Tuxevaras Blog

Ich hab mir mal gedacht, meinen Mediacenter System, mit einem KVM Gast auf dem auch dieser Blog laeuft, ein wenig ausfallsicherer zu machen. Dazu also vergangene Woche eine gleich grosse zweite HDD gekauft. Heute habe ich dann endlich die Zeit gefunden, dem laufenden LVM ein Software RAID1 unter zu schieben. Diese Anleitung war dabei sehr hilfreich, auch wenn ein paar Aufrufe an lokale Gegebenheiten anpassen muessen (mein Mediacenter laeuft z.B. auf Ubuntu). Insgesamt ist es schon erstaunlich wie flexibel Linux beim Umgang mit Block-Devices ist.

Gerade ein wenig mit Funambol herumgespielt. Da mein Nokia E71 ein wenig empfindlich im Bezug auf Zertifikate ist, sollte der Funambol auch das Zertifikat meines Servers haben, welches eh schon im Telefon als vertrauenswuerdig hinterlegt ist (CAcert.org signed).

Natuerlich ist sowas bei Java immer alles nicht so einfach. Zertifikat kein Provlem, aber Private Key importieren is nicht. Aber wie ich dann raus gefunden habe, gibt es mit keytool in Java 1.6 endlich die Moeglichkeit einen Private Key + Zertifikat zu importieren, wenn ein PKCS#12 File vorliegt.

Der ist ja dank Openssl recht schnell erstellt:

openssl pkcs12 -export -in /etc/apache2/server.crt -inkey /etc/apache2/server.key -out /root/server.p12

Und dann kann der Import losgehen:

keytool -importkeystore -deststorepass changeit -destkeypass changeit -srckeystore /root/server.p12 -srcstoretype PKCS12 -srcstorepass 1234 -srcalias 1 -destalias tomcat

Wichtig ist “-srcalias 1″, damit keytool auch weiss, dass es den ersten Datensatz aus dem P12 File lesen soll. Ausserdem ist in meinem Fall (Funambol) noch wichtig, dass “-destalias tomcat” angegeben wird.

Nach einem Neustart des Funambol Dienstes liefert er das neu importierte Zertifikat aus.

As promised here comes part two of my “Backup with Bacula and LUKS encrypted USB disks” howto. In part one I explained how to prepare the disks for using them with autofs and how to configure autofs itself. Now we have a good basis for Bacula to use those disks as storage for the backups.
As I said I want to use those disks as virtual tapes in a virtual tape library. This gives us the most flexibility in changing the disks or not (holidays, etc.). With vchanger you get a nice tool to emulate such a virtual tape library. After installation the vchanger binary should be available at /usr/local/bin. I created a config file called vchanger.conf at /usr/local/etc with the following content:

# changer_name  -  [required] Name of this autochanger
changer_name = "usbchanger1"
# state_dir - Directory where virtual drive state and symlinks are created
#             [Default: /var/lib/bacula/]
state_dir = "/var/lib/bacula/usbchanger1"
# logfile  -  Path to a file where errors and debugging info will be logged.
#             [Default: none]
logfile = "/var/lib/bacula/usbchanger1.log"
# slots_per_magazine  -  Number of slots each of the autochanger's magazines
#                        will have. [Default: 10]
slots_per_magazine = 10
# virtual_drives  -  Number of virtual drives to use. [Default: 1]
Virtual_Drives = 1
# magazine  -  [Required] Gives the mountpoint directory of a magazine.
#              Multiple magazine directives may be specified to define
#              a multi-magazine autochanger. Each magazine has the same
#              number of slots, so the autochanger will have
magazine = "/mnt/usbchanger1/magazine"

To use that virtual device with Bacula, modify the configuration of the Bacula storage daemon.

[..]
Autochanger {
 Name = usb-changer-1
 Device = usb-changer-1-drive-0
 Changer Command = "/usr/local/bin/vchanger %c %o %S %a %d"
 Changer Device = "/usr/local/etc/vchanger.conf"
}
#---  drive 0 of the usb-changer-1 autochanger
Device {
 Name = usb-changer-1-drive-0
 DriveIndex = 0
 Autochanger = yes;
 DeviceType = File
 MediaType = File
 ArchiveDevice = /var/lib/bacula/usbchanger1/0/drive0
 RemovableMedia = no;
 RandomAccess = yes;
}
[..]

And add this device as storage to you Bacula director’s configuration.

[..]
Storage {
 Name = usbchanger1   # same as defined by 'baculasd' in vchanger config file
 Address = hostname.of.my.baculasd.system
 SDPort = 9103
 Password = "mysecretpasswort"
 Device = usb-changer-1  # name of the Autochanger resource defined in bacula-sd.conf
 Media Type = File
 Autochanger = yes;
}
[..]

Now we can start initializing the tape library by adding the tapes. For each disk run the following commands after it has been attached to the server.

chown bacula:disk /mnt/usbchanger1/magazine/
vchanger -u bacula -g disk /usr/local/etc/vchanger.conf initmag 1
bconsole << EOF
label barcodes
yes
2
quit
EOF

Now the virtual tape changer is married with Bacula and I am sure they will have a very good time together.

All other things you need to know, e.g. how to to configure Bacula to you needs, what a good backup strategy is, do apply to any other backup media as well. So I am not handling them in this howto. I hope this helped you somehow and feedback is always welcome.

I think is is time again to share some interesting stuff with you.
A few month ago, I have set up a new backup solution with Bacula and USB disks as backup media. I am not going to argue why Bacula is our preferred backup software or why USB disks are great for backups. You will have to find it out on your own. So let’s get more into detail now.

As our company policies require all media to be encrypted, no excepetion was made for the backup media of cause. This were the requirements for the new system:

1. Attached USB disks must be accessible by the system and backup software, without the need of manual actions by the backup operator
2. The filesystem should be in an unmounted state when detaching the USB disk to prevent data corruption. Also, no manual actions should be needed.
3. The disks have always to be mounted to the same location for Bacula to use them
4. The backup should be as flexible as possible, e.g. it should not really matter if the disk was changed or not. This is really important on holidays, as I do not want to update volume attributes all the time.

The solution for the first three requirements is a combination of LUKS encryption with a keyfile and an automounter like autofs. Encrypting with LUKS and a keyfile is really easy as you will see. To fulfill the last requirement I have chosen a Bacula configuration based on a virtual tape changer. But first we have to prepare udev with some config and scripts to make a device available for autofs.

UDEV CONFIG & SCRIPTS

/etc/udev/rules.d/99-unlock-lucks.rules
This rules makes UDEV call /usr/local/bin/unlock-luks with the name of the new device and the name the decrypted device should get by the device mapper (here: bacula) as parameter.

ACTION=="add",BUS=="usb",KERNEL=="sd?1",RUN+="/usr/local/bin/unlock-luks /dev/%k bacula"

/usr/local/bin/unlock-luks
This script takes care if a new device was attached to the system. If UDEV calls this script and the device mapper still sees the device, this is caused by the device mapper taking a long time before dropping a detached device from its database. In case the system still thinks the device is mounted, force an umount and close the crypto device before setting up the new crypto device. If this looks very strange to you, I can appease you, It’s working pretty well for month now. Of cause this script has to be made executable.

(
  ISATTACHED=`dmsetup ls | grep ^bacula | wc -l`
  if [ $ISATTACHED -eq 1 ]
  then
    umount /dev/mapper/$2 --force
    cryptsetup luksClose $2
  fi
  cryptsetup --key-file=/etc/luks.key luksOpen $1 $2
)

Now that UDEV is prepared let’s create some fully encrypted USB disks:

CREATING A KEYFILE
First of all, we need to create a good keyfile. In 2010 a 4096 bit key should be enough. To create such a keyfile dd does a good job:

dd if=/dev/random of=/etc/luks.key bs=1024 count=4

ENCRYPTING THE DISK
I suppose you only have one partition on your USB disk, so encrypt it. Usually USB disks are handled by the SCSI subsystem, so it device name starts with sd. Warning: The next step overwrites any existing data on that partition.

cryptsetup luksFormat /dev/ /etc/luks.key

FORMATTING THE ENCRYPTED PARTITION
Before you really can format the partition you should unplug the disk and reattach it to the system. If your UDEV configuration and scripts work as expected, you should see the device /dev/mapper/bacula. Finally put a filesystem onto the new device with

mke2fs -j -T largefile -L "usbchanger1" /dev/mapper/bacula

As you can see the filesystem also gets labled with usbchanger1. This is neccesarry for the automounter to identify the filesystem. I used the largefile flag, as each volume Bacula creates is a big file of several gigabytes.

CONFIGURING AUTOFS
I suppose there is nothing special about the two files for you. Just create the mountpoint /mnt/usbchanger1, modify or create the two files and restart the autofs daemon.

/etc/auto.master

/mnt/usbchanger1    /etc/auto.usbchanger1    --timeout=10

/etc/auto.usbchanger1

magazine  -fstype=auto,rw  :/dev/disk/by-label/usbchanger1

That’s all for now. You should now be able to attach an USB disk with an encrypted filesystem on it to the system and access it through the path /mnt/usbchanger1/magazine. If nothing keeps the device open it will be unmounted after ten seconds. Now you are ready to configure Bacula. I am going to explain this in part 2 of this tutorial soon.