Director resource

Configuration directives for the Director resource. Every directive is listed; value types and defaults are noted where the source provides them.

Address = <address>

Where the address is a host name, a fully qualified domain name, or a network address used to connect to the Director. This directive is required when ConnectToDirector is enabled.

Allowed Backup Directories = <Directories list>

Defines a per-Director list of the client's directories that may be backed up for this specific Director. This directive is fully independent of the include/exclude part of the Fileset defined in the Director's configuration file. Nothing is backed up if none of the files defined in the Fileset is inside an allowed directory of the FD. This directive is not required. If it is not defined, every directory defined in the Fileset is allowed.

Allowed Restore Directories = <Directories list>

Defines a per-Director list of the client's directories that may be used as a restore destination. The directive can be specified as a list of directories.

Allowed Script Directories = <Directories list>

Defines a per-Director list of client directories from which the Director may execute the client's scripts and programs (e.g. using the Runscript feature or the Fileset's 'File=' directive). The directive can be specified as a list of directories. When this directive is set, NGBackup also checks the programs to be run against a set of not-allowed characters. Full list of not-allowed characters:

```
$ ! ; \ & < > ` ( )
```

This directive can also be used to disallow all runscripts for a Director, e.g. AllowedScriptDirectories = none or AllowedScriptDirectories = /dev/null.
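The two checks described above (program inside an allowed directory, and no not-allowed characters) as a small policy function. This is an added illustration, not NGBackup's own code; it assumes the not-allowed characters are checked over the whole command line and that `none` or `/dev/null` as the directive value disables all runscripts, as the text states.

```python
import os
from typing import Iterable

# Characters the page lists as not allowed when Allowed Script Directories is set.
NOT_ALLOWED_CHARS = set('$!;\\&<>`()')


def script_allowed(command: str, allowed_dirs: Iterable[str]) -> tuple[bool, str]:
    """Apply the Allowed Script Directories rules to one command line.

    Returns (allowed, reason). The directive value 'none' or '/dev/null'
    disallows every runscript for the Director. Assumption: the character
    check is applied to the whole command line, not only the program path.
    """
    dirs = [d.strip() for d in allowed_dirs if d.strip()]
    if not dirs or any(d.lower() == "none" or d == "/dev/null" for d in dirs):
        return False, "all runscripts are disallowed for this Director"

    bad = sorted({c for c in command if c in NOT_ALLOWED_CHARS})
    if bad:
        return False, "not-allowed characters in command: " + " ".join(bad)

    tokens = command.split()
    program = tokens[0] if tokens else ""
    # Collapse '..' and duplicate separators before the prefix test, so
    # '/opt/backup/scripts/../../../bin/sh' is judged as '/bin/sh'.
    # (Symlinks are not resolved here; a real check would use realpath on the client.)
    prog = os.path.normpath(program)
    for d in dirs:
        base = os.path.normpath(d)
        if prog == base or prog.startswith(base.rstrip("/") + "/"):
            return True, f"program is under allowed directory {base}"
    return False, "program is outside every allowed directory"
```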

AutoPrune = <yes|no>

Normally, pruning of Files from the Catalog is specified on a Client by Client basis in the Client resource with the AutoPrune directive. It is also possible to overwrite the Client settings in the Pool resource used by jobs, with the AutoPrune, PruneFiles and PruneJobs directives.

If this directive is specified (not normally) and the value is no, it will override the value specified in all the Client and the Pool resources. The default is yes.

If you set AutoPrune = no, pruning will not be done automatically, and your Catalog will grow in size each time you run a Job. Pruning affects only information in the catalog and not data stored in the backup archives (on Volumes). The prune backup-console command can be used to prune catalog records respecting the Client and/or the Pool FileRetention, JobRetention and VolumeRetention directives.

CommCompression = <yes|no>

If both NGBackup components involved in a connection (DIR, FD, SD or backup-console) have comm line compression enabled, line compression will be used. The default value is yes.

In many cases, the volume of data transmitted across the communications line can be reduced by a factor of three when this directive is enabled. In the case that the compression is not effective, NGBackup turns it off on a record by record basis.

If you are backing up data that is already compressed the comm line compression will not be effective, and you are likely to end up with an average compression ratio that is very small. In this case, NGBackup reports None in the Job report.

ConnectToDirector = <yes|no>

When the ConnectToDirector directive is set to true, the Client will contact the Director according to the Schedule rules. The connection initiated by the Client will be then used by the Director to start jobs or issue backup-console commands. If the Schedule directive is not set, the connection will be initiated when the file daemon starts. The connection will be reinitialized every ReconnectionTime. This directive can be useful if your File Daemon is behind a firewall that permits outgoing connections but not incoming connections.

Description = <text>

The text field contains a description of the Director that will be displayed in the graphical user interface. This directive is optional.

DirAddress = <IP-Address>

This directive is optional, but if it is specified, it will cause the Director server (for the Console program) to bind to the specified <IP-Address>, which is either a domain name or an IP address specified as a dotted quadruple in string or quoted string format. If this directive is not specified, the Director will bind to any available address (the default). Note that, unlike the DirAddresses directive, this directive only permits a single address to be specified. This directive should not be used if you specify a DirAddresses (plural) directive.

DirAddresses = <IP-address-specification>

Specify the ports and addresses on which the Director daemon will listen for NGBackup Console connections. Probably the simplest way to explain this is to show an example:

```
DirAddresses = {
    ip = { addr = 1.2.3.4; port = 1205; }
    ipv4 = { addr = 1.2.3.4; port = http; }
    ipv6 = { addr = 1.2.3.4; port = 1205; }
    ip = { addr = 1.2.3.4 port = 1205 }
    ip = { addr = 1.2.3.4 }
    ip = { addr = 201:220:222::2 }
    ip = { addr = bluedot.thun.net }
}
```

where ip, ip4, ip6, addr, and port are all keywords. Note, that the address can be specified as either a dotted quadruple, or IPv6 colon notation, or as a symbolic name (only in the ip specification). Also, port can be specified as a number or as the mnemonic value from the /etc/services file. If a port is not specified, the default will be used. If an ip section is specified, the resolution can be made either by IPv4 or IPv6. If ip4 is specified, then only IPv4 resolutions will be permitted, and likewise with ip6.

Please note that if you use the DirAddresses directive, you must not use either a DirPort or a DirAddress directive in the same resource.

Director

Start of the Director records. There may be any number of Director resources in the Client configuration file. Each one specifies a Director that is allowed to connect to this Client.

DirPort = <port-number>

Specify the port (a positive integer) on which the Director daemon will listen for NGBackup Console connections. This same port number must be specified in the Director resource of the Console configuration file. The default is 9101, so normally this directive need not be specified. This directive should not be used if you specify the DirAddresses (plural) directive.

DIRPort = <port-number>

Specify the port to use to connect to the Director. This value will most likely already be set to the value you specified on the --with-baseport option of the ./configure command. This port must be identical to the DIRport specified in the Director resource of the Director’s configuration file. The default is 9101 so this directive is not normally specified.

DirSourceAddress = <IP-Address>

This record is optional, and if it is specified, it will cause the Director server (when initiating connections to a storage or file daemon) to source its connections from the specified address. Only a single IP address may be specified. If this record is not specified, the Director server will source its outgoing connections according to the system routing table (the default).

DisableCommand = <cmd>

The Disable Command adds security to your File daemon by disabling certain commands for the current Director. More information about the syntax can be found in the Disable Command documentation.

Events Retention = <time>

The Events Retention directive defines the length of time that NGBackup will keep events records in the Catalog database. When this time period expires, and if the user runs the prune events command, NGBackup will prune (remove) Events records that are older than the specified period.

See the Configuration chapter of this manual for additional details of time specifications.

The default is 1 month.

Excluded Backup Directories = <Directories list>

Defines a per-Director list of the client's directories that are excluded from the backup for this specific Director. This directive is fully independent of the include/exclude part of the Fileset defined in the Director's configuration file. Nothing is backed up if all files defined in the Fileset are inside an excluded directory of the FD.

FD Connect Timeout = <time>

where <time> is the time that the Director should continue attempting to contact the File daemon to start a job, and after which the Director will cancel the job. The default is 3 minutes.

Heartbeat Interval = <time-interval>

This directive is optional and if specified will cause the Director to set a keepalive interval (heartbeat) in seconds on each of the sockets it opens for the Client resource. This value will override any specified at the Director level. It is implemented only on systems (Linux, …) that provide the setsockopt TCP_KEEPIDLE function. The default value is 300s.

HistoryFile = <filename>

Where the filename will be used to store the console command history. By default, the history file is set to $HOME/.bconsole_history

HistoryFileSize = <number-of-lines>

Specify the history file size in lines. The default value is 100.

Maximum Bandwidth Per Job = <speed>

The speed parameter specifies the maximum allowed bandwidth in bytes per second that a job may use when started from this Director. You may specify the following speed parameter modifiers: kb/s (1,000 bytes per second), k/s (1,024 bytes per second), mb/s (1,000,000 bytes per second), or m/s (1,048,576 bytes per second).

Maximum Concurrent Jobs = <number>

where <number> is the maximum number of total Director Jobs that should run concurrently. The default is set to 20, but you may set it to a larger number. Every valid connection to any daemon (Director, File daemon, or Storage daemon) results in a Job. This includes connections from NGBackup Console. Thus the number of concurrent Jobs must, in general, be greater than the maximum number of Jobs that you wish to actually run. In general, increasing the number of Concurrent Jobs increases the total throughput of NGBackup, because the simultaneous Jobs can all feed data to the Storage daemon and to the Catalog at the same time. However, keep in mind that the Volume format becomes more complicated with multiple simultaneous jobs; consequently, restores may take longer if NGBackup must sort through interleaved volume blocks from multiple simultaneous jobs. Though not normally necessary, this can be avoided by having each simultaneous job write to a different volume or by using data spooling, which will first spool the data to disk simultaneously, then write one spool file at a time to the volume, thus avoiding excessive interleaving of the different job blocks.

MaximumConsoleConnections = <number>

where <number> is the maximum number of Console Connections that could run concurrently. The default is set to 20, but you may set it to a larger number.

MaximumReloadRequests = <number>

Where <number> is the maximum number of reload commands that can be queued while jobs are running. The default is set to 32 and is usually sufficient.

Messages = <Messages-resource-name>

The messages resource specifies where to deliver Director messages that are not associated with a specific Job. Most messages are specific to a job and will be directed to the Messages resource specified by the job. However, there are a few messages that can occur when no job is running. This directive is required.

Monitor = <yes|no>

If Monitor is set to no (default), this Director will have full access to this Storage daemon. If Monitor is set to yes, this Director will only be able to fetch the current status of this Storage daemon. Please note that if this Director is being used by a Monitor, we highly recommend setting this directive to yes to avoid serious security problems.

Name = <name>

The name of the Director that may contact this Client. This name must be the same as the name specified on the Director resource in the Director’s configuration file. Note, the case (upper/lower) of the characters in the name are significant (i.e. S is not the same as s). This directive is required.

Password = <UA-password>

Specifies the password that must be supplied for the default NGBackup Console to be authorized. The same password must appear in the Director resource of the Console configuration file. For added security, the password is never passed across the network but instead a challenge response hash code created from the password. This directive is required. If you have either /dev/random or bc on your machine, NGBackup will generate a random password during the configuration process, otherwise it will be left blank and you must manually supply it. The password is plain text. It is not generated through any special process but as noted above, it is better to use random text for security reasons.

Pid Directory = <Directory>

This directive is mandatory and specifies a directory in which the Director may put its process Id file. The process Id file is used to shut down NGBackup and to prevent multiple copies of NGBackup from running simultaneously. Standard shell expansion of the Pid Directory is done when the configuration file is read so that values such as $HOME will be properly expanded. The PID directory specified must already exist and be readable and writable by the NGBackup daemon referencing it.

Typically on Linux systems, you will set this to: /var/run. If you are not installing NGBackup in the system directories, you can use the Working Directory as defined above. This directive is required.

Port = <port-number>

Specify the port to use to connect to the Director. This value will most likely already be set to the value you specified on the --with-baseport option of the ./configure command. This port must be identical to the DIRport specified in the Director resource of the Director's configuration file. The default is 9101 so this record is not normally specified.

QueryFile = <Path>

This directive is mandatory and specifies a directory and file in which the Director can find the canned SQL statements for the query command of the Console. Standard shell expansion of the <Path> is done when the configuration file is read so that values such as $HOME will be properly expanded. This directive is required.

ReconnectionTime = <time>

When the Director resource of the File Daemon is configured to connect to the Director with the ConnectToDirector directive, the connection initiated by the File Daemon to the Director will be reinitialized at a regular interval specified by the ReconnectionTime directive. The default value is 40 mins.

Schedule = <sched-resource>

The Schedule directive defines what schedule is to be used for Client to connect the Director if the directive ConnectToDirector is set to true.

This directive is optional, and if left out, the Client will initiate a connection automatically at the start of the daemon. Although you may specify only a single Schedule resource for any Director resource, the Schedule resource may contain multiple Connect directives, which allow you to initiate the Client connection at many different times, and each Connect directive permits setting the Max Connect Time directive.

Scripts Directory = <Directory>

This directive is optional and, if defined, specifies a directory in which the Director and the Storage daemon will look for many of the scripts that it needs to use during particular operations such as starting/stopping, the mtx-changer script, tape alerts, as well as catalog updates. This directory may be shared by other NGBackup daemons. Standard shell expansion of the directory is done when the configuration file is read so that values such as $HOME will be properly expanded.

SD Connect Timeout = <time>

where <time> is the time that the Director should continue attempting to contact the Storage daemon to start a job, and after which the Director will cancel the job. The default is 30 minutes.

Statistics Retention = <time>

The Statistics Retention directive defines the length of time that NGBackup will keep statistics job records (in the JobHistory table) in the Catalog database after the Job End time. When this time period expires, and if the user runs the prune stats command, NGBackup will prune (remove) Job records that are older than the specified period.

These statistics records aren't used for restore purposes, but mainly for capacity planning, billing, etc. See the Statistics chapter for additional information.

See the Configuration chapter of this manual for additional details of time specifications.

The default is 5 years.

TLS Allowed CN = <string list>

Common name attribute of allowed peer certificates. This directive is valid in a server and in a client context. If this directive is specified, the peer certificate will be verified against this list. This can be used to ensure that only the CN-approved component may connect. This directive may be specified more than once. In the case this directive is configured on a server side, the allowed CN list will only be checked if TLS Verify Peer = yes (the default); with TLS Verify Peer = no the list is not checked. For example, in backup-fd.conf, Director resource definition:

```
Director {
  Name = backup-dir
  Password = "password"
  Address = director.example.com

  TLS Enable = yes
  TLS Require = yes
  # if TLS Verify Peer = no, then TLS Allowed CN will not be checked.
  TLS Verify Peer = yes
  TLS Allowed CN = director.example.com
  TLS CA Certificate File = /opt/backup/ssl/certs/root_cert.pem
  TLS Certificate = /opt/backup/ssl/certs/client1_cert.pem
  TLS Key = /opt/backup/ssl/keys/client1_key.pem
}
```

In the case this directive is configured in a client side, the allowed CN list will always be checked.

```
Client {
  Name = client1-fd
  Address = client1.example.com
  FDPort = 9102
  Catalog = MyCatalog
  Password = "password"
  …

  TLS Enable = yes
  TLS Require = yes
  # the Allowed CN will be checked for this client by director
  # the client's certificate Common Name must match any of
  TLS Allowed CN = client1.example.com
  TLS CA Certificate File = /opt/backup/ssl/certs/ca_client1_cert.pem
  TLS Certificate = /opt/backup/ssl/certs/director_cert.pem
  TLS Key = /opt/backup/ssl/keys/director_key.pem
}
```

If the client doesn’t provide a certificate with a Common Name that meets any value in the TLS Allowed CN list, an error message will be issued:

```
16-Nov 17:30 backup-dir JobId 0: Fatal error: bnet.c:273 TLS certificate verification failed. Peer certificate did not match a required commonName
16-Nov 17:30 backup-dir JobId 0: Fatal error: TLS negotiation failed with FD at "192.168.100.2:9102".
```

TLS Authenticate = <yes|no>

When TLS Authenticate is enabled, after doing the CRAM-MD5 authentication, NGBackup will also do TLS authentication, then TLS encryption will be turned off, and the rest of the communication between the two NGBackup components will be done without encryption. If TLS-PSK is used instead of the regular TLS, the encryption is turned off after the TLS-PSK authentication step. If you want to encrypt communications data, use the normal TLS directives but do not turn on TLS Authenticate.

TLS CA Certificate Dir = <Directory>

Full path to the TLS CA certificate directory. In the current implementation, certificates must be stored PEM encoded with OpenSSL-compatible hashes, i.e. the subject name's hash with an extension of .0. One of TLS CA Certificate File or TLS CA Certificate Dir is required in a server context, unless TLS Verify Peer is set to no, and one of them is always required in a client context.

TLS CA Certificate File = <Filename>

The full path and filename of a file containing PEM encoded TLS CA certificate(s). Multiple certificates are permitted in the file. One of TLS CA Certificate File or TLS CA Certificate Dir is required in a server context, unless TLS Verify Peer (see above) is set to no, and one of them is always required in a client context.

TLS Certificate = <Filename>

The full path and filename of a PEM encoded TLS certificate. It will be used as either a client or server certificate, depending on the connection direction. PEM stands for Privacy Enhanced Mail, but in this context refers to how the certificates are encoded. This format is used because PEM files are base64 encoded and hence ASCII text based rather than binary. They may also contain encrypted information. This directive is required in a server context, but it may not be specified in a client context if TLS Verify Peer is set to no in the corresponding server context.

Example:

File Daemon configuration file (backup-fd.conf), Director resource configuration has TLS Verify Peer = no:

```
Director {
  Name = backup-dir
  Password = "password"
  Address = director.example.com

  TLS Enable = yes
  TLS Require = yes
  TLS Verify Peer = no
  TLS CA Certificate File = /opt/backup/ssl/certs/root_cert.pem
  TLS Certificate = /opt/backup/ssl/certs/client1_cert.pem
  TLS Key = /opt/backup/ssl/keys/client1_key.pem
}
```

Having TLS Verify Peer = no means that the File Daemon (server context) will not check the Director's public certificate (client context). There is then no need to specify the TLS Certificate or TLS Key directives in the Client resource of the Director configuration file. We can have the following Client configuration in backup-dir.conf:

```
Client {
  Name = client1-fd
  Address = client1.example.com
  FDPort = 9102
  Catalog = MyCatalog
  Password = "password"
  …

  TLS Enable = yes
  TLS Require = yes
  TLS CA Certificate File = /opt/backup/ssl/certs/ca_client1_cert.pem
}
```

TLS DH File = <Directory>

Path to PEM encoded Diffie-Hellman parameter file. If this directive is specified, DH key exchange will be used for the ephemeral keying, allowing for forward secrecy of communications. DH key exchange adds an additional level of security because the key used for encryption/decryption by the server and the client is computed on each end and thus is never passed over the network if Diffie-Hellman key exchange is used. Even if DH key exchange is not used, the encryption/decryption key is always passed encrypted. This directive is only valid within a server context. To generate the parameter file, you may use openssl:

```
openssl dhparam -out dh4096.pem -5 4096
```

TLS Enable = <yes|no>

Enable TLS support. If TLS is not enabled, none of the other TLS directives have any effect. In other words, even if you set TLS Require = yes you need to have TLS enabled or TLS will not be used.

TLS Key = <Filename>

The full path and filename of a PEM encoded TLS private key. It must correspond to the TLS certificate.

TLS PSK Enable = <yes|no>

Enable or Disable automatic TLS PSK support. TLS PSK is enabled by default between all NGBackup components. The Pre-Shared Key used between the programs is the NGBackup password. If both TLS Enable and TLS PSK Enable are enabled, the system will use TLS certificates.

TLS Require = <yes|no>

Require TLS or TLS-PSK encryption. This directive is ignored unless one of TLS Enable or TLS PSK Enable is set to yes. If TLS is not required while TLS or TLS-PSK is enabled, then the NGBackup component will connect with other components either with or without TLS or TLS-PSK.

If TLS or TLS-PSK is enabled and TLS is required, then the NGBackup component will refuse any connection request that does not use TLS.

TLS Verify Peer = <yes|no>

Verify peer certificate. Instructs the server to request and verify the client's X.509 certificate. Any client certificate signed by a known CA will be accepted. Additionally, the client's X.509 certificate Common Name must match the value of the Address directive. If the TLS Allowed CN configuration directive is used, the client's X.509 certificate Common Name must also correspond to one of the CNs specified in the TLS Allowed CN directive. This directive is valid only in a server context and not in a client context. The default is yes.
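The acceptance rules spelled out in the TLS Allowed CN and TLS Verify Peer sections, as one decision function. This is an added example, not NGBackup code; the TlsResource type and its field names are constructed here to mirror the directives, and a peer that presents no certificate in a client context is assumed to be rejected.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class TlsResource:
    """Subset of a Director or Client resource's TLS directives (constructed; defaults as the page states them)."""
    address: str                                   # the resource's Address directive
    tls_enable: bool = False                       # TLS Enable, default no
    tls_verify_peer: bool = True                   # TLS Verify Peer, default yes (server context only)
    tls_allowed_cn: list[str] = field(default_factory=list)  # TLS Allowed CN, may be empty


def check_peer_cn(res: TlsResource, context: str, peer_cn: Optional[str]) -> tuple[bool, str]:
    """Decide whether the peer certificate's Common Name is acceptable.

    context is "server" (this daemon accepted the connection, e.g. the FD's
    Director resource) or "client" (this daemon initiated it, e.g. the
    Director's Client resource). Rules from the page:
      * nothing is checked unless TLS Enable = yes;
      * server context: TLS Verify Peer = no skips both the Address match and
        the TLS Allowed CN list; with yes, the CN must equal Address and, if
        TLS Allowed CN is set, appear in that list;
      * client context: the TLS Allowed CN list, if set, is always checked.
    Returns (accepted, reason).
    """
    if not res.tls_enable:
        return True, "TLS not enabled; no certificate check performed"

    if context == "server":
        if not res.tls_verify_peer:
            return True, "TLS Verify Peer = no; peer certificate not checked"
        if peer_cn is None:
            return False, "peer presented no certificate"
        if peer_cn != res.address:
            return False, f"CN {peer_cn!r} does not match Address {res.address!r}"
    elif context == "client":
        if peer_cn is None:  # assumption: a server without a certificate is rejected
            return False, "peer presented no certificate"
    else:
        raise ValueError(f"unknown context {context!r}")

    if res.tls_allowed_cn and peer_cn not in res.tls_allowed_cn:
        # Same condition that produces the Fatal error shown in the log excerpt above.
        return False, "TLS certificate verification failed. Peer certificate did not match a required commonName"
    return True, f"CN {peer_cn!r} accepted"
```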

VerId = <string>

where <string> is an identifier which can be used for support purposes. This string is displayed using the version command.

Working Directory = <Directory>

This directive is mandatory and specifies a directory in which the Director may put its status files. This directory should be used only by NGBackup but may be shared by other NGBackup daemons. However, please note, if this directory is shared with other NGBackup daemons (the File daemon and Storage daemon), you must ensure that the Name given to each daemon is unique so that the temporary filenames used do not collide. By default the NGBackup configure process creates unique daemon names by postfixing them with -dir, -fd, and -sd. Standard shell expansion of the Working Directory is done when the configuration file is read so that values such as $HOME will be properly expanded. This directive is required. The working directory specified must already exist and be readable and writable by the NGBackup daemon referencing it.

If you have specified a Director user and/or a Director group on your ./configure line with --with-dir-user and/or --with-dir-group, the Working Directory owner and group will be set to those values.