From 36cd64837bfe3cc628c0806fce655c4df2d3c230 Mon Sep 17 00:00:00 2001 From: Kern Sibbald Date: Mon, 9 Oct 2006 22:21:19 +0000 Subject: [PATCH] Updates --- docs/manual/dataencryption.tex | 26 +++++++++++++++------- docs/manual/supportedoses.tex | 40 +++++++++++++++++----------------- docs/manual/tips.tex | 34 ++++++++++++++--------------- docs/manual/version.tex | 2 +- 4 files changed, 56 insertions(+), 46 deletions(-) diff --git a/docs/manual/dataencryption.tex b/docs/manual/dataencryption.tex index 75ad43b2..07e89c01 100644 --- a/docs/manual/dataencryption.tex +++ b/docs/manual/dataencryption.tex 
@@ -16,14 +16,15 @@ contents. It is very important to specify what this implementation does NOT do: \begin{itemize} -\item There is still one major gotcha, namely, it's possible for the - director to restore new keys or a Bacula configuration file to the - client, and thus force later backups to be made with a compromised - key and/or with no encryption at all. You can avoid this by not backing - up your encryption keys using Bacula, and not changing the location - of the keys in your Bacula File daemon configuration file. However, - please be sure your File daemon keys securely backed up preferably - off-site. +\item There is one important restore problem to be aware of, namely, it's + possible for the director to restore new keys or a Bacula configuration + file to the client, and thus force later backups to be made with a + compromised key and/or with no encryption at all. You can avoid this by + not not changing the location of the keys in your Bacula File daemon + configuration file, and not changing your File daemon keys. If you do + change either one, you must ensure that no restore is done that restores + the old configuration or the old keys. In general, the worst effect of + this will be that you can no longer connect the File daemon. \item The implementation does not encrypt file metadata such as file path names, permissions, and ownership. Extended attributes are also currently 
@@ -54,6 +55,15 @@ home with the owner of the machine. NOTE!!! If you lose your encryption keys, backups will be unrecoverable. {\bf ALWAYS} store a copy of your master keys in a secure, off-site location. +The basic algorithm used for each backup session (Job) is: +\begin{enumerate} +\item The File daemon generates a session key. +\item The FD encrypts that session key via PKE for all recipients (the file +daemon, any master keys). +\item The FD uses that session key to perform symmetric encryption on the data. +\end{enumerate} + + \subsection*{Building Bacula with Encryption Support} \index[general]{Building Bacula with Encryption Support} \addcontentsline{toc}{subsection}{Building Bacula with Encryption Support} diff --git a/docs/manual/supportedoses.tex b/docs/manual/supportedoses.tex index 2142722f..027f1650 100644 --- a/docs/manual/supportedoses.tex +++ b/docs/manual/supportedoses.tex 
@@ -14,24 +14,11 @@ \addcontentsline{toc}{subsection}{Supported Operating Systems} \begin{itemize} -\item Linux systems (built and tested on RedHat Enterprise Linux 3.0). -\item If you have a recent Red Hat Linux system running the 2.4.x kernel and - you have the directory {\bf /lib/tls} installed on your system (normally by - default), bacula will {\bf NOT} run. This is the new pthreads library and it -is defective. You must remove this directory prior to running Bacula, or you -can simply change the name to {\bf /lib/tls-broken}) then you must reboot -your machine (one of the few times Linux must be rebooted). If you are not -able to remove/rename /lib/tls, an alternative is to set the environment -variable "LD\_ASSUME\_KERNEL=2.4.19" prior to executing Bacula. For this -option, you do not need to reboot, and all programs other than Bacula will -continue to use /lib/tls. - -This problem does not occur with 2.6 kernels. - -\item Most flavors of Linux (Gentoo, SuSE, Mandriva, Debian, ...). +\item Linux systems (built and tested on SuSE 10.1). +\item Most flavors of Linux (Gentoo, RedHat, Fedora, Mandriva, Debian, ...). \item Solaris various versions. -\item FreeBSD (tape driver supported in 1.30 -- please see some {\bf - important} considerations in the +\item FreeBSD (tape driver supported in 1.30 -- for FreeBSD older than + version 5.0, please see some {\bf important} considerations in the \ilink{ Tape Modes on FreeBSD}{FreeBSDTapes} section of the Tape Testing chapter of this manual.) \item Windows (Win98/Me, WinNT/2K/XP) Client (File daemon) binaries. 
@@ -40,10 +27,23 @@ This problem does not occur with 2.6 kernels. \item OpenBSD Client (File daemon). \item Irix Client (File daemon). \item Tru64 -\item Bacula is said to work on other systems (AIX, BSDI, HPUX, ...) but we +\item Bacula is said to work on other systems (AIX, BSDI, HPUX, NetBSD, ...) but we do not have first hand knowledge of these systems. -\item RHat 7.2 AS2, AS3, AS4, Fedora Core 2, SuSE SLES 7,8,9 and Debian Woody and Sarge Linux on +\item RHat 7.2 AS2, AS3, AS4, Fedora Core 2,3,4,5, SuSE SLES 7,8,9,10,10.1 and Debian Woody and Sarge Linux on S/390 and Linux on zSeries. \item See the Porting chapter of the Bacula Developer's Guide for information on porting to other systems. - \end{itemize} + +\item If you have a older Red Hat Linux system running the 2.4.x kernel and + you have the directory {\bf /lib/tls} installed on your system (normally by + default), bacula will {\bf NOT} run. This is the new pthreads library and it + is defective. You must remove this directory prior to running Bacula, or you + can simply change the name to {\bf /lib/tls-broken}) then you must reboot + your machine (one of the few times Linux must be rebooted). If you are not + able to remove/rename /lib/tls, an alternative is to set the environment + variable "LD\_ASSUME\_KERNEL=2.4.19" prior to executing Bacula. For this + option, you do not need to reboot, and all programs other than Bacula will + continue to use /lib/tls. +\item The above mentioned {\bf /lib/tls} problem does not occur with 2.6 kernels. + +\end{itemize} diff --git a/docs/manual/tips.tex b/docs/manual/tips.tex index ff127ec2..55287381 100644 --- a/docs/manual/tips.tex +++ b/docs/manual/tips.tex 
@@ -302,7 +302,7 @@ each {\bf Incremental} backup, and the file is totally rewritten during each Note, one disadvantage of writing to an NFS mounted volume as I do is that if the other machine goes down, the OS will wait forever on the fopen() call that Bacula makes. As a consequence, Bacula will completely stall until -the machine exporting the NSF mounts comes back up. A possible solution to this +the machine exporting the NFS mounts comes back up. A possible solution to this problem was provided by Andrew Hilborne, and consists of using the {\bf soft} option instead of the {\bf hard} option when mounting the NFS volume, which is typically done in {\bf /etc/fstab}/. The NFS documentation explains these @@ -325,7 +325,7 @@ output has been partially truncated to fit on the page here: \footnotesize \begin{verbatim} (in the Console program) -*{\bf restore} +*restore First you select one or more JobIds that contain files to be restored. You will then be presented several methods of specifying the JobIds. Then you will be allowed to @@ -337,12 +337,12 @@ To select the JobIds, you have the following choices: 4: Enter SQL list command 5: Select the most recent backup for a client 6: Cancel -Select item: (1-6): {\bf 5} +Select item: (1-6): 5 The defined Client resources are: 1: Minimatou 2: Rufus 3: Timmy -Select Client (File daemon) resource (1-3): {\bf 2} +Select Client (File daemon) resource (1-3): 2 The defined FileSet resources are: 1: Kerns Files Item 1 selected automatically. @@ -360,7 +360,7 @@ You are now entering file selection mode where you add and remove files to be restored. All files are initially added. Enter "done" to leave this mode. cwd is: / -$ {\bf done} +$ done 84 files selected to restore. Run Restore job JobName: kernsrestore 
@@ -370,10 +370,10 @@ FileSet: Kerns Files Client: Rufus Storage: File JobId: *None* -OK to run? (yes/mod/no): {\bf no} -{\bf quit} +OK to run? (yes/mod/no): no +quit (in a shell window) -{\bf cp ../working/restore.bsr /mnt/deuter/files/backup/rufus.bsr} +cp ../working/restore.bsr /mnt/deuter/files/backup/rufus.bsr \end{verbatim} \normalsize @@ -452,12 +452,12 @@ Bacula to append to the tape, you do the following: \footnotesize \begin{verbatim} -{\bf update} +update Update choice: 1: Volume parameters 2: Pool from resource 3: Slots from autochanger -Choose catalog item to update (1-3): {\bf 1} +Choose catalog item to update (1-3): 1 Defined Pools: 1: Default 2: File @@ -467,7 +467,7 @@ Select the Pool (1-2): +-------+---------+--------+---------+-----------+------+----------+------+-----+ | 1 | test01 | DDS-4 | Error | 352427156 | ... | 31536000 | 1 | 0 | +-------+---------+--------+---------+-----------+------+----------+------+-----+ -Enter MediaId or Volume name: {\bf 1} +Enter MediaId or Volume name: 1 \end{verbatim} \normalsize @@ -491,11 +491,11 @@ Parameters to modify: 9: Volume Files 10: Pool 11: Done -Select parameter to modify (1-11): {\bf 9} +Select parameter to modify (1-11): 9 Warning changing Volume Files can result in loss of data on your Volume Current Volume Files is: 10 -Enter new number of Files for Volume: {\bf 11} +Enter new number of Files for Volume: 11 New Volume Files is: 11 Updating Volume "test01" Parameters to modify: @@ -510,7 +510,7 @@ Parameters to modify: 9: Volume Files 10: Pool 11: Done -Select parameter to modify (1-10): {\bf 1} +Select parameter to modify (1-10): 1 \end{verbatim} \normalsize @@ -528,7 +528,7 @@ Possible Values are: 4: Full 5: Used 6: Read-Only -Choose new Volume Status (1-6): {\bf 1} +Choose new Volume Status (1-6): 1 New Volume status is: Append Updating Volume "test01" Parameters to modify: 
@@ -543,7 +543,7 @@ Parameters to modify: 9: Volume Files 10: Pool 11: Done -Select parameter to modify (1-11): {\bf 11} +Select parameter to modify (1-11): 11 Selection done. \end{verbatim} \normalsize @@ -721,7 +721,7 @@ start by doing a {\bf list volumes} in the Console program: \footnotesize \begin{verbatim} -{\bf list volumes} +list volumes Using default Catalog name=BackupDB DB=bacula Pool: Default diff --git a/docs/manual/version.tex b/docs/manual/version.tex index e7b01c69..883b54e2 100644 --- a/docs/manual/version.tex +++ b/docs/manual/version.tex @@ -1 +1 @@ -1.39.23 (28 September 2006) +1.39.25 (08 October 2006) -- 2.39.5
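Review bot: In the rewritten \item of docs/manual/dataencryption.tex (hunk @@ -16,14 +16,15), the closing sentence says the worst effect is that "you can no longer connect the File daemon", which conflicts with the same item's statement that a restore can "force later backups to be made with a compromised key and/or with no encryption at all". Either drop that sentence or say which scenario it applies to. The added text also contains a doubled word ("not not changing") and should read "connect to the File daemon". The removed advice about not backing up the encryption keys with Bacula and keeping the File daemon keys backed up off-site has no replacement in the new wording; if that is intentional, the commit message should say why.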
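Review bot: The new enumerate in docs/manual/dataencryption.tex (hunk @@ -54,6 +55,15) uses "PKE" without expanding it, and names the same component three ways ("File daemon", "FD", "file daemon") within three items. Spell out "public key encryption (PKE)" on first use and pick one name. The steps also stop before saying where the encrypted session key is kept, which is what a reader needs in order to connect this list to the NOTE just above it about lost keys making backups unrecoverable; one more item would cover that. The hunk also adds two consecutive blank lines before \subsection*, where one is enough.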
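Review bot: In the relocated /lib/tls item of docs/manual/supportedoses.tex (hunk @@ -40,10 +27,23), "recent" became "older" but the next sentence still reads "This is the new pthreads library", so the item now describes an older system with a new library; reword one of the two. "a older" should be "an older", and "{\bf /lib/tls-broken})" still carries an unmatched closing parenthesis. Since the caveat now sits after the Porting pointer at the end of a list of supported systems, consider moving it into a paragraph after \end{itemize} so that "The above mentioned" has a clear referent.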
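Review bot: In docs/manual/tips.tex hunk @@ -302,7, the context line two lines below the NSF/NFS fix still reads "{\bf /etc/fstab}/" with a stray trailing slash; it is worth fixing in the same pass since this paragraph is already being touched.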
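Review bot: With the {\bf ...} wrappers gone from the verbatim transcripts in docs/manual/tips.tex (starting at "*restore" in hunk @@ -325,7 and continuing through "list volumes" in hunk @@ -721,7), nothing distinguishes what the user types from what the program prints, for example in "Select item: (1-6): 5" or "$ done". Add a sentence before each transcript listing the typed responses, or use a verbatim environment that permits emphasis, so the reader can still follow the procedure step by step.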
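Review bot: The changed prompt in docs/manual/tips.tex hunk @@ -510,7 reads "Select parameter to modify (1-10): 1", while the menu above it ends at "11: Done" and the other two prompts in the same session (hunks @@ -491,11 and @@ -543,7) read "(1-11)". Since the line is being edited anyway, make the range consistent, or confirm that it is copied verbatim from the program output.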