Re: [Bacula-users] Restoring encrypted files to a different host

[Dan Langille]

On Wed, Mar 24, 2021, at 3:37 PM, Shawn Rappaport wrote:
> What do I need to do in order to be able to restore from one server to the 
> other? Do I need to copy the private key from portal02-px to portal01-px and 
> update bacula-fd.conf on them as well? 

Yes, but note, I have never tried this.

> If so, what would I put in bacula-fd.conf?

Basically, the same as what you had in the other client for PKI Keypair

see

https://www.bacula.org/11.0.x-manuals/en/main/Data_Encryption.html

--
  Dan Langille
  d...@langille.org

___
Bacula-users mailing list
Bacula-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bacula-users

[Bacula-users] Restoring encrypted files to a different host

[Shawn Rappaport]

I'm using TLS and encryption for some sensitive backup clients. I'm running 
Bacula 9.0.6 on the Director, Storage and Clients, all running CentOS 7.5. I 
just tried to restore some files from a server called portal02-px to a server 
called portal01-px but it failed due to a missing private key:

24-Mar 11:53 bacdirector01-lv.internal.shutterfly.com-dir JobId 143929: Start 
Restore Job RestoreFiles.2021-03-24_11.53.28_40
24-Mar 11:53 bacdirector01-lv.internal.shutterfly.com-dir JobId 143929: Using 
Device "FileChgr1-Dev1" to read.
24-Mar 11:53 bacmedia02-px.internal.shutterfly.com-sd JobId 143929: Ready to 
read from volume "tempe2-weekly-127" on File device "FileChgr1-Dev1" (/data).
24-Mar 11:53 bacmedia02-px.internal.shutterfly.com-sd JobId 143929: Forward 
spacing Volume "tempe2-weekly-127" to addr=2003871821
24-Mar 11:53 bacmedia02-px.internal.shutterfly.com-sd JobId 143929: Elapsed 
time=00:00:02, Transfer rate=4.821 K Bytes/second
24-Mar 11:53 portal01-px.internal.shutterfly.com-fd JobId 143929: Error: 
Missing private key required to decrypt encrypted backup data.
24-Mar 11:53 portal01-px.internal.shutterfly.com-fd JobId 143929: Error: 
Missing private key required to decrypt encrypted backup data.
24-Mar 11:53 portal01-px.internal.shutterfly.com-fd JobId 143929: Error: 
Missing private key required to decrypt encrypted backup data.
24-Mar 11:53 portal01-px.internal.shutterfly.com-fd JobId 143929: Error: 
Missing private key required to decrypt encrypted backup data.
24-Mar 11:53 portal01-px.internal.shutterfly.com-fd JobId 143929: Error: 
Missing private key required to decrypt encrypted backup data.
24-Mar 11:53 portal01-px.internal.shutterfly.com-fd JobId 143929: Error: 
Missing private key required to decrypt encrypted backup data.
24-Mar 11:53 bacdirector01-lv.internal.shutterfly.com-dir JobId 143929: Error: 
Bacula bacdirector01-lv.internal.shutterfly.com-dir 9.0.6 (20Nov17):
  Build OS:   x86_64-pc-linux-gnu redhat (Core)
  JobId:  143929
  Job:RestoreFiles.2021-03-24_11.53.28_40
  Restore Client: portal01-px-fd
  Start time: 24-Mar-2021 11:53:30
  End time:   24-Mar-2021 11:53:33
  Files Expected: 6
  Files Restored: 6
  Bytes Restored: 0
  Rate:   0.0 KB/s
  FD Errors:  6
  FD termination status:  Error
  SD termination status:  OK
  Termination:*** Restore Error ***

So, it seems that the way I have things configured, I can only restore to the 
same host (I was able to do that successfully).

Here are the File Daemon sections of those two servers:
FileDaemon {  # this is me
  Name = portal02-px.internal.shutterfly.com-fd
  FDport = 9102  # where we listen for the director
  WorkingDirectory = /var/bacula
  Pid Directory = /var/run
  Maximum Concurrent Jobs = 20
  Plugin Directory = /usr/lib64
  TLS Enable = yes
  TLS Require = yes
  TLS CA Certificate File = /etc/bacula/cacert.pem
  TLS Certificate = /etc/bacula/portal02-px.crt
  TLS Key = /etc/bacula/portal02-px-daemon.key
  PKI Encryption = Yes   # Enable Data Encryption
  PKI Signatures = Yes   # Enable Data Signing
  PKI Keypair = /etc/bacula/portal02-px.pem# Public and Private Keys
  PKI Master Key = /etc/bacula/bacdirector01-lv.crt   # ONLY the Public Key
}

FileDaemon {  # this is me
  Name = portal01-px.internal.shutterfly.com-fd
  FDport = 9102  # where we listen for the director
  WorkingDirectory = /opt/bacula/working
  Pid Directory = /var/run
  Maximum Concurrent Jobs = 20
  Plugin Directory = /usr/lib64
  TLS Enable = yes
  TLS Require = yes
  TLS CA Certificate File = /etc/bacula/cacert.pem
  TLS Certificate = /etc/bacula/portal01-px.crt
  TLS Key = /etc/bacula/portal01-px-daemon.key
  PKI Encryption = Yes   # Enable Data Encryption
  PKI Signatures = Yes   # Enable Data Signing
  PKI Keypair = /etc/bacula/portal01-px.pem# Public and Private Keys
  PKI Master Key = /etc/bacula/bacdirector01-lv.crt   # ONLY the Public Key
}

What do I need to do in order to be able to restore from one server to the 
other? Do I need to copy the private key from portal02-px to portal01-px and 
update bacula-fd.conf on them as well? If so, what would I put in 
bacula-fd.conf?

Thanks!

--Shawn
___
Bacula-users mailing list
Bacula-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bacula-users

Re: [Bacula-users] regression testing - more volunteers wanted

[Adolf Belka (gmail)]

Hi Dan,

Sent from my Desktop Computer

On 24/03/2021 15:29, Dan Langille wrote:

On Tue, Mar 23, 2021, at 8:26 AM, Adolf Belka (gmail) wrote:

Hi All,

Found the README.ctest file and the CDashboard url. Have successfully
run the experimental-disk script and the results have got onto the
CDashboard.

So everything seems to be working well except that the bacula configure
script does not recognise Arch Linux.

Looking at 
http://regress.bacula.org/index.php?project=Bacula-9.6=2021-03-24 I see

9.6.7-10Dec20-mysql-unknown-unknown

Are you referring to 'unknown-unknown' where as other results have 
'freebsd-12.2-RELEASE-p4'?


Yes, that is what I am referring to together with the line in the checking part 
of configure output

 === Something went wrong. Unknown DISTNAME archlinux ===

The distribution version will always be unknown because Arch Linux is a rolling 
release and does not have a version number.

Regards,

Adolf.



___
Bacula-users mailing list
Bacula-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bacula-users

Re: [Bacula-users] regression testing - more volunteers wanted

[Adolf Belka (gmail)]

Hi Dan,

Sent from my Desktop Computer

On 24/03/2021 15:27, Dan Langille wrote:

On Mon, Mar 22, 2021, at 8:23 AM, Adolf Belka (gmail) wrote:

Hi All,

I have run the regression tests and had a couple of failures. One of
those disappeared after re-running the test. The other I have re-run
with debug set and saved the output to a file. I also had a syntax error
from the regression script itself right at the end for the total time
printing.

What was the error?


  = End three-pool-disk OK 20:16:18 00:00:59 59s =
  = End 2drive-3pool-test OK 20:17:41 00:00:59 59s =
  = End 2drive-swap-test OK 20:19:14 00:01:09 69s =
End non-root virtual disk autochanger tests
End do_file tests
  File "/home/ahb/sandbox/bacula/regress/./endtime", line 16
    print 'Total time = %d:%02d:%02d or %d secs' % (h, m, sec, t - float(s))
  ^
SyntaxError: invalid syntax


I think this was at the end of running make test but it might have been from 
running ./do_disk, I can't remember any more.

However this error does not occur when I am running the ./experimental_disk or 
./nightly_disk.



___
Bacula-users mailing list
Bacula-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bacula-users

Re: [Bacula-users] regression testing - more volunteers wanted

[Dan Langille]

On Mon, Mar 22, 2021, at 8:23 AM, Adolf Belka (gmail) wrote:
> Hi All,
> 
> I have run the regression tests and had a couple of failures. One of 
> those disappeared after re-running the test. The other I have re-run 
> with debug set and saved the output to a file. I also had a syntax error 
> from the regression script itself right at the end for the total time 
> printing.

What was the error?


-- 
  Dan Langille
  d...@langille.org


___
Bacula-users mailing list
Bacula-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bacula-users

Re: [Bacula-users] regression testing - more volunteers wanted

[Dan Langille]

On Tue, Mar 23, 2021, at 8:26 AM, Adolf Belka (gmail) wrote:
> Hi All,
> 
> Found the README.ctest file and the CDashboard url. Have successfully 
> run the experimental-disk script and the results have got onto the 
> CDashboard.
> 
> So everything seems to be working well except that the bacula configure 
> script does not recognise Arch Linux.

Looking at 
http://regress.bacula.org/index.php?project=Bacula-9.6=2021-03-24 I see

9.6.7-10Dec20-mysql-unknown-unknown

Are you referring to 'unknown-unknown' where as other results have 
'freebsd-12.2-RELEASE-p4'?

-- 
  Dan Langille
  d...@langille.org


___
Bacula-users mailing list
Bacula-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bacula-users

Re: [Bacula-users] Regression testing - errors found with make setup

[Martin Simmons]

> On Mon, 22 Mar 2021 19:35:04 +0100, Adolf Belka (gmail) said:
> 
> Hi Radoslaw,
> 
> Sent from my Desktop Computer
> 
> On 22/03/2021 16:23, Radosław Korzeniewski wrote:
> > Hello,
> >
> > pon., 22 mar 2021 o 15:44 Adolf Belka (gmail)  > > napisał(a):
> >
> > Hi All,
> >
> > I initially setup the regression system with sqlite3 to prove it was 
> > working in a simple manner. This worked and I was able to run the 
> > regression tests, most of which passed.
> >
> >
> > I then changed my setup to mysql (mariadb for Arch Linux).
> >
> > I then re-ran make setup but get a whole lot of errors at the end. The 
> > following is just the end part with the errors but if the whole of the 
> > output from make setup is required I can provide that.
> >
> >
> > Any clues, from the error messages being seen, for what I have not done 
> > correctly.
> >
> >
> > Stopping the Bacula File daemon
> > Stopping the Bacula Storage daemon
> > Stopping the Bacula Director daemon
> > Running database creation scripts
> > Creating mysql database
> > ERROR 1044 (42000) at line 1: Access denied for user ''@'localhost' to 
> > database 'regress'
> >
> >
> > It seems you have no permissions (Access denied above) to create a 
> > database. No database, no regression testing.
> >
> Thanks very much for the input.
> 
> Yes, I had to add my unprivileged user into mariadb with full granting, 
> creation etc privileges and then most of the errors disappeared. I had to 
> also redo the root user as somehow the blank password had become an invalid 
> password and that was still causing some errors.
> 
> Once that was solved then I only have two errors left but they don't appear 
> to be blocking (yet) as the regression tests are running okay so far.
> 
> The need to have your unprivileged user in mariadb/mysql with granting etc 
> rights is not mentioned in the Regression instructions section of the manual.
> 
> The error messages still left are the "ERROR 1133" line and the 
> "smartall.c:418-0 Orphaned buffer" line in the output below.
> 
> I think the ERROR 1133 line may be related to the mariadb.sys user. Searching 
> found other people with the same message and it was said to be a feature of 
> that user.
> 
> The other error I have not been able to figure out at all but the disk based 
> tests all seem to be working at the moment with mysql/mariadb.
> 
> Stopping the Bacula File daemon
> Stopping the Bacula Storage daemon
> Stopping the Bacula Director daemon
> Running database creation scripts
> Creating mysql database
> Creation of regress database succeeded.
> Deletion of regress MySQL tables succeeded.
> Dropped mysql tables
> Making mysql tables
> Creation of Bacula MySQL tables succeeded.
> Granting mysql privileges
> Created MySQL database user: regress
> ERROR 1133 (28000) at line 2: Can't find any matching row in the user table
> Host    User    Password    Select_priv    Insert_priv Update_priv    
> Delete_privCreate_priv    Drop_priv Reload_priv    Shutdown_priv    
> Process_priv    File_priv Grant_priv    References_priv    Index_priv    
> Alter_priv Show_db_priv    Super_privCreate_tmp_table_priv Lock_tables_priv   
>  Execute_priv    Repl_slave_priv Repl_client_priv    Create_view_priv    
> Show_view_priv Create_routine_priv    Alter_routine_privCreate_user_priv 
> Event_priv    Trigger_priv    Create_tablespace_priv 
> Delete_history_privssl_type    ssl_cipher    x509_issuer x509_subject    
> max_questions    max_updatesmax_connections max_user_connections    plugin    
> authentication_string password_expired    is_role    default_role    
> max_statement_time
> localhost    mariadb.sys        N    N    N    N    N    N    N NN    N    N  
>   N    N    N    N    N    N    N    N    N    NN N    N    N    N    N    N  
>   N    N                00    0 0    mysql_native_password        N    N      
>   0.00
> localhost    root        Y    Y    Y    Y    Y    Y    Y    Y YY    Y    Y    
> Y    Y    Y    Y    Y    Y    Y    Y    Y    YY Y    Y    Y    Y    Y    Y    
> Y                    00    0    0 mysql_native_password        N    N        
> 0.00
> localhost    ahb        Y    Y    Y    Y    Y    Y    Y    Y YY    Y    Y    
> Y    Y    Y    Y    Y    Y    Y    Y    Y    YY Y    Y    Y    Y    Y    Y    
> Y                    00    0    0 mysql_native_password        N    N        
> 0.00
> %    regress        N    N    N    N    N    N    N    N    N NN    N    N    
> N    N    N    N    N    N    N    N    N    NN N    N    N    N    N    N    
>                 0    00    0 mysql_native_password        N    N        
> 0.00
> Privileges for user regress granted on database regress.

It looks like this error 1133 is coming from Bacula's grant_mysql_privileges
script.  Line 2 expects to find regress@localhost:

use mysql
grant all privileges on ${db_name}.* to ${db_user}@localhost ${ssl_options};
grant