
Bacula

If RPMs are not available for your Linux version, rebuild the source RPM for it:

# Verify the source package before building it, e.g. `rpm -K bacula-2.0.2-1.src.rpm`
# (checks the package digests and any signature).
# --rebuild compiles binary RPMs from the source RPM; the two --define flags set
# build switches read by the package's .spec file (presumably the SUSE 9.x
# platform and MySQL 5 catalog support -- confirm the names in the .spec).
rpmbuild --rebuild --define "build_su9 1" --define "build_mysql5 1" bacula-2.0.2-1.src.rpm

Version 1.38.0 of bacula supports SSL/TLS when compiled from source, but the available RPMS were not built with SSL/TLS support.

Download/Compile (SUSE)

I installed the available RPM first so I could replace the binaries with SSL-enabled ones.

I downloaded the source package for 1.38.x (tar.gz) and did a configure with SSL and the options I found in the .spec file of the SRC rpm:

Server:

# Director/storage build. --with-openssl compiles in the TLS support that the
# stock RPM binaries lack. The --with-*-user/--with-*-group flags choose the
# accounts the daemons run as: director and storage daemon as the unprivileged
# "bacula" user, the file daemon as root.
# NOTE(review): the storage daemon group "disk" presumably exists to reach the
# tape/disk devices -- confirm against the device permissions on your system.
./configure \
        --prefix=/usr \
        --sbindir=/usr/sbin \
        --sysconfdir=/etc/bacula \
        --with-scriptdir=/etc/bacula \
        --enable-smartalloc \
        --with-openssl \
        --with-sqlite \
        --with-working-dir=/var/bacula \
        --with-pid-dir=/var/run \
        --with-subsys-dir=/var/lock/subsys \
        --with-dir-user=bacula \
        --with-dir-group=bacula \
        --with-sd-user=bacula \
        --with-sd-group=disk \
        --with-fd-user=root \
        --with-fd-group=bacula

Client (fd):

# File-daemon-only build (--enable-client-only) with TLS support (--with-openssl).
# No --with-fd-user/--with-fd-group is given here, so the build's default
# account applies.
# NOTE(review): confirm which user the installed start script runs bacula-fd as.
./configure \
        --prefix=/usr \
        --sbindir=/usr/sbin \
        --sysconfdir=/etc/bacula \
        --with-scriptdir=/etc/bacula \
        --enable-smartalloc \
        --with-openssl \
        --enable-client-only \
        --with-working-dir=/var/bacula \
        --with-pid-dir=/var/run \
        --with-subsys-dir=/var/lock/subsys

and installed the binaries over top of the RPM ones:

# Build the whole tree with six parallel jobs.
make -j6

# Install only the director, console, file daemon and storage daemon, so the
# freshly built binaries replace the ones the RPM put in place.
for component in dird console filed stored; do
  make -C "src/${component}/" install
done

Download/Compile (Debian)

This is a complete source installation, not replacing existing packages (since there are none for 1.38 yet)

# Build dependencies: MySQL server and client headers for the catalog, OpenSSL
# headers for TLS, and readline headers (presumably for the console).
apt-get install mysql-server libmysqlclient15-dev libssl-dev libreadline5-dev

# Dedicated service account with fixed uid/gid 90; -k /dev/null creates the
# home directory without copying any skeleton files into it.
# NOTE(review): the account gets /bin/bash as its login shell. If nothing needs
# to log in as bacula, a non-login shell narrows what the account can be used
# for -- confirm the start script and any job scripts still work before
# changing it.
/usr/sbin/groupadd -g 90 bacula
/usr/sbin/useradd -c "Bacula" -d /var/lib/bacula -m -k /dev/null -g bacula -u 90 -s /bin/bash bacula

# Full build against MySQL (--with-mysql) with TLS support (--with-openssl).
# The working directory is the home directory created for the bacula account.
# Director and storage daemon run as bacula:bacula; the file daemon runs as
# root with group bacula.
./configure \
        --prefix=/usr \
        --sbindir=/usr/sbin \
        --sysconfdir=/etc/bacula \
        --with-scriptdir=/etc/bacula \
        --enable-smartalloc \
        --with-openssl \
        --with-mysql \
        --with-working-dir=/var/lib/bacula \
        --with-pid-dir=/var/run \
        --with-subsys-dir=/var/lock \
        --with-dir-user=bacula \
        --with-dir-group=bacula \
        --with-sd-user=bacula \
        --with-sd-group=bacula \
        --with-fd-user=root \
        --with-fd-group=bacula

# Build with six parallel jobs; install only if the build succeeded.
make -j6 && make install

# Link the start script shipped in /etc/bacula into /etc/init.d and register it
# for the default runlevels.
cd /etc/init.d/ && ln -s /etc/bacula/bacula . && /usr/sbin/update-rc.d bacula defaults

Generate certificates

cd /etc/bacula

The first time, generate a new CA certificate for signing

# Edits the distribution's CA.pl in place, turning every `365"` into `3650"`
# (a default validity of roughly ten years instead of one). A package upgrade
# can overwrite this edit.
# NOTE(review): which certificates pick up the new default depends on the
# CA.pl version; after -newca, check the actual CA lifetime with
#   openssl x509 -noout -dates -in demoCA/cacert.pem
sed -i 's/365"/3650"/' /usr/lib/ssl/misc/CA.pl
# Creates the CA key and self-signed CA certificate under ./demoCA.
# Every daemon configured below trusts certificates signed by this CA, so keep
# the CA private key and its passphrase restricted to the signing host.
/usr/lib/ssl/misc/CA.pl -newca

Generate a certificate signing request (CSR), and then sign it. The challenge password can be empty, but be sure the Common Name matches the DNS name you will use to connect to the remote bacula-fd server!

# -newreq-nodes: new key pair plus certificate request, with the private key
# written unencrypted (no passphrase) so a daemon can load it unattended.
# File permissions are then the only protection on that key.
/usr/lib/ssl/misc/CA.pl -newreq-nodes
# -sign: signs the request with the CA. SSLEAY_CONFIG hands "-days 3650" to the
# underlying openssl call so the issued certificate is valid for 3650 days.
SSLEAY_CONFIG="-days 3650" /usr/lib/ssl/misc/CA.pl -sign

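mv newkey.pem bacula-<client>.key
# -OR-, if your CA.pl version wrote the key into newreq.pem instead of newkey.pem:
#   head -15 newreq.pem > bacula-<client>.key
# (head -15 assumes the private key is exactly the first 15 lines of newreq.pem;
#  check that the result ends with the "-----END ... PRIVATE KEY-----" line.)
mv newcert.pem bacula-<client>.crt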

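Copy (scp) bacula-<client>.key, bacula-<client>.crt and cacert.pem to the FD client machine and change ownership/permissions. Only the CA certificate (cacert.pem) goes to the client; the CA's private key stays on the signing host.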

# Owner read/write, group read-only, no access for others; the group is then
# set to bacula. The .key file is the secret here, while the .crt and
# cacert.pem are public certificates.
# NOTE(review): confirm the file owner after copying (e.g. root), since the
# owner keeps write access to the key.
chmod 640 bacula-<client>.* cacert.pem
chgrp bacula bacula-<client>.* cacert.pem

Add relevant sections to the .conf files

/etc/bacula/bacula-dir.conf

Director {
  ...
  # console --> director server
  # The director is the TLS server here. Require refuses non-TLS consoles;
  # Verify Peer makes the console present a certificate signed by the CA below.
  # Without a "TLS Allowed CN" directive any certificate from that CA is
  # accepted, so add one if the CA also issues certificates to other hosts.
  # NOTE(review): this resource names bacula-<client>.key/.crt while the Client
  # and Storage resources below use bacula.key/.crt -- confirm which pair
  # exists on the director host.
  TLS Enable = yes
  TLS Require = yes
  TLS Verify Peer = yes
  TLS Key = /etc/bacula/bacula-<client>.key
  TLS Certificate = /etc/bacula/bacula-<client>.crt
  TLS CA Certificate File = /etc/bacula/demoCA/cacert.pem
}

Client {
  ...
  # director --> file daemon client
  # The director is the TLS client here: it presents bacula.crt and checks the
  # file daemon's certificate against the CA certificate below. The Common
  # Name in the file daemon's certificate has to match the name the director
  # connects to.
  TLS Enable = yes
  TLS Require = yes
  TLS Key = /etc/bacula/bacula.key
  TLS Certificate = /etc/bacula/bacula.crt
  TLS CA Certificate File = /etc/bacula/demoCA/cacert.pem
}

Storage {
  ...
  # director --> storage daemon client
  # Same client role as above, this time towards the storage daemon.
  TLS Enable = yes
  TLS Require = yes
  TLS Key = /etc/bacula/bacula.key
  TLS Certificate = /etc/bacula/bacula.crt
  TLS CA Certificate File = /etc/bacula/demoCA/cacert.pem
}

/etc/bacula/bacula-fd.conf

Director {
  ...
  # director --> filedaemon server
  # The file daemon is the TLS server here. Verify Peer makes the director
  # present a certificate signed by the CA below; without "TLS Allowed CN" any
  # certificate from that CA is accepted as the director.
  # The CA certificate path is the copy placed in /etc/bacula on the client.
  TLS Enable = yes
  TLS Require = yes
  TLS Verify Peer = yes
  TLS Key = /etc/bacula/bacula.key
  TLS Certificate = /etc/bacula/bacula.crt
  TLS CA Certificate File = /etc/bacula/cacert.pem
}

FileDaemon {
  ...
  # file daemon --> storage daemon client
  # The file daemon is the TLS client here, towards the storage daemon.
  # NOTE(review): this resource names bacula-<client>.key/.crt while the
  # Director resource above uses bacula.key/.crt -- confirm which file names
  # were actually copied to this host.
  TLS Enable = yes
  TLS Require = yes
  TLS Key = /etc/bacula/bacula-<client>.key
  TLS Certificate = /etc/bacula/bacula-<client>.crt
  TLS CA Certificate File = /etc/bacula/cacert.pem
}

/etc/bacula/bacula-sd.conf

Storage {
  ...
  # file daemon --> storage daemon server
  # The storage daemon is the TLS server for file daemon connections. With
  # Verify Peer and no "TLS Allowed CN", every certificate signed by the CA
  # below is accepted as a file daemon.
  TLS Enable = yes
  TLS Require = yes
  TLS Verify Peer = yes
  TLS Key = /etc/bacula/bacula.key
  TLS Certificate = /etc/bacula/bacula.crt
  TLS CA Certificate File = /etc/bacula/cacert.pem
}

Director {
  ...
  # director --> storage daemon server
  # Same server role for connections from the director; "TLS Allowed CN" here
  # would limit acceptance to the director's certificate.
  TLS Enable = yes
  TLS Require = yes
  TLS Verify Peer = yes
  TLS Key = /etc/bacula/bacula.key
  TLS Certificate = /etc/bacula/bacula.crt
  TLS CA Certificate File = /etc/bacula/cacert.pem
}

/etc/bacula/bconsole.conf

Director {
  ...
  # bconsole --> director client
  # The console is the TLS client: it presents bacula.crt to the director and
  # checks the director's certificate against the CA certificate below.
  # NOTE(review): whoever runs bconsole must be able to read the key file --
  # confirm its group and mode match the users meant to have console access.
  TLS Enable = yes
  TLS Require = yes
  TLS Key = /etc/bacula/bacula.key
  TLS Certificate = /etc/bacula/bacula.crt
  TLS CA Certificate File = /etc/bacula/demoCA/cacert.pem
}


Reference http://braindump.mrzesty.net/Main/Bacula
