Hello All,

I have a slight problem. I'm not sure if this is a bug or something I am doing wrong. I have set up my own CA and am using this to sign certificates for our Bacula installation. I am using Bacula Director 2.2.6, and all storage daemons and clients are using this version.
I can enable TLS fine on the client and storage daemon. I am generating a custom-built rpm as we do things slightly differently around here, but when I start up the director it just bombs out. The director info is as follows:

Linux backup-dir-001xxxxx.xxxxx.net 2.6.18-8.1.15.el5 #1 SMP Mon Oct 22 08:32:04 EDT 2007 i686 i686 i386 GNU/Linux
CentOS release 5 (Final)

dmesg | egrep -i "(Intel)|(memory)"
Memory: 3365596k/4194304k available (2043k kernel code, 39276k reserved, 846k data, 232k init, 2488672k highmem)
Intel machine check architecture supported.
Intel machine check reporting enabled on CPU#0.
CPU0: Intel(R) Xeon(R) CPU E5345 @ 2.33GHz stepping 07
Intel machine check architecture supported.
Intel machine check reporting enabled on CPU#1.
CPU1: Intel(R) Xeon(R) CPU E5345 @ 2.33GHz stepping 07
Intel machine check architecture supported.
Intel machine check reporting enabled on CPU#2.
CPU2: Intel(R) Xeon(R) CPU E5345 @ 2.33GHz stepping 07
Intel machine check architecture supported.
Intel machine check reporting enabled on CPU#3.
CPU3: Intel(R) Xeon(R) CPU E5345 @ 2.33GHz stepping 07
Intel machine check architecture supported.
Intel machine check reporting enabled on CPU#4.
CPU4: Intel(R) Xeon(R) CPU E5345 @ 2.33GHz stepping 07
Intel machine check architecture supported.
Intel machine check reporting enabled on CPU#5.
CPU5: Intel(R) Xeon(R) CPU E5345 @ 2.33GHz stepping 07
Intel machine check architecture supported.
Intel machine check reporting enabled on CPU#6.
CPU6: Intel(R) Xeon(R) CPU E5345 @ 2.33GHz stepping 07
Intel machine check architecture supported.
Intel machine check reporting enabled on CPU#7.
CPU7: Intel(R) Xeon(R) CPU E5345 @ 2.33GHz stepping 07
Freeing initrd memory: 1455k freed
Total HugeTLB memory allocated, 0
Non-volatile memory driver v1.2
Freeing unused kernel memory: 232k freed
intel_rng: FWH not detected

It's a pretty heavy-duty server.
The other thing to mention is that when doing a proof of concept of Bacula, TLS did work (I think version ~1.34). But it has taken a while before this has come into production, and this is a bit of an issue. I might be missing a very obvious thing; I hope the information I have provided below is enough. If you need anything else please let me know.

I have also written a few scripts that, if you want, I'll post up here. One is a tape cleaner of sorts. It's a Perl script that cleans all the tapes in a library (writes end of file using threads, multiple libraries and drives). I'll follow up with that in another email. I also used a script from the examples and slightly modified it for every other month / every other day; basically I made it more flexible and rewrote it using a slightly different method. I'll attach that as well if you want it. If you require the full configuration let me know and I'll email it privately or post it up, depending.

Anyway, I'm building with the following options:

./configure \
  --host=%{_host} \
  --build=%{_build} \
  --target=%{_target} \
  --program-prefix= \
  --enable-smartalloc \
  --enable-batch-insert \
  --enable-conio \
  --disable-build-stored \
  --enable-build-dird \
  --prefix=%{_prefix} \
  --exec-prefix=%{_exec_prefix} \
  --bindir=%{_bindir} \
  --sbindir=%{_sbindir} \
  --sysconfdir=%{_sysconf_dir} \
  --datadir=%{_datadir} \
  --includedir=%{_includedir} \
  --libdir=%{_libdir} \
  --libexecdir=%{_libexecdir} \
  --localstatedir=%{_localstatedir} \
  --mandir=%{_mandir} \
  --infodir=%{_infodir} \
  --prefix=%{_prefix} \
  --with-mysql \
  --with-acl= \
  --with-openssl \
  --with-working-dir=%{_with_working_dir} \
  --with-scriptdir=%{_with_scriptdir} \
  --with-subsys-dir=%{_with_subsysdir} \
  --with-pid-dir=%{_with_piddir} \
  --with-tcp-wrappers= \
  --with-dump-email=%{_emailaddy} \
  --with-job-email=%{_emailaddy} \
  --with-dir-password=%{_with_dir_password} \
  --with-fd-password=%{_with_fd_password} \
  --with-sd-password=%{_with-sd_password} \
  --with-mon-dir-password=%{_with_mon_dir_password} \
  --with-mon-fd-password=%{_with_mon_fd_password} \
  --with-mon-sd-password=%{_with_mon_sd_password} \
  --with-dir-user=%{_b_user} \
  --with-dir-group=%{_b_group} \
  --with-sd-user=%{_b_user} \
  --with-sd-group=%{_s_group} \
  --with-fd-user=%{_b_user} \
  --with-fd-group=%{_b_group}

This is building and working fine. There are 3 different rpms generated (bacula-fd, bacula-sd and bacula-dir, with slightly different spec files).

Once the package is built I have used the following method to generate the keys: http://sial.org/howto/openssl/ca/

I initially was generating everything manually and doing it my own way, but thought that might be the method, so for argument's sake let's say the above method is used. The openssl.cnf has:

[ req ]
default_bits = 2048
default_keyfile = ./private/ca-key.pem
default_md = sha1
prompt = no
distinguished_name = root_ca_distinguished_name

[ root_ca_distinguished_name ]
commonName = Bacula Certificate Authority for xxxxx
countryName = GB
stateOrProvinceName = London
localityName = London
0.organizationName = backup.xxxxx.net
emailAddress = [EMAIL PROTECTED]

[ v3_ca ]
# Extensions for a typical CA
# PKIX recommendation.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
# This is what PKIX recommends but some broken software chokes on critical
# extensions.
#basicConstraints = critical,CA:true
# So we do this instead.
basicConstraints = CA:true

That's the basis for the openssl.cnf. To generate the keys I use:

openssl req -newkey rsa:1024 -nodes -keyout backup-dir-001.xxxx.xxxx.net.pem -out backup-dir-001.xxxx.xxxx.net.csr -days 3650

and use make sign to sign it, using the makefile from the site mentioned above.
Right, this generates the signed certificate. Then inside the director (Director stanza):

TLS Allowed CN = "Bacula Certificate Authority for xxxxx"
TLS Allowed CN = "backup.xxxxx.net"
TLS Allowed CN = "kickstart"
TLS Allowed CN = "backup-dir-fd"
TLS Allowed CN = "backup-dir-001"
TLS CA Certificate File = "/path/to/key/ca-cert.pem"
TLS Certificate = "/path/to/key/backup-dir-001.backup.xxxxx.net.cert"
TLS Key = "/path/to/key/backup-dir-001.backup.xxxxx.net.pem"

Once this has been set up, if I restart Bacula I get the following (only the above has been enabled, none of the rest to deal with the file daemons and storage daemons):

etc/init.d/bacula-2.2.6-dir restart
Stopping the Bacula Director daemon
Starting the Bacula Director daemon
07-Jan 20:15 bacula-dir: Fatal Error because:
Bacula interrupted by signal 11: Segmentation violation
Kaboom! bacula-dir, bacula-dir got signal 11 - Segmentation violation. Attempting traceback.
Kaboom! exepath=/opt/bacula-2.2.6-dir/etc
Calling: /opt/bacula-2.2.6-dir/etc/btraceback /opt/bacula-2.2.6-dir/etc/bacula-dir 25424
Traceback complete, attempting cleanup ...
Orphaned buffer: bacula-dir 16 bytes buf=9514448 allocated at tls.c:124

I have tried recompiling with different versions of OpenSSL and it has made no difference. The FD and SD work with no problems, so maybe there is something I am missing here, or is this a genuine bug? The traceback is as follows:

/opt/bacula-2.2.6-dir/etc/bacula-dir: No such file or directory.
Using host libthread_db library "/lib/libthread_db.so.1".
[Thread debugging using libthread_db enabled]
[New Thread -1208875312 (LWP 25480)]
0x00b28402 in __kernel_vsyscall ()
$1 = "bacula-dir", '\0' <repeats 19 times>
$2 = 0x88368a8 "bacula-dir"
$3 = 0x88368d0 "/opt/bacula-2.2.6-dir/etc/bacula-dir"
$4 = 0x0
$5 = 0x814d3fd "2.2.6 (10 November 2007)"
$6 = 0x8133ce7 "i686-redhat-linux-gnu"
$7 = 0x8133ce0 "redhat"
$8 = 0x813c518 ""
#0  0x00b28402 in __kernel_vsyscall ()
#1  0x00225c33 in __waitpid_nocancel () from /lib/libpthread.so.0
#2  0x080b96dd in signal_handler (sig=11) at signal.c:167
#3  <signal handler called>
#4  0x0091e0a0 in EVP_PKEY_copy_parameters () from /lib/libcrypto.so.6
#5  0x00ac726e in SSL_use_certificate () from /lib/libssl.so.6
#6  0x00ac75d4 in SSL_CTX_use_PrivateKey_file () from /lib/libssl.so.6
#7  0x080bb7b4 in new_tls_context (ca_certfile=0x8838588 "/opt/bacula/keys/ca-cert.pem", ca_certdir=0x0, certfile=0x88385c8 "/opt/bacula/keys/backup-dir-001.backup.xxxx.xxxx.cert", keyfile=0x8838620 "/opt/bacula/keys/backup-dir-001.backup.xxxx.xxxx.pem", pem_callback=0, pem_userdata=0x0, dhfile=0x0, verify_peer=true) at tls.c:174
#8  0x08052601 in check_resources () at dird.c:599
#9  0x08052efb in main (argc=0, argv=0xbfc2fe64) at dird.c:227
#10 0x00549dec in __libc_start_main () from /lib/libc.so.6
#11 0x08050f61 in _start ()

Thread 1 (Thread -1208875312 (LWP 25480)):
#0  0x00b28402 in __kernel_vsyscall ()
#1  0x00225c33 in __waitpid_nocancel () from /lib/libpthread.so.0
#2  0x080b96dd in signal_handler (sig=11) at signal.c:167
#3  <signal handler called>
#4  0x0091e0a0 in EVP_PKEY_copy_parameters () from /lib/libcrypto.so.6
#5  0x00ac726e in SSL_use_certificate () from /lib/libssl.so.6
#6  0x00ac75d4 in SSL_CTX_use_PrivateKey_file () from /lib/libssl.so.6
#7  0x080bb7b4 in new_tls_context (ca_certfile=0x8838588 "/opt/bacula/keys/ca-cert.pem", ca_certdir=0x0, certfile=0x88385c8 "/opt/bacula/keys/backup-dir-001.xxxxx.xxxx.net.cert", keyfile=0x8838620 "/opt/bacula/keys/backup-dir-001.xxxxxx.xxxxx.net.pem", pem_callback=0,
    pem_userdata=0x0, dhfile=0x0, verify_peer=true) at tls.c:174
#8  0x08052601 in check_resources () at dird.c:599
#9  0x08052efb in main (argc=0, argv=0xbfc2fe64) at dird.c:227
#10 0x00549dec in __libc_start_main () from /lib/libc.so.6
#11 0x08050f61 in _start ()
#0  0x00b28402 in __kernel_vsyscall ()

#0  0x00b28402 in __kernel_vsyscall ()
No symbol table info available.
#1  0x00225c33 in __waitpid_nocancel () from /lib/libpthread.so.0
No symbol table info available.
#2  0x080b96dd in signal_handler (sig=11) at signal.c:167
167        waitpid(pid, NULL, 0);           /* wait for child to produce dump */
Current language:  auto; currently c++
        sigdefault = {__sigaction_handler = {sa_handler = 0, sa_sigaction = 0}, sa_mask = {__val = {2147483647, 4294967294, 4294967295 <repeats 30 times>}}, sa_flags = 0, sa_restorer = 0x917124 <ERR_get_implementation+1412>}
        buf = "\004??\233\000????????\001\000\000\000#?\230\000??\001\000\000\220??¿\n\000\000\0004\033\233\0004\033\233\000#?\230\000a\227Y\000\021p\221\000(??¿\001\000\000\000#?\230\000??\001\000\000??\001\000\000\000\000\000\000??\006???? \000\000\0004\033\233\0008^e\000\221\002\"\0004\033\233\000\no\230"
        pid = 25481
        exelen = 25
        already_dead = 1
        argv = {0x0, 0x0, 0x0, 0x0}
        pid_buf = "25480", '\0' <repeats 14 times>
        btpath = "/opt/bacula-2.2.6-dir/etc/btraceback", '\0' <repeats 363 times>
#3  <signal handler called>
No symbol table info available.
#4  0x0091e0a0 in EVP_PKEY_copy_parameters () from /lib/libcrypto.so.6
No symbol table info available.
#5  0x00ac726e in SSL_use_certificate () from /lib/libssl.so.6
No symbol table info available.
#6  0x00ac75d4 in SSL_CTX_use_PrivateKey_file () from /lib/libssl.so.6
No symbol table info available.
#7  0x080bb7b4 in new_tls_context (ca_certfile=0x8838588 "/opt/bacula/keys/ca-cert.pem", ca_certdir=0x0, certfile=0x88385c8 "/opt/bacula/keys/backup-dir-001.xxxxx.xxxx.net.cert", keyfile=0x8838620 "/opt/bacula/keys/backup-dir-001.xxxx.xxxx.net.pem", pem_callback=0, pem_userdata=0x0, dhfile=0x0, verify_peer=true) at tls.c:174
174        if (!SSL_CTX_use_PrivateKey_file(ctx->openssl, keyfile, SSL_FILETYPE_PEM)) {
        ctx = (TLS_CONTEXT *) 0x8855448
        bio = <value optimized out>
        dh = <value optimized out>

bacula is a symlink to director, same as bacula-dir.

Thank you in advance,
Vamegh