Frank Sweetser wrote:
> Arno Lehmann wrote:
>
>> Hi,
>>
>> 29.07.2008 12:51, Frank Sweetser wrote:
>>
>>> Arno Lehmann wrote:
>>>
>>>>>> In any case, resetting the SELinux attributes is rather trivial ...
>>>>>>
>>>>> This is something I have to do. And could dedicate paid time to it, if I
>>>>> feel that is going somewhere.
>>>>>
>>>> Surely.
>>>>
>>>>
>>>>> I have read that Amanda handles SELinux, but the information regarding
>>>>> that is cryptic as well.
>>>>>
>>>> As Amanda relies on dump or tar to do actual backups, you end up with the
>>>> question of whether those handle the xattribs. dump usually does, regarding tar I'm
>>>> unsure. The tar info and man pages on my system don't talk about that.
>>>>
>>> In the case of tar at least, the main upstream version is not selinux aware.
>>> RedHat/Fedora ship with a version that has been patched to handle xattr
>>> support, which should be helpful. I can dig up the patch from the tar that
>>> Fedora ships if anyone is interested.
>>>
>> That points us at one other problem with Amanda's approach: No platform
>> independence. A backup done with dump on a Sun can be practically
>> useless if you need to restore to a Windows or linux box... Similarly,
>> xattrs captured by a patched tar don't help you much if you've got to
>> restore to a newly installed replacement system.
>>
>
> Indeed - the only way I'd feel even remotely comfortable using Amanda's backup
> methodology would be to use a dedicated copy of GNU tar or cpio to ensure
> consistency. Once you get outside of the Linux/*BSD world, there are too many
> weird vendor quirks that could make life interesting in an uncomfortable way.
>
>
>> I still see the advice to disable SELinux if third party applications
>> don't work on RH quite often... In fact I always wonder why people
>> install and use SELinux if they're not capable of managing it, but
>> that's another story...
>>
>
> Indeed. Let's just be grateful that Bacula only has to concern itself with a
> very small and simple portion of SELinux to work =)
>
I'm not sure why Amanda bashing periodically rears its head on this
list. It seems irrelevant to the purposes of the list.

If I were in a Solaris shop, and I were using Amanda, I would choose to
use ufsdump. I wouldn't particularly care that it was Solaris specific,
because that would be appropriate. Not only would I always have
something to recover to, but my choice for recovery would always be one
of my Solaris servers.

If I were in a mixed shop with no dominant platform, then (as Frank
suggested) I would choose to use GNU Tar. That would give the ability to
recover data to whichever server I wanted. OS and installed software
backups would still be platform specific, and there just isn't any way
around that -- you can't run a Solaris SPARC binary on a Linux AMD box.
Sometimes, (with a boot partition) even if you recover from one Solaris
SPARC box to a slightly different Solaris SPARC box, you have to go
through the contortions of rebuilding the device tree, etc.

If a vendor for a particular OS or distribution implements access
controls or extended attributes that are different from other OS's or
distributions (say Redhat distributing SELinux, or the MacOSX additions
to BSD), then that has to be dealt with somehow. Since the vendor
includes tools like dump or gnutar in their distribution, they need to
modify or patch those to work with their extensions, if necessary,
otherwise their distribution is arguably broken. If the vendor does
their job, then Amanda just works. Whether the vendor does their job or
not, Bacula developers have to re-invent those code changes to capture
the access controls and extended attributes. That has in some instances
resulted in delays and periods of time when Bacula does not back up
those features and people have to develop workarounds. This can be done,
and has been described on the list; but, nevertheless, it is extra work
and effort.

As for recovering from one platform to another, there are posix
standards for extended attributes and acl's. With GNU Tar, you can
specify that you want to capture extended attributes (and it is SELinux
aware, see http://linux.die.net/man/1/tar and look for --xattrs), and
you can also specify that you want a posix (or pax) archive. Your
individual platforms still need to support those, if you expect to
recover them, but that's completely separate from what tool you choose
to back them up with. If you recover to a platform that doesn't support
them, you will lose the attributes and perhaps be violating company
security policies in some instances.
---------------
Chris Hoogendyk
-
O__ ---- Systems Administrator
c/ /'_ --- Biology & Geology Departments
(*) \(*) -- 140 Morrill Science Center
~~~~~~~~~~ - University of Massachusetts, Amherst
<hoogendyk AT bio.umass DOT edu>
---------------
Erdös 4
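
The last point in the message above (capturing extended attributes with `--xattrs` in a posix/pax archive) can be checked on the archive itself. The following is an added example, not part of the original message or of any project's code: it reads the pax extended headers of an archive and reports which members carry an SELinux context, ACL or xattr record. The sample archive is constructed in memory, and the keyword names are the ones GNU tar uses for these records in pax archives.

```python
import io
import tarfile

# pax extended-header keywords GNU tar writes for security metadata
# (--selinux, --acls and --xattrs respectively).
SELINUX_KEY = "RHT.security.selinux"
ACL_PREFIX = "SCHILY.acl."
XATTR_PREFIX = "SCHILY.xattr."

def build_sample_archive() -> bytes:
    """Constructed sample: a pax archive with one labelled and one bare member."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.PAX_FORMAT) as tar:
        for name, headers in (
            ("var/www/index.html", {
                SELINUX_KEY: "system_u:object_r:httpd_sys_content_t:s0",
                XATTR_PREFIX + "user.origin": "constructed-sample",
            }),
            ("var/www/upload.tmp", {}),  # no security metadata captured
        ):
            data = b"sample\n"
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.pax_headers = dict(headers)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def audit_archive(raw: bytes) -> dict:
    """Map each member to the SELinux context, ACL and xattr records it carries."""
    report = {}
    with tarfile.open(fileobj=io.BytesIO(raw), mode="r:") as tar:
        for member in tar:
            hdrs = member.pax_headers
            report[member.name] = {
                "selinux": hdrs.get(SELINUX_KEY),
                "acls": sorted(k for k in hdrs if k.startswith(ACL_PREFIX)),
                "xattrs": sorted(k[len(XATTR_PREFIX):] for k in hdrs
                                 if k.startswith(XATTR_PREFIX)),
            }
    return report

def unlabelled_members(report: dict) -> list:
    """Members that would be restored without an SELinux context."""
    return sorted(n for n, meta in report.items() if meta["selinux"] is None)

if __name__ == "__main__":
    print(unlabelled_members(audit_archive(build_sample_archive())))
```

An archive written in a non-pax format has no extended headers at all, so every member shows up as unlabelled.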