[Bacula-users] How to handle periods when wanting to preserve long time backups
Good afternoon, We are running Bacula with Postgresql on Solaris and all is fine. I understand the different retetion periods that Bacula handles and so but have a problem. I wanted to be doing two kind of different backups. I do explain. One of them is the daily backup. The daily backup consists on : - Monday -> Full backup - rest of the days -> Inc backup I keep this backups and catalogs during three weeks but seting the following retention periods : - File retention = 21 days - Job retention = 22 days - Volume retention = 23 days But now is when the second kind of backup comes I wanted too, to preserve the following backups too : - One full backup per month - One inc backup per week Keep them for two years. So, obviously I need to set different retention periods for this backup. I have though using a different pool and catalog and using different file, job and volume retention but I have seen that File retention is per client assigned. So I can't set two different file retention for the same client even when I use different catalogs for each backup kind. How would you recommend me to handle this task with Bacula?. By the way... I'm interested on being able to restore by file for month to month backups and a restoration should be fast... can't take ages for restoring full backup or for generating a catalog with which later can restore by file granularity level I can say I have a good in resources, buffers and so, Postgresql server... but that's all... I needed to be able to restore... without spending too many time in creating catalogs and so At present I have been doing some sort of this... but have had to generate a different client for the same machine... in order to use different file retention periods... and wanted to know if exists a better way of achieving all this... thanks a lot mates Any ideas mates?, Best regards, -- Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot ___ Bacula-users mailing list Bacula-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/bacula-users
Re: [Bacula-users] Question about bacula and tls
Thank you so much to all of you :) :) > El 2 oct 2015, a las 12:54, Josh Fisher <jfis...@pvct.com> escribió: > > > > On 10/2/2015 2:47 AM, Egoitz Aurrekoetxea wrote: >> Good morning mates, >> >> Apologies for my very very late response…. >> >> Just one question for confirming, in Josh’s third point, when sais : >> >>> Level 3: >>> # This level requires encryption and that the certificate presented by >>> the peer be signed by a trusted CA >> >> It means a CA in CA certificate file OR a public key CA in the “TLS CA >> Certificate Dir”, isn’t it?. > > Yes. > >> >> >>> El 1/10/2015, a las 16:09, Ana Emília M. Arruda <emiliaarr...@gmail.com >>> <mailto:emiliaarr...@gmail.com>> escribió: >>> >>> Hello Egoitz, >>> >>> Is this thread clear? If you have your own dedicated CA, then take care of >>> her :). This way and having level 4 bacula TLS configured as Josh >>> explained, then your communication will be "secure" (never say that we are >>> 100% secure...). >>> >> >> >> Thank you so much :) :) to all of you mates, you have helped me tons of it >> :) :) :) really :) :) >> >> >>> Thank you very much Josh. >>> >>> Best regards, >>> Ana >>> >>> >>> >>> On Wed, Sep 30, 2015 at 11:22 AM, Josh Fisher < >>> <mailto:jfis...@pvct.com>jfis...@pvct.com <mailto:jfis...@pvct.com>> wrote: >>> >>> >>> On 9/30/2015 3:18 AM, Egoitz Aurrekoetxea wrote: >>>> Hi Ana!! >>>> >>>> Really thanks for answering my doubts :) >>>> >>>> I do answer in black below... >>>> >>>>> El 30/9/2015, a las 6:24, Ana Emília M. Arruda < >>>>> <mailto:emiliaarr...@gmail.com>emiliaarr...@gmail.com >>>>> <mailto:emiliaarr...@gmail.com>> escribió: >>>>> >>>>> >>>>> On Mon, Sep 28, 2015 at 6:20 PM, Egoitz Aurrekoetxea < >>>>> <mailto:ego...@ramattack.net>ego...@ramattack.net >>>>> <mailto:ego...@ramattack.net>> wrote: >>>>> Good night, >>>>> >>>>> >>>>> Yes, you can have certificates from different CA in each side, you just >>>>> need to inform the CA correctly for peer verification. How did you >>>>> generated your certificates? Do you have a CA and signed them properly? >>>> >>>> I have an own dedicated CA for Bacula systems. One of the things I was >>>> trying to get with TLS is the fact that like both sides know the CA public >>>> key, they to be able to check if the information received in each side >>>> because of the other side’s sent data in unaltered due to a possible MITM >>>> issue. I mean, could I with verify peer ensure that if someone tries to do >>>> a MITM won’t succeed because both sides know the CA allowed to >>>> be used in signed certs?. So an attacker doing a signed certificate with a >>>> new CA (CA of the attacker for signing the attacking used certificate) >>>> won’t be able then to inject content in dir and fd dialogue or fd and sd >>>> dialogue?. >>>> Or at least if it does, do each side, the sd, fd or the dir, interrupt the >>>> connection and stop the job notifying?. >>>> >>> >>> Think of it as 5 different security levels. >>> >>> Level 0: >>># Data is transmitted as plain text >>> TLS Enable = no >>> >>> Level 1: >>> # This level allows opportunistic encryption if the peer chooses, or >>> the peer can communicate in plain text. >>> TLS Enable = yes >>> TLS Require = no >>> TLS Verify Peer = no >>> TLS Certificate = /etc/bacula/cert.pem >>> TLS Key = /etc/bacula/key.pem >>> TLS CA Certificate File = /path/to/system/cafile >>> >>> Level 2: >>> # This level requires encryption of data. Any certificate will do, even >>> a self-signed certificate. >>> TLS Enable = yes >>> TLS Require = yes >>> TLS Verify Peer = no >>> TLS Certificate = /etc/bacula/cert.pem >>> TLS Key = /etc/bacula/key.pem >>> TLS CA Certificate File = /path/to/system/cafile >>> >>> Level 3: >>> #
Re: [Bacula-users] Question about bacula and tls
Good morning mates, Apologies for my very very late response…. Just one question for confirming, in Josh’s third point, when sais : > Level 3: > # This level requires encryption and that the certificate presented by > the peer be signed by a trusted CA It means a CA in CA certificate file OR a public key CA in the “TLS CA Certificate Dir”, isn’t it?. > El 1/10/2015, a las 16:09, Ana Emília M. Arruda <emiliaarr...@gmail.com> > escribió: > > Hello Egoitz, > > Is this thread clear? If you have your own dedicated CA, then take care of > her :). This way and having level 4 bacula TLS configured as Josh explained, > then your communication will be "secure" (never say that we are 100% > secure...). > Thank you so much :) :) to all of you mates, you have helped me tons of it :) :) :) really :) :) > Thank you very much Josh. > > Best regards, > Ana > > > > On Wed, Sep 30, 2015 at 11:22 AM, Josh Fisher <jfis...@pvct.com > <mailto:jfis...@pvct.com>> wrote: > > > On 9/30/2015 3:18 AM, Egoitz Aurrekoetxea wrote: >> Hi Ana!! >> >> Really thanks for answering my doubts :) >> >> I do answer in black below... >> >>> El 30/9/2015, a las 6:24, Ana Emília M. Arruda <emiliaarr...@gmail.com >>> <mailto:emiliaarr...@gmail.com>> escribió: >>> >>> >>> On Mon, Sep 28, 2015 at 6:20 PM, Egoitz Aurrekoetxea < >>> <mailto:ego...@ramattack.net>ego...@ramattack.net >>> <mailto:ego...@ramattack.net>> wrote: >>> Good night, >>> >>> >>> Yes, you can have certificates from different CA in each side, you just >>> need to inform the CA correctly for peer verification. How did you >>> generated your certificates? Do you have a CA and signed them properly? >> >> I have an own dedicated CA for Bacula systems. One of the things I was >> trying to get with TLS is the fact that like both sides know the CA public >> key, they to be able to check if the information received in each side >> because of the other side’s sent data in unaltered due to a possible MITM >> issue. I mean, could I with verify peer ensure that if someone tries to do a >> MITM won’t succeed because both sides know the CA allowed to >> be used in signed certs?. So an attacker doing a signed certificate with a >> new CA (CA of the attacker for signing the attacking used certificate) won’t >> be able then to inject content in dir and fd dialogue or fd and sd dialogue?. >> Or at least if it does, do each side, the sd, fd or the dir, interrupt the >> connection and stop the job notifying?. >> > > Think of it as 5 different security levels. > > Level 0: ># Data is transmitted as plain text > TLS Enable = no > > Level 1: > # This level allows opportunistic encryption if the peer chooses, or the > peer can communicate in plain text. > TLS Enable = yes > TLS Require = no > TLS Verify Peer = no > TLS Certificate = /etc/bacula/cert.pem > TLS Key = /etc/bacula/key.pem > TLS CA Certificate File = /path/to/system/cafile > > Level 2: > # This level requires encryption of data. Any certificate will do, even a > self-signed certificate. > TLS Enable = yes > TLS Require = yes > TLS Verify Peer = no > TLS Certificate = /etc/bacula/cert.pem > TLS Key = /etc/bacula/key.pem > TLS CA Certificate File = /path/to/system/cafile > > Level 3: > # This level requires encryption and that the certificate presented by > the peer be signed by a trusted CA > TLS Enable = yes > TLS Require = yes > TLS Verify Peer = yes > TLS Certificate = /etc/bacula/cert.pem > TLS Key = /etc/bacula/key.pem > TLS CA Certificate File = /path/to/system/cafile > > Level 4: > # This level requires encryption and that the certificate presented by > the peer be signed by a trusted CA > # and that the certificate have a specific CN > TLS Enable = yes > TLS Require = yes > TLS Verify Peer = yes > TLS Allowed CN = "some.client.common.name > <http://some.client.common.name/>" > TLS Certificate = /etc/bacula/cert.pem > TLS Key = /etc/bacula/key.pem > TLS CA Certificate File = /path/to/system/cafile > > > As for a MiTM attack, keep in mind that an active attack is harder than a > passive attack. Even opportunistic encryption with self-signed certs protects > against passive snooping. Protecting against an active MiTM attack requires > authentication. Heartbleed bug aside, level 3 means that the attacker mu
Re: [Bacula-users] Question about bacula and tls
Hi Ana!! Really thanks for answering my doubts :) I do answer in black below... > El 30/9/2015, a las 6:24, Ana Emília M. Arruda <emiliaarr...@gmail.com> > escribió: > > > On Mon, Sep 28, 2015 at 6:20 PM, Egoitz Aurrekoetxea <ego...@ramattack.net > <mailto:ego...@ramattack.net>> wrote: > Good night, > > Good night Egoitz. Sorry for my late reply. > > > First of all thanks a lot for your time :) > > Thank you for this thread :) Thanks to you always :) > > >> El 28/9/2015, a las 21:46, Ana Emília M. Arruda <emiliaarr...@gmail.com >> <mailto:emiliaarr...@gmail.com>> escribió: >> >> Hello, >> >> The TLS enable do not force the use of TLS. For example, if you configure >> your director with TLS enable = yes and TLS require = no, clients can >> communicate with your director with or without TLS. But if you configure >> your director with both TLS enable and TLS require = yes, then all your >> clients and storage daemons will only be able to communicate with your >> director with TLS. >> > > Yes, this is clear > > >> If you do not set TLS Verify Peer or TLS Allowed CN, then you can use any >> Certificate File or Directory. The certificate CN will not be checked >> against the Certificate File or Directory configured. > > what do you mean? any ca or ca path for each side cert? I could use > certificates from different ca in each side?. Even having the proper cn, this > doesn’t worked in my testing env (which doesn’t use tis verify peer or tls > allowed cn) … you mean the certificate won’t be checked if it was created by > the ca_certificate file's ca? Sorry can’t understand this... > > Yes, you can have certificates from different CA in each side, you just need > to inform the CA correctly for peer verification. How did you generated your > certificates? Do you have a CA and signed them properly? I have an own dedicated CA for Bacula systems. One of the things I was trying to get with TLS is the fact that like both sides know the CA public key, they to be able to check if the information received in each side because of the other side’s sent data in unaltered due to a possible MITM issue. I mean, could I with verify peer ensure that if someone tries to do a MITM won’t succeed because both sides know the CA allowed to be used in signed certs?. So an attacker doing a signed certificate with a new CA (CA of the attacker for signing the attacking used certificate) won’t be able then to inject content in dir and fd dialogue or fd and sd dialogue?. Or at least if it does, do each side, the sd, fd or the dir, interrupt the connection and stop the job notifying?. > > >> >> If TLS Verify Peer is enabled, then the peer´s hostname is verified against >> the subjectAltName (alternative name) and commonName attributes. This way, a >> certificate issued for myclient2.example.com <http://myclient2.example.com/> >> cannot be used, for example, by a host named myclient1.example.com >> <http://myclient1.example.com/>. Even if they are issued by your own CA (not >> a trusted root CA), you have the CN of the certificate file checked against >> the hostname (director, client or storage daemon host) that is using it. > > Are you sure? this config parameter requires to specify ca cert file or ca > path.. and the code seems to be doing a check of the remote side cert to be > issued by the ca listed in ca cert or ca path….. > > This just means the tls verify peer?. You can for instance use different ca > for bacula-dir and bacula-fd mean while one cert with one ca has as cn the > server name and the other one the bacula-fd’s daemon hostname?. Even when the > ca is not trusted?? will it work?. Sorry but this doesn’t work to me…. are > you really sure Ana? > > > If you have certificates signed by different CA's, you just need to inform > them through the "TLS CA Certificate File" or "TLS CA Certificate Dir" to > the other peer. For example, if you have director's certificate signed by CA1 > and you have client1's certificate signed by CA2, then your director will > need to know about the CA2 certificate to verify the client1 certificate. That’s it… so then even if the OS and Openssl comes with root ca certificates from known trusted CA (Thawte, Verisign, etc) a certificate signed by these CA won’t be accepted by a remote side where the ca certificate and all of it’s intermediates is not in a file in "TLS CA Certificate Dir” or is the own file in "TLS CA Certificate File”. I mean even being known in the world and by the OS running in the certificate verifying machine, if the CA certs don’t exist
[Bacula-users] Bacula Windows binaries
Good morning, Does bacula windows binaries exist available for buying for the 5.2 branch newer than the 5.2.10 ?. Best regards, -- ___ Bacula-users mailing list Bacula-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/bacula-users
Re: [Bacula-users] Bacula Windows binaries
Hi Kern, Yep I have that read but as when talking about current release in http://www.baculasystems.com/windows-binaries-for-bacula-community-users <http://www.baculasystems.com/windows-binaries-for-bacula-community-users> it talks about 7.0.5 I was wondering if perhaps a bacula-fd 5.2.13 existed. So then yes isn’t it?, Thank you so much, Regards, > El 29/9/2015, a las 17:04, Kern Sibbald <k...@sibbald.com> escribió: > > Yes, see the right of the three boxes on the first page of www.bacula.org > > On 15-09-29 07:47 AM, Egoitz Aurrekoetxea wrote: >> Good morning, >> >> Does bacula windows binaries exist available for buying for the 5.2 branch >> newer than the 5.2.10 ?. >> >> Best regards, >> -- >> ___ >> Bacula-users mailing list >> Bacula-users@lists.sourceforge.net >> https://lists.sourceforge.net/lists/listinfo/bacula-users >> > -- ___ Bacula-users mailing list Bacula-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/bacula-users
Re: [Bacula-users] Question about bacula and tls
Have been taking a look to all this in the source code… It seems that TLS Verify Peer basically ends up by doing (look at bold please) : /* * Create a new TLS_CONTEXT instance. * Returns: Pointer to TLS_CONTEXT instance on success * NULL on failure; */ TLS_CONTEXT *new_tls_context(const char *ca_certfile, const char *ca_certdir, const char *certfile, const char *keyfile, CRYPTO_PEM_PASSWD_CB *pem_callback, const void *pem_userdata, const char *dhfile, bool verify_peer) { TLS_CONTEXT *ctx; BIO *bio; DH *dh; . . . . . . . SSL_CTX_set_default_passwd_cb(ctx->openssl, tls_pem_callback_dispatch); SSL_CTX_set_default_passwd_cb_userdata(ctx->openssl, (void *) ctx); /* * Set certificate verification paths. This requires that at least one * value be non-NULL */ if (ca_certfile || ca_certdir) { if (!SSL_CTX_load_verify_locations(ctx->openssl, ca_certfile, ca_certdir)) { openssl_post_errors(M_FATAL, _("Error loading certificate verification stores")); goto err; } } else if (verify_peer) { /* At least one CA is required for peer verification */ Jmsg0(NULL, M_ERROR, 0, _("Either a certificate file or a directory must be" " specified as a verification store\n")); goto err; } For later but in the same function to : /* Verify Peer Certificate */ if (verify_peer) { /* SSL_VERIFY_FAIL_IF_NO_PEER_CERT has no effect in client mode */ SSL_CTX_set_verify(ctx->openssl, SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT, openssl_verify_peer); } It needs a ca public key or a directory with ca public keys…. So I assume that setting properly : TLS Enable = Yes TLS Require = Yes TLS Certificate = TLS Key = TLS Verify Peer = TLS CA Certificate File = it’s enough when you have created all certs with an own (not popularly accepted as trusted CA). The TLS Allowed CN directive, I think it’s just when you use a not dedicated CA for the backup or you are using a trusted CA where lots of certs could be easily signed (like Thawte) for restricting which CN can connect for avoiding not authorized valid certs to connect. And by the way, I think perhaps TLS Verify Peer is not properly documented because in : http://www.bacula.org/5.1.x-manuals/en/main/main/Bacula_TLS_Communications.html <http://www.bacula.org/5.1.x-manuals/en/main/main/Bacula_TLS_Communications.html> it sais : TLS Verify Peer = yes|no Verify peer certificate. Instructs server to request and verify the client's x509 certificate. Any client certificate signed by a known-CA will be accepted unless the TLS Allowed CN configuration directive is used, in which case the client certificate must correspond to the Allowed Common Name specified. This directive is valid only for a server and not in a client context. But in the code, you can see : /* Verify Peer Certificate */ if (verify_peer) { /* SSL_VERIFY_FAIL_IF_NO_PEER_CERT has no effect in client mode */ SSL_CTX_set_verify(ctx->openssl, SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT, openssl_verify_peer); } both flags and I have seen you call to new_tls_context from filed.c. Perhaps this should be corrected in the doc? or am I missing something?. Best regards, > El 28/9/2015, a las 15:57, Egoitz Aurrekoetxea <ego...@ramattack.net> > escribió: > > Hi mates, > > Have been doing some checks with Bacula and TLS. > > At present I have a TLS enable directive, require tis to yes and the ca > certificate public key (of an own CA) copied in the server and the client. > > Now I become an attacker and If I create a new client certificate with the > same CN as the present used one in bacula-fd and configure bacula-fd to use > this falsified certificate > of the falsified ca whose public key is used in the ca cert file directive of > the bacula-fd, you can’t do from the server (director) a status client. This > seems to be fine, because it seems > that like we are not using a known ca (like geotrust, thawte or similar) and > each other part is not using certificate signed by the ca whose public key > they have in the config each > part, the fd and the dir refuse to agree, basically to arrange a TLS > connection. > > So now… my question is then… when is required to use TLS Verify peer in the > director and the fd?. When someone could use a certificate from Thawte for > example??. Then you can use > TLS Allowed CN for even in this situation to avoid using this Thawte’s certs > in some way?. But how? the CN could be same as the “good” certificate one. > > Wh
Re: [Bacula-users] Question about bacula and tls
Good night, First of all thanks a lot for your time :) > El 28/9/2015, a las 21:46, Ana Emília M. Arruda <emiliaarr...@gmail.com> > escribió: > > Hello, > > The TLS enable do not force the use of TLS. For example, if you configure > your director with TLS enable = yes and TLS require = no, clients can > communicate with your director with or without TLS. But if you configure your > director with both TLS enable and TLS require = yes, then all your clients > and storage daemons will only be able to communicate with your director with > TLS. > Yes, this is clear > If you do not set TLS Verify Peer or TLS Allowed CN, then you can use any > Certificate File or Directory. The certificate CN will not be checked against > the Certificate File or Directory configured. what do you mean? any ca or ca path for each side cert? I could use certificates from different ca in each side?. Even having the proper cn, this doesn’t worked in my testing env (which doesn’t use tis verify peer or tls allowed cn) … you mean the certificate won’t be checked if it was created by the ca_certificate file's ca? Sorry can’t understand this... > > If TLS Verify Peer is enabled, then the peer´s hostname is verified against > the subjectAltName (alternative name) and commonName attributes. This way, a > certificate issued for myclient2.example.com <http://myclient2.example.com/> > cannot be used, for example, by a host named myclient1.example.com > <http://myclient1.example.com/>. Even if they are issued by your own CA (not > a trusted root CA), you have the CN of the certificate file checked against > the hostname (director, client or storage daemon host) that is using it. Are you sure? this config parameter requires to specify ca cert file or ca path.. and the code seems to be doing a check of the remote side cert to be issued by the ca listed in ca cert or ca path….. This just means the tls verify peer?. You can for instance use different ca for bacula-dir and bacula-fd mean while one cert with one ca has as cn the server name and the other one the bacula-fd’s daemon hostname?. Even when the ca is not trusted?? will it work?. Sorry but this doesn’t work to me…. are you really sure Ana? > > If TLS Allowed CN is enabled, then in addition to the peer´s hostname being > verified, just that ones listed in the "TLS Allowed CN" directives are > permited. So each part to have it’s proper cert (matching cn with the connecting name and so) and if this last is ok… to be in tls allowed cn too… do you mean this? > If TLS Verify Peer is not enabled and a client uses a "false" certificate > (myclient2 using the myclient1 certificate and myclient1 is in the allowed CN > list, for example) from a host in the allowed CN list of allowed hosts, it > will work. I see… so the cert can be both from the same ca or not..or… isn’t it? > > Openssl functions are used for certificate manipulation (including validation > and verification). Yep I’ve seen in the code… > > So, it will depend of what you want to have in you TLS communication, even if > using your own CA for the PKI infrastructure used in your bacula TLS > environment. You can have your own CA (a virtual machine for this purpose), > that will be your trusted CA for your environment. And let all your daemons > trust in each other by setting properly the TLS Verify Peer and TLS Allowed > CN directives. I think this should work fine for what you want. > I could use tls verify peer in the director and in bacula-fd (dir and sd are the same machine and to use loopback)… I wanted each director and each fd, to only be able to be accesed by just those remote daemons who own a certificate allowing them to do so… could you please paste an example config? > Best regards, Thank you so much again, really, Egoitz > Ana > > > On Mon, Sep 28, 2015 at 3:03 PM, Egoitz Aurrekoetxea <ego...@ramattack.net > <mailto:ego...@ramattack.net>> wrote: > Have been taking a look to all this in the source code… > > It seems that TLS Verify Peer basically ends up by doing (look at bold > please) : > > /* > * Create a new TLS_CONTEXT instance. > * Returns: Pointer to TLS_CONTEXT instance on success > * NULL on failure; > */ > TLS_CONTEXT *new_tls_context(const char *ca_certfile, const char *ca_certdir, > const char *certfile, const char *keyfile, > CRYPTO_PEM_PASSWD_CB *pem_callback, > const void *pem_userdata, const char *dhfile, > bool verify_peer) > { >TLS_CONTEXT *ctx; >BIO *bio; >DH *dh; > > . > . > . > . > . > . > . >SSL_CTX_s
[Bacula-users] Question about bacula and tls
Hi mates, Have been doing some checks with Bacula and TLS. At present I have a TLS enable directive, require tis to yes and the ca certificate public key (of an own CA) copied in the server and the client. Now I become an attacker and If I create a new client certificate with the same CN as the present used one in bacula-fd and configure bacula-fd to use this falsified certificate of the falsified ca whose public key is used in the ca cert file directive of the bacula-fd, you can’t do from the server (director) a status client. This seems to be fine, because it seems that like we are not using a known ca (like geotrust, thawte or similar) and each other part is not using certificate signed by the ca whose public key they have in the config each part, the fd and the dir refuse to agree, basically to arrange a TLS connection. So now… my question is then… when is required to use TLS Verify peer in the director and the fd?. When someone could use a certificate from Thawte for example??. Then you can use TLS Allowed CN for even in this situation to avoid using this Thawte’s certs in some way?. But how? the CN could be same as the “good” certificate one. What’s the real purpose of verify peer an tls allowed cn?. Now by the way… the main reason I needed TLS to work fine, is just for avoiding an arp poissoning attack to make Bacula store or restore injected data in a backup. How could this be done noticing that anyone could create a Thawte’s for instance certificate for the client, and even you have TLS Allowed CN the CN of the client, as the cert is valid, this damage could be caused? isn’t it?. Thanks a lot really, -- ___ Bacula-users mailing list Bacula-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/bacula-users
[Bacula-users] Question about verify job expirations
Hi mates, The first question I have is : - Sometime ago, I asked here if the verification init catalog jobs could expire, in order to need a new init catalog for new verify catalogs to run. Have found in some of my tests that even have just than once the init catalog and run daily a verify catalog… this task works fine even when having the following retentions : - File retention : 21 days - Job retention : 23 days - Volume retention : 27 days I can easily be at the day 60 and still being able to do verify catalogs without a new init catalog… could anyone give me please an idea of what could be happening?. Thank you much, -- ___ Bacula-users mailing list Bacula-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/bacula-users
Re: [Bacula-users] Question about verify jobs
Does anobody know something about this?. Best regards, El 8/4/2015, a las 9:48, Egoitz Aurrekoetxea ego...@ramattack.net escribió: Good morning, When I launch a new verify init catalog job, is the previous created init catalog for verification removed?. I mean, I don’t want to have 30 (for saying this way) init catalogs in the database. I just want to have the last created one and then to verify always against that. Is it possible this config?. If not, how could I remove previous verification catalogs, in order to just the last one (launched with the last verify init catalog) to exist?. Thank you so much, Best regards, -- BPM Camp - Free Virtual Workshop May 6th at 10am PDT/1PM EDT Develop your own process in accordance with the BPMN 2 standard Learn Process modeling best practices with Bonita BPM through live exercises http://www.bonitasoft.com/be-part-of-it/events/bpm-camp-virtual- event?utm_ source=Sourceforge_BPM_Camp_5_6_15utm_medium=emailutm_campaign=VA_SF ___ Bacula-users mailing list Bacula-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/bacula-users -- BPM Camp - Free Virtual Workshop May 6th at 10am PDT/1PM EDT Develop your own process in accordance with the BPMN 2 standard Learn Process modeling best practices with Bonita BPM through live exercises http://www.bonitasoft.com/be-part-of-it/events/bpm-camp-virtual- event?utm_ source=Sourceforge_BPM_Camp_5_6_15utm_medium=emailutm_campaign=VA_SF ___ Bacula-users mailing list Bacula-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/bacula-users
[Bacula-users] Question about verify jobs
Good morning, When I launch a new verify init catalog job, is the previous created init catalog for verification removed?. I mean, I don’t want to have 30 (for saying this way) init catalogs in the database. I just want to have the last created one and then to verify always against that. Is it possible this config?. If not, how could I remove previous verification catalogs, in order to just the last one (launched with the last verify init catalog) to exist?. Thank you so much, Best regards, -- BPM Camp - Free Virtual Workshop May 6th at 10am PDT/1PM EDT Develop your own process in accordance with the BPMN 2 standard Learn Process modeling best practices with Bonita BPM through live exercises http://www.bonitasoft.com/be-part-of-it/events/bpm-camp-virtual- event?utm_ source=Sourceforge_BPM_Camp_5_6_15utm_medium=emailutm_campaign=VA_SF ___ Bacula-users mailing list Bacula-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/bacula-users
Re: [Bacula-users] How to do Cross Replication Site1=Site2 (DR)
Good afternoon, Will a standard replication work for this purpose?. I explain, this way of course you will be able to have a replicated database state. But what you really need isn't the snapshot of both members, database and storage daemon at the same moment in a concrete instant ?. Imagine you have a database server and a dir-sd different server connected to a disk array for example. Imagine that dir-sd machine goes down while Mysql is running a huge query for entering something in database. That query finishes fine and the info is replicated, but the sd-dir has gone down 20 minutes ago!! Would be ok really, just to have replicated that way?. You will have database fine, but perhaps the disk (virtual types) from file storage are not the way “the well database describes”. Would really this would be valid as HA? Best regards, El 26/11/2014, a las 17:50, Danixu86 bacula-fo...@backupcentral.com escribió: But you're using both directors to make backups, or the second is only a mirror waiting for dissaster?, because for example, i've an script running every day to dump the entire database to another server, then if there are any dissasters, i only have to import the last backup to a new director. Maybe is different, because my director is in a Virtual Machine, and i've a backup of that machine in another server, then if something fails, i only have to power on that backup of director and import the last database. Greetings!! -Original Message- Mysql replication may in fact guard against duplicate jobids, since the same jobids will be in both databases, in theory. It's the replication lag that will be the problem. During the lag it will still be possible to create duplicate bacula jobids. +-- |This was sent by danielmadri...@gmail.com via Backup Central. |Forward SPAM to ab...@backupcentral.com. +-- -- Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server from Actuate! Instantly Supercharge Your Business Reports and Dashboards with Interactivity, Sharing, Native Excel Exports, App Integration more Get technology previously reserved for billion-dollar corporations, FREE http://pubads.g.doubleclick.net/gampad/clk?id=157005751iu=/4140/ostg.clktrk ___ Bacula-users mailing list Bacula-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/bacula-users -- Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server from Actuate! Instantly Supercharge Your Business Reports and Dashboards with Interactivity, Sharing, Native Excel Exports, App Integration more Get technology previously reserved for billion-dollar corporations, FREE http://pubads.g.doubleclick.net/gampad/clk?id=157005751iu=/4140/ostg.clktrk ___ Bacula-users mailing list Bacula-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/bacula-users
[Bacula-users] Bconsole catalog auto-selection
Good morning, Is it possible to tell bconsole or to a session connected to bacula’s console to use always a given catalog with all it’s jobs and so?. Best regards, -- Want excitement? Manually upgrade your production database. When you want reliability, choose Perforce Perforce version control. Predictably reliable. http://pubads.g.doubleclick.net/gampad/clk?id=157508191iu=/4140/ostg.clktrk ___ Bacula-users mailing list Bacula-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/bacula-users
Re: [Bacula-users] Bacula and High availability
Good morning Dan!, El 10/05/2014, a las 00:48, Dan Langille d...@langille.org escribió: Really: does your requirement really need HA of this level? Would it not be sufficient to accept that if stuff goes down, what you have is what you have? -- Dan Langille - http://langille.org It’s not something my implementation has been required to have… but I like thinking and designing platforms granting you the possibility of later scaling, having de possibility to improve them and of course protecting one's neck :) Thank you so much!-- Is your legacy SCM system holding you back? Join Perforce May 7 to find out: #149; 3 signs your SCM is hindering your productivity #149; Requirements for releasing software faster #149; Expert tips and advice for migrating your SCM now http://p.sf.net/sfu/perforce___ Bacula-users mailing list Bacula-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/bacula-users
Re: [Bacula-users] VirtualFull Jobs
Hi!, Xabier, mates, could anyone confirm this?? Thank you so much, El 06/05/2014, a las 14:14, Egoitz Aurrekoetxea ego...@ramattack.net escribió: So, finally this all means that you can do a virtual full job and no need to migrate is needed anymore ? neither for doing a new virtual full or perform some kind of restoration?. Best regards, El 06/05/2014, a las 12:40, Xabier Elkano xelk...@hostinet.com escribió: Hi, happy to read that this restriction has been removed :-) I am running virtual fulls for almost three years and I'm very happy with them. I had to use them because my servers had a very high load when running full backups jobs. I did a little trick to manage the migration from virtual pool to normal pool. After each backup job (without distinction) I have configured a little script (RunAfterJob) to verify if there are volumes in the virtual pool and if it find some, it move them to the normal pool. The changes are made directly in the Bacula database, because volumes are, in both pools, in the same directory. I simply run this for each volume found in the virtual pool: update Media set MediaType=$mediatype,StorageId=$storageid where VolumeName=$vol the following incremental and restores are run without problems. Xabier El 04/05/14 14:51, Kern Sibbald escribió: Hello, I believe that I have removed the restriction on using a different Pool. Perhaps it is not well documented, in which case if you make it work, as I think a lot of people have done, a patch for the manual would be appreciated. Kern On 04/30/2014 12:45 PM, Egoitz Aurrekoetxea wrote: Good morning, I’m at this moment doing real full jobs of my servers. I have some slowness (in backup) with some servers due to it’s activity. I have tested virtual full jobs and work like a charm :) but I have one problem; normally I schedule a real full job and I’m done… as virtual full jobs have to be done in another pool, later migrated and later a new incremental job should be done (for replacing a normal full) how could I manage for automating this tasks, without starting one before the other one and… basically for automating all this tasks involving a virtual full job but having in mind that this automation has to be in a proper order, if one job fails should not continue with the other “sub jobs” let’s say of the virtual full job?… how do you manage for this tasks? Best regards, -- Accelerate Dev Cycles with Automated Cross-Browser Testing - For FREE Instantly run your Selenium tests across 300+ browser/OS combos. Get unparalleled scalability from the best Selenium testing platform available. Simple to use. Nothing to install. Get started now for free. http://p.sf.net/sfu/SauceLabs ___ Bacula-users mailing list Bacula-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/bacula-users -- Accelerate Dev Cycles with Automated Cross-Browser Testing - For FREE Instantly run your Selenium tests across 300+ browser/OS combos. Get unparalleled scalability from the best Selenium testing platform available. Simple to use. Nothing to install. Get started now for free. http://p.sf.net/sfu/SauceLabs ___ Bacula-users mailing list Bacula-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/bacula-users -- Is your legacy SCM system holding you back? Join Perforce May 7 to find out: #149; 3 signs your SCM is hindering your productivity #149; Requirements for releasing software faster #149; Expert tips and advice for migrating your SCM now http://p.sf.net/sfu/perforce ___ Bacula-users mailing list Bacula-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/bacula-users -- Is your legacy SCM system holding you back? Join Perforce May 7 to find out: #149; 3 signs your SCM is hindering your productivity #149; Requirements for releasing software faster #149; Expert tips and advice for migrating your SCM now http://p.sf.net/sfu/perforce ___ Bacula-users mailing list Bacula-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/bacula-users -- Is your legacy SCM system holding you back? Join Perforce May 7 to find out: #149; 3 signs your SCM is hindering your productivity #149; Requirements for releasing software faster #149; Expert tips and advice for migrating your SCM now http://p.sf.net/sfu
[Bacula-users] Bacula and High availability
Good morning, Have been thinking in how could be setup a bacula infrastructure with HA. You could for example if you use Postgres or Mysql the databases replicate the servers through it’s own replication protocol and will be up to date. For backing up pools you could always something like ZFS replication, DRBD or whatever…. but, now… Imagine the following situation : - Bacula infrastructure A goes down… - Bacula infrastructure B is up and replicated from A…. but : - The database could be after or before the status of the tapes in the pool… (talking about File Storage) - The same for the pools and pool’s tapes repesct to the database…. How does bacula manage this situations?. I mean… Is there any possible way of ensuring the replicated content (the combination of both the database and pool’s tapes) is reliable for using it in case of disaster?. How else is this advised to be done?. Best regards, -- Is your legacy SCM system holding you back? Join Perforce May 7 to find out: #149; 3 signs your SCM is hindering your productivity #149; Requirements for releasing software faster #149; Expert tips and advice for migrating your SCM now http://p.sf.net/sfu/perforce ___ Bacula-users mailing list Bacula-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/bacula-users
Re: [Bacula-users] VirtualFull Jobs
Good afternoon :) , I tested in that version and didn’t work… that was the reason of the question… perhaps it’s done in 7.0? Regards, El 07/05/2014, a las 14:19, Xabier Elkano xelk...@hostinet.com escribió: Hi Egoitz, I cannot confirm the fix, because I am running version 5.2.12 on my server, but I think it should be easy to test y you have a running bacula server. Best Regards, Xabier El 07/05/14 09:30, Egoitz Aurrekoetxea escribió: Hi!, Xabier, mates, could anyone confirm this?? Thank you so much, El 06/05/2014, a las 14:14, Egoitz Aurrekoetxea ego...@ramattack.net escribió: So, finally this all means that you can do a virtual full job and no need to migrate is needed anymore ? neither for doing a new virtual full or perform some kind of restoration?. Best regards, El 06/05/2014, a las 12:40, Xabier Elkano xelk...@hostinet.com escribió: Hi, happy to read that this restriction has been removed :-) I am running virtual fulls for almost three years and I'm very happy with them. I had to use them because my servers had a very high load when running full backups jobs. I did a little trick to manage the migration from virtual pool to normal pool. After each backup job (without distinction) I have configured a little script (RunAfterJob) to verify if there are volumes in the virtual pool and if it find some, it move them to the normal pool. The changes are made directly in the Bacula database, because volumes are, in both pools, in the same directory. I simply run this for each volume found in the virtual pool: update Media set MediaType=$mediatype,StorageId=$storageid where VolumeName=$vol the following incremental and restores are run without problems. Xabier El 04/05/14 14:51, Kern Sibbald escribió: Hello, I believe that I have removed the restriction on using a different Pool. Perhaps it is not well documented, in which case if you make it work, as I think a lot of people have done, a patch for the manual would be appreciated. Kern On 04/30/2014 12:45 PM, Egoitz Aurrekoetxea wrote: Good morning, I’m at this moment doing real full jobs of my servers. I have some slowness (in backup) with some servers due to it’s activity. I have tested virtual full jobs and work like a charm :) but I have one problem; normally I schedule a real full job and I’m done… as virtual full jobs have to be done in another pool, later migrated and later a new incremental job should be done (for replacing a normal full) how could I manage for automating this tasks, without starting one before the other one and… basically for automating all this tasks involving a virtual full job but having in mind that this automation has to be in a proper order, if one job fails should not continue with the other “sub jobs” let’s say of the virtual full job?… how do you manage for this tasks? Best regards, -- Accelerate Dev Cycles with Automated Cross-Browser Testing - For FREE Instantly run your Selenium tests across 300+ browser/OS combos. Get unparalleled scalability from the best Selenium testing platform available. Simple to use. Nothing to install. Get started now for free. http://p.sf.net/sfu/SauceLabs ___ Bacula-users mailing list Bacula-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/bacula-users -- Accelerate Dev Cycles with Automated Cross-Browser Testing - For FREE Instantly run your Selenium tests across 300+ browser/OS combos. Get unparalleled scalability from the best Selenium testing platform available. Simple to use. Nothing to install. Get started now for free. http://p.sf.net/sfu/SauceLabs ___ Bacula-users mailing list Bacula-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/bacula-users -- Is your legacy SCM system holding you back? Join Perforce May 7 to find out: #149; 3 signs your SCM is hindering your productivity #149; Requirements for releasing software faster #149; Expert tips and advice for migrating your SCM now http://p.sf.net/sfu/perforce ___ Bacula-users mailing list Bacula-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/bacula-users -- Is your legacy SCM system holding you back? Join Perforce May 7 to find out: #149; 3 signs your SCM is hindering your productivity #149; Requirements for releasing software faster #149; Expert tips and advice for migrating your SCM now http://p.sf.net/sfu/perforce
Re: [Bacula-users] VirtualFull Jobs
So, finally this all means that you can do a virtual full job and no need to migrate is needed anymore ? neither for doing a new virtual full or perform some kind of restoration?. Best regards, El 06/05/2014, a las 12:40, Xabier Elkano xelk...@hostinet.com escribió: Hi, happy to read that this restriction has been removed :-) I am running virtual fulls for almost three years and I'm very happy with them. I had to use them because my servers had a very high load when running full backups jobs. I did a little trick to manage the migration from virtual pool to normal pool. After each backup job (without distinction) I have configured a little script (RunAfterJob) to verify if there are volumes in the virtual pool and if it find some, it move them to the normal pool. The changes are made directly in the Bacula database, because volumes are, in both pools, in the same directory. I simply run this for each volume found in the virtual pool: update Media set MediaType=$mediatype,StorageId=$storageid where VolumeName=$vol the following incremental and restores are run without problems. Xabier El 04/05/14 14:51, Kern Sibbald escribió: Hello, I believe that I have removed the restriction on using a different Pool. Perhaps it is not well documented, in which case if you make it work, as I think a lot of people have done, a patch for the manual would be appreciated. Kern On 04/30/2014 12:45 PM, Egoitz Aurrekoetxea wrote: Good morning, I’m at this moment doing real full jobs of my servers. I have some slowness (in backup) with some servers due to it’s activity. I have tested virtual full jobs and work like a charm :) but I have one problem; normally I schedule a real full job and I’m done… as virtual full jobs have to be done in another pool, later migrated and later a new incremental job should be done (for replacing a normal full) how could I manage for automating this tasks, without starting one before the other one and… basically for automating all this tasks involving a virtual full job but having in mind that this automation has to be in a proper order, if one job fails should not continue with the other “sub jobs” let’s say of the virtual full job?… how do you manage for this tasks? Best regards, -- Accelerate Dev Cycles with Automated Cross-Browser Testing - For FREE Instantly run your Selenium tests across 300+ browser/OS combos. Get unparalleled scalability from the best Selenium testing platform available. Simple to use. Nothing to install. Get started now for free. http://p.sf.net/sfu/SauceLabs ___ Bacula-users mailing list Bacula-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/bacula-users -- Accelerate Dev Cycles with Automated Cross-Browser Testing - For FREE Instantly run your Selenium tests across 300+ browser/OS combos. Get unparalleled scalability from the best Selenium testing platform available. Simple to use. Nothing to install. Get started now for free. http://p.sf.net/sfu/SauceLabs ___ Bacula-users mailing list Bacula-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/bacula-users -- Is your legacy SCM system holding you back? Join Perforce May 7 to find out: #149; 3 signs your SCM is hindering your productivity #149; Requirements for releasing software faster #149; Expert tips and advice for migrating your SCM now http://p.sf.net/sfu/perforce ___ Bacula-users mailing list Bacula-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/bacula-users -- Is your legacy SCM system holding you back? Join Perforce May 7 to find out: #149; 3 signs your SCM is hindering your productivity #149; Requirements for releasing software faster #149; Expert tips and advice for migrating your SCM now http://p.sf.net/sfu/perforce ___ Bacula-users mailing list Bacula-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/bacula-users
Re: [Bacula-users] VirtualFull Jobs
Good morning Kern, So you mean that even you create a virtual full in a different pool there’s no need to later migrating for operational purposes like using it for a restore or a new virtual full?. Do you mean this? Best regards, El 04/05/2014, a las 14:51, Kern Sibbald k...@sibbald.com escribió: Hello, I believe that I have removed the restriction on using a different Pool. Perhaps it is not well documented, in which case if you make it work, as I think a lot of people have done, a patch for the manual would be appreciated. Kern On 04/30/2014 12:45 PM, Egoitz Aurrekoetxea wrote: Good morning, I’m at this moment doing real full jobs of my servers. I have some slowness (in backup) with some servers due to it’s activity. I have tested virtual full jobs and work like a charm :) but I have one problem; normally I schedule a real full job and I’m done… as virtual full jobs have to be done in another pool, later migrated and later a new incremental job should be done (for replacing a normal full) how could I manage for automating this tasks, without starting one before the other one and… basically for automating all this tasks involving a virtual full job but having in mind that this automation has to be in a proper order, if one job fails should not continue with the other “sub jobs” let’s say of the virtual full job?… how do you manage for this tasks? Best regards, -- Accelerate Dev Cycles with Automated Cross-Browser Testing - For FREE Instantly run your Selenium tests across 300+ browser/OS combos. Get unparalleled scalability from the best Selenium testing platform available. Simple to use. Nothing to install. Get started now for free. http://p.sf.net/sfu/SauceLabs ___ Bacula-users mailing list Bacula-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/bacula-users -- Is your legacy SCM system holding you back? Join Perforce May 7 to find out: #149; 3 signs your SCM is hindering your productivity #149; Requirements for releasing software faster #149; Expert tips and advice for migrating your SCM now http://p.sf.net/sfu/perforce ___ Bacula-users mailing list Bacula-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/bacula-users
Re: [Bacula-users] VirtualFull Jobs
Anyone who knows this please? El 30/04/2014, a las 12:45, Egoitz Aurrekoetxea ego...@ramattack.net escribió: Good morning, I’m at this moment doing real full jobs of my servers. I have some slowness (in backup) with some servers due to it’s activity. I have tested virtual full jobs and work like a charm :) but I have one problem; normally I schedule a real full job and I’m done… as virtual full jobs have to be done in another pool, later migrated and later a new incremental job should be done (for replacing a normal full) how could I manage for automating this tasks, without starting one before the other one and… basically for automating all this tasks involving a virtual full job but having in mind that this automation has to be in a proper order, if one job fails should not continue with the other “sub jobs” let’s say of the virtual full job?… how do you manage for this tasks? Best regards, -- Accelerate Dev Cycles with Automated Cross-Browser Testing - For FREE Instantly run your Selenium tests across 300+ browser/OS combos. Get unparalleled scalability from the best Selenium testing platform available. Simple to use. Nothing to install. Get started now for free. http://p.sf.net/sfu/SauceLabs ___ Bacula-users mailing list Bacula-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/bacula-users -- Accelerate Dev Cycles with Automated Cross-Browser Testing - For FREE Instantly run your Selenium tests across 300+ browser/OS combos. Get unparalleled scalability from the best Selenium testing platform available. Simple to use. Nothing to install. Get started now for free. http://p.sf.net/sfu/SauceLabs ___ Bacula-users mailing list Bacula-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/bacula-users
[Bacula-users] VirtualFull Jobs
Good morning, I’m at this moment doing real full jobs of my servers. I have some slowness (in backup) with some servers due to it’s activity. I have tested virtual full jobs and work like a charm :) but I have one problem; normally I schedule a real full job and I’m done… as virtual full jobs have to be done in another pool, later migrated and later a new incremental job should be done (for replacing a normal full) how could I manage for automating this tasks, without starting one before the other one and… basically for automating all this tasks involving a virtual full job but having in mind that this automation has to be in a proper order, if one job fails should not continue with the other “sub jobs” let’s say of the virtual full job?… how do you manage for this tasks? Best regards, -- Accelerate Dev Cycles with Automated Cross-Browser Testing - For FREE Instantly run your Selenium tests across 300+ browser/OS combos. Get unparalleled scalability from the best Selenium testing platform available. Simple to use. Nothing to install. Get started now for free. http://p.sf.net/sfu/SauceLabs ___ Bacula-users mailing list Bacula-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/bacula-users
[Bacula-users] Question about user interaction with backup system
Hi all, Does bacula log the activity done from Bconsole or Bat (for example) for later avoiding problems like… my backup does not exist and I haven’t purged job files or… I haven’t deleted the jobs catalog??. I have all those commands forbidden from a console resource…. but anyway is it possible to define that kind of log and verbosity for later having constancy of what each one has invoked from bat for example?. Thank you so much and congrats for so nice backup tool :) Regards, -- ___ Bacula-users mailing list Bacula-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/bacula-users