A previous post (https://community.veeam.com/blogs-and-podcasts-57/veeamsoftwareappliance-on-fedora-42-11241) covered how to set up the software appliance on a Fedora 42 host, including network configuration for direct bridging. This post provides information on setting up a Veeam Hardened Repository.
While this documentation is intended for lab use, it may also be relevant for SMB customers seeking guidance on configuring an all-in-one appliance. Security considerations were not a primary focus, so additional safety measures may be necessary. For instance, it may be advisable not to bridge the host itself to prevent external access after installation.
First, install virt-install to quickly set up new virtual machines.
sudo dnf install virt-install -y
If you want the disks on another set of drives (e.g. /dev/sdb mounted at /mnt/backup), create a subdirectory for your user on it and add it as a storage pool.
sudo mkdir /mnt/backup/$USER
sudo chown $USER:$USER /mnt/backup/$USER
mkdir /mnt/backup/$USER/data
virsh pool-define-as dataimages dir - - - - /mnt/backup/$USER/data
virsh pool-build dataimages
virsh pool-autostart dataimages
Place the JeOS (infrastructure) ISO in /home/$USER/iso. Copy the hardened repo kickstart and modify the copy to configure settings such as timezone and keyboard layout. Matching the keyboard layout to the one you actually use makes password entry easier. If you use a US keyboard, delete the line that sets it to “be”; otherwise, the example will set it to Belgian AZERTY (be) by default.
ISOPATH=/home/$USER/iso
cd $ISOPATH
mkdir tmp
sudo mount *JeOS*.iso tmp
cat tmp/hardened-repo-ks.cfg > hardened-repo-ks-mod.cfg
sed -i 's/keyboard.*/keyboard --xlayouts='"'"be"'"'/' hardened-repo-ks-mod.cfg
sed -i 's/^timezone.*/timezone Europe\/Brussels --utc/' hardened-repo-ks-mod.cfg
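One way to check the result before it is injected into the installer is to compare the modified kickstart with the original and flag any changed line that is not a keyboard or timezone directive. This is an added example, not part of the original post; the function names and the sample kickstart are constructed, and the demo shows that the unanchored keyboard pattern also rewrites a comment line containing the word.

```shell
#!/bin/sh
# Added example (not from the original post): confirm that a modified kickstart
# differs from the ISO's original only in its keyboard and timezone directives.

# ks_unexpected_changes ORIG MOD
# Prints every changed line that is not a keyboard/timezone directive and
# returns 1 if any exist; returns 0 when the edit touched nothing else.
ks_unexpected_changes() {
  extra=$(diff "$1" "$2" | grep '^[<>]' \
          | grep -Ev '^[<>] (keyboard|timezone)( |$)' || true)
  [ -z "$extra" ] && return 0
  printf '%s\n' "$extra"
  return 1
}

# Constructed sample; the real hardened-repo-ks.cfg will look different.
make_sample_ks() {
  cat > "$1" <<'EOF'
keyboard --xlayouts='us'
timezone Etc/UTC --utc
# keyboard and timezone are set above
rootpw --lock
EOF
}

# apply_edits KEYBOARD_PATTERN ORIG MOD: the post's two sed edits, written to MOD.
apply_edits() {
  sed -e "s/$1/keyboard --xlayouts='be'/" \
      -e 's/^timezone.*/timezone Europe\/Brussels --utc/' "$2" > "$3"
}

demo() {
  d=$(mktemp -d)
  make_sample_ks "$d/orig.cfg"
  apply_edits 'keyboard.*' "$d/orig.cfg" "$d/loose.cfg"      # pattern as in the post
  apply_edits '^keyboard.*' "$d/orig.cfg" "$d/anchored.cfg"  # anchored variant
  for f in loose anchored; do
    if ks_unexpected_changes "$d/orig.cfg" "$d/$f.cfg"; then
      echo "$f: only keyboard/timezone changed"
    else
      echo "$f: unexpected changes listed above"
    fi
  done
  rm -rf "$d"
}
demo
```

With the real files, the call is `ks_unexpected_changes tmp/hardened-repo-ks.cfg hardened-repo-ks-mod.cfg`, run from $ISOPATH while the ISO is still mounted.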
To see how the default hardened repo boots, check the grub.cfg file. This helps when creating a custom startup line and when adding the modified kickstart script.
cat $ISOPATH/tmp/EFI/BOOT/grub.cfg | grep "Hardened Repo" -A 4
This should yield something like:
submenu 'Veeam Hardened Repository' {
menuentry 'Install - fresh install, wipes everything (including local backups)' --class fedora --class gnu-linux --class gnu --class os {
linuxefi /images/pxeboot/vmlinuz inst.stage2=hd:LABEL=Rocky-9-2-x86_64 inst.ks=hd:LABEL=Rocky-9-2-x86_64:/hardened-repo-ks.cfg quiet
initrdefi /images/pxeboot/initrd.img
}
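The kernel arguments later passed to virt-install can be derived from this grub.cfg entry instead of being retyped, so the volume label always matches the ISO in use. This is an added example, not part of the original post; the function name `extra_args_from_grub` and the embedded grub.cfg text are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): build the --extra-args value
# from the ISO's grub.cfg, pointing inst.ks at the injected kickstart file.

# Constructed sample, shaped like the grub.cfg excerpt shown above.
sample_grub_cfg() {
  cat <<'EOF'
menuentry 'Some other entry' {
linuxefi /images/pxeboot/vmlinuz inst.stage2=hd:LABEL=Other quiet
}
submenu 'Veeam Hardened Repository' {
menuentry 'Install - fresh install, wipes everything (including local backups)' --class fedora --class gnu-linux --class gnu --class os {
linuxefi /images/pxeboot/vmlinuz inst.stage2=hd:LABEL=Rocky-9-2-x86_64 inst.ks=hd:LABEL=Rocky-9-2-x86_64:/hardened-repo-ks.cfg quiet
initrdefi /images/pxeboot/initrd.img
}
}
EOF
}

# extra_args_from_grub SUBMENU_TITLE KS_FILE   (grub.cfg on stdin)
# Prints the kernel arguments of the first linuxefi line inside the named
# submenu with inst.ks= rewritten to file:/KS_FILE. Returns 1 and prints
# nothing if the submenu or its inst.ks= argument is not found.
extra_args_from_grub() {
  awk -v title="$1" -v ks="$2" '
    $1 == "submenu" { in_sub = (index($0, "\047" title "\047") > 0); next }
    in_sub && $1 == "linuxefi" {
      out = ""
      for (i = 3; i <= NF; i++) {          # $1 = linuxefi, $2 = kernel path
        arg = $i
        if (arg ~ /^inst\.ks=/) { arg = "inst.ks=file:/" ks; found = 1 }
        out = out (out == "" ? "" : " ") arg
      }
      if (found) print out
      exit
    }
    END { exit (found ? 0 : 1) }
  '
}

sample_grub_cfg | extra_args_from_grub 'Veeam Hardened Repository' hardened-repo-ks-mod.cfg
```

Against the mounted ISO, feed it `$ISOPATH/tmp/EFI/BOOT/grub.cfg` on stdin and pass the printed string to `--extra-args`.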
The installation command can now be defined. A variable R is used to facilitate the setup of multiple repositories within your environment. Repeated execution will increment R, resulting in repository names such as repo001, repo002, and so forth.
The --location parameter is required to inject the modified kickstart script and pass the necessary initrd parameters.
The command virsh send-key $RNAME KEY_ENTER sends an Enter keystroke to confirm erasure of all data on newly initialized disks. There is a 60-second delay implemented to allow sufficient time for the ISO image to boot; while 60 seconds may be conservative, 30 seconds may not provide adequate time depending on hardware specifications.
R=$(($R+1))
RNAME=$(printf "repo%03d" $R)
virt-install \
-n $RNAME \
--description "$(printf 'Veeam Backup & Replication REPO repo%03d' $R)" \
--graphics=spice \
--boot=uefi \
--os-variant=rocky9 \
--ram=4096 \
--vcpus=4 \
--disk pool=gnome-boxes,bus=virtio,size=120 \
--disk pool=dataimages,bus=virtio,size=150 \
--location $ISOPATH/VeeamJeOS_13.0.0.4967_20250822.iso \
--initrd-inject=$ISOPATH/hardened-repo-ks-mod.cfg \
--extra-args="inst.stage2=hd:LABEL=Rocky-9-2-x86_64 inst.ks=file:/hardened-repo-ks-mod.cfg quiet" \
--network network=br0 \
--noautoconsole && sleep 60;virsh send-key $RNAME KEY_ENTER
while [ -z "$(virsh domstate $RNAME | grep off)" ];do echo "waiting";sleep 10;done
virsh start $RNAME
sleep 10;virt-viewer $RNAME &
Bonus: Alternative ISO Installation for VBR
Installing VBR via the ISO may be more practical than importing the OVA, as the ISO is hardware-agnostic and officially supported. You can also modify the kickstart similarly. Since the commands are mostly copy-paste, I'll just include the example here with minimal explanation.
Download the VeeamSoftwareAppliance ISO to /home/$USER/iso. Remove the keyboard line and set the timezone as needed.
ISOPATH=/home/$USER/iso
cd $ISOPATH
mkdir -p tmp
sudo mount VeeamSoftwareAppliance*.iso tmp
cat tmp/vbr-ks.cfg > vbr-ks-mod.cfg
sed -i 's/keyboard.*/keyboard --xlayouts='"'"be"'"'/' vbr-ks-mod.cfg
sed -i 's/^timezone.*/timezone Europe\/Brussels --utc/' vbr-ks-mod.cfg
Let’s review the boot process of the default VBR installation.
cat $ISOPATH/tmp/EFI/BOOT/grub.cfg | grep "Backup &" -A 4
submenu 'Veeam Backup & Replication' {
menuentry 'Install - fresh install, wipes everything (including local backups)' --class fedora --class gnu-linux --class gnu --class os {
linuxefi /images/pxeboot/vmlinuz inst.stage2=hd:LABEL=Rocky-9-2-x86_64 inst.ks=hd:LABEL=Rocky-9-2-x86_64:/vbr-ks.cfg quiet
initrdefi /images/pxeboot/initrd.img
}
The process for installation closely resembles that of installing a repository.
R=$(($R+1))
RNAME=$(printf "vbr%03d" $R)
virt-install \
-n $RNAME \
--description "$(printf 'Veeam Backup & Replication VBR vbr%03d' $R)" \
--graphics=spice \
--boot=uefi \
--os-variant=rocky9 \
--ram=4096 \
--vcpus=4 \
--disk pool=dataimages,bus=virtio,size=240 \
--disk pool=dataimages,bus=virtio,size=250 \
--location $(ls $ISOPATH/VeeamSoftwareAppliance*.iso) \
--initrd-inject=$ISOPATH/vbr-ks-mod.cfg \
--extra-args="inst.stage2=hd:LABEL=Rocky-9-2-x86_64 inst.ks=file:/vbr-ks-mod.cfg quiet" \
--network network=br0 \
--noautoconsole && sleep 60 && virsh send-key $RNAME KEY_ENTER
echo "waiting";while [ -z "$(virsh domstate $RNAME | grep off)" ];do echo -n ".";sleep 3;done
virsh start $RNAME
sleep 10;virt-viewer $RNAME &