Bacula-users

Re: [Bacula-users] disaster recovery with data encryption

2008-04-21 14:22:40
Subject: Re: [Bacula-users] disaster recovery with data encryption
From: Arno Lehmann <al AT its-lehmann DOT de>
To: bacula-users AT lists.sourceforge DOT net
Date: Mon, 21 Apr 2008 20:22:05 +0200
Hi,

21.04.2008 19:05, Jon Amundsen wrote:
> Landon,
> 
> After searching through the list archives I came across this thread
> from last May. I'm having a similar issue with the 'fd' where it will
> crash after I attempt a redirected restore of an encrypted file using
> the master key.
> 
> Here is a tail of the output with a couple names edited for confidentiality:

You should report which version of Bacula you're using, which OS, 
which OpenSSL and the corresponding configuration and file system 
entries (like, which certificate / key files you include, how their 
metadata is set up - "ls -l /path/to/file" - and which user the FD 
runs as). Hopefully, then, Landon doesn't have to ask for that 
information himself :-)

Arno

> fd restore.c:1101 Flush write 34351 bytes, JobBytes=362031
> fd restore.c:839 Could not find a valid public key for signature on
> /mnt/database/bacula_restores/etc/services
> Kaboom! bacula-fd, fd got signal 11. Attempting traceback.
> Kaboom! exepath=/usr/sbin
> Calling: /usr/sbin/btraceback /usr/sbin/bacula-fd 11254
> Traceback complete, attempting cleanup ...
> fd: pythonlib.c:237 No startup module.
> 
> Unfortunately putting the "PKI Signatures = no" in the config file of
> the 'fd' where I'm redirecting the restore to does not seem to solve
> the problem.  I can copy the original fd's key pair over to the host
> where I'm redirecting the output and everything works fine.
> 
> Has there been any movement on this issue?  Something that stops the
> daemon from crashing and allows the restore to continue in an
> emergency?
> 
> Regards,
> 
> Jon Amundsen
> jamundsen AT gmail DOT com
> 
> 
> Massano,
> 
> Thanks for the debugging output, it's exactly what's needed. The
> crash-causing logic error was already fixed in subversion by Kern,
> and I believe a release is planned soon; as a temporary work-around,
> you can set "PKI Signatures = no" in the configuration file when
> doing the emergency restore.
> 
> The "Could not find a valid public key for signature" message is
> expected -- the signatures are created using available signing keys,
> and your signing public key is no longer available to Bacula. Since
> the master private key is not available at encryption time, the files
> are not signed with it. This should obviously not cause a crash, though.
> 
> I eventually intend on implementing HMAC signing -- in addition to
> being much faster, it will allow any valid decryption key to verify
> the signature, regardless of public key availability.
> 
> -landonf
> 
> On May 11, 2007, at 8:32 AM, massano jerome wrote:
> 
>> Here is the output of the debug (followed the instructions in the manual
>> to get more debugging info):
>>
>>
>> sme-fd: bnet.c:1154 who=client host=192.168.0.1 port=36387
>> [New Thread -1211208784 (LWP 4619)]
>> sme-fd: find.c:81 init_find_files ff=8e528e0
>> sme-fd: job.c:232 <dird: Hello Director nec-dir calling
>> sme-fd: job.c:248 Executing Hello command.
>> sme-fd: job.c:351 Calling Authenticate
>> sme-fd: cram-md5.c:71 send: auth cram-md5
>> <1352298699.1178897275 <at> sme-fd>
>> ssl=0
>> sme-fd: cram-md5.c:131 cram-get: auth cram-md5
>> <446678098.1178897276 <at> nec-dir> ssl=0
>> sme-fd: cram-md5.c:150 sending resp to challenge: bEU/R4lTp/+WMm+N/i
>> +saA
>> sme-fd: job.c:355 OK Authenticate
>> sme-fd: job.c:232 <dird: JobId=401 Job=RestoreFiles.
>> 2007-05-11_17.27.53
>> SDid=28 SDtime=1178874819
>> Authorization=OEFH-DFHP-ABNJ-OJEH-KLNL-LBOF-FPNC-IONP
>> sme-fd: job.c:248 Executing JobId= command.
>> sme-fd: job.c:449 JobId=401 Auth=OEFH-DFHP-ABNJ-OJEH-KLNL-LBOF-FPNC-
>> IONP
>> sme-fd: job.c:232 <dird: storage address=192.168.0.1 port=9103 ssl=0
>> sme-fd: job.c:248 Executing storage command.
>> sme-fd: job.c:1253 StorageCmd: storage address=192.168.0.1 port=9103
>> ssl=0
>> sme-fd: job.c:1259 Open storage: 192.168.0.1:9103 ssl=0
>> sme-fd: bnet.c:792 Current host[ipv4:192.168.0.1:9103] All
>> host[ipv4:192.168.0.1:9103]
>> sme-fd: bnet.c:1154 who=Storage daemon host=192.168.0.1 port=9103
>> sme-fd: job.c:1271 Connection OK to SD.
>> sme-fd: cram-md5.c:131 cram-get: auth cram-md5
>> <877297817.1178897276 <at> nec-sd> ssl=0
>> sme-fd: cram-md5.c:150 sending resp to challenge: Hj/7R/+Gu6/TOTVfP1
>> +SfC
>> sme-fd: cram-md5.c:78 send: auth cram-md5
>> <1036016859.1178897276 <at> sme-fd>
>> ssl=0
>> sme-fd: cram-md5.c:97 Authenticate OK 62/xH8NSmS4n165Ilg+/SC
>> sme-fd: job.c:1280 Authenticated with SD.
>> sme-fd: job.c:232 <dird: bootstrap
>> sme-fd: job.c:248 Executing bootstrap command.
>> sme-fd: job.c:1106 filed<dird: bootstrap file Volume="Vol0098"
>>
>> sme-fd: job.c:1106 filed<dird: bootstrap file MediaType="File"
>>
>> sme-fd: job.c:1106 filed<dird: bootstrap file Device="FileStorage"
>>
>> sme-fd: job.c:1106 filed<dird: bootstrap file VolSessionId=27
>>
>> sme-fd: job.c:1106 filed<dird: bootstrap file
>> VolSessionTime=1178874819
>>
>> sme-fd: job.c:1106 filed<dird: bootstrap file VolFile=0
>>
>> sme-fd: job.c:1106 filed<dird: bootstrap file VolBlock=185-45743481
>>
>> sme-fd: job.c:1106 filed<dird: bootstrap file FileIndex=1-2853
>>
>> sme-fd: job.c:1106 filed<dird: bootstrap file Count=2853
>>
>> sme-fd: job.c:232 <dird: restore replace=a prelinks=0
>> where=/tmp/bacula-restoressme-fd: job.c:248 Executing restore command.
>> sme-fd: job.c:1578 restore command
>> sme-fd: job.c:1596 Got replace a, where=/tmp/bacula-restores
>> sme-fd: job.c:1604 bfiled>dird: 2000 OK restore
>> sme-fd: job.c:1669 VolSessId=28 VolsessT=1178874819 SF=0 EF=0
>> sme-fd: job.c:1670 JobId=401 vol=DummyVolume
>> sme-fd: job.c:1677 >stored: read open session = DummyVolume 28
>> 1178874819 0 0 0 0
>> sme-fd: job.c:1683 bfiled<stored: 3000 OK open ticket = 28
>> sme-fd: job.c:1688 bfiled: got Ticket=28
>> sme-fd: job.c:1745 3000 OK bootstrap
>> sme-fd: job.c:1702 >stored: read data 28
>> sme-fd: job.c:1745 3000 OK data
>> sme-fd: restore.c:248 Got hdr: Files=0 FilInx=1 Stream=1, File
>> attributes.
>> sme-fd: restore.c:260 Got stream: File attributes len=96 extract=0
>> sme-fd: restore.c:343 File /home/httpd/html/horde/index.php
>> attrib=P0A FHYC IGk B A A A 59 BAA I BGRImB BEy5GP BGRD8F A A U
>> attribsEx=
>> sme-fd: restore.c:361
>> Outfile=/tmp/bacula-restores/home/httpd/html/horde/index.php
>> sme-fd: create_file.c:88 type=3 newmode=81a4
>> file=/tmp/bacula-restores/home/httpd/html/horde/index.php
>> sme-fd: create_file.c:186 Make
>> path /tmp/bacula-restores/home/httpd/html/horde
>> sme-fd: create_file.c:205 Create
>> file /tmp/bacula-restores/home/httpd/html/horde/index.php
>> sme-fd: create_file.c:210 Create
>> file: /tmp/bacula-restores/home/httpd/html/horde/index.php
>> (no debugging symbols found)
>> sme-fd: attr.c:243 -rw-r--r-- 1 root root 3709
>> 2007-05-11
>> 12:01:41 /tmp/bacula-restores/home/httpd/html/horde/index.php
>> sme-fd: restore.c:248 Got hdr: Files=1 FilInx=1 Stream=22, 22.
>> sme-fd: restore.c:260 Got stream: 22 len=640 extract=1
>> sme-fd: restore.c:248 Got hdr: Files=1 FilInx=1 Stream=20, Encrypted
>> File data.
>> sme-fd: restore.c:260 Got stream: Encrypted File data len=3712
>> extract=1
>> sme-fd: restore.c:975 decrypted len=3696 encrypted len=3712
>> sme-fd: restore.c:248 Got hdr: Files=1 FilInx=1 Stream=20, Encrypted
>> File data.
>> sme-fd: restore.c:260 Got stream: Encrypted File data len=16 extract=1
>> sme-fd: restore.c:975 decrypted len=16 encrypted len=16
>> sme-fd: restore.c:248 Got hdr: Files=1 FilInx=1 Stream=19, Signed
>> digest.
>> sme-fd: restore.c:260 Got stream: Signed digest len=318 extract=1
>> sme-fd: restore.c:248 Got hdr: Files=1 FilInx=2 Stream=1, File
>> attributes.
>> sme-fd: restore.c:260 Got stream: File attributes len=108 extract=1
>> sme-fd: restore.c:1059 Flush decrypt len=1 buf_len=3712
>> sme-fd: restore.c:1072 Encryption writing full block, 3709 bytes,
>> remaining 0 bytes in buffer
>> sme-fd: restore.c:1096 Call store_data
>> sme-fd: restore.c:1101 Flush write 3709 bytes, JobBytes=3709
>> sme-fd: restore.c:839 Could not find a valid public key for signature
>> on /tmp/bacula-restores/home/httpd/html/horde/index.php
>>
>> Program received signal SIGSEGV, Segmentation fault.
>> [Switching to Thread -1211208784 (LWP 4619)]
>> 0x001d748e in EVP_MD_CTX_cleanup () from /lib/libcrypto.so.4
>> (gdb)
>>
>>
>>
>> Hope that can help...
>> why does it say it could not find a valid public key ? The job I am
>> trying to restore was backed up with this master key (maybe the master
>> key was not taken ?)
>>
>>
>>
>>
>> On Friday, 11 May 2007 at 15:59 +0200, massano jerome wrote:
>>> Last info about my problem : after a failed restore (with the master
>>> keypair), the File Daemon is shut down.
>>>
>>> On Friday, 11 May 2007 at 15:34 +0200, massano jerome wrote:
>>>> Just more info that could help: Bacula 2.0.3 compiled from sources on a
>>>> SMEserver (linux distribution based on CentOS) with Mysql.
>>>>
>>>> On Friday, 11 May 2007 at 15:26 +0200, massano jerome wrote:
>>>>> Hello. Thank you for your answer.
>>>>>
>>>>> Ok. I did what you told me, but it doesn't work: here is the output:
>>>>> The messages of the console are in French; I have made a translation of
>>>>> them (between brackets).
>>>>>
>>>>> ----
>>>>> *messages
>>>>> 11-mai 15:09 nec-dir: Start Restore Job RestoreFiles.
>>>>> 2007-05-11_15.09.00
>>>>> *messages
>>>>> 11-mai 15:09 nec-sd: Ready to read from volume "Vol0093" on device
>>>>> "FileStorage" (/tmp).
>>>>> 11-mai 15:09 nec-sd: Forward spacing Volume "Vol0093" to file:block
>>>>> 0:185.
>>>>> 11-mai 15:09 nec-dir: RestoreFiles.2007-05-11_15.09.00 Fatal error:
>>>>> Network error with FD during Restore: ERR=Aucune donnée
>>>>> disponible (No
>>>>> data available)
>>>>> 11-mai 15:09 nec-sd: RestoreFiles.2007-05-11_15.09.00 Fatal error:
>>>>> read.c:139 Error sending to File daemon. ERR=Connexion ré-
>>>>> initialisée
>>>>> par le correspondant (Connection reset by peer)
>>>>> 11-mai 15:09 nec-sd: RestoreFiles.2007-05-11_15.09.00 Error:
>>>>> bnet.c:439
>>>>> Write error sending 14384 bytes to client:192.168.0.4:36643:
>>>>> ERR=Connexion ré-initialisée par le correspondant (Connection
>>>>> reset by
>>>>> peer)
>>>>> 11-mai 15:09 nec-dir: RestoreFiles.2007-05-11_15.09.00 Fatal
>>>>> error: No
>>>>> Job status returned from FD.
>>>>> 11-mai 15:09 nec-dir: RestoreFiles.2007-05-11_15.09.00 Error:
>>>>> Bacula
>>>>> 2.0.3 (06Mar07): 11-mai-2007 15:09:03
>>>>> JobId: 388
>>>>> Job: RestoreFiles.2007-05-11_15.09.00
>>>>> Client: sme-fd
>>>>> Start time: 11-mai-2007 15:09:02
>>>>> End time: 11-mai-2007 15:09:03
>>>>> Files Expected: 50,388
>>>>> Files Restored: 0
>>>>> Bytes Restored: 0
>>>>> Rate: 0.0 KB/s
>>>>> FD Errors: 0
>>>>> FD termination status: Error
>>>>> SD termination status: Error
>>>>> Termination: *** Restore Error ***
>>>>>
>>>>> 11-mai 15:09 nec-dir: Begin pruning Jobs.
>>>>> 11-mai 15:09 nec-dir: No Jobs found to prune.
>>>>> 11-mai 15:09 nec-dir: Begin pruning Files.
>>>>> 11-mai 15:09 nec-dir: No Files found to prune.
>>>>> 11-mai 15:09 nec-dir: End auto prune.
>>>>>
>>>>> ----
>>>>>
>>>>> It works perfectly when I use the original keypair.
>>>>> Can anyone see where the problem comes from ?
>>>>>
>>>>>
>>>>>
>>>>> On Thursday, 10 May 2007 at 21:34 -0700, Landon Fuller wrote:
>>>>>> On May 10, 2007, at 4:51 AM, massano jerome wrote:
>>>>>>
>>>>>>> On Thursday, 10 May 2007 at 12:01 +0200, Kern Sibbald wrote:
>>>>>>>> On Thursday 10 May 2007 11:14, massano jerome wrote:
>>>>>>>>> Hello.
>>>>>>>>> I know this kind of mail is supposed to be sent on the user list, but
>>>>>>>>> I've asked for it 3 times, and nobody could answer me. Maybe somebody in
>>>>>>>>> the dev list can help me ?
>>>>>>>> Maybe you didn't get an answer because it is rather obvious. If
>>>>>>>> you encrypt
>>>>>>>> something with an encryption key, you must make a secure non-
>>>>>>>> encrypted copy
>>>>>>>> of the encryption key, or use the master key, which is to the
>>>>>>>> best
>>>>>>>> of my
>>>>>>>> knowledge documented (at least a number of users are using it).
>>>>>>>>
>>>>>>>> When you figure out how to do it, please let us know.
>>>>>>>>
>>>>>>> This is what I understood. I have made a copy of my master
>>>>>>> key, but in
>>>>>>> the documentation it is not said how I can use the master key to
>>>>>>> recover
>>>>>>> my files. It is only documented how I can create it and use it to
>>>>>>> encrypt, but not how to restore encrypted data. This is why I
>>>>>>> sent
>>>>>>> it to
>>>>>>> the list (I read the documentation BEFORE sending ^^). So if
>>>>>>> somebody
>>>>>>> can tell me how to use my Master Key to restore previously
>>>>>>> encrypted
>>>>>>> backups...
>>>>>> It is preferable to retain a secure, non-encrypted copy of the
>>>>>> client's own encryption keypair. However, should you lose the
>>>>>> client's keypair, recovery with the master keypair is possible.
>>>>>>
>>>>>> You must:
>>>>>> 1) Concatenate the master private and public key into a single
>>>>>> keypair file, ie:
>>>>>> cat master.key master.cert >master.keypair
>>>>>>
>>>>>> 2) Set the PKI Keypair statement in your bacula configuration
>>>>>> file:
>>>>>> PKI Keypair = master.keypair
>>>>>>
>>>>>> 3) Start the restore. The master keypair will be used to
>>>>>> decrypt the
>>>>>> file data.
>>>>>>
>>>>>> -landonf
>>>>>
>>>>> -------------------------------------------------------------------
> 
> -------------------------------------------------------------------------
> This SF.net email is sponsored by the 2008 JavaOne(SM) Conference 
> Don't miss this year's exciting event. There's still time to save $100. 
> Use priority code J8TL2D2. 
> http://ad.doubleclick.net/clk;198757673;13503038;p?http://java.sun.com/javaone
> _______________________________________________
> Bacula-users mailing list
> Bacula-users AT lists.sourceforge DOT net
> https://lists.sourceforge.net/lists/listinfo/bacula-users
> 

-- 
Arno Lehmann
IT-Service Lehmann
www.its-lehmann.de
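
The pre-flight check below is an added example, not part of the original thread and not Bacula code: it validates a master.keypair file built with the "cat master.key master.cert" step quoted above and prints the file metadata and OpenSSL version requested in the reply. The function name check_keypair, its return codes and the script name are assumptions of this example.

```shell
#!/bin/sh
# Added example: pre-flight check for a Bacula "PKI Keypair" file built with
#   cat master.key master.cert >master.keypair
# Return codes (convention of this example, not Bacula's):
#   0 ok | 1 unreadable | 2 PEM block missing | 3 mode too open | 4 key/cert mismatch

check_keypair() {
    kp_file=$1
    [ -r "$kp_file" ] || { echo "cannot read $kp_file" >&2; return 1; }

    # Both halves must be present: the private key and its certificate.
    grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$kp_file" ||
        { echo "no private key block in $kp_file" >&2; return 2; }
    grep -q -e '-----BEGIN CERTIFICATE-----' "$kp_file" ||
        { echo "no certificate block in $kp_file" >&2; return 2; }

    # Characters 5-10 of the "ls -l" mode string are the group/other bits;
    # an unencrypted master private key should grant them nothing.
    kp_mode=$(ls -ld -- "$kp_file" | cut -c5-10)
    [ "$kp_mode" = "------" ] ||
        { echo "group/other access on $kp_file: $kp_mode" >&2; return 3; }

    # The public key derived from the private key must equal the public key
    # embedded in the certificate, otherwise the two files were mismatched.
    kp_key=$(openssl pkey -in "$kp_file" -passin pass: -pubout 2>/dev/null) || kp_key=""
    kp_crt=$(openssl x509 -in "$kp_file" -noout -pubkey 2>/dev/null) || kp_crt=""
    if [ -z "$kp_key" ] || [ "$kp_key" != "$kp_crt" ]; then
        echo "private key and certificate in $kp_file do not match" >&2
        return 4
    fi

    # Details worth pasting into a list report alongside "ls -l".
    openssl version
    ls -l -- "$kp_file"
    openssl x509 -in "$kp_file" -noout -subject -enddate
    return 0
}

# Usage: sh check_keypair.sh /path/to/master.keypair
if [ "$#" -gt 0 ]; then
    check_keypair "$1"
fi
```

Run it as the same user the File Daemon runs as, so that the readability check reflects what bacula-fd will actually see.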
