VAL v6 with B&R v12 - additional transport and installer services

[eider]

Since upgrading to B&R 12 and VAL v6, two additional service are installed on system:
- Veeam Transport Service
- Veeam Installer Service

Both reside in /opt, register themselves with systemd and store logs to a different directory (/var/log/VeeamBackup, as opposed to agent's /var/log/veeam).

These services were not necessary previously and require additional ports to be opened on managed devices; something that was not necessary before. Are these services necessary or is that a bug? I believe in B&R v11 these services were installed only on servers that were part of backup infrastructure (proxies, etc.), not individual managed computers.

These services are also not present in your APT/YUM repositories, which means they can not be managed this way, raising interesting question - why is agent in these repositories then if it does not as stand-alone application anymore?

Additionally, directory /var/log/VeeamBackup is world-readable and contains some interesting logs, such as direct base64-encoded config provided to agent when provisioning it to use B&R repository.

[PTide]

Hi,

Those are services that are required if you switched to single-use credentials for Linux Agent. Did you do that after the upgrade?

As for the logs being observable - we'll look into that, thank you for noticing.

Thanks!

[eider]

No, I did not switch to a single-use credentials (or at least have not done so manually; maybe B&R migration process did that for me); my desired setup has Linux devices with agents accessible via SSH by B&R and authentication happens over ssh-pubkey which is configured in B&R.

EDIT: Just checked to confirm and the credentials are still stored in B&R. If I read documentation correctly to switch to single-use I'd need to click Add->Single-use->Linux private key...

[PTide]

In v12 VBR manages agents via those two services (transport and deployer) by default. If you shutdown the corresponding ports VBR will failover to SSH (if there are credentials available).
That is, at this point you can either shutdown ports 6162 and 6160, or you can forbid the server to accept SSH from VBR and remove the credentials from VBR - agent management will keep working.

Thanks!

[eider]

Thanks for response. If these service will be used regardless of credential type then there's no reason for me to stick with old permanent SSH access. I'll switch all my devices to single-use credentials and eliminate need for SSH.