Xen Server Backup Preparation
EnterpriseBacula Enterprise Only
This solution is only available for Bacula Enterprise. For subscription inquiries, please reach out to sales@baculasystems.com.
Before you start configuring your Backup Jobs you need to configure your XenServer to allows proper network operations with Bacula Enterprise. This part of the prerequisites includes:
enable network access to the XenServer API from the backup server -
HTTP/HTTPS- portstcp:80andtcp:443enable network access to the XenServer NBD service from backup server -
NBD/NBD-SSL- porttcp:10809enable the XAPI NBD server on required network
To enable network access to the XenServer API you should enable and verify the firewall rules:
# iptables -L|grep http
ACCEPT tcp -- anywhere anywhere ctstate NEW tcp dpt:http
ACCEPT tcp -- anywhere anywhere ctstate NEW tcp dpt:https
To enable the XAPI NBD Server you should first check available virtual networks:
# xe network-list
uuid ( RO) : 774e87dd-a096-827a-5a30-6ef9123cfd7b
name-label ( RW): Pool-wide network associated with eth0
name-description ( RW):
bridge ( RO): xenbr0
uuid ( RO) : 9fa3ecb2-6493-2849-e30b-eb772d1dbc1c
name-label ( RW): Host internal management network
name-description ( RW): Network on which guests will be assigned a private link-local IP
bridge ( RO): xenapi
Then you should enable NBD by setting up a nbd-purpose on selected
networks. You can enable the NBD service in FORCEDTLS or NOTLS
mode. You cannot have a mix of normal NBD (FORCEDTLS)
and insecure NBD (NOTLS) networks. To switch the purpose of all
networks, you must first disable normal NBD connections on all networks
before enabling either normal or insecure NBD connections on any
network.
Note
The XenServer vendor recommend to use TLS with NBD connections. When NBD connections with TLS are enabled, any NBD clients that attempt to connect to the XenServer must use TLSv1.2.
The Bacula Enterprise XenServer Plugin will work in either of the available
NBD modes. To enable NBD connections with or without TLS, use the
purpose parameter of the network. Set this parameter to include the
value nbd for FORCEDTLS mode and the value insecure_nbd for
NOTLS mode. Ensure that you wait for the setting to propagate before
attempting to use this network for NBD connections. The time it takes
for the setting to propagate depends on your network and is at least 10
seconds.
Below you can find an example of how to enable the NBD service in
FORCEDTLS mode for selected <network-uuid>.
# xe network-param-add param-name=purpose param-key=nbd uuid=<network-uuid>
Some examples below.
# Remove Insecure
[19:14 po-xcp-ngserver home]# xe network-param-remove param-name=purpose param-key=insecure_nbd uuid=b17e189c-5b13-feb6-c5cf-e509153ce3f0
[19:15 po-xcp-ngserver home]# xe network-param-remove param-name=purpose param-key=insecure_nbd uuid=53265e56-8ca0-db10-2c78-e80c89e2e4dd
# Enable Secure
[19:15 po-xcp-ngserver home]# xe network-param-add param-name=purpose param-key=nbd uuid=e80f1afe-ce32-af6e-a8d2-3047350d44ef
[19:15 po-xcp-ngserver home]# xe network-param-add param-name=purpose param-key=nbd uuid=b17e189c-5b13-feb6-c5cf-e509153ce3f0
[19:15 po-xcp-ngserver home]# xe network-param-add param-name=purpose param-key=nbd uuid=53265e56-8ca0-db10-2c78-e80c89e2e4dd
# Restart Xapi
systemctl restart xapi
For NOTLS mode you should replace param-key=nbd with
param-key=insecure_nbd. You can check the network configuration as
follows:
# xe network-param-list uuid=774e87dd-a096-827a-5a30-6ef9123cfd7b
uuid ( RO) : 774e87dd-a096-827a-5a30-6ef9123cfd7b
name-label ( RW): Pool-wide network associated with eth0
name-description ( RW):
VIF-uuids (SRO): e61b768a-6460-af03-abf5-a2361b5b2f36;
PIF-uuids (SRO): cbeab33d-b1c9-6fcb-bf03-d434c8623628
MTU ( RW): 1500
bridge ( RO): xenbr0
managed ( RO): true
other-config (MRW):
blobs ( RO):
tags (SRW):
default-locking-mode ( RW): unlocked
purpose (SRW): insecure_nbd
If you want to use the NBD service in FORCEDTLS mode you should
setup the Bacula Enterprise plugin using the secure nbd configuration
parameters to use a TLS certificate. Check the certfile, keyfile, cacertfile
and tlshostname parameters for more information.
To use secure, TLS-encrypted and authenticated transport, note that you need to use a certificate and related key trusted by the Xen or XCP-ng server. If you are running a XCP-ng environment or a recent XenServer version, this will be mandatory, as any access to the APIs are protected by default with TLS and a self-signed certificate. More information:
XenServer: https://docs.xenserver.com/en-us/xencenter/current-release/hosts-certificates.html
XCP-ng: https://docs.xcp-ng.org/guides/TLS-certificates-xcpng/
If you plan to override your server certificates and use it with this plugin, below you will find an example of how to generate and install a self-signed one, but note that in most cases, these steps would involve a properly managed Certificate Authority and specific procedures:
# Generate a Certificate with its key
backupteam@example.org:~/certs# openssl req -new -newkey rsa:4096 -x509 -sha256 -days 365 -nodes -out MyCertificate.crt -keyout MyKey.key
Generating a RSA private key
................................................................................................++++
..............................................++++
writing new private key to 'MyKey.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:
# Copy Certificates to XCP-NG Server
scp MyKey.key root@My.Sample.Xen.Server:/tmp
scp MyCertificate.crt root@My.Sample.Xen.Server:/tmp
# Generate a Pem Key on XCP-NG server
openssl req -new -x509 -key /etc/xensource/xapi-ssl.pem -subj '/CN=XCP-ng hypervisor/' -out xcp-ng.csr
# Install Certificates on XCP-NG Server
xe host-server-certificate-install certificate=/tmp/MyCertificate.crt private-key=/tmp/MyKey.key certificate-chain=/home/xcp-ng.csr
# Now use that certificate and key with the plugin parameters 'certfile' and 'keyfile'
Go back to: Xen Plugin: Installation.