Bareos active client network setup not working


John Saruni

Sep 13, 2019, 4:35:48 AM
to bareos-users
Hi Listers,

I am running Bareos (Director and FD) Version: 18.2.5. I have clients behind a NAT gateway. It is not feasible to configure 1:1 NAT for all the clients. A little research pointed me to a client initiated network connection model. My config files for this model are:

1. Director's client resource

[root@bareos ~]# cat /etc/bareos/bareos-dir.d/client/activeclient.conf
Client {
  Name = activeclient
  Address = ww.xx.yy.zz
  Password = xxxxxxx
  Connection From Director To Client = no
  Connection From Client To Director = yes
  Heartbeat Interval = 60
}
[root@bareos ~]#
 

2. FD's director resource

[root@backup ~]# cat /etc/bareos/bareos-fd.d/director/bareos-dir.conf
Director {
  Name = bareos-dir
  Address = zz.yy.xx.ww
  Password = "[md5]xxxxxxxxxx"
  Connection From Client To Director = yes
}
[root@backup ~]#

All the other director configs (schedule, fileset, jobdef, job, etc) are as per the default model (where the Bareos Director connects to the clients).
The backup job fails with the following errors:
Fatal error: Failed to connect to client "activeclient".
Fatal error: No Job status returned from FD.

This means the director is still initiating requests.
I have confirmed that the FD is running and the respective Bareos ports are allowed on the firewall.
Has anyone successfully implemented the active client model? Please assist.

Thanks in advance.

Jörg Steffens

Sep 13, 2019, 5:46:08 AM
to bareos...@googlegroups.com
The first thing you should check is if the client is connected to the
Director.

For this, use the bconsole.
In there use the command
"status dir"
It shows you the list of clients that are connected to the Director.
Header is:
Client Initiated Connections (waiting for jobs):

If your client does not show up there, it is not connected to the
Director and will therefore fail.

regards,
Jörg



--
Jörg Steffens joerg.s...@bareos.com
Bareos GmbH & Co. KG Phone: +49 221 630693-91
http://www.bareos.com Fax: +49 221 630693-10

Registered office: Köln | Amtsgericht Köln: HRA 29646
General partner: Bareos Verwaltungs-GmbH
Managing directors:
S. Dühr, M. Außendorf, Jörg Steffens, P. Storz
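
The check described in the reply above can be scripted. The following is an added example, not part of the original thread or of Bareos itself: the function name, the sample output and its column layout are assumptions. Only the section header and the client name come from the thread.

```shell
#!/bin/sh
# Added example: decide whether a client is listed under the
# "Client Initiated Connections (waiting for jobs):" header of `status dir`.
# Real use (assumes bconsole reads commands from stdin):
#   echo "status dir" | bconsole | client_waiting activeclient

# client_waiting NAME: reads `status dir` output on stdin.
# Exit status: 0 = NAME is listed, 1 = section present but NAME missing,
#              2 = section header not found at all.
client_waiting() {
  awk -v name="$1" '
    /^Client Initiated Connections \(waiting for jobs\):/ { in_sec = 1; seen = 1; next }
    in_sec && /^[[:space:]]*$/ { in_sec = 0 }   # a blank line ends the section
    in_sec && /^=+$/ { next }                   # skip separator rows
    in_sec && $NF == name { found = 1 }         # client name assumed in last column
    END { if (found) exit 0; if (!seen) exit 2; exit 1 }
  '
}

# Constructed sample output; the column layout is an assumption.
sample_status() {
  cat <<'EOF'
Running Jobs:
No Jobs running.
====

Client Initiated Connections (waiting for jobs):
Connect time        Protocol            Authenticated       Name
====================================================================
13-Sep-19 10:02     54                  1                   activeclient
====
EOF
}

if sample_status | client_waiting activeclient; then
  echo "activeclient is connected and waiting for jobs"
else
  echo "activeclient is NOT connected; a job would fail"
fi
```

An exit status of 1 corresponds to the failure case in the thread: the Director has no waiting connection from the client, so the job cannot reach it.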

Spadajspadaj

Sep 13, 2019, 7:17:11 AM
to bareos...@googlegroups.com

Firstly, let me say that - from the security point of view - it's usually the best idea to let the connection come from the director to the clients (you usually connect from a safer zone to a less safe one).

Secondly - https://docs.bareos.org/TasksAndConcepts/NetworkSetup.html#section-clientinitiatedconnection

"When both connection directions are allowed, the Bareos Director

  1. checks, if there is a waiting connection from this client.
  2. tries to connect to the client (using the usual timeouts).
  3. waits for a client connection to appear (using the same timeout as when trying to connect to a client)."

So I'd try to run debug on the client first (run the client with an appropriate -d level, run tcpdump/wireshark) to see whether the client tries to connect to the daemon. If it does, it's up to you to find out on the network level why it fails.

I'm also not sure how SELinux copes with client-initiated connections (in case you use SELinux of course).


Best regards,

MK
