Fix typo in --with-baseport configure option

[bacula/docs] / docs / manuals / en / main / monitorconf.tex

%%
%%

\chapter{Monitor Configuration}
\label{_MonitorChapter}
\index[general]{Monitor Configuration }
\index[general]{Configuration!Monitor }

The Monitor configuration file is a stripped down version of the Director
configuration file, mixed with a Console configuration file. It simply
contains the information necessary to contact Directors, Clients, and Storage
daemons you want to monitor. 

For a general discussion of configuration file and resources including the
data types recognized by {\bf Bacula}, please see the 
\ilink{Configuration}{ConfigureChapter} chapter of this manual. 

The following Monitor Resource definition must be defined: 

\begin{itemize}
\item 
   \ilink{Monitor}{MonitorResource} -- to  define the Monitor's
   name used to connect to all the daemons and  the password used to connect to
the Directors. Note, you must not  define more than one Monitor resource in
the  Monitor configuration file.  
\item At least one 
   \ilink{Client}{ClientResource1},  
   \ilink{Storage}{StorageResource1} or  
\ilink{Director}{DirectorResource2} resource, to define the 
daemons to monitor. 
\end{itemize}

\section{The Monitor Resource}
\label{MonitorResource}
\index[general]{Monitor Resource }
\index[general]{Resource!Monitor }

The Monitor resource defines the attributes of the Monitor running on the
network. The parameters you define here must be configured as a Director
resource in Clients and Storages configuration files, and as a Console
resource in Directors configuration files. 

\begin{description}

\item [Monitor]
   \index[fd]{Monitor }
   Start of the Monitor records. 

\item [Name = \lt{}name\gt{}]
   \index[fd]{Name  }
   Specify the Director name used to connect  to Client and Storage, and the
Console name used to connect to Director.  This record is required. 

\item [Password = \lt{}password\gt{}]
   \index[fd]{Password  }
   Where the password is the  password needed for Directors to accept the Console
connection.  This password must be identical to the {\bf Password} specified
in  the {\bf Console} resource of the 
\ilink{Director's configuration}{DirectorChapter} file. This 
record is required if you wish to monitor Directors. 

\item [Refresh Interval = \lt{}time\gt{}]
   \index[fd]{Refresh Interval  }
   Specifies the time to wait  between status requests to each daemon. It can't
be set to less than  1 second, or more than 10 minutes, and the default value
is 5 seconds. 
% TODO: what is format of the time?
% TODO: should the digits in this  definition be spelled out? should
% TODO: this say "time-period-specification" above??)
\end{description}

\section{The Director Resource}
\label{DirectorResource2}
\index[general]{Director Resource }
\index[general]{Resource!Director }

The Director resource defines the attributes of the Directors that are
monitored by this Monitor.

As you are not permitted to define a Password in this resource, to avoid
obtaining full Director privileges, you must create a Console resource in the 
\ilink{Director's configuration}{DirectorChapter} file, using the
Console Name and Password defined in the Monitor resource. To avoid security
problems, you should configure this Console resource to allow access to no
other daemons, and permit the use of only two commands: {\bf status} and {\bf
.status} (see below for an example).

You may have multiple Director resource specifications in a single Monitor
configuration file. 

\begin{description}

\item [Director]
   \index[fd]{Director }
   Start of the Director records. 

\item [Name = \lt{}name\gt{}]
   \index[fd]{Name  }
   The Director name used to identify  the Director in the list of monitored
daemons. It is not required  to be the same as the one defined in the Director's
configuration file.  This record is required. 

\item [DIRPort = \lt{}port-number\gt{}]
   \index[fd]{DIRPort  }
   Specify the port to use to connect  to the Director. This value will most
likely already be set to the value  you specified on the {\bf
\verb:--:with-baseport} option of the  {\bf ./configure} command. This port must be
identical to the  {\bf DIRport} specified in the {\bf Director} resource of
the 
\ilink{Director's configuration}{DirectorChapter} file.  The
default is 9101 so this record is not normally specified. 

\item [Address = \lt{}address\gt{}]
   \index[fd]{Address  }
   Where the address is a host name,  a fully qualified domain name, or a network
address used to connect  to the Director.  This record is required. 
\end{description}

\section{The Client Resource}
\label{ClientResource1}
\index[general]{Resource!Client }
\index[general]{Client Resource }

The Client resource defines the attributes of the Clients that are monitored
by this Monitor.

You must create a Director resource in the 
\ilink{Client's configuration}{FiledConfChapter} file, using the
Director Name defined in the Monitor resource. To avoid security problems, you
should set the {\bf Monitor} directive to {\bf Yes} in this Director resource.


You may have multiple Director resource specifications in a single Monitor
configuration file. 

\begin{description}

\item [Client (or FileDaemon)]
   \index[fd]{Client (or FileDaemon) }
   Start of the Client records.  

\item [Name = \lt{}name\gt{}]
   \index[fd]{Name  }
   The Client name used to identify  the Director in the list of monitored
daemons. It is not required  to be the same as the one defined in the Client's
configuration file.  This record is required.  

\item [Address = \lt{}address\gt{}]
   \index[fd]{Address  }
   Where the address is a host  name, a fully qualified domain name, or a network
address in  dotted quad notation for a Bacula File daemon.  This record is
required. 

\item [FD Port = \lt{}port-number\gt{}]
   \index[fd]{FD Port  }
   Where the port is a port  number at which the Bacula File daemon can be
contacted.  The default is 9102. 

\item [Password = \lt{}password\gt{}]
   \index[fd]{Password  }
   This is the password to be  used when establishing a connection with the File
services, so  the Client configuration file on the machine to be backed up
must  have the same password defined for this Director. This record is 
required. 
\end{description}

\section{The Storage Resource}
\label{StorageResource1}
\index[general]{Resource!Storage }
\index[general]{Storage Resource }

The Storage resource defines the attributes of the Storages that are monitored
by this Monitor.

You must create a Director resource in the 
\ilink{Storage's configuration}{StoredConfChapter} file, using the
Director Name defined in the Monitor resource. To avoid security problems, you
should set the {\bf Monitor} directive to {\bf Yes} in this Director resource.


You may have multiple Director resource specifications in a single Monitor
configuration file. 

\begin{description}

\item [Storage]
   \index[fd]{Storage }
   Start of the Storage records. 

\item [Name = \lt{}name\gt{}]
   \index[fd]{Name  }
   The Storage name used to identify  the Director in the list of monitored
daemons. It is not required  to be the same as the one defined in the Storage's
configuration file.  This record is required. 

\item [Address = \lt{}address\gt{}]
   \index[fd]{Address  }
   Where the address is a host  name, a fully qualified domain name, or a network
address in  dotted quad notation for a Bacula Storage daemon.  This record is
required. 

\item [SD Port = \lt{}port\gt{}]
   \index[fd]{SD Port  }
   Where port is the port to use to  contact the storage daemon for information
and to start jobs.  This same port number must appear in the Storage resource
of the  Storage daemon's configuration file. The default is 9103. 

\item [Password = \lt{}password\gt{}]
   \index[sd]{Password  }
   This is the password to be used  when establishing a connection with the
Storage services. This  same password also must appear in the Director
resource of the Storage  daemon's configuration file. This record is required.

\end{description}

\section{Tray Monitor Security}
\index[general]{Tray Monitor Security}

There is no security problem in relaxing the permissions on
tray-monitor.conf as long as FD, SD and DIR are configured properly, so
the passwords contained in this file only gives access to the status of
the daemons. It could be a security problem if you consider the status
information as potentially dangerous (I don't think it is the case).

Concerning Director's configuration: \\
In tray-monitor.conf, the password in the Monitor resource must point to
a restricted console in bacula-dir.conf (see the documentation). So, if
you use this password with bconsole, you'll only have access to the
status of the director (commands status and .status).
It could be a security problem if there is a bug in the ACL code of the
director.

Concerning File and Storage Daemons' configuration:\\
In tray-monitor.conf, the Name in the Monitor resource must point to a
Director resource in bacula-fd/sd.conf, with the Monitor directive set
to Yes (once again, see the documentation).
It could be a security problem if there is a bug in the code which check
if a command is valid for a Monitor (this is very unlikely as the code
is pretty simple).


\section{Sample Tray Monitor configuration}
\label{SampleConfiguration1}
\index[general]{Sample Tray Monitor configuration}

An example Tray Monitor configuration file might be the following: 

\footnotesize
\begin{verbatim}
#
# Bacula Tray Monitor Configuration File
#
Monitor {
  Name = rufus-mon        # password for Directors
  Password = "GN0uRo7PTUmlMbqrJ2Gr1p0fk0HQJTxwnFyE4WSST3MWZseR"
  RefreshInterval = 10 seconds
}
   
Client {
  Name = rufus-fd
  Address = rufus
  FDPort = 9102           # password for FileDaemon
  Password = "FYpq4yyI1y562EMS35bA0J0QC0M2L3t5cZObxT3XQxgxppTn"
}
Storage {
  Name = rufus-sd
  Address = rufus
  SDPort = 9103           # password for StorageDaemon
  Password = "9usxgc307dMbe7jbD16v0PXlhD64UVasIDD0DH2WAujcDsc6"
}
Director {
  Name = rufus-dir
  DIRport = 9101
  address = rufus
}
\end{verbatim}
\normalsize

\subsection{Sample File daemon's Director record.}
\index[general]{Sample File daemon's Director record. }
\index[general]{Record!Sample File daemon's Director }

Click 
\ilink{here to see the full example.}{SampleClientConfiguration}


\footnotesize
\begin{verbatim}
#
# Restricted Director, used by tray-monitor to get the
#   status of the file daemon
#
Director {
  Name = rufus-mon
  Password = "FYpq4yyI1y562EMS35bA0J0QC0M2L3t5cZObxT3XQxgxppTn"
  Monitor = yes
}
\end{verbatim}
\normalsize

\subsection{Sample Storage daemon's Director record.}
\index[general]{Record!Sample Storage daemon's Director }
\index[general]{Sample Storage daemon's Director record. }

Click 
\ilink{here to see the full example.}{SampleConfiguration} 

\footnotesize
\begin{verbatim}
#
# Restricted Director, used by tray-monitor to get the
#   status of the storage daemon
#
Director {
  Name = rufus-mon
  Password = "9usxgc307dMbe7jbD16v0PXlhD64UVasIDD0DH2WAujcDsc6"
  Monitor = yes
}
\end{verbatim}
\normalsize

\subsection{Sample Director's Console record.}
\index[general]{Record!Sample Director's Console }
\index[general]{Sample Director's Console record. }

Click 
\ilink{here to see the full
example.}{SampleDirectorConfiguration} 

\footnotesize
\begin{verbatim}
#
# Restricted console used by tray-monitor to get the status of the director
#
Console {
  Name = Monitor
  Password = "GN0uRo7PTUmlMbqrJ2Gr1p0fk0HQJTxwnFyE4WSST3MWZseR"
  CommandACL = status, .status
}
\end{verbatim}
\normalsize