Using Docker

Community

The Bacula REST API is installed from a Docker image and runs as a Docker container. You only need to follow the steps below.

Create a Docker image

Create a new directory and create a new file named Dockerfile:

FROM debian:bookworm

ARG CUSTOMER_AREA
ARG BACULA_USER_ID
ARG BACULA_GROUP_ID
ARG BEE_VERSION

ENV DEBIAN_FRONTEND=noninteractive

RUN groupadd -g $BACULA_GROUP_ID bacula
RUN useradd -u $BACULA_USER_ID -g bacula bacula

RUN apt-get update && apt-get install -y \
    lighttpd \
    php \
    php-cli \
    php-curl \
    php-bcmath \
    php-pgsql \
    php-mysql \
    php-xml \
    php-intl \
    php-cgi \
    openssl \
    curl \
    wget \
    unzip \
    gnupg \
    && apt-get clean

# Import the Bacula Systems package signing key; -f makes curl fail on HTTP errors
RUN curl -fsSL https://www.baculasystems.com/dl/keys/BaculaSystems-Public-Signature-08-2017.asc | apt-key add -

RUN echo "deb https://www.baculasystems.com/dl/${CUSTOMER_AREA}/debs/bin/${BEE_VERSION}/bookworm-64/ bookworm main" > /etc/apt/sources.list.d/baculasystems.list

RUN apt-get update && apt-get install -y \
    bacula-enterprise-common \
    bacula-enterprise-console \
    bacula-enterprise-rest-api \
    bacula-enterprise-client \
    bacula-enterprise-postgresql \
    && apt-get clean -y

WORKDIR /opt/bacula/rest-api

EXPOSE 80 443

CMD ["/usr/sbin/lighttpd", "-D", "-f", "/opt/bacula/rest-api/etc/lighttpd.conf"]

To build the image, you need to pass several build arguments:

  • CUSTOMER_AREA: The customer area string to access Bacula packages.

  • BACULA_USER_ID: The UID of the Bacula user.

  • BACULA_GROUP_ID: The GID of the Bacula group.

  • BEE_VERSION: The Bacula version that you want to install.

Now build the image with these arguments:

docker build --no-cache \
--build-arg CUSTOMER_AREA="<customer_area>" \
--build-arg BACULA_USER_ID="$(id -u bacula)" \
--build-arg BACULA_GROUP_ID="$(id -g bacula)" \
--build-arg BEE_VERSION="<bee_version>" \
-t <docker-image-name> .

An example of the previous command:

docker build --no-cache \
--build-arg CUSTOMER_AREA="customer_area_123" \
--build-arg BACULA_USER_ID="$(id -u bacula)" \
--build-arg BACULA_GROUP_ID="$(id -g bacula)" \
--build-arg BEE_VERSION="18.1" \
-t bee-rest-api:18.1 .

This command creates a new Docker image.

Note

This process must be repeated each time we want to update the BEE version.

Docker configuration

REST API Settings

When you use Docker, all files inside the container are ephemeral, except those stored in volumes. We have to create a new volume to save the REST API settings.

To do that, we need to create a new file with the REST API settings. We recommend writing this file to /opt/bacula/etc/rest-api-settings.conf.

Note

The Bacula user must have read and write permissions on this file.

You can start from the following example:

[db1]
type = "pgsql"
name = "bacula"
login = "bacula"
password = ""
ip_addr = ""
port = "5432"

[bconsole]
bin_path = "/opt/bacula/bin/bconsole"
cfg_path = "/opt/bacula/etc/bconsole.conf"
use_sudo = "0"

[tools]
bdirjson = "/opt/bacula/bin/bdirjson"
bsdjson = "/opt/bacula/bin/bsdjson"
bfdjson = "/opt/bacula/bin/bfdjson"
bbconsjson = "/opt/bacula/bin/bbconsjson"
use_sudo = "0"

[api]
username = "root"
password = "3adffd10731f1e0c2d1a61b0d6676596"
enable_oauth2 = "1"
log_level = "1"
self_signed_cert = 1
rest_tmp_directory = /opt/bacula/working/rest/

Note

You can log in with user root and password Bacula. After you log in, you can modify these parameters.

Note

You can disable OAuth2 authentication by setting the ‘enable_oauth2’ parameter to “0”.

Note

Create the host directory named in the ‘rest_tmp_directory’ parameter, or check that it exists, and make sure that its owner is the ‘bacula’ user.
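A pre-flight check for the settings file described above, as an added example that is not part of the Bacula documentation or code: it reads the INI-style file shown on this page and reports the sample [api] password, disabled OAuth2, a weak [db1] password on a TCP connection, and a rest_tmp_directory not owned by the given UID. The function names, the finding texts, and the rules that the file should not be accessible to other users and that the database password should differ from the login are assumptions of this example.

```sh
# Added example (not Bacula code): audit rest-api-settings.conf before mounting it.
# get_setting FILE SECTION KEY -> value with surrounding spaces and quotes removed
get_setting() {
    awk -v sec="[$2]" -v key="$3" '
        { sub(/[ \t\r]+$/, "") }
        /^\[/ { in_sec = ($0 == sec); next }
        in_sec && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", k)
            if (k != key) next
            v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t"]+|[ \t"]+$/, "", v)
            print v; exit
        }' "$1"
}

# audit_rest_settings FILE BACULA_UID -> findings on stdout, status 1 if any
audit_rest_settings() {
    f=$1; uid=$2; findings=0
    sample_pw="3adffd10731f1e0c2d1a61b0d6676596"  # [api] password in the page's samples
    flag() { echo "FINDING: $*"; findings=$((findings + 1)); }
    [ -r "$f" ] || { echo "FINDING: cannot read $f"; return 1; }
    # Assumption: a file holding credentials should give "other" no access.
    case "$(stat -c '%a' "$f")" in *0) ;; *) flag "settings file is accessible to other users" ;; esac
    [ "$(get_setting "$f" api password)" != "$sample_pw" ] ||
        flag "[api] password is still the sample value"
    [ "$(get_setting "$f" api enable_oauth2)" = "1" ] || flag "[api] OAuth2 is disabled"
    db_pw=$(get_setting "$f" db1 password)
    # TCP connection (ip_addr set): password must not be empty or equal to the login.
    if [ -n "$(get_setting "$f" db1 ip_addr)" ] &&
       { [ -z "$db_pw" ] || [ "$db_pw" = "$(get_setting "$f" db1 login)" ]; }; then
        flag "[db1] weak password on a TCP database connection"
    fi
    tmpdir=$(get_setting "$f" api rest_tmp_directory)
    if [ -d "$tmpdir" ] && [ "$(stat -c '%u' "$tmpdir")" != "$uid" ]; then
        flag "$tmpdir is not owned by uid $uid"
    fi
    [ "$findings" -eq 0 ]
}

# Constructed sample using the page's Example 2 values; returns the audit status.
demo() {
    d=$(mktemp -d)
    printf '%s\n' '[db1]' 'login = "bacula"' 'password = "bacula"' \
        'ip_addr = "172.17.0.1"' '[api]' 'password = "3adffd10731f1e0c2d1a61b0d6676596"' \
        'enable_oauth2 = "1"' "rest_tmp_directory = $d" > "$d/settings.conf"
    chmod 644 "$d/settings.conf"; rc=0
    audit_rest_settings "$d/settings.conf" "$(id -u)" || rc=$?
    rm -rf "$d"; return "$rc"
}
```

Source the file and run demo to see the findings for the constructed sample, or on the Docker host run audit_rest_settings /opt/bacula/etc/rest-api-settings.conf "$(id -u bacula)" before starting the container.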

Run the Docker container

The basic command to run the container from a Docker image is:

docker run \
--restart always \
--user $(id -u bacula) \
<<-v host_path:container_path ...>> \
<<-p host_port:container_port ...>> \
--name container_name \
<<docker_image:tag>>

We need to add several parameters to this command.

Docker ports

The format to map a host port to a container port is:

-p host_port:container_port

Docker volumes

Docker volumes are the way to keep persistent data for the container or to share data between the host and the container.

The format to specify a volume is:

-v <host-path>:<container_path>:<mode>

Note

The default mode is read/write.

We need to share several files and folders:

  • Bacula configuration:

    -v /opt/bacula/etc:/opt/bacula/etc:ro

    Note

    We need to take care with the BConsole configuration. If its address points to localhost, you must change it to an IP address or name reachable from the container.

  • Bweb binaries:

    -v /opt/bweb/bin/:/opt/bweb/bin:ro

  • Database Unix socket:

    -v /var/run/postgresql:/var/run/postgresql

    Note

    If the path on our host is different, we need to change only the host_path.

  • REST API Settings:

    -v /opt/bacula/etc/rest-api-settings.conf:/opt/bacula/rest-api/www/protected/Data/settings.conf

    Note

    If the path on our host is different, we need to change only the host_path.

Examples

  • Example 1:

      - REST API will listen on host port 4443.
      - Database authentication type will be peer.
      - Database communication will use the Unix socket.
      - OAuth2 will be disabled.

Docker run command:

docker run \
--restart always \
--user $(id -u bacula) \
-v /opt/bacula/etc/:/opt/bacula/etc/:ro \
-v /opt/bweb/bin/:/opt/bweb/bin/:ro \
-v /var/run/postgresql/:/var/run/postgresql \
-v /opt/bacula/etc/rest-api-settings.conf:/opt/bacula/rest-api/www/protected/Data/settings.conf \
-p 4443:443 \
--name bee-rest \
bee-rest-api:18.0.7

REST API Settings:

[db1]
type = "pgsql"
name = "bacula"
login = "bacula"
password = ""
ip_addr = ""
port = "5432"

[bconsole]
bin_path = "/opt/bacula/bin/bconsole"
cfg_path = "/opt/bacula/etc/bconsole.conf"
use_sudo = "0"

[tools]
bdirjson = "/opt/bacula/bin/bdirjson"
bsdjson = "/opt/bacula/bin/bsdjson"
bfdjson = "/opt/bacula/bin/bfdjson"
bbconsjson = "/opt/bacula/bin/bbconsjson"
use_sudo = "0"

[api]
username = "root"
password = "3adffd10731f1e0c2d1a61b0d6676596"
enable_oauth2 = "0"
log_level = "1"

  • Example 2:

      - REST API will listen on host port 443.
      - Database authentication type will be md5.
      - Database communication will use the default Docker network.
      - Own SSL certificates.
      - OAuth2 will be enabled.

Docker run command:

docker run \
--restart always \
--user $(id -u bacula) \
-v /opt/bacula/etc/:/opt/bacula/etc/:ro \
-v /opt/bweb/bin/:/opt/bweb/bin/:ro \
-v /opt/bacula/etc/rest-api-settings.conf:/opt/bacula/rest-api/www/protected/Data/settings.conf \
-v /etc/ssl/certs/bee-server.crt:/opt/bacula/rest-api/etc/server.crt:ro \
-v /etc/ssl/certs/bee-server.pem:/opt/bacula/rest-api/etc/server.pem:ro \
-p 443:443 \
--name bee-rest \
bee-rest-api:18.0.7

REST API settings:

[db1]
type = "pgsql"
name = "bacula"
login = "bacula"
password = "bacula"
ip_addr = "172.17.0.1"
port = "5432"

[bconsole]
bin_path = "/opt/bacula/bin/bconsole"
cfg_path = "/opt/bacula/etc/bconsole.conf"
use_sudo = "0"

[tools]
bdirjson = "/opt/bacula/bin/bdirjson"
bsdjson = "/opt/bacula/bin/bsdjson"
bfdjson = "/opt/bacula/bin/bfdjson"
bbconsjson = "/opt/bacula/bin/bbconsjson"
use_sudo = "0"

[api]
username = "root"
password = "3adffd10731f1e0c2d1a61b0d6676596"
enable_oauth2 = "1"
log_level = "1"

Note

The ip_addr parameter is the host IP address on the default Docker network interface.

Advanced settings

Own SSL certificate

To change the SSL certificate that the REST API uses, you need to add new volumes when you run the container:

-v <<path/to/crt/inside/host>>:/opt/bacula/rest-api/etc/server.crt:ro \
-v <<path/to/pem/inside/host>>:/opt/bacula/rest-api/etc/server.pem:ro

Docker network

If we use database peer authentication, we can omit this section. We need to check that this authentication type is allowed in our database configuration.

If we run the Docker container on the same host as the Bacula Director and the Catalog database, we must allow the connection between the Docker container and the host. To do that, you have two options:

  • Use the host network: the container shares the host's network. This option may cause security problems, because the container uses the same network stack as the host. If you want to proceed this way, add the following option when you run the container:

    --network host

    Note

    In this case, we need to allow access from localhost in the database configuration. If you choose this option, you should remove the port options from the docker run command, because this option uses the host ports directly.

  • Use or create a Docker network (this is the default).

    Note

    In this case, we need to allow access from the IP address of the Docker container in our database configuration.

Connect to REST-API

After running the Docker container, you can access the REST API panel using your browser:

https://<host IP or hostname>:<host port>/panel

Postman Oauth2 example

In this example, we assume that the server address is https://192.168.1.141 and that Bweb is at https://192.168.1.141:9180/.

In the REST-API panel:

  • User Name: RestUser

  • User ID: xZlh2w1KCybHwRrZv46srui6HATADmZb

  • User Secret: ce86fbF261BdF71e5e86fb8Ba1f0adECD7F6FF7c

  • Redirect URI: https://192.168.1.141/

  • Scope: /*

  • BConfig URI: http://192.168.1.141:9180/

  • BConfig User: admin

  • BConfig Password: Bacula

In the Postman authorization area:

  • Type: OAuth2.0

  • Add authorization data to: Request Headers

  • Header Prefix: Bearer

  • Token Name: <Whatever you want>

  • Grant Type: Authorization Code

  • Callback URL: https://192.168.1.141/

  • Authorize using browser: Disabled

  • Auth URL: https://192.168.1.141/v2/authorize/

  • Access Token URL: https://192.168.1.141/v2/request_token/

  • Client ID: xZlh2w1KCybHwRrZv46srui6HATADmZb

  • Client Secret: ce86fbF261BdF71e5e86fb8Ba1f0adECD7F6FF7c

  • Scope: /*

  • State: 3

  • Client Authentication: Send client credentials in body

If you want a custom configuration, see Configuration for more details.
