SQL Reporting Server – Self Certificate & Veeam ONE

Veeam One is a splendid Advanced Analysis and Reporting tool for virtual and backup environments.

In an Enterprise architecture, the Veeam One roles are distributed on different Servers.

Let’s talk about the DataBase ( MS-SQL ), the Reporting Server ( SSRS ) and obviously the Veeam ONE Server ( VOS )

In this article, I will illustrate how you can streamline your reporting by creating an encrypted connection between Veeam ONE and the Reporting Server at the same time.

The procedure consists of three macro phases.

  1. The first creates the certificate that enables the HTTPS encrypted connection on the SSRS server.
  2. In the second, you configure SSRS to accept HTTPS connections.
  3. In the third, we configure the Veeam ONE server to use SSRS for reporting.

1- Creation of the certificate

If there is no certificate authority installed in your domain (like mine), you need to create a Self-Signed certificate.

Let’s see how to proceed:

On the SSRS , start a PowerShell console as administrator and run the following commands:

  1. New-SelfSignedCertificate -CertStoreLocation cert: \ LocalMachine \ my -dnsname NAMESERVER -NotAfter (Get-Date) .AddMonths (60) (replace NAMESERVER with your Server name).
  2. $ pwd = ConvertTo-SecureString ” yourpassword ” -asplainText -force (replace your password with a complicated one of your choice).
  3. $ file = ” C: \ MyFolder \ SQLcertificate.pfx ” (this is the location where the certificate will be exported ).
  4. Export-PFXCertificate -cert cert: \ LocalMachine \ My \< Thumbprint created from the output of the first command> -file $ file -Password $ pwd ( Copy the certificate to the file created in step 3 ).
  5. Import-PfxCertificate -FilePath $ file cert: \ LocalMachine \ root -Password $ pwd ( imports the certificate into the SSRS ).

Now it’s time to copy the SQLcertificate.pfx file (point 3) into the VOS and proceed with its installation as indicated in the next lines.

  1. Double click on the file and in the first window choose ” Local Machine “.
  2. When prompted for the password , provide the one set in step 2.
  3. On the next screen select ” Place all certificates in the following store “, and after selecting Browse, select from the ” Trusted Root Certification Authorities ” list.
  4. Ok and after selecting Next, finish the installation.

2- SSRS configuration

Using the SSRS configuration manager it is possible to set the HTTPS connection as shown in images 1,2 and 3.

Picture 1

picture 2

Picture 3

3- Veeam ONE configuration

Images 4 and 5 show how to configure VOS to use SSRS to generate reports.

Picture 4

Picture 5

Note 1: From image 5 we can see that it is possible to test the connection via the Test Connection button.

Note 2: The details on which ports open in the firewalls are documented in the guide. ( helpcenter.veeam.com) ; remember to add port 443 ūüôā

See you soon

Kubernetes: The components

In previous articles we have seen some details of how the Kubernetes architecture is built.

Today the working mechanisms of the Kubernetes engine will be described indicating the name of each component; to remain faithful to the comparison of the car engine, we will speak of the camshafts, valves, bearings, … that belong to the Cloud Native

Note 1: The installation of k8s in Datacenter, Cloud, and Laboratory will not be discussed, the network has already made comprehensive tutorials available.

To familiarize yourself with k8s I recommend using Minikube (Linux platform) Docker Desktop (Windows & Mac platform).

Let’s begin!

Kubernetes Master:It is the main node of the cluster on which three processes that are vital for the existence of the cluster run.

  • kube-apiserver
  • kube-controller-manager
  • Kube-scheduler

In the master node, there is also the DataBase etcd, which stores all configurations created in the cluster.

The nodes that take care of running the applications and therefore the services are said worker node. The processes present on the worker node I’m:

  • Kubelet
  • kube-proxy

kubectl : AND’ The official Kubernetes client ( CLI ) through which you can manage the cluster ( Kube-apiserver ) using the API.

Some simple examples of kubectl commands are:

  • kubectl version (indicates the version of k8s installed)
  • kubectl get nodes (find out the number of nodes in the cluster)
  • kubectl describe nodes nodes-1 (shows the health status of the node, the platform on which k8s is running (Google, AWS, ….) and the allocated resources (CPU, RAM)).

Kube-Proxy : He is responsible for managing networking, from Routing to Load Balancing rules.

Note 2 : K8s will try to use them all libraries available at the level of operating system .

Container Runtime : It is the foundation on which the k8s technology rests.

kubernetes supports several runtimes among which we remember, container-d , cri-o , rktlet .

Note 3 : The runtime Docker it has been deprecated in favor of those that use interfaces CRI ; Docker images will still continue to work in the cluster.

The objects Kubernetes base are:

  • Pod
  • Services
  • Volumes
  • Namespace

THE controller provide additional functionality and are:

  • ReplicaSet
  • Deployment
  • StatefulSet
  • DaemonSet
  • Job

Between Deployment it is imperative to mention Kube-DNS which provides name resolution services. Since kubernetes version 1.2 the name has changed to Core-dns.

Add-On : they are used to configure further cluster functions and are placed inside the name space kube-system (such as Kube-Proxy, Kube-DNS, kube-Dashboard)

Add-ons are categorized according to their use:

  • Add-on of Netwok policy . (For example the NSX-T add-on takes care of the communication between the K8s environment and VMware)
  • Add-on Infrastructural (For example KubeVirt which allows connection with virtual architectures)
  • Add-on of Visualization and Control (For example Dashboard a web interface for K8s).

For commissioning, Add-ons use controllers DaemonSet And Deployment .

The image in figure 1 summarizes what has just been explained.

Figure 1

Take care and see you soon.

Kubernets: Know the details

A good way to describe cloud-native environments is to refer to the image of your car.

The container is the engine, k8s is the electronic control unit that manages the proper functioning of the vehicle, the drivers, indicating the route and the destination, select the type of service to be provided.

Today’s article will reveal some architectural details to understand how “the car” manages to reach its destination in an efficient way.

Containers are of two types:

The first is called System Container. It is the bodywork of the car (I mean from the plates to seats, steering wheel, gear lever and accessories).

Often for simplicity of creation, it is a Virtual Machine (VM) with Linux operating system (it can also be Windows).

The most common services present in the VM are ssh , cron and syslog , the File System is of type ext3, ext4, etc.

The second type is called Application Container and is the place where the image will carry out the activities.

Note1: The image is not a single large file. They are usually multiple files which, through an internal cross-pointing system, allow the application to operate correctly.

The Container application (from now on container only), has an operating mode based on a rigid logic, where all levels (layers) have the peculiarity of communicating with each other and are interdependent.

Figure 1

This approach is very useful as it is able to manage the changes that may occur over time in an effective and hierarchical way.

Let’s take an example: When a service configuration change occurs, for which Layer C is updated, Layer A and B are not affected, which means that they must NOT be modified in turn.

Since Developers like to refine their own images (program files) rather than dependencies, it makes sense to set the service logic in the mode indicated in figure 2 where the dependencies are not affected by a new image.

Figure 2

Note2 : The File system on which the images are placed (in the example of the car engine we are talking about pistons, connecting rods, shafts …) is mainly of three different types:

  • Overlay
  • Overlay 2
  • AUFS

Note3 : A good advice on the security side is not to build the architecture so that the passwords are contained in the images ( Baked in – Cooked)

One of the splendid innovations introduced in the container world is the management of images:

In a classic high-reliability environment, the application is installed on every single node of the cluster.

In containers, the application is downloaded and deployed only when the workload requires more resources than a new cluster node with a new image.

For this reason, the images are saved in “virtual” warehouses, which can be local or distributed on the internet. They are called “Register Server”.

The most famous are Docker Hub, Google Container Registry, Amazon Elastic Container Registry, Azure Container Registry.

We conclude this article by talking about the management of resources associated with a service.

The container platform uses two features called Cgroup and NameSpace to allocate resources that work at the kernel level.

The purpose of the Cgroup is to assign the correct resources ( CPU & RAM ).

Name spaces have the purpose of grouping the different processes and making sure that they are isolated from each other ( Multitenancy ).

The type of NameSpace can affect all the components of the service as indicated in the list below.

  • Cgroup
  • PID
  • Users
  • Mount
  • Network
  • IPC (Interprocess communication)
  • UTS (allows a single system to appear with different host and domain names and with different processes, useful in case of migration)

An example of limiting the resources of an application is shown in Figure 3 where thegable image, downloaded from the Register Server grcgp, has a limit of RAM and CPU resources allocated.

Figure 3

Soon

Cloud Native Kubernetes: Flow and Job Opportunities

This new article aims to indicate the new job opportunities created by a cloud-native environment.

Image n ¬į 1 shows the four main levels required by the architecture to function correctly ( left rectangular part).

On the right side ( circles ) are represented the occupations of the operator with respect to every single level.

Picture 1

Bottom up:

1- Storage and Network Operators ( SNOs ) are responsible for managing the hardware architecture.

Role activity number may decrease if deployed in a public cloud or IaaS (Infrastructure as a Service)

2- The Operating System Operator ( OSO ) works at the level of the operating system where the k8s service is running.

The OSO needs expertise in Linux and Windows . Skills in virtualization architecture such as VMware , RedHat , Nutanix , etc. are often required.

If the architecture has been leased from the public cloud or in an IaaS in general, the skills must cover this new architecture.

3- The orchestrator operator (OO) works with the core of the cloud-native administration environment. This world needs a lot of new skills.

Automation is the child of orchestration.

The main concept is that the OO should have sufficient skills to be able to follow all the processes of “Continuous Integration” and “Continuous Delivery” (often called CI / CD ).

Image 2 gives an idea about it

The central arrows show the flow to allow the delivery of a service.

For every single arrow, there are new tools to know to manage the entire release of the service.

Just a few examples: to test the environment you can work with cucumber or Cypress.io, for distribution and construction you can use Jenkins … and so on …

Image 2

Note 1 There are so many platforms available that choosing the right one can be very challenging

4- The development operator is the role of the people who are writing lines of code. They often use software to run businesses like Jira Core and Trello.

Note 2: In my personal opinion, the vendor who creates a software layer capable of centrally managing all these 6 core activities will have a competitive advantage over their competitors.

The big vendors are already playing: RedHat is working from the beginning with its platform ( OpenStack ), VMware has released Tanzu, Nutanix with Carbonite and Microsoft will play its role with the new version of Windows 2022 .

The only good suggestion I can give you is to study this new and fantastic world.

See you soon and take care of yourself

Veeam Backup Office 365 & Cloud Connect

In the last few days, I have been contacted by a Service Provider to design a solution to back up the Microsoft Office 365 environment.

Actually, four months ago, I wrote three articles to show how to set up the environment using a great job of Niels and Timothy, creators and deployers the Martini project.

All details are available clicking  Veeam Backup Office 365 & Cloud Connect,

https://lnx.gable.it/home-page/2020/11/02/vbo-365-portal-a-nice-project-just-behind-the-corner/

Why the Service Provider needs a different way to implement this service?
I think that the two main reasons were:

1) SP has already a Cloud Connect architecture and it wants to use it in all possible scenarios.
2) SP needs always official support from Vendor before implementing any project and the Martini is not. To be clearer, the RestFul Api technology inside VBO is totally supported, the Martini portal isn’t because it is not a Veeam product.

Before continuing the read, there is one requirement to respect: VBR Cloud Connect and VBO-365 have to be installed on the same server (a Windows Server).

Let’s start!

Picture 1 shows the high-level architecture.

Enhanced Self Service Restore in Backup for Office 365 v2.0 - VIRTUALIZATION IS LIFE!Picture 1

The service provider architecture is shown on the right part of picture 1 and it is composed of VBO-365 and the Cloud Connect architectures, while the left part shows the tenant architecture where VBR Server has been installed.

Which are the actions that can be performed by the Tenant?

Backup: the tenant can’t access the VBO-365 console. It means the Tenat can’t set up or launch any sort of backup. In other words, the backup tasks are a managed services.

Restore: The tasks can be driven by the administrator of the Microsoft Office 365 organization through the use of Veeam Explores. The Cloud Connect technology creates the tunnel to connect the two entities.

Note 1: When VBR is installed by default all Veeam Explorers are installed.

I mean that not just the traditional Veeam Explorers (for Active Directory, SQL, Oracle, Exchange, Share-points) are installed but also the Explorer for One Drive and Teams. that are specific for Microsoft 365 technology.

Note 2: Does this scenario require  VBR license?

Yes, but you can use the free community edition.

The point to highlight during the setup is the authentication task that allows the explorer to communicate with VBO-365:

From the VBO-365 console selecting “General Options” (Picture 2) and from the¬† authentication tab enabling the tenant authentication¬† you can catch your goal (please for security reason use your own certificate) (Picture 3)

Picture 2

Picture 3

Let’s switch to my demo environment:

1. The Service Provider VBO-365 console, has three Microsoft 365 organizations with a backup job each  (Picture 4). Two of those use modern authentication, the third the basic one.

Picture 4

2. The Cloud-Connect architecture has been set up in order to create a tenant called  Demo-VBO (Picture 5).

Picture 5

  • The VBR Tenant Console shows how the connection towards the service provider has been set up (Picture 6).

Picture 6

The following video shows the tasks performed by the tenant to restore his data (Exchange/Sharepoint/One-Drive/Teams items) located at the Service Provider site.

Video 1

That’s all for now, take care and see you soon

VBO-365 Portal: A nice project just behind the corner – Part 1

A service provider asked me to help him to design a backup service where the main topic was Microsoft 365.

I’m sure many of you already know and already use Veeam Backup for Office 365.

It is an excellent solution to address an end-user request and to allow a Service provider to supply a managed service.

But what about unmanaged service?

In other words: is it possible to give an admin of an organization a way to perform backup and restore by himself in a multi-tenant architecture?

The answer came from the great job of two Veeam guys.

Niels Engelen and Timothy De Win have developed a web portal leveraging the native VBO-365 RESTFul-API that allows the service provider to score the goal. The project is called MARTINI.

Just a note before starting: the articles have been written “for dummy”; the scope is explaining step by step the procedure I followed to design service.

To remember: 

  1. This is not a Veeam Project so it is NOT officially supported.
  2. For more details about the software used and to remain updated, please refer to the blog sites of Niels and Timothy (http://blog.dewin.me/).
  3. .ake a look at the official Veeam guide to know the hardware, software requirements of VBO-365.
  4. Please contact your security specialists to be sure it responds to your security standard.
  5. This article has been written using VBO-365 v.4. Please read carefully the second article to learn how to fix with VBO-365 v.5.

Design and Implementation:

The smallest architecture you can design is composed of one VBO-server and one Portal server.

In these articles the names of these 2 servers are in order:

a) VBO-365  (Windows 2019)
b) VBO-Portal (Linux ubuntu 20-04)

A video that explains how to install VBO-365 software is available at the following link: Installing VBO365.

Ready to start? Let’s go!

a) Commands 1/2 update and upgrade the packages installed Linux Server to the last release

1- sudo apt update
2- sudo apt upgrade

b) Command 3 installs the unzip package

3- sudo apt-get install unzip wget

c) Command 4 downloads the martini package,  command 5 unzips it in /usr/bin directory

4- wget https://dewin.me/martini/martini-cli.zip
5- sudo unzip martini-cli.zip -d /usr/bin/

d) Now it’s time to setup Martini.

6- sudo martini-cli setup

It requires and automatically installs the following packages:

apache2, mysql-server mysql-client, PHP, php-xml,  composer, zip unzip php-mysql and Terraform.

At the end of this setup the screen output shows the following output.

#MySQL commands:
CREATE DATABASE martini;
CREATE USER ‘martinidbo’@’localhost’ IDENTIFIED WITH mysql_native_password BY ‘mypasswordthatissupersecret’;
GRANT ALL ON martini.* TO ‘martinidbo’@’localhost’;
# Ubuntu older
GRANT USAGE ON *.* TO ‘martinidbo’@’localhost’ WITH MAX_QUERIES_PER_HOUR 0;
# Ubuntu 20.04
GRANT USAGE ON *.* TO ‘martinidbo’@’localhost’;

Now connect to mySQL DB using the following command:

mysql -u root -p

If the error shown in picture 1 appears it is necessary to follow the procedure described below:

Picture 1

– sudo mysql
Рselect user,host,plugin from mysql.user; output -> root | localhost | auth_socket 

the output is shown in picture 2 and it checks the plugin used for any MySQL users.

Picture 2

If it is auth_socket to user root just change it with the following command

– update mysql.user set plugin=’mysql_native_password’ where user=’root’;
– select user,host,plugin from mysql.user; output root | localhost | mysql_native_password

the output shown in picture 3 confirms it is correctly changed.

Picture 3

– flush privileges;

quit

Now retype the previous command (mysql -u root -p) and please continue with the procedure if it still doesn’t work as shown in picture 4 :

Picture 4

– sudo /etc/init.d/mysql stop
– sudo mkdir -p /var/run/mysqld
– sudo chown mysql:mysql /var/run/mysqld
– sudo mysqld_safe –skip-grant-tables &
– mysql -u root

– ALTER USER ‘root’@’localhost’ IDENTIFIED BY ‘new_password‘;

– flush privileges;
– quit

at this point reboot the server.

The command mysql -u root -p  shows the following output:

Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type ‘help;’ or ‘\h’ for help. Type ‘\c’ to clear the current input statement.

Let’s go back to martini checking if the database and the new user have been created with the command:

mysql> show databases;

If it doesn’t appear use the following steps:
– use mysql
– show tables;
– CREATE USER ‘martinidbo’@’localhost’ IDENTIFIED BY ‘mypassword-‘;
– GRANT ALL PRIVILEGES ON * . * TO ‘martinidbo’@’localhost’;
– FLUSH PRIVILEGES;
– CREATE DATABASE martini;

Now re-launch the martini setup command

– sudo martini-cli setup

selecting no when the prompt asks if it is the first run and follow the easy wizard as shown in picture 5.

Picture 5

The last commands are:

– sudo chown thegable:thegable .martiniconfig
– martini-cli –server http://localhost/api connect

and if you have enabled the firewall just open the web default port

– sudo ufw allow 80/tcp

Now open a web browser (Picture 6) and point out to the VBO-portal server  IP address and you can see the login to Martini page.

Picture 6

In the next article, we are going to cover how to set it up and some useful detail to use it.

That’s all for now guys.