Hardened repo access after upgrading to v12

Glad I could help!  I imagine I may even have to come back and reference it for other clients, but perhaps not since this should be easier once on v12 to newer versions!

Hey guys,

Just wanted to say thank you as I just upgraded to V12 and had the same issues.

this thread saved me a lot of time and heartache.

Cheers

Ok, this issue has been resolved.

Here is what I did. Run all commands as the root user.

1. Enable and start ssh on the linux box 

sudo systemctl enable ssh
sudo systemctl start ssh

2. Open firewall ports for ssh

sudo ufw allow ssh

3. Add the user with repository access to the Sudoers group.

sudo usermod -aG sudo "username" or you could use sudo adduser "username" sudo

4. In the B&R Console go to Backup Infrastructure and find the linux box under Managed Servers
Right click the server and go to Properties > SSH Connection > add the linux user with repository permissions to the Credentials drop down list as a Single Use Credentials. 

5. Once the ssh connection has passed testing and the linux server updated, remove the linux user from the Sudoers group - sudo deluser "username" sudo, stop the ssh service - sudo systemctl stop ssh, disable the ssh service - sudo systemctl disable ssh, and finally block ssh in the firewall - sudo ufw deny ssh.

That should do the trick. Happy Backups!

- Doug
 

Oh I totally understand that one can add different account types there @coolsport00, and I did add the correct linux account and tested the ssh single use authentication and it worked fine.

Guess what I’m trying to say is how does one use this account to authenticate to the repository via either the backup job or the repository settings as the backups keep failing due to authentication.

6/23/2023 8:33:08 AM :: Error: Permission denied
Failed to get file system object info: '/media/local48/VeeamRepository/VeeamBackups/Exchange Linux Immutable/Exchange Linux Immutable.vbm'
Agent failed to process method {FileSystem.Exists}.
  
 

Hey @regnor 

You are most likely correct, but I do love the keywords “should” and “maybe” :-)

There are three options I can think of.

1. Delete the Linux Repo, then recreate it using the correct ssh single use authentication for the storage directories. Just not sure what this would do to the backup chains.
2. Change permissions on the storage directories to match the single use ssh credentials I used to upgrade the host.
3. Somehow edit the SQL database where the credentials are stored to match the current storage directory permissions.

Support suggested going into Credentials & Passwords and creating the correct account. Great idea but there is no way to add those account credentials for repository access. Access Permissions in the repository only allows for AD accounts. 

Unless I’m missing something here.

• Doug

Hmm..odd. I’d be curious to hear what Support says. Keep us posted @PDXdoug 

I’ve opened  support ticket on this. Looking forward to seeing what they say.

The admin/root account shouldn’t even have had permissions on the folder/files...yes, even for being root.

So I just upgraded to V12 and of course my Linux repo required updating.

My linux repo has two users, the admin (root) account, and veeamrepo for repository access.

Instead of adding the veeamrepo user with repository permissions to the sudo users group and then upgrading the Linux repo to V12, I stupidly used the other admin (root) account to perform the SSL  upgrade.

The upgrade worked fine, but now it seems B&R is using the other admin (root) account to access the linux repositories instead of the veeamrepo account with the correct CHMOD & CHOWN permissions on the directories.

Is there any way to change the repository account in B&R back to the veeamrepo one, or do I need to change the directory permissions on the linux repo to match the admin (root) account?

Doing so would require me to enable sudo on the veeamrepo account and disable it on the admin(root) account I believe.

Thoughts?

• Doug

Yes, was just going to say that one of my takeaways from VeeamON was that with v12 and beyond, SSH no longer needs to be re-enabled for updates.  Way to go Veeam!  

Hi @Mildur - thanks for the updated info. Though I reviewed info about the ugprade, I pretty much had it all, but there was 1 item I forgot to do before I started the repo upgrade → enable SSH. Oops! 😊 Once I enabled it, I reperformed the upgrade attempt & it went without a hitch. I did re-disable SSH as well as removed my user from sudo after I completed it. Appreciate the detailed response. Hope you’ve had a good weekend...and thanks again.

Hey @dloseke ...I’m following up on this as I’m now beginning my VBR upgrade. I have 2 servers - main/prod one for backups and a DR one or replication. I upgraded my repl VBR server last wk without hitch. I’m just getting ready to start the upgrade of my main VBR server today, which has a hardened repo attached to it. So, all which was needed was to re-add the local linux user to sudo to be able to finalize the upgrade of the repo component piece, correct?

Thanks!