Humphrey, You will want to install bacula using the community repo. I have bacula community installed on 3 different machines, with a mix of physical and virtual.
1. Get your bacula community repository key at the link below. It will claim that it will email you. maybe it will, maybe it won't. if it doesn't, get your key from the page that loads after you complete the 3 field 'contact us' type form on the page linked below. note that it looks like a contact us form, but it's actually how your register for your key. Look for this text in the middle of the page: "You may now access the bacula binaries located here <https://www.bacula.org/packages/REDACTED> (please bookmark this link)." <-- I redacted my key, but you get the idea. https://www.bacula.org/bacula-binary-package-download/ 2. read the installation guide linked below. it was last updated in the days of centos 7, so some changes have occurred since then. however, the general principles still apply. One of the biggest new changes is that rocky linux 9 doesn't allow sha1 signed packages by default. Bacula is signed by a sha1 package. yes this needs fixed, no it hasn't been fixed yet. your only solution will be to globally enable sha1 hashes, or disable crypto signature checking for the bacula package only. https://bacula.org/whitepapers/CommunityInstallationGuide.pdf 3. I have a playbook I use to set these systems up. it looks like a bash script. it IS NOT a bash script. you must read through it and make changes periodically. in particular, I have redacted my bacula repo key. use your own. Also, my last setup was with bacula 15.0.2. I believe 15.0.3 is out now, and you should probably use that instead. paste the repo link into a browser, go back, and find the el9 repo for the most recent version of bacula. use that link instead. plz note that in the instructions I specify to globally enable sha1 package signing. At this point, I might actually prefer to set "gpgcheck=0" for bacula only. Your call. I mention disabling sha1 signing after installing bacula, and it seems that this might cause some annoying messages later. See attached file. Robert Gerber 402-237-8692 r...@craeon.net On Fri, Aug 8, 2025, 10:29 PM Humphrey Bryant via Bacula-users < bacula-users@lists.sourceforge.net> wrote: > Hey All, > > Is it possible to install Bacula-Community from a repository for Rocky > Linux 9.6 ? > > I just finished setup a Rocky Linux 9.6 server which comes with Bacula > Community 11.0.1 as the default in their Base Repo. I am currently running > bacula 13.0.3 on a CentOS 7.x Server that I am trying to retire so I dont > want to downgrade Bacula. Can someone please provide some steps or links to > access a Bacula Repo with Bacula 13 or 15 to install on Rocky Linux 9.6. > > Thanks in advance > > Regards, > > -- > > _______________________________________________ > Bacula-users mailing list > Bacula-users@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/bacula-users >
Bacula rocky 9 install and configuration process ************ # most of the following has to be done as root. I'm assuming you've done "sudo su -" prior to start. # RL 9 doesn't allow sha1 signing by default. gotta enable it for bacula, and then disable it when we're done. # this is a global allowance, and we don't want that by default since SHA1 is increasingly insecure. update-crypto-policies --set DEFAULT:SHA1 # reboot after this to make sure policy takes effect. Also, verify that the setting took properly with update-crypto-policies --show # import bacula project key cd /tmp wget https://www.bacula.org/downloads/Bacula-4096-Distribution-Verification-key.asc rpm --import Bacula-4096-Distribution-Verification-key.asc rm /tmp/Bacula-4096-Distribution-Verification-key.asc -f #We can verify which keys have been imported to the system like this: rpm -qa gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n' # https://www.bacula.org/packages/REDACTED # Add the following entries to your /etc/yum.repos.d/Bacula.repo file: nano /etc/yum.repos.d/Bacula.repo # note this URL is customized from the install guide to be for RHEL 9! [Bacula-Community] name=CentOS - Bacula - Community baseurl=https://www.bacula.org/packages/REDACTED/rpms/15.0.2/el9/x86_64/ enabled=1 protect=0 gpgcheck=1 # we want to disable all the bacula packages in every repo except the Bacula Community repo. Bacula packages from other repos can break bacula installs from the bacula community repo. # find all bacula packages on every repo with dnf list|grep -i bacula # the repo names will be listed on the right side of the screen. make a note of every repo listed there that ISN'T the bacula community repo. # we will add an exclude line to every repo but the bacula community repo. This is better than adding a global exclude to the /etc/yum.conf file. # list all repo files on the system find /etc/yum.repos.d/ -type f -name '*.repo' # there should certainly be bacula packages in the appstream repo, and maybe in any enabled sub-repos like appstream-debuginfo, appstream-source, etc. # for rocky linux, the appstream repos are in the /etc/yum.repos.d/rocky.repo nano /etc/yum.repos.d/rocky.repo # for alma linux, the appstream repos are located in /etc/yum.repos.d/almalinux-appstream.repo nano /etc/yum.repos.d/almalinux-appstream.repo # In either case, locate the text blocks for any enabled repo that is showing bacula packages, and put at the bottom of the text block: exclude=bacula* # save and exit. # install postgresql and bacula yum install postgresql-server -y service postgresql initdb #output: Hint: the preferred way to do this is now "/usr/bin/postgresql-setup --initdb --unit postgresql" yum install chkconfig -y chkconfig postgresql on yum install bacula-postgresql -y systemctl start postgresql.service su - postgres /opt/bacula/scripts/create_postgresql_database /opt/bacula/scripts/make_postgresql_tables /opt/bacula/scripts/grant_postgresql_privileges exit # give bacula user a shell so I can su into that user chsh -s /bin/bash bacula # add bacula user to tape group usermod -a -G tape bacula # add bacula user to smb_backup group usermod -aG smb_backup bacula # start bacula /opt/bacula/scripts/bacula start # maybe use systemctl start bacula-* instead? systemctl start bacula-dir.service bacula-fd.service bacula-sd.service systemctl status bacula-dir.service bacula-fd.service bacula-sd.service # give my user rwx access to bacula dir. used so I can filezilla into the server and edit stuff from windows setfacl -R -m TYPEYOURUSERNAMEHERE:rwx /opt/bacula/ # make symlinks to all bacula programs in /usr/sbin so they can be ran without a full path cp /opt/bacula/bin/* /usr/sbin -s # If bacula will interact with any bacula components that aren't local to the bacula server # (ie, FD on other machines), enable the RL9 default bacula firewall rule. # please note that this appears to open ports 9101-9103. Not sure if all that is needed. # load the new firewall rule firewall-cmd --add-service=bacula # make firewall settings persist across reboots firewall-cmd --runtime-to-permanent # check active firewall rules firewall-cmd --list-services # Now that bacula is installed, and assuming we don't need to install any more bacula packages, # we should revert the system crypto policies back to their defaults to no longer allow SHA1 to authenticate packages. # We will need to change the crypto policies to allow SHA1 if we need to install or reinstall any packages from the bacula community repo. # view the active policy: update-crypto-policies --show # revert the policy to the system defaults: update-crypto-policies --set DEFAULT # verify the active policy has changed: update-crypto-policies --show # reboot the system # there is a side effect to this crypto policy reversion: # dnf will throw informational errors every time you run it, like the one below. # warning: Signature not supported. Hash algorithm SHA1 not available. # These informational errors aren't related to any action you would be taking with dnf, # unless you were trying to install a package from the bacula community repo. # The errors are annoying and really not great. We'll see what solution is found in time. # perhaps we could remove the bacula package signing key to suppress the errors. # even so, globally allowing the use of SHA1 signed packages is really undesirable from a security perspective. # I'm not aware of a way to allow the use of SHA1 for ONLY the bacula community repo, and not anything else. # we could disable gpg checking in the repo file, but that seems even worse. more granular, but worse. # probably the best solution is to remove the bacula community key after all desired packages are installed. # ... ugh.
_______________________________________________ Bacula-users mailing list Bacula-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/bacula-users
