Bacula-users

Re: [Bacula-users] can't start bacula-fd on a CentOS 7 host

2015-03-02 00:05:31
Subject: Re: [Bacula-users] can't start bacula-fd on a CentOS 7 host
From: Tim Dunphy <bluethundr AT gmail DOT com>
To: "bacula-users AT lists.sourceforge DOT net" <bacula-users AT lists.sourceforge DOT net>
Date: Mon, 2 Mar 2015 00:00:44 -0500
Hey Ana / all,

Forgot to hit reply-all. Whoops! Adding the list to the correspondence. :)



Have you confirmed that your "WorkingDirectory = /var/bacula" exists?

OK thanks. That got the bacula client started on web1 :)

I've been able to verify it's started there:

[root@web1:~/certs] #lsof -i :9102
COMMAND    PID USER   FD   TYPE  DEVICE SIZE/OFF NODE NAME
bacula-fd 5403 root    3u  IPv4 2922313      0t0  TCP *:bacula-fd (LISTEN)

However a couple things still need to be worked out I think. For one, the bacula client isn't logging anything to its log directory:

[root@web1:~/certs] #ls -l /var/log/bacula/
total 0

I did try creating the log manually and chowning it to the bacula user:

[root@web1:~/certs] #ls -l /var/log/bacula/bacula.log
-rw-r--r-- 1 bacula bacula 0 Mar  1 22:28 /var/log/bacula/bacula.log

However that didn't seem to make any difference, and I don't see the log filling up with anything.

And going back to the bacula server, it looks like the client still can't be contacted:

*st client
The defined Client resources are:
     1: ops.jokefire.com
     2: web1.jokefire.com
Select Client (File daemon) resource (1-2): 2
Connecting to Client web1.jokefire.com at web1.jokefire.com:9102
Failed to connect to Client web1.jokefire.com.
====

Even tho I can hit the correct port on the client from the server, verifying that it's open:

[root@ops:~] #telnet web1.jokefire.com 9102
Trying 162.243.60.6...
Connected to web1.jokefire.com (162.243.60.6).
Escape character is '^]'.

Checking messages on the server I see this error repeatedly:

*messages
01-Mar 23:15 ops.jokefire.com JobId 0: Error: openssl.c:74 Connect failure: ERR=error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
01-Mar 23:15 ops.jokefire.com JobId 0: Fatal error: TLS negotiation failed with FD at "web1.jokefire.com:9102".

This is the process I used to create the cert on the client:


1) copied over ca.key from the bacula server to the client

Create web1.jokefire.com key and certificate signing request
2) openssl genrsa -des3 -out web1.jokefire.com.key 4096
3) openssl req -new -key web1.jokefire.com.key -out web1.jokefire.com.csr

Sign the web1.jokefire.com certificate
4) openssl x509 -req -days 3650 -in web1.jokefire.com.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out web1.jokefire.com.crt

Really important! Remove the password from the web1.jokefire.com private key
5) openssl rsa -in web1.jokefire.com.key -out web1.jokefire.com.key

And I was able to verify the ca.key .. it looks ok to me:

[root@web1:~/certs] #openssl x509 -in /etc/pki/CA/certs/ca.crt -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 9373003421479956496 (0x821398f397d57010)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, ST=NJ, L=Newark, O=Jokefire LLC, OU=Ops, CN=ops.jokefire.com CA
        Validity
            Not Before: Dec  6 01:57:10 2013 GMT
            Not After : Dec  4 01:57:10 2023 GMT
        Subject: C=US, ST=NJ, L=Newark, O=Jokefire LLC, OU=Ops, CN=ops.jokefire.com CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                CB:7E:8F:08:AE:1B:85:41:3B:AD:C5:65:AA:AA:75:9D:21:C0:4E:F2
            X509v3 Authority Key Identifier:
                keyid:CB:7E:8F:08:AE:1B:85:41:3B:AD:C5:65:AA:AA:75:9D:21:C0:4E:F2
                DirName:/C=US/ST=NJ/L=Newark/O=Jokefire LLC/OU=Ops/CN=ops.jokefire.com CA
                serial:82:13:98:F3:97:D5:70:10

            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: sha1WithRSAEncryption

I was hoping someone might have some other thoughts on how to get this working. 

Thanks!
Tim
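
The "unknown ca" alert in the messages output above is raised when one side of the TLS handshake cannot chain the peer's certificate to its configured CA file. The script below is an added example, not part of the original post: it builds throwaway certificates (the names demo_ca, other_ca and web1.example.test are constructed placeholders) and shows the three checks that narrow this down: chain validation, key/certificate match and CA fingerprint comparison.

```shell
#!/bin/sh
# Constructed demo: all files are generated in a scratch directory. The names
# demo_ca, other_ca and web1.example.test are placeholders, not the poster's.

# chain_ok CAFILE CERT: true only if CERT validates against CAFILE.
# Checks the printed verdict rather than relying on the exit status alone.
chain_ok() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# key_matches CERT KEY: true only if KEY is the private key for CERT.
key_matches() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# ca_fp CERT: SHA-256 fingerprint, for comparing the CA file on two hosts.
ca_fp() {
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

# make_demo_pki DIR: two CAs with the same subject but different keys, plus a
# leaf signed by demo_ca only (same x509 -req form as step 4 in the post).
make_demo_pki() {
    for ca in demo_ca other_ca; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
            -keyout "$1/$ca.key" -out "$1/$ca.crt" 2>/dev/null || return 1
    done
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=web1.example.test" \
        -keyout "$1/web1.key" -out "$1/web1.csr" 2>/dev/null || return 1
    openssl x509 -req -days 1 -in "$1/web1.csr" -CA "$1/demo_ca.crt" \
        -CAkey "$1/demo_ca.key" -set_serial 01 -out "$1/web1.crt" 2>/dev/null
}

dir=$(mktemp -d)
make_demo_pki "$dir"
if chain_ok "$dir/demo_ca.crt" "$dir/web1.crt"; then echo "signing CA: chain OK"; fi
if ! chain_ok "$dir/other_ca.crt" "$dir/web1.crt"; then
    echo "same subject, different CA key: rejected"
fi
if key_matches "$dir/web1.crt" "$dir/web1.key"; then echo "key matches cert"; fi
echo "CA fingerprint to compare across hosts: $(ca_fp "$dir/demo_ca.crt")"
rm -rf "$dir"
```

On real hosts, chain_ok would be run on each side with that side's TLS CA Certificate File and the peer's certificate, and ca_fp compared between the two hosts.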

On Sun, Mar 1, 2015 at 8:50 PM, Ana Emília M. Arruda <emiliaarruda AT gmail DOT com> wrote:
Hi Tim!

Have you confirmed that your "WorkingDirectory = /var/bacula" exists?

Best regards,
Ana

On Sun, Mar 1, 2015 at 10:04 PM, Tim Dunphy <bluethundr AT gmail DOT com> wrote:
Hey guys,

OK I was able to get bacula-client version 7 installed on a CentOS 7 machine.

[root@web1:~/certs] #rpm -qa | grep bacula
bacula-libs-7.0.5-1.el7.x86_64
bacula-common-7.0.5-1.el7.x86_64
bacula-client-7.0.5-1.el7.x86_64

But the service fails to start:

[root@web1:~/certs] #service bacula-fd status -l
Redirecting to /bin/systemctl status  -l bacula-fd.service
bacula-fd.service - Bacula-FileDaemon, a Backup-client
   Loaded: loaded (/usr/lib/systemd/system/bacula-fd.service; disabled)
   Active: failed (Result: start-limit) since Sun 2015-03-01 19:59:57 EST; 2min 11s ago
     Docs: man:bacula-fd(8)
  Process: 28324 ExecStart=/usr/sbin/bacula-fd -f $OPTS -c $CONFIG -u $FD_USER -g $FD_GROUP (code=exited, status=1/FAILURE)
 Main PID: 28324 (code=exited, status=1/FAILURE)

Mar 01 19:59:57 web1 systemd[1]: bacula-fd.service: main process exited, code=exited, status=1/FAILURE
Mar 01 19:59:57 web1 systemd[1]: Unit bacula-fd.service entered failed state.
Mar 01 19:59:57 web1 systemd[1]: bacula-fd.service holdoff time over, scheduling restart.
Mar 01 19:59:57 web1 systemd[1]: Stopping Bacula-FileDaemon, a Backup-client...
Mar 01 19:59:57 web1 systemd[1]: Starting Bacula-FileDaemon, a Backup-client...
Mar 01 19:59:57 web1 systemd[1]: bacula-fd.service start request repeated too quickly, refusing to start.
Mar 01 19:59:57 web1 systemd[1]: Failed to start Bacula-FileDaemon, a Backup-client.
Mar 01 19:59:57 web1 systemd[1]: Unit bacula-fd.service entered failed state.


Here's my bacula-fd config:

[root@web1:~/certs] #cat /etc/bacula/bacula-fd.conf
#
# Default  Bacula File Daemon Configuration file
#
#  For Bacula release 5.2.13 (19 February 2013) -- redhat
#
# There is not much to change here except perhaps the
# File daemon Name to
#

#
# List Directors who are permitted to contact this File daemon
#
Director {
  Password = Duk30fZh0u
  TLS Certificate = /etc/pki/tls/certs/web1.jokefire.com.crt
  TLS Key = /etc/pki/tls/private/web1.jokefire.com.key
  TLS CA Certificate File = /etc/pki/CA/certs/ca.crt
  TLS Enable = yes
  TLS Require = yes
}

#
# "Global" File daemon configuration specifications
#
FileDaemon {                          # this is me
  FDport = 9102                  # where we listen for the director
  WorkingDirectory = /var/bacula
  Pid Directory = /var/run
  Maximum Concurrent Jobs = 20
  TLS Certificate = /etc/pki/tls/certs/web1.jokefire.com.crt
  TLS Key = /etc/pki/tls/private/web1.jokefire.com.key
  TLS CA Certificate File = /etc/pki/CA/certs/ca.crt
  TLS Enable = yes
  TLS Require = yes
}

# Send all messages except skipped files back to Director
Messages {
  Name = Standard
  director = cloud-dir = all, !skipped, !restored
}

And here are my certs and how they're permissioned:

-r-------- 1 root   root   2212 Feb 13 18:24 /etc/pki/CA/certs/ca.crt
-r-------- 1 bacula bacula 1428 Mar  1 19:58 /etc/pki/tls/certs/web1.jokefire.com.crt
-r-------- 1 bacula bacula  891 Mar  1 19:58 /etc/pki/tls/private/web1.jokefire.com.key

I'd appreciate any advice you guys can give on how to troubleshoot this. I am not at all familiar with CentOS 7 just yet. It seems they do things a little differently on this latest version of the OS.

Thanks
Tim

--
GPG me!!

gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B


------------------------------------------------------------------------------
Dive into the World of Parallel Programming The Go Parallel Website, sponsored
by Intel and developed in partnership with Slashdot Media, is your hub for all
things parallel software development, from weekly thought leadership blogs to
news, videos, case studies, tutorials and more. Take a look and join the
conversation now. http://goparallel.sourceforge.net/
_______________________________________________
Bacula-users mailing list
Bacula-users AT lists.sourceforge DOT net
https://lists.sourceforge.net/lists/listinfo/bacula-users




