Solved

Hardened repo access after upgrading to v12


Userlevel 7

I just got all of our systems upgraded to v12.  With that said, I have two clients using hardened repos, and two different people set them up. Neither of them was me, and on the system I’m working on now, the engineer who set it up left the company and moved on a couple of months ago.  I planned on dipping into these a while ago but never had the time and am now thrust into it.  And my Linux skills are still fairly basic, maybe intermediate at best.

So here’s what I have:

The configuration, not that I think it matters, is an Ubuntu VM running on a Synology NAS with a virtual disk mounted to the VM.  I upgraded from v11 to v12 but the repository became unavailable during this process.  Single-use credentials are in place and I think I’ve mostly got around the learning curve on this, but can’t quite make connections on things.

There are two accounts, I’ll call them “repouser” and “admin”.  Repouser is the account that should have permissions to the repo at /mnt/veeamrepo/backups.  Admin is a member of the sudoers.  I don’t know the root password - guessing I can reset it if needed.

I’m performing the steps found here as that seems to be along the lines of what I need to do.  I’ve logged in with the admin account and added the permissions specified to the mount using the below commands.

sudo chown -R repouser:repouser /mnt/veeamrepo/backups

sudo chown repouser:repouser /mnt/veeamrepo/backups

(Pretty sure I had to sudo on those)

Of course I can’t modify the existing backup files that have immutability flags set on them, but if I don’t use -R, I can grant the permission to the folders I believe.  I also added the permissions to /mnt/veeamrepo but I suspect that wasn’t needed.

After doing so, when I rescan the linux server with the one-time credentials using the admin account, it was able to upgrade the services and scan the disks without error (it was erroring before doing so).  I was not able to scan with repouser, which, I’m not sure if I should be able to or not.

That said, now when I try to add the existing mount/folder back as a new hardened repo, I get the below error after it checks for XFS Fastclone requirements.

 

I had also found an article that mentioned chmod’ing the folder to 700 which I did apply but didn’t note anything changing.  I applied that to both /mnt/veeamrepo and /mnt/veeamrepo/backups.

Any ideas what I’m missing here?  Or am I using the wrong accounts in places?  My apologies as it’s all new to me on how this works, and it sounds like some things may have changed between v11 and v12, so crash course in learning this, so I really appreciate the help.


Best answer by regnor 9 March 2023, 21:14


49 comments

Userlevel 3

Hey @regnor 

 

You are most likely correct, but I do love the keywords “should” and “maybe” :-)

There are three options I can think of.

  1. Delete the Linux Repo, then recreate it using the correct ssh single use authentication for the storage directories. Just not sure what this would do to the backup chains.
  2. Change permissions on the storage directories to match the single use ssh credentials I used to upgrade the host.
  3. Somehow edit the SQL database where the credentials are stored to match the current storage directory permissions.

Support suggested going into Credentials & Passwords and creating the correct account. Great idea but there is no way to add those account credentials for repository access. Access Permissions in the repository only allows for AD accounts. 

Unless I’m missing something here.

 

  • Doug
Userlevel 7

@PDXdoug no sir..that isn’t correct. You can add all kinds of accounts there:

 

Userlevel 3

Oh I totally understand that one can add different account types there @coolsport00, and I did add the correct linux account and tested the ssh single use authentication and it worked fine.

Guess what I’m trying to say is how does one use this account to authenticate to the repository via either the backup job or the repository settings as the backups keep failing due to authentication.

6/23/2023 8:33:08 AM :: Error: Permission denied
Failed to get file system object info: '/media/local48/VeeamRepository/VeeamBackups/Exchange Linux Immutable/Exchange Linux Immutable.vbm'
Agent failed to process method {FileSystem.Exists}.
  
 

Userlevel 7

Ah ok. Gotcha. I was actually thinking about that yesterday (your question). Thus why I was curious what support would say. How does one ‘reauthenticate’ against the VHR after it’s already been upgraded? 🤷🏻‍♂️

Userlevel 3

Ok, this issue has been resolved.

Here is what I did. Run all commands as the root user.

1. Enable and start ssh on the linux box 

sudo systemctl enable ssh
sudo systemctl start ssh

2. Open firewall ports for ssh

sudo ufw allow ssh

3. Add the user with repository access to the Sudoers group.

sudo usermod -aG sudo "username" or you could use sudo adduser "username" sudo

4. In the B&R Console go to Backup Infrastructure and find the linux box under Managed Servers
Right click the server and go to Properties > SSH Connection > add the linux user with repository permissions to the Credentials drop down list as a Single Use Credentials. 

5. Once the ssh connection has passed testing and the linux server updated, remove the linux user from the Sudoers group - sudo deluser "username" sudo, stop the ssh service - sudo systemctl stop ssh, disable the ssh service - sudo systemctl disable ssh, and finally block ssh in the firewall - sudo ufw deny ssh.

That should do the trick. Happy Backups!

- Doug
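
A check for the state that step 5 above is meant to leave behind, together with the ownership and mode 700 applied in the opening post (an added example, not part of the original thread or of Veeam's tooling). The function names are hypothetical, and it assumes the service unit is called ssh, as in the commands above.

```shell
# Added example: verifies that the temporary upgrade access was rolled back.
# Check functions take command output as text, so they can be exercised offline.

# $1 = output of `id -nG USER`; succeeds if the user is still in the sudo group
in_sudo_group() {
    case " $1 " in *" sudo "*) return 0 ;; *) return 1 ;; esac
}

# $1 = `systemctl is-enabled ssh`, $2 = `systemctl is-active ssh`
ssh_exposed() {
    [ "$1" = "enabled" ] || [ "$2" = "active" ]
}

# $1 = `stat -c '%U:%G %a' DIR`, $2 = repo user; expects USER:USER and mode 700
repo_dir_ok() {
    [ "$1" = "$2:$2 700" ]
}

# Prints one line per finding and returns the number of findings (0 = hardened)
audit() {
    local user="$1" grp_list="$2" enabled="$3" active="$4" dirstat="$5" n=0
    if in_sudo_group "$grp_list"; then
        echo "FAIL: $user is still in the sudo group"; n=$((n + 1))
    fi
    if ssh_exposed "$enabled" "$active"; then
        echo "FAIL: ssh is $enabled/$active"; n=$((n + 1))
    fi
    if ! repo_dir_ok "$dirstat" "$user"; then
        echo "FAIL: repo dir is '$dirstat', expected '$user:$user 700'"; n=$((n + 1))
    fi
    return "$n"
}

# Gathers the real values on the repository host (run with sudo)
live_audit() {
    audit "$1" "$(id -nG "$1")" \
        "$(systemctl is-enabled ssh 2>/dev/null || true)" \
        "$(systemctl is-active ssh 2>/dev/null || true)" \
        "$(stat -c '%U:%G %a' "$2")"
}

if [ "$#" -eq 2 ]; then
    live_audit "$1" "$2"   # e.g. repouser /mnt/veeamrepo/backups
else
    # Constructed sample: the state left behind if step 5 was skipped
    audit repouser "repouser sudo" enabled active "repouser:repouser 700" || echo "findings: $?"
fi
```

Run it on the repository host with the repo user and repo path as arguments; an exit status of 0 means none of the three checks found anything.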
 

Userlevel 7

Nice! Appreciate the share @PDXdoug !

Hey guys,

Just wanted to say thank you as I just upgraded to V12 and had the same issues.

This thread saved me a lot of time and heartache.

Cheers

Userlevel 7

I re-referenced myself when I upgraded 😊

Userlevel 7

Glad I could help!  I imagine I may even have to come back and reference it for other clients, but perhaps not since this should be easier once on v12 to newer versions!

I had the exact same problem.

 

I can confirm that resaving the one time ssh credentials resolved the problem.


Under “Backup Infrastructure” → “Managed Servers” → Linux → Properties, then add the one time ssh credentials again and let it complete. The repository is back online!

 

Userlevel 1

If it was setup correctly then probably the user ‘repouser’ has been removed from the sudo group. In order to upgrade the Veeam services you need to add it back to this group (temporarily). 

usermod -a -G sudo repouser

Afterwards enter the single use credentials again and see if it works.

so found this thread when searching after upgrading to 12.1…  my Ubuntu Immutable repo is not upgrading, I added my user like above but where do I enter the single use credentials, in Ubuntu or the Veeam server?

Userlevel 7

Rt-click your Linux Repo > Properties, then go through the wizard.

Userlevel 1

NVM, found it by looking at my Linux server in VBR and processed the single use creds… still getting an error but I’ve created a case…

error

Enabling restricted mode for Installer Error: VAL components are installed on the target machine
Failed to save Linux server: VAL components are installed on the target machine
Infrastructure item save failed Error: VAL components are installed on the target machine
 

Userlevel 7

Ok...probably best. BTW...your error is interesting in that “VAL” is for Veeam Agent for Linux server, not Hardened Repo. 🤷🏻‍♂️

Userlevel 1

but aren’t we all running an agent on our Linux (Ubuntu) repositories to access them and push backup copies?

Userlevel 7

Yeah, a persistent or non-persistent agent. Not full-blown Veeam Agent for Linux, which is how I’m reading that error. I’d be interested what Support says.

Userlevel 1

ahh gotcha…  admittedly I’m just a trained monkey when it comes to this Immutable setup, I followed this HOW-TO long ago and things have just been running :)

Userlevel 7

Understood :)

Userlevel 1

So I looked further into my HOW-TO that I followed and it had me install the Linux agent in order to backup the Linux server.  So with this information does any other thoughts come to mind?  As the hardened repo setups have progressed are we now not able to backup the linux server itself?

Userlevel 7

Proxy doesn't need backed up.

Nothing I can think of. Honestly probably something only Support can answer at this point. 

Userlevel 1

So support says the following;

The error you are seeing occurs because Veeam Agent for Linux is not supported on Linux servers that hold the hardened repository role. Veeam hardened repositories do not use root, while some VAL (Veeam Agent for Linux) components do. Having the agent and utilizing the same machine as the hardened repository may result in a repository that is not sufficiently hardened, and there is a possibility that it may not function at all. This is why it is not supported and why you received the error response.

Please consider uninstalling the VAL from this hardened repository. If you want to have another backup of this repository data, please consider a backup copy job instead.

·  To uninstall Veeam Agent please use the instruction from this article: 
https://helpcenter.veeam.com/docs/backup/agents/protected_computers_uninstall.html?ver=120

·  For manual uninstallation: https://helpcenter.veeam.com/docs/agentforlinux/userguide/uninstallation_process.html?ver=60

So if I understand (and I’ve asked for clarification) this reply is saying I should not have the VAL and be backing up the hardened repo, is that what you see too?  Do you back up the Linux server that acts as a repo?

Userlevel 7

Yes, uninstall the Agent. And no, you shouldn't be backing up your Repo server. I don't back mine up. I haven't heard of anyone doing that. 

Userlevel 1

ok so the uninstall -  apt-get remove veeam veeam-libs veeamsnap did the trick, the Upgrade now processed.  Thanks for your very quick replies...

Userlevel 7

No problem. 
