Re: [Bacula-users] Bacula 9.6.5 TLS issue - solved in 9.6.6
On 10/8/20 7:54 PM, Josip Deanovic wrote:
> In case one is using a database cluster in a round-robin setup, one
> of the master nodes could start lagging, which could have unpredictable
> effects on most applications (unless synchronous communication is
> in use).

Exactly, which is why this is safe ONLY with a synchronous cluster. There is no way to ever make native asynchronous replication fully multiple-write safe. There will ALWAYS be the possibility of silent race conditions which will result in inconsistent data.

-- 
Phil Stracchino
Babylon Communications
ph...@caerllewys.net
p...@co.ordinate.org
Landline: +1.603.293.8485
Mobile: +1.603.998.6958

___
Bacula-users mailing list
Bacula-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bacula-users
Re: [Bacula-users] Bacula 9.6.5 TLS issue - solved in 9.6.6
On 2020-10-08 15:54, Phil Stracchino wrote:
> On 10/8/20 9:11 AM, Josip Deanovic wrote:
>> Do you have to turn off attribute spooling with 9.6.3 and 9.6.6?
>> Disabling attribute spooling will inflict noticeable performance
>> degradation.
>
> Unfortunately, yes, because the attribute spooling code — at least for
> the MySQL driver — is broken. It caches all of the attribute data in a
> temporary table until the job is done, then dumps it all into the DB at
> once, ignoring the configured write batch size. If the job copies more
> than 128K files, this exceeds Galera 3's hard writeset limit.

I see. Thank you for explaining it. I used to use MySQL for a long time and had no problems because I didn't use a Galera MySQL cluster with Bacula.

> If it honored the batch size setting, it would be perfectly fine. That
> said, I probably would not have done the spooling that way in the first
> place. I would have cached the attribute data in memory until I had
> $BATCHSIZE records, then written them directly to the DB in a batch. I
> honestly think this would perform better than saving them all until the
> end of the job and then ogging the DB with potentially millions of
> records at once. That is ALWAYS a bad idea.
>
> I'd write and offer a patch — in fact I'd overhaul the entire MySQL
> driver — but I don't know nearly enough C++.

I don't know how these things are implemented in Bacula. It's possible that the Bacula team did it because they thought that it would help with setting up HA for the Bacula director daemon.

In case one is using a database cluster in a round-robin setup, one of the master nodes could start lagging, which could have unpredictable effects on most applications (unless synchronous communication is in use). With some applications, depending on how they utilize the database, it could lead to some kind of interlocks which would need to be solved by the cluster software, or otherwise it could lead to long or indefinite timeouts.

Round-robin with database nodes (master-master) is usually fine for applications that produce small queries and don't have to create awfully complex relations. Otherwise, the database cluster software would need to take care of locking, which brings in the question of synchronous communication and the overall performance gain from such a setup.

I am aware that some decisions in Bacula regarding dealing with database connections are not the best. For example, if you use a Copy job which is configured to select, say, 300 jobs to copy, Bacula would open 600 connections to the database. Those connections would stay open until the jobs are finished. For each Copy job that completes, two connections would get released. And if your database has a connection limit set below the number of connections Bacula temporarily needs, bacula-dir would segfault. I have experienced it with Postgres and I have found old posts in the mailing list archives claiming that the same problem exists with MySQL as well.

There are a few ways to work around the problem with too many connections, but the Bacula director shouldn't segfault.

-- 
Josip Deanovic
Re: [Bacula-users] Bacula 9.6.5 TLS issue - solved in 9.6.6
On 10/8/20 9:11 AM, Josip Deanovic wrote:
> On 2020-10-08 14:56, Phil Stracchino wrote:
>> High availability, fundamentally. I'd honestly prefer to be using
>> Percona XtraDB Cluster, but there is no working, maintained ebuild for
>> Gentoo Linux — and enterprise customers ARE going to try to use it
>> against HA clusters, so we'd better be sure it works. Which it does, as
>> long as attribute spooling is disabled (and you're not using Director
>> 9.6.5).
>
> Do you have to turn off attribute spooling with 9.6.3 and 9.6.6?
> Disabling attribute spooling will inflict noticeable performance
> degradation.

Unfortunately, yes, because the attribute spooling code — at least for the MySQL driver — is broken. It caches all of the attribute data in a temporary table until the job is done, then dumps it all into the DB at once, ignoring the configured write batch size. If the job copies more than 128K files, this exceeds Galera 3's hard writeset limit.

If it honored the batch size setting, it would be perfectly fine. That said, I probably would not have done the spooling that way in the first place. I would have cached the attribute data in memory until I had $BATCHSIZE records, then written them directly to the DB in a batch. I honestly think this would perform better than saving them all until the end of the job and then ogging the DB with potentially millions of records at once. That is ALWAYS a bad idea.

I'd write and offer a patch — in fact I'd overhaul the entire MySQL driver — but I don't know nearly enough C++.

-- 
Phil Stracchino
Re: [Bacula-users] Bacula 9.6.5 TLS issue - solved in 9.6.6
On 2020-10-08 14:56, Phil Stracchino wrote:
> Well, I understand that perspective, but this problem appeared instantly
> as soon as I upgraded to 9.6.5, with a DB configuration I've been using
> for years without a hiccup. I could turn the problem on and off like a
> lightswitch by updating *ONLY* the Director to 9.6.5 or rolling it back
> to 9.6.3, even if connecting directly to the local DB node without using
> HAproxy.
>
> 9.6.5 Director, even without HAproxy: About one in three jobs hang.
> 9.6.3 Director, even WITH HAproxy: No hangs.
>
> So far, 9.6.6 is behaving like 9.6.3.

Interesting. In that case you are probably right.

>> Are you using the MariaDB cluster because you need high availability
>> or because you want to achieve higher database throughput?
>
> High availability, fundamentally. I'd honestly prefer to be using
> Percona XtraDB Cluster, but there is no working, maintained ebuild for
> Gentoo Linux — and enterprise customers ARE going to try to use it
> against HA clusters, so we'd better be sure it works. Which it does, as
> long as attribute spooling is disabled (and you're not using Director
> 9.6.5).

Do you have to turn off attribute spooling with 9.6.3 and 9.6.6? Disabling attribute spooling will inflict noticeable performance degradation.

-- 
Josip Deanovic
Re: [Bacula-users] Bacula 9.6.5 TLS issue - solved in 9.6.6
On 10/8/20 8:45 AM, djosip+n...@linuxpages.net wrote:
> On 2020-10-08 14:24, Phil Stracchino wrote:
>> Well, so far, it's only been a few days, so my conclusions are cautious.
>> But they are cautiously optimistic. So far, with the Director still
>> using HAproxy to round-robin DB connections to my MariaDB cluster, I
>> have not seen a single hung job. But only about a dozen jobs have run
>> so far.
>>
>> On 9.6.5 I would have expected to see one or more hung jobs by now, but
>> I won't feel safe in declaring the problem gone until it's gone at
>> least a couple of weeks without a hung job.
>
> Ah, I didn't get that you are using a MariaDB cluster.
>
> It is quite possible that your problems are not directly related
> to Bacula but to the database cluster setup, which means that the
> new Bacula version will not solve your problem.

Well, I understand that perspective, but this problem appeared instantly as soon as I upgraded to 9.6.5, with a DB configuration I've been using for years without a hiccup. I could turn the problem on and off like a lightswitch by updating *ONLY* the Director to 9.6.5 or rolling it back to 9.6.3, even if connecting directly to the local DB node without using HAproxy.

9.6.5 Director, even without HAproxy: About one in three jobs hang.
9.6.3 Director, even WITH HAproxy: No hangs.

So far, 9.6.6 is behaving like 9.6.3.

> Are you using the MariaDB cluster because you need high availability
> or because you want to achieve higher database throughput?

High availability, fundamentally. I'd honestly prefer to be using Percona XtraDB Cluster, but there is no working, maintained ebuild for Gentoo Linux — and enterprise customers ARE going to try to use it against HA clusters, so we'd better be sure it works. Which it does, as long as attribute spooling is disabled (and you're not using Director 9.6.5).

-- 
Phil Stracchino
Re: [Bacula-users] Bacula 9.6.5 TLS issue - solved in 9.6.6
On 2020-10-08 14:24, Phil Stracchino wrote:
> Well, so far, it's only been a few days, so my conclusions are cautious.
> But they are cautiously optimistic. So far, with the Director still
> using HAproxy to round-robin DB connections to my MariaDB cluster, I
> have not seen a single hung job. But only about a dozen jobs have run
> so far.
>
> On 9.6.5 I would have expected to see one or more hung jobs by now, but
> I won't feel safe in declaring the problem gone until it's gone at
> least a couple of weeks without a hung job.

Ah, I didn't get that you are using a MariaDB cluster.

It is quite possible that your problems are not directly related to Bacula but to the database cluster setup, which means that the new Bacula version will not solve your problem.

Are you using the MariaDB cluster because you need high availability or because you want to achieve higher database throughput?

If it's only high availability you are after, it might be a good idea to stop using round-robin.

Regards!
Re: [Bacula-users] Bacula 9.6.5 TLS issue - solved in 9.6.6
On 10/6/20 4:56 AM, djosip+n...@linuxpages.net wrote:
> On 2020-10-06 02:07, Phil Stracchino wrote:
>> On 9/28/20 12:33 PM, Phil Stracchino wrote:
>>> test phase 1: All clients and Storage on 9.6.6, Director still on 9.6.3
>>> No hung jobs so far. I plan to leave it this way for at least a week
>>> before upgrading the Director to 9.6.6 as well.
>>
>> OK, a week of no issues and monthly full backups just ran. I am now
>> updating the Director from 9.6.3 to 9.6.6. No other changes.
>>
>> Fingers crossed.
>
> I am eager to hear about your conclusions. Good luck.

Well, so far, it's only been a few days, so my conclusions are cautious. But they are cautiously optimistic. So far, with the Director still using HAproxy to round-robin DB connections to my MariaDB cluster, I have not seen a single hung job. But only about a dozen jobs have run so far.

On 9.6.5 I would have expected to see one or more hung jobs by now, but I won't feel safe in declaring the problem gone until it's gone at least a couple of weeks without a hung job.

-- 
Phil Stracchino
Re: [Bacula-users] Bacula 9.6.5 TLS issue - solved in 9.6.6
On 2020-10-06 02:07, Phil Stracchino wrote:
> On 9/28/20 12:33 PM, Phil Stracchino wrote:
>> test phase 1: All clients and Storage on 9.6.6, Director still on 9.6.3
>> No hung jobs so far. I plan to leave it this way for at least a week
>> before upgrading the Director to 9.6.6 as well.
>
> OK, a week of no issues and monthly full backups just ran. I am now
> updating the Director from 9.6.3 to 9.6.6. No other changes.
>
> Fingers crossed.

I am eager to hear about your conclusions. Good luck.

Regards!

-- 
Josip Deanovic
Re: [Bacula-users] Bacula 9.6.5 TLS issue - solved in 9.6.6
On 9/28/20 12:33 PM, Phil Stracchino wrote:
> On 2020-09-27 15:27, Phil Stracchino wrote:
>> I'm going to re-test the job-hanging problem that I encountered with
>> 9.6.5 Director and see whether that is resolved in 9.6.6 as well. It
>> mysteriously appeared between 9.6.3 and 9.6.5, with luck it has vanished
>> as mysteriously.
>
> test phase 1: All clients and Storage on 9.6.6, Director still on 9.6.3
> No hung jobs so far. I plan to leave it this way for at least a week
> before upgrading the Director to 9.6.6 as well.

OK, a week of no issues and monthly full backups just ran. I am now updating the Director from 9.6.3 to 9.6.6. No other changes.

Fingers crossed.

-- 
Phil Stracchino
Re: [Bacula-users] Bacula 9.6.5 TLS issue - solved in 9.6.6
On 2020-09-27 15:27, Phil Stracchino wrote:
> I'm going to re-test the job-hanging problem that I encountered with
> 9.6.5 Director and see whether that is resolved in 9.6.6 as well. It
> mysteriously appeared between 9.6.3 and 9.6.5, with luck it has vanished
> as mysteriously.

test phase 1: All clients and Storage on 9.6.6, Director still on 9.6.3

No hung jobs so far. I plan to leave it this way for at least a week before upgrading the Director to 9.6.6 as well.

-- 
Phil Stracchino
Re: [Bacula-users] Bacula 9.6.5 TLS issue - solved in 9.6.6
On 2020-09-27 02:57, Josip Deanovic wrote:
> So I am writing here to inform people who might have experienced the
> TLS error with bacula-fd 9.6.5 on CentOS 7 and CentOS 6 that Bacula
> 9.6.6 has solved that problem.

I'm going to re-test the job-hanging problem that I encountered with 9.6.5 Director and see whether that is resolved in 9.6.6 as well. It mysteriously appeared between 9.6.3 and 9.6.5, with luck it has vanished as mysteriously.

-- 
Phil Stracchino
Re: [Bacula-users] Bacula 9.6.5 TLS issue - solved in 9.6.6
Very good! Thanks for the info! :)

Best regards,
-- 
Mario.

On Sun, 27 Sep 2020 at 09:06, Josip Deanovic <djosip+n...@linuxpages.net> wrote:
> Hello,
>
> I have stumbled upon a bug in Bacula 9.6.5 on CentOS 7 and CentOS 6
> where bacula-fd would fail starting with an error mentioning TLS
> not being able to find ciphers.
>
> The configuration of the file daemons is correct and it works without
> modifications with stock CentOS 7 (5.2) and CentOS 6 (5.0) Bacula
> file daemons. CentOS 8 is working fine with 9.6.5 without issues.
>
> I have failed to find the cause, and a few days ago Bacula 9.6.6 was
> released, so I tried that version and the TLS problem was gone.
>
> So I am writing here to inform people who might have experienced the
> TLS error with bacula-fd 9.6.5 on CentOS 7 and CentOS 6 that Bacula
> 9.6.6 has solved that problem.
>
> Regards!
>
> --
> Josip Deanovic
[Bacula-users] Bacula 9.6.5 TLS issue - solved in 9.6.6
Hello,

I have stumbled upon a bug in Bacula 9.6.5 on CentOS 7 and CentOS 6 where bacula-fd would fail starting with an error mentioning TLS not being able to find ciphers.

The configuration of the file daemons is correct and it works without modifications with stock CentOS 7 (5.2) and CentOS 6 (5.0) Bacula file daemons. CentOS 8 is working fine with 9.6.5 without issues.

I have failed to find the cause, and a few days ago Bacula 9.6.6 was released, so I tried that version and the TLS problem was gone.

So I am writing here to inform people who might have experienced the TLS error with bacula-fd 9.6.5 on CentOS 7 and CentOS 6 that Bacula 9.6.6 has solved that problem.

Regards!

-- 
Josip Deanovic
Re: [Bacula-users] bacula and tls. Can't get that working
William Felipe Welter wrote:
> Verify the keyUsage of your certs. Try to create a cert with all usages:
>
>     keyUsage = digitalSignature, nonRepudiation, keyEncipherment,
>                dataEncipherment, keyAgreement, keyCertSign, cRLSign,
>                encipherOnly, decipherOnly
>
> 2011/11/8 Oliver Hoffmann <o...@dom.de>:
>> [original post quoted in full; see "bacula and tls. Can't get that working" below]

Thank you. After a while I figured out how to do this. Furthermore I had nsCertType = server in my caconfig.cnf and commented it out. Now I see:

    Certificate purposes:
    SSL client : Yes
    SSL client CA : No
    SSL server : Yes
    SSL server CA : No
    Netscape SSL server : Yes
    Netscape SSL server CA : No
    S/MIME signing : Yes
    S/MIME signing CA : No
    S/MIME encryption : Yes
    S/MIME encryption CA : No
    CRL signing : Yes
    CRL signing CA : No
    Any Purpose : Yes
    Any Purpose CA : Yes
    OCSP helper : Yes
    OCSP helper CA : No

With such a cert the communication bconsole -- director finally works.

Next I tried to get the local fd talking TLS (with the same cacert, crt and key), but:

    09-Nov 18:01 ba-server-fd: Fatal Error at filed.c:556 because:
    Konnte TLS context für Director nicht initialisieren ba-server-dir in /etc/bacula/bacula-fd.conf.

The German sentence means "Couldn't initialize TLS context for Director ba-server-dir".

Eventually I got it. The problem was the FQDN in the cert but not at FDAddress =. Hence the major issues with TLS and Bacula are FQDN confusion and the purposes of certs. That's what I experienced and that's what I found all the time while searching the web.

Cheers,

Oliver
[Bacula-users] bacula and tls. Can't get that working
Hi all,

it is such a hassle to get that running. Could someone guide me please?

1. What I did

I made my own CA using this guide: https://help.ubuntu.com/community/OpenSSL

Now I have a CA and self-signed keys. So there are server_crt.pem, server_key.pem and cacert.pem. The common name is always ba-server.some.domain. I altered the file index.txt.attr. Now it reads unique_subject = no.

Of course I read this one: http://www.bacula.org/de/dev-manual/Bacula_TLS_Communication.html and then that one: http://www.devco.net/pubwiki/Bacula/TLS/ which was quite helpful.

I tried to have an encrypted communication between the director and bconsole as a first attempt but it doesn't work.

bconsole.conf looks like:

    Director {
      Name = ba-server-dir
      DIRport = 9101
      address = ba-server.some.domain
      Password = mypw
      TLS Enable = yes
      TLS Require = yes
      TLS CA Certificate File = /etc/bacula/certs/cacert.pem
      TLS Certificate = /etc/bacula/certs/server_crt.pem
      TLS Key = /etc/bacula/certs/server_key.pem
    }

bacula-dir.conf (just the upper part):

    Director {                          # define myself
      Name = ba-server-dir
      DIRport = 9101                    # where we listen for UA connections
      QueryFile = /etc/bacula/scripts/query.sql
      WorkingDirectory = /var/lib/bacula
      PidDirectory = /var/run/bacula
      Password = mypw
      Messages = Daemon
      DirAddress = ba-server.some.domain
      Heartbeat Interval = 60
      Maximum Concurrent Jobs = 20
      TLS Enable = yes
      TLS Require = yes
      # TLS Verify Peer = yes
      # TLS Allowed CN = ba-server.some.domain
      TLS CA Certificate File = /etc/bacula/certs/cacert.pem
      TLS Certificate = /etc/bacula/certs/server_crt.pem
      TLS Key = /etc/bacula/certs/server_key.pem
    }

I used TLS Verify Peer and TLS Allowed CN as well before.

2. What I got:

    Connecting to Director ba-server.some.domain:9101
    TLS negotiation failed
    Director authorization problem.
    Most likely the passwords do not agree.
    If you are using TLS, there may have been a certificate validation error during the TLS handshake.
    Please see http://www.bacula.org/en/rel-manual/Bacula_Freque_Asked_Questi.html#SECTION00376 for help.

In the log file I see:

    08-Nov 17:16 ba-server-dir JobId 0: Error: tls.c:92 Error with certificate at depth: 0, issuer = /CN=ba-server.some.domain and so on ERR=26:unsupported certificate purpose

Thus I searched for "unsupported certificate purpose" and found out that nsCertType was set to server. Means both certs have a purpose called server. I made a new crt/key with client. No success. I couldn't find either how to set nsCertType to nothing or if Bacula is able to ignore such a setting.

Thanks for help!

Greetings,

Oliver
Re: [Bacula-users] bacula and tls. Can't get that working
Verify the keyUsage of your certs. Try to create a cert with all usages:

    keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement, keyCertSign, cRLSign, encipherOnly, decipherOnly

2011/11/8 Oliver Hoffmann <o...@dom.de>:
> [original post quoted in full; see "bacula and tls. Can't get that working" above]

-- 
William Felipe Welter
Free Technologies Consultant
william.wel...@4linux.com.br
www.4linux.com.br
[Bacula-users] Bacula and TLS
I'm trying to get TLS working with Bacula, I'm following the instructions on this web site: http://www.devco.net/pubwiki/Bacula/TLS/

I came to this statement:

    Repeat this certificate creation steps - create a key, csr and cert - for each of your clients and directors

My question is, is it possible to set up TLS and Bacula with the same certs and keys? Do I really have to create and sign a cert for *every* client I want to back up? I have hundreds of machines, I hope there is an easier way of doing this.

Thank you!

mike
Re: [Bacula-users] Bacula and TLS
On 30.06.2011 20:28, Mike Hobbs wrote:
> I'm trying to get TLS working with Bacula, I'm following the
> instructions on this web site: http://www.devco.net/pubwiki/Bacula/TLS/
>
> I came to this statement:
>
>     Repeat this certificate creation steps - create a key, csr and cert
>     - for each of your clients and directors
>
> My question is, is it possible to set up TLS and Bacula with the same
> certs and keys? Do I really have to create and sign a cert for *every*
> client I want to back up? I have hundreds of machines, I hope there is
> an easier way of doing this.

Hi Mike,

Clients sharing the same key can quite easily obtain access to files backed up from a different client. If this is acceptable, you could also use the same key. If not, you might be able to automate key creation and distribution in some way (scripting, puppet, ... whatever you like).

Regards
Ansgar
[Bacula-users] Bacula and TLS
After reading http://www.bacula.org/dev-manual/Bacula_TLS_Communication.html, I can't figure out how to set up Bacula to use TLS and what the meaning of the options is. Is there any howto about setting up TLS in Bacula?

Currently I'm doing backups through the internet so I'd like to set up a secure connection as soon as possible.

In the docs I've seen:

    TLS CA Certificate File = /usr/local/etc/ssl/ca.pem
    # This is a server certificate, used for incoming
    # console connections.
    TLS Certificate = /usr/local/etc/ssl/backup1/cert.pem
    TLS Key = /usr/local/etc/ssl/backup1/key.pem

How can I generate these?

    /usr/local/etc/ssl/backup1/cert.pem
    /usr/local/etc/ssl/backup1/key.pem
    /usr/local/etc/ssl/ca.pem

-- 
Adrián Ribao Martínez
Re: [Bacula-users] Bacula and TLS
Adrián Ribao Martínez wrote:
> After reading http://www.bacula.org/dev-manual/Bacula_TLS_Communication.html,

NOTE, you are reading the development manual, for a yet to be released version of Bacula. I suspect you should be reading the released manual:

    http://www.bacula.org/rel-manual/Bacula_TLS_Communication.html

However, I also suspect the two chapters are identical in this case.

> I can't figure out how to set up Bacula to use TLS and what the meaning
> of the options is. Is there any howto about setting up TLS in Bacula?

I wrote one: http://www.freebsddiary.org/bacula-tls.php

> Currently I'm doing backups through the internet so I'd like to set up
> a secure connection as soon as possible.
>
> In the docs I've seen:
>
>     TLS CA Certificate File = /usr/local/etc/ssl/ca.pem
>     # This is a server certificate, used for incoming
>     # console connections.
>     TLS Certificate = /usr/local/etc/ssl/backup1/cert.pem
>     TLS Key = /usr/local/etc/ssl/backup1/key.pem
>
> How can I generate these?
>
>     /usr/local/etc/ssl/backup1/cert.pem
>     /usr/local/etc/ssl/backup1/key.pem
>     /usr/local/etc/ssl/ca.pem

Certificate generation deserves a topic all on its own. There are many howtos for that. I used cacert.org for generating my certificate.

-- 
Dan Langille
BSDCan - The Technical BSD Conference : http://www.bsdcan.org/
PGCon - The PostgreSQL Conference: http://www.pgcon.org/
[Bacula-users] Bacula and TLS, without client certificates...
Ok, now my Bacula setup is rather decent; next step, enable TLS. I've looked at the FAQ, HOWTOs, manual... but I've not found an answer to this question.

Can I enable TLS without 'client' (fd) certificates, but only 'server' (dir) certificates, as usually done by SSL/TLS apps/protocols (https, ldaps, ...)? I think that the 'hash/password' is for me a sufficient security/identification measure, and I don't want to generate and deploy certificates for all the clients.

Speaking practically, a setup like:

bacula-dir.conf:

  Director {
    TLS Enable = yes
    TLS Require = yes
    TLS Verify Peer = no
    TLS CA Certificate File = /etc/ssl/certs/LNFFVG.pem
    TLS Certificate = /etc/ssl/certs/LNFFVGTrinity.pem
    TLS Key = /etc/ssl/private/LNFFVGTrinity.pem
    [...other non-TLS conf...]
  }

bacula-fd.conf:

  Director {
    TLS Enable = yes
    TLS Require = yes
    TLS Verify Peer = yes
    TLS CA Certificate File = /etc/ssl/certs/LNFFVG.pem
    [...other non-TLS conf...]
  }

-- 
dott. Marco Gaiarin                              GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''          http://www.sv.lnf.it/
  Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
  marco.gaiarin(at)sv.lnf.it   tel +39-0434-842711   fax +39-0434-842797
Re: [Bacula-users] Bacula and TLS, without client certificates...
Marco Gaiarin wrote:
> Ok, now my Bacula setup is rather decent; next step, enable TLS. I've looked at the FAQ, HOWTOs, manual... but I've not found an answer to this question.
>
> Can I enable TLS without 'client' (fd) certificates, but only 'server' (dir) certificates, as usually done by SSL/TLS apps/protocols (https, ldaps, ...)?

No, since from an SSL perspective, all of the Bacula daemons end up acting as both client and server. The director connects to the fd, the fd connects to the sd, etc.

-- 
Frank Sweetser fs at wpi.edu    | For every problem, there is a solution that
WPI Senior Network Engineer     | is simple, elegant, and wrong. - HL Mencken
GPG fingerprint = 6174 1257 129E 0D21 D8D4 E8A3 8E39 29E3 E2E8 8CEC
Re: [Bacula-users] Bacula and TLS, without client certificates...
Marco Gaiarin wrote:
> Ok, now my Bacula setup is rather decent; next step, enable TLS. I've looked at the FAQ, HOWTOs, manual... but I've not found an answer to this question.
>
> Can I enable TLS without 'client' (fd) certificates, but only 'server' (dir) certificates, as usually done by SSL/TLS apps/protocols (https, ldaps, ...)? I think that the 'hash/password' is for me a sufficient security/identification measure, and I don't want to generate and deploy certificates for all the clients.
>
> Speaking practically, a setup like:
>
> bacula-dir.conf:
>
>   Director {
>     TLS Enable = yes
>     TLS Require = yes
>     TLS Verify Peer = no
>     TLS CA Certificate File = /etc/ssl/certs/LNFFVG.pem
>     TLS Certificate = /etc/ssl/certs/LNFFVGTrinity.pem
>     TLS Key = /etc/ssl/private/LNFFVGTrinity.pem
>     [...other non-TLS conf...]
>   }
>
> bacula-fd.conf:
>
>   Director {
>     TLS Enable = yes
>     TLS Require = yes
>     TLS Verify Peer = yes
>     TLS CA Certificate File = /etc/ssl/certs/LNFFVG.pem
>     [...other non-TLS conf...]
>   }

I am pretty sure you need a TLS Certificate on each client.

-- 
Dan Langille - http://www.langille.org/
BSDCan - The Technical BSD Conference: http://www.bsdcan.org/
Re: [Bacula-users] bacula and tls
On Oct 4, 2007, at 5:01 PM, Dave wrote:
> Hello,
> Is anyone using TLS with the latest Bacula? I've installed the latest server on both FreeBSD via ports and a CentOS 5 box, and I'm getting the same TLS error, "unable to load certification information", on both.

I just upgraded our primary backup server from 2.0.3 to 2.2.5, and it's working just fine. I'd suggest triple checking the permissions on the certificates it's trying to load.

-landonf
Re: [Bacula-users] bacula and tls
Hello,
Thanks for your reply. I did recheck those permissions; they are 644, so it shouldn't have a problem reading them. These are also the same certs the storage and file daemons load, so I am confused. If I can provide any additional information, let me know.
Thanks.
Dave.

----- Original Message -----
From: Landon Fuller [EMAIL PROTECTED]
To: Dave [EMAIL PROTECTED]
Cc: bacula-users@lists.sourceforge.net
Sent: Thursday, October 18, 2007 5:23 PM
Subject: Re: [Bacula-users] bacula and tls
Re: [Bacula-users] [Bacula-devel] TLS - required/enabled
On Tuesday 05 September 2006 01:25, Dan Langille wrote:
> On 4 Sep 2006 at 17:42, Kern Sibbald wrote:
>> On Monday 04 September 2006 16:53, Dan Langille wrote:
>>> I've found that TLS Require = yes stops comms from working. I needed TLS Enable = yes. This is with a 1.38.8 Director and a bacula-client-1.38.11_1. Does that make sense?
>>>
>>> With just TLS Require = yes and not TLS Enable = yes, I get:
>>>
>>>   04-Sep 10:45 bacula-dir: *Console*.2006-09-04_10.45.22 Fatal error: Authorization problem: Remote server did not advertise required TLS support.
>>>
>>> If I change to TLS Enable = yes, then the status command works.
>>>
>>> The bacula-fd.conf specifies:
>>>
>>>   TLS Enable = yes
>>>   TLS Require = yes
>>>
>>> If more details are required, I can provide them.
>>
>> That sounds perfectly logical to me.
>
> OK, then let me add to the equation. With this in the client resource in bacula-dir.conf:
>
>   TLS Require = yes
>   TLS Enable = yes
>
> And this in the bacula-fd.conf:
>
>   TLS Enable = yes
>   TLS Require = yes
>
> we get:
>
>   Fatal error: Authorization problem: Remote server did not advertise required TLS support.

When? What have you done, started the daemons?

> If I remove TLS Require = yes from bacula-dir.conf, status works just fine.

Oh, so you are doing some Status command. From what (bconsole?), and what kind of status command? And what is defined in the bconsole (or whatever) conf file concerning TLS?
Re: [Bacula-users] [Bacula-devel] TLS - required/enabled
On 4 Sep 2006 at 17:42, Kern Sibbald wrote:
> On Monday 04 September 2006 16:53, Dan Langille wrote:
>> I've found that TLS Require = yes stops comms from working. I needed TLS Enable = yes. This is with a 1.38.8 Director and a bacula-client-1.38.11_1. Does that make sense?
>>
>> With just TLS Require = yes and not TLS Enable = yes, I get:
>>
>>   04-Sep 10:45 bacula-dir: *Console*.2006-09-04_10.45.22 Fatal error: Authorization problem: Remote server did not advertise required TLS support.
>>
>> If I change to TLS Enable = yes, then the status command works.
>>
>> The bacula-fd.conf specifies:
>>
>>   TLS Enable = yes
>>   TLS Require = yes
>>
>> If more details are required, I can provide them.
>
> That sounds perfectly logical to me.

OK, then let me add to the equation. With this in the client resource in bacula-dir.conf:

  TLS Require = yes
  TLS Enable = yes

And this in the bacula-fd.conf:

  TLS Enable = yes
  TLS Require = yes

we get:

  Fatal error: Authorization problem: Remote server did not advertise required TLS support.

If I remove TLS Require = yes from bacula-dir.conf, status works just fine.

-- 
Dan Langille : Software Developer looking for work
my resume: http://www.freebsddiary.org/dan_langille.php
[Bacula-users] bacula console tls
Hello,
I'm trying to get TLS going on Bacula 1.38.11. I've created and installed keys via the howto at http://www.eclectica.ca/howto/ssl-cert-howto.php. This part went fine and the relevant portions of my config are below. I've restarted the daemons and all worked fine; I did not get any errors. When I attempted to connect with bconsole I got an authorization error:

  #bconsole -c bconsole.conf
  Connecting to Director zeus:9101
  Authorization problem: Remote server requires TLS.
  Director authorization problem.
  Most likely the passwords do not agree.
  If you are using TLS, there may have been a certificate validation error during the TLS handshake.
  Please see http://www.bacula.org/rel-manual/faq.html#AuthorizationErrors for help.

I've checked that location, and I've verified the names match. I'm running a local DNS server and have added an A record for the bacula entry. I'm suspecting I have my TLS options defined incorrectly. Any help appreciated.
Thanks.
Dave.

  # host bacula.example.com
  bacula.example.com has address 192.168.0.3

bconsole.conf:

  Director {
    Name = bacula-dir
    DIRport = 9101
    address = bacula.example.com
    Password = xxx
  }

bacula-fd.conf:

  #
  # List Directors who are permitted to contact this File daemon
  #
  Director {
    Name = bacula-dir
    Password = xxx
    TLS Require = yes
    TLS Verify Peer = yes
    # Allow only the Director to connect
    TLS Allowed CN = bacula.example.com
    TLS CA Certificate File = /usr/local/etc/bacula/cacert.pem
    # This is a server certificate. It is used by connecting
    # directors to verify the authenticity of this file daemon
    TLS Certificate = /usr/local/etc/bacula/cert.pem
    TLS Key = /usr/local/etc/bacula/key.pem
  }

bacula-sd.conf:

  Storage {                             # definition of myself
    Name = bacula-sd
    SDPort = 9103                       # Director's port
    WorkingDirectory = /var/db/bacula
    Pid Directory = /var/run
    Maximum Concurrent Jobs = 20
    # These TLS configuration options are used for incoming
    # file daemon connections. Director TLS settings are handled
    # below.
    TLS Require = yes
    # Peer certificate is not required/requested -- peer validity
    # is verified by the storage connection cookie provided to the
    # File Daemon by the director.
    TLS Verify Peer = no
    TLS CA Certificate File = /usr/local/etc/bacula/cacert.pem
    # This is a server certificate. It is used by connecting
    # file daemons to verify the authenticity of this storage daemon
    TLS Certificate = /usr/local/etc/bacula/cert.pem
    TLS Key = /usr/local/etc/bacula/key.pem
  }

  #
  # List Directors who are permitted to contact Storage daemon
  #
  Director {
    Name = bacula-dir
    Password = xxx
    TLS Require = yes
    # Require the connecting director to provide a certificate
    # with the matching CN.
    TLS Verify Peer = yes
    TLS Allowed CN = bacula.example.com
    TLS CA Certificate File = /usr/local/etc/bacula/cacert.pem
    # This is a server certificate. It is used by the connecting
    # director to verify the authenticity of this storage daemon
    TLS Certificate = /usr/local/etc/bacula/cert.pem
    TLS Key = /usr/local/etc/bacula/key.pem
  }

  Device {
    Name = FileStorage
    Media Type = File
    Archive Device = /backup/bacula
    LabelMedia = yes;                   # lets Bacula label unlabeled media
    Random Access = Yes;
    AutomaticMount = yes;               # when device opened, read it
    RemovableMedia = no;
    AlwaysOpen = no;
  }

bacula-dir.conf:

  Director {                            # define myself
    Name = bacula-dir
    DIRport = 9101                      # where we listen for UA connections
    QueryFile = /usr/local/share/bacula/query.sql
    WorkingDirectory = /var/db/bacula
    PidDirectory = /var/run
    Maximum Concurrent Jobs = 3
    Password = xxx
    Messages = Daemon
    TLS Require = yes
    TLS Verify Peer = yes
    TLS Allowed CN = [EMAIL PROTECTED]
    TLS CA Certificate File = /usr/local/etc/bacula/cacert.pem
    # This is a server certificate
    # used for incoming console connections from the first client
    TLS Certificate = /usr/local/etc/bacula/cert.pem
    TLS Key = /usr/local/etc/bacula/key.pem
  }

  # Definition of file storage device
  Storage {
    Name = File
    Address = bacula.example.com        # N.B. Use a fully qualified name here
    SDPort = 9103
    Password = xxx
    Device = FileStorage
    Media Type = File
    TLS Require = yes
    TLS CA Certificate File = /usr/local/etc/bacula/cacert.pem
    # This is a client certificate, used by the director to
    # connect to the storage daemon
    TLS Certificate = /usr/local/etc/bacula/cert.pem
    TLS Key = /usr/local/etc/bacula/key.pem
  }
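Two messages in this thread approach the same artifacts from opposite ends: Adrián asks how to generate the ca.pem, cert.pem and key.pem that the TLS directives point at, and Dave's bconsole failure above ends with the hint that a certificate validation error may have occurred during the handshake. The script below is an added example, not code from the original thread or from the Bacula project. It builds a private CA with openssl, issues one certificate per daemon, and then performs the two checks a daemon with TLS Verify Peer = yes applies to a peer: that the certificate chains to the file named in TLS CA Certificate File, and that its subject CN is the value listed in TLS Allowed CN. The output directory, the CA name and the daemon names are assumptions; the directive names are Bacula's. Because every Bacula daemon acts as both TLS client and TLS server (director to fd, fd to sd, console to director), each certificate carries both the serverAuth and clientAuth extended key usages.

```shell
#!/bin/sh
# Added example (not from the thread or the Bacula project): make a private CA
# and one certificate per Bacula daemon with openssl, then run the checks a
# daemon with "TLS Verify Peer = yes" applies to a peer certificate.
# Output directory, CA name and daemon names are assumptions.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 1; }

# make_ca DIR : writes DIR/ca.pem, the file every daemon names in
# "TLS CA Certificate File", and DIR/ca.key, which stays off the backup hosts.
make_ca() {
  dir=$1
  if [ -e "$dir/ca.key" ]; then echo "refusing to overwrite $dir/ca.key" >&2; return 1; fi
  mkdir -p "$dir"
  openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
  chmod 600 "$dir/ca.key"
  openssl req -new -x509 -key "$dir/ca.key" -sha256 -days 3650 \
    -subj "/CN=Bacula private CA" -out "$dir/ca.pem"
}

# make_daemon_cert DIR NAME CN : writes DIR/NAME/key.pem and DIR/NAME/cert.pem
# signed by DIR/ca.pem. CN must be exactly what the peers put in
# "TLS Allowed CN". Every Bacula daemon is both TLS client and TLS server
# (dir -> fd, fd -> sd, console -> dir), so the cert gets both EKUs.
make_daemon_cert() {
  dir=$1 name=$2 cn=$3
  out="$dir/$name"
  mkdir -p "$out"
  openssl genrsa -out "$out/key.pem" 2048 2>/dev/null
  chmod 600 "$out/key.pem"   # must stay readable by the daemon's own user
  openssl req -new -key "$out/key.pem" -subj "/CN=$cn" -out "$out/csr.pem"
  cat >"$out/ext.cnf" <<EOF
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth,clientAuth
subjectAltName=DNS:$cn
EOF
  openssl x509 -req -in "$out/csr.pem" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
    -CAcreateserial -sha256 -days 730 -extfile "$out/ext.cnf" \
    -out "$out/cert.pem" 2>/dev/null
  rm -f "$out/csr.pem" "$out/ext.cnf"
}

# verify_chain CA CERT : succeeds only if CERT chains to CA. This is the first
# thing a peer with "TLS Verify Peer = yes" decides about a presented cert.
verify_chain() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# cert_cn CERT : prints the subject CN, the value compared with "TLS Allowed CN".
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# self_check : shows why the CA file, not the CN, is what authenticates a peer:
# a certificate with the same CN issued by another CA is rejected.
self_check() {
  scratch=$(mktemp -d)
  make_ca "$scratch/ca"
  make_daemon_cert "$scratch/ca" dir bacula.example.com
  make_ca "$scratch/rogue"
  make_daemon_cert "$scratch/rogue" dir bacula.example.com
  verify_chain "$scratch/ca/ca.pem" "$scratch/ca/dir/cert.pem" \
    && echo "own CA:   accepted, CN=$(cert_cn "$scratch/ca/dir/cert.pem")"
  verify_chain "$scratch/ca/ca.pem" "$scratch/rogue/dir/cert.pem" \
    || echo "rogue CA: rejected although CN=$(cert_cn "$scratch/rogue/dir/cert.pem")"
  rm -rf "$scratch"
}

# Usage: sh bacula-tls-certs.sh DIR NAME CN
#        e.g. sh bacula-tls-certs.sh /usr/local/etc/ssl backup1 bacula.example.com
# With no arguments it only runs the self-check in a scratch directory.
if [ $# -ge 3 ]; then
  make_ca "$1"
  make_daemon_cert "$1" "$2" "$3"
  verify_chain "$1/ca.pem" "$1/$2/cert.pem" && echo "chain OK, CN=$(cert_cn "$1/$2/cert.pem")"
else
  self_check
fi
```

Run it with the directory, daemon name and CN as arguments to reproduce the layout from Adrián's message, then point TLS CA Certificate File at ca.pem and the daemon's TLS Certificate and TLS Key at backup1/cert.pem and backup1/key.pem. The self-check is the part worth remembering: a certificate with the right CN but issued by a different CA fails verify_chain, so TLS Allowed CN only narrows which of your own CA's certificates a peer accepts; it is not an authentication mechanism on its own. Keep ca.key off the backup hosts, and make sure key.pem is readable by the user the daemon runs as, which is the permission problem raised in the "unable to load certification information" exchange above.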