[Fwd: Re: strange planner problems]
Craig Dewick wrote:
> Hi to help those of you who know about the internals of Amanda's components, I've attached last night's amanda report which shows all the network unreachable messages.
>
> You'll note that they occur even for the actual tape host machine along with two other machines which are all here in the same room with no firewall of any sort.
>
> My theory at the moment is that the packets are for some reason ending up at my ADSL router which doesn't know what to do since the port numbers would get automatically blocked by its default firewall settings. This could mean that I have the basic network config for my main Cisco router set up incorrectly but this problem which Amanda is displaying has never occurred with any other software or port that I know of before. I'm not sure if it's a router config issue or an Amanda issue at the moment.

Hi,

Could it be that 'other software' which uses a specific port has already defined a SPAT (static Port Address Translation) in the cisco router? If bsdtcp is used, only port 10080 is used on the client side.

Hope this helps!
--Kevin Till

Ref: http://www.cisco.com/warp/public/794/827spat.html

ip nat inside source static tcp 192.168.0.5 80 171.68.1.1 80 extendable
!--- This statement performs the static address translation for the Web server.
!--- With this statement, users that try to reach 171.68.1.1 port 80 (www) are
!--- automatically redirected to 192.168.0.5 port 80 (www). In this case
!--- it is the Web server.

--
Thank you!
Kevin Till

Zmanda Management Console (ZMC) now available at http://zmanda.com

--- Begin Message ---

Craig.

*** THE DUMPS DID NOT FINISH PROPERLY!

Hostname: jedi
Org : ORBnet
Config : ORBnet
Date: September 25, 2007

These dumps were to tape ORBnet05.
The next tape Amanda expects to use is: ORBnet06.

FAILURE AND STRANGE DUMP SUMMARY:
  yoda /dev/dsk/c0t0d0s0 lev 0 FAILED [port open: Network is unreachable]
  jedi /dev/dsk/c0t0d0s0 lev 0 FAILED [port open: Network is unreachable]
  yoda /dev/dsk/c0t0d0s0 lev 0 FAILED [port open: Network is unreachable]
  jedi /dev/dsk/c0t0d0s0 lev 0 FAILED [port open: Network is unreachable]
  lios /dev/dsk/c3t1d0s0 lev 0 FAILED [port open: Network is unreachable]
  jedi /dev/dsk/c0t0d0s6 lev 0 FAILED [port open: Network is unreachable]
  lios /dev/dsk/c3t1d0s0 lev 0 FAILED [port open: Network is unreachable]
  jedi /dev/dsk/c0t0d0s6 lev 0 FAILED [port open: Network is unreachable]
  yoda /dev/dsk/c0t0d0s6 lev 0 FAILED [port open: Network is unreachable]
  jedi /dev/dsk/c0t0d0s3 lev 0 FAILED [port open: Network is unreachable]
  yoda /dev/dsk/c0t0d0s6 lev 0 FAILED [port open: Network is unreachable]
  jedi /dev/dsk/c0t0d0s3 lev 0 FAILED [port open: Network is unreachable]
  yoda /dev/dsk/c2t2d0s3 lev 0 FAILED [port open: Network is unreachable]
  jedi /dev/dsk/c0t0d0s7 lev 0 FAILED [port open: Network is unreachable]
  yoda /dev/dsk/c2t2d0s3 lev 0 FAILED [port open: Network is unreachable]
  jedi /dev/dsk/c0t0d0s7 lev 0 FAILED [port open: Network is unreachable]
  yoda /dev/dsk/c0t1d0s7 lev 0 FAILED [port open: Network is unreachable]
  yoda /dev/dsk/c0t1d0s7 lev 0 FAILED [port open: Ne
Re: Troubleshooting new Amanda client: Amanda user?
Zembower, Kevin wrote:
> Kevin, thanks so much for writing. I appreciate your suggestions and questions. Here's /etc/xinet.d/amanda:
>
> [EMAIL PROTECTED] ~]# cat /etc/xinetd.d/amanda
> # default: off
> # description: The client for the Amanda backup system.\
> # This must be on for systems being backed up\
> # by Amanda.
> service amanda
> {
>     socket_type = dgram
>     protocol = udp
>     wait = yes
>     user = amanda
>     group = disk
>     server = /usr/lib/amanda/amandad
>     disable = no
> }
> [EMAIL PROTECTED] ~]#
>
> No 'auth' seems to be indicated. It's running the default, bsd. The disklist entry for the 'tobaccodev' host on the tapehost is:
>
> [EMAIL PROTECTED]:~$ grep tobaccodev /etc/amanda/DBackup/disklist
> # tobaccodev host
> # Uncomment when internal DNS set up for tobaccodev
> tobaccodev /dev/mapper/VolGroup00-LogVol00 tar #tobaccodev: /
> tobaccodev /dev/sda1 tar #tobaccodev: /boot
> [EMAIL PROTECTED]:~$
>
> No 'auth' is indicated there, either. The 'tar' dumptype is defined on the tapehost with:
>
> define dumptype global {
>     comment "Global definitions"
>     index yes
> }
> define dumptype tar {
>     global
>     program "GNUTAR"
> }
>
> Also, something may have just changed because of changes in my tobaccodev:~amanda/.amandahosts file, based on suggestions from Gene Heskett. This file now reads:
>
> [EMAIL PROTECTED] ~]# cat ~amanda/.amandahosts
> centernet.jhuccp.org backup amdump amindexd amidxtaped
> cn2.jhuccp.org backup amdump amindexd amidxtaped
> [EMAIL PROTECTED] ~]#
>
> This seems to now have caused the amanda log files to be written:
>
> [EMAIL PROTECTED] ~]# ls -la /var/log/amanda/amandad.200706221*
> -rw-r- 1 amanda disk 2525 Jun 22 14:26 /var/log/amanda/amandad.20070622142641.debug
> -rw-r- 1 amanda disk 2525 Jun 22 15:02 /var/log/amanda/amandad.20070622150238.debug
> [EMAIL PROTECTED] ~]# cat /var/log/amanda/amandad.20070622150238.debug
> amandad: debug 1 pid 8055 ruid 0 euid 33: start at Fri Jun 22 15:02:38 2007
> amandad: version 2.5.0p2
> amandad: build: VERSION="Amanda-2.5.0p2"
> amandad: BUILT_DATE="Sun Jan 7 04:49:22 EST 2007"
> amandad: BUILT_MACH="Linux builder5.centos.org 2.6.9-42.0.3.ELsmp #1 SMP Fri Oct 6 06:28:26 CDT 2006 i686 i686 i386 GNU/Linux"
> amandad: CC="gcc"
> amandad: CONFIGURE_COMMAND="'./configure' '--build=i686-redhat-linux-gnu' '--host=i686-redhat-linux-gnu' '--target=i386-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib' '--libexecdir=/usr/lib/amanda' '--localstatedir=/var/lib' '--sharedstatedir=/usr/com' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--enable-shared' '--disable-static' '--disable-dependency-tracking' '--with-index-server=amandahost' '--with-tape-server=amandahost' '--with-config=DailySet1' '--with-gnutar-listdir=/var/lib/amanda/gnutar-lists' '--with-smbclient=/usr/bin/smbclient' '--with-dumperdir=/usr/lib/amanda/dumperdir' '--with-amandahosts' '--with-user=amanda' '--with-group=disk' '--with-tmpdir=/var/log/amanda' '--with-gnutar=/bin/tar' '--with-ssh-security'"
> amandad: paths: bindir="/usr/bin" sbindir="/usr/sbin"
> amandad: libexecdir="/usr/lib/amanda" mandir="/usr/share/man"
> amandad: AMANDA_TMPDIR="/var/log/amanda"
> amandad: AMANDA_DBGDIR="/var/log/amanda" CONFIG_DIR="/etc/amanda"
> amandad: DEV_PREFIX="/dev/" RDEV_PREFIX="/dev/r"
> amandad: DUMP="/sbin/dump" RESTORE="/sbin/restore" VDUMP=UNDEF
> amandad: VRESTORE=UNDEF XFSDUMP=UNDEF XFSRESTORE=UNDEF VXDUMP=UNDEF
> amandad: VXRESTORE=UNDEF SAMBA_CLIENT="/usr/bin/smbclient"
> amandad: GNUTAR="/bin/tar" COMPRESS_PATH="/bin/gzip"
> amandad: UNCOMPRESS_PATH="/bin/gzip" LPRCMD="/usr/bin/lpr"
> amandad: MAILER="/usr/bin/Mail"
> amandad: listed_incr_dir="/var/lib/amanda/gnutar-lists"
> amandad: defs: DEFAULT_SERVER="amandahost" DEFAULT_CONFIG="DailySet1"
> amandad: DEFAULT_TAPE_SERVER="amandahost"
> amandad: DEFAULT_TAPE_DEVICE="null:" HAVE_MMAP HAVE_SYSVSHM
> amandad: LOCKING=POSIX_FCNTL SETPGRP_VOID DEBUG_CODE
> amandad:
Re: Troubleshooting new Amanda client: Amanda user?
Zembower, Kevin wrote:
> I'm trying to get a new Amanda client working with my existing Amanda system. My tapehost is a Debian/GNU 4.0 system named 'centernet.jhuccp.org.' It uses 'backup' as the Amanda username. My client is host 'tobaccodev.jhuccp.org' with CentOS 5, using 'amanda' as the Amanda user. The client 'amanda' has a ~/.amandahosts file containing:
>
> [EMAIL PROTECTED] ~]# cat /var/lib/amanda/.amandahosts
> centernet.jhuccp.org backup
> cn2.jhuccp.org backup
> [EMAIL PROTECTED] ~]#
>
> I have netstat output showing amanda listening, /etc/xinet.d/amanda with proper (I think) configuration, tcpdump with packets arriving for amanda from centernet, but the tapehost reports:
>
> [EMAIL PROTECTED]:~$ amcheck -c DBackup tobaccodev
>
> Amanda Backup Client Hosts Check
> WARNING: tobaccodev: selfcheck request failed: timeout waiting for ACK
> Client check: 1 host checked in 30.019 seconds, 1 problem found
>
> (brought to you by Amanda 2.5.1p1)
> [EMAIL PROTECTED]:~$
>
> I'm running iptables on tobaccodev, but I set up a firewall rule according to http://wiki.zmanda.com/index.php/How_To:Set_Up_iptables_for_Amanda that I thought should have worked:
>
> [EMAIL PROTECTED] ~]# iptables -t filter -A INPUT -p udp -m udp -s centernet.jhuccp.org --dport 10080 -j ACCEPT
> [EMAIL PROTECTED] ~]# iptables -L
> Chain INPUT (policy ACCEPT)
> target prot opt source destination
> RH-Firewall-1-INPUT all -- anywhere anywhere
> ACCEPT udp -- centernet.jhuccp.org anywhere udp dpt:amanda
>
> I can't find any Amanda log files on the client tobaccodev. Can anyone point out what I'm doing wrong? Is there any other diagnostic I can run or send in to help troubleshoot this problem?

What dumptype (in particular, what auth) is used? Please list the /etc/xinet.d/amanda file.

Additional auth (bsdtcp, bsdudp) are added to Amanda 2.5.1. Please see
http://wiki.zmanda.com/index.php/Configuring_bsd/bsdudp/bsdtcp_authentication

--
Thank you!
Kevin Till

Zmanda Management Console (ZMC) now available at http://zmanda.com
Re: One partition of remote machine, "all estimate failed" since 2007-May-30
Glenn Gillis wrote:
> Every day for the last few weeks (since May 30) one partition of a remote machine fails with an "all estimate failed" error. The exact error is:
>
> FAILURE AND STRANGE DUMP SUMMARY:
>   luna.elaw.org /zope lev 0 FAILED [disk /zope, all estimate failed]
>
> If I run "amcheck daily" as the "operator" user before the job runs, I receive this message during the "Backup Client Hosts Check" portion:
>
> "ERROR: luna.elaw.org: [could not access /dev/ad0s1e (/zope): Permission denied]"
>
> Despite that error, I cannot find a permissions problem; the permissions on the root directory are "drwxr-xr-x root:wheel" and on the /zope directory "drwxr-xr-x root:wheel". Inside the /zope directory, everything (at least at the top level) is drwxr-xr-x zope:zope.
>
> I've been backing up both of these systems with Amanda for several years and haven't ever had estimates for a partition just stop working. I'm running Amanda version 2.4.5p1, gtar-1.13.25 on the Amanda host; and gtar-1.16_2 on the remote host. Both hosts are running FreeBSD 4.11-RELEASE-p26.
>
> I've looked in the /tmp/amanda/*.debug files, as suggested in this thread: <http://forums.zmanda.com/archive/index.php/t-299.html>, but haven't found anything that looks troublesome.
>
> Anyone have any thoughts about where to look from here?

have you upgraded the gtar on the client recently? gtar 1.16 returns 1 when it sees size of a file changes. It's a new behavior that breaks Amanda prior to Amanda-2.5.1p2.

See: http://wiki.zmanda.com/index.php/FAQ:What_versions_of_GNU_Tar_are_Amanda-compatible%3F

--
Thank you!
Kevin Till

Zmanda Management Console (ZMC) now available at http://zmanda.com
Re: old server 2.4.2p2 fails to backup newer client 2.5.1p1
Jon LaBadie wrote:
> On Tue, Jun 05, 2007 at 04:19:52PM -0700, Kevin Till wrote:
>> Carl D. Blake wrote:
>>> I am running a 2.4.2p2 amanda server which is attempting to backup a machine with 2.5.1p1 amanda client (Debian Etch). The server is backing up several machines, but it seems to have trouble with the machines which are running 2.5.1p1 client. The symptom is that the server reports that the sendsize failed. The messages in the amdump log file are:
>>> ...
>>
>> the 2.5.1p1 client needs to run auth="bsd" which is the only auth the Amanda 2.4.2p2 server understands.
>
> Kevin, does this mean that the 2.5.1 default authentication is different than in the 2.4 releases and thus breaks backward compatibility without some config changes?

Hi Jon,

no. default auth for 2.5.1 is still "bsd". I just want to make sure that the machine is set up as such

--
Thank you!
Kevin Till

Zmanda Management Console (ZMC) now available at http://zmanda.com
Re: old server 2.4.2p2 fails to backup newer client 2.5.1p1
> : time 0.028: (sockaddr_in *)0xb7f44070 = { 2, 632, 10.0.1.135 }
> amandad: time 0.028: received ACK pkt: <<<<<
> security_close(handle=0x8050140, driver=0xb7f330e0 (BSD))
> amandad: time 30.031: pid 19080 finish time Fri Jun 1 19:00:31 2007
>
> and the sendsize debug file on the client machine says:
>
> sendsize: debug 1 pid 19081 ruid 34 euid 34: start at Fri Jun 1 19:00:01 2007
> sendsize: version 2.5.1p1
> Could not open conf file "/etc/amanda/amanda-client.conf": No such file or directory
>
> I've tried adding an empty amanda-client.conf file, but it doesn't make any difference. Running amcheck works fine - the server doesn't report any problems in attempting to access the 2.5.1p1 client, it's only when the actual dump occurs and then sendsize fails. If I downgrade the version of amanda to 2.4.4p3 then it seems to work fine. Any suggestions?

the 2.5.1p1 client needs to run auth="bsd" which is the only auth the Amanda 2.4.2p2 server understands.

Please refer: http://wiki.zmanda.com/index.php/Configuring_bsd/bsdudp/bsdtcp_authentication

--
Thank you!
Kevin Till

Zmanda Management Console (ZMC) now available at http://zmanda.com
Re: Encrypted backup's w/2.5.x
Donofrio, Lewis wrote:
> Does amanda still need a patched gnutar script to obtain gpg encrypted backups.

no. Data encryption is built in to Amanda 2.5.1

> Moreover does it still 'hamper amrestores?'

no. Please refer to this document for detail.

"Secure Network Backups in a Heterogeneous Environment in the Time it Takes to Have Pizza Delivered"
http://www.zmanda.com/quick-backup-setup.html

> --ie do I need a second tty to tell amtape to change tapes between expand function of amrestore?
>
> __
> Lewis [EMAIL PROTECTED]
> Cell: (734) 323-8776

--
Thank you!
Kevin Till

Zmanda Management Console (ZMC) now available at http://zmanda.com
Re: only amrecover with bsdauth
Alan Pearson wrote:
> As I'm sure you've seen I'm having difficulty getting amrecover to do krb5.
>
> So is there any way I can make just amrecover do bsdauth ?
>
> I'd settle for just that host (which is also the tape server)
>
> Do I just set auth=bsdtcp on that host in my xinetd conf and adjust .amandahosts accordingly ?

yes. Start amrecover with -o auth=bsdtcp. Or add

auth "bsdtcp"

to /etc/amanda/amanda-client.conf

--
Thank you!
Kevin Till

Amanda documentation: http://wiki.zmanda.com
Amanda forums: http://forums.zmanda.com
Re: amrecover with krb5 - amindexd problems ?
alan pearson wrote:
> Kevin
>
> Full marks for a correct answer, I'd another service called 'amanda' in there from who knows when !
> So it's all disabled ... and I can be sure it's only k5amanda playing now
>
> Interestingly though now amrecover can't connect even with k5amanda only running..
>
> AMRECOVER Version 2.5.1p2. Contacting server on qtvsrv1 ...
> [request failed: timeout waiting for ACK]

Alan,

try: amrecover -o auth=krb5

> No amandad debug file is produced.
> But if I do telnet qtvsrv1 k5amanda I get connected and a debug file produced.
> Strange.
>
> Big thanks though, I'm a bit further on now. If anyone else has any more clues...
>
> - Original Message
> From: Kevin Till <[EMAIL PROTECTED]>
> To: Alan Pearson <[EMAIL PROTECTED]>
> Cc: amanda-users@amanda.org
> Sent: Wednesday, 28 February, 2007 9:17:47 PM
> Subject: Re: amrecover with krb5 - amindexd problems ?
>
> Alan Pearson wrote:
>> A little update,
>>
>> You notice below that amandad has been told to use krb5 auth ?
>>
>> This from the debug log :
>>
>> security_handleinit(handle=0x934f660, driver=0x1cbfa0 (BSD))
>> amandad: time 0.003: accept recv REQ pkt: <<<<<
>> SERVICE amindexd
>> OPTIONS features=feff9ffeff7f;auth=bsd;
>>
>> auth=bsd ??? I don't think so.
>>
>> This leads me to believe amandad is ignoring all server_args, which I think I confirmed by experimentation. It doesn't matter what I put in server_args, they get ignored.
>>
>> xinetd is not complaining about anything which leads me to believe my syntax is all fine etc...
>
> Hi Alan,
>
> although I cannot confirm that krb5 support is working fine in 2.5.1p2, I can assure you that server_args is working fine. I suspect that another amanda process which runs bsd is started by xinetd. I would try to put "disable = yes" to k5amanda. Restart xinetd, see if you see the same result.
>
> --Kevin
>
>> Any help appreciated !
>>
>> ---
>> AlanP
>>
>> On 28 Feb 2007, at 16:21, Alan Pearson wrote:
>>
>>> Guys
>>>
>>> Trying to use amrecover like so :
>>>
>>> [EMAIL PROTECTED] amandad]# amrecover DailySet1 -d /dev/nst0 -t qtvsrv1 -s qtvsrv1
>>> AMRECOVER Version 2.5.1p2. Contacting server on qtvsrv1 ...
>>> NAK: amindexd: invalid service
>>>
>>> /etc/xinetd/k5amanda :
>>>
>>> service k5amanda
>>> socket_type = stream
>>> protocol = tcp
>>> wait = no
>>> user = root
>>> group = backup
>>> server = /usr/libexec/amandad
>>> server_args = -auth=krb5 amdump amindexd amidxtaped
>>> }
>>>
>>> Debug from amandad
>>>
>>> [EMAIL PROTECTED] amandad]# cat amandad.20070228162001.debug
>>> amandad: debug 1 pid 15440 ruid 1083 euid 1083: start at Wed Feb 28 16:20:01 2007
>>> security_getdriver(name=BSD) returns 0xcecfa0
>>> amandad: version 2.5.1p2
>>> amandad: build: VERSION="Amanda-2.5.1p2"
>>> amandad: BUILT_DATE="Thu Feb 1 03:24:00 GMT 2007"
>>> amandad: BUILT_MACH="Linux qa-apps 2.6.9-42.ELsmp #1 SMP Wed Jul 12 23:27:17 EDT 2006 i686 i686 i386 GNU/Linux"
>>> amandad: CC="gcc"
>>> amandad: CONFIGURE_COMMAND="'./configure' '--with-krb5-security' '--with-user=amanda' '--with-group=backup' '--with-config=DailySet1' '--sbindir=/usr/sbin' '--libexecdir=/usr/libexec' '--libdir=/usr/lib' '--with-configdir=/etc/amanda' '--with-gnutar-listdir=/var/amanda/gnutar-lists' '--mandir=/usr/share/man'"
>>> amandad: paths: bindir="/usr/local/bin" sbindir="/usr/sbin"
>>> amandad: libexecdir="/usr/libexec" mandir="/usr/share/man"
>>> amandad: AMANDA_TMPDIR="/tmp/amanda" AMANDA_DBGDIR="/tmp/amanda"
>>> amandad: CONFIG_DIR="/etc/amanda" DEV_PREFIX="/dev/"
>>> amandad: RDEV_PREFIX="/dev/r" DUMP="/sbin/dump"
>>> amandad: RESTORE="/sbin/restore" VDUMP=UNDEF VRESTORE=UNDEF
>>> amandad: XFSDUMP=UNDEF XFSRESTORE=UNDEF VXDUMP=UNDEF VXRESTORE=UNDEF
>>> amandad: SAMBA_CLIENT="/usr/bin/smbclient" GNUTAR="/bin/gtar"
>>> amandad: COMPRESS_PATH="/bin/gzip" UNCOMPRESS_PATH="/bin/gzip"
>>> amandad: LPRCMD="/usr/bin/lpr" MAILER="/usr/bin/Mail"
>>> amandad: listed_incr_dir="/var/amanda/gnutar-lists"
>>> amandad: defs: DEFAULT_SERVER="qa-apps" DEFAULT_CONFIG="DailySet1"
>>> amandad: DEFAULT_TAPE_SERVER="qa-apps" HAVE_MMAP HAVE_SYSVSHM
>>> amandad: LOCKING=POSIX_FCNTL SETPGRP_VOID DEBUG_CODE
>>> amandad: AMANDA_DEBUG_DAYS=4 BSD_SECURITY KRB5_SECURITY RSH_SECURITY
>>> amandad: USE_AMANDAHOSTS CLIENT_LOGIN="amanda" FORCE_USERID HAVE_GZIP
>>> amandad: COMPRESS_SUFFIX=".gz" COMPRESS_FAST_OPT="--fast"
>>> amandad: COMPRESS_BEST_OPT="--best" UNCOMPRESS_OPT="-dc"
>>> amandad: time 0.000: dgram_recv(dgram=0xcef584, timeout=0, fromaddr=0xcff570)
>>> amandad: time 0.000: (sockaddr_in *)0xcff570 = { 2, 516, 17
Re: amrecover with krb5 - amindexd problems ?
Alan Pearson wrote:
> A little update,
>
> You notice below that amandad has been told to use krb5 auth ?
>
> This from the debug log :
>
> security_handleinit(handle=0x934f660, driver=0x1cbfa0 (BSD))
> amandad: time 0.003: accept recv REQ pkt: <<<<<
> SERVICE amindexd
> OPTIONS features=feff9ffeff7f;auth=bsd;
>
> auth=bsd ??? I don't think so.
>
> This leads me to believe amandad is ignoring all server_args, which I think I confirmed by experimentation. It doesn't matter what I put in server_args, they get ignored.
>
> xinetd is not complaining about anything which leads me to believe my syntax is all fine etc...

Hi Alan,

although I cannot confirm that krb5 support is working fine in 2.5.1p2, I can assure you that server_args is working fine. I suspect that another amanda process which runs bsd is started by xinetd. I would try to put "disable = yes" to k5amanda. Restart xinetd, see if you see the same result.

--Kevin

> Any help appreciated !
>
> ---
> AlanP
>
> On 28 Feb 2007, at 16:21, Alan Pearson wrote:
>
>> Guys
>>
>> Trying to use amrecover like so :
>>
>> [EMAIL PROTECTED] amandad]# amrecover DailySet1 -d /dev/nst0 -t qtvsrv1 -s qtvsrv1
>> AMRECOVER Version 2.5.1p2. Contacting server on qtvsrv1 ...
>> NAK: amindexd: invalid service
>>
>> /etc/xinetd/k5amanda :
>>
>> service k5amanda
>> socket_type = stream
>> protocol = tcp
>> wait = no
>> user = root
>> group = backup
>> server = /usr/libexec/amandad
>> server_args = -auth=krb5 amdump amindexd amidxtaped
>> }
>>
>> Debug from amandad
>>
>> [EMAIL PROTECTED] amandad]# cat amandad.20070228162001.debug
>> amandad: debug 1 pid 15440 ruid 1083 euid 1083: start at Wed Feb 28 16:20:01 2007
>> security_getdriver(name=BSD) returns 0xcecfa0
>> amandad: version 2.5.1p2
>> amandad: build: VERSION="Amanda-2.5.1p2"
>> amandad: BUILT_DATE="Thu Feb 1 03:24:00 GMT 2007"
>> amandad: BUILT_MACH="Linux qa-apps 2.6.9-42.ELsmp #1 SMP Wed Jul 12 23:27:17 EDT 2006 i686 i686 i386 GNU/Linux"
>> amandad: CC="gcc"
>> amandad: CONFIGURE_COMMAND="'./configure' '--with-krb5-security' '--with-user=amanda' '--with-group=backup' '--with-config=DailySet1' '--sbindir=/usr/sbin' '--libexecdir=/usr/libexec' '--libdir=/usr/lib' '--with-configdir=/etc/amanda' '--with-gnutar-listdir=/var/amanda/gnutar-lists' '--mandir=/usr/share/man'"
>> amandad: paths: bindir="/usr/local/bin" sbindir="/usr/sbin"
>> amandad: libexecdir="/usr/libexec" mandir="/usr/share/man"
>> amandad: AMANDA_TMPDIR="/tmp/amanda" AMANDA_DBGDIR="/tmp/amanda"
>> amandad: CONFIG_DIR="/etc/amanda" DEV_PREFIX="/dev/"
>> amandad: RDEV_PREFIX="/dev/r" DUMP="/sbin/dump"
>> amandad: RESTORE="/sbin/restore" VDUMP=UNDEF VRESTORE=UNDEF
>> amandad: XFSDUMP=UNDEF XFSRESTORE=UNDEF VXDUMP=UNDEF VXRESTORE=UNDEF
>> amandad: SAMBA_CLIENT="/usr/bin/smbclient" GNUTAR="/bin/gtar"
>> amandad: COMPRESS_PATH="/bin/gzip" UNCOMPRESS_PATH="/bin/gzip"
>> amandad: LPRCMD="/usr/bin/lpr" MAILER="/usr/bin/Mail"
>> amandad: listed_incr_dir="/var/amanda/gnutar-lists"
>> amandad: defs: DEFAULT_SERVER="qa-apps" DEFAULT_CONFIG="DailySet1"
>> amandad: DEFAULT_TAPE_SERVER="qa-apps" HAVE_MMAP HAVE_SYSVSHM
>> amandad: LOCKING=POSIX_FCNTL SETPGRP_VOID DEBUG_CODE
>> amandad: AMANDA_DEBUG_DAYS=4 BSD_SECURITY KRB5_SECURITY RSH_SECURITY
>> amandad: USE_AMANDAHOSTS CLIENT_LOGIN="amanda" FORCE_USERID HAVE_GZIP
>> amandad: COMPRESS_SUFFIX=".gz" COMPRESS_FAST_OPT="--fast"
>> amandad: COMPRESS_BEST_OPT="--best" UNCOMPRESS_OPT="-dc"
>> amandad: time 0.000: dgram_recv(dgram=0xcef584, timeout=0, fromaddr=0xcff570)
>> amandad: time 0.000: (sockaddr_in *)0xcff570 = { 2, 516, 172.16.1.9 }
>> security_handleinit(handle=0x8e49660, driver=0xcecfa0 (BSD))
>> amandad: time 0.003: accept recv REQ pkt: <<<<<
>> SERVICE amindexd
>> OPTIONS features=feff9ffeff7f;auth=bsd;
>> >>>>>
>> amandad: time 0.003: amindexd: invalid service
>> amandad: time 0.003: sending NAK pkt: <<<<<
>> ERROR amindexd: invalid service
>> >>>>>
>> amandad: dgram_send_addr(addr=0xbfef92b0, dgram=0xcef584)
>> amandad: time 0.003: (sockaddr_in *)0xbfef92b0 = { 2, 516, 172.16.1.9 }
>> amandad: dgram_send_addr: 0xcef584->socket = 0
>> security_close(handle=0x8e49660, driver=0xcecfa0 (BSD))
>> amandad: time 29.999: pid 15440 finish time Wed Feb 28 16:20:31 2007
>>
>> Anyone any ideas ?
>>
>> Any help appreciated !
>>
>> ---
>> AlanP

--
Thank you!
Kevin Till

Amanda documentation: http://wiki.zmanda.com
Amanda forums: http://forums.zmanda.com
RE: Error trying to encrypt backups: Password must be at least 20 characters
Can you make the content of .am_passphrase to be 20 chars long? It's a requirement by aespipe on some platform, I guess.

Oscar Ricardo Silva <[EMAIL PROTECTED]> said:

> I'm pretty sure this isn't necessarily a problem with amanda but more of one with the utilities used to encrypt the backups. I'm using amanda 2.5.1p3 and attempting to encrypt the transmission and storage of backups. I've done this on a few machines, and this one is running FreeBSD 4.11 along with the following utilities:
>
> aespipe 2.3c
> gnupg 1.4.2
> tar 1.13.25
> amgtar - script
> bz2aespipe - script
> amaespipe - script
>
> Whenever I try to run the backup on this machine I see an error in sendbackup.x:
>
> sendbackup: debug 1 pid 53407 ruid 1002 euid 1002: start at Mon Feb 19 11:28:33 2007
> sendbackup: version 2.5.1p3
> Reading conf file "/usr/local/amanda25/etc/amanda/amanda-client.conf".
> Reading conf file "/usr/local/amanda25/etc/amanda/daily/amanda-client.conf".
> sendbackup: debug 1 pid 53407 ruid 1002 euid 1002: rename at Mon Feb 19 11:28:33 2007
> sendbackup req:
> parsed request as: program `GNUTAR'
>                    disk `/var'
>                    device `/var'
>                    level 0
>                    since 1970:1:1:0:0:0
>                    options `|;auth=ssh;index;'
> sendbackup: start: backup.client.utexas.edu:/var lev 0
> sendbackup-gnutar: time 0.052: doing level 0 dump as listed-incremental to '/usr/local/amanda25/gnutar-lists/backup.client.utexas.edu_var_0.new'
> sendbackup-gnutar: time 0.053: doing level 0 dump from date: 1970-01-01 0:00:00 GMT
> sendbackup: time 0.054: spawning /usr/local/amanda25/libexec/runtar in pipeline
> sendbackup: argument list: runtar daily gtar --create --file - --directory /var --one-file-system --listed-incremental /usr/local/amanda25/gnutar-lists/backup.client.utexas.edu_var_0.new --sparse --ignore-failed-read --totals .
> sendbackup-gnutar: time 0.055: /usr/local/amanda25/libexec/runtar: pid 53410
> sendbackup: time 0.055: started backup
> sendbackup: time 0.130: started index creator: "/usr/local/bin/amgtar -tf - 2>/dev/null | sed -e 's/^\.//'"
> sendbackup: time 1.583: 118: strange(?): Error: Password must be at least 20 characters.
>
> and sendsize exits without error.
>
> I haven't seen this "Password must be ..." error on any of the other systems where I'm using this setup. In the amanda users home directory I've created:
>
> .am_passphrase
> .gnupg/am_key.gpg
>
> both with permissions of 0600 and the contents of amanda-client.conf are:
>
> auth "ssh"
> ssh_keys "/.ssh/id_rsa_amrecover"
>
> Any information would be extremely appreciated.
>
> Oscar
Re: SSH problems
Hi,

could it be the estimate is taking longer than the etimeout value? Try to increase etimeout in amanda.conf.

Hope this helps!

Stephen Carville wrote:
> I am trying to get ssh authentication working on the amanda server to itself. Amcheck -lc gives me a clean bill of health but the backups still fail. The older 2.4.5 clients using BSD security still work fine but the SSH eludes me.
>
> On the backup called "daily1" all directories return:
>
> lev 0 FAILED [hmm, disk was stranded on waitq]
>
> Is it because there are too many directories? (132) Is there a limit to how many amanda can handle?
>
> On the backup name "flood" using BSD the errors are even more weird:
>
> amazon /NFS/tigris_backup/FLOOD/channel6 lev 0 FAILED [dumps too big, 5 KB, but cannot incremental dump new disk]
> amazon /NFS/tigris_backup/FLOOD/control lev 0 FAILED [dumps too big, 167010 KB, but cannot incremental dump new disk]
> amazon /NFS/tigris_backup/FLOOD/channel4 lev 0 FAILED [dumps too big, 1844050 KB, but cannot incremental dump new disk]
> amazon /NFS/tigris_backup/FLOOD/channel5 lev 0 FAILED [dumps too big, 4590435 KB, but cannot incremental dump new disk]
> amazon /NFS/euphrates_backup/GIS/logarch lev 0 FAILED [dumps too big, 7943595 KB, but cannot incremental dump new disk]
> amazon /NFS/tigris_backup/FLOOD/logarch lev 0 FAILED [dumps too big, 8175800 KB, but cannot incremental dump new disk]
>
> ??? 5 KB is too big?!?! I double checked and my disktype is still set as:
>
> define tapetype AIT2 {
>     comment "AIT-2 with 230m tapes"
>     length 43778 mbytes
>     filemark 3120 kbytes
>     speed 5371 kps
> }
>
> That error makes no sense to me at all.
>
> $ amadmin daily version
> build: VERSION="Amanda-2.5.1p2"
>        BUILT_DATE="Wed Jan 31 16:44:06 PST 2007"
>        BUILT_MACH="Linux amazon.totalflood.com 2.6.11-1.35_FC3smp #1 SMP Mon Jun 13 01:17:35 EDT 2005 i686 i686 i386 GNU/Linux"
>        CC="gcc"
>        CONFIGURE_COMMAND="'./configure' '--with-user=amanda' '--with-group=adm' '--with-ssh-security' '--with-gnutar=/usr/local/bin/tar'"
> paths: bindir="/usr/local/bin" sbindir="/usr/local/sbin"
>        libexecdir="/usr/local/libexec" mandir="/usr/local/man"
>        AMANDA_TMPDIR="/tmp/amanda" AMANDA_DBGDIR="/tmp/amanda"
>        CONFIG_DIR="/usr/local/etc/amanda" DEV_PREFIX="/dev/"
>        RDEV_PREFIX="/dev/" DUMP="/sbin/dump"
>        RESTORE="/sbin/restore" VDUMP=UNDEF VRESTORE=UNDEF
>        XFSDUMP=UNDEF XFSRESTORE=UNDEF VXDUMP=UNDEF VXRESTORE=UNDEF
>        SAMBA_CLIENT="/usr/bin/smbclient"
>        GNUTAR="/usr/local/bin/tar" COMPRESS_PATH="/bin/gzip"
>        UNCOMPRESS_PATH="/bin/gzip" LPRCMD="/usr/bin/lpr"
>        MAILER="/usr/bin/Mail"
>        listed_incr_dir="/usr/local/var/amanda/gnutar-lists"
> defs:  DEFAULT_SERVER="amazon.totalflood.com"
>        DEFAULT_CONFIG="DailySet1"
>        DEFAULT_TAPE_SERVER="amazon.totalflood.com" HAVE_MMAP
>        HAVE_SYSVSHM LOCKING=POSIX_FCNTL SETPGRP_VOID DEBUG_CODE
>        AMANDA_DEBUG_DAYS=4 BSD_SECURITY RSH_SECURITY USE_AMANDAHOSTS
>        CLIENT_LOGIN="amanda" FORCE_USERID HAVE_GZIP
>        COMPRESS_SUFFIX=".gz" COMPRESS_FAST_OPT="--fast"
>        COMPRESS_BEST_OPT="--best" UNCOMPRESS_OPT="-dc"
>
> For the time being, I've dropped back to 2.4.5p2 which cannot handle the number of directories in daily1 but will still backup most of the systems. I guess some backup is better than no backup :-)

--
Thank you!
Kevin Till

Amanda documentation: http://wiki.zmanda.com
Amanda forums: http://forums.zmanda.com
Re: amrecover problem
Eric Doutreleau wrote:
> Kevin Till wrote:
>> Axel Seguin wrote:
>>> Obviously the client tries to contact the server on port 10080, shouldn't it try to reach the server on port 10082? How can I change that?
>>>
>>> In ~/.amandahosts on the client I have : amdump
>>>
>>> Any help would be greatly appreciated.
>>
>> Hi,
>>
>> there is an update on Amanda 2.5.1. To enable different auth mechanism, amandad needs to run on the server. And it will start amindexd and amidxtaped accordingly.
>>
>> Please see http://wiki.zmanda.com/index.php/Configuring_bsd/bsdudp/bsdtcp_authentication
>
> well i have seen that but i have a lot of old amanda configuration and i would like to use "amoldrecover".

amoldrecover will try to connect to port 10082 on the server. This particular server must run amindexd and amidxtaped in the Amanda 2.5.0 format.

See: http://wiki.zmanda.com/index.php/Quick_start#Configuring_xinetd_on_server

Hope this helps.

--
Thank you!
Kevin Till

Amanda documentation: http://wiki.zmanda.com
Amanda forums: http://forums.zmanda.com
Re: amrecover problem
Axel Seguin wrote:
> Obviously the client tries to contact the server on port 10080, shouldn't it try to reach the server on port 10082? How can I change that?
>
> In ~/.amandahosts on the client I have : amdump
>
> Any help would be greatly appreciated.

Hi,

there is an update on Amanda 2.5.1. To enable different auth mechanism, amandad needs to run on the server. And it will start amindexd and amidxtaped accordingly.

Please see http://wiki.zmanda.com/index.php/Configuring_bsd/bsdudp/bsdtcp_authentication

--
Thank you!
Kevin Till

Amanda documentation: http://wiki.zmanda.com
Amanda forums: http://forums.zmanda.com
Re: Sendsize Timeout Errors
John E Hein wrote:
> This has been working for me for the past 4+ years. But if I ever start hitting the ~64 KiB udp per socket limit, something else will have to be tried (as described in the above message).

As of Amanda 2.5.1, we have added bsdtcp auth which uses tcp exclusively. As a result, UDP packet size limitation is eliminated.

Reference: http://wiki.zmanda.com/index.php/Configuring_bsd/bsdudp/bsdtcp_authentication

--
Thank you!
Kevin Till

Amanda documentation: http://wiki.zmanda.com
Amanda forums: http://forums.zmanda.com
Re: "not allowed to execute service amindexd"
Deb Baddorf wrote: Amanda help gurus: My backup server NODEX is the only node (so far) to run at 2.5.1p1. So other client nodes aren't having this problem, but NODEX acting as a client (and also the server) has this complaint: NODEX> amrecover daily AMRECOVER Version 2.5.1p1. Contacting server on NODEX ... NAK: user root from NODEX is not allowed to execute the service amindexd: Please add "amindexd amidxtaped" to the line in /home/operator/.amandahosts So, okay, I changed the .amandahosts line from OLD: NODEX root to NEW: NODEX root amindexd amidxtaped Now the error message changes, but I still can't run amrecover: NODEX> amrecover daily AMRECOVER Version 2.5.1p1. Contacting server on NODEX ... NAK: amindexd: invalid service Hi, xinetd/inetd format has changed in 2.5.1. Please see: http://wiki.zmanda.com/index.php/Configuring_bsd/bsdudp/bsdtcp_authentication -- Thank you! Kevin Till Amanda documentation: http://wiki.zmanda.com Amanda forums:http://forums.zmanda.com
Re: Upgrade failure?
Gardiner Leverett wrote: Something that might help, I found this in the sendbackup file (I wrapped it around with line breaks): [snip] sendbackup: time 1626.684: 87: normal(|): DUMP: dumping (Pass IV) [regular files] sendbackup: time 3426.909: 112: strange(?): sed: couldn't write 43 items to stdout: Broken pipe sendbackup: time 4964.241: index tee cannot write [Broken pipe] sendbackup: time 4964.265: pid 2566 finish time Mon Dec 4 11:17:16 2006 sendbackup: time 4964.284: 112: strange(?): sendbackup: index tee cannot write [Broken pipe] sendbackup: time 4964.451: 87: normal(|): DUMP: Broken pipe sendbackup: time 4964.472: 87: normal(|): DUMP: The ENTIRE dump is aborted. sendbackup: time 4964.476: error [/sbin/dump returned 3] sendbackup: time 4964.476: pid 2564 finish time Mon Dec 4 11:17:16 2006 Hi, how is /mnt/usbdrive mounted? Amanda automatically runs the native filesystem dump program. It will run xfsdump for XFS filesystems, vxdump for Veritas filesystems, vdump for AdvFS (Tru64), dump for other filesystems. I suspect dump cannot handle /mnt/usbdrive. Consider using gnutar instead. See http://wiki.zmanda.com/index.php/Backup_client#Backup_programs -- Thank you! Kevin Till Amanda documentation: http://wiki.zmanda.com Amanda forums:http://forums.zmanda.com
Re: Infinite loop - still looping...
is /etc directory permission similar to the following: drwxr-xr-x 85 root root 12288 Oct 17 12:13 /etc Please list the content of /etc/xinetd.d/amanda* file? Need to make sure the service is started by amandabackup --Kevin Brad Willson wrote: Amanda Tape Server Host Check - Holding disk /data/amanda: 185 GB disk space available, that's plenty slot 1: read label `B001', date `X' NOTE: skipping tape-writable test Tape B001 label ok NOTE: host info dir /etc/amanda/DailySet1/curinfo/hostname0 does not exist NOTE: it will be created on the next run. NOTE: index dir /etc/amanda/DailySet1/index/hostname0 does not exist NOTE: it will be created on the next run. NOTE: host info dir /etc/amanda/DailySet1/curinfo/hostname1 does not exist NOTE: it will be created on the next run. NOTE: index dir /etc/amanda/DailySet1/index/hostname1 does not exist NOTE: it will be created on the next run. NOTE: host info dir /etc/amanda/DailySet1/curinfo/hostname2 does not exist NOTE: it will be created on the next run. NOTE: index dir /etc/amanda/DailySet1/index/hostname2 does not exist NOTE: it will be created on the next run. Server check took 17.575 seconds Amanda Backup Client Hosts Check ERROR: hostname1: [can not read/write /etc/amandates: Permission denied] ERROR: hostname0: [can not read/write /etc/amandates: Permission denied] WARNING: hostname2: selfcheck request failed: timeout waiting for ACK Client check: 12 hosts checked in 29.827 seconds, 3 problems found (brought to you by Amanda 2.5.1) I've checked permissions, xinetd configs, firewall, and SELinux settings; all appear to be correct. -- Thank you! Kevin Till Amanda documentation: http://wiki.zmanda.com Amanda forums:http://forums.zmanda.com
Re: still no backups due to permissions problem in 2.5.1
Steve Newcomb wrote: Dear Amanda maintainers... As already noted, my ssh problems are all solved, BUT... I still have no backups at all, since upgrading to 2.5.1. The server creates the directory on the holdingdisk (that directory has a timestamp as its name), and then Amanda complains that it can't write anything on it. Then it deletes that (still empty) directory. While it lasts, that empty directory is owned by root. Its permissions are drwx--. If it were owned by amanda (my Amanda user is "amanda"), I suspect I wouldn't be having these problems. Or if the permissions included group write/search permissions. The same kind of problem applies to my tapelist file. Amanda changes its permissions, and then it can't read it during the next run. which prevents any tapers from doing any useful work. Does anyone have any ideas about why this is happening? Is my amanda.conf file THAT weird? I'm attaching it herewith. Hi Steve, we haven't seen this problem before and I can't see how this could be possible by looking at the Amanda code. what operating system is the Amanda server running on? How do you start amdump? In /tmp/amanda/server/$config directory, could you list the driver.*.debug file. It lists the ruid and euid of the user running the driver process. Lastly, do "cd /; ls -lR /nobackup/AMANDASPOOL" -- Thank you! Kevin Till Amanda documentation: http://wiki.zmanda.com Amanda forums:http://forums.zmanda.com
Re: amanda over ssh
Amanda Backup Client Hosts Check Host key verification failed. WARNING: dimanche.coolheads.com: selfcheck request failed: EOF on read from dimanche.coolheads.com Client check: 1 host checked in 0.137 seconds, 1 problem found Is dimanche.coolheads.com (the fqdn version) in the server's .ssh/known_hosts file? If not, add it and see if it helps. -- Thank you! Kevin Till Amanda documentation: http://wiki.zmanda.com Amanda forums:http://forums.zmanda.com
Re: amrecover question
McGraw, Robert P. wrote: I have upgraded to amanda 2.5.1. I need to restore a file and when I run amrecover I get the following AMRECOVER Version 2.5.1. Contacting server on zorn ... NAK: user root from zorn.math.purdue.edu is not allowed to execute the service amindexd: Please add "amindexd amidxtaped" to the line in /local/Amanda/amanda/.amandahosts I did not get this under 2.4.5p1. Is this a new check under 2.5.1? In Amanda 2.5.1, amrecover uses Security API. Changes to xinetd configuration and .amandahosts files are required. Please see the following wiki page for detail: http://wiki.zmanda.com/index.php/Configuring_bsd/bsdudp/bsdtcp_authentication -- Thank you! Kevin Till Amanda documentation: http://wiki.zmanda.com Amanda forums:http://forums.zmanda.com
RE: amrecover fails in rel 2.5.1 with NAK: amindexd: invalid service
David Trusty <[EMAIL PROTECTED]> said: > I just installed release 2.5.1 on a SUSE 10.1 machine. I was able > to do a backup fine, but when I try to run amrecover, I get this error: > > # amrecover Monthly > AMRECOVER Version 2.5.1. Contacting server on localhost ... > NAK: amindexd: invalid service > > The amcheck command shows no errors. > > Any ideas? In Amanda 2.5.1, amrecover uses Security API. Changes to xinetd configuration is required. Please see the following wiki page for detail: http://wiki.zmanda.com/index.php/Configuring_bsd/bsdudp/bsdtcp_authentication
Re: amanda over ssh
Steve, In the Amanda client .ssh/authorized_keys file, try to use ip address instead of fqdn name in the from field, e.g: from="192.26.10.10",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,command="/usr/lib/amanda/amandad -auth=ssh amdump" ssh-rsa key please list the complete output of "amcheck $config". Kevin Till Steve Newcomb wrote: In answer to my request for suggestions as to why Amanda 2.5.1 doesn't seem to work with auth=ssh on our network, Jean-Louis Martineau <[EMAIL PROTECTED]> writes: Anything about ssh in your system log? Nothing in /var/log/syslog of the client. However, in /var/log/auth.log, the following is the typical result of an amcheck of that client (manche): Sep 20 11:26:16 manche sshd[9614]: Accepted publickey for amanda from 192.168.1.2 port 40157 ssh2 Sep 20 11:26:16 manche sshd[9616]: (pam_unix) session opened for user amanda by (uid=0) Sep 20 11:26:25 manche sshd[9616]: (pam_unix) session closed for user amanda ...and that's all. (I don't know why the above says uid=0. Everywhere on our network, including on host "manche", user "amanda" is uid 1003.) Could you ssh from the server to the client without amanda? Yes. No data comes back, which I suppose is normal, given that the login is locked to amandad on the client, as the instructions suggest. Anyway, the login evidently succeeds. Did it create /tmp/amanda/amanda/amandad.*.debug files? 
Yes, here's a typical one: amandad: debug 1 pid 30936 ruid 1003 euid 1003: start at Tue Sep 19 17:15:50 2006 security_getdriver(name=ssh) returns 0xa7f7c260 amandad: version 2.5.1 amandad: build: VERSION="Amanda-2.5.1" amandad:BUILT_DATE="Tue Sep 19 16:43:08 EDT 2006" amandad:BUILT_MACH="Linux manche 2.6.16-2-686 #1 Fri Aug 18 19:01:49 UTC 2006 i686 GNU/Linux" amandad:CC="gcc" amandad:CONFIGURE_COMMAND="'./configure' '--prefix=/usr/amanda' '--sysconfdir=/etc' '--localstatedir=/var/amanda' '--with-user=amanda' '--with-group=disk' '--with-config=coolheads' '--with-ssh-security' '--with-buffered-dump' '--without-server'" amandad: paths: bindir="/usr/amanda/bin" sbindir="/usr/amanda/sbin" amandad:libexecdir="/usr/amanda/libexec" mandir="/usr/amanda/man" amandad:AMANDA_TMPDIR="/tmp/amanda" AMANDA_DBGDIR="/tmp/amanda" amandad:CONFIG_DIR="/etc/amanda" DEV_PREFIX="/dev/" amandad:RDEV_PREFIX="/dev/" DUMP=UNDEF RESTORE=UNDEF VDUMP=UNDEF amandad:VRESTORE=UNDEF XFSDUMP=UNDEF XFSRESTORE=UNDEF VXDUMP=UNDEF amandad:VXRESTORE=UNDEF SAMBA_CLIENT="/usr/bin/smbclient" amandad:GNUTAR="/bin/tar" COMPRESS_PATH="/bin/gzip" amandad:UNCOMPRESS_PATH="/bin/gzip" LPRCMD="/usr/bin/lpr" amandad:MAILER="/usr/bin/Mail" amandad:listed_incr_dir="/var/amanda/amanda/gnutar-lists" amandad: defs: DEFAULT_SERVER="manche" DEFAULT_CONFIG="coolheads" amandad:DEFAULT_TAPE_SERVER="manche" HAVE_MMAP HAVE_SYSVSHM amandad:LOCKING=POSIX_FCNTL SETPGRP_VOID DEBUG_CODE amandad:AMANDA_DEBUG_DAYS=4 BSD_SECURITY RSH_SECURITY USE_AMANDAHOSTS amandad:CLIENT_LOGIN="amanda" FORCE_USERID HAVE_GZIP amandad:COMPRESS_SUFFIX=".gz" COMPRESS_FAST_OPT="--fast" amandad:COMPRESS_BEST_OPT="--best" UNCOMPRESS_OPT="-dc" ...and that's all it says. I tried compiling it for the client both with and without buffered dump. Also, with and without server. Same result in all cases. Thanks for the use of your brain, Jean-Louis! -- Steve Steven R. 
Newcomb, Consultant Coolheads Consulting Co-editor, Topic Maps International Standard (ISO/IEC 13250) Co-editor, draft Topic Maps -- Reference Model (ISO/IEC 13250-5) [EMAIL PROTECTED] http://www.coolheads.com direct: +1 540 951 9773 main: +1 540 951 9774 fax:+1 540 951 9775 208 Highview Drive Blacksburg, Virginia 24060 USA (Confidential to all US government personnel to whom this private letter is not addressed and who are reading it in the absence of a specific search warrant: You are violating the law and you are co-conspiring to subvert the Constitution that you are sworn to defend. You can either refuse to commit this crime, or you can expect to suffer criminal sanctions in the future, when the current administration of the United States of America has been replaced by one that respects the rule of law. I do not envy you for having to make this difficult choice, but I urge you to make it wisely.) -- Thank you! Kevin Till Amanda documentation: http://wiki.zmanda.com Amanda forums:http://forums.zmanda.com
Re: amanda over ssh
Hi, see if the following wiki page helps: http://wiki.zmanda.com/index.php/Configuring_SSH_authentication Steve Newcomb wrote: We've been using Amanda continuously since 1999. Amanda has minimized our backup effort and headaches and it has saved us from serious data losses on several occasions. Brava! I was delighted to see that 2.5.1 now supports ssh, and if I could just get it to work, it would be a godsend to us. I have done everything that docs/howto-auth.txt specifies for the use of SSH. Unfortunately, the best result I can get from amcheck is: Amanda Backup Client Hosts Check WARNING: manche.coolheads.com: selfcheck request failed: EOF on read from manche.coolheads.com Client check: 1 host checked in 0.299 seconds, 1 problem found (brought to you by Amanda 2.5.1) So I think I'm connecting to the client OK, because it responds promptly. And, if I delete the auth "ssh" line from my dumptype, the response, after a 30-second delay, is: Amanda Backup Client Hosts Check WARNING: manche.coolheads.com: selfcheck request failed: timeout waiting for ACK Client check: 1 host checked in 30.010 seconds, 1 problem found (brought to you by Amanda 2.5.1) So I think the ssh is probably working OK. When using amdump, the dumps and reports from clients to servers are supposed to go through the same ssh connection that the server establishes to the client, right? If not, how is it supposed to work? The reason I need to use ssh is that it's the ONLY way I can get to one of the machines. (The way I have been backing it up is with a lot of attention and effort, using tar. Yuck.) Client and server are both running Linux 2.6.16-2-686. I configured/compiled Amanda on both the server and the client with the following options: ./configure --prefix=/usr/amanda --sysconfdir=/etc --localstatedir=/var/amanda --with-user=amanda --with-group=disk --with-ssh-security Anybody have a clue? Anything I should try? -- Steve Steven R. 
Newcomb, Consultant Coolheads Consulting Co-editor, Topic Maps International Standard (ISO/IEC 13250) Co-editor, draft Topic Maps -- Reference Model (ISO/IEC 13250-5) [EMAIL PROTECTED] http://www.coolheads.com direct: +1 540 951 9773 main: +1 540 951 9774 fax:+1 540 951 9775 208 Highview Drive Blacksburg, Virginia 24060 USA (Confidential to all US government personnel to whom this private letter is not addressed and who are reading it in the absence of a specific search warrant: You are violating the law and you are co-conspiring to subvert the Constitution that you are sworn to defend. You can either refuse to commit this crime, or you can expect to suffer criminal sanctions in the future, when the current administration of the United States of America has been replaced by one that respects the rule of law. I do not envy you for having to make this difficult choice, but I urge you to make it wisely.) -- Thank you! Kevin Till Amanda documentation: http://wiki.zmanda.com Amanda forums:http://forums.zmanda.com
Re: Failed with strange errors
Nick Brockner wrote: Hi All, I am new to amanda, and I have just set up a backup scheme and am trying to test (using 2.5.1). When I have only one of my remote hosts in the disklist, the backup will run fine. When I add the other remote host as well as the localhost (also a web server), I am seeing the errors below. Can anyone help me out? Hi, run "amcheck config_name" first, it will report any failure and suggestion for correction. -Kevin Till Looking through amdump doesn't really help me any, as it says basically the same thing. I am lost. In email results (obscured hostnames for security): FAILURE AND STRANGE DUMP SUMMARY: /boot lev 0 FAILED [cannot read header: got 0 instead of 32768] /boot lev 0 FAILED [cannot read header: got 0 instead of 32768] /boot lev 0 FAILED [too many dumper retry: "[request failed: timeout waiting for ACK]"] / lev 0 FAILED [cannot read header: got 0 instead of 32768] / lev 0 FAILED [too many dumper retry: "[request failed: timeout waiting for ACK]"] / lev 0 FAILED [cannot read header: got 0 instead of 32768] /faculty lev 0 FAILED [cannot read header: got 0 instead of 32768] /faculty lev 0 FAILED [cannot read header: got 0 instead of 32768] /faculty lev 0 FAILED [too many dumper retry: "[request failed: timeout waiting for ACK]"] /usr lev 0 FAILED [cannot read header: got 0 instead of 32768] /tmp lev 0 FAILED [cannot read header: got 0 instead of 32768] /tmp lev 0 FAILED [too many dumper retry: "[request failed: timeout waiting for ACK]"] /tmp lev 0 FAILED [cannot read header: got 0 instead of 32768] / lev 0 STRANGE /usr lev 0 was successfully retried Thanks in advance, Nick Brockner Systems Administrator Hamilton College -- Thank you! Kevin Till Amanda documentation: http://wiki.zmanda.com Amanda forums:http://forums.zmanda.com
Re: Port NNNN not secure (revisited)
Mike Allen wrote: Kevin Till wrote: Mike Allen wrote: Kevin Till wrote: Mike Allen wrote: try configure with "--with-tcpportrange=5,50100 --with-udpportrange=512,1023 ..." and recompile. Open the corresponding ports in the firewall setup. The reason udp port 34932 was tried because Amanda cannot find a reserved udp port that it can use. The following occurred while compiling with the values you suggested: Hi, add "-with-tcpportrange=5,50100 --with-udpportrange=512,1023" to whatever you have in your configure line. For example: ./configure --with-user=amandabackup --with-group=disk -with-tcpportrange=5,50100 --with-udpportrange=512,1023 Run configure again and make install. After configuring both the tape server and the client with the suggested portranges above I got the following: 14:46:02.501703 IP famrad.familyradio.org.47737 > familyserv.familyradio.org.amanda: UDP, length: 123 14:46:02.543577 IP familyserv.familyradio.org.amanda > famrad.familyradio.org.47737: UDP, length: 50 14:46:02.544603 IP familyserv.familyradio.org.amanda > famrad.familyradio.org.47737: UDP, length: 109 14:46:02.549035 IP famrad.familyradio.org.47737 > familyserv.familyradio.org.amanda: UDP, length: 50 Notice the reference to port 47737 which is outside the range(s) specified. I have a feeling I am doing something really stupid! Any help will be greatly appreciated. Is there a firewall in between? If it's iptables, you can tell by running "iptables -L". The page below could be helpful too. http://wiki.zmanda.com/index.php/Configuration_with_iptables Mike Kevin: A properly configured Juniper-Networks firewall made no difference. I have noticed something else that might have a bearing. The version of Amanda-server software is 2.5.0p2 and the client software is 2.4.5p1. (the latest FreeBSD ports versions). Could this be the reason for this problem? Possible, it all depends on how the FreeBSD Amanda client is configured.
On the client, do: #amadmin config version |grep CONFIGURE_COMMAND it will tell if the Amanda Client is configured with --with-tcpportrange --with-udpportrange or not. Hope this helps! -- Thank you! Kevin Till Amanda documentation: http://wiki.zmanda.com Amanda forums:http://forums.zmanda.com
Re: Need help restoring: -p doesn't seem to work
Sean Noonan wrote: freebee# amrestore -p /dev/nsa0 freebee aacd0s1f | gzip -d | restore - ivf - Verify tape and initialize maps amrestore: missing file header block amrestore: 2: skipping freebee.aacd0s1e.20060721.0 amrestore: 10: reached end of information gzip: stdin: unexpected end of file End-of-tape encountered Tape is not a dump tape freebee# - What did amverify said about that tape? Amverify ran without errors. Specifically: freebee# su -m operator -c 'amverify Get1Free' No tape changer... Tape device is /dev/nsa0... Verify summary to [EMAIL PROTECTED] Defects file is /tmp/amanda/amverify.37453/defects amverify Get1Free Wed Jul 26 08:11:49 PDT 2006 Using device /dev/nsa0 Waiting for device to go ready... Rewinding... Processing label... Volume Get1FreeDailyLTO2-17, Date 20060721 Rewinding... Checked freebee.aacd0s1e.20060721.0 Checked freebee.aacd0s1a.20060721.0 Checked freebee.aacd0s1f.20060721.0 Checked freebee.aacd0s1g.20060721.0 End-of-Information detected. Rewinding... freebee# - Are you sure you have a backup for aacd0s1f on that tape? Yes. At least the above amverify output indicates so. Also, remember that I can (if I had the disk space) do a amrestore if I don't try to use "-p" and do an interactive session. So yes, aacd0s1f is on that tape. And it's a level 0 dump. - Can you restore to a disk and then see what type of file you get from the restore? That would allow you to make faster test with gunzip, restore or whatever without reading the tape again and again. I'm sorry but I'm not sure what you mean by this--I'm not the sharpest knife in the drawer. I don't have the disk space to restore the entire file, otherwise I wouldn't need to pipe the output of amrestore and I wouldn't have a problem in the first place. However, your idea has me thinking about trying to use mount_smbfs to a NAS device. Maybe that'll work and give me the temporary necessary disk space I need to restore. have you tried using amrecover? 
If "index" is on in the dumptype during amdump, the amanda index server will give the listing of the files in aacd0s1f and you can choose what files to extract. I have also tested "amrestore -p", it's working fine for me. -- Thank you! Kevin Till Amanda documentation: http://wiki.zmanda.com Amanda forums:http://forums.zmanda.com
Re: Fwd: The Coyote Den AMANDA MAIL REPORT FOR July 24, 2006
888.6 USAGE BY TAPE: Label Time Size %NbNc Dailys-19 0:00 1102M 13.0 2 0 NOTES: planner: Incremental of coyote:/root bumped to level 3. planner: Incremental of coyote:/amanda bumped to level 4. planner: Incremental of gene:/home bumped to level 2. taper: tape Dailys-19 kb 1128608 fm 2 [OK] big estimate: coyote /var 2 est: 17Mout 10M DUMP SUMMARY: DUMPER STATS TAPER STATS HOSTNAME DISK L ORIG-MB OUT-MB COMP% MMM:SSKB/s MMM:SSKB/s --- - - coyote /amanda 0 FAILED coyote /bin 1 FAILED coyote /boot 1 FAILED coyote /dev 1 FAILED coyote /dos 0 FAILED coyote /etc 1 FAILED coyote /home 0 FAILED coyote /lib 1 FAILED coyote /opt 1 FAILED coyote /root 0 FAILED coyote /sbin 1 FAILED coyote /tmp 1 FAILED coyote /usr/X11R6 1 FAILED coyote /usr/bin 1 FAILED coyote /usr/dlds-misc 1 FAILED coyote /usr/dlds-rpms1 FAILED coyote /usr/dlds-tgzs 1 FAILED coyote /usr/games1 FAILED coyote /usr/i386-glibc21-linux 1 FAILED coyote /usr/include 1 FAILED coyote /usr/kerberos 1 FAILED coyote /usr/lib 1 FAILED coyote /usr/libexec 1 FAILED coyote /usr/local 1 FAILED coyote /usr/man 1 FAILED coyote /usr/movies 1 FAILED coyote /usr/music1 FAILED coyote /usr/pix 1 FAILED coyote /usr/sbin 1 FAILED coyote /usr/share 2 FAILED coyote /usr/src 1 FAILED coyote /var 2 68 10 14.1 0:2 488.1 0:0 25826.2 gene /bin 1 FAILED gene/boot 1 FAILED gene /etc 1 FAILED gene/home 2 FAILED gene /lib 1 FAILED gene/opt 1 FAILED gene /root 1 FAILED gene/sbin 1 FAILED gene /usr/bin 1 FAILED ---- gene/usr/local 1 FAILED gene /usr/src 0 3608 1093 30.3 90:4 205.4 0:2 38143.9 gene/var 1 FAILED (brought to you by Amanda version 2.5.1b1-20060723) --- -- Thank you! Kevin Till Amanda documentation: http://wiki.zmanda.com Amanda forums:http://forums.zmanda.com
Re: Restoring from tape when Amanda server failed
gil naveh wrote: Thanks but I tried to strip the header as well and it gave me the same error message! If it's compressed, it needs to be uncompressed first. Do something like: dd if=/dev/tape bs=32k skip=1 |gzip -dc | ufsrestore if - */Matt Hyclak <[EMAIL PROTECTED]>/* wrote: On Wed, Jul 19, 2006 at 02:07:42PM -0700, gil naveh enlightened us: > Thanks for all the help, but I have a problem to restore the files. > When I type: > root@ # dd if=/dev/rmt/0n ibs=64k | ufsrestore if - > I receive the following error message: > read: Invalid argument > 0+0 records in > 0+0 records out > Volume is not in dump format > > But as far as I know it should be in a dump format!!! – because in the > Amanda.conf I defined the backup as: > You forgot to strip off the amanda header at the beginning of the file. Usually this is dd if=/dev/tape bs=32k skip=1 -- Matt Hyclak Department of Mathematics Department of Social Work Ohio University (740) 593-1263 -- Thank you! Kevin Till Amanda documentation: http://wiki.zmanda.com Amanda forums:http://forums.zmanda.com
Re: Solaris 8 inetd killing amandad
Chris Cameron wrote: Have 2 working Solaris machines being backed up by Amanda. Trying to add a 3rd, I just copy the amanda directory from one client to the new client, same way I installed the other one. Made an Amanda user, group other, add amanda entries to services, and entry to inetd.conf When I run amcheck I see this in my messages log on the new server: Jul 18 16:00:12 app01 inetd[169]: [ID 858011 daemon.warning] /opt/amanda/libexec/amandad: Killed Jul 18 16:00:50 app01 last message repeated 38 times Jul 18 16:00:51 app01 inetd[169]: [ID 667328 daemon.error] amanda/udp server failing (looping), service terminated ldd on amandad doesn't show any missing libraries. I've recompiled Amanda on the new machine, same problem. Tried different users, same problem. Anybody know what I've done here? what is the amanda entry in /etc/inet/inetd.conf? Try "truss /opt/amanda/libexec/amandad" and see if there is anything obviously wrong. -- Thank you! Kevin Till Amanda documentation: http://wiki.zmanda.com Amanda forums:http://forums.zmanda.com
Re: Port NNNN not secure (revisited)
Mike Allen wrote: Kevin Till wrote: Mike Allen wrote: try configure with "--with-tcpportrange=5,50100 --with-udpportrange=512,1023 ..." and recompile. Open the corresponding ports in the firewall setup. The reason udp port 34932 was tried because Amanda cannot find a reserved udp port that it can use. The following occurred while compiling with the values you suggested: Hi, add "-with-tcpportrange=5,50100 --with-udpportrange=512,1023" to whatever you have in your configure line. For example: ./configure --with-user=amandabackup --with-group=disk -with-tcpportrange=5,50100 --with-udpportrange=512,1023 Run configure again and make install. After configuring both the tape server and the client with the suggested portranges above I got the following: 14:46:02.501703 IP famrad.familyradio.org.47737 > familyserv.familyradio.org.amanda: UDP, length: 123 14:46:02.543577 IP familyserv.familyradio.org.amanda > famrad.familyradio.org.47737: UDP, length: 50 14:46:02.544603 IP familyserv.familyradio.org.amanda > famrad.familyradio.org.47737: UDP, length: 109 14:46:02.549035 IP famrad.familyradio.org.47737 > familyserv.familyradio.org.amanda: UDP, length: 50 Notice the reference to port 47737 which is outside the range(s) specified. I have a feeling I am doing something really stupid! Any help will be greatly appreciated. Is there a firewall in between? If it's iptables, you can tell by running "iptables -L". The page below could be helpful too. http://wiki.zmanda.com/index.php/Configuration_with_iptables Mike -- Thank you! Kevin Till Amanda documentation: http://wiki.zmanda.com Amanda forums:http://forums.zmanda.com
Re: Port NNNN not secure (revisited)
Mike Allen wrote: try configure with "--with-tcpportrange=5,50100 --with-udpportrange=512,1023 ..." and recompile. Open the corresponding ports in the firewall setup. The reason udp port 34932 was tried because Amanda cannot find a reserved udp port that it can use. The following occurred while compiling with the values you suggested: Hi, add "-with-tcpportrange=5,50100 --with-udpportrange=512,1023" to whatever you have in your configure line. For example: ./configure --with-user=amandabackup --with-group=disk -with-tcpportrange=5,50100 --with-udpportrange=512,1023 Run configure again and make install. make install-data-hook chown operator /usr/local/man/man8/amanda.8 chgrp operator /usr/local/man/man8/amanda.8 chown operator /usr/local/man/man8/amanda.conf.5 chown: /usr/local/man/man8/amanda.conf.5: No such file or directory *** Error code 1 Stop in /usr/ports/misc/amanda-client/work/amanda-2.4.5p1/man. *** Error code 1 Stop in /usr/ports/misc/amanda-client/work/amanda-2.4.5p1/man. *** Error code 1 Stop in /usr/ports/misc/amanda-client/work/amanda-2.4.5p1/man. *** Error code 1 Stop in /usr/ports/misc/amanda-client/work/amanda-2.4.5p1. Why is it looking in /usr/local/man/man8 for a man5 manual page? I have seen this before. Mike -- Thank you! Kevin Till Amanda documentation: http://wiki.zmanda.com Amanda forums:http://forums.zmanda.com
Re: Port NNNN not secure (revisited)
Mike Allen wrote: After some helpful email from Frank Smith off-list I have decided to try a different approach to solve my problem: Here is an excerpt from my tape-server /etc/services file. amanda 20080/udp #Dump server control amandaidx 20082/tcp #Amanda indexing amidxtape 20083/tcp #Amanda tape indexing Note that I am not using the standard ports for amanda et al. A tcpdump from the client end of the communication between host 'familyserv' and host 'famrad' went as follows: 14:57:55.661773 IP familyserv.familyradio.org.ssh > famrad.familyradio.org.44233: P 1048606257:1048606385(128) ack 4160186819 win 33304 14:57:55.665181 IP famrad.familyradio.org.44233 > familyserv.familyradio.org.ssh: . ack 128 win 33240 123825301 449488402> 14:58:06.382636 IP famrad.familyradio.org.34932 > familyserv.familyradio.org.amanda: UDP, length: 119 14:58:06.423680 IP familyserv.familyradio.org.amanda > famrad.familyradio.org.34932: UDP, length: 50 14:58:06.424676 IP familyserv.familyradio.org.amanda > famrad.familyradio.org.34932: UDP, length: 109 14:58:06.428009 IP famrad.familyradio.org.34932 > familyserv.familyradio.org.amanda: UDP, length: 50 Since both ends are supposedly configured for tcpportrange=512.1023 and udpportrange=5,50100 try configure with "--with-tcpportrange=5,50100 --with-udpportrange=512,1023 ..." and recompile. Open the corresponding ports in the firewall setup. The reason udp port 34932 was tried because Amanda cannot find a reserved udp port that it can use. -- Thank you! Kevin Till Amanda documentation: http://wiki.zmanda.com Amanda forums:http://forums.zmanda.com
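The source-port check discussed in this message, as an added example (not code from Amanda or from anyone in the thread): it reads tcpdump lines and counts UDP requests to the amanda service whose source port falls outside the range given to --with-udpportrange. The function names are hypothetical; the first five sample lines are copied from the trace in the message and the last one is constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Text after the last '.' of a tcpdump endpoint such as "host.example.org.34932". */
static const char *last_label(const char *endpoint)
{
    const char *dot = strrchr(endpoint, '.');
    return dot ? dot + 1 : endpoint;
}

/*
 * If `line` is a UDP packet addressed to `service` (the name tcpdump prints
 * from /etc/services, or the port number when run with -n), return the
 * sender's numeric source port. Return -1 for every other line.
 */
int request_source_port(const char *line, const char *service)
{
    char src[256], dst[256];
    const char *tail;
    char *end;
    long port;

    if (strstr(line, ": UDP") == NULL)
        return -1;                      /* TCP or unparsable line */
    if (sscanf(line, "%*s IP %255s > %255[^:]", src, dst) != 2)
        return -1;
    if (strcmp(last_label(dst), service) != 0)
        return -1;                      /* a reply, or some other service */

    tail = last_label(src);
    port = strtol(tail, &end, 10);
    if (end == tail || *end != '\0' || port < 1 || port > 65535)
        return -1;                      /* source printed as a service name */
    return (int)port;
}

/* Count requests to `service` whose source port is outside [lo, hi]. */
int count_out_of_range(const char *const *lines, size_t n,
                       const char *service, int lo, int hi)
{
    size_t i;
    int bad = 0;

    for (i = 0; i < n; i++) {
        int port = request_source_port(lines[i], service);
        if (port != -1 && (port < lo || port > hi))
            bad++;
    }
    return bad;
}

/* Lines 0-4: from the trace quoted in the thread. Line 5: constructed. */
static const char *const SAMPLE[] = {
    "14:57:55.661773 IP familyserv.familyradio.org.ssh > famrad.familyradio.org.44233: P 1048606257:1048606385(128) ack 4160186819 win 33304",
    "14:58:06.382636 IP famrad.familyradio.org.34932 > familyserv.familyradio.org.amanda: UDP, length: 119",
    "14:58:06.423680 IP familyserv.familyradio.org.amanda > famrad.familyradio.org.34932: UDP, length: 50",
    "14:58:06.424676 IP familyserv.familyradio.org.amanda > famrad.familyradio.org.34932: UDP, length: 109",
    "14:58:06.428009 IP famrad.familyradio.org.34932 > familyserv.familyradio.org.amanda: UDP, length: 50",
    "14:58:07.000000 IP famrad.familyradio.org.850 > familyserv.familyradio.org.amanda: UDP, length: 119"
};
#define SAMPLE_COUNT (sizeof SAMPLE / sizeof SAMPLE[0])

int main(void)
{
    size_t i;

    for (i = 0; i < SAMPLE_COUNT; i++) {
        int port = request_source_port(SAMPLE[i], "amanda");
        if (port != -1)
            printf("request from source port %d: %s\n", port,
                   (port >= 512 && port <= 1023) ? "in range" : "OUT OF RANGE");
    }
    printf("out-of-range requests: %d\n",
           count_out_of_range(SAMPLE, SAMPLE_COUNT, "amanda", 512, 1023));
    return 0;
}
```

A non-zero count on a host that was rebuilt with the port-range options suggests the running binary is not the rebuilt one, which is what the CONFIGURE_COMMAND check elsewhere in the thread verifies.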
Re: filename ... has invalid characters
John Franks wrote: Hi Toralf, First off, I rather like your approach to configuration files. A little research shows that the explicit test was introduced to plug a security hole reported by PERL... See BUG #1353481 for more information. I'm piping in here, and expanding the audience to include amanda_hackers, since the change seems to impact my work on allowing spaces in file names. (Currently checked into sourceforge 2.5.1 branch.) The current check is a little too strict and will strip out spaces and control characters, all of which are valid according to POSIX rules. (POSIX allows any character except '/' or NULL is allowable.) I'm proposing an alternate solution to our mutual problems: Sanitize file name by simply rejecting any '..' path component in a configuration name. This should allow any arbitrary character in the configuration name and prevent any attempts to use a configuration outside of the amanda configuration directory. Toralf: will this work for you? Hackers: will this pass security muster? Hi John, I like your proposal and it will work nicely for amstatus. For other Amanda applications, we need to filter user input carefully especially in the cases that the user-input will be passed to mail-cmd, exec() and system(). -- Thank you! Kevin Till Amanda documentation: http://wiki.zmanda.com Amanda forums:http://forums.zmanda.com
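John's proposal to reject any '..' path component, together with Kevin's caveat about names that are later passed to mail-cmd, exec() and system(), written out as an added C example. It is not Amanda's code; CONFIG_DIR, the function names and the metacharacter list are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

/* Assumed base directory; the real value is a build-time setting. */
#define CONFIG_DIR "/etc/amanda"

/* Return 1 if any '/'-separated component of name is exactly "..". */
int has_dotdot_component(const char *name)
{
    const char *p = name;

    while (*p != '\0') {
        size_t len = strcspn(p, "/");   /* length of this component */
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return 1;
        p += len;
        if (*p == '/')
            p++;                        /* step over the separator */
    }
    return 0;
}

/*
 * Build CONFIG_DIR/name into out. Any character is accepted (spaces and
 * control characters included); only empty names, ".." components and
 * results that do not fit the buffer are rejected.
 * Returns 0 on success, -1 on rejection.
 */
int build_config_path(const char *name, char *out, size_t outlen)
{
    int n;

    if (name == NULL || name[0] == '\0' || has_dotdot_component(name))
        return -1;
    n = snprintf(out, outlen, "%s/%s", CONFIG_DIR, name);
    if (n < 0 || (size_t)n >= outlen)
        return -1;                      /* truncated: refuse, do not use */
    return 0;
}

/*
 * Return 1 if name holds a character a shell would interpret. A name can
 * pass the path check above and still be unsafe inside a system() string,
 * so such names belong in an exec-style argument vector, never in a
 * command line assembled as text.
 */
int has_shell_meta(const char *name)
{
    return name[strcspn(name, " \t\n;&|<>()$`\\\"'*?[]#~!{}")] != '\0';
}

int main(void)
{
    /* Constructed sample names. */
    const char *names[] = { "DailySet1", "Daily Set 1", "a..b",
                            "../other", "set/../../etc" };
    char path[256];
    size_t i;

    for (i = 0; i < sizeof names / sizeof names[0]; i++) {
        if (build_config_path(names[i], path, sizeof path) == 0)
            printf("accept  %-16s -> %s%s\n", names[i], path,
                   has_shell_meta(names[i]) ? "  (argv only, no shell)" : "");
        else
            printf("reject  %s\n", names[i]);
    }
    return 0;
}
```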
Re: HOST DOWN error connecting to new client
"owl" DEFAULT_TAPE_DEVICE="null:" amandad:HAVE_MMAP HAVE_SYSVSHM LOCKING=POSIX_FCNTL SETPGRP_VOID amandad:DEBUG_CODE AMANDA_DEBUG_DAYS=4 BSD_SECURITY RSH_SECURITY amandad:USE_AMANDAHOSTS CLIENT_LOGIN="amanda" FORCE_USERID HAVE_GZIP amandad:COMPRESS_SUFFIX=".gz" COMPRESS_FAST_OPT="--fast" amandad:COMPRESS_BEST_OPT="--best" UNCOMPRESS_OPT="-dc" amandad: time 29.954: pid 27781 finish time Tue Jun 6 17:05:01 2006 == My xinetd setup for Amanda appears to be correct, and the path specified in the server section does exist. /etc/services has several entries for Amanda. They are: amanda 10080/tcp # amanda backup services amanda 10080/udp # amanda backup services kamanda 10081/tcp # amanda backup services (Kerberos) kamanda 10081/udp # amanda backup services (Kerberos) amandaidx 10082/tcp # amanda backup services amidxtape 10083/tcp # amanda backup services Any other ideas? Thanks! Matt I've rebooted both servers to rule out any network wackiness, and I'm still having the same problem. A chkconfig shows that the Amanda service is in fact running under xinetd. I was wondering if there's any other way to connect directly to the machine to see if it is in fact answering requests on those ports? Would a simple NMAP scan work? Can I telnet to the ports and get some kind of response? Since amanda*.debug on the client got created, it seems to me the server did the initial contact to the client successfully. Just selfcheck didn't get executed. Do you have the following file on the client: /usr/local/libexec/selfcheck /usr/local/libexec/noop /usr/local/libexec/sendsize Yes, "nmap -sU -sV host" should report 10080/udp is open on the client. -- Thank you! Kevin Till Amanda documentation: http://wiki.zmanda.com Amanda forums:http://forums.zmanda.com
Re: error redirecting stderr to fd 51
McGraw, Robert P. wrote:

I still seem to be having a problem getting a good backup. Seems something always pops up.

planner: build: VERSION="Amanda-2.5.0p1"
planner:BUILT_DATE="Sat Apr 29 15:42:05 EDT 2006"
planner:BUILT_MACH="SunOS zorn.math.purdue.edu 5.10 Generic_118833-03 sun4u sparc SUNW,Sun-Fire-280R"

I noticed that the four "dumping" jobs seemed to hang.

zorn->[309] > amstatus --config daily --date
Using /var/amanda/daily/amdump from Tue May 2 14:30:35 EDT 2006
20060502 bers:/ 0 m finished (14:42:59)
20060502 bessel:/0 4592m finished (14:47:27)
20060502 zorn:/export/csw0 1322m dumping0m (14:34:14)
20060502 zorn:/export/users-aar 00m finished (14:35:43)
20060502 zorn:/export/users-aduchkov 0 448m finished (14:37:09)
20060502 zorn:/export/users-aedquist 0 59m dumping0m (14:33:43)
20060502 zorn:/export/users-aendicot 0 18m finished (14:31:46)
20060502 zorn:/export/users-agabriel 0 777m dumping0m (14:34:29)
20060502 zorn:/export/users-nlucier 0 8931m finished (15:10:54)
20060502 zorn:/export/users-rmcgraw 0 1430m dumping0m (14:33:59)

I went to /tmp/amanda and ran

##R##-zorn->[351] ##> grep -i error *
sendbackup.20060502143344.debug:sendbackup: time 0.000: error redirecting stderr to fd 51: Bad file number
sendbackup.20060502143359.debug:sendbackup: time 0.000: error redirecting stderr to fd 51: Bad file number
sendbackup.20060502143414.debug:sendbackup: time 0.000: error redirecting stderr to fd 51: Bad file number
sendbackup.20060502143429.debug:sendbackup: time 0.000: error redirecting stderr to fd 51: Bad file number

I cat'ed one of the debug files

##R##-zorn->[360] ##> cat sendbackup.20060502143359.debug
sendbackup: debug 1 pid 23380 ruid 30002 euid 30002: start at Tue May 2 14:33:59 2006
sendbackup: version 2.5.0p1
parsed request as: program `GNUTAR' disk `/export/users-rmcgraw' device `/export/fssnap/users' level 0 since 1970:1:1:0:0:0 options `|;auth=BSD;index;include-file=./rmcgraw;'
sendbackup: time 0.000: error redirecting stderr to fd 51: Bad file number
sendbackup: time 0.000: pid 23380 finish time Tue May 2 14:33:59 2006

1) Can anybody tell me what the "error redirecting stderr to fd 51: Bad file number" means? I googled the message but found nothing.

Could it be that Amanda on Solaris is hitting the 256 open file descriptors limit? (it's 1024 on most Linux systems) run /usr/bin/ulimit to see what it reports. I believe root user can change the limit.

--
Thank you!
Kevin Till
Amanda documentation: http://wiki.zmanda.com
Amanda forums: http://forums.zmanda.com
Re: FreeBSD client
John Clement wrote:

Some of you might remember I'm piecing together a previous, non-working, installation of amanda. The help I've received off here has been great, so thanks again!

The next piece in this puzzle is a FreeBSD (5.4) machine that appears to have amanda already installed. I can't find any documentation on getting the client working on BSD so started going by all the information I've gleaned troubleshooting the Linux machines here.

I can't find a .amandahosts file, do I need to create this and if so where? Or should this information go somewhere else?

I assume /tmp/amanda should exist on the machine and be writable and owned by operator:operator (operator being the default username the client seems to install by, and operator being BSD's equiv of 'disk' group), is this so?

do "amadmin test version"

the output of the above command tells how it's configured and where the log will be kept and etc.

--
Thank you!
Kevin Till
Amanda documentation: http://wiki.zmanda.com
Amanda forums: http://forums.zmanda.com
Re: new linux client install
John Clement wrote:

Having read through some of the documentation it seemed a fairly straight forward thing to install an Amanda client. However, I used an rpm for it, having been forced to upgrade my tar software too but it appears to be running as amandabackup and in /var/lib... So I'm now getting the following:

amandad: time 0.002: accept error: access as amandabackup not allowed from [EMAIL PROTECTED]: cannot open /var/lib/amanda/.amandahosts: Permission denied
amandad: time 0.002: sending NAK pkt:
<<<<<
ERROR access as amandabackup not allowed from [EMAIL PROTECTED]: cannot open /var/lib/amanda/.amandahosts: Permission denied
>>>>>

at the bottom of my amcheck. I've confirmed that the file is owned and chmoded correctly:

-rw--- 1 amandabackup disk 109 Apr 25 14:23 .amandahosts

If I change the ownership or permissions it complains, so I think they are correct. In the .amandahosts file I have

server.domain.tld amanda
server amanda
server.domain.tld amandabackup #added incase it made a difference
server amandabackup #added incase it made a difference

So can anyone make any suggestions?

I suspect that amandad on the client was started by amanda (instead of amandabackup as it should be). Could you show the content of /etc/xinetd.d/amanda*

#cat /etc/xinetd.d/amanda*

The "user" field should be "amandabackup".

--
Thank you!
Kevin Till
Amanda documentation: http://wiki.zmanda.com
Amanda forums: http://forums.zmanda.com
Re: Estimate timeouts after upgrade and easy way to test just one backup target
Jon LaBadie wrote:

selinux turned on in FC5? probably not in rh9.

FC5 is on my radar but I have not actually worked on it yet. From reading FC5 selinux FAQ, amanda is one of the daemons that's protected even in the targeted policy.

/sbin/sestatus to tell the status of the SELinux running.
system-config-securitylevel to configure SELinux

--
Thank you!
Kevin Till
Amanda documentation: http://wiki.zmanda.com
Amanda forums: http://forums.zmanda.com
Re: 2.5.0 compile problems on HP-UX 10.10
stan wrote: Here's the line that causes the error: char *aparent = vstralloc(parent_dir, "/", include, NULL); Any sugestiosn as to wheer to begin on resoloving this? see if this patch help: --- calcsize.c 9 Mar 2006 16:51:41 - 1.36 +++ calcsize.c 29 Mar 2006 15:45:08 - 1.37 @@ -24,7 +24,7 @@ * file named AUTHORS, in the root directory of this distribution. */ /* - * $Id: calcsize.c,v 1.36 2006/03/09 16:51:41 martinea Exp $ + * $Id: calcsize.c,v 1.37 2006/03/29 15:45:08 martinea Exp $ * * traverse directory tree to get backup size estimates */ @@ -329,10 +329,11 @@ int l; int parent_len; int has_exclude = !is_empty_sl(exclude_sl) && use_gtar_excl; +char *aparent; if(parent_dir == NULL || include == NULL) return; -char *aparent = vstralloc(parent_dir, "/", include, NULL); +aparent = vstralloc(parent_dir, "/", include, NULL); if(stat(parent_dir, &finfo) != -1) parent_dev = finfo.st_dev; -- Thank you! Kevin Till Amanda documentation: http://wiki.zmanda.com Amanda forums:http://forums.zmanda.com
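Review bot: In the second calcsize.c hunk, "char *aparent;" is now declared without an initializer above the early "return", and the visible lines show the vstralloc() result being assigned but not where it is released. Consider "char *aparent = NULL;" at the declaration and confirm that every exit path after the assignment frees it, since the rest of the function is outside this hunk. A short comment that the declaration was hoisted because the combined declaration-and-assignment line is the one that failed to compile in this thread would keep a later cleanup from moving it back.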
Re: port 35280 not secure
Anne Wilson wrote:

On Monday 03 April 2006 19:50, Anne Wilson wrote:

Kevin said: amcheck is not setuid root on the source tree so it fails to bind a privileged port while performing host check.

I've made sure now that all the /usr/local/sbin/ executables are owned root:disk, and amcheck is setuid. What else needs to be setuid?

Changed ownership to amanda:disk, but still seeing the same errors.

The installed amcheck should be used, not the one in the source tree. The installed amcheck should have permission similar to the following:

ls -la /usr/local/sbin/amcheck
-rwsr-x--- 1 root disk 63345 Apr 3 10:45 /usr/local/sbin/amcheck

Is there a firewall between the client and the server? If so, see http://wiki.zmanda.com/index.php/Firewalls_%26_NAT

--
Thank you!
Kevin Till
Amanda documentation: http://wiki.zmanda.com
Amanda forums: http://forums.zmanda.com
Re: port 35280 not secure
Gene Heskett wrote:

On Monday 03 April 2006 13:39, Anne Wilson wrote:

And I've been helping her offlist. This error is what you get when you run the amcheck built in the /home/amanda/amanda-version/server-src tree, I just tried it and got similar squawks. Running it normally, no squawks.

amcheck is not setuid root on the source tree so it fails to bind a privileged port while performing host check.

I have been helped, off-list, to configure amanda, and it looks as though I am at last ready to run, except that I am seeing the following:

Amanda Backup Client Hosts Check
ERROR: NAK borg: host borg: port 35280 not secure

This was a new error to me also, verified by my doing it here with a ./amcheck as amanda, while sitting in the server-src tree

borg is the host on which amanda will be running. Could someone please point me to what needs doing?

Thanks
Anne

--
Thank you!
Kevin Till
Amanda documentation: http://wiki.zmanda.com
Amanda forums: http://forums.zmanda.com
Re: ssh AUTH howto?
Jason Castonguay wrote:

Hi list,

Maybe I missed something in the documentation, wiki, faq, forum, or in the list archives, but besides adding ssh authentication in the dumptype what steps does one take to use it? I assume it's using keys and the amanda backup user then runs a command via ssh. Does it only use amandad over it? How about recovery? Does this mean if use ssh, amanda will only use ssh for communication between the two machines?

Thanks.

PS Would any debian users/developers here please give me feedback on the amanda 2.5 packages I built? http://www.solutionsforprogress.com/~jcastonguay/ They still need a bit of polish, but work for me.

one more thing, needs to configure Amanda with --with-ssh-security. It will install dumper/amcheck non-suid.

--Kevin

1. set "auth ssh" in the dumptype
2. both server and client must be configured exactly the same
   a. username needs to be the same
   b. location of amandad binaries needs to be the same
   c. a sourceforge RFE bug to request the above restrictions configurable.
3. ssh-keygen -t rsa
   it will create ~amanda_user/.ssh/id_rsa and ~amanda_user/.ssh/id_rsa.pub
   copy ~amanda_user/.ssh/id_rsa.pub to the client machine and append it to ~amanda_user/.ssh/authorized_keys
   chmod 600 ~amanda_user/.ssh/authorized_keys
4. ssh-add
   {will prompt for the passphrase}
   {it will add the RSA identities to the authentication agent}
5. run amdump as you normally do.
   (amrecover/amrestore has not been updated to make use of Security API to support auth=ssh)

I will add the above to wiki.zmanda.com

--Kevin Till
Zmanda

--
Thank you!
Kevin Till
Amanda documentation: http://wiki.zmanda.com
Amanda forums: http://forums.zmanda.com
Re: ssh AUTH howto?
Jason Castonguay wrote:

Hi list,

Maybe I missed something in the documentation, wiki, faq, forum, or in the list archives, but besides adding ssh authentication in the dumptype what steps does one take to use it?

1. set "auth ssh" in the dumptype
2. both server and client must be configured exactly the same
   a. username needs to be the same
   b. location of amandad binaries needs to be the same
   c. a sourceforge RFE bug to request the above restrictions configurable.
3. ssh-keygen -t rsa
   it will create ~amanda_user/.ssh/id_rsa and ~amanda_user/.ssh/id_rsa.pub
   copy ~amanda_user/.ssh/id_rsa.pub to the client machine and append it to ~amanda_user/.ssh/authorized_keys
   chmod 600 ~amanda_user/.ssh/authorized_keys
4. ssh-add
   {will prompt for the passphrase}
   {it will add the RSA identities to the authentication agent}
5. run amdump as you normally do.
   (amrecover/amrestore has not been updated to make use of Security API to support auth=ssh)

I will add the above to wiki.zmanda.com

--Kevin Till
Zmanda

I assume it's using keys and the amanda backup user then runs a command via ssh. Does it only use amandad over it? How about recovery? Does this mean if use ssh, amanda will only use ssh for communication between the two machines?

Thanks.

PS Would any debian users/developers here please give me feedback on the amanda 2.5 packages I built? http://www.solutionsforprogress.com/~jcastonguay/ They still need a bit of polish, but work for me.

--
Thank you!
Kevin Till
Amanda documentation: http://wiki.zmanda.com
Amanda forums: http://forums.zmanda.com
Re: Attempt to contact amanda gives sshd error -- dont know why sshd is involved!
Jon LaBadie wrote:

On Thu, Mar 30, 2006 at 01:01:29PM -0800, Kevin Till wrote:

Lengyel, Florian wrote:

An amanda client that used to work on a debian host, before an apt-get update and an apt-get upgrade, and an installation of opennms (which installed the silly daemon identd for postgres) now gives me timeouts when I try

Hi,

What version of Amanda are you using? ssh support was added to Amanda 2.5.0.

?ssh support? is it optional/default/??? What parts might use it?

optional which is part of the implementation to use the Security API. Default is "auth bsd". amdump will use it.

I wonder why Florian would be hitting it (i.e. even using any aspect of ssh) by simply upgrading an existing amanda installation?

please see other posts on this thread.

--
Thank you!
Kevin Till
Amanda documentation: http://wiki.zmanda.com
Amanda forums: http://forums.zmanda.com
Re: Attempt to contact amanda gives sshd error -- dont know why sshd is involved!
Lengyel, Florian wrote:

An amanda client that used to work on a debian host, before an apt-get update and an apt-get upgrade, and an installation of opennms (which installed the silly daemon identd for postgres) now gives me timeouts when I try

Hi,

What version of Amanda are you using? ssh support was added to Amanda 2.5.0.

the "Did not receive identification string from:::10.10.32.247" should not have anything to do with Amanda. Seems to me someone try to login as amanda to that machine.

Couple things to check, is amandad started correctly on the client?

1) /etc/init.d/xinetd restart and see if there is any error on /var/log/messages.
2) any error in /tmp/amanda/amcheck*.debug?

Thanks!

--Kevin Till
Zmanda

amcheck -m Daily

/var/log/secure gives me this:

[EMAIL PROTECTED] log]# tail secure
Mar 30 13:15:03 amanda sshd[19449]: Did not receive identification string from:::10.10.32.247
Mar 30 13:20:03 amanda sshd[19495]: Did not receive identification string from:::10.10.32.247
Mar 30 13:25:03 amanda sshd[19538]: Did not receive identification string from:::10.10.32.247
Mar 30 13:30:04 amanda sshd[19584]: Did not receive identification string from:::10.10.32.247
Mar 30 13:32:24 amanda xinetd[2244]: START: amanda pid=19702 from=10.10.32.250
Mar 30 13:32:24 amanda xinetd[2244]: START: amanda pid=19705 from=10.10.32.250
Mar 30 13:35:04 amanda sshd[20042]: Did not receive identification string from:::10.10.32.247
Mar 30 13:40:05 amanda sshd[20088]: Did not receive identification string from:::10.10.32.247
Mar 30 13:45:05 amanda sshd[20131]: Did not receive identification string from:::10.10.32.247
[EMAIL PROTECTED] log]#

--
Thank you!
Kevin Till
Amanda documentation: http://wiki.zmanda.com
Amanda forums: http://forums.zmanda.com
Re: Odd amrecover and amverify issue in 2.5.0b2 (SOLVED)
Anthony Valentine wrote: Anthony Valentine wrote: Hello everyone! I am having an odd issue with amverify and amrecover and am wondering if anyone can tell me why? Using 2.5.0b2 (upgraded from 2.4.2), the amdump seems to run fine, without any errors in the status e-mail, but I am getting some strange output when running amverify and amrecover. These two issues have now been fixed! I am posting the solution to the list so that it hits the archive and can help others with the same issues. Anthony, thanks for verifying the fixes! Both fixes are in Amanda sourceforge CVS and will be included in the upcoming Amanda 2.5.0 release. -- Thank you! Kevin Till Amanda documentation: http://wiki.zmanda.com Amanda forums:http://forums.zmanda.com The amverify problem was solved with this patch from Kevin Till: --- amverify.sh.in 24 Feb 2006 04:44:59 - 1.35 +++ amverify.sh.in 15 Mar 2006 23:56:47 - 
@@ -460,6 +460,9 @@ elif [ -n "$EOF" ]; then report "End-of-Tape detected." break + elif [ -n "$EOI" ]; then +report "End-of-Information detected." +break else report "** Error detected ($FILE)" echo "$VOLUME ($FILE):" >>$DEFECTS The amrecover problem was solved with this patch from John Franks: Index: ChangeLog === RCS file: /cvsroot/amanda/amanda/ChangeLog,v retrieving revision 1.1595 diff -r1.1595 ChangeLog 0a1,6 > 2006-03-06 John Franks <[EMAIL PROTECTED]> > * recover-src/extract_list.c: > 1) Don't add '.' directory twice to tar extract list. > 2) Don't prepend extra '/' to extract patterns starting with '/'. > 3) Convert "/" extract pattern to "*" equivalent. > Index: recover-src/extract_list.c === RCS file: /cvsroot/amanda/amanda/recover-src/extract_list.c,v retrieving revision 1.95 diff -r1.95 extract_list.c 482,484c482,495 < if (strcmp(disk_path, "/") == 0) < path_on_disk = stralloc2("/", regex); < else { --- > if (strcmp(disk_path, "/") == 0) { > if (*regex == '/') { > if (strcmp(regex, "/[/]*$") == 0) { > /* We want '/' to match everything in directory... */ > path_on_disk = stralloc("/[^/]*[/]*$"); > } else { > /* No mods needed if already starts with '/' */ > path_on_disk = stralloc(regex); > } > } else { > /* Prepend '/' */ > path_on_disk = stralloc2("/", regex); > } > } else { 1550c1561,1562 < restore_args[j++] = stralloc2(".", fn->path); --- > else > restore_args[j++] = stralloc2(".", fn->path); Thanks everyone, for all your help!
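Review bot: In the extract_list.c change at 482, the root-pattern case is detected with strcmp(regex, "/[/]*$") == 0, so only that exact spelling is rewritten to "/[^/]*[/]*$" and any other pattern beginning with '/' is passed through unchanged; a comment naming the caller that produces that literal would make the dependency explicit. The change at 1550 adds only an "else", and the "if" it pairs with is not in the diff, so the "don't add '.' twice" item in the ChangeLog cannot be checked from what is posted. A context or unified diff would make both changes reviewable.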
Re: Odd amrecover and amverify issue in 2.5.0b2
Hi Anthony, The following patch should fix the amverify problem, could you give it a try? --- amverify.sh.in 24 Feb 2006 04:44:59 - 1.35 +++ amverify.sh.in 15 Mar 2006 23:56:47 - @@ -460,6 +460,9 @@ elif [ -n "$EOF" ]; then report "End-of-Tape detected." break + elif [ -n "$EOI" ]; then +report "End-of-Information detected." +break else report "** Error detected ($FILE)" echo "$VOLUME ($FILE):" >>$DEFECTS Anthony Valentine wrote: amrestore: missing file header block amrestore: WARNING: not at start of tape, file numbers will be offset amrestore: missing file header block amrestore: missing file header block amrestore: missing file header block amrestore: missing file header block amrestore: missing file header block amrestore: missing file header block amrestore: missing file header block amrestore: missing file header block amrestore: missing file header block amrestore: missing file header block amrestore: 10: reached end of information ** No header 0+0 in 0+0 out Too many errors. -- Thank you! Kevin Till Amanda documentation: http://wiki.zmanda.com Amanda forums:http://forums.zmanda.com
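Review bot: The new branch 'elif [ -n "$EOI" ]' in amverify.sh.in tests a variable that the hunk never sets, so check that EOI is assigned where amrestore's "reached end of information" message is recognised and that it is reset at the same point as EOF; otherwise the branch either never fires or a stale value breaks out of the loop on a later file. It would also help to state in the patch description whether end-of-information should count toward the error total, since the output quoted below ends with "Too many errors."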
Re: request failed: timeout waiting for ACK
Stefan Herrmann wrote:

On 01.03.2006 at 23:21, Kevin Till wrote:

that's the email i got from the last amdump:

These dumps were to tape hourly025.
The next 2 tapes Amanda expects to use are: a new tape, a new tape.

FAILURE AND STRANGE DUMP SUMMARY:
pille.hq.imos.net /usr lev 1 FAILED [cannot read header: got 0 instead of 32768]
pille.hq.imos.net /usr lev 1 FAILED [too many dumper retry]
pille.hq.imos.net /usr lev 1 FAILED [cannot read header: got 0 instead of 32768]
pille.hq.imos.net /var lev 1 FAILED [cannot read header: got 0 instead of 32768]
pille.hq.imos.net /var lev 1 FAILED [too many dumper retry]
pille.hq.imos.net /var lev 1 FAILED [cannot read header: got 0 instead of 32768]
pille.hq.imos.net / lev 0 FAILED [cannot read header: got 0 instead of 32768]
pille.hq.imos.net / lev 0 FAILED [too many dumper retry]
pille.hq.imos.net / lev 0 FAILED [cannot read header: got 0 instead of 32768]
pille.hq.imos.net /opt lev 1 FAILED [cannot read header: got 0 instead of 32768]
pille.hq.imos.net /opt lev 1 FAILED [too many dumper retry]
pille.hq.imos.net /opt lev 1 FAILED [cannot read header: got 0 instead of 32768]

is firewall running on the client? If so, it needs to open some TCP ports for DATA/MESG/INDEX communication.

no packet filter on server and client, they are both running in an internal network.

ok, any errors in /tmp/amanda/sendbackup.*.debug or /tmp/amanda/runtar.*.debug?

--
Thank you!
Kevin Till
Amanda documentation: http://wiki.zmanda.com
Amanda forums: http://forums.zmanda.com
Re: request failed: timeout waiting for ACK
Stefan Herrmann wrote:

On 23.02.2006 at 16:15, Paul Bijnens wrote:

On 2006-02-23 15:54, Stefan Herrmann wrote:

i think there was no useful information in the leftout part, but look for yourself:

Yes indeed. No REQ packet at all. Are you sure this debug file is the result from a amdump request, and not one of those that were generated by all different commands to solve this strange problem? e.g. starting amandad from the command line, gives exactly the same output ?

yes i am sure, this was from the amdump run...

Are the datestamps consistent with the amdump.1 file? Another thing to use a network packet dumper to see if the packet got dropped/lost somewhere. Both on the server and the client, and verify if the client receives what the server sends.

tcpdump -X -s 1500 udp and port 10080

that's the email i got from the last amdump:

These dumps were to tape hourly025.
The next 2 tapes Amanda expects to use are: a new tape, a new tape.

FAILURE AND STRANGE DUMP SUMMARY:
pille.hq.imos.net /usr lev 1 FAILED [cannot read header: got 0 instead of 32768]
pille.hq.imos.net /usr lev 1 FAILED [too many dumper retry]
pille.hq.imos.net /usr lev 1 FAILED [cannot read header: got 0 instead of 32768]
pille.hq.imos.net /var lev 1 FAILED [cannot read header: got 0 instead of 32768]
pille.hq.imos.net /var lev 1 FAILED [too many dumper retry]
pille.hq.imos.net /var lev 1 FAILED [cannot read header: got 0 instead of 32768]
pille.hq.imos.net / lev 0 FAILED [cannot read header: got 0 instead of 32768]
pille.hq.imos.net / lev 0 FAILED [too many dumper retry]
pille.hq.imos.net / lev 0 FAILED [cannot read header: got 0 instead of 32768]
pille.hq.imos.net /opt lev 1 FAILED [cannot read header: got 0 instead of 32768]
pille.hq.imos.net /opt lev 1 FAILED [too many dumper retry]
pille.hq.imos.net /opt lev 1 FAILED [cannot read header: got 0 instead of 32768]

is firewall running on the client? If so, it needs to open some TCP ports for DATA/MESG/INDEX communication.
--Kevin Till STATISTICS: Total Full Incr. Estimate Time (hrs:min)0:02 Run Time (hrs:min) 0:06 Dump Time (hrs:min)0:00 0:00 0:00 Output Size (meg) 0.00.00.0 Original Size (meg) 0.00.00.0 Avg Compressed Size (%) -- -- -- Filesystems Dumped0 0 0 Avg Dump Rate (k/s) -- -- -- Tape Time (hrs:min)0:00 0:00 0:00 Tape Size (meg) 0.00.00.0 Tape Used (%) 0.00.00.0 Filesystems Taped 0 0 0 Chunks Taped 0 0 0 Avg Tp Write Rate (k/s) -- -- -- USAGE BY TAPE: Label Time Size %NbNc hourly025 0:000M0.0 0 0 NOTES: planner: Adding new disk pille.hq.imos.net:/. taper: tape hourly025 kb 0 fm 0 [OK] DUMP SUMMARY: DUMPER STATS TAPER STATS HOSTNAME DISKL ORIG-MB OUT-MB COMP% CRYPT% MMM:SS KB/s MMM:SS KB/s -- pille.hq.imo / 0 FAILED -- pille.hq.imo /opt1 FAILED -- pille.hq.imo /usr1 FAILED -- pille.hq.imo /var1 FAILED -- (brought to you by Amanda version 2.5.0b2) and i did also the tcpdump test. after the estimates the amanda server contacts the client but doesnt get an answer. this is the last packet: 12:52:33.488055 IP amanda.hq.imos.net.909 > pille.hq.imos.net.amanda: UDP, length 261 0x: 4500 0121 0017 4000 4011 8af1 c0a8 96ce [EMAIL PROTECTED]@... 0x0010: c0a8 96a4 038d 2760 010d e3d1 416d 616e ..'`Aman 0x0020: 6461 2032 2e35 2052 4551 2048 414e 444c da.2.5.REQ.HANDL 0x0030: 4520 3030 302d 3030 3030 3030 3037 2053 E.000-0007.S 0x0040: 4551 2031 3134 3130 3634 3734 380a 5345 EQ.1141064748.SE 0x0050: 4355 5249 5459 2055 5345 5220 616d 616e CURITY.USER.aman 0x0060: 6461 0a53 4552 5649 4345 2073 656e 6462 da.SERVICE.sendb 0x0070: 6163 6b75 700a 4f50 5449 4f4e 5320 6665 ackup.OPTIONS.fe 0x0080: 6174 7572 6573 3d66 6566 6639 atures=feff9 0x0090: 6566 6630 333b 686f 7374 6e61 ffe03;hostna 0x00a0: 6d65 3d70 696c 6c65 2e68 712e 696d 6f73 me=pille.hq.imos 0x00b0: 2e6e 6574 3b0a 474e 5554 4152 202f 6f70 .net;.GNUTAR./op 0x00c0: 7420 2031 2032 3030 363a 323a 3232 3a
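When comparing captures taken on the server and on the client, as suggested in this thread, it helps to pull the header fields out of each UDP payload. The following is an added example (not Amanda's code and not part of the message); it covers only the text layout visible in the capture above (header line, SECURITY USER, SERVICE, then OPTIONS), and the struct, the function name and the sample packet are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Fields readable in the text part of the request shown in the capture. */
struct amanda_req {
    char version[16];   /* e.g. "2.5" */
    char type[8];       /* REQ; the thread also mentions ACK and NAK */
    char handle[40];
    long seq;
    char user[32];      /* from "SECURITY USER <name>", empty if absent */
    char service[32];   /* from "SERVICE <name>", empty if absent */
};

/* Constructed sample payload; handle, sequence and hostname are made up. */
static const char SAMPLE_REQ[] =
    "Amanda 2.5 REQ HANDLE 000-00000001 SEQ 1234567890\n"
    "SECURITY USER amanda\n"
    "SERVICE sendbackup\n"
    "OPTIONS hostname=client.example;\n";

/*
 * Parse a UDP payload of len bytes (not necessarily NUL-terminated).
 * Returns 0 if the first line is a well-formed Amanda header, else -1.
 * Lines after the header are scanned until OPTIONS or end of data.
 */
int parse_amanda_packet(const unsigned char *pkt, size_t len,
                        struct amanda_req *out)
{
    char buf[2048];
    char *line, *next;

    if (pkt == NULL || out == NULL || len == 0 || len >= sizeof buf)
        return -1;
    memcpy(buf, pkt, len);
    buf[len] = '\0';
    memset(out, 0, sizeof *out);

    line = buf;
    next = strchr(line, '\n');
    if (next != NULL)
        *next++ = '\0';
    /* Field widths are one less than the destination sizes. */
    if (sscanf(line, "Amanda %15s %7s HANDLE %39s SEQ %ld",
               out->version, out->type, out->handle, &out->seq) != 4)
        return -1;

    while (next != NULL && *next != '\0') {
        line = next;
        next = strchr(line, '\n');
        if (next != NULL)
            *next++ = '\0';
        if (strncmp(line, "OPTIONS", 7) == 0)
            break;                      /* request body starts here */
        if (sscanf(line, "SECURITY USER %31s", out->user) == 1)
            continue;
        (void)sscanf(line, "SERVICE %31s", out->service);
    }
    return 0;
}

int main(void)
{
    struct amanda_req r;

    if (parse_amanda_packet((const unsigned char *)SAMPLE_REQ,
                            strlen(SAMPLE_REQ), &r) != 0) {
        puts("not an Amanda packet");
        return 1;
    }
    printf("type=%s handle=%s seq=%ld user=%s service=%s\n",
           r.type, r.handle, r.seq, r.user, r.service);
    return 0;
}
```

Running it over the payload seen on each side shows whether the same handle and sequence number left the server and reached the client.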
Re: encryption with 2.5.0b2
Jon LaBadie wrote:

On Thu, Feb 23, 2006 at 03:50:11PM -0800, Kevin Till wrote:

Josef Wolf wrote:

On Wed, Feb 22, 2006 at 03:34:44PM -0800, Kevin Till wrote:

Amanda users have used aespipe in the past, so it's there.

Hmmm, AFAIK is aespipe part of loop-aes and loop-aes is deprecated because the kernel developers want to switch to devmapper. Please correct me and clarify if I'm wrong.

devmapper seems to be merged into the mainline Linux and loop-aes has not. However, for the purpose of backup encryption, it's still a valid solution. Debian and Gentoo distribute it and it's actively maintained by the author.

devmapper/loop-aes/aespipe, all linux'isms ?? And some as kernel facilities? How do they fit with compiling amanda on unix, various BSDs, Solaris, AIX, Tru64, HP-UX, OSX, and/or cygwin?

no problem. Encryption is an optional dumptype feature. Only the hooks which make no specific assumption on what kind of encryption are compiled in.

--
Thank you!
Kevin Till
Amanda documentation: http://wiki.zmanda.com
Amanda forums: http://forums.zmanda.com
Re: encryption with 2.5.0b2
Josef Wolf wrote:

On Wed, Feb 22, 2006 at 03:34:44PM -0800, Kevin Till wrote:

- What is the point to uuencode and encrypt (with gpg) random data to generate the key? Since the passphrase is stored on the same host, protecting the key with the passphrase is not of much use (IMHO).

It illustrates the method of using multi-key which is a strong point of aespipe.

OK, I see. "multi-key" was the magic word that (after some googling) made me understand what's going on here. AFAICS, multi-keys can prevent watermark-attacks? Are there more advantages to them?

basically to make dictionary attack almost impossible given that the passphrase is not in the wrong hand.

And it's a symmetric encryption and to facilitate automatic backup, the passphrase has to be stored somewhere.

This is (one) of the reasons why I'd prefer a pubkey method: You don't have the passphrase lying around on a networked box.

Yes. Keep in mind that the passphrase (be it in symmetric or public-key encryption cases) still needs to be properly stored and managed.

I know, you can store the private-key of the public-key method offline and only use it for backup recover.

- Why using aespipe at all? Is there any reason not to use gpg? AFAICS, aespipe introduces only an additional layer of complexity.

Amanda users have used aespipe in the past, so it's there.

Hmmm, AFAIK is aespipe part of loop-aes and loop-aes is deprecated because the kernel developers want to switch to devmapper. Please correct me and clarify if I'm wrong.

devmapper seems to be merged into the mainline Linux and loop-aes has not. However, for the purpose of backup encryption, it's still a valid solution. Debian and Gentoo distribute it and it's actively maintained by the author.

I believe aespipe gives better performance since gpg is doing more than just encryption.

AFAIK, gpg does compression in addition to encryption. But then you need to compare gzip+aespipe against gpg. Or did you mean something different?

gpg also does mdc (modification detection code).

- Since the server says whether/which encryption is to be used, the server can request unencrypted backups from the client. This implies that the server has to be trusted.

Use "auth ssh/krb4/krb5" to enable transport encryption.

I am not about transport encryption here. I am about not trusting the amanda server.

That's how ssh will help here. When server starts the process(/usr/bin/ssh -l amandabackup ../amandad) on the client. The client sshd will perform RSA based authentication on the server. It improves security.

What if the server is totally compromised?

It's time to look at SELinux(Redhat) and or AppArmor(SuSE)

--
Thank you!
Kevin Till
Amanda documentation: http://wiki.zmanda.com
Amanda forums: http://forums.zmanda.com
Re: Still: Problems with amrestore - please HELP - stderr output
Radek Cisz wrote:

When I run amrestore like this

amrestore -f 0 -p /dev/nst0 localhost sda2 | restore -ivb2 -f -

I got message:

Verify tape and initialize maps
Input is from a local file/pipe
amrestore: 0: skipping start of tape: date 20060223 label EPIP2
amrestore: 1: restoring localhost.sda2.20060223.0
restore: Tape is not a dump tape
Error 32 (Broken pipe) offset 1024+1024, wrote 0
amrestore: pipe reader has quit in middle of file.

Of course I CAN RESTORE it on production server where it was backed up ! ?

wait, amrestore does not go across the network to the server to retrieve image. (Amrecover will.)

"Amrestore extracts backup images from the tape mounted on tapedevice or from the holding disk file"

--
Thank you!
Kevin Till
Amanda documentation: http://wiki.zmanda.com
Amanda forums: http://forums.zmanda.com
Re: encryption with 2.5.0b2
Josef Wolf wrote:

Hello!

Now that 2.5.0b2 seems to run pretty stable, I'd like to try the new encryption functionality. I've read wiki.zmanda.com/index.php/Encryption, but have still some questions:

- What is the point to uuencode and encrypt (with gpg) random data to generate the key? Since the passphrase is stored on the same host, protecting the key with the passphrase is not of much use (IMHO).

It illustrates the method of using multi-key which is a strong point of aespipe. And it's a symmetric encryption and to facilitate automatic backup, the passphrase has to be stored somewhere.

- Why using aespipe at all? Is there any reason not to use gpg? AFAICS, aespipe introduces only an additional layer of complexity.

Amanda users have used aespipe in the past, so it's there. I believe aespipe gives better performance since gpg is doing more than just encryption. Yes, gpg will work as well. You can even use gpg to deploy public-key encryption on Amanda.

- Since the server says whether/which encryption is to be used, the server can request unencrypted backups from the client. This implies that the server has to be trusted.

Use "auth ssh/krb4/krb5" to enable transport encryption.

--
Thank you!
Kevin Till
Amanda documentation: http://wiki.zmanda.com
Amanda forums: http://forums.zmanda.com
Re: Release of amanda-2.5.0b2
Jon LaBadie wrote: On Wed, Feb 22, 2006 at 07:47:02AM +0100, Josef Wolf wrote: On Thu, Jan 19, 2006 at 07:31:08PM -0500, Jean-Louis Martineau wrote: The Amanda core team is pleased to announce the release of Amanda 2.5.0b2. It is stable and we hope to release 2.5.0 soon. test it and report it if you find a bug in this release. The mail reports that are mailed by amdump have bogus numbers in the MMM:SS columns. For example: this line comes from the logfile: SUCCESS dumper host.do.main /m/b 20060222 2 [sec 115.740 kb 142504 kps 1231.2 orig-kb 521380] SUCCESS chunker host.do.main /m/b 20060222 2 [sec 115.822 kb 142504 kps 1230.6] And this is what the mail contains: STATISTICS: Run Time (hrs:min) 0:14 DUMPER STATSTAPER STATS HOSTNAME DISK L ORIG-MB OUT-MB COMP% CRYPT% MMM:SS KB/s MMM:SS KB/s - host.do.main /m/b 2 509139 27.3 1:561231.2 N/A N/A The real dump duration was about 115 seconds, but amdump says 1231.2 minutes. Note that the "kps" filed in the logfile contains the value that is reported my the mail. I think it is missing data in the new column, CRYPT% --- What is that? I have checked in code to remove "CRYPT%". If the data are moved over one column it makes more sense, 116sec == 1:56, 1231 == 1231. The following patch by John Franks will help too: --- server-src/conffile.c 28 Jan 2006 01:40:13 - 1.122 +++ server-src/conffile.c 18 Feb 2006 01:55:07 - 1.123 @@ -25,7 +25,7 @@ *University of Maryland at College Park */ /* - * $Id: conffile.c,v 1.122 2006/01/28 01:40:13 paddy Exp $ + * $Id: conffile.c,v 1.123 2006/02/18 01:55:07 jfranks Exp $ * * read configuration file */ 
@@ -144,12 +144,12 @@ { "Disk", 1, 11, 11, 0, "%-*.*s", "DISK" }, { "Level", 1, 1, 1, 0, "%*.*d", "L" }, { "OrigKB", 1, 7, 0, 0, "%*.*f", "ORIG-KB" }, -{ "OutKB", 0, 7, 0, 0, "%*.*f", "OUT-KB" }, -{ "Compress", 0, 6, 1, 0, "%*.*f", "COMP%" }, -{ "DumpTime", 0, 7, 7, 0, "%*.*s", "MMM:SS" }, -{ "DumpRate", 0, 6, 1, 0, "%*.*f", "KB/s" }, +{ "OutKB", 1, 7, 0, 0, "%*.*f", "OUT-KB" }, +{ "Compress", 1, 6, 1, 0, "%*.*f", "COMP%" }, +{ "DumpTime", 1, 7, 7, 0, "%*.*s", "MMM:SS" }, +{ "DumpRate", 1, 6, 1, 0, "%*.*f", "KB/s" }, { "TapeTime", 1, 6, 6, 0, "%*.*s", "MMM:SS" }, -{ "TapeRate", 0, 6, 1, 0, "%*.*f", "KB/s" }, +{ "TapeRate", 1, 6, 1, 0, "%*.*f", "KB/s" }, { NULL, 0, 0, 0, 0, NULL, NULL } }; -- Thank you! Kevin Till Amanda documentation: http://wiki.zmanda.com Amanda forums:http://forums.zmanda.com
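Review bot: In the conffile.c column table hunk at line 144, the second field of the OutKB, Compress, DumpTime, DumpRate and TapeRate entries changes from 0 to 1, which brings them in line with Disk, Level, OrigKB and TapeTime, but nothing in the visible lines says what that field means. A comment naming the struct member beside the table, or a named constant in place of the bare 0/1, would let a reader tie this change to the shifted MMM:SS and KB/s columns reported in the thread. It is also worth checking that the entries above the hunk's first context line carry the same value.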
Re: Problems with amrestore - please HELP
Hi,

> Maybe this is some issue with encryption?

Not likely. Data encryption is new to Amanda 2.5.0.2. amrestore sends all warnings/errors to stderr. Try "amrestore -f 0 ..." and send us the stderr output.

> Maybe rpm package was compiled with it? I don't know how to check it.

"amadmin config_name version" will tell you the flags that are configured in.

--Kevin Till

--
Thank you! Kevin Till
Amanda documentation: http://wiki.zmanda.com
Amanda forums: http://forums.zmanda.com
Re: Self check failing
Lengyel, Florian wrote:

> I'm getting an amanda self-check failure from amcheck daily: I suppose this was due to the mysterious disconnect of one server (m248)... another one (nept) is running, but after removing a duplicate uid for amanda in the NIS maps, it stopped working.
>
> Amanda Backup Client Hosts Check
> WARNING: nept.gc.cuny.edu: selfcheck request timed out. Host down?
> WARNING: m248.gc.cuny.edu: selfcheck request timed out. Host down?

Hi, do you use xinetd? If so, try to restart it and see if there is any error message to the syslog. Looks like amcheck cannot connect to amandad on the client.

> WARNING: rdhcp: selfcheck reply timed out.
> WARNING: m254.gc.cuny.edu: selfcheck reply timed out.
> WARNING: amanda: selfcheck reply timed out.
> Client check: 8 hosts checked in 100.158 seconds, 5 problems found
>
> (brought to you by Amanda 2.4.4p3)

--
Thank you! Kevin Till
Amanda documentation: http://wiki.zmanda.com
Amanda forums: http://forums.zmanda.com
Re: gzip trailing garbage
Greg Troxel wrote:

> I'm using 2.4.5p1 on NetBSD with Kerberos encryption and authentication. I tried to verify some tapes and found that 'gzip -t' failed on the restored files. On investigation, after adding some better diagnostics to gzip (NetBSD's own), I found that the problem was that the last 32K block was padded with zeros.
>
> Unflushed dumps in the holding directory have this problem for remote dumps (krb encrypted), but not local ones. On an older amanda install, not using krb4, I don't have this problem.
>
> Is anyone else seeing this?

Hi Greg,

Yes, I have seen it with the new data encryption in Amanda 2.5. gzip will ignore the trailing zero and give out an advisory about trailing garbage. While bzip2 does not ignore trailing zeros. I have yet to find out what part of Amanda code is responsible for the trailing zeros though.

--
Thank you! Kevin Till
Amanda documentation: http://wiki.zmanda.com
Amanda forums: http://forums.zmanda.com
Re: Still get ERROR [host fw.my.co.uk: port 62679 not secure] after I added my ipchain rule:
Paul Bijnens wrote: On 02/14/2006 04:56 PM, Chuck Amadi Systems Administrator wrote: I have just edited my firewall and added a ipchain rule but I still got an error as below: Amanda Backup Client Hosts Check ERROR: server.my.co.uk: [host fw.smtl.co.uk: port 62679 not secure] This seems to be a result of the NAT in ipchains: it changes the source port to someting over 6. Here is my take on the scenario: let's concentrate on the amdump part for the time being. 1) your Amanda Backup server is a package from SuSE, cannot be recompiled. So first you need to find out if --with-udpportrange is compiled in with the SuSE package. To find out, do: amadmin configname version |grep --with-udpportrange If --with-udpportrange is compiled in, you need to make sure the Amanda Backup server can use those ports to connect to the Amanda Backup client. >> ERROR: server.my.co.uk: [host fw.smtl.co.uk: port 62679 not secure] this indicates that the server is trying to connect to the client using udp port 62679. 2) there could be a NAT issue, but we need to resolve 1) first. --Kevin However, why is the name "fw.smtl.co.uk"? I did not know that ipchains used uses NAT for traffic to the firewall itself too? Make really really sure that the amandaserver does bind to a port from the udp-port range: In one window start as root: # tcpdump port 10080 In another window, to the "amcheck". And verify the that port on the amandaserver is one from 1001-1009. This could also happen when amcheck lost the suid root bit (but I believe that it would complain about that before you get that far). A possible workaround here is to recompile the software on the client to not fail on a "non secure" port. That notion of "secure port" (ports < 1024 require root priviledge to open), is in these days not a strong security check anyway, where anyone can install a workstation or boot from a live-CD and be root to open any port < 1024. 
I have setup my fw rules as below: # Amanda Client - Enterprise random udp forks to Nemesis Server ipchains -A input -i $EXTERNAL_INTERFACE -p udp -s 193.XX.XX.XXX 1001:1009 -j ACCEPT ipchains -A input -i $EXTERNAL_INTERFACE -p udp -s 193.XX.XX.XXX 10080:10083 -j ACCEPT Outgoing packets are allowed from behind our firewall and all forwaded to our main file server that is the same server for amanda backup tape server I do not remember anymore, but maybe there is a possibility to not do NAT for a certain portrange/host ? I re compiled amanda client as below: ./configure --with-user=amanda --with-group=disk --with-configdir=/etc/amanda --with-udpportrange=1001, 1009 --with-tcpportrange=11000, 11300 -- Thank you! Kevin Till Amanda documentation: http://wiki.zmanda.com Amanda forums:http://forums.zmanda.com
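The check Paul describes above, as an added example that is not part of the thread or of Amanda's code: a shell filter that pulls `port N not secure` errors out of amcheck output or an amandad debug file and reports whether the client saw the wrong sender, an unprivileged source port, or both. The function names and the hosts `tapehost.example` and `client2.example` are constructed for illustration; the first two sample lines are the ones quoted in this thread.

```shell
#!/bin/sh
# Added example, not Amanda code: triage "port N not secure" replies.
# amandad sends this error when a request's UDP source port is not a
# reserved port (< 1024). The bracketed host is the sender as the client saw it.

# Constructed sample: the first two lines are quoted in this thread, the
# third is made up, the fourth is an unrelated warning that must be skipped.
sample_lines() {
    cat <<'EOF'
ERROR: server.my.co.uk: [host fw.smtl.co.uk: port 62679 not secure]
ERROR [host fw.my.co.uk: port * not secure]
ERROR: client2.example: [host tapehost.example: port 40123 not secure]
WARNING: m248.gc.cuny.edu: selfcheck request timed out.  Host down?
EOF
}

# triage_not_secure EXPECTED_SERVER    (log text on stdin)
# Prints "<peer> <port> <peer-status> <port-status>" per matching line.
#   peer-mismatch  the client saw another address than the Amanda server:
#                  something on the path rewrote the source (NAT/masquerade)
#   unprivileged   source port >= 1024: rewritten in transit, or the sending
#                  program did not bind a reserved port (lost setuid root)
#   reserved       port < 1024: not expected with this error, re-check the line
#   unknown        the port was not recorded in the log line
triage_not_secure() {
    awk -v server="$1" '
    match($0, /host [^ :]+: port [0-9*]+ not secure/) {
        split(substr($0, RSTART, RLENGTH), f, " ")
        peer = f[2]; sub(/:$/, "", peer)
        port = f[4]
        peer_status = (peer == server) ? "peer-ok" : "peer-mismatch"
        if (port !~ /^[0-9]+$/)   port_status = "unknown"
        else if (port + 0 < 1024) port_status = "reserved"
        else                      port_status = "unprivileged"
        print peer, port, peer_status, port_status
    }'
}

# Run the triage over the constructed sample.
sample_lines | triage_not_secure tapehost.example
```

A `peer-mismatch` result points at the firewall's translation rules; `peer-ok unprivileged` points at the sending side, which is where the `tcpdump port 10080` check suggested above helps.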
Re: WARNING: server.my.co.uk: selfcheck request timed out. Host down? this is a private IP address.
chuck.amadi wrote:

> Cheers I did google this But I am using ipchains.

iptables replaces ipchains. ipchains is pretty much obsolete now, I would upgrade to iptables.

> Are there any examples for me to look at.

The basic idea should be the same.

*Assume all outgoing packets are accepted/allowed.*

For amdump to work, you need to open up:

backup client: 10080(udp), a small range of tcp ports for data transfer e.g. 11000:11030 (recompile amanda with --with-tcpportrange=11000,11030)

For amrecover to work, you need to open up:

backup server: 10082(udp), 10083(udp), a small range of tcp ports for data transfer e.g. 11000:11030 (recompile amanda with --with-tcpportrange=11000,11030)

--
Thank you! Kevin Till
Amanda documentation: http://wiki.zmanda.com
Amanda forums: http://forums.zmanda.com
Re: Release of amanda-2.5.0b2
Josef Wolf wrote: On Tue, Feb 07, 2006 at 08:58:30PM +0100, Josef Wolf wrote: Below, I tried to amfetchdump host.do.main:/m/b. Only full dumps were done of this DLE. This DLE is available seven times on the tapes: lv dumpdate chunks on tape a. 0 20060204 VOL08:7, VOL08:8, VOL08:9, VOL09:1, VOL09:1 b. 0 20060204 VOL10:1, VOL10:2, VOL10:3, VOL10:4, VOL10:5 c. 0 20060205 VOL10:10, VOL10:11, VOL01:1, VOL01:2, VOL01:3 d. 0 20060205 VOL02:7, VOL02:8, VOL02:9, VOL03:1, VOL03:2 e. 0 20060205 VOL04:1 f. 0 20060207 VOL04:7, write aborted due to full tape. g. 0 20060207 VOL05:1 Tapings a..d were done with tape_splitsize=500mb Tapings b, d and e were done by autoflush because of bug#1425436. All dumps are compressed. Below is a transcript attached. There are several problems I see here: 1. VOL05:1 (this is the newest non-broken available dump) is _not_ considered for retrieval at all. 2. Instead, amfetchdump _tries_ to get the (broken) VOL04:7. 3. But instead of VOL04:7 it gets the (older) VOL04:1. There seems to be no attempt to further search for VOL04:7 4. The order of tapes seems to be wired. I would have expected VOL05 VOL02 VOL03 VOL10 (how they were sceduled) or VOL05 VOL04 VOL10 (last available for every dumpdate) or VOL05 VOL10 VOL01 VOL08 VOL09 (first available for every dumpdate) or some such. 5. When trying to append the second chunk to the first one, amfetchdump fails with "Bad file descriptor". The resulting dump (uncompressed) is 527620009 bytes long. 6. Next problem is with amrecover, but it seems to be closely related with the "Bad file descriptor" problem. Unfortunately, I don't have a transcript for this problem, because the system crashed. Here's the description: When I tried to retrieve the above mentioned DLE mentioned in line c with amrecover, the system (Athlon 1800+, 500MB RAM, 2G swap, suse-10.0) freezed, but vterm switching and pinging from a different host worked. This reminds me of overcommitments caused by memory-hogs. 
After reboot, I noticed following file in the slot-directory of the vtape directory: -rw--- 1 amanda disk 527630347 Feb 7 07:52 info Notice that the length is almost the same as in 5. This file starts with following contents: position 0 AMANDA: FILE 20060205 raven.wolf.local /m/b lev 0 comp .gz program /bin/tar To restore, position tape at start of file and run: dd if= bs=32k skip=1 | /usr/bin/gzip -dc | /bin/tar -f... - Notice the first line "position 0" which seems to be the original contents of the info file. At position 32779 (that is, strlen("position 0\n")+32kb) starts a tar file which turns out to be the first chunk of the dump I tried to restore. This looks like amrecover writes the dump to the wrong file descriptor. The error message from amfetchdump looks as if amfetchdump has a similar problem. Here is the transcript: host:/ # amfetchdump ppc host.do.main /m/b 5 tape(s) needed for restoration changer: got exit: 0 str: 4 10 1 1 The following tapes are needed: VOL04 VOL02 VOL10 VOL01 VOL03 Press enter when ready Looking for tape VOL04... changer: got exit: 0 str: 4 10 1 1 changer_query: changer return was 10 1 1 changer_query: searchable = 1 changer_find: looking for VOL04 changer is searchable = 1 changer_search: VOL04 changer: got exit: 0 str: 4 file:/m/amchanger/ppc amfetchdump: slot 4: date 20060207 label VOL04 (exact label match) Scanning VOL04 (slot 4) amfetchdump: 1: restoring FILE: date 20060205 host host.do.main disk /m/b lev 0 comp .gz program /bin/tar amfetchdump: Search of VOL04 complete Looking for tape VOL02... 
changer: got exit: 0 str: 4 10 1 1 changer_query: changer return was 10 1 1 changer_query: searchable = 1 changer_find: looking for VOL02 changer is searchable = 1 changer_search: VOL02 changer: got exit: 0 str: 2 file:/m/amchanger/ppc amfetchdump: slot 2: date 20060206 label VOL02 (exact label match) Scanning VOL02 (slot 2) amfetchdump: 7: restoring split dumpfile: date 20060205 host host.do.main disk /m/b part 1/5 lev 0 comp .gz program /bin/tar amfetchdump: 8: restoring split dumpfile: date 20060205 host host.do.main disk /m/b part 2/5 lev 0 comp .gz program /bin/tar amfetchdump: appending to host.do.main._m_b.20060205.0.1 restore: write error: Bad file descriptor gzip: stdin: unexpected end of file host:/ # Hello! Are there no opinions about those problems? I think at least points 5. and 6. are serious problems. Opinions? Josef, can you make sure you have restore-src/restore.c revision 1.19 or above? One fix went it on r1.19 which resolved one file descriptor problem. -- Thank you! Kevin Till Amanda documentation: http://wiki.zmanda.com Amanda forums:http://forums.zmanda.com
Re: WARNING: server.my.co.uk: selfcheck request timed out. Host down? this is a private IP address.
Chuck Amadi Systems Administrator wrote:

> Hi List
>
> I had a look on the amanda client
>
> less /tmp/amanda
> less amandad.20060213153537.debug
>
> Here is the debug report:
>
> Amanda 2.4 REQ HANDLE 003-E0990808 SEQ 1139841004
> SECURITY USER amanda
> SERVICE noop
> OPTIONS features=feff9ffe0f;
>
> amandad: time 9.815: it is not an ack
> amandad: time 9.815: sending REP packet:
>
> Amanda 2.4 REP HANDLE 003-E0990808 SEQ 1139841004
> ERROR [host fw.my.co.uk: port * not secure]
>
> amandad: time 18.975: got packet:
>
> Amanda 2.4 REQ HANDLE 003-E0990808 SEQ 1139841004
> SECURITY USER amanda
> SERVICE noop
> OPTIONS features=feff9ffe0f;
>
> amandad: time 18.975: it is not an ack
> amandad: time 18.975: sending REP packet:
>
> Thus I assume I need to add rules for the Firewall server: Any examples or notes

Hi Chuck,

there is some info about iptables firewall setup at http://wiki.zmanda.com/index.php/Configuration_with_iptables

--
Thank you! Kevin Till
Amanda documentation: http://wiki.zmanda.com
Amanda forums: http://forums.zmanda.com
Re: First try at backing up other clients
Paul Bijnens wrote: The solution is correct, but the explanation is wrong. It is not the estimate that times out. The estimate works fine because it uses UDP instead of TCP (and with the partial replies used in recent versions, the connection does not time out). But the "error" channel over TCP when doing the backup itself can time out. Here is what I mailed to the original question: Paul, that's correct. It's the MESG or INDEX channel that could be timed out. [correction made to wiki.zmanda.com] --Kevin Glenn English wrote: On Sun, 2005-11-20 at 19:36 +0100, Paul Bijnens wrote: Turns out the problem was the iptables packet filter on the amanda client. iptables has a timeout for idle TCP connections that was breaking the connection to the server before the initial estimate of the backup size was done (because it took so long to go through the huge DLE). The solution is to decrease the time between keepalive packets: 'echo 90 > /proc/sys/net/ipv4/tcp_keepalive_time' I don't think this will help, because the estimates are exchanged using UDP traffic. The setting did it, but my understanding of why is wrong. As I said to Paul off list, I put the default value back and watched last night's backup. The three ~12GB estimates came in, and the timeouts happened during the data transfers (Connection reset by peer). I don't understand this. Now I do, see below. iptables times out and breaks a TCP connection on time, even if 100% of the bandwidth of that connection is being used?? I doubt it I set the timeout to 90 and reran a backup by hand. The data transfers are working. In other words, increasing iptables' TCP timeout seems to be necessary for amanda backups of huge DLEs, but I don't understand why. ... It says in the amanda dox ( http://www.amanda.org/docs/portusage.html ) AMANDA also uses TCP connections for transmitting the backup image, messages and (optionally) the index list from a client back to the dumper process on the tape server. 
A process called sendbackup is started by amandad on the client. It creates two (or three, if indexing is enabled) TCP sockets and sends their port numbers back to dumper in a UDP message. Then dumper creates and binds TCP sockets on its side and connects to the waiting sendbackup. This sounds a lot like FTP to me. Maybe it's the messages connection that's timing out. Aha, that makes more sense. Yes indeed, the data is transferred with one TCP connection, and the stderr output is transferred over another TCP connection (and if you do indexing, the table of contents is yet another TCP connection. And yes, if there are not many errors, there is no traffic, except the at the end, summarizing the number of bytes transferred and speed. That can time out yes indeed! And indeed, the above settings helps in this case. -- Thank you! Kevin Till Amanda documentation: http://wiki.zmanda.com Amanda forums:http://forums.zmanda.com
Re: First try at backing up other clients
Glenn English wrote:

> On Mon, 2006-02-06 at 10:19 -0800, Kevin Till wrote:
>> Gordon J. Mills III wrote:
>>> Thanks Stefan, I do have iptables running on the client since it is my firewall machine.
>
> There is another problem with amanda and iptables that made me crazy for quite a while. It doesn't sound like it's your problem, but just in case, here's a note I wrote to myself:
>
> If a DLE is large and the client is behind an iptables firewall, the estimate can time out. This is because iptables has a timeout (30 minutes) to kill inactive TCP connections, and the estimate takes longer than that. The kernel sends keepalive packets on TCP, but the default time (2 hours (7200 seconds)) is longer than the iptables timeout so iptables decides the connection has been abandoned and tears it down.
>
> To fix this by setting the kernel keepalive time to 15 minutes, log in as root on the client and:
>
> 'echo 900 >/proc/sys/net/ipv4/tcp_keepalive_time'
>
> see http://documents.made-it.com/iptables-timeout.html
>
> The client's keepalive timeout is reset to 2 hours every time it reboots.

Thanks Glenn! I have added the notes to http://wiki.zmanda.com/index.php/Configuration_with_iptables#Additional_Notes

--
Thank you! Kevin Till
Amanda documentation: http://wiki.zmanda.com
Amanda forums: http://forums.zmanda.com
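One way to check the condition in Glenn's note, as an added example that is not part of the thread: it compares the running keepalive time and the value that will come back at boot against the firewall's idle timeout. The function names, the 1800 second firewall timeout (Glenn's 30 minutes) and the use of a sysctl.conf-style file for persistence are assumptions of the example; the demo runs on constructed files rather than the live system.

```shell
#!/bin/sh
# Added example, not from the thread: do TCP keepalive probes start before a
# stateful firewall forgets an idle connection? Amanda's MESG and INDEX
# channels can stay silent for the whole dump while the data channel is busy.
# Note: the kernel only probes sockets that have SO_KEEPALIVE set.

# Running value in seconds. The proc root is overridable for testing.
running_keepalive() {
    cat "${1:-/proc}/sys/net/ipv4/tcp_keepalive_time"
}

# Value a sysctl.conf-style file will apply at boot, or nothing if unset.
# The last assignment wins; lines starting with "#" or ";" are comments.
persisted_keepalive() {
    [ -r "$1" ] || return 0
    awk -F= '
        /^[ \t]*[#;]/ { next }
        { key = $1; gsub(/[ \t]/, "", key) }
        key == "net.ipv4.tcp_keepalive_time" {
            val = $2; gsub(/[ \t]/, "", val); found = val
        }
        END { if (found != "") print found }' "$1"
}

# keepalive_verdict RUNNING PERSISTED FW_IDLE   (all in seconds)
#   too-long         first probe comes after the firewall has dropped the state
#   ok-until-reboot  running value is fine, the boot-time value is not
#   ok               both are below the firewall idle timeout
keepalive_verdict() {
    running=$1
    boot=${2:-7200}      # nothing persisted: the 7200 s default returns at boot
    fw_idle=$3
    if [ "$running" -ge "$fw_idle" ]; then
        echo too-long
    elif [ "$boot" -ge "$fw_idle" ]; then
        echo ok-until-reboot
    else
        echo ok
    fi
}

# Demo on constructed files: keepalive already lowered to 900 s by hand,
# nothing written to the persistent configuration yet.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/proc/sys/net/ipv4"
echo 900 > "$demo_root/proc/sys/net/ipv4/tcp_keepalive_time"
: > "$demo_root/sysctl.conf"
keepalive_verdict "$(running_keepalive "$demo_root/proc")" \
    "$(persisted_keepalive "$demo_root/sysctl.conf")" 1800   # ok-until-reboot
rm -rf "$demo_root"
```

On a live client, call `running_keepalive` with no argument and point `persisted_keepalive` at the file your distribution loads at boot.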
Re: First try at backing up other clients
Gordon J. Mills III wrote: Thanks Stefan, I do have iptables running on the client since it is my firewall machine. It is currently set to allow all connections from the internal network to the fw though. There is always a chance that I have mangled something there though :-). I will check out the article you cited below. Monitoring the fw logs I see connections from the backup server to the fw on 10080 being accepted. However on the fw machine in the amanda sendbackup logs I see: sendbackup: try_socksize: send buffer size is 65536 sendbackup: time 0.001: stream_server: waiting for connection: 0.0.0.0.50084 sendbackup: time 0.001: stream_server: waiting for connection: 0.0.0.0.50085 sendbackup: time 0.001: stream_server: waiting for connection: 0.0.0.0.50086 sendbackup: time 0.006: waiting for connect on 50084, then 50085, then 50086 sendbackup: time 30.001: stream_accept: timeout after 30 seconds sendbackup: time 30.001: timeout on data port 50084 sendbackup: time 59.997: stream_accept: timeout after 30 seconds sendbackup: time 59.997: timeout on mesg port 50085 sendbackup: time 89.992: stream_accept: timeout after 30 seconds sendbackup: time 89.992: timeout on index port 50086 sendbackup: time 89.992: pid 16879 finish time Sat Feb 4 18:09:20 2006 Any suggestions? Gordon, the Amanda Client is wating on port 50084, 50085 and 50086. The Amanda server will be using ports in the TCPPORTRANGE to communicate with the Amanda Client. To see if your Amanda is configured with TCPPORTRANGE, do the following: amadmin config version |grep with-tcpportrange --Kevin Thanks, Gordon -Original Message- From: Stefan G. Weichinger [mailto:[EMAIL PROTECTED] Sent: Saturday, February 04, 2006 2:28 PM To: [EMAIL PROTECTED] Subject: Re: First try at backing up other clients Gordon J. Mills III wrote: I am having a problem backing up another host with my amanda server. This is my first try at backing up another linux machine. These are both debian machines. 
The tape server can backup itself just fine. I installed amanda-common and amanda-client on the client machine. I setup the amandahosts file. On the tape server I added the client to the disklist, etc. If I run amcheck it gives no errors and says all clients are fine. But when I run the backup (amdump) I get an error for the remote client. Here are the lines out of amdump.1: dumper: stream_client: connect to 10.10.10.3.50037 failed: Connection refused driver: result time 69.587 from dumper0: TRY-AGAIN 00-1 could not connect to data port: Connection refused After that it tries again with the same result. Can someone please point me in the right direction. I know its probably something stupid but I cannot figure it out. Using vtapes, 2.4.5p1 Any firewall active on server and/or client? These issues are very often related to AMANDA's usage of high ports. I don't know how the maintainer of the Debian-AMANDA-pkgs has configured the software, but there are configure-options to choose the port-range AMANDA uses. Maybe read http://wiki.zmanda.com/index.php/Configuration_with_iptables for a start and look for any active firewalling rules. Stefan. -- Thank you! Kevin Till Amanda documentation: http://wiki.zmanda.com Amanda forums:http://forums.zmanda.com
Re: Release of amanda-2.5.0b2
Josef Wolf wrote: On Thu, Feb 02, 2006 at 12:24:24AM +0100, Paul Bijnens wrote: Yes a documentation error. tape_splitsize is a dumptype option. Already fixed. Thanks! BTW: I noticed some wired formatting in the documentation. But I don't know whether this problem is related to my tools here which are used to build the docu. For example amanda(8) says: //some-pc/home normalpw //another-pc/disk otheruser%otherpw.fi With clear text passwords, this file should obviously be tightly p rotected. It only needs to be readable by the Amanda-user on the Samba server. (line much too long here) Hi Josef, the Amanda manpages is built out of xml source so sometimes the conversion to man format doesn't come out the way we want it. I fixed the above, however, I have noticed the table at the end of amanda.8 is not formatted correctly and I am looking for a fix. Basically, xsltproc doesn't convert to man format properly. Thanks! --Kevin or from amcheck(8): WARNING: skipping tape test because amdump or amflush seem to be run- ning, WARNING: if they are not, you must run amcleanup (warning) It looked to amcheck like either amdump or amflush [ ... ] WARNING: compress is not executable, server-compression and indexing will not work (warning) Compression program compress is not executable, so [ ... ] (second line from paragraph needs more indentation) -- Thank you! Kevin Till Amanda documentation: http://wiki.zmanda.com Amanda forums:http://forums.zmanda.com
Re: amrestore: could not stat disklist:/var2/amandadumps/tape02
did the amdump run successfully? 1) go to backup-dir/data 2) look for the file 1.myhost.mynetwork.com._etc_amanda.0 3) what does the header of the above file say? it should be something similar to AMANDA: FILE 20060105 myhost.mynetwork.com /etc/amanda/ lev 0 comp .gz program /bin/amgtar To restore, position tape at start of file and run: dd if= bs=32k skip=1 | /usr/local/sbin/amgtar -f ... - ^L Ong Loeng Seng wrote: Hi Kevin, I did run multiple daily dumps in a day but it was okay before I changed amgtar permission etc. I'll run once a day and see if there is any changes after 5 days of full dumps. Following is the latest amtrmidx: /tmp/amanda/amtrmidx.20060109170452.debug amtrmidx: debug 1 pid 8319 ruid 33 euid 33: start at Mon Jan 9 17:04:52 2006 /usr/local/libexec/amtrmidx: version 2.4.5p1 myhost.mynetwork.com /etc/amanda myhost.mynetwork.com /home/SCOUTNET/loeng.ong/Desktop amtrmidx: pid 8319 finish time Mon Jan 9 17:04:53 2006 You have new mail in /var/spool/mail/root /var/log/amanda/amindexd file: amindexd.20060108094717.debug amindexd: debug 1 pid 3825 ruid 33 euid 33: start at Sun Jan 8 09:47:17 2006 amindexd: version 2.4.5 amindexd: time 0.000: < 220 myhost AMANDA index server (2.4.5) ready. amindexd: time 0.001: > SECURITY USER root amindexd: time 0.001: bsd security: remote host myhost.mynetwork.com user root local user amanda amindexd: time 0.001: amandahosts security check passed amindexd: time 0.001: < 200 Access OK amindexd: time 0.041: > FEATURES feff9ffe7f amindexd: time 0.041: < 200 FEATURES feff9ffe7f amindexd: time 0.081: > DATE 2006-01-08 amindexd: time 0.081: < 200 Working date set to 2006-01-08. amindexd: time 0.121: > SCNF DailySet1 amindexd: time 0.123: < 200 Config set to DailySet1. amindexd: time 0.162: > HOST myhost.mynetwork.com amindexd: time 0.162: < 200 Dump host set to myhost.mynetwork.com. amindexd: time 0.203: > DISK / amindexd: time 0.203: < 501 Disk myhost.mynetwork.com:/ is not in your disklist. 
amindexd: time 0.243: > DISK rootfs amindexd: time 0.243: < 501 Disk myhost.mynetwork.com:rootfs is not in your disklist. amindexd: time 57.763: > HOST myhost.mynetwork.com amindexd: time 57.763: < 200 Dump host set to myhost.mynetwork.com. amindexd: time 65.261: > DISK /etc/amanda amindexd: time 65.261: < 200 Disk set to /etc/amanda. amindexd: time 65.301: > OISD / amindexd: time 65.301: < 500 No dumps available on or before date "2006-01-08" amindexd: time 1814.577: > QUIT amindexd: time 1814.578: < 200 Good bye. amindexd: time 1814.578: pid 3825 finish time Sun Jan 8 10:17:31 2006 I am confused now. my disklist is recognised in amtrmidx file but not in amindexd file ?? -- Loeng On Mon, 2006-01-09 at 09:57 -0800, Kevin Till wrote: Ong Loeng Seng wrote: Hi Kevin, Hi Ong Loeng, I have done quite a bit of amrecover testing on 2.4.5 and I know it works very well. In /tmp/amanda directory, find the latest amindexd*.debug see if there is any error after the line amindexd: uncompress command: /usr/bin/gzip -dc .. --Kevin It does say that it can contact the index server. This is the output when I run "amrecover -C DailySet1" AMRECOVER Version 2.4.5p1. Contacting server on myhost.mynetwork.com ... 220 myhost AMANDA index server (2.4.5) ready. 200 Access OK Setting restore date to today (2006-01-08) 200 Working date set to 2006-01-08. Warning: no log files found for tape DailySet104 written 2006-01-02 Warning: no log files found for tape DailySet103 written 2006-01-02 Warning: no log files found for tape DailySet102 written 2006-01-02 Warning: no log files found for tape DailySet101 written 2006-01-02 Warning: no log files found for tape DailySet105 written 2006-01-02 Scanning /var/tmp... 200 Config set to DailySet1. 200 Dump host set to myhost.mynetwork.com. Trying disk / ... Trying disk rootfs ... Can't determine disk and mount point from $CWD '/root' amrecover> sethost myhost.mynetwork.com 200 Dump host set to myhost.mynetwork.com. 
amrecover> setdisk /etc/amanda 200 Disk set to /etc/amanda. No index records for disk for specified date If date correct, notify system administrator What do you think? On Fri, 2006-01-06 at 15:34 -0800, Kevin Till wrote: did amrecover connect to the right index server? Do you see something similar to the following? AMRECOVER Version 2.4.5p1. Contacting server on ... ... 220 boston AMANDA index server (2.4.5p1) ready. 200 Access OK Ong Loeng Seng wrote: Hi Paul, I understand now. Thanks. However, I 've got another problem : when I run amrecover -C "DailySet1" ... Setting restore date to today (2006-01-05) 200 Working date set to 2006-01-05. Scanning /var/tmp... 200 Config set to DailySet1. 200 Dump host set to myhost.mynetwork.com. Trying disk / ... Trying disk rootfs ... Can't determine disk and mount point from $CWD '/usr/lo
Re: amrestore: could not stat disklist:/var2/amandadumps/tape02
Ong Loeng Seng wrote: Hi Kevin, Hi Ong Loeng, I have done quite a bit of amrecover testing on 2.4.5 and I know it works very well. In /tmp/amanda directory, find the latest amindexd*.debug see if there is any error after the line amindexd: uncompress command: /usr/bin/gzip -dc .. --Kevin It does say that it can contact the index server. This is the output when I run "amrecover -C DailySet1" AMRECOVER Version 2.4.5p1. Contacting server on myhost.mynetwork.com ... 220 myhost AMANDA index server (2.4.5) ready. 200 Access OK Setting restore date to today (2006-01-08) 200 Working date set to 2006-01-08. Warning: no log files found for tape DailySet104 written 2006-01-02 Warning: no log files found for tape DailySet103 written 2006-01-02 Warning: no log files found for tape DailySet102 written 2006-01-02 Warning: no log files found for tape DailySet101 written 2006-01-02 Warning: no log files found for tape DailySet105 written 2006-01-02 Scanning /var/tmp... 200 Config set to DailySet1. 200 Dump host set to myhost.mynetwork.com. Trying disk / ... Trying disk rootfs ... Can't determine disk and mount point from $CWD '/root' amrecover> sethost myhost.mynetwork.com 200 Dump host set to myhost.mynetwork.com. amrecover> setdisk /etc/amanda 200 Disk set to /etc/amanda. No index records for disk for specified date If date correct, notify system administrator What do you think? On Fri, 2006-01-06 at 15:34 -0800, Kevin Till wrote: did amrecover connect to the right index server? Do you see something similar to the following? AMRECOVER Version 2.4.5p1. Contacting server on ... ... 220 boston AMANDA index server (2.4.5p1) ready. 200 Access OK Ong Loeng Seng wrote: Hi Paul, I understand now. Thanks. However, I 've got another problem : when I run amrecover -C "DailySet1" ... Setting restore date to today (2006-01-05) 200 Working date set to 2006-01-05. Scanning /var/tmp... 200 Config set to DailySet1. 200 Dump host set to myhost.mynetwork.com. Trying disk / ... 
Trying disk rootfs ... Can't determine disk and mount point from $CWD '/usr/local/amanda-2.4.5p1' amrecover> setdisk /etc/amanda 200 Disk set to /etc/amanda. No index records for disk for specified date If date correct, notify system administrator My amanda configuration, includes this ... ... indexdir "/var/lib/amanda/DailySet1/index" # index directory define dumptype hard-disk-tar { comment "Back up to hard disk instead of tape - using tar" holdingdisk no index yes priority high program "GNUTAR" strategy noinc } and my disklist file content: myhost.mynetwork.com /etc/amanda hard-disk-tar ... This is the content of /var/lib/amanda/DailySet1/index/myhost.mynetwok.com/_etc_amanda -rw--- 1 amanda disk 115 Jan 5 16:50 20060105_0.gz It was okay before I do chmod 755 to amaespipe and amgtar files Following are the files: -rwxr-xr-x 1 root root 2244 Jan 5 12:06 amaespipe -rwxr-xr-x 1 root root554 Jan 5 12:04 amgtar I thought it was a script, so I need to do chmod, am I right? Because amanda was complaining about GNUTAR program, which should execute amgtar instead of tar. Since then, it got index problem. I don't understand why? Then I thought I might need to reconfigure and recompile amanda, which I did, but the problem still persists. Did I miss something? On Tue, 2006-01-03 at 12:53 +0100, Paul Bijnens wrote: Ong Loeng Seng wrote: amrecover> settape myhost.mynetwork.com:amanda.conf:/var2/amandadumps/tape02 Using tape "amanda.conf:/var2/amandadumps/tape02" from server myhost.mynetwork.com. What is this??? Is that the name of your tape device??? When you are using the "FILE" driver, the name is: myhost.mynetwork.com:file:/var2/amandadumps/tape02 (where "tape02" is the parent of the "data" subdirectory) [...] Continue [?/Y/n/s/t]? Y EOF, check amidxtaped..debug file on myhost.mynetwork.com amrecover: short block 0 bytes UNKNOWN file amrecover: Can't read file header Indeed, that's exactly what is to be expected. [...] 
amidxtaped: time 0.000: > DEVICE=disklist:/var2/amandadumps/tape02 THis time, you tried something else! This file is not from the same run as the script above. But it is wrong just as well. The backup file is definitely in /var2/amandadumps/tape02 directory. I don't understand why amrestore says no such file or directory? If /var2/amandadumps/tape02 has a subdirectory named "data" which contains the backup file, then the syntax is: settape myhost.mynetwork.com:file:/var2/amandadumps/tape02 The word "file" in the middle is not a placeholder, but is needed litterally. If you are using the chg-disk changer, then it is best to add these lines to amanda.conf: amrecover_changer "changer" amrecover_do_fsf true amrecover_check_labe
Re: amrestore: could not stat disklist:/var2/amandadumps/tape02
did amrecover connect to the right index server? Do you see something similar to the following? AMRECOVER Version 2.4.5p1. Contacting server on ... ... 220 boston AMANDA index server (2.4.5p1) ready. 200 Access OK Ong Loeng Seng wrote: Hi Paul, I understand now. Thanks. However, I 've got another problem : when I run amrecover -C "DailySet1" ... Setting restore date to today (2006-01-05) 200 Working date set to 2006-01-05. Scanning /var/tmp... 200 Config set to DailySet1. 200 Dump host set to myhost.mynetwork.com. Trying disk / ... Trying disk rootfs ... Can't determine disk and mount point from $CWD '/usr/local/amanda-2.4.5p1' amrecover> setdisk /etc/amanda 200 Disk set to /etc/amanda. No index records for disk for specified date If date correct, notify system administrator My amanda configuration, includes this ... ... indexdir "/var/lib/amanda/DailySet1/index" # index directory define dumptype hard-disk-tar { comment "Back up to hard disk instead of tape - using tar" holdingdisk no index yes priority high program "GNUTAR" strategy noinc } and my disklist file content: myhost.mynetwork.com /etc/amanda hard-disk-tar ... This is the content of /var/lib/amanda/DailySet1/index/myhost.mynetwok.com/_etc_amanda -rw--- 1 amanda disk 115 Jan 5 16:50 20060105_0.gz It was okay before I do chmod 755 to amaespipe and amgtar files Following are the files: -rwxr-xr-x 1 root root 2244 Jan 5 12:06 amaespipe -rwxr-xr-x 1 root root554 Jan 5 12:04 amgtar I thought it was a script, so I need to do chmod, am I right? Because amanda was complaining about GNUTAR program, which should execute amgtar instead of tar. Since then, it got index problem. I don't understand why? Then I thought I might need to reconfigure and recompile amanda, which I did, but the problem still persists. Did I miss something? 
On Tue, 2006-01-03 at 12:53 +0100, Paul Bijnens wrote:

Ong Loeng Seng wrote:

amrecover> settape myhost.mynetwork.com:amanda.conf:/var2/amandadumps/tape02
Using tape "amanda.conf:/var2/amandadumps/tape02" from server myhost.mynetwork.com.

What is this??? Is that the name of your tape device??? When you are using the "FILE" driver, the name is:

myhost.mynetwork.com:file:/var2/amandadumps/tape02

(where "tape02" is the parent of the "data" subdirectory)

[...]

Continue [?/Y/n/s/t]? Y
EOF, check amidxtaped..debug file on myhost.mynetwork.com
amrecover: short block 0 bytes
UNKNOWN file
amrecover: Can't read file header

Indeed, that's exactly what is to be expected.

[...]

amidxtaped: time 0.000: > DEVICE=disklist:/var2/amandadumps/tape02

This time, you tried something else! This file is not from the same run as the script above. But it is wrong just as well.

The backup file is definitely in /var2/amandadumps/tape02 directory. I don't understand why amrestore says no such file or directory?

If /var2/amandadumps/tape02 has a subdirectory named "data" which contains the backup file, then the syntax is:

settape myhost.mynetwork.com:file:/var2/amandadumps/tape02

The word "file" in the middle is not a placeholder, but is needed literally. If you are using the chg-disk changer, then it is best to add these lines to amanda.conf:

amrecover_changer "changer"
amrecover_do_fsf true
amrecover_check_label true

and then you can just do from within amrecover:

settape changer

See: http://wiki.zmanda.com/index.php/File_driver

--
Thank you!
Kevin Till
Amanda documentation: http://wiki.zmanda.com
Amanda forums: http://forums.zmanda.com
Re: /etc/dumpdates
One data point, I enabled SELinux's targeted policy:

[EMAIL PROTECTED] ~]$ sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive
Mode from config file: permissive
Policy version: 18
Policy from config file: targeted
Policy booleans:
allow_ypbind inactive
dhcpd_disable_trans inactive
httpd_disable_trans inactive
httpd_enable_cgi active
httpd_enable_homedirs active
httpd_ssi_exec active
httpd_tty_comm inactive
httpd_unified active
mysqld_disable_trans inactive
named_disable_trans inactive
named_write_master_zones inactive
nscd_disable_trans inactive
ntpd_disable_trans inactive
portmap_disable_trans inactive
postgresql_disable_trans inactive
snmpd_disable_trans inactive
squid_disable_trans inactive
syslogd_disable_trans inactive
winbind_disable_trans inactive
ypbind_disable_trans inactive

amanda (2.5.0b1) backup and recover work fine. Does anyone else have successful or failure cases on amanda running on selinux to report?

Thanks!
--Kevin

Kevin Till wrote:

Paul Seniuk wrote:

Matt, Well you were right and that worked. Annoying story to it ... colleague decided to upgrade the box to FC4 and not tell me. The upgrade turned SELinux on by default.

Hi Paul, so what was the real problem? FC4 installation changed the owner on /etc/dumpdates? My understanding is that FC4 only enforces targeted policy which only protects a few daemons and amanda is not one of them. So amanda should work fine even when selinux (default targeted policy) is enabled.

Thanks!
--Kevin

Paul Seniuk
Hosting Division, Thinktel Communications

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Hyclak
Sent: Monday, December 19, 2005 4:06 PM
To: amanda-users@amanda.org
Subject: Re: /etc/dumpdates

On Mon, Dec 19, 2005 at 05:45:45PM -0500, Paul Seniuk enlightened us:

Perms on /etc/dumpdates is:

-rw-rw-r-- 1 root disk 172 Dec 16 02:37 dumpdates

Would anything be logged about failing to create /etc/dumpdates (get that long pole out, I used the RPM version for CentOS) ? For 'fun', I tried putting the perms to 777 ..still same error

Any feedback on this would be appreciated :)

Do you by chance have SELinux enabled on this machine and not on the others?

Matt

--
Matt Hyclak
Department of Mathematics
Department of Social Work
Ohio University
(740) 593-1263

--
Thank you!
Kevin Till
Amanda documentation: http://wiki.zmanda.com
Amanda forums: http://forums.zmanda.com
Re: /etc/dumpdates
Paul Seniuk wrote:

Matt, Well you were right and that worked. Annoying story to it ... colleague decided to upgrade the box to FC4 and not tell me. The upgrade turned SELinux on by default.

Hi Paul, so what was the real problem? FC4 installation changed the owner on /etc/dumpdates? My understanding is that FC4 only enforces targeted policy which only protects a few daemons and amanda is not one of them. So amanda should work fine even when selinux (default targeted policy) is enabled.

Thanks!
--Kevin

Paul Seniuk
Hosting Division, Thinktel Communications

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Hyclak
Sent: Monday, December 19, 2005 4:06 PM
To: amanda-users@amanda.org
Subject: Re: /etc/dumpdates

On Mon, Dec 19, 2005 at 05:45:45PM -0500, Paul Seniuk enlightened us:

Perms on /etc/dumpdates is:

-rw-rw-r-- 1 root disk 172 Dec 16 02:37 dumpdates

Would anything be logged about failing to create /etc/dumpdates (get that long pole out, I used the RPM version for CentOS) ? For 'fun', I tried putting the perms to 777 ..still same error

Any feedback on this would be appreciated :)

Do you by chance have SELinux enabled on this machine and not on the others?

Matt

--
Matt Hyclak
Department of Mathematics
Department of Social Work
Ohio University
(740) 593-1263

--
Thank you!
Kevin Till
Amanda documentation: http://wiki.zmanda.com
Amanda forums: http://forums.zmanda.com
Re: beep! (encryption, multiplexing...)
Paddy Sreenivasan wrote:

On 12/29/05, Paul Bijnens <[EMAIL PROTECTED]> wrote:

Just because it's almost newyear, and I have seen The Light... (or was that just an illusion?)

Some thoughts about the new proposed features, concerning:

- multiplexing the data streams, error stream, index stream, over one TCP connection (this would make passing firewalls and NAT so much easier and safer)

Yes. Multiplexing the data streams/error stream/index stream over one connection is a good idea. Kevin Till has done some investigation in this area. I hope he will comment on this.

Hi Paul, yes, multiplexing is a good idea. It not only makes amanda-firewall setup easier but also improves transport security with the stream based tcp protocol. I plan to first cleanup the port assignment issue. Currently, amanda will use *any* open port if port in the TCPPORTRANGE, UDPPORTRANGE is not available. I will look into the TCP multiplexing next.

- encrypting the data stream between client and server (just being discussed in a separate thread on -users, hence CC there too)

Doesn't SSH support in 2.5.0 address this issue?

- stronger/alternative authentication (is that server really The One? Currently needing kerberos I believe, which most people do not even have!)

See above.

I agree with Paddy that ssh provides transport encryption and authentication. The only caveat is that the amanda binary needs to be installed at the same location in the server as well as in the client since server is running:

/path/ssh -l client.zmanda.com $libexecdir/amandad

to start the backup process.

Thanks!
--Kevin

What would people find of implementing BXXP as alternative for the new generation Amanda server/client protocols?

2.5.0b1 has client/server communication abstracted out as an API called secure API (http://wiki.zmanda.com/index.php/Secure_API). We should look at enhancing this API instead of creating new API.

Paddy

See: http://beepcore.org/

Disclaimer:

- I have just played around a little with the Net::BEEP::Lite perl module, which does not even do the multiplexing, but the C-implementation seems to be more complete (still labelled beta though and no activity noted in the last 2 years).

- AFAIK there are not yet many REAL applications using the protocol. Many other interesting projects seem dead too. The C-library that is alive is: http://vortex.aspl.es/ but even that one is far from finished.

Even if it isn't good enough, we can find ideas there too :-)

--
Thank you!
Kevin Till
Amanda documentation: http://wiki.zmanda.com
Amanda forums: http://forums.zmanda.com
Re: new feature: client-side, server-side encryption dumptype option
Brian Cuttler wrote:

The amanda disklist allows optional encryption, selected per DLE ?

Hi Brian, the new encrypt option is added to dumptype. So yes, you can specify encryption on some DLE but not others. You can also choose to encrypt on the client *or* server side.

Can you say, never encrypt the file system(s), root, etc, with the requisite binaries, key ring, etc and encrypt everything else ?

yes.

Another point I want to add is that while public-key encryption allows you to encrypt the data with just the public-key and store away the private-key, it does require more computational resources and is thus much slower than symmetric encryption.

And we should pay more attention to ssh as the transport encryption solution due to its simplicity to use and setup. OpenSSH version 4.3 is rumored to have native tunneling support too: http://www.securityfocus.com/columnists/375

--
Thank you!
Kevin Till
Amanda documentation: http://wiki.zmanda.com
Amanda forums: http://forums.zmanda.com
Re: new feature: client-side, server-side encryption dumptype option
Greg Troxel wrote: In 2.4, there is a "kencrypt" option that uses Kerberos to negotiate a session key and encrypts the dumps from the client to the server. They are then in the clear on the holding disk and tape. This protects against eavesdroppers on the wire, but not someone who can get the tapes. At the same time, it doesn't threaten the availability of backups at all, since there is no long-term key management problem. It would be nice to use the word 'encrypt' and variations like kencrypt to mean only transport-level encryption, and use some other word for applying encryption to dumps at a client that is expected to end up on the tape. While using similar mechanisms, these are very different concepts with very different consequences. Hi Greg, good point. Would "data_encryption" be more appropriate? Or do you have any suggestion? -- Thank you! Kevin Till Amanda documentation: http://wiki.zmanda.com Amanda forums:http://forums.zmanda.com
Re: new feature: client-side, server-side encryption dumptype option
Jon LaBadie wrote:

On Sun, Dec 11, 2005 at 11:07:09AM -0800, Kevin Till wrote:

Yes, the reference encrypt script program provided is based on symmetric encryption. I'm working on the asymmetric (public/private) encryption solution. The infrastructure will support asymmetric encryption just fine. Since amanda adds header information to the dump image, mdc (modification detection code) cannot be supported at this point. Other than that, it's working:

As amanda does not modify the actual dump image, could "mdc" be applied to just the dump image itself ignoring the 32K header?

Hi Jon, I have to think about it but it could be that the binary file was manipulated somehow during dump and restore.

BTW, I just found a solution to the problem. It's to create ASCII encrypted output when encrypting. So the dump file is encrypted in ASCII. It passed the mdc tests during amrestore, the only side-effect is the dump file size is increased by 35% (vs the normal, binary encryption).

So users have a choice here. If message authentication is needed, encrypt it in ASCII. Otherwise, --disable-mdc to save some disk space.

--
Thank you!
Kevin Till
Amanda documentation: http://wiki.zmanda.com
Amanda forums: http://forums.zmanda.com
Re: new feature: client-side, server-side encryption dumptype option
Josef Wolf wrote:

On Sat, Dec 10, 2005 at 09:12:49AM -0800, Kevin Till wrote:

Great! Thanks for your effort to bring encryption into amanda's core. I have not taken a close look on it yet. From the description, I have the impression that this solution is based on symmetric encryption.

Yes, the reference encrypt script program provided is based on symmetric encryption. I'm working on the asymmetric (public/private) encryption solution. The infrastructure will support asymmetric encryption just fine. Since amanda adds header information to the dump image, mdc (modification detection code) cannot be supported at this point. Other than that, it's working:

$amdump header information:

more 1.boston.zmanda.com._usr_tmp_bacula_bacula.0
AMANDA: FILE 20051211 boston.zmanda.com /usr/tmp/bacula/bacula lev 0 comp N crypt enc program /bin/gtar client_encrypt /usr/local/bin/bin/amgcrypt client_decrypt_option -d
To restore, position tape at start of file and run:
dd if= bs=32k skip=1 | /usr/local/bin/bin/amgcrypt -d | /bin/gtar -f... -
^L

$amrestore-f 0 file:/backups/amanda/
amrestore: 1: restoring boston.zmanda.com._usr_tmp_bacula_bacula.20051211.0
You need a passphrase to unlock the secret key for
user: "amanda <[EMAIL PROTECTED]>"
1024-bit RSA key, ID CF522ABC, created 2005-12-11
gpg: encrypted with 1024-bit RSA key, ID CF522ABC, created 2005-12-11
"amanda <[EMAIL PROTECTED]>"
gpg: ring trust w/o key
gpg: WARNING: message was not integrity protected
amrestore: 2: reached end of tape: date DATE

--
Thank you!
Kevin Till
Amanda documentation: http://wiki.zmanda.com
Amanda forums: http://forums.zmanda.com
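The header shown in the message above can be read back before a restore to find out whether a dump is encrypted and which decrypt stage the pipeline needs. This is an added example, not Amanda code and not part of the original post: it parses only the first header line as it appears in the message, the `server_*` key names are an assumption by analogy with the `client_*` keys shown, and the sample dump is constructed.

```python
import io

HEADER_SIZE = 32 * 1024  # the block that "dd bs=32k skip=1" skips in the restore hint

# Constructed sample: header line copied from the message above, padded to one
# 32 KiB block and followed by placeholder payload bytes.
SAMPLE_LINE = (
    b"AMANDA: FILE 20051211 boston.zmanda.com /usr/tmp/bacula/bacula "
    b"lev 0 comp N crypt enc program /bin/gtar "
    b"client_encrypt /usr/local/bin/bin/amgcrypt client_decrypt_option -d\n"
)
SAMPLE_DUMP = SAMPLE_LINE.ljust(HEADER_SIZE, b"\0") + b"<ciphertext placeholder>"


def parse_header(stream):
    """Read one header block and return its fields as a dict of strings."""
    block = stream.read(HEADER_SIZE)
    if len(block) < HEADER_SIZE:
        # Same condition amrecover reports as "short block ... Can't read file header".
        raise ValueError("short header block: %d bytes" % len(block))
    line = block.split(b"\n", 1)[0].decode("ascii", "replace")
    words = line.split()
    if words[:2] != ["AMANDA:", "FILE"] or len(words) < 5:
        raise ValueError("not an Amanda FILE header")
    info = {"date": words[2], "host": words[3], "disk": words[4]}
    rest = words[5:]
    if len(rest) % 2:
        raise ValueError("unpaired key in header: %r" % rest[-1])
    # Remaining words are "key value" pairs (lev 0, comp N, crypt enc, ...),
    # so the order in which Amanda writes them does not matter here.
    info.update(zip(rest[0::2], rest[1::2]))
    return info


def decrypt_stage(info):
    """Return the command to place before the archiver, or None if not encrypted."""
    if info.get("crypt") != "enc":
        return None
    for side in ("client", "server"):  # "server_*" names are assumed, see lead-in
        prog = info.get(side + "_encrypt")
        if prog:
            option = info.get(side + "_decrypt_option", "")
            return (prog + " " + option).strip()
    raise ValueError("header says crypt enc but records no encrypt program")


if __name__ == "__main__":
    fields = parse_header(io.BytesIO(SAMPLE_DUMP))
    print(fields["host"], fields["disk"], "level", fields["lev"])
    print("decrypt with:", decrypt_stage(fields))
```

Run over every file in a vtape "data" directory, a `None` from `decrypt_stage` marks a dump that is stored in the clear.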
new feature: client-side, server-side encryption dumptype option
Hi,

I have added a dumptype option, "encrypt". Code has been committed to the sourceforge, rpm will be available next week on www.zmanda.com. I have updated the encryption section on:
http://wiki.zmanda.com/index.php/Backup_server#Server-side_and_Client-side_encryption

At the same time, I have also incorporated Matthieu Lochegnies's custom compress patch. Now you can specify your own compression program. Information is added to
http://wiki.zmanda.com/index.php/Backup_server#Custom_Compression

AMANDA.CONF(5) man page is also updated with the information.

I have tested it on different configurations, performing amdump, amrestore and amrecover:
a) client-compress, server-encrypt
b) client-compress, client-encrypt
c) server-compress, server-encrypt

Please use it and send us your feedback to http://forums.zmanda.com/showthread.php?t=8

Thanks!

--
Kevin Till
Amanda Developer
Amanda documentation: http://wiki.zmanda.com
Amanda forums: http://forums.zmanda.com
Re: Which ports to open in which direction...
David Leangen wrote:

does your current setup work for you? I guess it should work most of the time. In your case, it'll fail when it couldn't find an open port in tcp 5:50100 or in udp 700:710.

Actually, I haven't yet had time to see this through all the way. I was hoping that the docs would be clear about which ports I need to open (and only which ports), but I find I'm a bit confused... I was hoping for some clarification, and I thought the wiki page would be the best instrument to do this so that others may profit. In any case, I have no problems with my local connections, but I need to figure out which ports to open for my remote connections. This is as far as my understanding goes. Think you could clarify the rest of the process for me?

IP Traffic

Waiting state:
RHost listens on 10080/udp
FWHost listens on 10080/udp
LHost listens on 10080/udp
TSHost listens on 10080/udp

amdump process begins:
TSHost sends request to RHost on port 10080/udp (via FWHost)
TSHost sends request to FWHost on port 10080/udp
TSHost sends request to LHost on port 10080/udp
TSHost sends request to localhost on port 10080/udp

amandad process begins on each client:
xHost accepts request on 10080/udp
xHost replies to TSHost on a port in --with-tcpportrange

The above is taken from the wiki page: http://wiki.zmanda.com/index.php/Configuration_with_iptables

What happens after each host replies to the tape server host over {--with-tcpportrange}? Or is that all?

that should be it for backing up if the ports within tcpportrange can be found. Otherwise, it's currently subjected to the [*] below.

Then for amrecover, it needs privileged (< 1024) TCP ports for communication to the server. That could be why amrecover is problematic in firewall environment. It uses up to 3 ports.

I am working on changing -with-tcpportrange, -with-udpportrange to be configurable in amanda.conf. I likely need to split them into three categories:

udp_privileged_port_range
tcp_privileged_port_range {new}
tcp_normal_port_range

Will update with more information soon.

[*] Currently, amanda will try the tcpportrange/udpportrange first. If it couldn't find an open port in that range, it will try to get ANY open port. In this case, it will fail in your firewall setup.

--
Thank you!
Kevin Till
Amanda documentation: http://wiki.zmanda.com
Amanda forums: http://forums.zmanda.com
Re: amrecover from the DMZ
Matt Hyclak wrote: On Thu, Nov 10, 2005 at 02:32:41PM -0500, Guy Dallaire enlightened us: 2005/11/10, Matt Hyclak <[EMAIL PROTECTED]>: Which ports does amrecover use to contact the tape server ? 10082 tcp and 10083 tcp. amrecover needs a privileged tcp port to connect to the server. It's the only amanda program that requires privileged "TCP" port -- Thank you! Kevin Till Amanda documentation: http://wiki.zmanda.com Amanda forums:http://forums.zmanda.com
Re: Which ports to open in which direction...
David Leangen wrote: http://wiki.zmanda.com/index.php/Configuration_with_iptables Hi Dave, does your current setup work for you? I guess it should work most of the time. In your case, it'll fail when it couldn't find an open port in tcp 5:50100 or in udp 700:710. Currently, amanda will try the tcpportrange/udpportrange first. If it couldn't find an open port in that range, it will try to get ANY open port. In this case, it will fail in your firewall setup. I'm working to correct this mis-behavior. -- Thank you! Kevin Till Amanda documentation: http://wiki.zmanda.com Amanda forums:http://forums.zmanda.com
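The port selection described in the two "Which ports to open" replies above (try the configured range, then take any open port) can be reproduced on loopback to see why the fallback defeats a firewall rule written for the range. This is an added sketch, not Amanda's code; `bind_in_range`, `fallback_any` and `demo` are hypothetical names, and the "range" is a single port that the demo occupies itself.

```python
import errno
import socket


def bind_in_range(lo, hi, fallback_any, host="127.0.0.1"):
    """Bind a TCP socket to the first free port in lo..hi.

    With fallback_any=True the function mimics the behaviour described in the
    thread: when the range is exhausted it lets the OS pick any free port.
    With fallback_any=False it fails instead, so the caller sees the problem
    rather than sending traffic the firewall will silently drop.
    """
    for port in range(lo, hi + 1):
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        try:
            sock.bind((host, port))
            return sock, port
        except OSError as exc:
            sock.close()
            if exc.errno not in (errno.EADDRINUSE, errno.EACCES):
                raise
    if not fallback_any:
        raise OSError(errno.EADDRINUSE, "no free port in %d-%d" % (lo, hi))
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.bind((host, 0))  # port 0: the OS chooses, ignoring the configured range
    return sock, sock.getsockname()[1]


def demo():
    """Exhaust a one-port range, then compare fallback and strict behaviour."""
    busy = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    busy.bind(("127.0.0.1", 0))  # occupy one port; it becomes the whole range
    port = busy.getsockname()[1]
    try:
        sock, got = bind_in_range(port, port, fallback_any=True)
        sock.close()
        try:
            sock, _ = bind_in_range(port, port, fallback_any=False)
            sock.close()
            strict_failed = False
        except OSError:
            strict_failed = True
    finally:
        busy.close()
    return port, got, strict_failed


if __name__ == "__main__":
    allowed, used, strict_failed = demo()
    print("firewall allows %d, fallback bound %d" % (allowed, used))
    print("strict mode refused to bind:", strict_failed)
```

On the firewall side the fallback case shows up as dropped connections from a source port outside the permitted range, which is the failure the replies describe.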