Customize Unattended Acronis Cyber Agent Installation on Linux

Starting with the agent for Acronis Cyber Cloud 9.0, it's possible to customize the Acronis Cyber Agent installation using command-line parameters. In this article, we'll walk through common customization scenarios for Linux systems.

Secure your workloads with the Acronis Cyber Protection

Install the Agent on Linux

When you call the agent installer with the --help parameter, you receive the full list of available setup program parameters.

sudo ./CyberProtect_AgentForLinux_x86_64.bin --help

Please check that you meet all prerequisites before installing the agent.

To add the Acronis Backup modules to the Linux kernel, the setup program needs the following Linux packages:
- the package with kernel headers or sources. The package version must match the kernel version;
- the GNU Compiler Collection (GCC) compiler system. The GCC version must be the one with which the kernel was compiled;
- the Make tool;
- the Perl interpreter;
- the libelf-dev, libelf-devel, or elfutils-libelf-devel libraries for building kernels starting with 4.15 and configured with CONFIG_UNWINDER_ORC=y. For some distributions, such as Fedora 28, they need to be installed separately from kernel headers.

For your reference, the complete list of these parameters is given below. If you are only interested in specific scenarios, please skip the table.

Parameter                                 Description
-v, --version                             show version information
--product-info                            print product info
--snapapi-list                            print binary snapapi versions
--file-protector-list                     print binary file protector versions
--components-list                         print installer components
-a, --auto                                automatic (unattended) setup
--skip-prereq-check                       skip prerequisites check
--force-weak-snapapi                      force weak snapapi (do not try to build)
--force-weak-file-protector               force weak file_protector (do not try to build)
--skip-svc-start                          skip services start
-t, --strict                              make all warnings into errors
-n, --nodeps                              ignore dependencies during unattended setup
-u, --uninstall                           uninstall
--purge                                   deprecated, equivalent to --uninstall
--no-purge                                do not remove logs and configuration settings during uninstallation, requires --uninstall
-s, --disable-native-shared               Use own redistributable libraries even if they are already present in the system
-d, --debug                               verbose log information
--tmp-dir=STRING                          specifies a directory used for storing temporary files during the installation (the default is /var/tmp/)
-i, --id=STRING                           specifies component to be installed (only for unattended installation)
                                          At the time of writing, there are three components available:
                                          BackupAndRecoveryAgent -- Agent for Linux
                                          AgentForPCS -- Agent for Virtuozzo
                                          OracleAgentFeature -- Agent for Oracle
-e, --ssl=STRING                          use ssl
-p, --port=STRING                         port address
--skip-registration                       skip registration on rain/ams
-C, --rain=STRING                         Cyber Protection service URL
-g, --login=STRING                        The login of an account under which the agent will be registered in the Cyber Protection service
-w, --password=STRING                     The password of an account under which the agent will be registered in the Cyber Protection service
--token=STRING                            Registration token
--tenant=STRING                           The organization ID where the agent will be registered
--register-with-credentials               Force registration with credentials
--reg-transport=STRING                    Type of transport that will be used for agent registration.
                                          To register via https without certificate verification, specify https.
                                          To register via https with certificate verification using system CA, specify https-ca-system.
                                          To register via https with certificate verification using CA bundle delivered with the product, specify https-ca-bundle.
                                          To register via https with certificate verification using pinned public key, specify https-pinned-public-key. In this case parameter reg-transport-pinned-public-key must be specified.
--reg-transport-pinned-public-key=STRING  Pinned public key. If this parameter is specified, parameter reg-transport must be equal to reg-transport-pinned-public-key or be omitted.
--http-proxy-host=STRING                  IP/name of HTTP proxy server
--http-proxy-port=INT                     Port of HTTP proxy server
--http-proxy-login=STRING                 Login for HTTP proxy server
--http-proxy-password=STRING              Password for HTTP proxy server
-B, --packages-bundle=STRING              bundle with packages file name
--language=STRING                         force language, available languages: en,bg,cs,da,de,es,fr,ko,id,it,hu,ms,nl,ja,nb,pl,pt,pt_BR,ru,fi,sr,sv,tr,zh,zh_TW
--options-file=STRING                     options file, use it to hide sensitive info from ps
--allow-experimental-file-protector       Use less restrictive file protector supported OS limitations
--force-file-protector                    Always install file protector kernel module
--disable-file-protector                  Disable file protector kernel module
-?, --help                                Show help message
--usage                                   Display brief usage message

A lot of customization can be achieved using those parameters. The most common scenarios are explained in detail below.

Unattended Installation

The classic customization of the agent installation is an unattended installation. The simplest way to do it is to specify the -a parameter. However, that is not enough, as the agent must be registered in Acronis Cyber Cloud to work. The simplest option is automated registration using either a user name and password or a registration token. If, for some reason, you need to register the agent later, use the --skip-registration parameter during the installation and then register the agent using the registration utility command-line tool. Note that values passed on the command line, such as a password or a token, are visible in the process list; the --options-file parameter from the table above exists to hide sensitive info from ps.

To install only the Agent for Linux, with no UI shown, and skip the registration

sudo ./CyberProtect_AgentForLinux_x86_64.bin -a --skip-registration --id=BackupAndRecoveryAgent

To register the agent using account and password after the installation

/usr/lib/Acronis/RegisterAgentTool/RegisterAgent -o register -t cloud -a {dc-url} -u {login} -p {password}

An example

/usr/lib/Acronis/RegisterAgentTool/RegisterAgent -o register -t cloud -a https://dev-cloud.acronis.com -u stas.pavlov@nowhere.com -p 'ItisaVeryStrongPassword1991?'

To register the agent using a token after the installation

/usr/lib/Acronis/RegisterAgentTool/RegisterAgent -o register -t cloud -a {dc-url} --token {token}

An example

/usr/lib/Acronis/RegisterAgentTool/RegisterAgent -o register -t cloud -a https://dev-cloud.acronis.com --token 0454-BAA1-4A1F

To install the Agent for Linux only and register with login and password

sudo ./CyberProtect_AgentForLinux_x86_64.bin -a --id=BackupAndRecoveryAgent --login={login} --password={password} -C {dc-url}

An example

sudo ./CyberProtect_AgentForLinux_x86_64.bin -a --id=BackupAndRecoveryAgent --login=stas.pavlov@nowhere.com --password='ItisaVeryStrongPassword1991?' -C https://dev-cloud.acronis.com

To install the Agent for Linux only and register with a token

sudo ./CyberProtect_AgentForLinux_x86_64.bin -a --id=BackupAndRecoveryAgent --token={token} -C {dc-url}

An example

sudo ./CyberProtect_AgentForLinux_x86_64.bin -a --id=BackupAndRecoveryAgent --token=0454-BAA1-4A1F -C https://dev-cloud.acronis.com

The token can be generated either from the Add device form in the Management Console or using the Acronis Cyber Platform API. It can carry only user information, or protection plan information as well. For details, see https://developer.acronis.com/blog/posts/automate-acronis-agent-installations-with-protection-plan-applying/.

Hide the Agent System Tray Appearance

As Acronis Cyber Protect is expected to protect Linux servers, there is no tray component or UI.

Register the Agent and Apply a Protection Plan

After the agent is registered in Acronis Cyber Cloud, a protection plan should be applied to the protected device. This can be done in different ways. However, when an endpoint-centric RMM is already in use, there may be a need not only to install and register the agent but also to apply a plan from the device itself.

To implement that approach, you need to use the token registration process with a token that includes a protection plan.

This is a two-step process. The first step is the unattended agent installation and registration with a token that includes a protection plan. The second step uses that token and a bash script to apply the protection plan included in the token to the device.

The unattended installation is covered above, so we focus only on the second, scripting part.

During the agent registration, a new resource is registered in Acronis Cyber Cloud. After that, it's possible to apply a protection plan to that resource. Below you can find an example without error handling. You also need some way to know that the agent installer has finished its tasks. This can be done in many ways; for example, you can poll the config file for a resource id until you have it.

#!/bin/bash

################################################
# Variables
################################################

# Registration token with a protection plan included, for example 0454-BAA1-4A1F
_reg_token="{put_the_agent_registration_token_with_a_protection_plan_included_here}"

# Data center URL ending with a slash, for example https://dev-cloud.acronis.com/
_base_url="{put_your_DC_URL_here_ending_with_a_slash}"

################################################
# Helper functions
################################################

# XML config file needs to be parsed to find resource id
# We will use a simple example from https://stackoverflow.com/questions/893585/how-to-parse-xml-in-bash
# As it's well documented in that post 

_read_dom () {
    local IFS=\>
    read -d \< ENTITY CONTENT
    local RET=$?
    TAG_NAME=${ENTITY%% *}
    ATTRIBUTES=${ENTITY#* }
    return $RET
}

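# Read config file, find value tag with name InstanceID and echo CONTENT
# The name attribute is matched as text; the attributes are never passed to eval,
# so nothing from the config file is executed
_parse_dom () {
    local _name_re="(^|[[:space:]])name=[\"']InstanceID[\"']"
    if [[ $TAG_NAME = "value" && $ATTRIBUTES =~ $_name_re ]] ; then
        echo "$CONTENT"
        exit
    fi
}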

# Below you can find some helper functions to call Acronis REST API
# Print errors info to STDERR and exit execution
_die() { printf ":: %s\n\n" "$*" >&2; exit 1; }


# Read JSON from file and extract the access_token property as a raw string (without quotes)
_get_access_token_from_file(){ jq -r '.access_token' < "${1}"; }

# POST API call with Bearer Authentication
# $1 - an API endpoint to call
# $2 - Content-Type
# $3 - urlencoded data 1st param
# $4 - urlencoded data 2nd param
_post_api_call_bearer_urlencoded () {

  local _response_body
  local _response_code

  curl	-s \
		-X POST \
		--url "${_base_url}${1}" \
		-H "Authorization: Bearer ${_access_token}" \
		-H "Accept: application/json" \
		-H "Content-type: ${2}" \
		--data-urlencode "${3}" \
		--data-urlencode "${4}" \
		-w "\n%{http_code}" | {
			read -r _response_body
			read -r _response_code

			if [[ $_response_code = 20* ]] ; then
  				echo "${_response_body}"
			else
				_die "The POST API Call with the endpoint ${1} is unsuccessful with response code: ${_response_code}." "${_response_body}"
			fi
		}
}

# POST API call with Bearer Authentication
# $1 - an API endpoint to call
# $2 - Content-Type
# $3 - POST data
_post_api_call_bearer () {

  local _response_body
  local _response_code

  curl	-s \
		-X POST \
		--url "${_base_url}${1}" \
		-H "Authorization: Bearer ${_access_token}" \
		-H "Accept: application/json" \
		-H "Content-type: ${2}" \
		--data-raw "${3}" \
		-w "\n%{http_code}" | {
			read -r _response_body
			read -r _response_code

			if [[ $_response_code = 20* ]] ; then
  				echo "${_response_body}"
			else
				_die "The POST API Call with the endpoint ${1} is unsuccessful with response code: ${_response_code}." "${_response_body}"
			fi
		}
}

################################################
# Actual flow for applying a protection plan
################################################

# You need appropriate rights to read the /etc/Acronis/BackupAndRecovery.config file
# Put resource id to the file for the script debug simplicity
# The loop runs in a subshell so that the exit in _parse_dom ends only the loop, not the whole script
(
    while _read_dom; do
        _parse_dom
    done
) < /etc/Acronis/BackupAndRecovery.config > ~/resourceId.txt

# Remove quotes and put resource id into the variable
_resource_id=$(sed -e 's/^"//' -e 's/"$//' ~/resourceId.txt)

# Exchange registration token to authorization token
_post_api_call_bearer_urlencoded "idp/token" \
					"application/x-www-form-urlencoded" \
					"grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer"  \
					"assertion=${_reg_token}"  \
					 > ~/access_token.json

# Get access_token from file ($HOME is used because a quoted ~ is not expanded by the shell)
_access_token=$(_get_access_token_from_file "$HOME/access_token.json")

# Construct JSON to apply a protection plan
_json='{
     "context": {
         "items": [
             "'$_resource_id'"
         ]
     }
}'

# To apply a protection plan
# POST API call using the _post_api_call_bearer function defined above
# with following parameters
# $1 - an API endpoint to call
# $2 - Content-Type
# $3 - POST data
# The result is stored in results.json file
_post_api_call_bearer "api/policy_management/v4/applications" \
					"application/json" \
					"${_json}" > "$HOME/results.json"

There is a dedicated article on this topic that explains it in more detail. See https://developer.acronis.com/blog/posts/automate-acronis-agent-installations-with-protection-plan-applying/.
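
One way to implement the wait mentioned before the script, polling the config file until the resource id is there and checking it before it goes into the request body. This is an added example, not code from the article or from Acronis; the function names are hypothetical, and it assumes the id is a UUID stored as <value name="InstanceID" ...>"ID"</value>.

```sh
#!/bin/sh
# Added example (not from the article): wait for the installer to write the
# resource id, validate it, and only then build the request body.
# Assumed config layout: <value name="InstanceID" ...>"ID"</value>, ID is a UUID.

# Print the InstanceID found in config file $1, or nothing if it is absent.
get_instance_id() {
    sed -n 's/.*<value[^>]*name="InstanceID"[^>]*>"\{0,1\}\([^"<]*\)"\{0,1\}<\/value>.*/\1/p' \
        "$1" 2>/dev/null | head -n 1
}

# Succeed only for a canonical UUID, so nothing else can reach the JSON body.
is_uuid() {
    case $1 in *[!0-9A-Fa-f-]*) return 1 ;; esac   # also rejects newlines
    printf '%s\n' "$1" |
        grep -Eq '^[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$'
}

# Poll config file $1 until a valid id appears; give up after $2 seconds.
# $3 is the poll interval in seconds (default 5).
wait_for_resource_id() {
    _cfg=$1 _left=$2 _step=${3:-5}
    while :; do
        _id=$(get_instance_id "$_cfg")
        if is_uuid "$_id"; then
            printf '%s\n' "$_id"
            return 0
        fi
        [ "$_left" -le 0 ] && return 1
        sleep "$_step"
        _left=$((_left - _step))
    done
}

# Build the body for api/policy_management/v4/applications from a checked id.
build_apply_payload() {
    is_uuid "$1" || return 1
    printf '{"context":{"items":["%s"]}}\n' "$1"
}

# Demo on a constructed config file that is filled in one second late,
# imitating an installer that is still running.
demo_cfg=$(mktemp)
( sleep 1
  printf '<key name="Demo"><value name="InstanceID" type="TString">"%s"</value></key>\n' \
      "0f8fad5b-d9cb-469f-a165-70867728950e" > "$demo_cfg" ) &
demo_id=$(wait_for_resource_id "$demo_cfg" 10 1) && build_apply_payload "$demo_id"
wait
rm -f "$demo_cfg"
```

On a real host the call would be wait_for_resource_id /etc/Acronis/BackupAndRecovery.config 300 5, with the timeout chosen to cover the installer's run time.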

Summary

Now you know how to customize the Acronis Cyber Agent installation on Linux. In the following article, we'll discuss the same topics for macOS; the Windows article can be found here https://developer.acronis.com/blog/posts/customize-unattended-acronis-cyber-agent-installation-on-windows/.

To learn more about the API, register for our Platform Program or Developer Network on the https://developer.acronis.com site.

Find our public Postman API collection for standard automation and integration tasks https://explore.postman.com/grey-rocket-585331 or use our GitHub examples https://github.com/acronis.

Stas Pavlov
Technology Evangelist