Re: [Bacula-users] Restores very slow while selecting files
On Thu, 13 Apr 2017, Tom Yates wrote: > On Wed, 12 Apr 2017, Martin Simmons wrote: > >> Does that file tree have a lot of hard links (I think the add command only >> makes those queries for hard links)? If so, then using Bacula 7 might help >> (see "restore optimizespeed" in >> http://www.bacula.org/downloads/Bacula-7.4.0/ReleaseNotes). > > That might well be it. "find . -type f -links +1" says that, of the ten > million or so files in that tree, around a million have more than one > hard link (some have several hundred, don't ask me why). > > If the client will permit it, I'll investigate "restore optimizespeed" and > report back. Thank you! So it turns out that going to 7.4.7 was enough. The FD clients all stayed on CentOS 6's 5.0.0, and seem to be fine (though testing continues). "optimizespeed=true" seems to be the default in 7.x; in the first test the upgrade cut the time for the "add home" phase from twenty-some HOURS to about eight SECONDS. We have made no further changes, though we gratefully note Kern's list of other improvements we could make if things start to drag again. Thanks to all, but especially Martin and Kern, for help with this. Bacula's back on the menu! Tom Yates Cambridge, UK. -- Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot ___ Bacula-users mailing list Bacula-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/bacula-users
Re: [Bacula-users] Restores very slow while selecting files
On Wed, 12 Apr 2017, Martin Simmons wrote: > Does that file tree have a lot of hard links (I think the add command only > makes those queries for hard links)? If so, then using Bacula 7 might help > (see "restore optimizespeed" in > http://www.bacula.org/downloads/Bacula-7.4.0/ReleaseNotes). That might well be it. "find . -type f -links +1" says that, of the ten million or so files in that tree, around a million have more than one hard link (some have several hundred, don't ask me why). If the client will permit it, I'll investigate "restore optimizespeed" and report back. Thank you! Tom Yates Cambridge, UK. -- Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot ___ Bacula-users mailing list Bacula-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/bacula-users
Re: [Bacula-users] Restores very slow while selecting files
On Wed, 12 Apr 2017, Francisco Javier Funes Nieto wrote: The missing question, which Database Catalog are you using ? The catalogue database is on MySQL, again using the version that comes with CentOS 6 (5.1.73). -- Tom Yates - http://www.teaparty.net-- Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot___ Bacula-users mailing list Bacula-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/bacula-users
[Bacula-users] Restores very slow while selecting files
I've got a fairly big filesystem (3TB, 15M files) of which I want to (test) restore a part. I know that if the backend DB is slow the "Building file list" stage can take some time, but I have it striped over a 5-SAS-disc RAID-0, and this step takes only about eight minutes. The problems start once I navigate to the directory I want restored (which admittedly contains the bulk of the files and about half the total space), and do an "add home". The current job has been stuck on this step for over 15 hours, now. When I strace bacula-dir I see a lot of: [pid 26711] write(6, "P\0\0\0\3SELECT FilenameId FROM File"..., 84) = 84 [pid 26711] read(6, "\1\0\0\1\1@\0\0\2\3def\6bacula\10Filename\10Fi"..., 16384) = 102 [pid 26711] poll([{fd=6, events=POLLIN|POLLPRI}], 1, 0) = 0 (Timeout) [pid 26711] write(6, "m\0\0\0\3SELECT FileId, LStat, MD5 F"..., 113) = 113 [pid 26711] read(6, "\1\0\0\1\0030\0\0\2\3def\6bacula\4File\4File\6F"..., 16384) = 249 [pid 26711] poll([{fd=6, events=POLLIN|POLLPRI}], 1, 0) = 0 (Timeout) [pid 26711] write(6, "P\0\0\0\3SELECT FilenameId FROM File"..., 84) = 84 [pid 26711] read(6, "\1\0\0\1\1@\0\0\2\3def\6bacula\10Filename\10Fi"..., 16384) = 102 [pid 26711] poll([{fd=6, events=POLLIN|POLLPRI}], 1, 0) = 0 (Timeout) [pid 26711] write(6, "m\0\0\0\3SELECT FileId, LStat, MD5 F"..., 113) = 113 [pid 26711] read(6, "\1\0\0\1\0030\0\0\2\3def\6bacula\4File\4File\6F"..., 16384) = 250 [pid 26711] poll([{fd=6, events=POLLIN|POLLPRI}], 1, 0) = 0 (Timeout) So I presume it's stepping through the built directory tree querying the database about each of these files. Problem is that any restore that takes ~24 hours just to kick off is not making my clients happy. The CentOS 6 server has 16GB of memory and does not seem short of it (negligible swap usage). We're currently using the CentOS 6 bacula packages, which are v5.0.0. I tried building 5.2.13 from source, upgrading, and running that, but it wasn't noticeably better, so I downgraded again. I'm happy to go to a still-later version if there is reason to think that this step is better optimised in that version. If building custom indexes would help, I'm open to that, too. If I'm doing something fundamentally stupid, it would be really useful to know! Apart from "don't restore your home area", does anyone have any advice? Thanks. -- Tom Yates - Teaparty Network Central - +44/0 1223 704038 -- Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot ___ Bacula-users mailing list Bacula-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/bacula-users
Re: [Bacula-users] client-side data encryption without routine access to private key
On Wed, 18 Feb 2009, Martin Simmons wrote: > Does the private key have to be the one associated with the public key? > It looks like the code loads them separately, so perhaps another > solution is to use two key pairs and make a pem file containing the > public key of one and the private key of the other (assuming openssl > allows that)? Elegant, and it works. I made two keypairs (risby-sign and risby-encrypt) and put risby-sign.key and risby-encrypt.cert) into the PEM file specified in "PKI Keypair =". The fd process restarted fine, did a test backup fine. When I tried a test restore, it fails (as it should) with "restore.c:488 Failed to initialize decryption context for /tmp/bacula-restores/big/home/madhatta/TESTFILE". When I replace the PEM file with one containing both halves of the encryption key (risby-encrypt.key and risby-encrypt.cert) and restart the FD, the restore still errors on validating the signature ("restore.c:839 Signature validation failed for file /tmp/bacula-restores/big/home/madhatta/TESTFILE: ERR=Signature is invalid") (which is expected, because now it has *neither* part of the signing keypair), but the file restores correctly: 4bed0f14512d1290931529b1bc233a0bfe362614 /big/home/madhatta/TESTFILE 4bed0f14512d1290931529b1bc233a0bfe362614 /tmp/bacula-restores/big/home/madhatta/TESTFILE As I say: elegant - and thank you! -- Tom Yates - http://www.teaparty.net -- Open Source Business Conference (OSBC), March 24-25, 2009, San Francisco, CA -OSBC tackles the biggest issue in open source: Open Sourcing the Enterprise -Strategies to boost innovation and cut costs with open source participation -Receive a $600 discount off the registration fee with the source code: SFAD http://p.sf.net/sfu/XcvMzF8H ___ Bacula-users mailing list Bacula-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/bacula-users
Re: [Bacula-users] client-side data encryption without routine access to private key
On Tue, 17 Feb 2009, Landon Fuller wrote: > On Feb 17, 2009, at 8:48 AM, Martin Simmons wrote: > >> That sounds backwards to me. Shouldn't the encrypter (backup) use the >> public key to keep the data safe? Then only the decrypter (restore) >> can read the data, using the private key. > > Right. A symmetric session key is used for each backup run, which is > encrypted for all provided public keys and stored along-side the > encrypted data. This is how the "master" public key feature is > implemented. Thanks to Martin and Landon both for confirming this. I was aware of the existence of the session key, but stupidly skated over it in my original post. >> The private key is needed during backup if you use PKI Signatures. > > Right. Currently, enabling PKI encryption also enables signing, but the > encryption implementation does not require this, and the private key is > not necessary for encrypting the backups. > > However -- if you disable signing, there is no other validation > mechanism. One could add HMAC support without too much effort, but you > lose non-repudiation of the backups, as any recipient that can verify > the HMAC may also generate a valid one. I can live with that; data authentication isn't as important to me as encryption (ie, I'm more worried that real data will get into the wrong hands than that wrong data will get into the real hands). Would you know if I can disable signing in the configuration, or must I recompile; and if the latter, is it a config option or will I need to mess with the source myself? Thanks to all who have tried to help me with this so far. Tom Yates Cambridge, UK. -- Open Source Business Conference (OSBC), March 24-25, 2009, San Francisco, CA -OSBC tackles the biggest issue in open source: Open Sourcing the Enterprise -Strategies to boost innovation and cut costs with open source participation -Receive a $600 discount off the registration fee with the source code: SFAD http://p.sf.net/sfu/XcvMzF8H ___ Bacula-users mailing list Bacula-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/bacula-users
[Bacula-users] client-side data encryption without routine access to private key
I'm curious about encryption; specifically, encrypting the data on the client-side before the storage daemon lays it down to tape. I've read http://www.bacula.org/en/dev-manual/Data_Encryption.html, and it seems to suggest that the client *requires* both the client's private key and the client's public key. Certainly, when I give the client a "PKI Keypair =" file which contains only the public key, I get an "Error: openssl.c:86 Unable to read private key from file ERR=error:0906D06C:PEM routines:PEM_read_bio:no start line". But what I'm trying to do here is make a machine, and its backup tapes, safe from physical seizure. The root FS of the machine is unencrypted (and so, therefore, is the /etc/bacula directory); the file system I'm worried about is normally encrypted. I've tried giving the FD a .pem file which includes an encrypted private key, in the hope that it would ask for a passphrase at start time (in the manner of apache), but instead I get "openssl.c:86 Unable to read private key from file: ERR=error:0906A068:PEM routines:PEM_do_header:bad password read", so that's not working. The above manual page on data encryption says that the encryption involves three steps: 1. The File daemon generates a session key. 2. The FD encrypts that session key via PKE for all recipients (the file daemon, any master keys). 3. The FD uses that session key to perform symmetric encryption on the data. None of that seems to me to require the client's private key; only the public one. Only restoration, or some other act requiring the decryption of the filestream, seems to me to require the client's private key. Or is there some other signing phase going on, that I'm not catching on to? Am I missing something, or is the only way to make this work to put the bacula FD's keys in plaintext, inside the encrypted filesystem? Tom Yates Cambridge, UK. -- Open Source Business Conference (OSBC), March 24-25, 2009, San Francisco, CA -OSBC tackles the biggest issue in open source: Open Sourcing the Enterprise -Strategies to boost innovation and cut costs with open source participation -Receive a $600 discount off the registration fee with the source code: SFAD http://p.sf.net/sfu/XcvMzF8H ___ Bacula-users mailing list Bacula-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/bacula-users
Re: [Bacula-users] ERR=Device or resource busy
On Mon, 5 Jun 2006, Kern Sibbald wrote: > Unfortunately, Bacula is sufficiently demanding that it often brings out > driver problems that don't show up using most Unix tape utilities, which > tend to be rather "simple" minded. They either simply write() or read(). > Bacula uses quite a lot more features of the drive. just in case anyone tracks down my original mail to the list, and wonders how i resolved it, i should point out i've fixed it. it seems that it was hardware. basically, something on my old system was going south. i suspect it was the processor, as it was so hard to track down, but i shotgunned the entire system (except for the HDD, which i had no reason to suspect, the PSU, which had only just been replaced in an earlier attempt to solve the problem, and the SCSI card, which i can't afford to replace and which i have some confidence in) and put in new motherboard, memory, processor, fan, video card and case. the new system came up and immediately started running bacula just fine. enormous thanks to kern for responding quickly, informatively and personally. -- Tom Yates - [EMAIL PROTECTED] - http://www.teaparty.net Using Tomcat but need to do more? Need to support web services, security? Get stuff done quickly with pre-integrated technology to make your job easier Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642 ___ Bacula-users mailing list Bacula-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/bacula-users
Re: [Bacula-users] ERR=Device or resource busy
On Mon, 5 Jun 2006, Kern Sibbald wrote: > I'm running on kernel-2.6.16-1.2122_FC5 and not seeing the problems you are. > However, I have only been running that system several days. > > I recommend the following things (obviously 2-4 are unnecessary if 1 > fixes the problem): > > 1. This still looks most like a kernel driver problem to me. Backing up to > kernel-2.6.16-1.2111 would most likely clear up this point. i'll try that as soon as i can clear time for a reboot, and will let the list know if that fixes it. knowing that you're running .2122 makes me a bit less worried (i feared some major API change that broke bacula across the board, instead of a just a driver issue with my SCSI card) - but i don't want to be at .2111 forever. if i could produce some kind of error that didn't involve bacula, i could log it with redhat's bugzilla, and try to make progress on that front. > 2. Rebuild and reinstall Bacula (in case there are some library changes). done that, both for 1.38.8 (make distclean; ./configure) and 1.38.9 (built from freshly unpacked tarball) - for that very reason. > 3. Clean your tape drive. good idea, i'll try it - but that way i can use dd to read and write to and from a blank tape (and, oddly, label it under 1.38.9 - but not then inventory it with an 'update slots=1 scan') makes me disinclined to suspect dirty tape heads. is that wrong reasoning? > 4. Mark the current Volume as Used and try a different one. tried. six tapes - three full, one part-full, two blank - *all* fail to read in an 'update slots scan', with the same error. thanks for such a prompt, useful response with so much to try in it. news as it's made. -- Tom Yates - http://www.teaparty.net ___ Bacula-users mailing list Bacula-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/bacula-users
[Bacula-users] ERR=Device or resource busy
On Fri, 2 Jun 2006, Kern Sibbald wrote: > This could be a problem with tapes, but the error message "Device or > resource busy" not a normal error message for tape error. It looks more > like some sort of driver problem (OS/Kernel driver, tape drive firmware, > SCSI controller, or Bacula). i've been consistently getting those with every single bacula operation on my FC5 box (running the storage director) since i upgraded the kernel from kernel-2.6.16-1.2111_FC5 to kernel-2.6.16-1.2122_FC5 (specifically, i keep getting "ERR=block.c:945 Read error at file:blk 0:0 on device "Drive0" (/dev/nst0). ERR=Device or resource busy." i confess that i haven't rebooted with the old kernel to check things still work, but upgrading from bacula 1.38.8 to 1.38.9 (on the sd box) hasn't helped. mtx-changer still works, and when bacula's stopped i can still dd data off the tape. can anyone shed any light on why this might be happening? -- Tom Yates Cambridge, UK. ___ Bacula-users mailing list Bacula-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/bacula-users