:
/usr/local/etc/bareos/bareos-dir.d/
- catalog: Database connection configuration.
- client: Configuration for clients performing backups.
- console: Configuration of users administering the director through bconsole or webui.
- counter: Stores counter configurations used in Bareos to generate sequential identifiers.
- director: Director settings, including access password.
- fileset: Templates of files to be backed up.
- job: Backup/restore configurations linked to clients.
- jobdefs: Base parameter templates; job-specific parameters can overwrite if needed.
- messages: Configuration of Bareos notification messages.
- pool: Pool definitions with retention settings.
- profile: User ACLs for bconsole/webui access.
- schedule: Time range settings associating times with backup types (Full/Differential/Incremental).
- storage: Connection parameters to the storage daemon.
-
File daemon:
/usr/local/etc/bareos/bareos-fd.d
- client: Client configuration, concurrency parameters, backup timing, plugin usage.
- director: Connection configuration to the director, matching the director’s client settings at /usr/local/etc/bareos/bareos-dir.d/client/CLIENT_NAME.conf.
- messages: Configuration of Bareos notification messages.
-
Storage daemon:
/usr/local/etc/bareos/bareos-sd.d
- autochanger: Autochanger device configuration for automatic media exchange (e.g., tapes or virtual devices).
- device: Disk, tape, S3, GlusterFS definition for backup storage.
- director: Connection configuration to the director, matching settings at /usr/local/etc/bareos/bareos-dir.d/storage/File.conf.
- messages: Configuration of Bareos notification messages.
- ndmp: NDMP (Network Data Management Protocol) configuration for network-based backup and restoration.
- storage: Storage daemon settings, concurrency parameters, backup timing, plugin usage.
-
Bconsole:
/usr/local/etc/bareos/bconsole.conf
: Connection settings for bconsole to connect with the director, matching settings in /usr/local/etc/bareos/bareos-dir.d/director/bareos-dir.conf.
-
Director:
/etc/bareos/bareos-dir.d
- catalog: Database connection configuration.
- client: Configuration for clients performing backups.
- console: User configuration for administering the director through bconsole or webui.
- director: Director settings, including access password.
- fileset: Templates of files to be backed up.
- job: Backup/restore configurations linked to clients.
- jobdefs: Base parameter templates; job-specific parameters can overwrite if needed.
- messages: Configuration of Bareos notification messages.
- pool: Pool definitions with retention settings.
- profile: User ACLs for bconsole/webui access.
- schedule: Time range settings associating times with backup types (Full/Differential/Incremental).
- storage: Connection parameters to the storage daemon.
- user: Directory for configuring additional director access users, rarely used.
-
File daemon:
/etc/bareos/bareos-fd.d
- client: Client configuration, concurrency parameters, backup timing, plugin usage.
- director: Connection configuration to the director, matching the director’s client settings at /etc/bareos/bareos-dir.d/client/CLIENT_NAME.conf.
- messages: Configuration of Bareos notification messages.
-
Storage daemon:
/etc/bareos/bareos-sd.d
- device: Disk, tape, S3, GlusterFS definition for backup storage.
- director: Connection configuration to the director, matching settings at /etc/bareos/bareos-dir.d/storage/File.conf.
- messages: Configuration of Bareos notification messages.
- storage: Storage daemon settings, concurrency parameters, backup timing, plugin usage.
-
Bconsole:
/etc/bareos/bconsole.conf
: Connection settings for bconsole to connect with the director, matching settings in /etc/bareos/bareos-dir.d/director/bareos-dir.conf.
-
Exportaciones:
/etc/bareos/bareos-dir-export
: Current Bareos Director configurations exported to individual files. This enables easy backups or migration of Bareos configurations.
By default, volumes will be created in /var/lib/bareos/storage
as defined in:
/usr/local/etc/bareos/bareos-sd.d/device/FileStorage.conf
/etc/bareos/bareos-sd.d/device/FileStorage.conf
Archive Device = /var/lib/bareos/storage
Retention, recycling, and pruning settings in Bareos can initially seem complex, so here’s a clear breakdown:
- Retention: There are several retention parameters:
- Job Retention: Defines how long a job record is kept in the catalog. Once expired, the job entry disappears from the catalog but remains on the volume with metadata. This means the job data is recoverable and can be reinserted into the catalog via a
scan
. - File Retention: Similar to Job Retention but applies to file records backed up by a job. If the period expires, file searches become unavailable unless the volume containing the data is scanned.
- Volume Retention: Determines how long a volume is retained before it’s marked as recyclable (purged), allowing overwrites. A volume marked as recyclable doesn’t mean it’s recycled immediately or space is freed.
- Job Retention: Defines how long a job record is kept in the catalog. Once expired, the job entry disappears from the catalog but remains on the volume with metadata. This means the job data is recoverable and can be reinserted into the catalog via a
The main pool parameters typically adjusted are:
- Volume Retention = 365 days -> Volume retention setting.
- Auto Prune = yes -> Enables pruning for volumes.
- Recycle = yes -> Enables volume recycling.
Bareos Web UI:
The web interface makes administration tasks easier, as running jobs from here is simpler than using bconsole.
Installing Bareos Web UI:
pkg install bareos-webui
pkg install nginx php82
cp /usr/local/etc/php.ini-production /usr/local/etc/php.ini
vi /usr/local/etc/php.ini
date.timezone = Europe/Madrid
vi /usr/local/etc/nginx/nginx.conf
...
http {
include mime.types;
default_type application/octet-stream;
include bareos.conf;
...
vi /usr/local/etc/nginx/bareos.conf
server {
listen 9100;
server_name _;
root /usr/local/www/bareos/public;
location / {
index index.php;
try_files $uri $uri/ /index.php?$query_string;
}
location ~ \.php$ {
try_files $uri =404;
include fastcgi_params;
fastcgi_index index.php;
fastcgi_split_path_info ^(.+\.php)(.*)$;
fastcgi_keep_conn on;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_pass PHP_FPM_IP:9000;
}
}
chown -R www:www /usr/local/www/bareos/public
sysrc php_fpm_enable=YES
sysrc nginx_enable=YES
service php_fpm start
service nginx start
apt install bareos-webui
a2enmod proxy_fcgi setenvif
a2enconf php8.3-fpm
systemctl reload apache2
NOTE: On Linux, the web interface uses Apache by default upon installation, but it could also work with Nginx, as configured in FreeBSD.
Create the user the web interface will use to access the director’s console:
vi /usr/local/etc/bareos/bareos-dir.d/console/admin.conf
#
# Restricted console used by bareos-webui
#
Console {
Name = admin
Password = "PASSWORD"
Profile = "webui-admin"
# As php does not support TLS-PSK,
# and the director has TLS enabled by default,
# we need to either disable TLS or setup
# TLS with certificates.
#
# For testing purposes we disable it here
TLS Enable = No
}
service bareos-dir restart
bconsole
reload
configure add console name=admin password=PASSWORD profile=webui-admin tlsenable=false
systemctl restart bareos-dir
NOTE: Editing the file /etc/bareos/bareos-dir.d/console/admin.conf
might not work, but doing so in bconsole does.
Now we can access it from the browser:
http://DIRECTOR_IP:9100
http://DIRECTOR_IP/bareos-webui
admin / PASSWORD
You will see an interface like this:
Bareos client:
To install the Bareos client (File Daemon), add the same repositories used on the server.
Since there is no version for FreeBSD 14.1 yet, install version 14.0
wget https://download.bareos.org/current/FreeBSD_14.0/add_bareos_repositories.sh
sh ./add_bareos_repositories.sh
wget https://download.bareos.org/current/xUbuntu_24.04/add_bareos_repositories.sh
chmod 700 add_bareos_repositories.sh
./add_bareos_repositories.sh
apt update
Client(File Daemon) installation:
pkg install bareos.com-filedaemon
Activate the service:
sysrc bareosfd_enable=YES
service bareos-fd start
apt install bareos-filedaemon
To connect the Director to the File Daemon, configure the following file:
vi /usr/local/etc/bareos/bareos-fd.d/director/bareos-dir.conf
vi /etc/bareos/bareos-fd.d/director/bareos-dir.conf
Director {
Name = bareos-dir
Password = "DIRECTOR_SECRET"
Description = "Allow the configured Director to access this file daemon."
}
NOTE: The IP is not necessary, as the Director initiates the connection.
Restart the File Daemon:
service bareos-fd restart
systemctl restart bareos-fd
Client configuration on the director:
vi /usr/local/etc/bareos/bareos-dir.d/client/CLIENT_NAME-fd.conf
vi /etc/bareos/bareos-dir.d/client/CLIENT_NAME-fd.conf
Client {
Name = CLIENT_NAME-fd
Address = CLIENT_FQDN(or IP)
Password = "DIRECTOR_SECRET"
}
Restart the Director:
service bareos-dir restart
systemctl restart bareos-dir
We add a job with:
bconsole
reload
configure add job name=CLIENT_NAME-job client=CLIENT_NAME-fd jobdefs=DefaultJob
The Bareos director includes a default FileSet to back up files or directories specified in File
:
cat /usr/local/etc/bareos/bareos-dir.d/fileset/SelfTest.conf
FileSet {
Name = "SelfTest"
Description = "fileset just to backup some files for selftest"
Include {
Options {
Signature = XXH128 # calculate checksum per file
}
File = "/usr/local/sbin"
}
}
cat /etc/bareos/bareos-dir.d/fileset/SelfTest.conf
FileSet {
Name = "SelfTest"
Description = "fileset just to backup some files for selftest"
Include {
Options {
Signature = XXH128 # calculate checksum per file
}
File = "/usr/sbin"
}
}
Next, we execute the DefaultJob configured with this FileSet:
cat /usr/local/etc/bareos/bareos-dir.d/jobdefs/DefaultJob.conf
JobDefs {
Name = "DefaultJob"
Type = Backup
Level = Incremental
Client = bareos-fd
FileSet = "SelfTest" # selftest fileset
Schedule = "WeeklyCycle"
Storage = File
Messages = Standard
Pool = Incremental
Priority = 10
Write Bootstrap = "/var/lib/bareos/%c.bsr"
Full Backup Pool = Full # write Full Backups into "Full" Pool
Differential Backup Pool = Differential # write Diff Backups into "Differential" Pool
Incremental Backup Pool = Incremental # write Incr Backups into "Incremental" Pool
}
cat /etc/bareos/bareos-dir.d/jobdefs/DefaultJob.conf
JobDefs {
Name = "DefaultJob"
Type = Backup
Level = Incremental
Client = bareos-fd
FileSet = "SelfTest" # selftest fileset
Schedule = "WeeklyCycle"
Storage = File
Messages = Standard
Pool = Incremental
Priority = 10
Write Bootstrap = "/var/lib/bareos/%c.bsr"
Full Backup Pool = Full # write Full Backups into "Full" Pool
Differential Backup Pool = Differential # write Diff Backups into "Differential" Pool
Incremental Backup Pool = Incremental # write Incr Backups into "Incremental" Pool
}
In the Bareos web interface, navigate to Jobs:
Jobs -> Run:
Fill the fields by clicking the dropdowns:
After clicking Submit, the interface will show, where you can click the magnifying glass on the right:
You’ll see the backup status:
To restore a file, follow these steps: Restore
In the left menu, select the Client and backup to restore. Be sure to disable the “Merge all client filesets” option; otherwise, the file tree on the right will merge all client backups. We only want the files from the selected backup. Select the files to restore on the right and click Restore:
A message informs you that a job will be queued; click OK.
Another informational message will appear; click Close.
Navigate to “Jobs” to view the restore status:
On the server, you can verify the selected file was restored to the specified path:
ls -la /tmp/bareos-restores/usr/local/sbin/pkg
-rwxr-xr-x 1 root wheel 4040720 Oct 1 03:10 /tmp/bareos-restores/usr/local/sbin/pkg
Debug:
Some useful commands for debugging in bconsole
are:
status
status dir
status jobid=nn
list pools
list volumes
list jobs
list jobid=XX
list jobtotals
messages
If you need to check the FileSet parameters configured for a job when it was backed up:
bconsole
sqlquery
SELECT Job.JobId, Job.Name, FileSet.FileSet, FileSet.FileSetId FROM Job, FileSet WHERE Job.FileSetId = FileSet.FileSetId AND Job.JobId = XX;
list filesets
list files jobid=XX
Export the configuration to verify everything is in order:
bareos-dir --export-config
bareos-fd --export-config
bareos-sd --export-config
Run processes in the foreground with maximum debug level:
bareos-dir -f -d 100
bareos-fd -f -d 100
Sometimes, systemd
may disable a service if restarted multiple times. To reset this:
systemctl reset-failed bareos-director.service
You can also view Bareos logs:
tail -f /var/log/bareos/bareos.log
tail -f /var/log/bareos/bareos-audit.log
Or system logs:
tail -f /var/log/messages
tail -f /var/log/syslog
If the director’s password does not match for either the client or storage daemon, an unclear SSL error may appear:
7 2024-10-23 21:25:09 bareos-dir JobId 6: Fatal error: No Job status returned from FD.
6 2024-10-23 21:24:33 bareos-dir JobId 6: TLS negotiation failed (while probing client protocol)
5 2024-10-23 21:24:33 bareos-dir JobId 6: Fatal error: Connect failure: ERR=error:0A000417:SSL routines::sslv3 alert illegal parameter