Solved

Hardened repo access after upgrading to v12


Userlevel 7
Badge +6

I just got all of our systems upgraded to v12.  With that said, I have two clients using hardened repo’s and two different people set them up, neither of them were me, and the system I’m working on now - the engineer that set that up left the company and moved on a couple months ago.  I planned on dipping into these a while ago but never had the time and am now thrust into it.  And my linux skills are still fairly basic, maybe intermediate at best.

So here’s what I have:

The configuration, not that I think it matters, but is a Ubuntu VM running on a Synology NAS with a virtual disk mounted to the VM.  I upgraded from v11 to v12 but the repository became unavailable during this process.  Single-use credentials are in place and I think I’ve mostly got around the learning curve on this, but can’t quite make connections on things.

There are two accounts, I’ll call them “repouser” and “admin”.  Repouser is the account that should have permissions to the repo at /mnt/veeamrepo/backups.  Admin is a member of the sudoers.  I don’t know the root password - guessing I can reset it if needed.

I’m performing the steps found here as that seems to be along the lines of what I need to do.  I’ve logged in with the admin account added the permissions specified to the mount using the below commands.

sudo chown -R repouser:repouser /mnt/veeamrepo/backups

sudo chown repouser:repouser /mnt/veeamrepo/backups

(Pretty sure I had to sudo on those)

Of course I can’t modify the existing backup files that have immutability flags set on them, but if I don’t use -R, I can grant the permission to the folders I believe.  I also added the permissions to /mnt/veeamrepo but I suspect that wasn’t needed.

After doing so, when I rescan the linux server with the one-time credentials using the admin account, it was able to upgrade the services and scan the disks without error (it was erroring before doing so).  I was not able to scan with repouser, which, I’m not sure if I should be able to or not.

That said, now when I try to add the existing mount/folder back as a new hardened repo, I get the below error after it checks for XFS Fastclone requirements.

 

I had also found an article that mentioned chmod’ing the folder to 700 which I did apply but didn’t note anything changing.  I applied that to both /mnt/veeamrepo and /mnt/veeamrepo/backups.

Any idea’s what I’m missing here?  Or am I using the wrong accounts in places?  My apologies as it’s all new to me on how this works, and it sounds like some things may have changed between v11 and v12, so crash course in learning this, so I really appreciate the help.

icon

Best answer by regnor 9 March 2023, 21:14

View original

49 comments

Userlevel 7
Badge +14

If it was setup correctly then probably the user ‘repouser’ has been removed from the sudo group. In order to upgrade the Veeam services you need to add it back to this group (temporarily). 

usermod -a -G sudo repouser

Afterwards enter the single use credentials again and see if it works.

Userlevel 7
Badge +17

When setting up the VHR, the ‘general user’, not root/admin, is the account which should have permissions on everything. Let me look at the permissions (user/group) on my folder structure and let you know what I find….

Userlevel 7
Badge +17

If you ls -l on your /mnt folder, you should see repouser as both user & group owner of the /veeamrepo folder; if you go into /veeamrepo & run that cmd again, those same rights should also be down to /backups, and then on the files. The permissions on my folders/files within my /mnt directory are 755 (rwx-r-x-r-x). In implementing mine, I didn’t need to change file/folder permissions at all. Don’t think that makes a difference. Your repouser does need sudo permissions though as @regnor mentions. You can run sudo -l -U repouser to see if the user has sudo rights. The last line should say ‘run the following commands (ALL) ALL’ for that to be true. Let us know what you find.

Userlevel 7
Badge +6

If it was setup correctly then probably the user ‘repouser’ has been removed from the sudo group. In order to upgrade the Veeam services you need to add it back to this group (temporarily). 

usermod -a -G sudo repouser

Afterwards enter the single use credentials again and see if it works.

 

Yes, repouser is not on the list of sudoers.  It’s only the admin account.  So the proper way to do this is to add repouser to the sudoers, and then once all is connected and working again, remove from sudoers?

Userlevel 7
Badge +17

Hey Derek...yessir...remove the regular acct from sudoers:

sudo deluser repouser sudo

Userlevel 7
Badge +10

Good thread here. I figured this would happen with the VHR on upgrades.

Userlevel 7
Badge +14

@dloseke Yes it is. The repouser needs to be in that group to install/upgrade the transport service. Afterwards you remove him from the group for security reasons as it doesn't need root/sudo permissions anymore.

Userlevel 7
Badge +6

Thanks all, especially @regnor and @coolsport00 on this.  I added repouser to the sudoers, go things reconnected and removed it, and all is looking good.  Appreciate the quick help!

Userlevel 7
Badge +17

Awesome. Glad to hear Derek!

Userlevel 7
Badge +14

I’m glad that it worked @dloseke! We have some great information on the hardened repository in the community, if you want to learn more about it (like the series from @vNote42) . And this article from @WorkingHardInIT has everything you need to know from Linux/Ubuntu to Veeam: https://www.starwindsoftware.com/blog/veeam-hardened-linux-repository-part-1

Userlevel 7
Badge +17

There is indeed. I used Paolo’s posts myself. Thought his was detailed, start to finish, & easy to follow.

Userlevel 7
Badge +17

Hey @dloseke ...I’m following up on this as I’m now beginning my VBR upgrade. I have 2 servers - main/prod one for backups and a DR one or replication. I upgraded my repl VBR server last wk without hitch. I’m just getting ready to start the upgrade of my main VBR server today, which has a hardened repo attached to it. So, all which was needed was to re-add the local linux user to sudo to be able to finalize the upgrade of the repo component piece, correct?

Thanks!

Userlevel 7
Badge +12

Hi Shane


Please replace reposuser with the username you use for the deployment. 
 

1) Enable SSH
sudo systemctl start ssh

2) Add Repo User to Sudo
sudo usermod -aG sudo repouser

3) Update Backup Repo in VBR Console with Single Use Credentials

4) Remove Repo User from Sudo
sudo deluser repouser sudo

5) Disable SSH
sudo systemctl stop ssh

 

Future updates (v12 to a later version) will not require that process and SSH anymore.

 

Best,

Fabian

Userlevel 7
Badge +17

Hi @Mildur - thanks for the updated info. Though I reviewed info about the ugprade, I pretty much had it all, but there was 1 item I forgot to do before I started the repo upgrade → enable SSH. Oops! 😊 Once I enabled it, I reperformed the upgrade attempt & it went without a hitch. I did re-disable SSH as well as removed my user from sudo after I completed it. Appreciate the detailed response. Hope you’ve had a good weekend...and thanks again.

Userlevel 7
Badge +17

Glad to also hear future updates won’t require the couple extra steps. They aren’t difficult, but convenient for the hardened repo to upgrade/update as ‘normal’ repos do. Thanks!

Userlevel 7
Badge +6

Yes, was just going to say that one of my takeaways from VeeamON was that with v12 and beyond, SSH no longer needs to be re-enabled for updates.  Way to go Veeam!  

Userlevel 7
Badge +17

A very welcomed change 😊

Userlevel 3

So I just upgraded to V12 and of course my Linux repo required updating.

My linux repo has two users, the admin (root) account, and veeamrepo for repository access.

Instead of adding the veeamrepo user with repository permissions to the sudo users group and then upgrading the Linux repo to V12, I stupidly used the other admin (root) account to perform the SSL  upgrade.

The upgrade worked fine, but now it seems B&R is using the other admin (root) account to access the linux repositories instead of the veeamrepo account with the correct CHMOD & CHOWN permissions on the directories.

Is there any way to change the repository account in B&R back to the veeamrepo one, or do I need to change the directory permissions on the linux repo to match the admin (root) account?

Doing so would require me to enable sudo on the veeamrepo account and disable it on the admin(root) account I believe.

Thoughts?

  • Doug
Userlevel 7
Badge +17

Did the permissions on the folder & files change? Check, using ls -l on the folder & files.

Userlevel 7
Badge +17

The admin/root account shouldn’t even have had permissions on the folder/files...yes, even for being root.

Userlevel 3

No, the permissions are correct

drwx------  12 veeamrepo veeamrepo 4096 Dec 13  2022 VeeamBackups

And the admin/root account doesn’t nor ever did have permissions on those folders.

Userlevel 3

I’ve opened  support ticket on this. Looking forward to seeing what they say.

Userlevel 3

This is the error I receive btw:

 

6/22/2023 10:43:20 AM :: Error: Permission denied
Failed to get file system object info: '/media/local48/VeeamRepository/VeeamBackups/Santiam Linux Immutable/Santiam Linux Immutable.vbm'
Agent failed to process method {FileSystem.Exists}.
  
 

Userlevel 7
Badge +17

Hmm..odd. I’d be curious to hear what Support says. Keep us posted @PDXdoug 

Userlevel 7
Badge +14

@PDXdoug V12 should prevent the usage of the root account, but maybe this only counts for new repositories. You can check which serviceuser is used in the config file on your hardened repository: /opt/veeam/transport/VeeamTransportConfig

Comment