Amanda-Users

RE: Troubleshooting new Amanda client: Amanda user?

2007-06-26 11:18:33
Subject: RE: Troubleshooting new Amanda client: Amanda user?
From: "Zembower, Kevin" <kzembowe AT jhuccp DOT org>
To: <amanda-users AT amanda DOT org>
Date: Tue, 26 Jun 2007 10:38:33 -0400
Kevin, thanks so much. You were right on the money. Disabling the
firewall completely allowed amcheck to work correctly.

If you have some additional patience, I could use a hand trying to
configure the firewall rules correctly on my amanda client. I tried to
follow the directions at
http://wiki.zmanda.com/index.php/How_To:Set_Up_iptables_for_Amanda to
set up this rule on tobaccodev, my amanda client. This combines the
amanda rule with the rules I set up using the firewall GUI in CentOS5
(RHEL5):
[root@tobaccodev ~]# iptables -t filter -I INPUT 1 -p udp -m udp -s centernet.jhuccp.org --dport 10080:10083 -j ACCEPT
[root@tobaccodev ~]# service iptables status
Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     udp  --  10.253.192.205       0.0.0.0/0           udp dpts:10080:10083
2    RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain RH-Firewall-1-INPUT (2 references)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 255
3    ACCEPT     esp  --  0.0.0.0/0            0.0.0.0/0
4    ACCEPT     ah   --  0.0.0.0/0            0.0.0.0/0
5    ACCEPT     udp  --  0.0.0.0/0            224.0.0.251         udp dpt:5353
6    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:631
7    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:631
8    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
9    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:21
10   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:25
11   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
12   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:443
13   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:23
14   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80
15   REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Here's an example of a no-error 'amcheck -c DBackup tobaccodev' from the
tapeserver:

[root@tobaccodev ~]# tcpdump -nn src or dst centernet and port amanda
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
10:28:58.190591 IP 10.253.192.205.854 > 10.253.192.217.10080: UDP, length 123
10:28:58.210814 IP 10.253.192.217.10080 > 10.253.192.205.854: UDP, length 50
10:28:58.212936 IP 10.253.192.217.10080 > 10.253.192.205.854: UDP, length 87
10:28:58.214318 IP 10.253.192.205.854 > 10.253.192.217.10080: UDP, length 50
10:28:58.216532 IP 10.253.192.205.854 > 10.253.192.217.10080: UDP, length 299
10:28:58.223632 IP 10.253.192.217.10080 > 10.253.192.205.854: UDP, length 50
10:28:58.233581 IP 10.253.192.217.10080 > 10.253.192.205.854: UDP, length 527
10:28:58.235018 IP 10.253.192.205.854 > 10.253.192.217.10080: UDP, length 50

8 packets captured
20 packets received by filter
0 packets dropped by kernel
[root@tobaccodev ~]#

I had to insert the rule to allow amanda packets in _before_ the
RH-Firewall-1-INPUT rule to make it work. This tests correctly with
amcheck, but I haven't tried an actual dump yet.

If someone with some amanda firewall rule writing experience could check
and confirm my work, I'll write an addendum to the Zmanda article with my
example, for other CentOS and RHEL users.

Thanks, again, Kevin, for your advice and suggestions.

-Kevin 

-----Original Message-----
From: owner-amanda-users AT amanda DOT org
[mailto:owner-amanda-users AT amanda DOT org] On Behalf Of Kevin Till
Sent: Friday, June 22, 2007 5:33 PM
Cc: amanda-users AT amanda DOT org
Subject: Re: Troubleshooting new Amanda client: Amanda user?

Zembower, Kevin wrote:
> Kevin, thanks so much for writing. I appreciate your suggestions and
> questions.
> 
> Here's /etc/xinet.d/amanda:
> 
> [root@tobaccodev ~]# cat /etc/xinetd.d/amanda 
> # default: off
> # description:  The client for the Amanda backup system.\
> #               This must be on for systems being backed up\
> #               by Amanda.
> 
> service amanda
> {
>         socket_type             = dgram
>         protocol                = udp
>         wait                    = yes
>         user                    = amanda
>         group                   = disk
>         server                  = /usr/lib/amanda/amandad 
>         disable                 = no
> }
> [root@tobaccodev ~]#
> 
> No 'auth' seems to be indicated.

It's running the default, bsd.

> 
> The disklist entry for the 'tobaccodev' host on the tapehost is:
> 
> backup@cn2:~$ grep tobaccodev /etc/amanda/DBackup/disklist
> # tobaccodev host
> # Uncomment when internal DNS set up for tobaccodev
> tobaccodev      /dev/mapper/VolGroup00-LogVol00 tar     #tobaccodev: /
> tobaccodev      /dev/sda1                       tar     #tobaccodev: /boot
> backup@cn2:~$
> 
> No 'auth' is indicated there, either. The 'tar' dumptype is defined on
> the tapehost with:
> 
> define dumptype global {
>     comment "Global definitions"
>     index yes
> }
> 
> define dumptype tar {
>     global
>     program "GNUTAR"
> }
> 
> Also, something may have just changed because of changes in my
> tobaccodev:~amanda/.amandahosts file, based on suggestions from Gene
> Heskett. This file now reads:
> 
> [root@tobaccodev ~]# cat ~amanda/.amandahosts
> centernet.jhuccp.org backup amdump amindexd amidxtaped
> cn2.jhuccp.org backup amdump amindexd amidxtaped
> [root@tobaccodev ~]#
> 
> This seems to now have caused the amanda log files to be written:
> 
> [root@tobaccodev ~]# ls -la /var/log/amanda/amandad.200706221*
> -rw-r----- 1 amanda disk 2525 Jun 22 14:26 /var/log/amanda/amandad.20070622142641.debug
> -rw-r----- 1 amanda disk 2525 Jun 22 15:02 /var/log/amanda/amandad.20070622150238.debug
> [root@tobaccodev ~]# cat /var/log/amanda/amandad.20070622150238.debug
> amandad: debug 1 pid 8055 ruid 0 euid 33: start at Fri Jun 22 15:02:38 2007
> amandad: version 2.5.0p2
> amandad: build: VERSION="Amanda-2.5.0p2"
> amandad:        BUILT_DATE="Sun Jan 7 04:49:22 EST 2007"
> amandad:        BUILT_MACH="Linux builder5.centos.org 2.6.9-42.0.3.ELsmp #1 SMP Fri Oct 6 06:28:26 CDT 2006 i686 i686 i386 GNU/Linux"
> amandad:        CC="gcc"
> amandad:        CONFIGURE_COMMAND="'./configure'
> '--build=i686-redhat-linux-gnu' '--host=i686-redhat-linux-gnu'
> '--target=i386-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr'
> '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin'
> '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include'
> '--libdir=/usr/lib' '--libexecdir=/usr/lib/amanda'
> '--localstatedir=/var/lib' '--sharedstatedir=/usr/com'
> '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--enable-shared'
> '--disable-static' '--disable-dependency-tracking'
> '--with-index-server=amandahost' '--with-tape-server=amandahost'
> '--with-config=DailySet1'
> '--with-gnutar-listdir=/var/lib/amanda/gnutar-lists'
> '--with-smbclient=/usr/bin/smbclient'
> '--with-dumperdir=/usr/lib/amanda/dumperdir' '--with-amandahosts'
> '--with-user=amanda' '--with-group=disk' '--with-tmpdir=/var/log/amanda'
> '--with-gnutar=/bin/tar' '--with-ssh-security'"
> amandad: paths: bindir="/usr/bin" sbindir="/usr/sbin"
> amandad:        libexecdir="/usr/lib/amanda" mandir="/usr/share/man"
> amandad:        AMANDA_TMPDIR="/var/log/amanda"
> amandad:        AMANDA_DBGDIR="/var/log/amanda" CONFIG_DIR="/etc/amanda"
> amandad:        DEV_PREFIX="/dev/" RDEV_PREFIX="/dev/r"
> amandad:        DUMP="/sbin/dump" RESTORE="/sbin/restore" VDUMP=UNDEF
> amandad:        VRESTORE=UNDEF XFSDUMP=UNDEF XFSRESTORE=UNDEF VXDUMP=UNDEF
> amandad:        VXRESTORE=UNDEF SAMBA_CLIENT="/usr/bin/smbclient"
> amandad:        GNUTAR="/bin/tar" COMPRESS_PATH="/bin/gzip"
> amandad:        UNCOMPRESS_PATH="/bin/gzip" LPRCMD="/usr/bin/lpr"
> amandad:        MAILER="/usr/bin/Mail"
> amandad:        listed_incr_dir="/var/lib/amanda/gnutar-lists"
> amandad: defs:  DEFAULT_SERVER="amandahost" DEFAULT_CONFIG="DailySet1"
> amandad:        DEFAULT_TAPE_SERVER="amandahost"
> amandad:        DEFAULT_TAPE_DEVICE="null:" HAVE_MMAP HAVE_SYSVSHM
> amandad:        LOCKING=POSIX_FCNTL SETPGRP_VOID DEBUG_CODE
> amandad:        AMANDA_DEBUG_DAYS=4 BSD_SECURITY RSH_SECURITY USE_AMANDAHOSTS
> amandad:        CLIENT_LOGIN="amanda" FORCE_USERID HAVE_GZIP
> amandad:        COMPRESS_SUFFIX=".gz" COMPRESS_FAST_OPT="--fast"
> amandad:        COMPRESS_BEST_OPT="--best" UNCOMPRESS_OPT="-dc"
> [root@tobaccodev ~]#
> 
> I'm still getting an error, and this log file doesn't clearly indicate
> to me the source of the problem.
> 

Seems to me the client couldn't connect to the server.
Do you need to instruct iptables to allow OUTPUT traffic on the client?
I would turn off iptables and see if amcheck works.



> -----Original Message-----
> From: Kevin Till [mailto:kevin.till AT zmanda DOT com] 
> Sent: Friday, June 22, 2007 2:17 PM
> To: Zembower, Kevin
> Cc: amanda-users AT amanda DOT org
> Subject: Re: Troubleshooting new Amanda client: Amanda user?
> 
> Zembower, Kevin wrote:
> 
>>I'm trying to get a new Amanda client working with my existing Amanda
>>system. My tapehost is a Debian/GNU 4.0 system named
>>'centernet.jhuccp.org.' It uses 'backup' as the Amanda username. My
>>client is host 'tobaccodev.jhuccp.org' with CentOS 5, using 'amanda' as
>>the Amanda user. The client 'amanda' has a ~/.amandahosts file
>>containing:
>>
>>[root@tobaccodev ~]# cat /var/lib/amanda/.amandahosts
>>centernet.jhuccp.org backup
>>cn2.jhuccp.org backup
>>[root@tobaccodev ~]#
>>
>>I have netstat output showing amanda listening, /etc/xinet.d/amanda with
>>proper (I think) configuration, tcpdump with packets arriving for amanda
>>from centernet, but the tapehost reports:
>>
>>backup@cn2:~$ amcheck -c DBackup tobaccodev
>>
>>Amanda Backup Client Hosts Check
>>--------------------------------
>>WARNING: tobaccodev: selfcheck request failed: timeout waiting for ACK
>>Client check: 1 host checked in 30.019 seconds, 1 problem found
>>
>>(brought to you by Amanda 2.5.1p1)
>>backup@cn2:~$
>>
>>I'm running iptables on tobaccodev, but I set up a firewall rule
>>according to
>>http://wiki.zmanda.com/index.php/How_To:Set_Up_iptables_for_Amanda that
>>I thought should have worked:
>>
>>[root@tobaccodev ~]# iptables -t filter -A INPUT -p udp -m udp -s centernet.jhuccp.org --dport 10080 -j ACCEPT
>>[root@tobaccodev ~]# iptables -L
>>Chain INPUT (policy ACCEPT)
>>target     prot opt source               destination
>>RH-Firewall-1-INPUT  all  --  anywhere             anywhere
>>ACCEPT     udp  --  centernet.jhuccp.org  anywhere            udp dpt:amanda
>><snip>
>>
>>I can't find any Amanda log files on the client tobaccodev.
>>
>>Can anyone point out what I'm doing wrong? Is there any other diagnostic
>>I can run or send in to help troubleshoot this problem?
>>
> 
> 
> What dumptype (in particular, what auth) is used?
> Please list /etc/xinet.d/amanda file.
> 
> Additional auth (bsdtcp, bsdudp) are added to Amanda 2.5.1.
> Please see
> http://wiki.zmanda.com/index.php/Configuring_bsd/bsdudp/bsdtcp_authentication
> 

-- 
Thank you!
Kevin Till

Zmanda Management Console (ZMC) now available at http://zmanda.com
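
Added example (not part of the original messages, and not Amanda or Zmanda code): a small first-match model of the two rule orderings discussed in this thread. It shows why the rule appended with -A after the RH-Firewall-1-INPUT jump never sees the amcheck request, while the rule inserted with -I INPUT 1 does. The RH-Firewall-1-INPUT chain is abbreviated, and the loopback restriction on its first rule is an assumption, since the listing without -v does not show interfaces.

```python
from ipaddress import ip_address, ip_network

ANY = "0.0.0.0/0"
SERVER = "10.253.192.205"  # centernet, as shown in the listing in the message

def rule(target, proto="all", src=ANY, dports=None, iface=None, state=None):
    return dict(target=target, proto=proto, src=src, dports=dports,
                iface=iface, state=state)

# The rule from the thread: UDP 10080-10083 from the tape server only.
AMANDA = rule("ACCEPT", "udp", SERVER + "/32", (10080, 10083))
JUMP = rule("RH-Firewall-1-INPUT")
RH_CHAIN = [  # abbreviated copy of the chain in the message
    rule("ACCEPT", iface="lo"),  # assumption: loopback only (hidden without -v)
    rule("ACCEPT", state={"RELATED", "ESTABLISHED"}),
    rule("ACCEPT", "tcp", dports=(22, 22), state={"NEW"}),
    rule("REJECT"),  # final catch-all, rule 15 in the listing
]

def matches(r, pkt):
    lo, hi = r["dports"] or (0, 65535)
    return (r["proto"] in ("all", pkt["proto"])
            and ip_address(pkt["src"]) in ip_network(r["src"])
            and r["iface"] in (None, pkt["iface"])
            and (r["state"] is None or pkt["state"] in r["state"])
            and lo <= pkt["dport"] <= hi)

def verdict(chains, pkt, name="INPUT"):
    """Walk a chain top-down; the first terminating rule that matches decides."""
    for r in chains[name]:
        if not matches(r, pkt):
            continue
        if r["target"] not in chains:
            return r["target"]
        result = verdict(chains, pkt, r["target"])  # jump into user chain
        if result is not None:
            return result
    return "ACCEPT" if name == "INPUT" else None  # INPUT policy is ACCEPT

def ruleset(input_rules):
    return {"INPUT": input_rules, "RH-Firewall-1-INPUT": RH_CHAIN}

appended = ruleset([JUMP, AMANDA])  # iptables -A INPUT ... (first attempt)
inserted = ruleset([AMANDA, JUMP])  # iptables -I INPUT 1 ... (working setup)

def amcheck_request(src=SERVER, dport=10080):
    # Constructed packet: first UDP datagram of a check, arriving on eth0.
    return dict(proto="udp", src=src, dport=dport, iface="eth0", state="NEW")
```

In this model, a request from any other source address, or to a port outside 10080:10083, still falls through to the final REJECT of RH-Firewall-1-INPUT.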