An alternative to CentOS-based Veeam Repositories

[rciscon]

Last July, CentOS reached it's End of Support Life, and it's time to come up with an alternative solution to replace my many old CentOS-based Veeam Repositories.

Several years ago I started building Veeam Repositories based on CentOS 6 and quickly moving to v7. I did this because our friend Timo had created a wonderful walkthrough on how to do this. His website is still up at: http://blog.dewin.me/2013/05/veeam-and- ... 0312943989

Why did we and many other customers choose this particular solution? In our case it came down to saving money by not running a Microsoft Server OS on the ESXi Host that hosted this Veeam Repository VM. Over a large organization, that ended up saving a LOT of money, and I'd like to continue not paying that money to Microsoft, but Timo's helpful website entry was first created over 11 years ago and CentOS is no longer a viable product to use, in this case because it's a dead OS and there will be no updates.

I've done some searching, and I have been unable to find as similar helpful walkthrough to set up something similar with a newer alternative to CentOS. I am NOT a Linux expert, Timo's walkthrough was ENORMOUSLY helpful.

I know there are people out there who are/were in the same situation that I am, what have you done to resolve this issue? My searches are dominated by Veeam's Hardened Linux Repository, but that's a horse of a different color and not really a replacement for what I'm looking for--a VM that isn't running Windows, but can safely function as a Veeam Repository.

Any help would be greatly appreciated!

--Ray

[mdwophil]

We've done Veeam repositories on AlmaLinux 8 and AlmaLinux 9. The specific commands on that blog post won't be 100% accurate but it should be fairly similar.

The biggest thing you'll want to do is make sure you use XFS for the mount point where you store your Veeam backups.

[Gostev]

@rciscon we recommend using managed hardened repository going forward.

[rciscon]

@Gostev -- My assumption is that the managed hardened repository are NOT recommended to be run as a VM. Is that actually the case?

We do not have the budget to purchase a server with storage to run as a separate device simply for use as a Veeam Repository. The entire reason we did this was to save money on Licensing costs from Microsoft.

I understand the benefits of the managed hardened repository, but we're looking for something much lower budget, i.e. "free".

Thank you for the quick response!

[rciscon]

@mdwophil -- I will take a look at AlmaLinux. While I have heard of XFS, I have never used it. Why would you emphasize the need for it on this VM?

Remember, I'm not planning on running this Linux-based Repository server on a separate physical server--I want a Linux VM that can run on a VMware vSphere ESXi Host.

[Gostev]

@Gostev -- My assumption is that the managed hardened repository are NOT recommended to be run as a VM. Is that actually the case?

VM vs. Physical is a completely perpendicular consideration. No matter which way you go, VMs are not recommended for repositories due to increased attack surface from the hypervisor. And if hacker takes over the hypervisor, they can just delete the entire VM along with all of its data.

Managed hardened repository does not bring any additional or special considerations here.

[mdwophil]

@mdwophil -- I will take a look at AlmaLinux. While I have heard of XFS, I have never used it. Why would you emphasize the need for it on this VM?

Remember, I'm not planning on running this Linux-based Repository server on a separate physical server--I want a Linux VM that can run on a VMware vSphere ESXi Host.

AlmaLinux is one of the several RHEL rebuilds that sprung up after Red Hat/IBM killed off CentOS. RockyLinux is another.

XFS is recommended on all Linux-based repositories entirely due to the fast cloning feature: https://helpcenter.veeam.com/docs/backu ... =120#linux

The official Veeam Managed Hardened Repository is built on RockyLinux (another RHEL rebuild) with XFS for the repository file system.

[rciscon]

@mdwophil -- Thank you very much for this information! I have successfully built a VM based on the Rocky Linux Minimal ISO and with the exception of needed to edit "/etc/ssh/sshd_config" and change "PermitRootLogin yes" from "PermitRootLogin no".

Everything is working so far---I'll keep my fingers crossed!

[Gostev]

@rciscon curious why did you choose this route of installing Rocky yourself? The end result is much less secure repository than using managed hardened repository due to no DISA STIG hardening, time shift protection etc.

[rciscon]

@Gostev -- as I mentioned in my original forum reply to you above in this thread, I need the Linux-based Veeam Repository to be a VM, not a physical server. Mostly because this is a remote location and we have a limited budget.

Everything I've seen regarding Hardened Repositories are on Physical Hardware.

Thank you and @mdwophil for your responses. Veeam employees like YOU are why we're still customers after a decade.

[Gostev]

@rciscon right - I understood your need to use a VM. My question is, why not use a Veeam managed repository for this VM? As I explained above, VM is always a bad choice regardless of whether you build everything yourself or use managed repository from Veeam. However, why make the overall solution even less secure by trying to build it yourself when you're not a Linux expert (according to what you said in the first post)?

[rciscon]

@Gostev -- Now that Veeam has released their Managed Hardened Repository ISO, I think that is the direction I'll be going in the future. This new solution looks like something I've been looking for for many years, thank you!

[tgx]

This sounds like an interesting development.
@Gostev, Do you know if this is still the case:

"Re-installing the base OS while keeping backups is not current possible as all disks will be erased during redeployment. "

It was listed as a line item in this posting:
veeam-backup-replication-f2/managed-har ... 96192.html

For those interested, I have been using OpenSUSE for my hardened repositories with no issues. I definitely like the idea
of a Veeam supplied distro for repositories.

[Gostev]

Yep, unsurprisingly this still remains the case 5 days later

[mcz]

@Gostev -- Now that Veeam has released their Managed Hardened Repository ISO, I think that is the direction I'll be going in the future. This new solution looks like something I've been looking for for many years, thank you!

it is and it is very fast to install/setup. I think there was never a better, faster and more secure way to setup a (hardened) repository.

[tgx]

Yep, unsurprisingly this still remains the case 5 days later

Thanks. Yah, I didn't pay attention to the date of the post.