Re: Debian: inetd required for amanda?
Jon LaBadie (Tue 11 Jul 2017 22:28:56 CEST):
> On Tue, Jul 11, 2017 at 03:36:48PM +0200, Heiko Schlittermann wrote:
> > Jon LaBadie (Tue 11 Jul 2017 15:27:47 CEST):
> >
> > > BTW the dash after ENVIRONMENT_FILE= is a typo?
> > > Or some systemd syntax.
> >
> > No, it is just a "conditional", if the file does not exist, it is not
> > treated as an error (as it would be without the dash).
> >
> With your normal accuracy I thought it might be some special syntax.

Sorry, probably I'm misinterpreting you… It *is* special syntax for
systemd's EnvironmentFile option.

    EnvironmentFile=/etc/default/amanda

*requires* the file to exist. But

    EnvironmentFile=-/etc/default/amanda

silently ignores the non-existing file (resulting in unset variables,
probably)

> > And, the Amanda Version I use (3.3.9) doesn't work with
> >
> >     ListenStream=10080
> >
> > As the socket is a "combined" ipv4/ipv6 socket and probably the client
> > doesn't use the proper function calls to get the peer address.
> >
> >     ListenStream=0.0.0.0:10080
> >
> > solved this for me. One should investigate it a bit more probably.
>
> On these systems the null address is not needed.
> Perhaps because I've done nothing with IPv6.

I wrote a short Perl script to find the peer's address on two of my
systems (both Debian9, using systemd 232) and put it there in place of
amandad. (Because with ListenStream=10080 amandad complained about the
peer address being 0.0.0.0, which is nonsense.)

    #!/usr/bin/perl
    # Print the peer address of the socket inherited on fd 0
    # (StandardInput=socket), once via each IO::Socket class.
    use 5.24.1;
    use strict;
    use warnings;
    use IO::Socket::INET;
    use IO::Socket::INET6;

    $| = 1;    # unbuffered output

    # Wrap fd 0 as an INET6 socket and ask for the peer address.
    eval { say 'v6: ', IO::Socket::INET6->new_from_fd(0, 'r+')->peerhost };
    say "error: $@" if $@;

    # Same fd, wrapped as an IPv4-only socket.
    eval { say 'v4: ', IO::Socket::INET->new_from_fd(0, 'r+')->peerhost };
    say "error: $@" if $@;

With ListenStream= I get an eval error for the INET socket.
With ListenStream=0.0.0.0: I get the peer's IPv4 address in both cases
(IO::Socket::INET6 internally uses functions for both address families,
whereas IO::Socket::INET only expects AF_INET (and not AF_INET6)).

I think(!), amandad does about the same.

Best regards from Dresden/Germany
Many greetings from Dresden
Heiko Schlittermann
--
SCHLITTERMANN.de internet & unix support -
Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
gnupg encrypted messages are welcome --- key ID: F69376CE -
! key id 7CBF764A and 972EAC9F are revoked since 2015-01 -
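Added example, not part of the thread and not code from amandad: one way the 0.0.0.0 symptom reported above can arise is an IPv4-only reader being handed the sockaddr_in6 that a dual-stack socket returns, where the bytes it takes for the address are the zero flowinfo field. The Python below reproduces that on a constructed address and shows a family-aware reader; it assumes Linux struct layouts, and all function names are hypothetical.

```python
import ipaddress
import os
import socket
import struct

# Assumed Linux layouts (family in host byte order, port big-endian):
#   sockaddr_in : u16 family, u16 port, 4-byte addr, 8 bytes padding
#   sockaddr_in6: u16 family, u16 port, u32 flowinfo, 16-byte addr, u32 scope_id

def build_sockaddr_in6(addr: str, port: int) -> bytes:
    """Constructed sample of what getpeername() fills in on an AF_INET6 socket."""
    head = struct.pack("=H", socket.AF_INET6) + struct.pack("!H", port)
    flowinfo = struct.pack("=I", 0)
    scope_id = struct.pack("=I", 0)
    return head + flowinfo + ipaddress.IPv6Address(addr).packed + scope_id

def naive_ipv4_parse(raw: bytes) -> str:
    """IPv4-only reader: ignores the family and takes bytes 4..8 as the address."""
    return str(ipaddress.IPv4Address(raw[4:8]))

def normalize(ip: str) -> str:
    """Unwrap ::ffff:a.b.c.d so address-based checks see the real IPv4 peer."""
    addr = ipaddress.ip_address(ip.split("%", 1)[0])  # drop any zone id
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return str(addr.ipv4_mapped)
    return str(addr)

def family_aware_parse(raw: bytes) -> str:
    """Check the family first, then read the address at the right offset."""
    (family,) = struct.unpack_from("=H", raw, 0)
    if family == socket.AF_INET:
        return str(ipaddress.IPv4Address(raw[4:8]))
    if family == socket.AF_INET6:
        return normalize(str(ipaddress.IPv6Address(raw[8:24])))
    raise ValueError(f"unexpected address family {family}")

def peer_of_fd(fd: int = 0) -> str:
    """Peer of an inherited socket, e.g. fd 0 under StandardInput=socket."""
    # socket.socket(fileno=...) detects the family itself; dup() leaves fd open.
    with socket.socket(fileno=os.dup(fd)) as s:
        return normalize(s.getpeername()[0])

if __name__ == "__main__":
    # Constructed peer: an IPv4 client seen through a dual-stack listener.
    raw = build_sockaddr_in6("::ffff:192.0.2.10", 51234)
    print("IPv4-only reader  :", naive_ipv4_parse(raw))
    print("family-aware read :", family_aware_parse(raw))
```

Binding with ListenStream=0.0.0.0:10080, as the thread does, sidesteps the problem by making the socket AF_INET, at the cost of not serving IPv6 clients.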
Re: Debian: inetd required for amanda?
On Tue, Jul 11, 2017 at 03:36:48PM +0200, Heiko Schlittermann wrote:
> Jon LaBadie (Tue 11 Jul 2017 15:27:47 CEST):
>
> > BTW the dash after ENVIRONMENT_FILE= is a typo?
> > Or some systemd syntax.
>
> No, it is just a "conditional", if the file does not exist, it is not
> treated as an error (as it would be without the dash).
>

With your normal accuracy I thought it might be some special syntax.

> And, the Amanda Version I use (3.3.9) doesn't work with
>
>     ListenStream=10080
>
> As the socket is a "combined" ipv4/ipv6 socket and probably the client
> doesn't use the proper function calls to get the peer address.
>
>     ListenStream=0.0.0.0:10080
>
> solved this for me. One should investigate it a bit more probably.

On these systems the null address is not needed.
Perhaps because I've done nothing with IPv6.

Jon
--
Jon H. LaBadie j...@jgcomp.com
11226 South Shore Rd. (703) 787-0688 (H)
Reston, VA 20190 (703) 935-6720 (C)
Re: Debian: inetd required for amanda?
Jon LaBadie (Tue 11 Jul 2017 15:27:47 CEST):
> > No, it just redirects the STDERR (if there is any) to
> > the journal, and not to the client. Or needs amandad to send (stderr)
> > output to the client?
> >
> Without investigation I assumed the log/debug files were written
> via stderr. Probably they are opened separately.

I suppose, they are opened by the daemon, because xinetd doesn't have
this functionality.

> > Hm. If the environment file is already named "amanda", I do not see
> > a reason to replicate "amanda" in the variable name. But I do not mind
> > either.
>
> When you put it that way there probably is none.
> I was thinking of possible future needs for more
> "services" variables plus child processes inheriting
> an environment containing "SERVICES".

If a child depends on such an unspecific name as SERVICES, I cannot
help :)

> BTW the dash after ENVIRONMENT_FILE= is a typo?
> Or some systemd syntax.

No, it is just a "conditional", if the file does not exist, it is not
treated as an error (as it would be without the dash).

And, the Amanda Version I use (3.3.9) doesn't work with

    ListenStream=10080

As the socket is a "combined" ipv4/ipv6 socket and probably the client
doesn't use the proper function calls to get the peer address.

    ListenStream=0.0.0.0:10080

solved this for me. One should investigate it a bit more probably.

--
Heiko
Re: Debian: inetd required for amanda?
On Tue, Jul 11, 2017 at 10:40:36AM +0200, Heiko Schlittermann wrote:
> Jon LaBadie (Tue 11 Jul 2017 07:56:28 CEST):
>
> > > > > | StandardInput=socket
> > > > > | StandardError=journal
> >
> > Does this prevent writing to amanda's normal log/debug files?
>
> No, it just redirects the STDERR (if there is any) to
> the journal, and not to the client. Or needs amandad to send (stderr)
> output to the client?
>

Without investigation I assumed the log/debug files were written
via stderr. Probably they are opened separately.

> > > Maybe this could be done via an env file /etc/default/amanda having
> > >     SERVICES="amdump amindexd amidxtaped…"
> > >
> > > and then extending the .service unit:
> > >
> > >     EnvironmentFile=-/etc/default/amanda
> > >     ExecStart=/usr/lib/amanda/amandad -auth=bsdtcp $SERVICES
> >
> > I was not aware of this capability. I think I'd pick a more specific
> > variable name, like AMANDAD_SERVICES.
>
> Hm. If the environment file is already named "amanda", I do not see
> a reason to replicate "amanda" in the variable name. But I do not mind
> either.

When you put it that way there probably is none.
I was thinking of possible future needs for more
"services" variables plus child processes inheriting
an environment containing "SERVICES".

BTW the dash after ENVIRONMENT_FILE= is a typo?
Or some systemd syntax.

jl
--
Jon H. LaBadie j...@jgcomp.com
11226 South Shore Rd. (703) 787-0688 (H)
Reston, VA 20190 (703) 935-6720 (C)
Re: Debian: inetd required for amanda?
Jon LaBadie (Tue 11 Jul 2017 07:56:28 CEST):
> > > Added "After=local-fs.target". Debian may not even have
> > > the "local-fs.target", or they may have something similar.
> >
> > Do the "After=" dependencies matter for socket activated services?
>
> I don't know. Why do you think they may not matter?

Hm. I did some investigation. The amanda.socket is WantedBy the
sockets.target. This is independent of the local-fs.target. So it may
happen, that the amanda.service starts before local-fs.target is
complete. So, yes, After=local-fs.target seems to be useful for the
amanda.service.

> > > > | StandardInput=socket
> > > > | StandardError=journal
>
> Does this prevent writing to amanda's normal log/debug files?

No, it just redirects the STDERR (if there is any) to
the journal, and not to the client. Or needs amandad to send (stderr)
output to the client?

> > Maybe this could be done via an env file /etc/default/amanda having
> >     SERVICES="amdump amindexd amidxtaped…"
> >
> > and then extending the .service unit:
> >
> >     EnvironmentFile=-/etc/default/amanda
> >     ExecStart=/usr/lib/amanda/amandad -auth=bsdtcp $SERVICES
>
> I was not aware of this capability. I think I'd pick a more specific
> variable name, like AMANDAD_SERVICES.

Hm. If the environment file is already named "amanda", I do not see
a reason to replicate "amanda" in the variable name. But I do not mind
either.

Best regards from Dresden/Germany
Many greetings from Dresden
Heiko Schlittermann
--
SCHLITTERMANN.de internet & unix support -
Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
gnupg encrypted messages are welcome --- key ID: F69376CE -
! key id 7CBF764A and 972EAC9F are revoked since 2015-01 -
Re: Debian: inetd required for amanda?
as a reference 2 units I run with gentoo linux (suggested them to the
maintainers there, is now part of gentoo):

# cat /usr/lib/systemd/system/amanda.socket
[Unit]
Description=Amanda Socket

[Socket]
ListenStream=10080
Accept=true

[Install]
WantedBy=sockets.target

# cat /usr/lib/systemd/system/amanda@.service
[Unit]
Description=Amanda Backup System
After=local-fs.target

[Service]
User=amanda
Group=amanda
ExecStart=/usr/libexec/amanda/amandad -auth=bsdtcp amdump amindexd amidxtaped
StandardInput=socket
StandardOutput=socket
Re: Debian: inetd required for amanda?
On Tue, Jul 11, 2017 at 12:49:16AM +0200, Heiko Schlittermann wrote:
> > > Jose M Calhariz (Mon 10 Jul 2017 19:51:31 CEST):
> > > …
> > > > I happily ship a systemd unit for amanda if someone writes one for the
> > > > Debian package.
> > >
> > > Here are the unit files, I created just now.
> > > The User= setting needs to be adapted probably.
> >
> > Fedora and CentOS (thus probably RHEL also) have some slight
> > variations. Plus I added a couple of additions. May not be
> > appropriate for Debian, I don't know.
>
> Thank you. Some notes though…
>
> > >
> > > ,-[the socket unit]---
> > > | # amanda.socket
> > > | [Unit]
> > > | Description=Amanda Server socket
> >
> > It is referred to as "Amanda Activation socket". I suspect
> > because it is used by both server and client.
>
> Yes, the description can follow some formalities, "Amanda Activation
> socket" reads good. Maybe even better: "Amanda Agent Activation socket",
> to avoid confusion with the "Amanda Server", the server, that controls
> the backup machinery.
>
> > > | Wants=network.target
> > > |
> > > | [Socket]
> > > | Accept=true
> > > | # need an IPv4 address, as current (3.3.9) amandad can't deal with ipv6 here
> > > | ListenStream=0.0.0.0:10080
> > > |
> > > | [Install]
> > > | WantedBy=sockets.target
> > > `
> > >
> > > ,--[the service template unit]---
> > > | # amanda@.service
> > > | [Unit]
> > > | Description=Amanda Server service
> >
> > Again, an alternative description "Amanda Backup Service"
>
> Yes, but see above. "Amanda Backup Agent service"
>
> > Added "After=local-fs.target". Debian may not even have
> > the "local-fs.target", or they may have something similar.
>
> Do the "After=" dependencies matter for socket activated services?

I don't know. Why do you think they may not matter?

I'm guessing the reason for the added "After=local-fs.target" is to
avoid starting amanda on the client before the backup source is mounted
or on the server before the holding disk and/or the vtapes are mounted.

> > > |
> > > | [Service]
> > > | User=backup <- change it to your needs
> >
> > "Group=disk" is added
>
> Tried this, but this seems to override the groups, "backup" belongs to,
> leading to "permission denied" problems when executing the amcheck
> triggered tests.
>

I haven't checked a running dump process. On my systems Amanda's
primary group is "Disk", though an Amanda login process has several
secondary groups. amcheck and other amanda programs run fine here.
I wonder why we see different effects.

> > > | StandardInput=socket
> > > | StandardError=journal

Does this prevent writing to amanda's normal log/debug files?

> > > | ExecStart=/usr/lib/amanda/amandad -auth=bsdtcp amdump amindexd amidxtaped
> >
> > Added valid commands "amdumpd" and "ambackupd" to allow server to
> > respond to recently added client requests. One such request is
> > "ambackup" which allows the client to request its own immediate
> > backup to the holding disk for later autoflush during a regular
> > amdump run. I use it for my sometimes on/sometimes off laptop.

BTW while the "Added" comment earlier meant added by fedora/centos,
here I mean "Added" by me, not the package developers.

>
> Maybe this could be done via an env file /etc/default/amanda having
>     SERVICES="amdump amindexd amidxtaped…"
>
> and then extending the .service unit:
>
>     EnvironmentFile=-/etc/default/amanda
>     ExecStart=/usr/lib/amanda/amandad -auth=bsdtcp $SERVICES

I was not aware of this capability. I think I'd pick a more specific
variable name, like AMANDAD_SERVICES.

Jon
--
Jon H. LaBadie j...@jgcomp.com
11226 South Shore Rd. (703) 787-0688 (H)
Reston, VA 20190 (703) 935-6720 (C)
Re: Debian: inetd required for amanda?
> > Jose M Calhariz (Mon 10 Jul 2017 19:51:31 CEST):
> > …
> > > I happily ship a systemd unit for amanda if someone writes one for the
> > > Debian package.
> >
> > Here are the unit files, I created just now.
> > The User= setting needs to be adapted probably.
>
> Fedora and CentOS (thus probably RHEL also) have some slight
> variations. Plus I added a couple of additions. May not be
> appropriate for Debian, I don't know.

Thank you. Some notes though…

> >
> > ,-[the socket unit]---
> > | # amanda.socket
> > | [Unit]
> > | Description=Amanda Server socket
>
> It is referred to as "Amanda Activation socket". I suspect
> because it is used by both server and client.

Yes, the description can follow some formalities, "Amanda Activation
socket" reads good. Maybe even better: "Amanda Agent Activation socket",
to avoid confusion with the "Amanda Server", the server, that controls
the backup machinery.

> > | Wants=network.target
> > |
> > | [Socket]
> > | Accept=true
> > | # need an IPv4 address, as current (3.3.9) amandad can't deal with ipv6 here
> > | ListenStream=0.0.0.0:10080
> > |
> > | [Install]
> > | WantedBy=sockets.target
> > `
> >
> > ,--[the service template unit]---
> > | # amanda@.service
> > | [Unit]
> > | Description=Amanda Server service
>
> Again, an alternative description "Amanda Backup Service"

Yes, but see above. "Amanda Backup Agent service"

> Added "After=local-fs.target". Debian may not even have
> the "local-fs.target", or they may have something similar.

Do the "After=" dependencies matter for socket activated services?

> > |
> > | [Service]
> > | User=backup <- change it to your needs
>
> "Group=disk" is added

Tried this, but this seems to override the groups, "backup" belongs to,
leading to "permission denied" problems when executing the amcheck
triggered tests.

>
> > | StandardInput=socket
> > | StandardError=journal
> > | ExecStart=/usr/lib/amanda/amandad -auth=bsdtcp amdump amindexd amidxtaped
>
> Added valid commands "amdumpd" and "ambackupd" to allow server to
> respond to recently added client requests. One such request is
> "ambackup" which allows the client to request its own immediate
> backup to the holding disk for later autoflush during a regular
> amdump run. I use it for my sometimes on/sometimes off laptop.

Maybe this could be done via an env file /etc/default/amanda having

    SERVICES="amdump amindexd amidxtaped…"

and then extending the .service unit:

    EnvironmentFile=-/etc/default/amanda
    ExecStart=/usr/lib/amanda/amandad -auth=bsdtcp $SERVICES

--
Heiko
Re: Debian: inetd required for amanda?
On Mon, Jul 10, 2017 at 11:18:22PM +0200, Heiko Schlittermann wrote:
> Jose M Calhariz (Mon 10 Jul 2017 19:51:31 CEST):
> …
> > I happily ship a systemd unit for amanda if someone writes one for the
> > Debian package.
>
> Here are the unit files, I created just now.
> The User= setting needs to be adapted probably.

Fedora and CentOS (thus probably RHEL also) have some slight
variations. Plus I added a couple of additions. May not be
appropriate for Debian, I don't know.

>
> ,-[the socket unit]---
> | # amanda.socket
> | [Unit]
> | Description=Amanda Server socket

It is referred to as "Amanda Activation socket". I suspect
because it is used by both server and client.

> | Wants=network.target
> |
> | [Socket]
> | Accept=true
> | # need an IPv4 address, as current (3.3.9) amandad can't deal with ipv6 here
> | ListenStream=0.0.0.0:10080
> |
> | [Install]
> | WantedBy=sockets.target
> `
>
> ,--[the service template unit]---
> | # amanda@.service
> | [Unit]
> | Description=Amanda Server service

Again, an alternative description "Amanda Backup Service"

Added "After=local-fs.target". Debian may not even have
the "local-fs.target", or they may have something similar.

> |
> | [Service]
> | User=backup <- change it to your needs

"Group=disk" is added

> | StandardInput=socket
> | StandardError=journal
> | ExecStart=/usr/lib/amanda/amandad -auth=bsdtcp amdump amindexd amidxtaped

Added valid commands "amdumpd" and "ambackupd" to allow server to
respond to recently added client requests. One such request is
"ambackup" which allows the client to request its own immediate
backup to the holding disk for later autoflush during a regular
amdump run. I use it for my sometimes on/sometimes off laptop.

> `--
>
>
> Best regards from Dresden/Germany
> Many greetings from Dresden
> Heiko Schlittermann
> --
> SCHLITTERMANN.de internet & unix support -
> Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
> gnupg encrypted messages are welcome --- key ID: F69376CE -
> ! key id 7CBF764A and 972EAC9F are revoked since 2015-01 -
>>> End of included message <<<

--
Jon H. LaBadie j...@jgcomp.com
11226 South Shore Rd. (703) 787-0688 (H)
Reston, VA 20190 (703) 935-6720 (C)
Re: Debian: inetd required for amanda?
Jose M Calhariz (Mon 10 Jul 2017 19:51:31 CEST):
…
> I happily ship a systemd unit for amanda if someone writes one for the
> Debian package.

Here are the unit files, I created just now.
The User= setting needs to be adapted probably.

,-[the socket unit]---
| # amanda.socket
| [Unit]
| Description=Amanda Server socket
| Wants=network.target
|
| [Socket]
| Accept=true
| # need an IPv4 address, as current (3.3.9) amandad can't deal with ipv6 here
| ListenStream=0.0.0.0:10080
|
| [Install]
| WantedBy=sockets.target
`

,--[the service template unit]---
| # amanda@.service
| [Unit]
| Description=Amanda Server service
|
| [Service]
| User=backup <- change it to your needs
| StandardInput=socket
| StandardError=journal
| ExecStart=/usr/lib/amanda/amandad -auth=bsdtcp amdump amindexd amidxtaped
`--

Best regards from Dresden/Germany
Many greetings from Dresden
Heiko Schlittermann
--
SCHLITTERMANN.de internet & unix support -
Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
gnupg encrypted messages are welcome --- key ID: F69376CE -
! key id 7CBF764A and 972EAC9F are revoked since 2015-01 -
Re: Debian: inetd required for amanda?
On Mon, Jul 10, 2017 at 01:37:21PM -0500, Jason L Tibbitts III wrote:
> > "JMC" == Jose M Calhariz writes:
>
> JMC> I happily ship a systemd unit for amanda if someone writes one for
> JMC> the Debian package.
>
> Amanda in Fedora has been socket-activated for years. Feel free to grab
> the relevant units from our git tree:
> https://src.fedoraproject.org/cgit/rpms/amanda.git/tree/
>
> - J<
>
>

I will then do that. Thank you for the pointer.

Kind regards
Jose M Calhariz

--
--
Your son wears a skirt and doesn't sleep with anyone? Relax, maybe he's
a priest.
Re: Debian: inetd required for amanda?
> "JMC" == Jose M Calhariz writes:

JMC> I happily ship a systemd unit for amanda if someone writes one for
JMC> the Debian package.

Amanda in Fedora has been socket-activated for years. Feel free to grab
the relevant units from our git tree:
https://src.fedoraproject.org/cgit/rpms/amanda.git/tree/

 - J<
Re: Debian: inetd required for amanda?
On Mon, Jul 10, 2017 at 05:32:25PM +0200, Heiko Schlittermann wrote:
> Lorenzo Marcantonio (Mon 10 Jul 2017 13:23:36 CEST):
> > On Mon, Jul 10, 2017 at 04:30:34AM -0600, Charles Curley wrote:
> > > It seems that inetd is required for amanda 1:3.3.9-5 on Debian 9
> > > (stretch). In the days of SSH, is this necessary? I have no use for it,
> > > and if it isn't installed it can't be cracked.
> >
> > Amanda needs some kind of way to be launched when somebody knocks on a
> > port, when using standard authentication. Would that be inetd, xinetd or
> > some tool from daemontool/s6 or maybe probably systemd.
>
> Modern Debian systems are shipped with systemd. So I suggest distributing
> systemd socket unit files for use with Amanda. It is up to the admin, to
> use these units or to set up (x)inetd or some other tool.
>
> Best regards from Dresden/Germany
> Many greetings from Dresden
> Heiko Schlittermann

I happily ship a systemd unit for amanda if someone writes one for the
Debian package.

Kind regards
Jose M Calhariz

--
--
Everyone who studies business administration should, upon leaving
college, sign an irrevocable contract promising to make no more than
twenty major decisions over the course of their life
--Warren Buffett
Re: Debian: inetd required for amanda?
Lorenzo Marcantonio (Mon 10 Jul 2017 13:23:36 CEST):
> On Mon, Jul 10, 2017 at 04:30:34AM -0600, Charles Curley wrote:
> > It seems that inetd is required for amanda 1:3.3.9-5 on Debian 9
> > (stretch). In the days of SSH, is this necessary? I have no use for it,
> > and if it isn't installed it can't be cracked.
>
> Amanda needs some kind of way to be launched when somebody knocks on a
> port, when using standard authentication. Would that be inetd, xinetd or
> some tool from daemontool/s6 or maybe probably systemd.

Modern Debian systems are shipped with systemd. So I suggest distributing
systemd socket unit files for use with Amanda. It is up to the admin, to
use these units or to set up (x)inetd or some other tool.

Best regards from Dresden/Germany
Many greetings from Dresden
Heiko Schlittermann
--
SCHLITTERMANN.de internet & unix support -
Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
gnupg encrypted messages are welcome --- key ID: F69376CE -
! key id 7CBF764A and 972EAC9F are revoked since 2015-01 -
Re: Debian: inetd required for amanda?
On Mon, Jul 10, 2017 at 04:30:34AM -0600, Charles Curley wrote:
> It seems that inetd is required for amanda 1:3.3.9-5 on Debian 9
> (stretch). In the days of SSH, is this necessary? I have no use for it,
> and if it isn't installed it can't be cracked.

Amanda needs some kind of way to be launched when somebody knocks on a
port, when using standard authentication. Would that be inetd, xinetd or
some tool from daemontool/s6 or maybe probably systemd.

Also it can transport using ssh but this is more difficult to set up and
doesn't support the windows client.

--
Lorenzo Marcantonio
Re: Debian: inetd required for amanda?
On Mon, Jul 10, 2017 at 04:30:34AM -0600, Charles Curley wrote:
> It seems that inetd is required for amanda 1:3.3.9-5 on Debian 9
> (stretch). In the days of SSH, is this necessary? I have no use for it,
> and if it isn't installed it can't be cracked.
>

Maybe I should change that and make inetd a suggest. The days of inetd
being secure are in the past.

Please open a bug report, so I do not forget to do the changes.

Kind regards
Jose M Calhariz

--
--
We cannot see radioactivity, and unknown enemies are the worst
--From a Chernobyl victim
Debian: inetd required for amanda?
It seems that inetd is required for amanda 1:3.3.9-5 on Debian 9
(stretch). In the days of SSH, is this necessary? I have no use for it,
and if it isn't installed it can't be cracked.

--
The right of the people to be secure in their persons, houses, papers,
and effects, against unreasonable searches and seizures, shall not be
violated, and no Warrants shall issue, but upon probable cause,
supported by Oath or affirmation, and particularly describing the
place to be searched, and the persons or things to be seized.
-- U.S. Const. Amendment IV

Key fingerprint = CE5C 6645 A45A 64E4 94C0 809C FFF6 4C48 4ECD DFDB