If it was set up correctly then probably the user ‘repouser’ has been removed from the sudo group. In order to upgrade the Veeam services you need to add it back to this group (temporarily).
usermod -a -G sudo repouser
Afterwards enter the single use credentials again and see if it works.
Good thread here. I figured this would happen with the VHR on upgrades.
Hi Shane
Please replace repouser with the username you use for the deployment.
1) Enable SSH
sudo systemctl start ssh
2) Add Repo User to Sudo
sudo usermod -aG sudo repouser
3) Update Backup Repo in VBR Console with Single Use Credentials
4) Remove Repo User from Sudo
sudo deluser repouser sudo
5) Disable SSH
sudo systemctl stop ssh
Future updates (v12 to a later version) will not require that process and SSH anymore.
Best,
Fabian
Yes, was just going to say that one of my takeaways from VeeamON was that with v12 and beyond, SSH no longer needs to be re-enabled for updates. Way to go Veeam!
When setting up the VHR, the ‘general user’, not root/admin, is the account which should have permissions on everything. Let me look at the permissions (user/group) on my folder structure and let you know what I find….
@dloseke Yes it is. The repouser needs to be in that group to install/upgrade the transport service. Afterwards you remove him from the group for security reasons as it doesn't need root/sudo permissions anymore.
So I just upgraded to V12 and of course my Linux repo required updating.
My linux repo has two users, the admin (root) account, and veeamrepo for repository access.
Instead of adding the veeamrepo user with repository permissions to the sudo users group and then upgrading the Linux repo to V12, I stupidly used the other admin (root) account to perform the SSL upgrade.
The upgrade worked fine, but now it seems B&R is using the other admin (root) account to access the linux repositories instead of the veeamrepo account with the correct CHMOD & CHOWN permissions on the directories.
Is there any way to change the repository account in B&R back to the veeamrepo one, or do I need to change the directory permissions on the linux repo to match the admin (root) account?
Doing so would require me to enable sudo on the veeamrepo account and disable it on the admin(root) account I believe.
Thoughts?
Thanks all, especially @regnor and @coolsport00 on this. I added repouser to the sudoers, got things reconnected and removed it, and all is looking good. Appreciate the quick help!
No, the permissions are correct
drwx------ 12 veeamrepo veeamrepo 4096 Dec 13 2022 VeeamBackups
And the admin/root account doesn’t nor ever did have permissions on those folders.
This is the error I receive btw:
6/22/2023 10:43:20 AM :: Error: Permission denied
Failed to get file system object info: '/media/local48/VeeamRepository/VeeamBackups/Santiam Linux Immutable/Santiam Linux Immutable.vbm'
Agent failed to process method {FileSystem.Exists}.
@PDXdoug V12 should prevent the usage of the root account, but maybe this only counts for new repositories. You can check which serviceuser is used in the config file on your hardened repository: /opt/veeam/transport/VeeamTransportConfig
Hi @Mildur - thanks for the updated info. Though I reviewed info about the upgrade, I pretty much had it all, but there was 1 item I forgot to do before I started the repo upgrade → enable SSH. Oops! Once I enabled it, I reperformed the upgrade attempt & it went without a hitch. I did re-disable SSH as well as removed my user from sudo after I completed it. Appreciate the detailed response. Hope you’ve had a good weekend...and thanks again.
I’m glad that it worked @dloseke! We have some great information on the hardened repository in the community, if you want to learn more about it (like the series from @vNote42) . And this article from @WorkingHardInIT has everything you need to know from Linux/Ubuntu to Veeam: https://www.starwindsoftware.com/blog/veeam-hardened-linux-repository-part-1
A very welcomed change
There is indeed. I used Paolo’s posts myself. Thought his was detailed, start to finish, & easy to follow.
Ok, this issue has been resolved.
Here is what I did. Run all commands as the root user.
1. Enable and start ssh on the linux box
sudo systemctl enable ssh
sudo systemctl start ssh
2. Open firewall ports for ssh
sudo ufw allow ssh
3. Add the user with repository access to the Sudoers group.
sudo usermod -aG sudo "username" or you could use sudo adduser "username" sudo
4. In the B&R Console go to Backup Infrastructure and find the linux box under Managed Servers
Right click the server and go to Properties > SSH Connection > add the linux user with repository permissions to the Credentials drop down list as a Single Use Credentials.
5. Once the ssh connection has passed testing and the linux server updated, remove the linux user from the Sudoers group - sudo deluser "username" sudo, stop the ssh service - sudo systemctl stop ssh, disable the ssh service - sudo systemctl disable ssh, and finally block ssh in the firewall - sudo ufw deny ssh.
That should do the trick. Happy Backups!
- Doug
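A post-upgrade check for the cleanup in step 5, added here as an example and not part of the original posts: it confirms the repository user is out of the sudo group and that ssh is neither running nor enabled. The function names are hypothetical; `repouser`, the `sudo` group and the `ssh` unit are the ones used in this thread.

```shell
#!/bin/sh
# Added example: audit a hardened repository host after the upgrade.

# user_in_group GROUP_FILE USER GROUP
# Returns 0 if USER is an exact member of GROUP in an /etc/group-format file.
user_in_group() {
    awk -F: -v u="$2" -v g="$3" '
        $1 == g {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] == u) found = 1
        }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# unit_is_off UNIT
# Returns 0 only if the unit is neither running now nor enabled at boot.
unit_is_off() {
    ! systemctl is-active --quiet "$1" && ! systemctl is-enabled --quiet "$1"
}

# audit_repo USER [GROUP_FILE]
# Prints one line per finding; the return code is the number of findings.
audit_repo() {
    user=$1
    group_file=${2:-/etc/group}
    findings=0
    if user_in_group "$group_file" "$user" sudo; then
        echo "FINDING: $user is still in the sudo group (sudo deluser $user sudo)"
        findings=$((findings + 1))
    fi
    if ! unit_is_off ssh; then
        echo "FINDING: ssh is still active or enabled (systemctl stop/disable ssh)"
        findings=$((findings + 1))
    fi
    if [ "$findings" -eq 0 ]; then
        echo "OK: $user has no sudo group membership and ssh is off"
    fi
    return "$findings"
}

# Run the audit only when a username is given on the command line.
if [ "$#" -gt 0 ]; then
    audit_repo "$@"
fi
```

Group membership is only one source of sudo rights, so `sudo -l -U repouser` remains the check for entries granted directly in sudoers files.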
If you ls -l on your /mnt folder, you should see repouser as both user & group owner of the /veeamrepo folder; if you go into /veeamrepo & run that cmd again, those same rights should also be down to /backups, and then on the files. The permissions on my folders/files within my /mnt directory are 755 (rwxr-xr-x). In implementing mine, I didn’t need to change file/folder permissions at all. Don’t think that makes a difference. Your repouser does need sudo permissions though as @regnor mentions. You can run sudo -l -U repouser to see if the user has sudo rights. The last line should say ‘run the following commands (ALL) ALL’ for that to be true. Let us know what you find.
Yes, repouser is not on the list of sudoers. It’s only the admin account. So the proper way to do this is to add repouser to the sudoers, and then once all is connected and working again, remove from sudoers?
Hey Derek...yessir...remove the regular acct from sudoers:
sudo deluser repouser sudo
Did the permissions on the folder & files change? Check, using ls -l on the folder & files.
The admin/root account shouldn’t even have had permissions on the folder/files...yes, even for being root.
I’ve opened a support ticket on this. Looking forward to seeing what they say.
Hmm..odd. I’d be curious to hear what Support says. Keep us posted @PDXdoug
Hey @dloseke ...I’m following up on this as I’m now beginning my VBR upgrade. I have 2 servers - main/prod one for backups and a DR one for replication. I upgraded my repl VBR server last wk without hitch. I’m just getting ready to start the upgrade of my main VBR server today, which has a hardened repo attached to it. So, all which was needed was to re-add the local linux user to sudo to be able to finalize the upgrade of the repo component piece, correct?
Thanks!
Hey guys,
Just wanted to say thank you as I just upgraded to V12 and had the same issues.
This thread saved me a lot of time and heartache.
Cheers