Re: [Bacula-users] Question about bacula 13.0.x installation

2023-02-03 Thread Robin Schröter

Hello Ana,

No, unfortunately that is not the problem.

I tried to install Bacula 13.0.1 on a clean installed Ubuntu 20.04.

I tried the bacula-mysql package but then I only get

bacula-client/stable,now 13.0.1-22081215~focal amd64 [installed,automatic]
bacula-common/stable,now 13.0.1-22081215~focal amd64 [installed,automatic]
bacula-console/stable,now 13.0.1-22081215~focal amd64 [installed,automatic]
bacula-mysql/stable,now 13.0.1-22081215~focal amd64 [installed]

Then I tried to install the old bacula 9.4 director first and update 
to the newest bacula 13.0.1 version. But then the installer deleted the 
bacula-director and then I also only have the ones shown above.

I can't install bacula-director at all. I also tried all other packages 
that are accessible on that repo I got from bacula, without success.


https://www.bacula.org/packages/***/debs/13.0.1/dists/focal/main/binary-amd64/


On 02.02.2023 at 23:06, Ana Emília M. Arruda wrote:

Hello Robin,

If you had previously installed both bacula-postgresql and 
bacula-mysql, I would suggest you remove one of them. These are 
Director, File Daemon and Storage Daemon for either PostgreSQL or 
MySQL/MariaDB.


As you have problems getting Director and/or Storage installed, it is 
possible the installation is not successful because you are installing 
these two packages.


Please confirm if you have a bacula PostgreSQL or a MySQL database. 
This is very important. You need to use the correct one for the upgrade.


Best,
Ana


Re: [Bacula-users] Question about bacula 13.0.x installation

2023-02-02 Thread Ana Emília M . Arruda
Hello Robin,

If you had previously installed both bacula-postgresql and bacula-mysql, I
would suggest you remove one of them. These are Director, File Daemon and
Storage Daemon for either PostgreSQL or MySQL/MariaDB.

As you have problems getting Director and/or Storage installed, it is
possible the installation is not successful because you are installing
these two packages.

Please confirm if you have a bacula PostgreSQL or a MySQL database. This is
very important. You need to use the correct one for the upgrade.

Best,
Ana

On Thu, Feb 2, 2023 at 5:10 PM Robin Schröter  wrote:

> Hello Ana,
>
> I tried your solution and installed
> bacula-mysql
>
> The server installed a few packages but no director was installed.
>
> bacula-client/stable,now 13.0.1-22081215~focal amd64 [installed,automatic]
> bacula-common/stable,now 13.0.1-22081215~focal amd64 [installed,automatic]
> bacula-console/stable,now 13.0.1-22081215~focal amd64 [installed,automatic]
> bacula-mysql/stable,now 13.0.1-22081215~focal amd64 [installed]
> bacula/stable,now 13.0.1-22081215~focal all [installed]
>
> Those are the only packages that bacula 13 can install.
>
> Can I get the director and Storage as installed packages?
___
Bacula-users mailing list
Bacula-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bacula-users


Re: [Bacula-users] Question about bacula 13.0.x installation

2023-02-02 Thread Robin Schröter

Hello Ana,

I tried your solution and installed
bacula-mysql

The server installed a few packages but no director was installed.

bacula-client/stable,now 13.0.1-22081215~focal amd64 [installed,automatic]
bacula-common/stable,now 13.0.1-22081215~focal amd64 [installed,automatic]
bacula-console/stable,now 13.0.1-22081215~focal amd64 [installed,automatic]
bacula-mysql/stable,now 13.0.1-22081215~focal amd64 [installed]
bacula/stable,now 13.0.1-22081215~focal all [installed]

Those are the only packages that bacula 13 can install.

Can I get the director and Storage as installed packages?

On 27.01.2023 at 09:43, Ana Emília M. Arruda wrote:

Hello Robin,

Bacula Director and Bacula Storage Daemon come in the very same package.

You must install either the bacula_postgresql (if you use a PostgreSQL 
Bacula Catalog) or the bacula_mysql (if you use a MySQL or MariaDB 
Bacula Catalog). Then, as soon as you have this package installed, you 
will have both Director and the Storage in the same host. You just 
need to disable and stop the daemon, for example, in the Storage only 
host:


* systemctl disable bacula-dir
* systemctl stop bacula-dir

Hope it helps.

Best,
Ana



Re: [Bacula-users] Question about bacula 13.0.x installation

2023-01-27 Thread Ana Emília M . Arruda
Hello Robin,

Bacula Director and Bacula Storage Daemon come in the very same package.

You must install either the bacula_postgresql (if you use a PostgreSQL
Bacula Catalog) or the bacula_mysql (if you use a MySQL or MariaDB Bacula
Catalog). Then, as soon as you have this package installed, you will have
both Director and the Storage in the same host. You just need to disable
and stop the daemon, for example, in the Storage only host:

* systemctl disable bacula-dir
* systemctl stop bacula-dir

Hope it helps.

Best,
Ana

On Thu, Jan 26, 2023 at 4:59 PM Robin Schröter  wrote:

> Hello,
>
> At the moment we have two separate Ubuntu 20.04 servers.
>
> One has Bacula-director 9.4.2 and the other has Bacula-sd 9.4.2
>
> I got the repo link from bacula
>
> https://www.bacula.org/packages/***/debs/13.0.1/dists/focal/main/binary-amd64/
> There are the packages I can get into Ubuntu using the sources.list.
>
> The problem is I can't find the bacula-sd nor the bacula-director as
> separate packages.
>
> I wanted to update the bacula version on these two Ubuntu servers to the
> newest 13.0.x version.
>
> For that I need to install the bacula-sd and bacula-director separately
> on two different servers.
>
> The other bacula versions also only have these packages.
>
> bacula-cdp-plugin_13.0.1-22081215~focal_amd64.deb
> bacula-client_13.0.1-22081215~focal_amd64.deb
> bacula-cloud-storage-common_13.0.1-22081215~focal_amd64.deb
> bacula-cloud-storage-s3_13.0.1-22081215~focal_amd64.deb
> bacula-common_13.0.1-22081215~focal_amd64.deb
> bacula-console_13.0.1-22081215~focal_amd64.deb
> bacula-docker-plugin_13.0.1-22081215~focal_amd64.deb
> bacula-docker-tools_13.0.1-22081215~focal_amd64.deb
> bacula-kubernetes-plugin_13.0.1-22081215~focal_amd64.deb
> bacula-kubernetes-tools_13.0.1-22081215~focal_amd64.deb
> bacula-mysql_13.0.1-22081215~focal_amd64.deb
> bacula-postgresql_13.0.1-22081215~focal_amd64.deb
> bacula_13.0.1-22081215~focal_all.deb
>
> I can install the bacula_13.0.1-22081215~focal_all.deb package but that
> doesn't list bacula-sd or bacula-director as installed packages.
> In addition to that, that package also wants to install postgresql that we
> don't wanna use.
>
> Is there a possibility to install bacula-director and bacula-sd 13.0.x
> separately on two different servers without compiling it new? (Because we
> want to upgrade the already installed version)


[Bacula-users] Question about bacula 13.0.x installation

2023-01-26 Thread Robin Schröter

Hello,

At the moment we have two separate Ubuntu 20.04 servers.

One has Bacula-director 9.4.2 and the other has Bacula-sd 9.4.2

I got the repo link from bacula
https://www.bacula.org/packages/***/debs/13.0.1/dists/focal/main/binary-amd64/
There are the packages I can get into Ubuntu using the sources.list.

The problem is I can't find the bacula-sd nor the bacula-director as 
separate packages.

I wanted to update the bacula version on these two Ubuntu servers to the 
newest 13.0.x version.

For that I need to install the bacula-sd and bacula-director separately 
on two different servers.

The other bacula versions also only have these packages.

bacula-cdp-plugin_13.0.1-22081215~focal_amd64.deb
bacula-client_13.0.1-22081215~focal_amd64.deb
bacula-cloud-storage-common_13.0.1-22081215~focal_amd64.deb
bacula-cloud-storage-s3_13.0.1-22081215~focal_amd64.deb
bacula-common_13.0.1-22081215~focal_amd64.deb
bacula-console_13.0.1-22081215~focal_amd64.deb
bacula-docker-plugin_13.0.1-22081215~focal_amd64.deb
bacula-docker-tools_13.0.1-22081215~focal_amd64.deb
bacula-kubernetes-plugin_13.0.1-22081215~focal_amd64.deb
bacula-kubernetes-tools_13.0.1-22081215~focal_amd64.deb
bacula-mysql_13.0.1-22081215~focal_amd64.deb
bacula-postgresql_13.0.1-22081215~focal_amd64.deb
bacula_13.0.1-22081215~focal_all.deb

I can install the bacula_13.0.1-22081215~focal_all.deb package but that 
doesn't list bacula-sd or bacula-director as installed packages.
In addition to that, that package also wants to install postgresql that we 
don't wanna use.

Is there a possibility to install bacula-director and bacula-sd 13.0.x 
separately on two different servers without compiling it new? (Because we 
want to upgrade the already installed version)






Re: [Bacula-users] Question about bacula

2019-12-13 Thread Heitor Faria
Hello Kern,

Just to add, Bacula Systems added several improvements to its BMR technology in 
the last years.
I'm almost sure restoring from and to UEFI machines is supported; also P2V, V2P.

Regards,
--
MSc Heitor Faria
CEO Bacula LatAm
mobile1: + 1 909 655-8971
mobile2: + 55 61 98268-4220

América Latina
[ http://bacula.lat/]

 Original Message 
From: Kern Sibbald 
Sent: Friday, December 13, 2019 06:41 AM
To: Pierre Bernhardt, bacula-users@lists.sourceforge.net
Subject: Re: [Bacula-users] Question about bacula

>Hello,
>
>Some time ago, the project provided bare metal recovery, but the boot 
>process has evolved significantly since then with many differences 
>between vendors, which made maintenance of the BMR too onerous.  However, 
>Bacula Systems as a part of their commercial offering does offer 
>selected Linux distros as well as Windows complete BMR capabilities.
>
>One reasonable alternative is to ensure you have complete backups of the 
>whole system, then in a disaster situation, reinstall the original OS 
>followed by doing a full Bacula restore.  For those of you who use the 
>Bacula recommended install options (most files going in /opt/bacula) 
>restoring a fully functional Bacula is easy, and then once done, 
>restoring the whole OS as of the last backup is not hard.  This 
>procedure works fine (I have done it on several of my computers) however 
>it may be slightly more time consuming than using the Bacula Systems BMR.
>
>Best regards,
>Kern
>


Re: [Bacula-users] Question about bacula

2019-12-13 Thread Kern Sibbald

Hello,

Some time ago, the project provided bare metal recovery, but the boot 
process has evolved significantly since then with many differences 
between vendors, which made maintenance of the BMR too onerous.  However, 
Bacula Systems as a part of their commercial offering does offer 
selected Linux distros as well as Windows complete BMR capabilities.


One reasonable alternative is to ensure you have complete backups of the 
whole system, then in a disaster situation, reinstall the original OS 
followed by doing a full Bacula restore.  For those of you who use the 
Bacula recommended install options (most files going in /opt/bacula) 
restoring a fully functional Bacula is easy, and then once done, 
restoring the whole OS as of the last backup is not hard.  This 
procedure works fine (I have done it on several of my computers) however 
it may be slightly more time consuming than using the Bacula Systems BMR.


Best regards,
Kern

On 12/13/19 9:46 AM, Pierre Bernhardt wrote:

Hello,

I think what you mean is a bare metal recovery procedure.
This is generally possible but needs some special preparations and instructions.
It is not a full out of the box recovery procedure.

It depends on how secure you backup your servers.

I've already written a complex base article but I think
this is not the time to publish them here. I don't make
people to read boring and unfinished alpharelease stuff :-)

Cheers,
Pierre


Re: [Bacula-users] Question about bacula

2019-12-13 Thread Pierre Bernhardt
Hello,

I think what you mean is a bare metal recovery procedure.
This is generally possible but needs some special preparations and instructions.
It is not a full out of the box recovery procedure.

It depends on how secure you backup your servers.

I've already written a complex base article but I think
this is not the time to publish them here. I don't make
people to read boring and unfinished alpharelease stuff :-)

Cheers,
Pierre

On 12.12.19 at 16:49, Gregor Burck wrote:
> Hi,
> 
> I've already a running system with bacula 9.4.4 and baculum.
> My main question is, could I make a disaster recovery of my Windows and Linux 
> Server?
> 
> It seems to me that bacula only made File Backup?
> 
> I suggest more than a veeam thing, but then I've to use Bacula Enterprise, 
> that support things like hypervisor, SQL and Exchange and other features?
> 
> At the moment I've a proxmox cluster and use a mix from Backupassist and the 
> proxmox own backup, I want to replace this solution through a centralized 
> Backupserver.
> 
> Bye
> 
> Gregor


[Bacula-users] Question about bacula

2019-12-12 Thread Gregor Burck
Hi,

I've already a running system with bacula 9.4.4 and baculum.
My main question is, could I make a disaster recovery of my Windows and Linux 
Server?

It seems to me that bacula only made File Backup?

I suggest more than a veeam thing, but then I've to use Bacula Enterprise, that 
support things like hypervisor, SQL and Exchange and other features?

At the moment I've a proxmox cluster and use a mix from Backupassist and the 
proxmox own backup, I want to replace this solution through a centralized 
Backupserver.

Bye

Gregor







Re: [Bacula-users] question about bacula job speed

2019-05-14 Thread ce
for the bacula backups on the old bacula server ( for backups of a windows
client ), I never noticed that long bacula jobs for incremental and
differential ones.

on the new bacula server for the backups of one of the folder:

Elapsed time   Level          Bytes       Files   Speed

13:45:29       Differential   2.17 MB     42      45.92 B/s   0.35

on the new bacula server for the backups of another folder on the same
client:
Elapsed time   Level          Bytes       Files   Speed

03:00:03       Differential   932.23 MB   1.648   88.36 KB/s

how can I find out why there is such a difference? the second folder backup
has even more files for backup as you see above but it took less.
NOTE:

for the first folder: 22 G out of 500 G  free space
for the second folder 400 G out of 700 free space?
not sure if having more free space for the client folders, will affect the
speed of backup?

any help will be appreciated!

On Mon, May 13, 2019 at 12:58 PM Christian Lehmann 
wrote:

> Hi and welcome!
>
> Most of the time, the limiting factor for an incremental backup is the
> analysis of all files by the file daemon on the client.
>
> So, only some small changes/files need to be backed-up, but bacula can
> only know this by analysing one file after another.
>
> So it can well be that an incremental backup can need as much time as a
> full backup, presumed, the transfer rate for your backup device and/or to
> your server is not the limiting factor.
>
> However, with the information you provided, it is difficult to give you a
> black “Yes or No”-answer.
>
> Best,
>
> Christian


Re: [Bacula-users] question about bacula job speed

2019-05-13 Thread Christian Lehmann
Hi and welcome!

Most of the time, the limiting factor for an incremental backup is the analysis 
of all files by the file daemon on the client. 

So, only some small changes/files need to be backed-up, but bacula can only 
know this by analysing one file after another.

So it can well be that an incremental backup can need as much time as a full 
backup, presumed, the transfer rate for your backup device and/or to your 
server is not the limiting factor.

However, with the information you provided, it is difficult to give you a 
black “Yes or No”-answer.

Best,

Christian

 

From: ce
Sent: Monday, 13 May 2019 20:30
To: bacula-users@lists.sourceforge.net
Subject: [Bacula-users] question about bacula job speed

 

Hi everyone,

Is that normal that incremental bacula job ( just to backup  a few megabytes) 
takes 9 or 10 hours? assuming there is no performance or any issue on the 
servers and clients, only encryption algorithm has changed recently!

 

 

Thanks,

 

 



[Bacula-users] question about bacula job speed

2019-05-13 Thread ce
Hi everyone,
Is that normal that incremental bacula job ( just to backup  a few
megabytes) takes 9 or 10 hours? assuming there is no performance or any
issue on the servers and clients, only encryption algorithm has changed
recently!


Thanks,


Re: [Bacula-users] Question about bacula and tls

2015-10-05 Thread Egoitz Aurrekoetxea
Thank you so much to all of you :) :)


> On 2 Oct 2015, at 12:54, Josh Fisher wrote:
> 
> 
> 
> On 10/2/2015 2:47 AM, Egoitz Aurrekoetxea wrote:
>> Good morning mates,
>> 
>> Apologies for my very very late response….
>> 
>> Just one question for confirming, in Josh’s third point, when it says: 
>> 
>>> Level 3:
>>> # This level requires encryption and that the certificate presented by 
>>> the peer be signed by a trusted CA
>> 
>> It means a CA in CA certificate file OR a public key CA in the “TLS CA 
>> Certificate Dir”, isn’t it?.
> 
> Yes. 
> 
>> 
>> 
>>> On 1/10/2015, at 16:09, Ana Emília M. Arruda wrote:
>>> 
>>> Hello Egoitz,
>>> 
>>> Is this thread clear? If you have your own dedicated CA, then take care of 
>>> her :). This way and having level 4 bacula TLS configured as Josh 
>>> explained, then your communication will be "secure" (never say that we are 
>>> 100% secure...).
>>> 
>> 
>> 
>> Thank you so much :) :) to all of you mates, you have helped me tons of it 
>> :) :) :) really :) :)
>> 
>> 
>>> Thank you very much Josh.
>>> 
>>> Best regards,
>>> Ana
>>> 
>>> 
>>> 
>>> On Wed, Sep 30, 2015 at 11:22 AM, Josh Fisher <jfis...@pvct.com> wrote:
>>> 
>>> 
>>> On 9/30/2015 3:18 AM, Egoitz Aurrekoetxea wrote:
>>>> Hi Ana!!
>>>>
>>>> Really thanks for answering my doubts :)
>>>>
>>>> I do answer in black below...
>>>>
>>>>> On 30/9/2015, at 6:24, Ana Emília M. Arruda <emiliaarr...@gmail.com> wrote:
>>>>>
>>>>> On Mon, Sep 28, 2015 at 6:20 PM, Egoitz Aurrekoetxea <ego...@ramattack.net> wrote:
>>>>> Good night,
>>>>>
>>>>> Yes, you can have certificates from different CA in each side, you just 
>>>>> need to inform the CA correctly for peer verification. How did you 
>>>>> generate your certificates? Do you have a CA and signed them properly?
>>>>
>>>> I have an own dedicated CA for Bacula systems. One of the things I was 
>>>> trying to get with TLS is the fact that like both sides know the CA public 
>>>> key, they to be able to check if the information received in each side 
>>>> because of the other side’s sent data is unaltered due to a possible MITM 
>>>> issue. I mean, could I with verify peer ensure that if someone tries to do 
>>>> a MITM won’t succeed because both sides know the CA allowed to 
>>>> be used in signed certs?. So an attacker doing a signed certificate with a 
>>>> new CA (CA of the attacker for signing the attacking used certificate) 
>>>> won’t be able then to inject content in dir and fd dialogue or fd and sd 
>>>> dialogue?.
>>>> Or at least if it does, do each side, the sd, fd or the dir, interrupt the 
>>>> connection and stop the job notifying?.
>>>>
>>> 
>>> Think of it as 5 different security levels.
>>> 
>>> Level 0: 
>>># Data is transmitted as plain text
>>> TLS Enable = no
>>> 
>>> Level 1:
>>> # This level allows opportunistic encryption if the peer chooses, or 
>>> the peer can communicate in plain text.
>>> TLS Enable = yes
>>> TLS Require = no
>>> TLS Verify Peer = no
>>> TLS Certificate = /etc/bacula/cert.pem
>>> TLS Key = /etc/bacula/key.pem
>>> TLS CA Certificate File = /path/to/system/cafile
>>> 
>>> Level 2:
>>> # This level requires encryption of data. Any certificate will do, even 
>>> a self-signed certificate.
>>> TLS Enable = yes
>>> TLS Require = yes
>>> TLS Verify Peer = no
>>> TLS Certificate = /etc/bacula/cert.pem
>>> TLS Key = /etc/bacula/key.pem
>>> TLS CA Certificate File = /path/to/system/cafile
>>> 
>>> Level 3:
>>> # This level requires encryption and that the certificate presented by 
>>> the peer be signed by a trusted CA
>>> TLS Enable = yes
>>> TLS Require = yes
>>> TLS Verify Peer = yes
>>> TLS Certificate = /etc/bacula/cert.pem
>>> TLS Key = /etc/bacula/key.pem
>>> TLS CA Certificate File = /path/to/system/cafile
>>> 
>>> Level 4:
>>> # This level requires encryption and that the certificate presented by 
>>> the peer be signed by a trusted CA
>>> # and that the certificate have a specific CN
>>> TLS Enable = yes
>>> TLS Require = yes
>>> TLS Verify Peer = yes
>>> TLS Allowed CN = "some.client.common.name"
>>> TLS Certificate = /etc/bacula/cert.pem
>>> TLS Key = /etc/bacula/key.pem
>>> TLS CA Certificate File = /path/to/system/cafile
>>> 
>>> 
>>> As for a MiTM attack, keep in mind that an active attack is harder than a 
>>> passive attack. Even opportunistic encryption with self-signed certs 
>>> protects against passive snooping. Protecting against an active MiTM attack 
>>> requires authentication. Heartbleed bug aside, level 3 means that 

Re: [Bacula-users] Question about bacula and tls

2015-10-02 Thread Egoitz Aurrekoetxea
Good morning mates,

Apologies for my very very late response….

Just one question for confirming, in Josh’s third point, when he says:

> Level 3:
> # This level requires encryption and that the certificate presented by 
> the peer be signed by a trusted CA

It means a CA in CA certificate file OR a public key CA in the “TLS CA 
Certificate Dir”, isn’t it?.


> On 1/10/2015, at 16:09, Ana Emília M. Arruda wrote:
> 
> Hello Egoitz,
> 
> Is this thread clear? If you have your own dedicated CA, then take care of 
> her :). This way and having level 4 bacula TLS configured as Josh explained, 
> then your communication will be "secure" (never say that we are 100% 
> secure...).
> 


Thank you so much :) :) to all of you mates, you have helped me tons of it :) 
:) :) really :) :)


> Thank you very much Josh.
> 
> Best regards,
> Ana
> 
> 
> 
> On Wed, Sep 30, 2015 at 11:22 AM, Josh Fisher wrote:
> 
> 
> On 9/30/2015 3:18 AM, Egoitz Aurrekoetxea wrote:
>> Hi Ana!!
>> 
>> Really thanks for answering my doubts :)
>> 
>> I do answer in black below...
>> 
>>> On 30/9/2015, at 6:24, Ana Emília M. Arruda wrote:
>>> 
>>> 
>>> On Mon, Sep 28, 2015 at 6:20 PM, Egoitz Aurrekoetxea <ego...@ramattack.net> wrote:
>>> Good night,
>>> 
>>> 
>>> Yes, you can have certificates from different CA in each side, you just 
>>> need to inform the CA correctly for peer verification. How did you 
>>> generate your certificates? Do you have a CA and signed them properly?
>> 
>> I have an own dedicated CA for Bacula systems. One of the things I was 
>> trying to get with TLS is the fact that like both sides know the CA public 
>> key, they to be able to check if the information received in each side 
>> because of the other side’s sent data in unaltered due to a possible MITM 
>> issue. I mean, could I with verify peer ensure that if someone tries to do a 
>> MITM won’t succeed because both sides know the CA allowed to 
>> be used in signed certs?. So an attacker doing a signed certificate with a 
>> new CA (CA of the attacker for signing the attacking used certificate) won’t 
>> be able then to inject content in dir and fd dialogue or fd and sd dialogue?.
>> Or at least if it does, do each side, the sd, fd or the dir, interrupt the 
>> connection and stop the job notifying?.
>> 
> 
> Think of it as 5 different security levels.
> 
> Level 0: 
> # Data is transmitted as plain text
> TLS Enable = no
> 
> Level 1:
> # This level allows opportunistic encryption if the peer chooses, or the 
> peer can communicate in plain text.
> TLS Enable = yes
> TLS Require = no
> TLS Verify Peer = no
> TLS Certificate = /etc/bacula/cert.pem
> TLS Key = /etc/bacula/key.pem
> TLS CA Certificate File = /path/to/system/cafile
> 
> Level 2:
> # This level requires encryption of data. Any certificate will do, even a 
> self-signed certificate.
> TLS Enable = yes
> TLS Require = yes
> TLS Verify Peer = no
> TLS Certificate = /etc/bacula/cert.pem
> TLS Key = /etc/bacula/key.pem
> TLS CA Certificate File = /path/to/system/cafile
> 
> Level 3:
> # This level requires encryption and that the certificate presented by 
> the peer be signed by a trusted CA
> TLS Enable = yes
> TLS Require = yes
> TLS Verify Peer = yes
> TLS Certificate = /etc/bacula/cert.pem
> TLS Key = /etc/bacula/key.pem
> TLS CA Certificate File = /path/to/system/cafile
> 
> Level 4:
> # This level requires encryption and that the certificate presented by 
> the peer be signed by a trusted CA
> # and that the certificate have a specific CN
> TLS Enable = yes
> TLS Require = yes
> TLS Verify Peer = yes
> TLS Allowed CN = "some.client.common.name"
> TLS Certificate = /etc/bacula/cert.pem
> TLS Key = /etc/bacula/key.pem
> TLS CA Certificate File = /path/to/system/cafile
> 
> 
> As for a MiTM attack, keep in mind that an active attack is harder than a 
> passive attack. Even opportunistic encryption with self-signed certs protects 
> against passive snooping. Protecting against an active MiTM attack requires 
> authentication. Heartbleed bug aside, level 3 means that the attacker must 
> somehow acquire certificates signed by a CA in the TLS CA Certificate Files 
> of both client and server. Level 4 means that she must steal particular 
> certificates. So level 4 makes a MiTM attack very difficult.
> 
> That said, the real danger is a valid certificate that is stolen or 
> compromised. The CA can revoke a certificate, but this does no good because, 
> as far as I can tell, Bacula does not check CRLs! Level 3 is not very useful 
> without CRL checks. Therefore, always use level 4, at least until Bacula 
> supports CRL 

Re: [Bacula-users] Question about bacula and tls

2015-10-02 Thread Josh Fisher



On 10/2/2015 2:47 AM, Egoitz Aurrekoetxea wrote:

Good morning mates,

Apologies for my very very late response….

Just one question for confirming, in Josh’s third point, when he says:


Level 3:
# This level requires encryption and that the certificate
presented by the peer be signed by a trusted CA



It means a CA in CA certificate file OR a public key CA in the “TLS CA 
Certificate Dir”, isn’t it?.


Yes.




On 1/10/2015, at 16:09, Ana Emília M. Arruda wrote:


Hello Egoitz,

Is this thread clear? If you have your own dedicated CA, then take 
care of her :). This way and having level 4 bacula TLS configured as 
Josh explained, then your communication will be "secure" (never say 
that we are 100% secure...).





Thank you so much :) :) to all of you mates, you have helped me tons 
of it :) :) :) really :) :)




Thank you very much Josh.

Best regards,
Ana



On Wed, Sep 30, 2015 at 11:22 AM, Josh Fisher wrote:




On 9/30/2015 3:18 AM, Egoitz Aurrekoetxea wrote:

Hi Ana!!

Really thanks for answering my doubts :)

I do answer in black below...


On 30/9/2015, at 6:24, Ana Emília M. Arruda wrote:


On Mon, Sep 28, 2015 at 6:20 PM, Egoitz Aurrekoetxea wrote:

Good night,



Yes, you can have certificates from different CA in each
side, you just need to inform the CA correctly for peer
verification. How did you generate your certificates? Do you
have a CA and signed them properly?


I have an own dedicated CA for Bacula systems. One of the things
I was trying to get with TLS is the fact that like both sides
know the CA public key, they to be able to check if the
information received in each side
because of the other side’s sent data in unaltered due to a
possible MITM issue. I mean, could I with verify peer ensure
that if someone tries to do a MITM won’t succeed because both
sides know the CA allowed to
be used in signed certs?. So an attacker doing a signed
certificate with a new CA (CA of the attacker for signing the
attacking used certificate) won’t be able then to inject content
in dir and fd dialogue or fd and sd dialogue?.
Or at least if it does, do each side, the sd, fd or the dir,
interrupt the connection and stop the job notifying?.



Think of it as 5 different security levels.

Level 0:
   # Data is transmitted as plain text
TLS Enable = no

Level 1:
# This level allows opportunistic encryption if the peer
chooses, or the peer can communicate in plain text.
TLS Enable = yes
TLS Require = no
TLS Verify Peer = no
TLS Certificate = /etc/bacula/cert.pem
TLS Key = /etc/bacula/key.pem
TLS CA Certificate File = /path/to/system/cafile

Level 2:
# This level requires encryption of data. Any certificate
will do, even a self-signed certificate.
TLS Enable = yes
TLS Require = yes
TLS Verify Peer = no
TLS Certificate = /etc/bacula/cert.pem
TLS Key = /etc/bacula/key.pem
TLS CA Certificate File = /path/to/system/cafile

Level 3:
# This level requires encryption and that the certificate
presented by the peer be signed by a trusted CA
TLS Enable = yes
TLS Require = yes
TLS Verify Peer = yes
TLS Certificate = /etc/bacula/cert.pem
TLS Key = /etc/bacula/key.pem
TLS CA Certificate File = /path/to/system/cafile

Level 4:
# This level requires encryption and that the certificate
presented by the peer be signed by a trusted CA
# and that the certificate have a specific CN
TLS Enable = yes
TLS Require = yes
TLS Verify Peer = yes
TLS Allowed CN = "some.client.common.name"
TLS Certificate = /etc/bacula/cert.pem
TLS Key = /etc/bacula/key.pem
TLS CA Certificate File = /path/to/system/cafile


As for a MiTM attack, keep in mind that an active attack is
harder than a passive attack. Even opportunistic encryption with
self-signed certs protects against passive snooping. Protecting
against an active MiTM attack requires authentication. Heartbleed
bug aside, level 3 means that the attacker must somehow acquire
certificates signed by a CA in the TLS CA Certificate Files of
both client and server. Level 4 means that she must steal
particular certificates. So level 4 makes a MiTM attack very
difficult.

That said, the real danger is a valid certificate that is stolen
or compromised. The CA can revoke a certificate, but this does no
good because, as far as I can tell, Bacula does not check CRLs!

Re: [Bacula-users] Question about bacula and tls

2015-10-01 Thread Ana Emília M . Arruda
Hello Egoitz,

Is this thread clear? If you have your own dedicated CA, then take care of
her :). This way and having level 4 bacula TLS configured as Josh
explained, then your communication will be "secure" (never say that we are
100% secure...).

Thank you very much Josh.

Best regards,
Ana



On Wed, Sep 30, 2015 at 11:22 AM, Josh Fisher  wrote:

>
>
> On 9/30/2015 3:18 AM, Egoitz Aurrekoetxea wrote:
>
> Hi Ana!!
>
> Really thanks for answering my doubts :)
>
> I do answer in black below...
>
> On 30/9/2015, at 6:24, Ana Emília M. Arruda wrote:
>
>
> On Mon, Sep 28, 2015 at 6:20 PM, Egoitz Aurrekoetxea <
> ego...@ramattack.net> wrote:
>
>> Good night,
>>
>
>
> Yes, you can have certificates from different CA in each side, you just
> need to inform the CA correctly for peer verification. How did you
> generate your certificates? Do you have a CA and signed them properly?
>
>
> I have an own dedicated CA for Bacula systems. One of the things I was
> trying to get with TLS is the fact that like both sides know the CA public
> key, they to be able to check if the information received in each side
> because of the other side’s sent data in unaltered due to a possible MITM
> issue. I mean, could I with verify peer ensure that if someone tries to do
> a MITM won’t succeed because both sides know the CA allowed to
> be used in signed certs?. So an attacker doing a signed certificate with a
> new CA (CA of the attacker for signing the attacking used certificate)
> won’t be able then to inject content in dir and fd dialogue or fd and sd
> dialogue?.
> Or at least if it does, do each side, the sd, fd or the dir, interrupt the
> connection and stop the job notifying?.
>
>
> Think of it as 5 different security levels.
>
> Level 0:
> # Data is transmitted as plain text
> TLS Enable = no
>
> Level 1:
> # This level allows opportunistic encryption if the peer chooses, or
> the peer can communicate in plain text.
> TLS Enable = yes
> TLS Require = no
> TLS Verify Peer = no
> TLS Certificate = /etc/bacula/cert.pem
> TLS Key = /etc/bacula/key.pem
> TLS CA Certificate File = /path/to/system/cafile
>
> Level 2:
> # This level requires encryption of data. Any certificate will do,
> even a self-signed certificate.
> TLS Enable = yes
> TLS Require = yes
> TLS Verify Peer = no
> TLS Certificate = /etc/bacula/cert.pem
> TLS Key = /etc/bacula/key.pem
> TLS CA Certificate File = /path/to/system/cafile
>
> Level 3:
> # This level requires encryption and that the certificate presented by
> the peer be signed by a trusted CA
> TLS Enable = yes
> TLS Require = yes
> TLS Verify Peer = yes
> TLS Certificate = /etc/bacula/cert.pem
> TLS Key = /etc/bacula/key.pem
> TLS CA Certificate File = /path/to/system/cafile
>
> Level 4:
> # This level requires encryption and that the certificate presented by
> the peer be signed by a trusted CA
> # and that the certificate have a specific CN
> TLS Enable = yes
> TLS Require = yes
> TLS Verify Peer = yes
> TLS Allowed CN = "some.client.common.name"
> TLS Certificate = /etc/bacula/cert.pem
> TLS Key = /etc/bacula/key.pem
> TLS CA Certificate File = /path/to/system/cafile
>
>
> As for a MiTM attack, keep in mind that an active attack is harder than a
> passive attack. Even opportunistic encryption with self-signed certs
> protects against passive snooping. Protecting against an active MiTM attack
> requires authentication. Heartbleed bug aside, level 3 means that the
> attacker must somehow acquire certificates signed by a CA in the TLS CA
> Certificate Files of both client and server. Level 4 means that she must
> steal particular certificates. So level 4 makes a MiTM attack very
> difficult.
>
> That said, the real danger is a valid certificate that is stolen or
> compromised. The CA can revoke a certificate, but this does no good
> because, as far as I can tell, Bacula does not check CRLs! Level 3 is not
> very useful without CRL checks. Therefore, always use level 4, at least
> until Bacula supports CRL checks, since then a  can be avoided by removing
> its CN from the TLS Allowed CN list. If you are not worried about MiTM
> attacks and just want to prevent snooping, then level 2 will suffice.
>
>
>
>
>
--
___
Bacula-users mailing list
Bacula-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bacula-users


Re: [Bacula-users] Question about bacula and tls

2015-09-30 Thread Egoitz Aurrekoetxea
Hi Ana!!

Really thanks for answering my doubts :)

I do answer in black below...

> On 30/9/2015, at 6:24, Ana Emília M. Arruda wrote:
> 
> 
> On Mon, Sep 28, 2015 at 6:20 PM, Egoitz Aurrekoetxea wrote:
> Good night,
> 
> Good night Egoitz. Sorry for my late reply.
> 
> First of all thanks a lot for your time :)
> 
> Thank you for this thread :)

Thanks to you always :)

>  
> 
>> On 28/9/2015, at 21:46, Ana Emília M. Arruda wrote:
>> 
>> Hello,
>> 
>> The TLS enable do not force the use of TLS. For example, if you configure 
>> your director with TLS enable = yes and TLS require = no, clients can 
>> communicate with your director with or without TLS. But if you configure 
>> your director with both TLS enable and TLS require = yes, then all your 
>> clients and storage daemons will only be able to communicate with your 
>> director with TLS.
>> 
> 
> Yes, this is clear
> 
> 
>> If you do not set TLS Verify Peer or TLS Allowed CN, then you can use any 
>> Certificate File or Directory. The certificate CN will not be checked 
>> against the Certificate File or Directory configured.
> 
> what do you mean? any ca or ca path for each side cert? I could use 
> certificates from different ca in each side?. Even having the proper cn, this 
> didn’t work in my testing env (which doesn’t use tls verify peer or tls 
> allowed cn) … you mean the certificate won’t be checked if it was created by 
> the ca_certificate file's ca? Sorry can’t understand this...
> 
> Yes, you can have certificates from different CA in each side, you just need 
> to inform the CA correctly for peer verification. How did you generate your 
> certificates? Do you have a CA and signed them properly?

I have an own dedicated CA for Bacula systems. One of the things I was trying 
to get with TLS is the fact that like both sides know the CA public key, they 
to be able to check if the information received in each side 
because of the other side’s sent data in unaltered due to a possible MITM 
issue. I mean, could I with verify peer ensure that if someone tries to do a 
MITM won’t succeed because both sides know the CA allowed to 
be used in signed certs?. So an attacker doing a signed certificate with a new 
CA (CA of the attacker for signing the attacking used certificate) won’t be 
able then to inject content in dir and fd dialogue or fd and sd dialogue?.
Or at least if it does, do each side, the sd, fd or the dir, interrupt the 
connection and stop the job notifying?.

>  
> 
>> 
>> If TLS Verify Peer is enabled, then the peer’s hostname is verified against 
>> the subjectAltName (alternative name) and commonName attributes. This way, a 
>> certificate issued for myclient2.example.com cannot be used, for example, 
>> by a host named myclient1.example.com. Even if they are issued by your own CA 
>> (not a trusted root CA), you have the CN of the certificate file checked 
>> against the hostname (director, client or storage daemon host) that is using it.
> 
> Are you sure? this config parameter requires to specify ca cert file or ca 
> path.. and the code seems to be doing a check of the remote side cert to be 
> issued by the ca listed in ca cert or ca path…..
> 
> This just means the tls verify peer?. You can for instance use different ca 
> for bacula-dir and bacula-fd mean while one cert with one ca has as cn the 
> server name and the other one the bacula-fd’s daemon hostname?. Even when the 
> ca is not trusted?? will it work?. Sorry but this doesn’t work to me…. are 
> you really sure Ana?
> 
> 
> If you have certificates signed by different CA's, you just need to inform 
> them through the "TLS CA Certificate File" or "TLS CA Certificate Dir" to 
> the other peer. For example, if you have director's certificate signed by CA1 
> and you have client1's certificate signed by CA2, then your director will 
> need to know about the CA2 certificate to verify the client1 certificate.

That’s it… so then even if the OS and Openssl comes with root ca certificates 
from known trusted CA (Thawte, Verisign, etc) a certificate signed by these CA 
won’t be accepted by a remote side where the ca certificate and all of 
its intermediates is not in a file in "TLS CA Certificate Dir” or is the own 
file in "TLS CA Certificate File”. I mean even being known in the world and by 
the OS running in the certificate verifying machine, if the CA certs don’t 
exist in the "TLS CA Certificate Dir” or is not the "TLS CA Certificate File” 
will never be accepted by the certificate verifying part.

So then, "TLS Verify Peer” apart from checking the CN of the cert offered by 
the machine we are connecting to, to be the same as the entire name we have 
asked for resolution for connecting to the other side it checks too that 

Re: [Bacula-users] Question about bacula and tls

2015-09-30 Thread Josh Fisher



On 9/30/2015 3:18 AM, Egoitz Aurrekoetxea wrote:

Hi Ana!!

Really thanks for answering my doubts :)

I do answer in black below...

On 30/9/2015, at 6:24, Ana Emília M. Arruda wrote:



On Mon, Sep 28, 2015 at 6:20 PM, Egoitz Aurrekoetxea wrote:


Good night,



Yes, you can have certificates from different CA in each side, you 
just need to inform the CA correctly for peer verification. How did 
you generate your certificates? Do you have a CA and signed them 
properly?


I have an own dedicated CA for Bacula systems. One of the things I was 
trying to get with TLS is the fact that like both sides know the CA 
public key, they to be able to check if the information received in 
each side
because of the other side’s sent data in unaltered due to a possible 
MITM issue. I mean, could I with verify peer ensure that if someone 
tries to do a MITM won’t succeed because both sides know the CA 
allowed to
be used in signed certs?. So an attacker doing a signed certificate 
with a new CA (CA of the attacker for signing the attacking used 
certificate) won’t be able then to inject content in dir and fd 
dialogue or fd and sd dialogue?.
Or at least if it does, do each side, the sd, fd or the dir, interrupt 
the connection and stop the job notifying?.




Think of it as 5 different security levels.

Level 0:
   # Data is transmitted as plain text
TLS Enable = no

Level 1:
# This level allows opportunistic encryption if the peer chooses, 
or the peer can communicate in plain text.

TLS Enable = yes
TLS Require = no
TLS Verify Peer = no
TLS Certificate = /etc/bacula/cert.pem
TLS Key = /etc/bacula/key.pem
TLS CA Certificate File = /path/to/system/cafile

Level 2:
# This level requires encryption of data. Any certificate will do, 
even a self-signed certificate.

TLS Enable = yes
TLS Require = yes
TLS Verify Peer = no
TLS Certificate = /etc/bacula/cert.pem
TLS Key = /etc/bacula/key.pem
TLS CA Certificate File = /path/to/system/cafile

Level 3:
# This level requires encryption and that the certificate presented 
by the peer be signed by a trusted CA

TLS Enable = yes
TLS Require = yes
TLS Verify Peer = yes
TLS Certificate = /etc/bacula/cert.pem
TLS Key = /etc/bacula/key.pem
TLS CA Certificate File = /path/to/system/cafile

Level 4:
# This level requires encryption and that the certificate presented 
by the peer be signed by a trusted CA

# and that the certificate have a specific CN
TLS Enable = yes
TLS Require = yes
TLS Verify Peer = yes
TLS Allowed CN = "some.client.common.name"
TLS Certificate = /etc/bacula/cert.pem
TLS Key = /etc/bacula/key.pem
TLS CA Certificate File = /path/to/system/cafile


As for a MiTM attack, keep in mind that an active attack is harder than 
a passive attack. Even opportunistic encryption with self-signed certs 
protects against passive snooping. Protecting against an active MiTM 
attack requires authentication. Heartbleed bug aside, level 3 means that 
the attacker must somehow acquire certificates signed by a CA in the TLS 
CA Certificate Files of both client and server. Level 4 means that she 
must steal particular certificates. So level 4 makes a MiTM attack very 
difficult.


That said, the real danger is a valid certificate that is stolen or 
compromised. The CA can revoke a certificate, but this does no good 
because, as far as I can tell, Bacula does not check CRLs! Level 3 is 
not very useful without CRL checks. Therefore, always use level 4, at 
least until Bacula supports CRL checks, since then a  can be avoided by 
removing its CN from the TLS Allowed CN list. If you are not worried 
about MiTM attacks and just want to prevent snooping, then level 2 will 
suffice.




--
___
Bacula-users mailing list
Bacula-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bacula-users
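
The five levels described in the message above can be checked mechanically against a daemon configuration. The following is an added example, not part of the original thread and not Bacula's own code; it assumes Bacula's usual resource syntax (`Type { Directive = value }`, `#` comments, directive names compared without regard to case or spaces), and the sample configuration and the names `parse_resources`, `tls_level` and `audit` are constructed for illustration.

```python
import re

TLS_RESOURCES = {"director", "client", "filedaemon", "storage", "console"}
# Tokens: quoted string, '#' comment, structural character, or plain text.
TOKEN = re.compile(r'"[^"]*"|#[^\n]*|[{};\n]|[^"#{};\n]+')
NOTES = {  # wording follows the level descriptions in the thread
    0: "level 0: data is transmitted as plain text",
    1: "level 1: encryption is optional, the peer may talk plain text",
    2: "level 2: encrypted, but any certificate is accepted",
    3: "level 3: any certificate signed by a trusted CA is accepted",
}

# Constructed sample in the style of bacula-fd.conf (not from the thread).
SAMPLE_CONF = '''
Director {
  Name = prod-dir
  TLS Enable = yes
  TLS Require = yes
  TLS Verify Peer = yes
  TLS Allowed CN = "director.example.com"
  TLS CA Certificate File = /etc/bacula/ca.pem
}
Director {
  Name = test-dir            # CA-signed peer, any CN
  tlsenable = yes; TLS Require = yes
  TLS Verify Peer = yes
  TLS CA Certificate File = /etc/bacula/ca.pem
}
Director {
  Name = monitor-dir
  TLS Enable = yes
  TLS Require = yes
  TLS Verify Peer = no
  TLS Allowed CN = "monitor.example.com"
}
Messages { Name = Standard }
'''


def parse_resources(text):
    """Return [(type, {directive: [values]})] for each top-level resource."""
    resources, stack, buf = [], [], []

    def flush():
        stmt = "".join(buf).strip()
        if "=" in stmt:              # else: blank, or a type awaiting its '{'
            buf.clear()
            if len(stack) == 1:      # directives of nested blocks are ignored
                key, value = stmt.split("=", 1)
                key = re.sub(r"\s+", "", key).lower()  # case/spaces ignored
                stack[0][1].setdefault(key, []).append(value.strip().strip('"'))

    for tok in TOKEN.findall(text + "\n"):
        if tok == "{":
            stack.append(("".join(buf).strip(), {}))
            buf.clear()
        elif tok == "}":
            flush()
            buf.clear()
            if len(stack) == 1:
                resources.append(stack[0])
            del stack[-1:]
        elif tok in (";", "\n"):
            flush()
        elif not tok.startswith("#"):  # comments outside quotes are dropped
            buf.append(tok)
    return resources


def is_yes(d, key):
    """Last value wins; an absent directive counts as 'no' (an assumption)."""
    return d.get(key, ["no"])[-1].lower() in ("yes", "true")


def tls_level(d):
    """Map one resource's directives to the thread's levels 0-4."""
    for level, key in enumerate(("tlsenable", "tlsrequire", "tlsverifypeer")):
        if not is_yes(d, key):
            return level
    return 4 if "tlsallowedcn" in d else 3


def audit(text):
    """Return [(type, name, level, findings)] for TLS-capable resources."""
    report = []
    for rtype, d in parse_resources(text):
        if rtype.lower() not in TLS_RESOURCES:
            continue
        level, verify = tls_level(d), is_yes(d, "tlsverifypeer")
        findings = [NOTES[level]] if level < 4 else []
        if verify and not d.keys() & {"tlscacertificatefile", "tlscacertificatedir"}:
            findings.append("TLS Verify Peer needs a CA certificate file or dir")
        if "tlsallowedcn" in d and not verify:
            findings.append("TLS Allowed CN set while TLS Verify Peer is off")
        report.append((rtype, d.get("name", ["?"])[0], level, findings))
    return report


if __name__ == "__main__":
    print(*audit(SAMPLE_CONF), sep="\n")
```

Treating an absent directive as "no" gives the weakest reading of a resource; compare the result against the defaults of the Bacula version in use before acting on it.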


Re: [Bacula-users] Question about bacula and tls

2015-09-29 Thread Ana Emília M . Arruda
On Mon, Sep 28, 2015 at 6:20 PM, Egoitz Aurrekoetxea 
wrote:

> Good night,
>

Good night Egoitz. Sorry for my late reply.


>
> First of all thanks a lot for your time :)
>

Thank you for this thread :)


>
> On 28/9/2015, at 21:46, Ana Emília M. Arruda wrote:
>
> Hello,
>
> The TLS enable do not force the use of TLS. For example, if you configure
> your director with TLS enable = yes and TLS require = no, clients can
> communicate with your director with or without TLS. But if you configure
> your director with both TLS enable and TLS require = yes, then all your
> clients and storage daemons will only be able to communicate with your
> director with TLS.
>
>
> Yes, this is clear
>
>
> If you do not set TLS Verify Peer or TLS Allowed CN, then you can use any
> Certificate File or Directory. The certificate CN will not be checked
> against the Certificate File or Directory configured.
>
>
> what do you mean? any ca or ca path for each side cert? I could use
> certificates from different ca in each side?. Even having the proper cn,
> this didn’t work in my testing env (which doesn’t use tls verify peer or
> tls allowed cn) … you mean the certificate won’t be checked if it was
> created by the ca_certificate file's ca? Sorry can’t understand this...
>

Yes, you can have certificates from different CA in each side, you just
need to inform the CA correctly for peer verification. How did you
generate your certificates? Do you have a CA and signed them properly?


>
>
> If TLS Verify Peer is enabled, then the peer’s hostname is verified
> against the subjectAltName (alternative name) and commonName attributes.
> This way, a certificate issued for myclient2.example.com cannot be used,
> for example, by a host named myclient1.example.com. Even if they are
> issued by your own CA (not a trusted root CA), you have the CN of the
> certificate file checked against the hostname (director, client or storage
> daemon host) that is using it.
>
>
> Are you sure? this config parameter requires to specify ca cert file or ca
> path.. and the code seems to be doing a check of the remote side cert to be
> issued by the ca listed in ca cert or ca path…..
>
> This just means the tls verify peer?. You can for instance use different
> ca for bacula-dir and bacula-fd mean while one cert with one ca has as cn
> the server name and the other one the bacula-fd’s daemon hostname?. Even
> when the ca is not trusted?? will it work?. Sorry but this doesn’t work to
> me…. are you really sure Ana?
>
>
If you have certificates signed by different CA's, you just need to inform
them through the "TLS CA Certificate File" or "TLS CA Certificate Dir" to
the other peer. For example, if you have director's certificate signed by
CA1 and you have client1's certificate signed by CA2, then your director
will need to know about the CA2 certificate to verify the client1
certificate.


>
> If TLS Allowed CN is enabled, then in addition to the peer’s hostname
> being verified, just those listed in the "TLS Allowed CN" directives
> are permitted.
>
>
> So each part to have it’s proper cert (matching cn with the connecting
> name and so) and if this last is ok… to be in tls allowed cn too… do you
> mean this?
>

Yes, but I misunderstood here. I was having a look into the code and now I
understand this: if TLS Allowed CN is specified, then the CN's listed here
will be verified against the cn present in the certificate provided by the
peer. If no TLS Allowed CN is specified then a simple host and certificate
common name comparison takes place.


>
> If TLS Verify Peer is not enabled and a client uses a "false" certificate
> (myclient2 using the myclient1 certificate and myclient1 is in the allowed
> CN list, for example) from a host in the allowed CN list of allowed hosts,
> it will work.
>
>
> I see… so the cert can be both from the same ca or not..or… isn’t it?
>
>
> Openssl functions are used for certificate manipulation (including
> validation and verification).
>
>
> Yep I’ve seen in the code…
>
>
> So, it will depend of what you want to have in you TLS communication, even
> if using your own CA for the PKI infrastructure used in your bacula TLS
> environment. You can have your own CA (a virtual machine for this purpose),
> that will be your trusted CA for your environment. And let all your daemons
> trust in each other by setting properly the TLS Verify Peer and TLS Allowed
> CN directives. I think this should work fine for what you want.
>
>
> I could use tls verify peer in the director and in bacula-fd (dir and sd
> are the same machine and to use loopback)…
>
> I wanted each director and each fd, to only be able to be accessed by just
> those remote daemons who own a certificate allowing them to do so…
>
> could you please paste an example config?
>

Sure. For example, this worked fine for me:

bconsole.conf:

Director {
  Name = director.example.com-dir
  DIRport = 9101
  address 

Re: [Bacula-users] Question about bacula and tls

2015-09-28 Thread Egoitz Aurrekoetxea
Have been taking a look to all this in the source code…

It seems that TLS Verify Peer basically ends up by doing (look at bold please) :

/*
 * Create a new TLS_CONTEXT instance.
 *  Returns: Pointer to TLS_CONTEXT instance on success
 *           NULL on failure;
 */
TLS_CONTEXT *new_tls_context(const char *ca_certfile, const char *ca_certdir,
                             const char *certfile, const char *keyfile,
                             CRYPTO_PEM_PASSWD_CB *pem_callback,
                             const void *pem_userdata, const char *dhfile,
                             bool verify_peer)
{
   TLS_CONTEXT *ctx;
   BIO *bio;
   DH *dh;

   /* ... */

   SSL_CTX_set_default_passwd_cb(ctx->openssl, tls_pem_callback_dispatch);
   SSL_CTX_set_default_passwd_cb_userdata(ctx->openssl, (void *) ctx);

   /*
    * Set certificate verification paths. This requires that at least one
    * value be non-NULL
    */
   if (ca_certfile || ca_certdir) {
      if (!SSL_CTX_load_verify_locations(ctx->openssl, ca_certfile, ca_certdir)) {
         openssl_post_errors(M_FATAL, _("Error loading certificate verification stores"));
         goto err;
      }
   } else if (verify_peer) {
      /* At least one CA is required for peer verification */
      Jmsg0(NULL, M_ERROR, 0, _("Either a certificate file or a directory must be"
                                " specified as a verification store\n"));
      goto err;
   }

For later but in the same function to : 

   /* Verify Peer Certificate */
   if (verify_peer) {
      /* SSL_VERIFY_FAIL_IF_NO_PEER_CERT has no effect in client mode */
      SSL_CTX_set_verify(ctx->openssl,
                         SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
                         openssl_verify_peer);
   }

 
It needs a ca public key or a directory with ca public keys….

So I assume that setting properly : 

TLS Enable = Yes
TLS Require = Yes
TLS Certificate =
TLS Key =
TLS Verify Peer =
TLS CA Certificate File = 

it’s enough when you have created all certs with an own (not popularly accepted 
as trusted CA).

The TLS Allowed CN directive, I think it’s just when you use a not dedicated CA 
for the backup or you are using 
a trusted CA where lots of certs could be easily signed (like Thawte) for 
restricting which CN can connect for avoiding 
not authorized valid certs to connect.

And by the way, I think perhaps TLS Verify Peer is not properly documented 
because in : 

http://www.bacula.org/5.1.x-manuals/en/main/main/Bacula_TLS_Communications.html 

it says:

TLS Verify Peer = yes|no
Verify peer certificate. Instructs server to request and verify the client's 
x509 certificate. Any client certificate signed by a known-CA will be accepted 
unless the TLS Allowed CN configuration directive is used, in which case the 
client certificate must correspond to the Allowed Common Name specified. This 
directive is valid only for a server and not in a client context.


But in the code, you can see : 

   /* Verify Peer Certificate */
   if (verify_peer) {
      /* SSL_VERIFY_FAIL_IF_NO_PEER_CERT has no effect in client mode */
      SSL_CTX_set_verify(ctx->openssl,
                         SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
                         openssl_verify_peer);
   }


both flags and I have seen you call to new_tls_context from filed.c.

Perhaps this should be corrected in the doc? or am I missing something?.

Best regards,



> On 28/9/2015, at 15:57, Egoitz Aurrekoetxea wrote:
> 
> Hi mates,
> 
> Have been doing some checks with Bacula and TLS. 
> 
> At present I have a TLS enable directive, require tls to yes and the ca 
> certificate public key (of an own CA) copied in the server and the client.
> 
> Now I become an attacker and If I create a new client certificate with the 
> same CN as the present used one in bacula-fd and configure bacula-fd to use 
> this falsified certificate 
> of the falsified ca whose public key is used in the ca cert file directive of 
> the bacula-fd, you can’t do from the server (director) a status client. This 
> seems to be fine, because it seems 
> that like we are not using a known ca (like geotrust, thawte or similar) and 
> each other part is not using certificate signed by the ca whose public key 
> they have in the config each 
> part, the fd and the dir refuse to agree, basically to arrange a TLS 
> connection.
> 
> So now… my question is then… when is required to use TLS Verify peer in the 
> director and the fd?. When someone could use a certificate from Thawte for 
> example??. Then you can use 
> TLS Allowed CN for even in this situation to avoid using this Thawte’s certs 
> in some way?. But how? the CN could be same as the “good” certificate one.
> 
> What’s the real purpose of verify peer and tls allowed cn?.
> 
> Now by the way… the main reason I needed TLS to work fine, is just for 
> avoiding an 

Re: [Bacula-users] Question about bacula and tls

2015-09-28 Thread Egoitz Aurrekoetxea
Good night,

First of all thanks a lot for your time :)

> On 28/9/2015, at 21:46, Ana Emília M. Arruda wrote:
> 
> Hello,
> 
> The TLS enable do not force the use of TLS. For example, if you configure 
> your director with TLS enable = yes and TLS require = no, clients can 
> communicate with your director with or without TLS. But if you configure your 
> director with both TLS enable and TLS require = yes, then all your clients 
> and storage daemons will only be able to communicate with your director with 
> TLS.
> 

Yes, this is clear


> If you do not set TLS Verify Peer or TLS Allowed CN, then you can use any 
> Certificate File or Directory. The certificate CN will not be checked against 
> the Certificate File or Directory configured.

what do you mean? any ca or ca path for each side cert? I could use 
certificates from different ca in each side?. Even having the proper cn, this 
didn’t work in my testing env (which doesn’t use tls verify peer or tls 
allowed cn) … you mean the certificate won’t be checked if it was created by 
the ca_certificate file's ca? Sorry can’t understand this...

> 
> If TLS Verify Peer is enabled, then the peer's hostname is verified against 
> the subjectAltName (alternative name) and commonName attributes. This way, a 
> certificate issued for myclient2.example.com cannot be used, for example, by 
> a host named myclient1.example.com. Even if they are issued by your own CA 
> (not a trusted root CA), you have the CN of the certificate file checked 
> against the hostname (director, client or storage daemon host) that is using it.

Are you sure? this config parameter requires to specify ca cert file or ca 
path.. and the code seems to be doing a check of the remote side cert to be 
issued by the ca listed in ca cert or ca path…..

This just means the tls verify peer?. You can for instance use different ca for 
bacula-dir and bacula-fd mean while one cert with one ca has as cn the server 
name and the other one the bacula-fd’s daemon hostname?. Even when the ca is 
not trusted?? will it work?. Sorry but this doesn’t work to me…. are you really 
sure Ana?

> 
> If TLS Allowed CN is enabled, then in addition to the peer's hostname being 
> verified, just those listed in the "TLS Allowed CN" directives are 
> permitted.

So each part to have it’s proper cert (matching cn with the connecting name and 
so) and if this last is ok… to be in tls allowed cn too… do you mean this?

> If TLS Verify Peer is not enabled and a client uses a "false" certificate 
> (myclient2 using the myclient1 certificate and myclient1 is in the allowed CN 
> list, for example) from a host in the allowed CN list of allowed hosts, it 
> will work.

I see… so the cert can be both from the same ca or not..or… isn’t it?

> 
> Openssl functions are used for certificate manipulation (including validation 
> and verification).

Yep I’ve seen in the code…

> 
> So, it will depend on what you want to have in your TLS communication, even if 
> using your own CA for the PKI infrastructure used in your bacula TLS 
> environment. You can have your own CA (a virtual machine for this purpose), 
> that will be your trusted CA for your environment. And let all your daemons 
> trust in each other by setting properly the TLS Verify Peer and TLS Allowed 
> CN directives. I think this should work fine for what you want.
> 

I could use tls verify peer in the director and in bacula-fd (dir and sd are 
the same machine and to use loopback)…

I wanted each director and each fd, to only be able to be accessed by just those 
remote daemons who own a certificate allowing them to do so…

could you please paste an example config?

> Best regards,

Thank you so much again, really,
Egoitz

> Ana
> 
> 
> On Mon, Sep 28, 2015 at 3:03 PM, Egoitz Aurrekoetxea wrote:
> Have been taking a look to all this in the source code…
> 
> It seems that TLS Verify Peer basically ends up by doing (look at bold 
> please) :
> 
> /*
>  * Create a new TLS_CONTEXT instance.
>  *  Returns: Pointer to TLS_CONTEXT instance on success
>  *           NULL on failure;
>  */
> TLS_CONTEXT *new_tls_context(const char *ca_certfile, const char *ca_certdir,
>                              const char *certfile, const char *keyfile,
>                              CRYPTO_PEM_PASSWD_CB *pem_callback,
>                              const void *pem_userdata, const char *dhfile,
>                              bool verify_peer)
> {
>    TLS_CONTEXT *ctx;
>    BIO *bio;
>    DH *dh;
> 
>    .
>    .
>    .
>    .
>    .
>    .
>    .
>    SSL_CTX_set_default_passwd_cb(ctx->openssl, tls_pem_callback_dispatch);
>    SSL_CTX_set_default_passwd_cb_userdata(ctx->openssl, (void *) ctx);
> 
>    /*
>     * Set certificate verification paths. This requires that at least one
>     * value be non-NULL
>     */
>    if (ca_certfile || 

[Bacula-users] Question about bacula and tls

2015-09-28 Thread Egoitz Aurrekoetxea
Hi mates,

Have been doing some checks with Bacula and TLS. 

At present I have a TLS enable directive, require tls to yes and the ca 
certificate public key (of an own CA) copied in the server and the client.

Now I become an attacker and If I create a new client certificate with the same 
CN as the present used one in bacula-fd and configure bacula-fd to use this 
falsified certificate 
of the falsified ca whose public key is used in the ca cert file directive of 
the bacula-fd, you can’t do from the server (director) a status client. This 
seems to be fine, because it seems 
that like we are not using a known ca (like geotrust, thawte or similar) and 
each other part is not using certificate signed by the ca whose public key they 
have in the config each 
part, the fd and the dir refuse to agree, basically to arrange a TLS connection.

So now… my question is then… when is required to use TLS Verify peer in the 
director and the fd?. When someone could use a certificate from Thawte for 
example??. Then you can use 
TLS Allowed CN for even in this situation to avoid using this Thawte’s certs in 
some way?. But how? the CN could be same as the “good” certificate one.

What’s the real purpose of verify peer and tls allowed cn?.

Now by the way… the main reason I needed TLS to work fine, is just for avoiding 
an arp poisoning attack to make Bacula store or restore injected data in a 
backup. How could this be done 
noticing that anyone could create a Thawte’s for instance certificate for the 
client, and even you have TLS Allowed CN the CN of the client, as the cert is 
valid, this damage could be caused? 
isn’t it?.

Thanks a lot really,


--
___
Bacula-users mailing list
Bacula-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bacula-users


Re: [Bacula-users] Question about bacula and tls

2015-09-28 Thread Ana Emília M . Arruda
Hello,

The TLS enable does not force the use of TLS. For example, if you configure
your director with TLS enable = yes and TLS require = no, clients can
communicate with your director with or without TLS. But if you configure
your director with both TLS enable and TLS require = yes, then all your
clients and storage daemons will only be able to communicate with your
director with TLS.

If you do not set TLS Verify Peer or TLS Allowed CN, then you can use any
Certificate File or Directory. The certificate CN will not be checked
against the Certificate File or Directory configured.

If TLS Verify Peer is enabled, then the peer's hostname is verified against
the subjectAltName (alternative name) and commonName attributes. This way,
a certificate issued for myclient2.example.com cannot be used, for example,
by a host named myclient1.example.com. Even if they are issued by your own
CA (not a trusted root CA), you have the CN of the certificate file checked
against the hostname (director, client or storage daemon host) that is
using it.

If TLS Allowed CN is enabled, then in addition to the peer's hostname being
verified, just those listed in the "TLS Allowed CN" directives are
permitted. If TLS Verify Peer is not enabled and a client uses a "false"
certificate (myclient2 using the myclient1 certificate and myclient1 is in
the allowed CN list, for example) from a host in the allowed CN list of
allowed hosts, it will work.

Openssl functions are used for certificate manipulation (including
validation and verification).

So, it will depend on what you want to have in your TLS communication, even
if using your own CA for the PKI infrastructure used in your bacula TLS
environment. You can have your own CA (a virtual machine for this purpose),
that will be your trusted CA for your environment. And let all your daemons
trust in each other by setting properly the TLS Verify Peer and TLS Allowed
CN directives. I think this should work fine for what you want.

Best regards,
Ana


On Mon, Sep 28, 2015 at 3:03 PM, Egoitz Aurrekoetxea 
wrote:

> Have been taking a look to all this in the source code…
>
> It seems that TLS Verify Peer basically ends up by doing (look at bold
> please) :
>
> /*
>  * Create a new TLS_CONTEXT instance.
>  *  Returns: Pointer to TLS_CONTEXT instance on success
>  *   NULL on failure;
>  */
> TLS_CONTEXT *new_tls_context(const char *ca_certfile, const char *ca_certdir,
>                              const char *certfile, const char *keyfile,
>                              CRYPTO_PEM_PASSWD_CB *pem_callback,
>                              const void *pem_userdata, const char *dhfile,
>                              bool verify_peer)
> {
>    TLS_CONTEXT *ctx;
>    BIO *bio;
>    DH *dh;
>
>    .
>    .
>    .
>    .
>    .
>    .
>    .
>    SSL_CTX_set_default_passwd_cb(ctx->openssl, tls_pem_callback_dispatch);
>    SSL_CTX_set_default_passwd_cb_userdata(ctx->openssl, (void *) ctx);
>
>/*
> * Set certificate verification paths. This requires that at least one
> * value be non-NULL
> */
> *   if (ca_certfile || ca_certdir) {*
> *  if (!SSL_CTX_load_verify_locations(ctx->openssl, ca_certfile,
> ca_certdir)) {*
> * openssl_post_errors(M_FATAL, _("Error loading certificate
> verification stores"));*
> * goto err;*
> *  }*
> *   } else if (verify_peer) {*
> *  /* At least one CA is required for peer verification */*
> *  Jmsg0(NULL, M_ERROR, 0, _("Either a certificate file or a directory
> must be"*
> * " specified as a verification store\n"));*
> *  goto err;*
> *   }*
>
> For later but in the same function to :
>
>
> *   /* Verify Peer Certificate */*
> *   if (verify_peer) {*
> *      /* SSL_VERIFY_FAIL_IF_NO_PEER_CERT has no effect in client mode */*
> *      SSL_CTX_set_verify(ctx->openssl,*
> *                         SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT,*
> *                         openssl_verify_peer);*
> *   }*
>
> It needs a ca public key or a directory with ca public keys….
>
> So I assume that setting properly :
>
> TLS Enable = Yes
> TLS Require = Yes
> TLS Certificate =
> TLS Key =
> TLS Verify Peer =
> TLS CA Certificate File =
>
> it’s enough when you have created all certs with an own (not popularly
> accepted as trusted CA).
>
> The TLS Allowed CN directive, I think it’s just when you use a not
> dedicated CA for the backup or you are using
> a trusted CA where lots of certs could be easily signed (like Thawte) for
> restricting which CN can connect for avoiding
> not authorized valid certs to connect.
>
> And by the way, I think perhaps TLS Verify Peer is not properly documented
> because in :
>
> http://www.bacula.org/5.1.x-manuals/en/main/main/Bacula_TLS_Communications.html
>
> it says :
>
> *TLS Verify Peer = yes|no* Verify peer certificate. Instructs server to
> request and verify the client's x509 certificate. Any client certificate
> signed by a known-CA will be 
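
The trust decision this thread keeps returning to, as an added shell example (not from the thread and not Bacula code): it generates a constructed CA and certificates with the openssl CLI and models the order of checks in the manual text quoted above, chain to the configured CA first, then the optional TLS Allowed CN list. The host names, file prefixes and the `peer_accepted` helper are assumptions made for the demo.

```shell
#!/bin/sh
# Constructed lab: every key, CA and certificate is generated here in a
# temporary directory. Host names and file prefixes are made up for the demo.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

make_ca() {        # $1 = file prefix, $2 = CA common name
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

issue_cert() {     # $1 = signing CA prefix, $2 = output prefix, $3 = subject CN
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" >/dev/null 2>&1 &&
    openssl x509 -req -days 1 -in "$WORK/$2.csr" -CA "$WORK/$1.pem" \
        -CAkey "$WORK/$1.key" -CAcreateserial -out "$WORK/$2.pem" >/dev/null 2>&1
}

chain_ok() {       # does cert $2 chain to CA file $1 (the "TLS CA Certificate File" role)?
    openssl verify -CAfile "$WORK/$1.pem" "$WORK/$2.pem" 2>/dev/null | grep -q ': OK$'
}

cert_cn() {        # print the subject CN of cert $1
    openssl x509 -noout -subject -nameopt RFC2253 -in "$WORK/$1.pem" |
        sed -e 's/^subject= *//' -e 's/^CN=//' -e 's/,.*$//'
}

# Hypothetical helper modelling the accept rule in the quoted manual text:
# the peer certificate must chain to the configured CA, and if any allowed
# CNs are given, its CN must equal one of them. This is not Bacula's code.
peer_accepted() {  # $1 = trusted CA prefix, $2 = peer cert prefix, rest = allowed CNs
    ca=$1 peer=$2; shift 2
    chain_ok "$ca" "$peer" || return 1
    [ $# -eq 0 ] && return 0     # no allowed-CN list: any cert from the CA passes
    cn=$(cert_cn "$peer")
    for allowed in "$@"; do
        [ "$cn" = "$allowed" ] && return 0
    done
    return 1
}

show() {           # $1 = label, rest = arguments for peer_accepted
    label=$1; shift
    if peer_accepted "$@"; then echo "ACCEPT  $label"; else echo "REJECT  $label"; fi
}

make_ca backupca "Constructed Backup CA"      # the CA both daemons are configured with
make_ca otherca  "Constructed Unrelated CA"   # a CA neither daemon trusts
issue_cert backupca dir    backup1.example.com   # genuine director certificate
issue_cert backupca laptop laptop7.example.com   # another holder of a cert from the same CA
issue_cert otherca  forged backup1.example.com   # same CN, but signed by the untrusted CA

show "genuine cert, no allowed-CN list"        backupca dir
show "same CN from untrusted CA, no list"      backupca forged
show "other cert from same CA, no list"        backupca laptop
show "other cert from same CA, CN list set"    backupca laptop backup1.example.com
show "genuine cert, CN list set"               backupca dir    backup1.example.com
show "same CN from untrusted CA, CN list set"  backupca forged backup1.example.com
```

The certificate that copies the CN but comes from the unrelated CA is rejected at the chain check, before the CN list is consulted; the CN list only narrows which certificates from the trusted CA are accepted.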

[Bacula-users] Question about bacula conception

2009-05-28 Thread - -
Hello all,

I have a question about bacula conception.

When you define a job, you have to tell in it where you will store the data,
with the keyword Storage.

Imagine you do backup on disk: on the storage conf file, you define 3
virtual drives (VirtualTapeDrive_01,VirtualTapeDrive_02,VirtualTapeDrive_03)
which take 4GiBFile as media.
In the job definition, you have to put the name of the storage through which
data will be written. Let's name them VTD_01, VTD_02, VTD_03 to be
consistent with the definition in the bacula-sd.conf file. They are named in
the bacula-dir.conf file.

At this point I don't understand. Why define a storage device instead of a
storage daemon in the job definition.

If the drive is already used, your job will have to wait until it would be
available again, even if the storage daemon manages 2 other drives which are
free. So why such a conception ? In this manner, you can do a sort of load
balancing  by storage daemon, you have to do a load balancing by jobs, which
is more difficult to manage.

Do I understand something wrong ? Can someone explain me why this choice ?

Thanks !


Re: [Bacula-users] Question about bacula console

2006-11-08 Thread Jaime Ventura
Hi, Tom
I'm not sure about all GUI consoles available since I use only the 
CLI console, but you can do it.
On bacula's gnome-console, once you have your jobs defined, you may 
run them manually with the run command (or clicking on the run 
button). This command allows you to quickly change any of the job 
parameters if you want to and run it.

Jaime Ventura
[Infra-estruturas e Comunicações]

Rua Dr. António Bernardino de Almeida, 431
4200 - 072 Porto
Telef: +351 22 834 05 00 (04) - ext. 1641
Fax: +351 22 832 11 59

e-mail: [EMAIL PROTECTED]
url: http://www.isep.ipp.pt







Tom Moyer wrote:
> I am thinking about setting up bacula to handle the backups for about 
> 5 computers on a network, one of which will be a laptop.  I was 
> wondering how easy it is to initiate a manual backup from the console, 
> and is it possible to do so through the GUI consoles that are available?
 



Re: [Bacula-users] Question about bacula console

2006-11-08 Thread Paul Norland





I would spend a bit of time reading the docs and to get you started,
http://bacula.org/rel-manual/Brief_Tutorial.html.
From the ./bconsole it is quite easy to start a manual backup. 

Tom Moyer wrote:
> I am thinking about setting up bacula to handle the
> backups for about 5 computers on a network, one of which will be a
> laptop. I was wondering how easy it is to initiate a manual backup
> from the console, and is it possible to do so through the GUI consoles
> that are available?
  
  



Re: [Bacula-users] Question about Bacula tape handling.

2005-10-18 Thread Erik P. Olsen
On Thu, 2005-10-13 at 11:28 +0200, Erik P. Olsen wrote:
> On Tue, 2005-10-11 at 09:56 +0200, Kern Sibbald wrote:
> > On Tuesday 11 October 2005 09:06, Erik P. Olsen wrote:
> > > How does Bacula handle foreign tapes? I am currently using Amanda for
> > > back-up but planning to switch to Bacula and sometimes I erroneously
> > > leave an Amanda labeled tape in the tape drive. I see the error when
> > > Bacula complains about the tape and pull it out, but later when Amanda
> > > recycles the tape it cannot read it and reports i/o error.
> > > dd if=/dev/nst0 cannot read it either and the only way to recover the
> > > tape is to erase it and relabel.
> > >
> > > Shouldn't Bacula leave the tape untouched when it sees that it does not
> > > carry the correct Bacula label?
> >
> > Unless you have setup for Bacula to automatically label tape (or explicitly
> > do a label command), Bacula will not write to a non-Bacula tape.
>
> No, I don't have automatic labeling specified and haven't issued any
> label command.
>
> > However, depending on what version of Bacula you are running, it will
> > automatically modify your tape drive parameters (variable blocksize, ...)
> > to be compatible with how Bacula uses tapes.  If you subsequently try to
> > use the drive and the program is expecting a different mode (fixed
> > blocksize, ...) it will fail.
>
> This sounds possible, but a closer investigation proves that it cannot
> be the case. I have stopped the bacula tests for a couple of days and
> today a tape showed the same i/o error symptom and only amanda has used
> the tape drive the last three times it was used, so drive settings
> should be OK.
>
> I get the following using dd on the tape:
>
> [EMAIL PROTECTED] ~]$ dd if=/dev/nst0
> dd: reading `/dev/nst0': Input/output error
> 0+0 records in
> 0+0 records out
>
> My conclusion is that since I only use bacula and amanda with the tape
> drive then bacula has indeed caused the failure (it can hardly be dd or
> mt). My experience with tapes comes from mainframes and there this type
> of error would occur with a variable blocked tape where the block size
> or record size was wrongly recorded on the tape. Could that be the case
> here?

Replying to myself! I have now seen that this conclusion is wrong. I
haven't been testing Bacula for quite some time and yet the tape error
has again shown its ugly face. Perhaps it's a hardware problem? Anyway,
I apologise for having accused Bacula for this problem and I shan't
bother this mailing list with this tape problem anymore.

-- 
Regards,
Erik P. Olsen





Re: [Bacula-users] Question about Bacula tape handling.

2005-10-13 Thread Erik P. Olsen
On Tue, 2005-10-11 at 09:56 +0200, Kern Sibbald wrote:
> On Tuesday 11 October 2005 09:06, Erik P. Olsen wrote:
> > How does Bacula handle foreign tapes? I am currently using Amanda for
> > back-up but planning to switch to Bacula and sometimes I erroneously
> > leave an Amanda labeled tape in the tape drive. I see the error when
> > Bacula complains about the tape and pull it out, but later when Amanda
> > recycles the tape it cannot read it and reports i/o error.
> > dd if=/dev/nst0 cannot read it either and the only way to recover the
> > tape is to erase it and relabel.
> >
> > Shouldn't Bacula leave the tape untouched when it sees that it does not
> > carry the correct Bacula label?
>
> Unless you have setup for Bacula to automatically label tape (or explicitly
> do a label command), Bacula will not write to a non-Bacula tape.

No, I don't have automatic labeling specified and haven't issued any
label command.

> However, depending on what version of Bacula you are running, it will
> automatically modify your tape drive parameters (variable blocksize, ...) to
> be compatible with how Bacula uses tapes.  If you subsequently try to use the
> drive and the program is expecting a different mode (fixed blocksize, ...) it
> will fail.

This sounds possible, but a closer investigation proves that it cannot
be the case. I have stopped the bacula tests for a couple of days and
today a tape showed the same i/o error symptom and only amanda has used
the tape drive the last three times it was used, so drive settings
should be OK.

I get the following using dd on the tape:

[EMAIL PROTECTED] ~]$ dd if=/dev/nst0
dd: reading `/dev/nst0': Input/output error
0+0 records in
0+0 records out

My conclusion is that since I only use bacula and amanda with the tape
drive then bacula has indeed caused the failure (it can hardly be dd or
mt). My experience with tapes comes from mainframes and there this type
of error would occur with a variable blocked tape where the block size
or record size was wrongly recorded on the tape. Could that be the case
here?

-- 
Regards,
Erik P. Olsen





[Bacula-users] Question about Bacula tape handling.

2005-10-11 Thread Erik P. Olsen
How does Bacula handle foreign tapes? I am currently using Amanda for
back-up but planning to switch to Bacula and sometimes I erroneously
leave an Amanda labeled tape in the tape drive. I see the error when
Bacula complains about the tape and pull it out, but later when Amanda
recycles the tape it cannot read it and reports i/o error. 
dd if=/dev/nst0 cannot read it either and the only way to recover the
tape is to erase it and relabel.

Shouldn't Bacula leave the tape untouched when it sees that it does not
carry the correct Bacula label?

-- 
Regards,
Erik P. Olsen





Re: [Bacula-users] Question about Bacula tape handling.

2005-10-11 Thread Florian Schnabel

Erik P. Olsen wrote:

> How does Bacula handle foreign tapes? I am currently using Amanda for
> back-up but planning to switch to Bacula and sometimes I erroneously
> leave an Amanda labeled tape in the tape drive. I see the error when
> Bacula complains about the tape and pull it out, but later when Amanda
> recycles the tape it cannot read it and reports i/o error.
> dd if=/dev/nst0 cannot read it either and the only way to recover the
> tape is to erase it and relabel.
>
> Shouldn't Bacula leave the tape untouched when it sees that it does not
> carry the correct Bacula label?



that depends on your settings ...
there is an auto label option you know ..

Florian




Re: [Bacula-users] Question about Bacula tape handling.

2005-10-11 Thread Kern Sibbald
On Tuesday 11 October 2005 09:06, Erik P. Olsen wrote:
> How does Bacula handle foreign tapes? I am currently using Amanda for
> back-up but planning to switch to Bacula and sometimes I erroneously
> leave an Amanda labeled tape in the tape drive. I see the error when
> Bacula complains about the tape and pull it out, but later when Amanda
> recycles the tape it cannot read it and reports i/o error.
> dd if=/dev/nst0 cannot read it either and the only way to recover the
> tape is to erase it and relabel.
>
> Shouldn't Bacula leave the tape untouched when it sees that it does not
> carry the correct Bacula label?

Unless you have setup for Bacula to automatically label tape (or explicitly do 
a label command), Bacula will not write to a non-Bacula tape.

However, depending on what version of Bacula you are running, it will 
automatically modify your tape drive parameters (variable blocksize, ...) to 
be compatible with how Bacula uses tapes.  If you subsequently try to use the 
drive and the program is expecting a different mode (fixed blocksize, ...) it 
will fail.

-- 
Best regards,

Kern

  (
  /\
  V_V

