I’ve been meeting a few challenges with running an instance of bacula-fd in each of my jails. Most of them are related to networking. Perhaps my deployment strategies are imposing too many restrictions.
The challenges arise on the jail hosts which are not behind my firewall at home. Each of those servers is accessible through a VPN, but the individual jails on those servers are not. The backup of the jail host is performed over the VPN, as is various monitoring of the server itself.
The problems arise with running bacula-fd in the jail. Because the connection to bacula-fd would be in the clear, TLS must be implemented. This requires certificates, which adds work.
You also need to create an additional logical Storage entity which is accessible from outside your firewall. There are also changes required to cater for pool changes. Most of my jobs look like this:
    Pool: "FullFile" (From Job FullPool override)
    Catalog: "MyCatalog" (From Client resource)
    Storage: "CreyFile" (From Pool resource)
If the jail was accessible via the VPN, all of these problems would go away. What is a reasonable way to have 20 jails on a VPN? Ideally, this would be the same VPN as the jail host, but it does not have to be.