Bacula Enterprise Installation in Air-Gapped Environment
Note
The guidance provided in this document offers general recommendations for setting up Bacula Enterprise in air-gapped environments. Due to the wide variability in organizational infrastructure, security policies, and operational goals, exact instructions may not be universally applicable.
In secure environments where network isolation is critical, installing and maintaining software requires a different approach. Air-gapped systems—those disconnected from the internet or external networks—demand careful planning to ensure software availability and integrity.
This guide outlines the recommended methods for installing Bacula Enterprise in an air-gapped environment and includes steps for mirroring repositories and managing dependencies for both RPM- and Debian-based Linux systems.
Overview of Air-Gapped Installation Options
There are two main approaches to installing Bacula Enterprise in an air-gapped environment:
-
Mirror the Bacula Enterprise repository and any required third-party repositories (e.g., RHEL, EPEL) on an internet-connected system.
Either move system to air-gapped network, or transfer the mirrored content to the internal network.
Set up an internal web server to host the mirrored repositories.
Optional: use internal DNS to facilitate the connection of upstream internal repositories to air-gapped systems.
Configure repositories on the air-gapped Bacula system to direct to the internal mirrored repository server.
Tools for repository mirroring include:
reposync(Red Hat-based systems)apt-mirror(Debian/Ubuntu)Other tools such as
redhat satellite,debmirror
Package Download and Manual Installation
Download all required Bacula Enterprise packages and dependencies on an internet-connected system.
Transfer the downloaded packages to the air-gapped system.
Manually install the packages using:
dnf install *.rpm(for RPM-based systems)dpkg -i *.deb(for Debian-based systems)
Repository Mirroring
Dependency Mirroring
For RPM-based systems:
Shows dependencies:
# rpm -q --requires bacula-enterprise-clientDownloads all deps as RPM to the
/tmp/packagesfolder:# dnf install --downloadonly --downloaddir=/tmp/packages/ bacula-enterprise-clientFor Debian-based systems:
# apt-rdepends bacula-enterprise-client | grep -oP '^\S+' > deps.txtDownloads all deps:
# cat deps.txt | xargs -n1 apt-get download
APT Repository Mirroring
Installation of apt-mirror: Install
apt-mirrorto handle the mirroring process.sudo apt-get install apt-mirrorConfiguration of apt-mirror: Configure
apt-mirrorby editing the/etc/apt/mirror.listfile to specify which repositories to mirror.# vim /etc/apt/mirror.listAdd repository lines such as:
set base_path /var/spool/apt-mirror
set nthreads 20
set _tilde 0
deb http://archive.ubuntu.com/ubuntu focal main restricted universe multiverse
deb http://archive.ubuntu.com/ubuntu focal-updates main restricted universe multiverse
deb http://archive.ubuntu.com/ubuntu focal-security main restricted universe multiverse
clean http://archive.ubuntu.com/ubuntu
Run apt-mirror: Start the mirroring process.
sudo apt-mirrorSetting up a Web Server: Configure a web server to serve the mirrored repository.
sudo apt-get install apache2 sudo ln -s /var/spool/apt-mirror/mirror /var/www/html/ubuntu
Distribute the GPG Key: Import the GPG key used to sign the mirrored packages and distribute it to the clients.
wget -qO - http://<your_server_ip>/repo_signing_key.gpg | sudo apt-key add -
RPM Repository Mirroring
Installation of reposync: Install reposync and related tools to handle the RPM mirroring.
sudo yum install yum-utils createrepo httpd
Sync the Repository: Use reposync to download the packages and metadata from the specified repository.
sudo reposync --repoid=<repo-id> --download-path=/var/www/html/rpmrepo --download-metadata
Serve the Repository via Web Server: Ensure that the web server (e.g., Apache) is serving the mirrored repository.
sudo ln -s /var/www/html/rpmrepo /var/www/html/myrepo sudo systemctl start httpd sudo systemctl enable httpd
Distribute the GPG Key: Import and distribute the GPG key used to sign the original RPM repository to the clients.
sudo rpm --import http://<your_server_ip>/repo_signing_key.gpg
Client-Side Configuration: Configure the client machines to use the local RPM mirror.
[localrepo] name=Local RPM Mirror baseurl=http://<your_server_ip>/myrepo enabled=1 gpgcheck=1 gpgkey=http://<your_server_ip>/repo_signing_key.gpg
Package Download and Manual Installation
In cases where establishing a complete repository mirror is neither desirable nor essential, you may opt to download the required packages along with their dependencies for future use. The commands for both RPM and Debian-based systems are provided below.
RPM-based Systems (Fedora, CentOS)
Download a Package and Its Dependencies: Use
dnforyumto download a specific package and all its dependencies without installing them.sudo dnf install --downloadonly --downloaddir=/tmp/packages/ bacula-enterprise-fd
List Package Dependencies: To see what dependencies a package requires, you can query them as follows:
rpm -q --requires bacula-enterprise-fd
Debian-based Systems (Ubuntu, Debian)
List and Download Dependencies: Use
apt-rdependsto list and then download the dependencies for a specific package.sudo apt-get install apt-rdepends apt-rdepends bacula-enterprise-fd | grep -oP '^\S+' > deps.txt cat deps.txt | xargs -n1 apt-get download --downloaddir=/tmp/packages/
Creating a Portable Archive
Once all required packages are downloaded to a directory, you can create a tar.gz archive for easy transportation to another system.
cd /tmp
tar -czvf packages.tar.gz packages/
This archive (packages.tar.gz) can then be transferred to and unpacked on another
server where the packages are required. This is particularly useful for systems without
an internet connection or those in secure environments.
To unpack the archive on another system:
tar -xzvf packages.tar.gz -C /desired/path/
See also
Previous articles:
Go back to: Bacula Enterprise Installation.