The Bacula Tutorial jail server

One of the challenges of providing hands-on demonstrations is giving everyone their own sandbox to play in. I don’t want people to spend time on installing software. I want people to learn about the software in question, specifically Bacula. With this in mind, I’ve been building up a solution based on FreeBSD 9.1, ZFS, and jails.

My solution is pretty nifty, but I don’t think it’s anything special. The key is simplicity. The more moving parts, the more likely something is to break in a new environment. I’ll describe what I’ve done, explain what I first tried, and let you decide what makes more sense to you.

The hardware

The hardware was obtained to act as a new gateway, but with ZFS in mind for future use. I spent some time testing various HDD and finally settled on the Toshiba DT01ACA300 (a 3TB SATA drive). Each of the 6 drives are connected directly to the motherboard.

Installing a ZFS-only system

I installed FreeBSD 9.1 on 6x3TB HDD in a raidz3 formation. Installing direct to ZFS is more challenging, but intensely rewarding. I documented what I did on the FreeBSD Forums, complete with the script I used for building up my system. I hope you find that useful. I know I’ll be building my next ZFS system the same way.

Of note:

  1. Each of the disks contains three identical partitions:
    • a boot partition
    • a 2GB freebsd-swap partition
    • a 2.7TB freebsd-zfs partition
    • In addition, this approach leaves 2.5GB unused at the end of HDD to future proof any disk replacements which may be a slightly smaller size.
  2. I use the pjd approach to zfs filesystems for ease of upgrade, with slight modifications based on similar approaches.
  3. I use ezjail for my jails, with each jail in their own ZFS filesystem.

System configuration

The host system has a static IP address of 10.0.44.91 and the jails are on 10.0.44.100-10.0.44.121. Nothing special there at all.

Students connect to a given jail thusly:

$ ssh -A dan@10.0.44.100
Password:

Each jail has the same user, with the same password. The root account has no password.

Once connected, you can get to the database with this command:

[dan@bacula100:~] $ psql -h 10.0.44.91 -U dan bacula100 
psql (9.2.4)
Type "help" for help.

bacula100=# \dt
            List of relations
 Schema |      Name      | Type  | Owner  
--------+----------------+-------+--------
 public | basefiles      | table | bacula
 public | cdimages       | table | bacula
 public | client         | table | bacula
 public | counters       | table | bacula
 public | device         | table | bacula
 public | file           | table | bacula
 public | filename       | table | bacula
 public | fileset        | table | bacula
 public | job            | table | bacula
 public | jobhisto       | table | bacula
 public | jobmedia       | table | bacula
 public | location       | table | bacula
 public | locationlog    | table | bacula
 public | log            | table | bacula
 public | media          | table | bacula
 public | mediatype      | table | bacula
 public | path           | table | bacula
 public | pathhierarchy  | table | bacula
 public | pathvisibility | table | bacula
 public | pool           | table | bacula
 public | restoreobject  | table | bacula
 public | status         | table | bacula
 public | storage        | table | bacula
 public | unsavedfiles   | table | bacula
 public | version        | table | bacula
(25 rows)

bacula100=# 

PostgreSQL

I’m a fan of PostgreSQL and wrote the PostgreSQL backend for Bacula. It should be no surprise that I’m going to use it for a Bacula tutorial.

PostgreSQL has a standard install with postgresql.conf set to listen to the host address only. pg_hba.conf has the following special entries:

host    all             all           10.0.44.0/24            trust

That is, the system trusts all incoming connections from the jails, or indeed any of the tutorial attendees.

The network

I will be running my own wireless network for the tutorial. This ensure that everyone gets onto the right network and my IP addresses are not conflicting with existing networks. I’ll be providing a WAP and everyone will connect to that. The WAP will act as a gateway and everyone will also have Internet access. Because the jails, the jail host, and the students are all on the same subnet, there is no magic to ssh into the jail. it just works. No magic there.

The jail server is using this nifty little box for WIFI access.

The abandoned attempt

In my first attempt, I was very concerned about network conflicts. I was planning to let the server use DHCP to get onto the local wireless network. Then, people would ssh to port 100, to get into the 10.0.44.100 jail. I was going to use pf, nat, and rdr to get everything working. I spent about 4 or 5 hours working on that, and I failed. I am sure it can work. I was just doing it wrong. I think it was my ‘set skip’ rules (see comments at that thread).

Snapshots

I will be using snapshots on each jail. This allows me to restore everything to a clean situation after the students are finished. In the future, it can also allow me to configure various scenarios in advance, and deploy with ease.

The PostgreSQL filesystem is also under snapshot control. Once the lessons are done, I can go back to empty clean databases with a single command.

Future consideration

I think I would like to try the pf/nat/rdr approach, if only to prove it can be done. But the situation I have now is pretty straight forward. I hope it helps your endeavors.

Website Pin Facebook Twitter Myspace Friendfeed Technorati del.icio.us Digg Google StumbleUpon Premium Responsive

Leave a Comment

Scroll to Top