Veeam ONE ansible installation inconsistencies

[mboswell]

Hi all.

Hope this is the right place for this question. I'm using the veeamhub.veeam ansible collection: https://galaxy.ansible.com/veeamhub/veeam.

There is an inconsistency between the VBR role and the ONE role in the SQL authentication strategy -- VBR uses SQL auth and ONE uses Windows auth, and this makes the roles incompatible with each other on the same machine without modifying the tasks and variables. I can, of course, modify the code and make it work for myself in a lab environment, but when working with AWX and ephemeral execution environments I'd have to submit a PR to get any changes into the galaxy collection for use in production.

So my question is this: Is there some technical reason for the inconsistency? Is it best practice to use Windows authentication with ONE? Our typical use case is VBR and ONE on the same VM in an isolated environment (no AD DS). Thanks for any insight; this will help inform my automation strategy going forward.

Thanks,

Matt

[HannesK]

Hello,
SQL authentication for Backup & Replication is usually to avoid chicken-egg issues (domain down, SQL auth fails, no restore possible).

In general, it's recommended to use Windows Authentication for security reasons. That explains the inconsistency to me.

@chris.arceneaux, anything to add from your side?

Our typical use case is VBR and ONE on the same VM

in general, I would avoid that. But probably, as you are a service provider, it's about many very small (just a few dozen VMs) environments?

Best regards,
Hannes

[chris.arceneaux]

In agreement with Hannes.

I'll add that pull requests are welcomed as this is an open source project.

[mboswell]

Thanks. This is exactly the input I needed. Another approach (and probably the best practice) other than to put ONE on a separate VM would be just to automate the steps to add the Windows ONE user to the SQL instance that already exists if VBR installs first. I'll try a few things and see what works best.

[RomanK]

Hello Matthew,

It is possible to install VBR and ONE on the same machine for labs and small environments. There are a lot of scalability considerations though.

Did I understand correctly, that you suggest an option for Veeam ONE installer to search for the SQL instance with VBR and add a user automatically or this is related to the ansible only?

By the way, I've downloaded VAS 11a and tried to install it on a new machine in my lab. That is what I got as defaults


Thanks

[mboswell]

My concern is with ansible only. Specifically it's that the SQL auth is hard coded to Windows auth in the installer options: "VM_MN_SQL_AUTHENTICATION=0" which makes the ONE server install tasks incompatible with the VBR install tasks without modification. My initial thought was to make that a variable but if Windows auth is the best practice I'll look at other methods for making the installer coexist with VBR.

And yes, we have a lot of small environments. I'll bring up the possibility of separating VBR and ONE onto individual VMs but scalability hasn't been a problem so far; we're talking about customer environments with no more than a few dozen VMs usually.

[chris.arceneaux]

An update for those who might find this thread:

Starting with version 12.1, it's now possible to choose a different SQL authentication method for Veeam Backup & Replication and Veeam Backup Enterprise Manager using this Ansible collection.