Re: [Bacula-users] client-side data encryption without routine access to private key
On Tue, 17 Feb 2009, Landon Fuller wrote: > On Feb 17, 2009, at 8:48 AM, Martin Simmons wrote: > >> That sounds backwards to me. Shouldn't the encrypter (backup) use the >> public key to keep the data safe? Then only the decrypter (restore) >> can read the data, using the private key. > > Right. A symmetric session key is used for each backup run, which is > encrypted for all provided public keys and stored along-side the > encrypted data. This is how the "master" public key feature is > implemented. Thanks to Martin and Landon both for confirming this. I was aware of the existence of the session key, but stupidly skated over it in my original post. >> The private key is needed during backup if you use PKI Signatures. > > Right. Currently, enabling PKI encryption also enables signing, but the > encryption implementation does not require this, and the private key is > not necessary for encrypting the backups. > > However -- if you disable signing, there is no other validation > mechanism. One could add HMAC support without too much effort, but you > lose non-repudiation of the backups, as any recipient that can verify > the HMAC may also generate a valid one. I can live with that; data authentication isn't as important to me as encryption (ie, I'm more worried that real data will get into the wrong hands than that wrong data will get into the real hands). Would you know if I can disable signing in the configuration, or must I recompile; and if the latter, is it a config option or will I need to mess with the source myself? Thanks to all who have tried to help me with this so far. Tom Yates Cambridge, UK. -- Open Source Business Conference (OSBC), March 24-25, 2009, San Francisco, CA -OSBC tackles the biggest issue in open source: Open Sourcing the Enterprise -Strategies to boost innovation and cut costs with open source participation -Receive a $600 discount off the registration fee with the source code: SFAD http://p.sf.net/sfu/XcvMzF8H ___ Bacula-users mailing list Bacula-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/bacula-users
Re: [Bacula-users] client-side data encryption without routine access to private key
On Feb 17, 2009, at 8:48 AM, Martin Simmons wrote: That sounds backwards to me. Shouldn't the encrypter (backup) use the public key to keep the data safe? Then only the decrypter (restore) can read the data, using the private key. Right. A symmetric session key is used for each backup run, which is encrypted for all provided public keys and stored along-side the encrypted data. This is how the "master" public key feature is implemented. The private key is needed during backup if you use PKI Signatures. Right. Currently, enabling PKI encryption also enables signing, but the encryption implementation does not require this, and the private key is not necessary for encrypting the backups. However -- if you disable signing, there is no other validation mechanism. One could add HMAC support without too much effort, but you lose non-repudiation of the backups, as any recipient that can verify the HMAC may also generate a valid one. Cheers, -landonf PGP.sig Description: This is a digitally signed message part -- Open Source Business Conference (OSBC), March 24-25, 2009, San Francisco, CA -OSBC tackles the biggest issue in open source: Open Sourcing the Enterprise -Strategies to boost innovation and cut costs with open source participation -Receive a $600 discount off the registration fee with the source code: SFAD http://p.sf.net/sfu/XcvMzF8H___ Bacula-users mailing list Bacula-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/bacula-users
Re: [Bacula-users] Offsite backup solution
It was a couple of years ago I first brought this up. I guess you and I are the only one who would find a cross-sd migration/copy useful. The answer I got was "not likely unless you're paying for it", which is certainly fair enough, but I also got the feeling that the idea wasn't well received in general, and that it probably wouldn't be easy to integrate into the main code base. I could be wrong of course.. In my world it would be ideal if I could copy jobs (yes, like rsync) from one SD to another during the day, with a bandwidth limit. I'll have to give the idea of rsyncing disk volumes themselves another look Berend Dekens wrote: Hi all, After trying the new beta's which hold Copy Jobs support I discovered that a copy job (just like a migration job) can only transfer data from one storage pool to another within *the same* storage daemon. Because I wanted to use this for offsite backups this won't work for me. I tried to get offsite backups by doing a local backup first to the local SD and then another backup to the remote SD. This works fine when backupping but when you need to recover data (and you are using incrementals or differentials instead of full backups) the SD which you told to perform the restore will most likely ask for backup volumes which are part of the remote pool and remote SD. For some reason it seems that bacula can't keep the pool data seperate so this way of offsite backupping won't work (unless I missed an option somewhere). I now came up with a new plan: the offsite location has its own Bacula backup system with a seperate director and clients. The local bacula shares the storage daemon of the remote system (making scheduling a tad tricky to prevent 2 directors wanting to run jobs on the same SD). If I let the remote director backup the local systems, the data is completely offsite (including database) - giving me what I want. The biggest problem here is redundancy: I need to configure both directors for all clients (local and remote), all file sets used and add new schedules. Besides that I reckon this would/should/could work - right? Regards, Berend Dekens P.S. Hasn't anybody created a graphical configuration program for bacula yet? ^^ -- Open Source Business Conference (OSBC), March 24-25, 2009, San Francisco, CA -OSBC tackles the biggest issue in open source: Open Sourcing the Enterprise -Strategies to boost innovation and cut costs with open source participation -Receive a $600 discount off the registration fee with the source code: SFAD http://p.sf.net/sfu/XcvMzF8H ___ Bacula-users mailing list Bacula-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/bacula-users __ Scanned by Google Message Security - Leaving Seaman Paper begin:vcard fn:Jeff Dickens n:Dickens;Jeff org:Seaman Paper Company email;internet:j...@seamanpaper.com title:IT Manager tel;work:978-632-1513 x269 version:2.1 end:vcard -- Open Source Business Conference (OSBC), March 24-25, 2009, San Francisco, CA -OSBC tackles the biggest issue in open source: Open Sourcing the Enterprise -Strategies to boost innovation and cut costs with open source participation -Receive a $600 discount off the registration fee with the source code: SFAD http://p.sf.net/sfu/XcvMzF8H___ Bacula-users mailing list Bacula-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/bacula-users
Re: [Bacula-users] bacula-fd starts and then crash (leaving an empty file in /var/lock/subsys/bacula-fd)
On Tue, Feb 17, 2009 at 10:54 PM, John Drescher wrote: >> FileDaemon { # this is me >> Name= client.bacula.com-fd >> FDport = 9102 # where we listen for the >> director >> WorkingDirectory= /var/lib/bacula >> Pid Directory = /var/run/bacula >> Maximum Concurrent Jobs = 20 >> FDAddress = 127.0.0.1 >> } >> > > With 127.0.0.1 you will not be able to the fd. I mean this will only > work if this is also the machine with the director and SD. > That did not come out right. Use the external IP address network communication between the fd and sd and the fd and director will not work with 127.0.0.1 unless the director and SD run on the same machine. John -- Open Source Business Conference (OSBC), March 24-25, 2009, San Francisco, CA -OSBC tackles the biggest issue in open source: Open Sourcing the Enterprise -Strategies to boost innovation and cut costs with open source participation -Receive a $600 discount off the registration fee with the source code: SFAD http://p.sf.net/sfu/XcvMzF8H ___ Bacula-users mailing list Bacula-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/bacula-users
Re: [Bacula-users] bacula-fd starts and then crash (leaving an empty file in /var/lock/subsys/bacula-fd)
> FileDaemon { # this is me > Name= client.bacula.com-fd > FDport = 9102 # where we listen for the > director > WorkingDirectory= /var/lib/bacula > Pid Directory = /var/run/bacula > Maximum Concurrent Jobs = 20 > FDAddress = 127.0.0.1 > } > With 127.0.0.1 you will not be able to the fd. I mean this will only work if this is also the machine with the director and SD. John -- Open Source Business Conference (OSBC), March 24-25, 2009, San Francisco, CA -OSBC tackles the biggest issue in open source: Open Sourcing the Enterprise -Strategies to boost innovation and cut costs with open source participation -Receive a $600 discount off the registration fee with the source code: SFAD http://p.sf.net/sfu/XcvMzF8H ___ Bacula-users mailing list Bacula-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/bacula-users
[Bacula-users] bacula-fd starts and then crash (leaving an empty file in /var/lock/subsys/bacula-fd)
Hi, I try to install a client on a Redhat ES 4. I've installed this rpm : bacula-client-2.4.2-1.el4.i386.rpm I've udpated the configuration file for the client to this : Director { Name = home.bacula.com-dir Password = "thepwd" } # # Restricted Director, used by tray-monitor to get the # status of the file daemon # Director { Name = home.bacula.com-mon Password = "thepwd" Monitor = yes } # # "Global" File daemon configuration specifications # FileDaemon { # this is me Name= client.bacula.com-fd FDport = 9102 # where we listen for the director WorkingDirectory= /var/lib/bacula Pid Directory = /var/run/bacula Maximum Concurrent Jobs = 20 FDAddress = 127.0.0.1 } Messages { Name = Standard director = home.bacula.com-dir = all, !skipped, !restored } (name & password changed) When I start bacula-fd (service bacula-fd start) It says OK, but crahses just after service bacula-fd status gives : [r...@cllient bacula]# service bacula-fd status bacula-fd dead but subsys locked I can't see no log in /var/log/messages... Any Idea ? Thomas. PS : My Server version is 2.4.2-1ubuntu6 on ubuntu 8.10 -- Open Source Business Conference (OSBC), March 24-25, 2009, San Francisco, CA -OSBC tackles the biggest issue in open source: Open Sourcing the Enterprise -Strategies to boost innovation and cut costs with open source participation -Receive a $600 discount off the registration fee with the source code: SFAD http://p.sf.net/sfu/XcvMzF8H___ Bacula-users mailing list Bacula-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/bacula-users
Re: [Bacula-users] Perception of Bacula (was: products based on bacula)
Interesting problem. I was the one who started the previous thread about the naming. >When I'm talking with the management of a potential customer, I >neither use the tag line, nor do we read over the website together... >it's more that I offer a solution which can do this and that, works >reliably as shown by some things, and so on. It's called Bacula, is >open source, etc. pp. My previous and current experience is opposite. I work or have worked very closely with CIO/CTOs of various lines of businesses at our firm (Fortune 10 company) which has close to 70k servers. You would be amazed how much these people know the technical aspects of software since most of them were previous programmers but came to the darkside -- MBA :-) These are the final decision makers. My team is very hesitant to propose open source software primarily because of strange names (assuming the license is free enough). >In fact, if they want to talk about those things, they probably know a >web server called "apache", whose name is also quite ridiculous. Or >think about "Thunderbird" - that's a complete nonsense name if you >want to relate it to the products function - Bacula, at least, refers >to the actual function of the product. The name "Apache" is weird indeed but you are also stating Bacucla's has the reputation of the world's most popular Webserver. In addition, Apache is a "frontend" application, where backup software is considered extreme backend. >Given the company's intentions, if you're sure that tag line has to go >or to be replaced, I would suggest you start a poll on this mailing >list and forward the result... I'm pretty sure Kern (who's IP the name >and tag line are, probably) will consider any such request, though I'm >also sure he's quite fond of both name and tag line (actually, by now, >I share that fondness :-) Many people face this. For instance, we initially suggested "PostgreSQL" for one of our Retail Data warehouse -- 500TB at that time -- and the execs were frightened. Once we changed the name to "EnterpriseDB" and stated we have a support contract with them it was a done deal. The end users have been extremely happy and the cost were almost 20x cheaper than compared RDBMS. I think Bacucla should take a page from Apple's marketing department, instead of calling their next OS revision, "Uncia uncia" they are calling it "Snow Leopard" which is in line of their naming scheme and easy to present to the end user. Personally, I think Bacula is a great product. Its a good replacement for TSM to a certain degree and extremely cost cutting but I doubt it will make a lot of leadway to the enterprise without proper marketing. However, it will be popular in SMB sector. Just my 2 cents On Wed, Feb 4, 2009 at 3:15 PM, Arno Lehmann wrote: > Hi, > > 04.02.2009 18:13, Foo wrote: >> On Sat, 31 Jan 2009 08:02:14 +0100, Dan Langille wrote: >> >>> On Jan 30, 2009, at 3:07 PM, Arno Lehmann wrote: >> When I'm talking with the management of a potential customer, I neither use the tag line, nor do we read over the website together... >> >> Right, so you filter. Which is not always possible. > > Well, I agree, though personally, I never encountered such a > situation. Which might be because, most of the time now, potential > customers contact me, and not vice versa :-) > In fact, if they want to talk about those things, they probably know a web server called "apache", whose name is also quite ridiculous. >> >> It's not how fanciful a name is, but the (unintended) connotations. > > I really fail to see the negative connotations... still. > >> >>> All product evaluation should start with a list of requirements. We all >>> know about requirements collection. From there, you evaluate the >>> available products. Often points are awarded for various features. >> >> In my case we are byond the requirements stage, this is about selling it >> to third parties. Incidentally, I got a reply which concisely stated that >> no third party software may be installed, so the issue was deftly avoided, >> but I'm pretty sure the above played a part. >> >>> I have yet to see any requirements which specified "nice name" or >>> "non-tacky by line". >> >> Sure, but back in the real world marketing is king. The current Bacula >> marketing doesn't score points in some quarters, whether you like it or >> not (and eventually if you want to compete you have to compromise, whether >> you have 'do no evil' as your motto or not (see China)). >> >>> We have much bigger and better fish to fry. Worrying about potential >>> users who clearly do not have their priorities in order is not on our >>> top 10 list. >> >> Hey, I'm just trying to help, illustrated with example. > > ... and I guess the fact that people still read and answer this thread > shows you we appreciate that! > >>> If we were out to make money, these issues have much more merit. >> >> I thought that was the object of Bacula Systems. > > Hmm... in fac
Re: [Bacula-users] Offsite backup solution
> Hi Robert If you are working on it try to use pdo extension This can > greatly improve the base user which would be interested > > Use bacula with sqlite -> config in sqlite with pdo > Use bacula with mysql -> config in mysql with pdo > Use bacula with postgresql -> config in postgresql with pdo > Use bacula with oracle -> config in oracle with pdo > etc ... > > But with all options present in bacula, changing time to time for > different version > with the possibly of using one director at one version client with > another and sd a third (even if not recommended) > I'm just imaging that would give you too much work. > > vi, emacs [put the name of your favorite text editor] rocks in case of > bacula > > GUI ? there's gedit, kate, x-term+vi :- I'm using Symfony with Propel, but I'll look into pdo. The idea is that this will be very flexible so that anyone could easily add new directives without touching the code. That way new features in the future don't need to wait for the config tool. Robert -- Open Source Business Conference (OSBC), March 24-25, 2009, San Francisco, CA -OSBC tackles the biggest issue in open source: Open Sourcing the Enterprise -Strategies to boost innovation and cut costs with open source participation -Receive a $600 discount off the registration fee with the source code: SFAD http://p.sf.net/sfu/XcvMzF8H ___ Bacula-users mailing list Bacula-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/bacula-users
Re: [Bacula-users] Offsite backup solution
> vi, emacs [put the name of your favorite text editor] rocks in case of bacula > > GUI ? there's gedit, kate, x-term+vi :- > > I use nano via ssh for the most part with my >30 clients, >75 jobs, multiple SDs, external database, > 15 pools . I have my configuration files (50+) arranged in a folder hierarchy and make extensive use of the @ directive. John -- Open Source Business Conference (OSBC), March 24-25, 2009, San Francisco, CA -OSBC tackles the biggest issue in open source: Open Sourcing the Enterprise -Strategies to boost innovation and cut costs with open source participation -Receive a $600 discount off the registration fee with the source code: SFAD http://p.sf.net/sfu/XcvMzF8H ___ Bacula-users mailing list Bacula-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/bacula-users
Re: [Bacula-users] Offsite backup solution
Robert LeBlanc wrote: >> P.S. Hasn't anybody created a graphical configuration program for bacula >> yet? ^^ > > I'm working on one using PHP and MySQL, I'm hoping to be able to pull the > configuration straight from MySQL for the Director and SD. The FD doesn't > change so much so I was going to just spit out a file to put on the FD. Hi Robert If you are working on it try to use pdo extension This can greatly improve the base user which would be interested Use bacula with sqlite -> config in sqlite with pdo Use bacula with mysql -> config in mysql with pdo Use bacula with postgresql -> config in postgresql with pdo Use bacula with oracle -> config in oracle with pdo etc ... But with all options present in bacula, changing time to time for different version with the possibly of using one director at one version client with another and sd a third (even if not recommended) I'm just imaging that would give you too much work. vi, emacs [put the name of your favorite text editor] rocks in case of bacula GUI ? there's gedit, kate, x-term+vi :- -- Bruno Friedmann -- Open Source Business Conference (OSBC), March 24-25, 2009, San Francisco, CA -OSBC tackles the biggest issue in open source: Open Sourcing the Enterprise -Strategies to boost innovation and cut costs with open source participation -Receive a $600 discount off the registration fee with the source code: SFAD http://p.sf.net/sfu/XcvMzF8H ___ Bacula-users mailing list Bacula-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/bacula-users
Re: [Bacula-users] mt Command and Tape ONLINE status
Lenny does have mt-st http://packages.debian.org/lenny/mt-st so you could try that, instead of gnu mt. I just looked at the mtx-changer from lenny, and it looks like it should work with either mt (as in the one that returns ONLINE, and the one that just returns 'drive status'), so I do not know why it is not. I thought that none of the Debian mt ever returned ONLINE only 'drive status'. Thomas wrote: > booth versions are from the cpio package: > > zlato:~# mt --version > mt (GNU cpio 2.9) > zlato:~# /etc/bacula/mt --version > mt (GNU cpio 2.6) > > so "grep mt-st" will not match > and the current default mtx-changer will not work > with the actual version of gnu mt. > > -- Open Source Business Conference (OSBC), March 24-25, 2009, San Francisco, CA -OSBC tackles the biggest issue in open source: Open Sourcing the Enterprise -Strategies to boost innovation and cut costs with open source participation -Receive a $600 discount off the registration fee with the source code: SFAD http://p.sf.net/sfu/XcvMzF8H ___ Bacula-users mailing list Bacula-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/bacula-users
Re: [Bacula-users] Bacula+Exabyte VXA2
Matthew Conley wrote: > Curious is anyone using a VXA2 with their bacula? I wanted to see the > storage part of other bacula config files. I'm using a VXA-320 with the packetloader changer. Would that help? -- Mark Nienberg Sent from an invalid address. Please reply to the group. -- Open Source Business Conference (OSBC), March 24-25, 2009, San Francisco, CA -OSBC tackles the biggest issue in open source: Open Sourcing the Enterprise -Strategies to boost innovation and cut costs with open source participation -Receive a $600 discount off the registration fee with the source code: SFAD http://p.sf.net/sfu/XcvMzF8H ___ Bacula-users mailing list Bacula-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/bacula-users
Re: [Bacula-users] client-side data encryption without routine access to private key
> On Tue, 17 Feb 2009 07:07:19 -0800, Kevin Keane said: > > > The above manual page on data encryption says that the encryption involves > > three steps: > > > > 1. The File daemon generates a session key. > > 2. The FD encrypts that session key via PKE for all recipients (the > > file daemon, any master keys). > > 3. The FD uses that session key to perform symmetric encryption on the > > data. > > > > None of that seems to me to require the client's private key; only the > > public one. > Step 2 requires the FD's private key, I think - the documentation isn't > explicit on which key it uses for the encryption. But the private key is > the one that would make the most sense here. Otherwise, anybody who has > access to the public master key could access the backup. That sounds backwards to me. Shouldn't the encrypter (backup) use the public key to keep the data safe? Then only the decrypter (restore) can read the data, using the private key. The private key is needed during backup if you use PKI Signatures. __Martin -- Open Source Business Conference (OSBC), March 24-25, 2009, San Francisco, CA -OSBC tackles the biggest issue in open source: Open Sourcing the Enterprise -Strategies to boost innovation and cut costs with open source participation -Receive a $600 discount off the registration fee with the source code: SFAD http://p.sf.net/sfu/XcvMzF8H ___ Bacula-users mailing list Bacula-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/bacula-users
[Bacula-users] Bacula+Exabyte VXA2
Curious is anyone using a VXA2 with their bacula? I wanted to see the storage part of other bacula config files. -- Open Source Business Conference (OSBC), March 24-25, 2009, San Francisco, CA -OSBC tackles the biggest issue in open source: Open Sourcing the Enterprise -Strategies to boost innovation and cut costs with open source participation -Receive a $600 discount off the registration fee with the source code: SFAD http://p.sf.net/sfu/XcvMzF8H ___ Bacula-users mailing list Bacula-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/bacula-users
Re: [Bacula-users] mt Command and Tape ONLINE status
Brian Debelius schrieb: > There are 2 different mt programs. One is from cpio (i think), and the > other is from the mt-st package. I think you are having problems > detecting which mt you have. > > At the beginning of mtx-changer is a case function that sets the ready > string for wait_for_drive. The newer mtx-changer script correctly > handles this. > > I think you need to modify your mtx-changer to look like this (or use > the current mtx-changer) > > Linux) > ready="ONLINE" > if test -f /etc/debian_version ; then >mt --version | grep "mt-st" > /dev/null 2>&1 >if test $? -eq 1; then > ready="drive status" >fi > fi > booth versions are from the cpio package: zlato:~# mt --version mt (GNU cpio 2.9) zlato:~# /etc/bacula/mt --version mt (GNU cpio 2.6) so "grep mt-st" will not match and the current default mtx-changer will not work with the actual version of gnu mt. > Thomas wrote: >> without tape i get this output >> >> lenny: >> time mt -f /dev/nst1 status >> mt: /dev/nst1: rmtopen failed: Kein Medium gefunden >> >> real2m0.530s >> user0m0.000s >> sys 0m0.000s >> >> etch >> time /etc/bacula/mt -f /dev/nst1 status >> /etc/bacula/mt: /dev/nst1: Kein Medium gefunden >> >> real0m0.016s >> user0m0.000s >> sys 0m0.000s >> >> >> the new mt version needs 2 minutes >> >> Arno Lehmann schrieb: >> >>> Hi, >>> >>> 17.02.2009 09:48, Thomas wrote: >>> Hi List, yesterday i did an upgrade from etch to lenny. after the update bacula was no longer able to verify that the tapes are loaded correctly. >>> ... >>> but the mt output shows no ONLINE zlato:~# mt -f /dev/nst0 status drive type = 114 drive status = 1224736768 sense key error = 0 residue count = 0 file number = 0 block number = 0 zlato:~# this is the output from the etch mt: /etc/bacula/mt -f /dev/nst0 status drive type = Generic SCSI-2 tape drive status = 1224736768 sense key error = 0 residue count = 0 file number = 4 block number = 0 Tape block size 0 bytes. Density code 0x49 (unknown). Soft error count since last status=0 General status bits on (8101): EOF ONLINE IM_REP_EN zlato:~# mt --version mt (GNU cpio 2.9) zlato:~# /etc/bacula/mt --version mt (GNU cpio 2.6) zlato:~# zlato:~# strings /bin/mt | grep -i online zlato:~# strings /etc/bacula/mt | grep -i online ONLINE zlato:~# currently i use the etch mt, but what was the correct way to use the lenny mt? (compiling mt from source does not help, the output is identically to the lenny mt, so it looks not like a debian problem) >>> This seems to be a problem because the current mt produces different >>> output... it would be best if you ran mt without a tape loaded and >>> compared the output, so we can see what actually indicates a tape >>> loaded and ready. >>> >>> Arno >>> >>> Regards Thomas >> >> > -- [:O]###[O:] -- Open Source Business Conference (OSBC), March 24-25, 2009, San Francisco, CA -OSBC tackles the biggest issue in open source: Open Sourcing the Enterprise -Strategies to boost innovation and cut costs with open source participation -Receive a $600 discount off the registration fee with the source code: SFAD http://p.sf.net/sfu/XcvMzF8H ___ Bacula-users mailing list Bacula-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/bacula-users
Re: [Bacula-users] client-side data encryption without routine access to private key
Hi, Disclaimer: I haven't used bacula encryption. Just read the documentation and used to teach PKI. Tom Yates wrote: > I'm curious about encryption; specifically, encrypting the data on the > client-side before the storage daemon lays it down to tape. > > I've read http://www.bacula.org/en/dev-manual/Data_Encryption.html, and it > seems to suggest that the client *requires* both the client's private key > and the client's public key. Certainly, when I give the client a "PKI > Keypair =" file which contains only the public key, I get an "Error: > openssl.c:86 Unable to read private key from file ERR=error:0906D06C:PEM > routines:PEM_read_bio:no start line". > > But what I'm trying to do here is make a machine, and its backup tapes, > safe from physical seizure. The root FS of the machine is unencrypted > (and so, therefore, is the /etc/bacula directory); the file system I'm > worried about is normally encrypted. > With a PKI, you don't usually protect from physical seizure by avoiding the user of the private key, but by using its own separate key. If the machine is compromised, you simply revoke the FD key server-side. That makes the private key worthless. Since the private key is not actually used to encrypt the backups, your backups would still be recoverable. > I've tried giving the FD a .pem file which includes an encrypted private > key, in the hope that it would ask for a passphrase at start time (in the > manner of apache), but instead I get "openssl.c:86 Unable to read private > key from file: ERR=error:0906A068:PEM routines:PEM_do_header:bad password > read", so that's not working. > That makes sense, and is really not the best solution anyway. > The above manual page on data encryption says that the encryption involves > three steps: > > 1. The File daemon generates a session key. > 2. The FD encrypts that session key via PKE for all recipients (the file > daemon, any master keys). > 3. The FD uses that session key to perform symmetric encryption on the > data. > > None of that seems to me to require the client's private key; only the > public one. Step 2 requires the FD's private key, I think - the documentation isn't explicit on which key it uses for the encryption. But the private key is the one that would make the most sense here. Otherwise, anybody who has access to the public master key could access the backup. It probably actually uses double-encryption, using the public master key to keep the session key from being read by unauthorized parties. > Only restoration, or some other act requiring the decryption > of the filestream, seems to me to require the client's private key. Or is > there some other signing phase going on, that I'm not catching on to? > Yes, I think so. Remember that the data stream is not encrypted using any public or private key at all! Instead, it uses the session key, which is a symmetric encryption. Also, keep track of what, exactly, you are trying to protect against. If you are worried about the client data being stolen, and your backup accessed remotely through it, you may use a different strategy from if you are worried about the backup tapes being compromised. If the server tapes are in a secure location, maybe they don't need to be encrypted at all? In that case, you could simply use an SSH tunnel to do the actual backup and keep the data secure in transit. The main advantage such a solution would have is that SSH is a well-proven and well-understood configuration, so it is less likely that you accidentally open security holes. -- Kevin Keane Owner The NetTech Find the Uncommon: Expert Solutions for a Network You Never Have to Think About Office: 866-642-7116 http://www.4nettech.com This e-mail and attachments, if any, may contain confidential and/or proprietary information. Please be advised that the unauthorized use or disclosure of the information is strictly prohibited. The information herein is intended only for use by the intended recipient(s) named above. If you have received this transmission in error, please notify the sender immediately and permanently delete the e-mail and any copies, printouts or attachments thereof. -- Open Source Business Conference (OSBC), March 24-25, 2009, San Francisco, CA -OSBC tackles the biggest issue in open source: Open Sourcing the Enterprise -Strategies to boost innovation and cut costs with open source participation -Receive a $600 discount off the registration fee with the source code: SFAD http://p.sf.net/sfu/XcvMzF8H ___ Bacula-users mailing list Bacula-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/bacula-users
Re: [Bacula-users] mt Command and Tape ONLINE status
There are 2 different mt programs. One is from cpio (i think), and the other is from the mt-st package. I think you are having problems detecting which mt you have. At the beginning of mtx-changer is a case function that sets the ready string for wait_for_drive. The newer mtx-changer script correctly handles this. I think you need to modify your mtx-changer to look like this (or use the current mtx-changer) Linux) ready="ONLINE" if test -f /etc/debian_version ; then mt --version | grep "mt-st" > /dev/null 2>&1 if test $? -eq 1; then ready="drive status" fi fi Thomas wrote: > without tape i get this output > > lenny: > time mt -f /dev/nst1 status > mt: /dev/nst1: rmtopen failed: Kein Medium gefunden > > real2m0.530s > user0m0.000s > sys 0m0.000s > > etch > time /etc/bacula/mt -f /dev/nst1 status > /etc/bacula/mt: /dev/nst1: Kein Medium gefunden > > real0m0.016s > user0m0.000s > sys 0m0.000s > > > the new mt version needs 2 minutes > > Arno Lehmann schrieb: > >> Hi, >> >> 17.02.2009 09:48, Thomas wrote: >> >>> Hi List, >>> >>> yesterday i did an upgrade from etch to lenny. >>> after the update bacula was no longer able to verify >>> that the tapes are loaded correctly. >>> >> ... >> >>> but the mt output shows no ONLINE >>> >>> >>> zlato:~# mt -f /dev/nst0 status >>> drive type = 114 >>> drive status = 1224736768 >>> sense key error = 0 >>> residue count = 0 >>> file number = 0 >>> block number = 0 >>> zlato:~# >>> >>> this is the output from the etch mt: >>> >>> /etc/bacula/mt -f /dev/nst0 status >>> drive type = Generic SCSI-2 tape >>> drive status = 1224736768 >>> sense key error = 0 >>> residue count = 0 >>> file number = 4 >>> block number = 0 >>> Tape block size 0 bytes. Density code 0x49 (unknown). >>> Soft error count since last status=0 >>> General status bits on (8101): >>> EOF ONLINE IM_REP_EN >>> >>> >>> zlato:~# mt --version >>> mt (GNU cpio 2.9) >>> zlato:~# /etc/bacula/mt --version >>> mt (GNU cpio 2.6) >>> zlato:~# >>> >>> zlato:~# strings /bin/mt | grep -i online >>> zlato:~# strings /etc/bacula/mt | grep -i online >>> ONLINE >>> zlato:~# >>> >>> >>> currently i use the etch mt, but what was the correct way to use the lenny >>> mt? >>> (compiling mt from source does not help, the output is identically to the >>> lenny mt, >>> so it looks not like a debian problem) >>> >> This seems to be a problem because the current mt produces different >> output... it would be best if you ran mt without a tape loaded and >> compared the output, so we can see what actually indicates a tape >> loaded and ready. >> >> Arno >> >> >>> Regards >>> >>> Thomas >>> > > -- Open Source Business Conference (OSBC), March 24-25, 2009, San Francisco, CA -OSBC tackles the biggest issue in open source: Open Sourcing the Enterprise -Strategies to boost innovation and cut costs with open source participation -Receive a $600 discount off the registration fee with the source code: SFAD http://p.sf.net/sfu/XcvMzF8H ___ Bacula-users mailing list Bacula-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/bacula-users
Re: [Bacula-users] Finding performance issues
Hi ! (private) HKS wrote: > It seems more and more likely to me that this is a Bacula-specific > issue. What else can I dig into to try to resolve this? Can you check how many queries per second you get on the database while backing up ? Spooling makes no difference i take it ? Does attribute spooling make a difference ? (Spool Attributes = yes) If you didn`t check out attribute spooling yet it could still be a problem with the database. If it is you should see higher transfer speed during the backup. After the backup the attributes are commited to the database and THIS takes quite a while. At least that is what i can see on my system. I can see it inserting with about 250 - 300 queries per second ... never goes higher ... and for filesets with 10 million files that takes quite a while to commit ... Database, Attribute-Spool-Files, MySQL-Temp Files and Backup-Files are all on different arrays ... -- Daniel HoltkampRiege Software International GmbH System Administration Mollsfeld 10 40670 Meerbusch, Germany Phone: +49-2159-9148-41 mail: holtkamp [at] riege.comFax: +49-2159-9148-11 . Riege Software International GmbH Fon: +49 (2159) 9148 0 Mollsfeld 10 Fax: +49 (2159) 9148 11 40670 MeerbuschWeb: www.riege.com GermanyE-Mail: holtk...@riege.com ------ Handelsregister: Managing Directors: Amtsgericht Neuss HRB-NR 4207 Christian Riege USt-ID-Nr.: DE120585842Gabriele Riege Johannes Riege . YOU CARE FOR FREIGHT, WE CARE FOR YOU -- Open Source Business Conference (OSBC), March 24-25, 2009, San Francisco, CA -OSBC tackles the biggest issue in open source: Open Sourcing the Enterprise -Strategies to boost innovation and cut costs with open source participation -Receive a $600 discount off the registration fee with the source code: SFAD http://p.sf.net/sfu/XcvMzF8H ___ Bacula-users mailing list Bacula-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/bacula-users
[Bacula-users] client-side data encryption without routine access to private key
I'm curious about encryption; specifically, encrypting the data on the client-side before the storage daemon lays it down to tape. I've read http://www.bacula.org/en/dev-manual/Data_Encryption.html, and it seems to suggest that the client *requires* both the client's private key and the client's public key. Certainly, when I give the client a "PKI Keypair =" file which contains only the public key, I get an "Error: openssl.c:86 Unable to read private key from file ERR=error:0906D06C:PEM routines:PEM_read_bio:no start line". But what I'm trying to do here is make a machine, and its backup tapes, safe from physical seizure. The root FS of the machine is unencrypted (and so, therefore, is the /etc/bacula directory); the file system I'm worried about is normally encrypted. I've tried giving the FD a .pem file which includes an encrypted private key, in the hope that it would ask for a passphrase at start time (in the manner of apache), but instead I get "openssl.c:86 Unable to read private key from file: ERR=error:0906A068:PEM routines:PEM_do_header:bad password read", so that's not working. The above manual page on data encryption says that the encryption involves three steps: 1. The File daemon generates a session key. 2. The FD encrypts that session key via PKE for all recipients (the file daemon, any master keys). 3. The FD uses that session key to perform symmetric encryption on the data. None of that seems to me to require the client's private key; only the public one. Only restoration, or some other act requiring the decryption of the filestream, seems to me to require the client's private key. Or is there some other signing phase going on, that I'm not catching on to? Am I missing something, or is the only way to make this work to put the bacula FD's keys in plaintext, inside the encrypted filesystem? Tom Yates Cambridge, UK. -- Open Source Business Conference (OSBC), March 24-25, 2009, San Francisco, CA -OSBC tackles the biggest issue in open source: Open Sourcing the Enterprise -Strategies to boost innovation and cut costs with open source participation -Receive a $600 discount off the registration fee with the source code: SFAD http://p.sf.net/sfu/XcvMzF8H ___ Bacula-users mailing list Bacula-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/bacula-users
[Bacula-users] verify job with differences doesn't finish and blocks storage
Hi, lately I've seen that verify jobs that have differences just doesn't finish. bacula 2.4.4-b1, psql *st dir [...] Running Jobs: JobId Level Name Status == 9602 VolumeT VerifyVU0EF005-Absicherung-MPC-Volume2.2009-02-15_11.05.43.05 is running 9644 VolumeT VerifyVU0EM003.2009-02-17_07.06.00.27 has verify differences 9652 FullVU0EM003-FBR.2009-02-17_13.15.54.51 is running [...] *st client=VU0EM003 VU0EM003 Version: 2.2.8 (26 January 2008) x86_64-pc-linux-gnu debian 4.0 Daemon started 03-Feb-09 11:39, 33 Jobs run since started. Heap: heap=1,679,360 smbytes=311,531 max_bytes=464,196 bufs=193 max_bufs=362 Sizeof: boffset_t=8 size_t=8 debug=0 trace=0 Running Jobs: JobId 9644 Job VerifyVU0EM003.2009-02-17_07.06.00.27 is running. Verify Job started: 17-Feb-09 07:06 Files=105,275 Bytes=0 Bytes/sec=0 Errors=0 Files Examined=105,275 Processing file: /..long path. SDReadSeqNo=2844194 fd=7 [...] The job status doesn't change (Files Examined). * st stor [...] Running Jobs: Reading: Verify Volume to Catalog Restore job VerifyVU0EM003.2009-02-17_07 JobId=9644 Volume="vu0em003-inc-0470" pool="VU0EM003-Disk-Incremental" device="VU0EM003-DISK" (/data/bacula-storage/vu0em003) [...] Used Volume status: 06D142L3 on device "LTO3" (/dev/ULTRIUM-TD3) Reader=0 writers=0 devres=0 volinuse=0 vu0em003-inc-0470 on device "VU0EM003-DISK" (/data/bacula-storage/vu0em003) Reader=1 writers=0 devres=0 volinuse=1 [...] The last thing I see in the log file is 17-Feb 07:23 VUMEM004-dir JobId 9644: New file: .long path So, no activity since 7 hours. This is starting to be annoying because the volumes are then locked until I cancel thee job. Any ideas? Ralf -- Open Source Business Conference (OSBC), March 24-25, 2009, San Francisco, CA -OSBC tackles the biggest issue in open source: Open Sourcing the Enterprise -Strategies to boost innovation and cut costs with open source participation -Receive a $600 discount off the registration fee with the source code: SFAD http://p.sf.net/sfu/XcvMzF8H ___ Bacula-users mailing list Bacula-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/bacula-users
Re: [Bacula-users] mt Command and Tape ONLINE status
without tape i get this output lenny: time mt -f /dev/nst1 status mt: /dev/nst1: rmtopen failed: Kein Medium gefunden real2m0.530s user0m0.000s sys 0m0.000s etch time /etc/bacula/mt -f /dev/nst1 status /etc/bacula/mt: /dev/nst1: Kein Medium gefunden real0m0.016s user0m0.000s sys 0m0.000s the new mt version needs 2 minutes Arno Lehmann schrieb: > Hi, > > 17.02.2009 09:48, Thomas wrote: >> Hi List, >> >> yesterday i did an upgrade from etch to lenny. >> after the update bacula was no longer able to verify >> that the tapes are loaded correctly. > ... >> but the mt output shows no ONLINE >> >> >> zlato:~# mt -f /dev/nst0 status >> drive type = 114 >> drive status = 1224736768 >> sense key error = 0 >> residue count = 0 >> file number = 0 >> block number = 0 >> zlato:~# >> >> this is the output from the etch mt: >> >> /etc/bacula/mt -f /dev/nst0 status >> drive type = Generic SCSI-2 tape >> drive status = 1224736768 >> sense key error = 0 >> residue count = 0 >> file number = 4 >> block number = 0 >> Tape block size 0 bytes. Density code 0x49 (unknown). >> Soft error count since last status=0 >> General status bits on (8101): >> EOF ONLINE IM_REP_EN >> >> >> zlato:~# mt --version >> mt (GNU cpio 2.9) >> zlato:~# /etc/bacula/mt --version >> mt (GNU cpio 2.6) >> zlato:~# >> >> zlato:~# strings /bin/mt | grep -i online >> zlato:~# strings /etc/bacula/mt | grep -i online >> ONLINE >> zlato:~# >> >> >> currently i use the etch mt, but what was the correct way to use the lenny >> mt? >> (compiling mt from source does not help, the output is identically to the >> lenny mt, >> so it looks not like a debian problem) > > This seems to be a problem because the current mt produces different > output... it would be best if you ran mt without a tape loaded and > compared the output, so we can see what actually indicates a tape > loaded and ready. > > Arno > >> Regards >> >> Thomas > -- [:O]###[O:] -- Open Source Business Conference (OSBC), March 24-25, 2009, San Francisco, CA -OSBC tackles the biggest issue in open source: Open Sourcing the Enterprise -Strategies to boost innovation and cut costs with open source participation -Receive a $600 discount off the registration fee with the source code: SFAD http://p.sf.net/sfu/XcvMzF8H ___ Bacula-users mailing list Bacula-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/bacula-users
Re: [Bacula-users] How to properly escape Linux shell commands for ClientRunBeforeJob?
On Mon, 16 Feb 2009 14:56:34 +0100, Frank Sweetser wrote: > The problem isn't that you're not escaping the shell characters, > the problem is that there's no shell there to treat them as special > characters in the first place. From the RunScript section of > http://bacula.org/en/rel-manual/Configuring_Director.html#SECTION00143 Right, so that's probably why the redirection fails as well, thanks. -- Open Source Business Conference (OSBC), March 24-25, 2009, San Francisco, CA -OSBC tackles the biggest issue in open source: Open Sourcing the Enterprise -Strategies to boost innovation and cut costs with open source participation -Receive a $600 discount off the registration fee with the source code: SFAD http://p.sf.net/sfu/XcvMzF8H ___ Bacula-users mailing list Bacula-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/bacula-users
[Bacula-users] SD crash with 2.4.4 on Linux
Hi, I've upgraded our Bacula installation from 2.2.8 just to find out that the storage daemon crashes under load :( Sadly I can't do much debuging since this is a production system. I'll try to downgrade. However here are the facts: Gentoo 32bit vServer-Linux, bacula 2.4.4 (installed via Gentoo ebuild with the folowing USE flags: "bacula-console logrotate mysql python readline ssl tcpd"), backup to disk, ~140 backup jobs per night. Bacula clients still a 2.2.8! The storage daemon just hangs after a while (over night) and doesen't accept any more jobs. All other jobs are stuck with "...is waiting on Storage..." or "...is waiting on max Client jobs" (and that although every client is configured with "SDConnectTimeout = 2 min"... but that's another story) Backups fail with: "Storage daemon didn't accept Device "FileStorage" command". If I simply restart the storage daemon (have to kill it since it doesen't respond to my civillized requests) the backups continue. Did anyone encounter such a problem? Could it be because of the old client version? With 40+ clients I am hesitant to update all at once. Thanks much. Stefan Sorin Nicolin http://nicolinux.org/timr --- Unix guy, Mac head, Rails wannabe, iPhone Dev-ious, Computer Science alumnus, usability guesspert and overall big time visionary -- Open Source Business Conference (OSBC), March 24-25, 2009, San Francisco, CA -OSBC tackles the biggest issue in open source: Open Sourcing the Enterprise -Strategies to boost innovation and cut costs with open source participation -Receive a $600 discount off the registration fee with the source code: SFAD http://p.sf.net/sfu/XcvMzF8H ___ Bacula-users mailing list Bacula-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/bacula-users
Re: [Bacula-users] mt Command and Tape ONLINE status
Hi, 17.02.2009 09:48, Thomas wrote: > Hi List, > > yesterday i did an upgrade from etch to lenny. > after the update bacula was no longer able to verify > that the tapes are loaded correctly. ... > > but the mt output shows no ONLINE > > > zlato:~# mt -f /dev/nst0 status > drive type = 114 > drive status = 1224736768 > sense key error = 0 > residue count = 0 > file number = 0 > block number = 0 > zlato:~# > > this is the output from the etch mt: > > /etc/bacula/mt -f /dev/nst0 status > drive type = Generic SCSI-2 tape > drive status = 1224736768 > sense key error = 0 > residue count = 0 > file number = 4 > block number = 0 > Tape block size 0 bytes. Density code 0x49 (unknown). > Soft error count since last status=0 > General status bits on (8101): > EOF ONLINE IM_REP_EN > > > zlato:~# mt --version > mt (GNU cpio 2.9) > zlato:~# /etc/bacula/mt --version > mt (GNU cpio 2.6) > zlato:~# > > zlato:~# strings /bin/mt | grep -i online > zlato:~# strings /etc/bacula/mt | grep -i online > ONLINE > zlato:~# > > > currently i use the etch mt, but what was the correct way to use the lenny mt? > (compiling mt from source does not help, the output is identically to the > lenny mt, > so it looks not like a debian problem) This seems to be a problem because the current mt produces different output... it would be best if you ran mt without a tape loaded and compared the output, so we can see what actually indicates a tape loaded and ready. Arno > Regards > > Thomas -- Arno Lehmann IT-Service Lehmann Sandstr. 6, 49080 Osnabrück www.its-lehmann.de -- Open Source Business Conference (OSBC), March 24-25, 2009, San Francisco, CA -OSBC tackles the biggest issue in open source: Open Sourcing the Enterprise -Strategies to boost innovation and cut costs with open source participation -Receive a $600 discount off the registration fee with the source code: SFAD http://p.sf.net/sfu/XcvMzF8H ___ Bacula-users mailing list Bacula-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/bacula-users
[Bacula-users] mt Command and Tape ONLINE status
Hi List, yesterday i did an upgrade from etch to lenny. after the update bacula was no longer able to verify that the tapes are loaded correctly. from the job log: 2009-02-16 16:25:26 3301 Issuing autochanger "loaded? drive 0" command. 2009-02-16 16:25:26 3302 Autochanger "loaded? drive 0", result: nothing loaded. 2009-02-16 16:25:26 3304 Issuing autochanger "load slot 9, drive 0" command. 2009-02-16 16:30:27 Fatal error: 3992 Bad autochanger "load slot 9, drive 0": ERR=Child died from signal 15: Termination. Results=Loading media from Storage Element 9 into drive 0...done Program killed by Bacula watchdog (timeout) 2009-02-16 16:30:27 Fatal error: job.c:1817 Bad response to Append Data command. Wanted 3000 OK data , got 3903 Error append data mtx.log: 20090216-16:34:19 Doing mtx -f /dev/sg2 load 9 0 20090216-16:34:38 Device /dev/nst0 - not ready, retrying... 20090216-16:34:39 Device /dev/nst0 - not ready, retrying... 20090216-16:34:40 Device /dev/nst0 - not ready, retrying... 20090216-16:34:41 Device /dev/nst0 - not ready, retrying... 20090216-16:34:42 Device /dev/nst0 - not ready, retrying... . 20090216-16:39:19 Device /dev/nst0 - not ready, retrying... 5 Minutes of retrying until it was killed. the mtx-changer script greps ONLINE in the mt outpout: ready = ONLINE wait_for_drive() { i=0 while [ $i -le 300 ]; do # Wait max 300 seconds if ${MT} -f $1 status | grep ${ready} >/dev/null 2>&1; then break fi debug "Device $1 - not ready, retrying..." sleep 1 i=`expr $i + 1` done } but the mt output shows no ONLINE zlato:~# mt -f /dev/nst0 status drive type = 114 drive status = 1224736768 sense key error = 0 residue count = 0 file number = 0 block number = 0 zlato:~# this is the output from the etch mt: /etc/bacula/mt -f /dev/nst0 status drive type = Generic SCSI-2 tape drive status = 1224736768 sense key error = 0 residue count = 0 file number = 4 block number = 0 Tape block size 0 bytes. Density code 0x49 (unknown). Soft error count since last status=0 General status bits on (8101): EOF ONLINE IM_REP_EN zlato:~# mt --version mt (GNU cpio 2.9) zlato:~# /etc/bacula/mt --version mt (GNU cpio 2.6) zlato:~# zlato:~# strings /bin/mt | grep -i online zlato:~# strings /etc/bacula/mt | grep -i online ONLINE zlato:~# currently i use the etch mt, but what was the correct way to use the lenny mt? (compiling mt from source does not help, the output is identically to the lenny mt, so it looks not like a debian problem) Regards Thomas -- [:O]###[O:] -- Open Source Business Conference (OSBC), March 24-25, 2009, San Francisco, CA -OSBC tackles the biggest issue in open source: Open Sourcing the Enterprise -Strategies to boost innovation and cut costs with open source participation -Receive a $600 discount off the registration fee with the source code: SFAD http://p.sf.net/sfu/XcvMzF8H ___ Bacula-users mailing list Bacula-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/bacula-users
Re: [Bacula-users] bacula hang issue. was: bacula sometimes gets stuck when volume wanted is already in a different drive
Hello. I just wanted to inform the list that I worked around the issue by minimizing the number of devices/storages. The problem with this is that there may be only as many parallel jobs as the number of devices. I've created separate devices for the clients having biggest backups, currently the number is 4 and it hasn't caused the problem so far.. PS. If the issue reappears I'll create another thread for that and start debugging it correctly.. currently I just hope it gets solved "by itself" :) -- Silver On Thursday 05 February 2009 23:27:00 Arno Lehmann wrote: > Hi Silver, > > 05.02.2009 12:19, Silver Salonen wrote: > > OK, so.. it seems I'm on my own again.. anyone else experiencing this problem? > > I suggest you start a new thread with all the details - those are not > easily found in the existing mails, and I guess noone here currently > has the spare time to collect all that... > > > The problem (once again): all the jobs that are not waiting for > > execution (or for any other resource), are waiting on storage. > > > > And I still can't understand how can this be a support request and why it > > can't be considered a bug :S > > It can be considered a bug if the developers see good indications for > it... currently, Kern doesn't, so... > > > Could anyone else check the current information and see why it's not a bug? > > ... we need you relevant configuration, status output, and a backtrace > of the SD with debug symbols, all in one place. Or rather, the > developers do, but it would be best to post this here first so others > can check it first. > > > PS. I'm sorry I can't let it go.. but my backups are hung every night :( > > Good reasons to insist on help :-) > > And, fortunately, a good base to collect the necessary information. > > I suggest you start by restarting the complete Bacula suite and > collect debug output from the programs. > > Then leave it run until the problem shows up. Wait a while, and create > the traceback. > > Stop debug output, and shorten the output files to only show the > relevant information, i.e. what happens shortly before the problem > happens. > > Then write a short, concise description of the problem, and don't > forget the version of the programs, the OS, and the relevant > environment details you're running under. > > And then let's see if someone sees something interesting there. > > Arno -- Open Source Business Conference (OSBC), March 24-25, 2009, San Francisco, CA -OSBC tackles the biggest issue in open source: Open Sourcing the Enterprise -Strategies to boost innovation and cut costs with open source participation -Receive a $600 discount off the registration fee with the source code: SFAD http://p.sf.net/sfu/XcvMzF8H ___ Bacula-users mailing list Bacula-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/bacula-users