Reference
snagent Hypervisor Host Agent
The CloudStack KVM hypervisor host agent used for efficient host-assisted changed-block tracking.
Definition
snagent is the Sendense hypervisor host agent for CloudStack KVM. It runs on supported KVM hypervisor hosts and supports efficient host-assisted changed-block tracking and host-side extent-map collection for configured storage backends.
snagent is installed on the hypervisor host, not inside the protected VM. It works with SNAs: when supported storage is in use, it provides an extent map that the SNA receives through QEMU guest tools.
When It Is Used
snagent is used by default when CloudStack KVM storage configured in SHA for the site or VM is QCOW NFS, ZFS, or LINSTOR DRBD and the agent path is available. RAW Block uses Sendense CBT rather than snagent.
Efficiency, not a hard dependency
When snagent is available for supported storage, it improves read efficiency by providing extent-map information. Without it, EBA-ST still uses Sendense CBT.
Host-Side Backup Flow
Host-assisted backup on a supported backend
On the host
Consistent Snapshot
snagent prepares a storage-level snapshot of the protected disk using the mechanism appropriate to the configured backend.
Changed or allocated
Extent Collection
snagent collects the changed extents for an incremental, or the allocated extents for a full.
Via QEMU guest tools
SNA Reads Extents
The SNA receives the extent information and reads only the identified extents.
After the backup
Host Cleanup
snagent removes its host-side snapshot and checkpoint state so no stale artifacts accumulate.
Deployment
Installation is a one-line command generated by SHA and gated by a one-time install token. Tokens are valid from 5 minutes to 24 hours (60 minutes by default), can be revoked before use, and are consumed by a single successful enrollment. The installer downloads the agent from SHA, installs it as a system service, enrolls the host, and starts the agent; the operator then confirms the host appears in SHA with its identity, version, and last check-in.
Hosts need root access, a KVM/libvirt hypervisor with systemd, and Linux x86-64. Reinstalling with a fresh token is supported; enrollment creates a new host record, and the superseded record should be revoked or deleted in the GUI.
Connectivity And Security
All agent-to-SHA communication is initiated by the agent as outbound HTTPS on TCP 443: a heartbeat about every 2 minutes, a configuration check-in about every 3 minutes, and update downloads. SHA never opens a connection to the host and never pushes commands, so no inbound firewall rules toward hypervisor hosts are required.
Each host agent binds to exactly one SHA - the enrollment identity holds a single hub endpoint and credential, and there is no multi-hub registration or failover. In service-provider deployments, enroll hypervisor hosts with the provider-managed SHA, not a tenant SHA; moving a host to a different SHA means re-enrolling it.
Agents on different hosts coordinate directly over mutual TLS. Certificates are issued automatically by a Sendense-managed private certificate authority: each agent generates its key locally (it never leaves the host), SHA verifies every signing request against the enrolled host identity, certificates renew automatically starting 30 days before expiry, and peer requests are accepted only from hosts on the current SHA-distributed trust list. Revoking a host in the GUI immediately invalidates its access and removes it from that trust list.
snagent deployment and connectivity
Every host agent connects outbound to exactly one SHA. Agents coordinate host-to-host over mutual TLS, and each agent attaches snapshot data to the SNA on its own host.
Exactly one hub per agent
The agent belongs to whichever SHA issued its install token, and the identity holds a single hub endpoint. In service-provider deployments that should be the provider-managed SHA - never a tenant SHA.
Updates via check-in
The operator sets a fleet target version in SHA. Agents learn it at their next check-in, verify the download's checksum, defer while backup work is in flight, and apply with a health gate that rolls back automatically on failure.
Data Locality On LINSTOR
For VMs on LINSTOR DRBD (ZFS-backed) storage, the agent reads from the local storage layer, so a backup can only be dispatched to an SNA on a host that holds a usable, up-to-date data copy of every one of that VM's volumes. If no such host also runs an SNA, the backup fails with "No suitable backup appliance available for this VM" - there is no fallback.
The check is per VM at backup time. Plan appliance placement so every protected VM has at least one data-copy-holding host that also runs an SNA; in many clusters that means running an SNA on all or most data-holding hosts. After each backup, agents share incremental tracking state across data-holding hosts, so incrementals survive VM or appliance movement.
QCOW NFS is not locality-bound: any healthy assigned SNA can be used, and requests are routed to the agent on the VM's host over the mutual-TLS peer channel when needed.
What Happens Without snagent
If snagent is not installed, not applicable, or unavailable, or the configured backend is RAW Block, Sendense still protects the environment using SNA, EBA Smart Transport, Sendense CBT, and EBA deduplication.
snagent improves supported CloudStack KVM deployments; it is not required for every Sendense deployment.
What snagent Is Not
- snagent is not the SNA. The SNA is the backup proxy that sends protected data to SHA.
- snagent is not a guest operating system agent; it runs on the hypervisor host, not inside protected VMs.
- snagent is not a generic agent for every platform or workload type.
Related Docs