Bacula

Diff: Bacula

Legend:

Removed

Changed

Added

Ownership:	rw-rw-r-- ian linux
Modified:	10 Mar 08, 19:32
Modified by:	Ian Samuel (ian)
Rev.:	21 (Old)

Ownership:	rw-rw-r-- ian linux
Modified:	15 Jun 08, 21:34
Modified by:	Ian Samuel (ian)
Rev.:	22 (Current)

+ %TITLE%

<toc>

If RPM's are not available for your version, then rebuild for your Linux version.

<code>
rpmbuild --rebuild --define "build_su9 1" --define "build_mysql5 1" bacula-2.0.2-1.src.rpm
</code>

Version 1.38.0 of bacula supports SSL/TLS when compiled from source, but the available RPMS were not built with SSL/TLS support.

+ Download/Compile (SUSE)

I installed the available RPM first so I could replace the binaries with SSL-enabled ones.

I downloaded the source package for 1.38.x (tar.gz) and did a configure with SSL and the options I found in the .spec file of the SRC rpm:

*Server:*

<code>
./configure \
--prefix=/usr \
--sbindir=/usr/sbin \
--sysconfdir=/etc/bacula \
--with-scriptdir=/etc/bacula \
--enable-smartalloc \
--with-openssl \
--with-sqlite \
--with-working-dir=/var/bacula \
--with-pid-dir=/var/run \
--with-subsys-dir=/var/lock/subsys \
--with-dir-user=bacula \
--with-dir-group=bacula \
--with-sd-user=bacula \
--with-sd-group=disk \
--with-fd-user=root \
--with-fd-group=bacula
</code>

*Client (fd):*

<code>
./configure \
--prefix=/usr \
--sbindir=/usr/sbin \
--sysconfdir=/etc/bacula \
--with-scriptdir=/etc/bacula \
--enable-smartalloc \
--with-openssl \
--enable-client-only \
--with-working-dir=/var/bacula \
--with-pid-dir=/var/run \
--with-subsys-dir=/var/lock/subsys
</code>

and installed the binaries over top of the RPM ones:

<code>
make -j6

make -C src/dird/ install
make -C src/console/ install
make -C src/filed/ install
make -C src/stored/ install
</code>

+ Download/Compile (Debian)

This is a complete source installation, not replacing existing packages (since there are none for 1.38 yet)

<code>
apt-get install mysql-server libmysqlclient15-dev libssl-dev libreadline5-dev

/usr/sbin/groupadd -g 90 bacula
/usr/sbin/useradd -c "Bacula" -d /var/lib/bacula -m -k /dev/null -g bacula -u 90 -s /bin/bash bacula

./configure \
--prefix=/usr \
--sbindir=/usr/sbin \
--sysconfdir=/etc/bacula \
--with-scriptdir=/etc/bacula \
--enable-smartalloc \
--with-openssl \
--with-mysql \
--with-working-dir=/var/lib/bacula \
--with-pid-dir=/var/run \
--with-subsys-dir=/var/lock \
--with-dir-user=bacula \
--with-dir-group=bacula \
--with-sd-user=bacula \
--with-sd-group=bacula \
--with-fd-user=root \
--with-fd-group=bacula

make -j6 && make install

cd /etc/init.d/ && ln -s /etc/bacula/bacula . && /usr/sbin/update-rc.d bacula defaults
</code>

+ Generate certificates

<code>
cd /etc/bacula
</code>

The first time, generate a new CA certificate for signing

<code>
sed -i 's/365"/3650"/' /usr/lib/ssl/misc/CA.pl
/usr/lib/ssl/misc/CA.pl -newca
</code>

Generate a CSR signing request, and then sign it. The challenge password can be empty, but be sure the Common Name matches the DNS name you will use to connect to the remote bacula-fd server!

<code>
/usr/lib/ssl/misc/CA.pl -newreq-nodes
SSLEAY_CONFIG="-days 3650" /usr/lib/ssl/misc/CA.pl -sign

mv newkey.pem bacula-<client>.key -OR- head -15 newreq.pem > bacula-<client>.key
mv newcert.pem bacula-<client>.crt
</code>

copy (scp) =bacula-<client>.key= =bacula-<client>.crt= and =cacert.pem= to the FD client machine and change ownership/permissions.

<code>
chmod 640 bacula-<client>.* cacert.pem
chgrp bacula bacula-<client>.* cacert.pem
</code>

+ Add relevant sections to the .conf files

=/etc/bacula/bacula-dir.conf=

<code>
Director {
...
# console --> director server

TLS Enable = yes

TLS Require = yes
TLS Verify Peer = yes
TLS Key = /etc/bacula/bacula-<client>.key
TLS Certificate = /etc/bacula/bacula-<client>.crt
TLS CA Certificate File = /etc/bacula/demoCA/cacert.pem
}

Client {
...
# director --> file daemon client

TLS Enable = yes

TLS Require = yes
TLS Key = /etc/bacula/bacula.key
TLS Certificate = /etc/bacula/bacula.crt
TLS CA Certificate File = /etc/bacula/demoCA/cacert.pem
}

Storage {
...
# director --> storage daemon client

TLS Enable = yes

TLS Require = yes
TLS Key = /etc/bacula/bacula.key
TLS Certificate = /etc/bacula/bacula.crt
TLS CA Certificate File = /etc/bacula/demoCA/cacert.pem
}
</code>

=/etc/bacula/bacula-fd.conf=

<code>
Director {
...
# director --> filedaemon server

TLS Enable = yes

TLS Require = yes
TLS Verify Peer = yes
TLS Key = /etc/bacula/bacula.key
TLS Certificate = /etc/bacula/bacula.crt
TLS CA Certificate File = /etc/bacula/cacert.pem
}

FileDaemon {
...
# file daemon --> storage daemon client

TLS Enable = yes

TLS Require = yes
TLS Key = /etc/bacula/bacula-<client>.key
TLS Certificate = /etc/bacula/bacula-<client>.crt
TLS CA Certificate File = /etc/bacula/cacert.pem
}
</code>

=/etc/bacula/bacula-sd.conf=

<code>
Storage {
...
# file daemon --> storage daemon server

TLS Enable = yes

TLS Require = yes
TLS Verify Peer = yes
TLS Key = /etc/bacula/bacula.key
TLS Certificate = /etc/bacula/bacula.crt
TLS CA Certificate File = /etc/bacula/cacert.pem
}

Director {
...
# director --> storage daemon server

TLS Enable = yes

TLS Require = yes
TLS Verify Peer = yes
TLS Key = /etc/bacula/bacula.key
TLS Certificate = /etc/bacula/bacula.crt
TLS CA Certificate File = /etc/bacula/cacert.pem
}
</code>

=/etc/bacula/bconsole.conf=

<code>
Director {
...
# bconsole --> director client

TLS Enable = yes

TLS Require = yes
TLS Key = /etc/bacula/bacula.key
TLS Certificate = /etc/bacula/bacula.crt
TLS CA Certificate File = /etc/bacula/demoCA/cacert.pem
}
</code>