All-Demo Session & Installable ISO for Veeam Hardened Repository


 

22-February 2024 Update:  GOOD NEWS! We are scheming a big update and overhaul of this page at or around VeeamON time. I can’t say more!

 

During the lead-up to VeeamON, it was amazing to see what content was leading the pre-registration information. We have more data here than ever before. Constantly back and forth with the “Architecting Veeam Backup for Microsoft 365 at Scale” session, the session that @hannesk, Christoph Meyer and I are delivering was racing to the finish line as the leader. The “All Demo Session for Veeam Hardened Repository” was in the end the most popular pre-registered session, and as promised in the delivery in Miami, here is your everything-you-need-to-know guide.

Post Publish Updates:

  • 1-June 2023:  The installation requirements for the .ISO have been added.
  • 1-June 2023:  Video of installation of the .ISO has been added.
  • 2-June 2023:  Clarification on support, formatting of document.
  • 5-June 2023:  Updated .ISO with support banner and logon screen update, link updated. No changes to Ubuntu configuration or hardening script.
  • 29-June 2023: Updated .ISO with one enhancement, offline installation works.

Recording Resources

You can watch one of my practice runs of the session from Miami here:

At the VeeamON virtual event experience, we will have the replay from Miami session up very soon. 

Markdown File & Write Up

I have made a markdown file with a lot of the key information ready; you can download it here: rickvanover/VeeamHardenedRepoHub (github.com). Additionally, you can download the Markdown file at the QR code below:
 

This link goes to the VHR Markdown file that I’ve written up.

If you are not doing Markdown or GitHub you can download this as a PDF at the bottom of the page.

Overall advice

My overall advice on the Veeam Hardened Repository is to plan your deployment; this will greatly improve your experience with using the VHR. For example, I’m notorious for not documenting the options I put during the Ubuntu installation at this important stage:

 

Installable .ISO & Hardening Script

Key Update 18-December 2023: We have taken down the link for the .ISO; there will be a new one coming “Soon” :)!

One of the key parts of the Miami experience is the update we had from Product Management on new functionality for the Veeam hardened repository, which includes the Hardening Script and the installable .ISO. I recommend watching the replay to hear from Hannes and Christoph directly before using the script and .ISO. We recommend at least 100 GB for storage. You can get both below:

  • Hardening Script: https://www.veeam.com/sys507
  • Installable .ISO: (18-December 2023 - We’ve removed this download and a new one is coming “soon”!)

About this installable .ISO…. The principal benefit of the installable .ISO is that it sets up much of the installation pre-defined *and* applies the above linked hardening script. 

Installable .ISO Requirements

For the installable .ISO, we recommend you follow these prerequisites (mainly relevant if you try to install it in a VM for lab purposes):

  • This is now optional from the 29-June update:  Internet connection (HTTP to the Ubuntu update servers for automatic security updates)
  • 2 CPUs, 6 GB RAM
  • UEFI boot is required (BIOS does not work); UEFI secure boot is strongly recommended
  • 1 disk with at least 100GB for the operating system (plus cache files)
  • 100GB is a hard requirement. If that’s too high, please give feedback below.
  • Then there should be at least one second disk that is larger than 100GB for backup data; that would be the Veeam repository

During the installation, follow the wizard and reboot after the installation has finished. Then install the hardened repository role. The VHR final layout will have all disks mounted to /mnt/backup<n>

Important: Reboot again (this second reboot locks down the whole system and you can only reboot / shutdown with sudo. There is no root / sudo anymore at this stage) - this is the result of the hardening. Think of this result as taking a massive green pill that tells this system its role in life forever on is to be a VHR.

After reading all of this, you are now ready to watch my video of installing the VHR with the .ISO:



Installable .ISO General Information & Support Statement

  • It's a community project. Please don't call Veeam support for use of the .ISO. Once a VHR is deployed and configured in Veeam Backup & Replication, it would be subject to support.
  • Automatic updates are enabled.
  • The user does not have permissions to update manually.
  • We plan to add a note to the banner message where to find more information about the ISO installer.

Get Started with the Veeam Hardened Repository 

Getting started with the VHR doesn’t have to be overwhelming. Give it a try - and let us know how it goes in the comments below.


This topic has been closed for comments

199 comments

Userlevel 7
Badge +10

Before I go too deep & wide @regnor - BIOS/UEFI mode option on the physical server… is it set?

Userlevel 7
Badge +14

@Rick Vanover UEFI Mode. It's the same server which I've used for the other tests.

Userlevel 7
Badge +10

@Rick Vanover UEFI Mode. It's the same server which I've used for the other tests.

There was an updated .ISO - so the one previously worked. I may put you in touch with the QA person cuz ‘German...

Userlevel 2

Hi there @Rick Vanover,

in our scenario, there is no way to boot the VM from the updated Veeam .ISO. Basically, after choosing the EFI VMware Virtual SATA CDROM Drive, the VM attempts to boot but then returns to the boot selection prompt:

As soon as we switch to the vanilla Ubuntu ISO, the VM boots successfully:

 

Please let me know if you need any additional information from our side.

Thanks !

Massimiliano

Userlevel 7
Badge +14

@Rick Vanover UEFI Mode. It's the same server which I've used for the other tests.

There was an updated .ISO - so the one previously worked. I may put you in touch with the QA person cuz ‘German...

@Rick Vanover I can switch to US layout if you prefer 😅

Userlevel 5
Badge +2

I installed it a few minutes ago in VMware and it just worked. So it’s not completely broken I guess :-)

@mrizzi2 did you check the md5 / sha256 sum? If it does not even boot, that’s odd

@regnor :  if you can send me the logs via email, that would be great. Just to be sure… the server still has internet access? Not that some firewall rules changed.

I guess, the easiest way is to boot with another LIVE ISO and then the following logs would be interesting (or just everything in /var/log)

  • /var/log/veeam/hardened_repository_installer.log
  • /var/log/syslog
  • /var/log/cloud-init.log
Userlevel 2

@mrizzi2 did you check the md5 / sha256 sum? If it does not even boot, that’s odd

That’s strange indeed as the sha256 sum is matching:

UEFI secure boot option is enabled on the test VMs I am using:

@HannesK Would it be possible for you to kindly share a VeeamZIP of the VM you are using in order for me to restore it in our lab environment ? Thanks !

Badge

Hello,
First of all, a great job on providing this ISO and information.
When installing the iso on a VM (for test) I got the following error:

 

My VM is running on VMware (vSphere 7), UEFI and secure boot enabled.
disk1 = 100GB disk 2=150 GB 1 NIC
thanks in advance

Userlevel 7
Badge +14

@HannesK Thanks for the hint with the internet access. Is this necessary for the installation to succeed? Indeed the physical server doesn’t have internet access at the moment. So I tried setting it up in a virtual machine, which can access the internet and it also failed. I’ll send you the logs shortly.

Userlevel 7
Badge +14

Update: Forgot to check the boot mode for the new VM; it was BIOS. Switched to EFI and now was able to install it. So the problem may be related only to the missing internet connection of my physical server.

Userlevel 7
Badge +14

I’m sorry to post 3 times in a row, but just wanted to say everything’s working for me with the new ISO. Seems like it was the missing internet connection which made the installer fail; didn’t see this as a hard requirement.

Internet connection (HTTP to the Ubuntu update servers for automatic security updates)

 

Userlevel 5
Badge +2

Hello,
First of all, a great job on providing this ISO and information.
When installing the iso on a VM (for test) I got the following error:

 

My VM is running on VMware (vSphere 7), UEFI and secure boot enabled.
disk1 = 100GB disk 2=150 GB 1 NIC
thanks in advance

No idea so far on this one. It’s not the classic “no internet connection” problem.

The error about dependency issues is clear, but no idea where it comes from

Hello,
First of all, a great job on providing this ISO and information.
When installing the iso on a VM (for test) I got the following error:

 

My VM is running on VMware (vSphere 7), UEFI and secure boot enabled.
disk1 = 100GB disk 2=150 GB 1 NIC
thanks in advance

No idea so far on this one. It’s not the classic “no internet connection” problem.

The error about dependency issues is clear, but no idea where it comes from

Got the same error with my test VM, but in my case it was the classic “no internet connection” problem. First try was in a VLAN without internet, because the backup server hardware I want to use will also be without internet connection, and I got the error above.
Then I tried a VLAN with internet connection and observed the installation progress. Setup seems to download the packages. Installation worked fine.
No idea how to investigate that, since I’m one of those Windows guys … but internet seems necessary.

Userlevel 5
Badge +2

Thanks for confirming that the problem can be solved with internet connection. I got a different error.

Yes, internet is a hard requirement. Otherwise the system would not get security updates. That’s why the wizard for the HTTP proxy exists.

As we got so much feedback now about “no internet connection” problems: we are working to include all required packages directly into the ISO.

That creates a new problem with missing security updates. I guess, it’s something to ignore from our side, because it’s obvious that one cannot have updates without internet (assuming that nobody who uses the ISO would run its own Ubuntu mirror)

Userlevel 7
Badge +20

Just deployed a VHR using the ISO on VMware vSphere 8 in my homelab.  Worked like a charm and then added it to VBR with single use credentials.  So far it is working so might spin up a few more and then create a SOBR from them.  😎

Userlevel 7
Badge +10

Yes, every time I had an error it was as the requirements were not met :)

Badge

Thanks all for the information and confirmation.
But if Internet is a hard requirement perhaps there could be a check before the installation starts.

But is this really needed? Also after installation? We have our Repos isolated in our network with minimal access.

If the internet requirement is mandatory for the installation, is it possible to change the IP settings after installing the VHR?

And even with internet access is there a kind of patching in the background, or is it a one-time installation with no patching possible?
 

Badge

Hi,
I still get an Error even when I configured a Proxy server.
 

And verifying the proxy is allowing connection
 


So it seems like during the installation the proxy server is not used.
Any help is appreciated
Thx!

Userlevel 7
Badge +10

Hey @rladrak → That is an interesting idea, like a pre-requisite checker. Our goal was to have the installer be as limited as possible, but this may make sense. I’ll relay this idea to the QA resource.
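The pre-requisite checker idea raised above, applied to the requirements listed in the original post, as an added example (not part of the ISO, the hardening script, or any poster's code). The byte thresholds for "100GB" and "6 GB RAM" and the `--check` switch are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example: pre-flight check for the requirements listed in the post.
# Assumptions: "100GB" is read as 100 * 10^9 bytes, and "6 GB RAM" is accepted
# from 5.5 GiB up, because MemTotal is always a little below the installed size.
MIN_CPUS=2
MIN_RAM_KIB=$((11 * 512 * 1024))
MIN_DISK_BYTES=$((100 * 1000 * 1000 * 1000))

# A UEFI-booted Linux exposes this directory; a BIOS-booted one does not.
check_uefi() { [ -d "${1:-/sys/firmware/efi}" ]; }
check_cpus() { [ "$1" -ge "$MIN_CPUS" ]; }
check_ram_kib() { [ "$1" -ge "$MIN_RAM_KIB" ]; }

# Args: whole-disk sizes in bytes. Passes when two disks are at least 100GB
# and one of them is larger than 100GB (OS disk plus backup-data disk).
check_disks() {
  local size at_least=0 larger=0
  for size in "$@"; do
    if [ "$size" -ge "$MIN_DISK_BYTES" ]; then at_least=$((at_least + 1)); fi
    if [ "$size" -gt "$MIN_DISK_BYTES" ]; then larger=$((larger + 1)); fi
  done
  [ "$at_least" -ge 2 ] && [ "$larger" -ge 1 ]
}

# Gather facts from the running system (for example a live ISO) and report.
preflight() {
  local rc=0 ram_kib disks
  ram_kib=$(awk '/^MemTotal:/ {print $2}' /proc/meminfo)
  disks=$(lsblk -b -d -n -o SIZE,TYPE | awk '$2 == "disk" {print $1}')
  check_uefi || { echo "FAIL: not booted in UEFI mode"; rc=1; }
  check_cpus "$(nproc)" || { echo "FAIL: fewer than $MIN_CPUS CPUs"; rc=1; }
  check_ram_kib "$ram_kib" || { echo "FAIL: less than 6 GB RAM"; rc=1; }
  # $disks is left unquoted on purpose: one size per word.
  check_disks $disks || { echo "FAIL: need two disks of 100GB+, one larger"; rc=1; }
  if [ "$rc" -eq 0 ]; then echo "OK: listed requirements met"; fi
  return "$rc"
}

# Only touch the real system when asked: bash preflight.sh --check
if [ "${1:-}" = "--check" ]; then preflight; fi
```

A BIOS-mode VM, as in the case reported earlier in the thread, fails the first check before any disk or package work starts.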

Userlevel 7
Badge +14

@Rick Vanover Do you know if/when the recording of your Miami session will be online?

Userlevel 5
Badge +2

Thanks, we will check the proxy behavior. I’m a bit concerned about the IPv6 messages though…

 

Anyway: I got a new ISO that does not require internet and I want to test it next week before Rick can update the download link

Userlevel 1

Hello,

I’ve just deployed a test repo, and now I’m starting to play with it. Once rebooted, I’ve realized that it’s impossible to run sudo to change disk layout, for example I want to modify an LVM instance, or extend a filesystem and I can’t see how to do this…..

Any idea?

 

Userlevel 5
Badge +2

Hello,
correct… people who are able to do such things don’t need the ISO :-)

They can just use the hardening script https://github.com/VeeamHub/veeam-hardened-repository

If you need root login, there is a blog post for that: https://www.veeam.com/blog/ubuntu-linux-defense-secure-boot-single-user.html

Best regards
Hannes

Userlevel 7
Badge +20

Hello,

I’ve just deployed a test repo, and now I’m starting to play with it. Once rebooted, I’ve realized that it’s impossible to run sudo to change disk layout, for example I want to modify an LVM instance, or extend a filesystem and I can’t see how to do this…..

Any idea?

 

I believe you need to log in as root or enable the login again after the deployment since the hardening of the server removes this.  Once you have the system running why would you want to change it though?  The OS drive is set up with the ISO and the larger drive becomes the backup.  Just curious on the use case to make changes.

I believe the other way to make changes is during the deployment of the ISO as you can manually set up the disk layout.

***UPDATE - Hannes beat me to it LOL ***

Userlevel 1

Hello,

I’ve just deployed a test repo, and now I’m starting to play with it. Once rebooted, I’ve realized that it’s impossible to run sudo to change disk layout, for example I want to modify an LVM instance, or extend a filesystem and I can’t see how to do this…..

Any idea?

 

I believe you need to log in as root or enable the login again after the deployment since the hardening of the server removes this.  Once you have the system running why would you want to change it though?  The OS drive is set up with the ISO and the larger drive becomes the backup.  Just curious on the use case to make changes.

I believe the other way to make changes is during the deployment of the ISO as you can manually set up the disk layout.

***UPDATE - Hannes beat me to it LOL ***

What if your backup drive needs to be extended?…..sometimes data grows, or even grows a lot….. We run our production backup in a physical self deployed repo server with hardening tips from Gostev, and others, and I’ve had to extend the repo filesystem because of this… I was just wondering if this ISO was a better option for us