Veeam Hardened Repository rev 02

Veeam Hardened Repository provides a secure, immutable backup repository for Veeam Backup & Replication. It runs as an isolated LXC container on the storage server, using ZFS-backed ZVOLs formatted with XFS as the backup storage target.

Note: Veeam Hardened Repository is delivered as an optional Small Update (the xc-veeam-hdrep module). This article describes revision 02. If your system was updated to a newer revision, refer to the matching Extension:Veeam_Hardened_Repository_rev_NN article.

The "hardened" property is the result of two complementary mechanisms working together:

• Immutable backups — Veeam writes backups to the XFS repository with the Make recent backups immutable for N days setting enabled. While immutability is in effect, backup files cannot be modified or deleted from outside Veeam, protecting them from ransomware and accidental removal. The XFS filesystem is formatted with reflink support, which also enables Veeam's fast-clone (synthetic backup) optimisation.
• Minimal attack surface — the dedicated locveeam account is granted elevated privileges only during the initial Veeam onboarding handshake, then sudo is removed immediately afterwards. SSH access on port 22522 is disabled after onboarding completes, closing the inbound path entirely.

The role of the xc-veeam-hdrep module is to provision the XFS-on-ZVOL repository and orchestrate this temporary-privilege/SSH handshake. Veeam enforces immutability; the module enforces privilege minimisation.

Before running the setup, ensure the following are in place:

• A ZFS storage pool with sufficient free space.
• One or more ZVOLs with veeam in the name (the setup script discovers ZVOLs by this keyword).
• Network access to the storage server from the Veeam Backup & Replication console.

The repository container exposes a web-based console at:

 https://<server-ip>:4200/veeam-hdrep

Open this URL in a browser and accept the self-signed certificate warning. The console gives direct shell access to the container for running the initial setup and any subsequent maintenance commands.

Setup is performed once, using the interactive make_veeam_repo script included in the container. All steps below are run inside the container console.

1. Connect to the container console at https://<server-ip>:4200/veeam-hdrep.
2. Navigate to the tools directory and run the setup script:

 cd /tools
 sudo ./make_veeam_repo

1. Follow the interactive prompts described in the sections below.

The script creates the dedicated locveeam account (UID 1000) used exclusively for Veeam access. If the account does not yet exist, you will be prompted to set a password for it.

The script prompts you to select a ZFS pool where the _veeam_logs dataset will be created. This dataset is mounted at /var/lib/veeam inside the container and stores Veeam service logs. The container automatically relocates this dataset out of the pool filesystem and unmounts /Pools during setup — no user action is required for this.

Note: If a _veeam_logs dataset already exists in the selected pool, back up its contents before proceeding.

The script lists all ZVOLs whose path contains veeam. Enter the numbers of the ZVOLs you want to use as backup repositories, separated by spaces.

For each selected ZVOL:

• If the ZVOL is already XFS-formatted, it is used as-is.
• If the ZVOL is not XFS-formatted, the script will warn that all data on the ZVOL will be erased. Type format to confirm, or anything else to cancel.

Formatting uses optimised XFS parameters for backup workloads:

Parameter	Value	Purpose
Block size	4096 bytes	Standard block size
Reflink	enabled	Efficient data deduplication at the XFS level
CRC	enabled	Metadata integrity checksums

For each formatted ZVOL, the script:

• Creates a mount point at /mnt/<zvol_name>.
• Adds an entry to /etc/fstab with the following XFS options:
  • noatime,nodiratime — disables access-time updates to reduce write overhead
  • nodiscard — disables TRIM for ZFS-backed storage compatibility
  • logbufs=8,logbsize=32k — XFS journal tuning for write-heavy workloads
  • nofail — system boots even if the mount is unavailable
• Sets ownership to locveeam:locveeam and permissions to 700.

The script configures automated filesystem trimming (fstrim) via cron. You will be prompted to choose a schedule:

• Daily
• Weekly (Mondays)
• Monthly (1st of the month)

A custom start time in 24-hour format can be selected for each option.

SSH is enabled on port 22522 and configured to allow access for the locveeam user. The non-standard port is intentional — it avoids conflicts with the host SSH service and is required in the Veeam Backup & Replication repository configuration.

After the repository volumes are prepared, the script temporarily grants locveeam sudo access. This allows the Veeam agent to perform its initial configuration steps (such as installing transport components) when you connect from the Veeam console.

The script pauses and waits for you to complete the Veeam-side setup (described in the next section). Once you confirm, sudo access is removed and SSH is disabled to harden the repository.

With the storage prepared and locveeam temporarily elevated, complete the Veeam Backup & Replication wizard to register the repository. These steps are performed in the Veeam Backup & Replication console on your Windows backup server.

Note: Do not press Enter in the container console until you have completed all steps in this section and Veeam has finished deploying its transport components. The make_veeam_repo script is waiting at that prompt — pressing Enter removes sudo and disables SSH, which will interrupt a Veeam deployment still in progress.

1. In the Veeam Backup & Replication console, navigate to Backup Infrastructure → Backup Repositories.
2. Right-click Backup Repositories and select Add Backup Repository.
3. When prompted for the repository type, select Direct attached storage.

On the next screen, select Linux (Hardened Repository).

Enter a display name for the repository and click Next.

1. Click Add New next to the server field and enter the IP address or hostname of the storage server.
2. When prompted for credentials, click Add and choose Single-use credentials for hardened repository.
3. Enter the following:

• Username: locveeam
• Password: the password set during make_veeam_repo
• SSH port: 22522

1. Leave Elevate account privileges automatically enabled. The make_veeam_repo script has already granted temporary sudo to locveeam — no root password and no permanent sudoers entry are required.
2. When prompted, review and trust the server's SSH fingerprint.

Veeam will connect over SSH and install its Transport and Installer services on the container.

1. Click Populate to load the available storage.
2. Select /mnt/<zvol_name> — the XFS repository created by the script.

You may optionally append a subdirectory, for example /mnt/<zvol_name>/backups.

On the Repository step of the wizard, verify the following settings:

• Use fast cloning on XFS volumes — ensure this is checked. It is supported because the repository uses XFS with reflink enabled, and it reduces storage consumption for synthetic full backups.
• Make recent backups immutable for — set this to the number of days matching your retention requirement. Backups will be protected from modification or deletion for this period.

Click Next.

1. On the Mount Server step, the Veeam Backup & Replication server is pre-selected as the default mount server — click Next.
2. Review the summary and click Apply, then Finish.

Return to the container console where make_veeam_repo is still waiting. Confirm that Veeam has finished deploying its transport components (the wizard completed without errors), then press Enter.

The script will:

• Remove sudo from locveeam.
• Disable SSH on port 22522.

The repository is now hardened. The locveeam account remains active for Veeam's internal data-path use, but no interactive login path remains open.

Path (inside container)	Purpose
/mnt/<zvol_name>	Backup data storage (XFS on ZVOL)
/var/lib/veeam	Veeam log dataset (ZFS dataset)
/var/lib/veeam/log/	Veeam service log files
/etc/fstab	Volume mount configuration
/etc/ssh/sshd_config	SSH daemon configuration (port 22522)
/etc/cron.d/fstrim_*	Automated trim schedules

From the container console:

 df -h /mnt/<zvol_name>

 sudo fstrim /mnt/<zvol_name>

 mountpoint /mnt/<zvol_name>
 mount | grep /mnt/<zvol_name>

 journalctl -u ssh
 journalctl -u veeam-ds-logs
 tail -f /var/log/auth.log

Do not run system package updates inside the container. The container has limited disk space, and updates are delivered as new container revisions through the standard small-update mechanism.

• ZVOLs must include "veeam" in the name. The setup script discovers ZVOLs by searching for this keyword in their device path. ZVOLs without it will not appear in the selection list.
• Formatting is destructive. Selecting a non-XFS ZVOL and confirming with format irreversibly erases all data on that ZVOL. Verify your selection before confirming.
• No in-container package updates. Due to disk space constraints, running apt upgrade or similar inside the container is not supported. Updates are delivered as new container revisions.
• SSH is a transient onboarding channel only. Veeam connects once over SSH on port 22522 using the password set for locveeam (single-use credentials) to deploy its Data Mover. Backup traffic afterwards does not use SSH. The setup script automatically disables SSH at the finalize step (after you press Enter to confirm onboarding is complete), so SSH key authentication is not required for normal operation. If you later need manual shell access, re-enable SSH and add public keys to /home/locveeam/.ssh/authorized_keys inside the container.

• Initial release of Veeam Hardened Repository container.
• Interactive setup script (make_veeam_repo) for user account, ZVOL selection, XFS formatting, and SSH configuration.
• Automated fstrim scheduling via cron.
• Temporary sudo workflow for Veeam transport component installation.
• Log dataset support (_veeam_logs ZFS dataset mounted at /var/lib/veeam).

---

For further customization or troubleshooting, refer to the upstream Veeam documentation or contact Open-E support.