The Storage Daemon configuration file has relatively few resource definitions. However, due to the great variation in backup media and system capabilities, the storage daemon must be highly configurable. As a consequence, there are quite a large number of directives in the Device Resource definition that allow you to define all the characteristics of your Storage device (normally a tape drive). Fortunately, with modern storage devices, the defaults are sufficient, and very few directives are actually needed.
Examples of Device resource directives that are known to work for a number of common tape drives can be found in the <bacula-src>/examples/devices directory, and most will also be listed here.
For a general discussion of configuration file and resources including the data types recognized by Bacula, please see the Configuration chapter of this manual. The following Storage Resource definitions must be defined:
In general, the properties specified under the Storage resource define global properties of the Storage daemon. Each Storage daemon configuration file must have one and only one Storage resource definition.
Typically on Linux systems, you will set this to: /var/run. If you are not installing Bacula in the system directories, you can use the Working Directory as defined above.
This directive is mandatory when using the Global Endpoint Deduplication feature, and specifies a directory in which the Storage daemon may put data block files for all devices of the type dedup. The Dedup Directory can become very large over time, so we advise you to use a logical volume manager to be able to extend the filesystem with new disks when needed.
Standard shell expansion of the Directory is done when the configuration file is read so that values such as $HOME will be properly expanded.
Standard shell expansion of the Directory is done when the configuration file is read so that values such as $HOME will be properly expanded. The default value is set to DedupDirectory when set.
SDAddresses = {
  ip = { addr = 1.2.3.4; port = 1205; }
  ipv4 = { addr = 1.2.3.4; port = http; }
  ipv6 = { addr = 1.2.3.4; port = 1205; }
  ip = {
    addr = 1.2.3.4
    port = 1205
  }
  ip = { addr = 1.2.3.4 }
  ip = { addr = 201:220:222::2 }
  ip = { addr = bluedot.thun.net }
}
where ip, ip4, ip6, addr, and port are all keywords. Note that the address can be specified as either a dotted quadruple, or IPv6 colon notation, or as a symbolic name (only in the ip specification). Also, port can be specified as a number or as the mnemonic value from the /etc/services file. If a port is not specified, the default will be used. If an ip section is specified, the resolution can be made either by IPv4 or IPv6. If ip4 is specified, then only IPv4 resolutions will be permitted, and likewise with ip6.
Using this directive, you can replace both the SDPort and SDAddress directives shown below.
If the two Bacula components (DIR, FD, SD, bconsole) have the comm line compression enabled, the line compression will be enabled. The default value is yes.
In many cases, the volume of data transmitted across the communications line can be reduced by a factor of three when this directive is enabled. In the case that the compression is not effective, Bacula turns it off on a record by record basis.
If you are backing up data that is already compressed the comm line compression will not be effective, and you are likely to end up with an average compression ratio that is very small. In this case, Bacula reports None in the Job report.
Enable TLS support. If TLS is not enabled, none of the other TLS directives have any effect. In other words, even if you set TLS Require = yes you need to have TLS enabled or TLS will not be used.
Enable or Disable automatic TLS PSK support. TLS PSK is enabled by default between all Bacula components. The Pre-Shared Key used between the programs is the Bacula password. If both TLS Enable and TLS PSK Enable are enabled, the system will use TLS certificates.
Require TLS or TLS-PSK encryption. This directive is ignored unless one of TLS Enable or TLS PSK Enable is set to yes. If TLS is not required while TLS or TLS-PSK are enabled, then the Bacula component will connect with other components either with or without TLS or TLS-PSK.
If TLS or TLS-PSK is enabled and TLS is required, then the Bacula component will refuse any connection request that does not use TLS.
If you want to encrypt communications data, use the normal TLS directives but do not turn on TLS Authenticate.
This directive is required in a server context, but it may not be specified in a client context if TLS Verify Peer is set to no in the corresponding server context.
Example:
File Daemon configuration file (bacula-fd.conf), Director resource configuration has TLS Verify Peer = no:
Director {
  Name = bacula-dir
  Password = "password"
  Address = director.example.com
  # TLS configuration directives
  TLS Enable = yes
  TLS Require = yes
  TLS Verify Peer = no
  TLS CA Certificate File = /opt/bacula/ssl/certs/root_cert.pem
  TLS Certificate = /opt/bacula/ssl/certs/client1_cert.pem
  TLS Key = /opt/bacula/ssl/keys/client1_key.pem
}
Having TLS Verify Peer = no means that the File Daemon (server context) will not check the Director's public certificate (client context). There is no need to specify either the TLS Certificate File or the TLS Key directive in the Client resource of the Director configuration file. We can have the following client configuration in bacula-dir.conf:
Client {
  Name = client1-fd
  Address = client1.example.com
  FDPort = 9102
  Catalog = MyCatalog
  Password = "password"
  ...
  # TLS configuration directives
  TLS Enable = yes
  TLS Require = yes
  TLS CA Certificate File = /opt/bacula/ssl/certs/ca_client1_cert.pem
}
When this directive is configured on the server side, the allowed CN list will only be checked if TLS Verify Peer = yes (default). For example, in bacula-fd.conf, Director resource definition:
Director {
  Name = bacula-dir
  Password = "password"
  Address = director.example.com
  # TLS configuration directives
  TLS Enable = yes
  TLS Require = yes
  # if TLS Verify Peer = no, then TLS Allowed CN will not be checked.
  TLS Verify Peer = yes
  TLS Allowed CN = director.example.com
  TLS CA Certificate File = /opt/bacula/ssl/certs/root_cert.pem
  TLS Certificate = /opt/bacula/ssl/certs/client1_cert.pem
  TLS Key = /opt/bacula/ssl/keys/client1_key.pem
}
When this directive is configured on the client side, the allowed CN list will always be checked.
Client {
  Name = client1-fd
  Address = client1.example.com
  FDPort = 9102
  Catalog = MyCatalog
  Password = "password"
  ...
  # TLS configuration directives
  TLS Enable = yes
  TLS Require = yes
  # the Allowed CN will be checked for this client by director
  # the client's certificate Common Name must match any of
  # the values of the Allowed CN list
  TLS Allowed CN = client1.example.com
  TLS CA Certificate File = /opt/bacula/ssl/certs/ca_client1_cert.pem
  TLS Certificate = /opt/bacula/ssl/certs/director_cert.pem
  TLS Key = /opt/bacula/ssl/keys/director_key.pem
}
If the client doesn't provide a certificate with a Common Name that meets any value in the TLS Allowed CN list, an error message will be issued:
16-Nov 17:30 bacula-dir JobId 0: Fatal error: bnet.c:273 TLS certificate verification failed. Peer certificate did not match a required commonName
16-Nov 17:30 bacula-dir JobId 0: Fatal error: TLS negotiation failed with FD at "192.168.100.2:9102".
To generate the parameter file, you may use openssl:
openssl dhparam -out dh4096.pem -5 4096
The following is a typical Storage daemon Storage definition.
#
# "Global" Storage daemon configuration specifications appear
# under the Storage resource.
#
Storage {
  Name = "Storage daemon"
  Address = localhost
  WorkingDirectory = "~/bacula/working"
  Pid Directory = "~/bacula/working"
}
The Director resource specifies the Name of the Director which is permitted to use the services of the Storage daemon. There may be multiple Director resources. The Director Name and Password must match the corresponding values in the Director's configuration file.
Please note that if this director is being used by a Monitor, we highly recommend setting this directive to yes to avoid serious security problems.
Enable TLS support. If TLS is not enabled, none of the other TLS directives have any effect. In other words, even if you set TLS Require = yes you need to have TLS enabled or TLS will not be used.
Enable or Disable automatic TLS PSK support. TLS PSK is enabled by default between all Bacula components. The Pre-Shared Key used between the programs is the Bacula password. If both TLS Enable and TLS PSK Enable are enabled, the system will use TLS certificates.
Require TLS or TLS-PSK encryption. This directive is ignored unless one of TLS Enable or TLS PSK Enable is set to yes. If TLS is not required while TLS or TLS-PSK are enabled, then the Bacula component will connect with other components either with or without TLS or TLS-PSK.
If TLS or TLS-PSK is enabled and TLS is required, then the Bacula component will refuse any connection request that does not use TLS.
If you want to encrypt communications data, use the normal TLS directives but do not turn on TLS Authenticate.
This directive is required in a server context, but it may not be specified in a client context if TLS Verify Peer is set to no in the corresponding server context.
Example:
File Daemon configuration file (bacula-fd.conf), Director resource configuration has TLS Verify Peer = no:
Director {
  Name = bacula-dir
  Password = "password"
  Address = director.example.com
  # TLS configuration directives
  TLS Enable = yes
  TLS Require = yes
  TLS Verify Peer = no
  TLS CA Certificate File = /opt/bacula/ssl/certs/root_cert.pem
  TLS Certificate = /opt/bacula/ssl/certs/client1_cert.pem
  TLS Key = /opt/bacula/ssl/keys/client1_key.pem
}
Having TLS Verify Peer = no means that the File Daemon (server context) will not check the Director's public certificate (client context). There is no need to specify either the TLS Certificate File or the TLS Key directive in the Client resource of the Director configuration file. We can have the following client configuration in bacula-dir.conf:
Client {
  Name = client1-fd
  Address = client1.example.com
  FDPort = 9102
  Catalog = MyCatalog
  Password = "password"
  ...
  # TLS configuration directives
  TLS Enable = yes
  TLS Require = yes
  TLS CA Certificate File = /opt/bacula/ssl/certs/ca_client1_cert.pem
}
When this directive is configured on the server side, the allowed CN list will only be checked if TLS Verify Peer = yes (default). For example, in bacula-fd.conf, Director resource definition:
Director {
  Name = bacula-dir
  Password = "password"
  Address = director.example.com
  # TLS configuration directives
  TLS Enable = yes
  TLS Require = yes
  # if TLS Verify Peer = no, then TLS Allowed CN will not be checked.
  TLS Verify Peer = yes
  TLS Allowed CN = director.example.com
  TLS CA Certificate File = /opt/bacula/ssl/certs/root_cert.pem
  TLS Certificate = /opt/bacula/ssl/certs/client1_cert.pem
  TLS Key = /opt/bacula/ssl/keys/client1_key.pem
}
When this directive is configured on the client side, the allowed CN list will always be checked.
Client {
  Name = client1-fd
  Address = client1.example.com
  FDPort = 9102
  Catalog = MyCatalog
  Password = "password"
  ...
  # TLS configuration directives
  TLS Enable = yes
  TLS Require = yes
  # the Allowed CN will be checked for this client by director
  # the client's certificate Common Name must match any of
  # the values of the Allowed CN list
  TLS Allowed CN = client1.example.com
  TLS CA Certificate File = /opt/bacula/ssl/certs/ca_client1_cert.pem
  TLS Certificate = /opt/bacula/ssl/certs/director_cert.pem
  TLS Key = /opt/bacula/ssl/keys/director_key.pem
}
If the client doesn't provide a certificate with a Common Name that meets any value in the TLS Allowed CN list, an error message will be issued:
16-Nov 17:30 bacula-dir JobId 0: Fatal error: bnet.c:273 TLS certificate verification failed. Peer certificate did not match a required commonName
16-Nov 17:30 bacula-dir JobId 0: Fatal error: TLS negotiation failed with FD at "192.168.100.2:9102".
To generate the parameter file, you may use openssl:
openssl dhparam -out dh4096.pem -5 4096
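The interaction between TLS Enable, TLS PSK Enable, TLS Require, TLS Verify Peer and TLS Allowed CN described above for the Storage and Director resources can be checked mechanically. The following audit script is an added example, not part of the Bacula manual or code base; the finding names, the sample resources and the defaults chosen for TLS Enable and TLS Require are assumptions of the example, and Director resources are treated as the server side, as in a bacula-fd.conf or bacula-sd.conf.

```python
import re

# Defaults applied when a directive is absent. "TLS PSK Enable = yes" and
# "TLS Verify Peer = yes" are stated in the text above; "TLS Enable = no" and
# "TLS Require = no" are assumptions of this example.
DEFAULTS = {"tlsenable": "no", "tlspskenable": "yes",
            "tlsrequire": "no", "tlsverifypeer": "yes"}

def strip_comment(line):
    """Remove a trailing # comment, leaving # inside double quotes alone."""
    return re.sub(r'("[^"]*")|#.*', lambda m: m.group(1) or "", line)

def parse_resources(text):
    """Return [(type, {keyword: value})] for each top-level resource."""
    # Keywords are lower-cased with spaces removed, because Bacula ignores
    # case and spaces in directive keywords. Nested blocks such as
    # SDAddresses are skipped; one directive per line is assumed.
    resources, current, depth = [], None, 0
    for raw in text.splitlines():
        line = strip_comment(raw).strip()
        if depth == 0:
            m = re.match(r"([A-Za-z ]+?)\s*\{$", line)
            if m:
                current, depth = (m.group(1).lower(), {}), 1
            continue
        if depth == 1 and "=" in line and not line.endswith("{"):
            key, value = line.split("=", 1)
            keyword = re.sub(r"\s+", "", key).lower()
            current[1][keyword] = value.strip().rstrip(";").strip().strip('"')
        depth += line.count("{") - line.count("}")
        if depth == 0:
            resources.append(current)
    return resources

def enabled(directives, keyword):
    """True when a yes/no directive (or its default) is switched on."""
    return directives.get(keyword, DEFAULTS[keyword]).lower() in ("yes", "true")

def audit(text):
    """Return sorted (resource name, finding) pairs."""
    findings = []
    for rtype, d in parse_resources(text):
        if "password" not in d and not any(k.startswith("tls") for k in d):
            continue  # e.g. a Device resource: no peer authentication here
        name = d.get("name", "?")
        tls, psk = enabled(d, "tlsenable"), enabled(d, "tlspskenable")
        require, verify = enabled(d, "tlsrequire"), enabled(d, "tlsverifypeer")
        if not tls and not psk:
            findings.append((name, "no-encryption"))
            if require:  # ignored unless TLS Enable or TLS PSK Enable is yes
                findings.append((name, "require-ignored"))
        elif not require:  # peers may connect with or without TLS
            findings.append((name, "tls-optional"))
        if tls and not verify:
            findings.append((name, "peer-unverified"))
            # Server side: Allowed CN is only checked with Verify Peer = yes
            if rtype == "director" and "tlsallowedcn" in d:
                findings.append((name, "allowed-cn-ignored"))
    return sorted(findings)

# Constructed sample laid out like a bacula-fd.conf or bacula-sd.conf.
SAMPLE_CONF = '''
Director {
  Name = dir-strict
  TLS Enable = yes
  TLS Require = yes
  TLS Allowed CN = director.example.com
}
Director {
  Name = dir-noverify
  tlsenable = YES            # case and spacing of keywords do not matter
  TLS Require = yes
  TLS Verify Peer = no
  TLS Allowed CN = director.example.com
}
Director {
  Name = dir-default
  Password = "placeholder"   # constructed value
}
Director {
  Name = dir-plain
  TLS PSK Enable = no
  TLS Require = yes
}
'''

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_CONF):
        print(f"{name}: {finding}")
```

Only dir-strict passes cleanly: dir-default relies on the default TLS-PSK without requiring it, so an unencrypted connection is still accepted.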
The following is an example of a valid Director resource definition:
Director {
  Name = MainDirector
  Password = my_secret_password
}
The Device Resource specifies the details of each device (normally a tape drive) that can be used by the Storage daemon. There may be multiple Device resources for a single Storage daemon. In general, the properties specified within the Device resource are specific to the Device.
As noted above, normally the Archive Device is the name of a tape drive, but you may also specify an absolute path to an existing directory. If the Device is a directory Bacula will write to file storage in the specified directory, and the filename used will be the Volume name as specified in the Catalog. If you want to write into more than one directory (i.e. to spread the load to different disk drives), you will need to define two Device resources, each containing an Archive Device with a different directory. In addition to a tape device name or a directory name, Bacula will accept the name of a FIFO. A FIFO is a special kind of file that connects two programs via kernel memory. If a FIFO device is specified for a backup operation, you must have a program that reads what Bacula writes into the FIFO. When the Storage daemon starts the job, it will wait for MaximumOpenWait seconds for the read program to start reading, and then time it out and terminate the job. As a consequence, it is best to start the read program at the beginning of the job perhaps with the RunBeforeJob directive. For this kind of device, you never want to specify AlwaysOpen, because you want the Storage daemon to open it only when a job starts, so you must explicitly set it to no. Since a FIFO is a one way device, Bacula will not attempt to read a label of a FIFO device, but will simply write on it. To create a FIFO Volume in the catalog, use the add command rather than the label command to avoid attempting to write a label.
Device {
  Name = FifoStorage
  Media Type = Fifo
  Device Type = Fifo
  Archive Device = /tmp/fifo
  LabelMedia = yes
  Random Access = no
  AutomaticMount = no
  RemovableMedia = no
  MaximumOpenWait = 60
  AlwaysOpen = no
}
During a restore operation, if the Archive Device is a FIFO, Bacula will attempt to read from the FIFO, so you must have an external program that writes into the FIFO. Bacula will wait MaximumOpenWait seconds for the program to begin writing and will then time it out and terminate the job. As noted above, you may use the RunBeforeJob to start the writer program at the beginning of the job.
The Archive Device directive is required.
The Device Type directive is not required, and if not specified, Bacula will attempt to guess what kind of device has been specified using the Archive Device specification supplied. There are several advantages to explicitly specifying the Device Type. First, on some systems, block and character devices have the same type. Secondly, if you explicitly specify the Device Type, the mount point need not be defined until the device is opened. This is the case with most removable devices such as USB that are mounted by the HAL daemon. If the Device Type is not explicitly specified, then the mount point must exist when the Storage daemon starts.
Even though the names you assign are arbitrary (i.e. you choose the name you want), you should take care in specifying them because the Media Type is used to determine which storage device Bacula will select during restore. Thus you should probably use the same Media Type specification for all drives where the Media can be freely interchanged. This is not generally an issue if you have a single Storage daemon, but it is with multiple Storage daemons, especially if they have incompatible media.
For example, if you specify a Media Type of "DDS-4" then during the restore, Bacula will be able to choose any Storage Daemon that handles "DDS-4". If you have an autochanger, you might want to name the Media Type in a way that is unique to the autochanger, unless you wish to possibly use the Volumes in other drives. You should also ensure to have unique Media Type names if the Media is not compatible between drives. This specification is required for all devices.
In addition, if you are using disk storage, each Device resource will generally have a different mount point or directory. In order for Bacula to select the correct Device resource, each one must have a unique Media Type.
Changer Command = "/path/mtx-changer %c %o %S %a %d"
and you will install the mtx on your system (found in the depkgs release). An example of this command is in the default bacula-sd.conf file. For more details on the substitution characters that may be specified to configure your autochanger please see the Autochangers chapter of this manual. For FreeBSD users, you might want to see one of the several chio scripts in examples/autochangers.
/opt/bacula# lsscsi -g
[1:0:0:0] tape HP Ultrium 4-SCSI H61W /dev/st0 /dev/sg0
[1:0:0:1] tape HP Ultrium 4-SCSI H61W /dev/st1 /dev/sg1
[1:0:0:2] mediumx HP MSL G3 Series E.00 - /dev/sg2
The directive in the Device resource can call the tapealert script that is installed in the scripts directory. It is defined as follows:
Device {
  Name = ...
  Archive Device = /dev/nst0
  Alert Command = "/opt/bacula/scripts/tapealert %l"
  Control Device = /dev/sg1 # must be SCSI ctl for /dev/nst0
  ...
}
Once the above mentioned two directives (Alert Command and Control Device) are in place in each of your Device resources, Bacula will check for tape alerts at two points:
At each of the above times, Bacula will call the new tapealert script, which uses the tapeinfo program. The tapeinfo utility is part of the apt sg3-utils and rpm sg3_utils packages. Then for each tape alert that Bacula finds for that drive, it will emit a Job message that is either INFO, WARNING, or FATAL depending on the designation in the Tape Alert published by the T10 Technical Committee on SCSI Storage Interfaces. For the specification, please see: http://www.t10.org/ftp/t10/document.02/02-142r0.pdf
The name-string specifies an external program to be called when loading a new volume. The purpose of this command is to check if the current tape is a WORM (Write Once Read Many) tape. The same substitution characters that may be specified in the Changer Command may also be used in this string.
The directive in the Device resource can call the isworm script that is installed in the scripts directory. It is defined as follows:
Device {
  Name = ...
  Archive Device = /dev/nst0
  Worm Command = "/opt/bacula/scripts/isworm %l"
  Control Device = /dev/sg1 # must be SCSI ctl for /dev/nst0
  ...
}
Bacula will call the isworm script, which uses the tapeinfo and sdparm programs.
Maximum Concurrent Jobs is a directive that permits setting the maximum number of Jobs that can run concurrently on a specified Device. Using this directive, it is possible to have different Jobs using multiple drives, because when the Maximum Concurrent Jobs limit is reached, the Storage Daemon will start new Jobs on any other available compatible drive. This facilitates writing to multiple drives with multiple Jobs that all use the same Pool.
If you have Always Open = yes (recommended) and you want to use the drive for something else, simply use the unmount command in the Console program to release the drive. However, don't forget to remount the drive with mount when the drive is available or the next Bacula job will block.
For File storage, this directive is ignored. For a FIFO storage device, you must set this to no.
Please note that if you set this directive to no, Bacula will release the tape drive between each job, and thus the next job will rewind the tape and position it to the end of the data. This can be a very time-consuming operation. In addition, with this directive set to no, certain multiple drive autochanger operations will fail. We strongly recommend keeping Always Open set to yes.
If yes, Bacula will sync the device at the end of each job and when closing the device. Normally it might be useful if you store the data on network filesystems. The default value is no.
If the removable medium is not automatically mounted (e.g. udev), then you might consider using additional Storage daemon device directives such as Requires Mount, Mount Point, Mount Command, and Unmount Command, all of which can be used in conjunction with Removable Media.
See the Edit Codes section below for more details of the editing codes that can be used in this directive.
If you need to specify multiple commands, create a shell script.
Most frequently, you will define it as follows:
Unmount Command = "/bin/umount %m"
See the Edit Codes section below for more details of the editing codes that can be used in this directive.
If you need to specify multiple commands, create a shell script.
The default is yes - i.e. the checksum is computed on write and checked on read.
We do not recommend turning this off, particularly on older tape drives or for disk Volumes, where doing so may allow corrupted data to go undetected.
To force the block size to be fixed, as is the case for some non-random access devices (tape drives), set the Minimum block size and the Maximum block size to the same value (zero included). The default is that both the minimum and maximum block size are zero and the default block size is 64,512 bytes.
For example, suppose you want a fixed block size of 100K bytes, then you would specify:
Minimum block size = 100K
Maximum block size = 100K
Please note that if you specify a fixed block size as shown above, the tape drive must either be in variable block size mode, or if it is in fixed block size mode, the block size (generally defined by mt) must be identical to the size specified in Bacula - otherwise when you attempt to re-read your Volumes, you will get an error.
If you want the block size to be variable but with a 64K minimum and 200K maximum (and default as well), you would specify:
Minimum block size = 64K
Maximum blocksize = 256K
If no value is specified or zero is specified, the Storage daemon will use a default block size of 64,512 bytes (126 * 512).
The maximum size-in-bytes possible is 4,000,000.
Default setting for Hardware End of Medium is yes. This function is used before appending to a tape to ensure that no previously written data is lost. We recommend if you have a non-standard or unusual tape drive that you use the btape program to test your drive to see whether or not it supports this function. All modern (after 1998) tape drives support this feature.
Default setting for Fast Forward Space File is yes.
If you are using a Linux 2.6 kernel or other OSes such as FreeBSD or Solaris, the Offline On Unmount will leave the drive with no tape, and Bacula will not be able to properly open the drive and may fail the job. For more information on this problem, please see the description of Offline On Unmount subsection in the Tape Testing chapter of the Bacula Enterprise Problems Resolution guide.
If you are configuring an LTO-3 or LTO-4 tape, you probably will want to set the Maximum File Size to 2GB to avoid making the drive stop to write an EOF mark.
Note, this directive does not limit the size of Volumes that Bacula will create regardless of whether they are tape or disk volumes. It changes only the number of EOF marks on a tape and the number of block positioning records (see below) that are generated. If you want to limit the size of all Volumes for a particular device, use the Maximum Volume Size directive (above), or use the Maximum Volume Bytes directive in the Director's Pool resource, which does the same thing but on a Pool (Volume) basis.
Some data might include information about the actual position of a block in the data stream. This information is stored in the catalog inside the FileMedia table. By default, one index record will be created every 100MB of data. The index permits quicker positioning to the start of a given block in the Bacula Volume and can improve the Single Item Restore feature. If you set this to a small value (e.g. 1MB), you will generate lots of database records (FileMedia) and may significantly increase CPU/disk overhead.
This directive allows one to specify the maximum size for each part. Smaller part sizes will reduce restore costs, but may require a small additional overhead to handle multiple parts. The maximum number of parts permitted in a Cloud Volume is 524,288. The maximum size of any given part is approximately 17.5TB.
The default size was chosen to be relatively large but not too big in the case that you are transmitting data over Internet. It is clear that on a high speed local network, you can increase this number and improve performance. For example, some users have found that if you use a value of 65,536 bytes they get five to ten times the throughput. Larger values for most users don't seem to improve performance. If you are interested in improving your backup speeds, this is definitely a place to experiment. You will probably also want to make the corresponding change in each of your File daemons conf files.
The Cloud Storage Driver must be installed in the Bacula Storage Daemon Plugin Directory to be used.
The name of the Cloud resource. This is the logical Cloud name, and may be any string up to 127 characters in length.
This defines which driver to use. It can be S3 or Azure. There is also a File driver, which is used mostly for testing.
This directive specifies the bucket name that you wish to use on the Cloud service. This name is normally a unique name that you create on the cloud service that identifies where you want to place your Cloud Volumes. The maximum bucket name size is 255 characters.
The access key is your unique user identifier given to you by your cloud service provider.
The secret key is the security key that was given to you by your cloud service provider. It is equivalent to a password.
The protocol defines the communications protocol to use with the cloud service provider. The two protocols currently supported are: HTTPS and HTTP. The default is HTTPS.
This directive specifies the URI style to use to communicate with the cloud service provider. The two Uri Styles currently supported are: VirtualHost and Path. The default is VirtualHost.
This directive specifies when Bacula should automatically remove (truncate) the local cache parts. Local cache parts can only be removed if they have been uploaded to the cloud. The currently implemented values are:
This directive specifies when local cache parts will be uploaded to the Cloud. The options are:
The default is unlimited, but by using this directive, you may limit the upload bandwidth used globally by all devices referencing this Cloud resource.
The default is unlimited, but by using this directive, you may limit the download bandwidth used globally by all devices referencing this Cloud resource.
The Cloud resource can be configured to use a specific endpoint within a region. This directive is required for AWS-V4 regions. For example: Region = "eu-central-1"
An example of a Cloud Resource might be:
Cloud {
  Name = S3Cloud
  Driver = "S3"
  HostName = "s3.amazonaws.com"
  BucketName = "BaculaVolumes"
  AccessKey = "BZIXAIS39DYNER5FZ"
  SecretKey = "beesheeg7iTe0Gaex7aedie4aWohfuewohGaa0"
  Protocol = HTTPS
  UriStyle = VirtualHost
  Truncate Cache = No
  Upload = EachPart
  Region = "us-east-1"
  MaximumUploadBandwidth = 5MB/s
}
When restoring a part directly from Glacier, this directive indicates the rehydration priority level. Values can be High, Medium or Low. The default is High. These values correspond respectively to the Expedited, Standard and Bulk transfer tiers within S3.
This directive indicates the number of days S3 should keep the rehydrated part online. The minimum value is 1 day. The default is 5 days.
Before submitting the Mount Command, Unmount Command, Write Part Command, or Free Space Command directives to the operating system, Bacula performs character substitution of the following characters:
%% = %
%a = Archive device name
%e = erase (set if cannot mount and first part)
%n = part number
%m = mount point
%v = last part name (i.e. filename)
All the directives in this section are implemented only in Bacula version 1.37 and later and hence are available in version 1.38.6.
As of version 1.39.5, the directives “Requires Mount”, “Mount Point”, “Mount Command”, and “Unmount Command” apply to removable filesystems such as USB.
Most frequently, you will define it as follows:
Mount Command = "/bin/mount -t iso9660 -o ro %a %m"
For some media, you may need multiple commands. If so, it is recommended that you use a shell script instead of putting them all into the Mount Command. For example, point the Mount Command at a script:
Mount Command = "/usr/local/bin/mymount"
Where that script contains:
#!/bin/sh
ndasadmin enable -s 1 -o w
sleep 2
mount /dev/ndas-00323794-0p1 /backup
Similar consideration should be given to all other Command parameters.
Most frequently, you will define it as follows:
Unmount Command = "/bin/umount %m"
If you need to specify multiple commands, create a shell script.