View Issue Details

Related ChangesetsJump to NotesJump to History
IDProjectCategoryView StatusDate SubmittedLast Update
0000290bareos-corestorage daemonpublic2014-05-01 20:312015-03-25 19:19
Reporteraef Assigned To 
PrioritynormalSeveritymajorReproducibilityalways
Status closedResolutionfixed 
Platformx86_64OSDebian GNU/LinuxOS Version7.x "Wheezy"
Product Version13.2.2 
Summary0000290: Storage to storage copy jobs don't work with TLS enabled.
DescriptionBasically, I can't find a way in which the two storage daemons actually start a TLS session to talk to each other. They just authenticate each other via CRAM-MD5 and are afterwards stuck forever.

Here's what I already wrote in my post titled "Storage to storage copy stuck without error message" on the bareos-users mailing list:

I intend to switch my small Bacula setup to Bareos because of the
addition of the storage to storage copy jobs. After backing up on a
local network I want to copy the data to an off-site location. All my
Bareos components are talking to each other through TLS. I set up a
test, but I can't get the copy job to actually work. After a copy job is
started, the two storage daemons seem to authenticate each other and
then absolutely nothing happens anymore. I'll post my configuration in
hope of advice how to make it run.

The machine Alpha is the backup server including the Bareos director and
on-site storage daemon. Beta is a system to be backed up and therefore
includes a Bareos file daemon. Gamma is supposed to be the off-site
backup storage consists of yet another Bareos storage daemon. The
configurations for all the systems and debug log files for both storage
daemons just after the copy job is executed on the director are attached
to this mail. Note that some sections have been anonymized for privacy
and secrity reasons.

After a lot of work testing different scenarios, the only way I found so
far to make storage to storage copy jobs work at all is to completely
disable TLS in the storage resource of both storage daemons taking part
in the copy job. If you do that it works as described.

The things I tried included different approaches to CA Certificate
directives, disabling IPv6, using all kinds of different jobs to be
copied and probably some more mutations of my setup.

Transport security is an absolute necessity for my backups and therefore
this renders storage to storage copy jobs completely useless to me.

So is this expected not to work with TLS? Why isn't that mentioned
anywhere? Will this be fixed? As Bacula recently announced the storage
to storage copy feature as well, do they use the same code with the same
limitations?
Steps To ReproduceSee attached configuration.
TagsNo tags attached.

Activities

mvwieringen

mvwieringen

2014-05-01 22:56

developer  

alpha-bareos-dir.conf (3,475 bytes)
mvwieringen

mvwieringen

2014-05-01 22:56

developer  

alpha-bareos-sd.conf (1,574 bytes)
mvwieringen

mvwieringen

2014-05-01 22:57

developer  

beta-bareos-fd.conf (1,259 bytes)
mvwieringen

mvwieringen

2014-05-01 22:57

developer  

gamma-bareos-sd.conf (1,163 bytes)
mvwieringen

mvwieringen

2014-05-01 23:02

developer  

alpha-baros-sd.log (4,730 bytes)
mvwieringen

mvwieringen

2014-05-01 23:02

developer  

gamma-baros-sd.log (5,616 bytes)
mvwieringen

mvwieringen

2014-05-01 23:05

developer   ~0000844

So cleaned up the bug report to have the configs and logs just as multiple
attachments.
mvwieringen

mvwieringen

2014-05-01 23:09

developer   ~0000845

TLS is just not a tested setup with this particular Job type. So I think we
just have a subtle bug somewhere in the TLS handshake get the feeling either
both are thinking they are the server and one must act as client.

As to how bacula implemented their SD-SD replication no idea don't really
keep track of what happens there. Might work might not. Not that we also care
as it should work here and we hope to fix this subtle bug soon if we figure
out what is the actual problem and what is the obvious fix.
mvwieringen

mvwieringen

2014-05-02 13:34

developer   ~0000846

Fix committed to bareos playground branch with changesetid 1707.
mvwieringen

mvwieringen

2014-05-08 12:43

developer   ~0000848

Fix committed to bareos master branch with changesetid 1744.
mvwieringen

mvwieringen

2014-05-10 20:55

developer   ~0000854

Fix committed to bareos master branch with changesetid 1751.
mvwieringen

mvwieringen

2015-03-25 16:51

developer   ~0001472

Fix committed to bareos2015 bareos-14.2 branch with changesetid 4795.
joergs

joergs

2015-03-25 19:19

developer   ~0001621

Due to the reimport of the Github repository to bugs.bareos.org, the status of some tickets have been changed. These tickets will be closed again.
Sorry for the noise.

Related Changesets

bareos: playground 4c216c2b

2014-05-02 09:55

mvwieringen

Ported: N/A

Details Diff		 Storage to storage copy jobs don't work with TLS.

When both SDs think they are a TLS server the handshake will never be a
success. Now changed the code to use the initiate variable we have which
we already use to know who starts the challenge protocol. That way we
get one TLS server and one TLS client which should work much better.

Fixes 0000290: Storage to storage copy jobs don't work with TLS enabled.		 Affected Issues
0000290
mod - src/dird/authenticate.c Diff File
mod - src/filed/authenticate.c Diff File
mod - src/lib/bnet.c Diff File
mod - src/stored/authenticate.c Diff File

bareos: master de7e0d87

2014-05-02 09:55

mvwieringen

Ported: N/A

Details Diff		 Storage to storage copy jobs don't work with TLS.

When both SDs think they are a TLS server the handshake will never be a
success. Now changed the code to use the initiate variable we have which
we already use to know who starts the challenge protocol. That way we
get one TLS server and one TLS client which should work much better.

Fixes 0000290: Storage to storage copy jobs don't work with TLS enabled.		 Affected Issues
0000290
mod - src/dird/authenticate.c Diff File
mod - src/filed/authenticate.c Diff File
mod - src/lib/bnet.c Diff File
mod - src/stored/authenticate.c Diff File

bareos2015: bareos-14.2 f80fc018

2014-05-02 11:55

mvwieringen

Ported: N/A

Details Diff		 Storage to storage copy jobs don't work with TLS.

When both SDs think they are a TLS server the handshake will never be a
success. Now changed the code to use the initiate variable we have which
we already use to know who starts the challenge protocol. That way we
get one TLS server and one TLS client which should work much better.

Fixes 0000290: Storage to storage copy jobs don't work with TLS enabled.		 Affected Issues
0000290
mod - src/dird/authenticate.c Diff File
mod - src/filed/authenticate.c Diff File
mod - src/lib/bnet.c Diff File
mod - src/stored/authenticate.c Diff File

bareos2015: bareos-14.2 696b6cd9

2014-05-10 22:45

mvwieringen

Ported: N/A

Details Diff		 Don't show unauthorized schedules/jobs in status scheduler.

Fixes 0000290: Error in bconsole-ACL		 Affected Issues
0000290
mod - src/dird/ua_status.c Diff File

Issue History

Date Modified Username Field Change
2014-05-01 20:31 aef New Issue
2014-05-01 22:56 mvwieringen File Added: alpha-bareos-dir.conf
2014-05-01 22:56 mvwieringen File Added: alpha-bareos-sd.conf
2014-05-01 22:57 mvwieringen File Added: beta-bareos-fd.conf
2014-05-01 22:57 mvwieringen File Added: gamma-bareos-sd.conf
2014-05-01 22:58 mvwieringen Additional Information Updated
2014-05-01 23:02 mvwieringen File Added: alpha-baros-sd.log
2014-05-01 23:02 mvwieringen File Added: gamma-baros-sd.log
2014-05-01 23:03 mvwieringen Additional Information Updated
2014-05-01 23:05 mvwieringen Note Added: 0000844
2014-05-01 23:09 mvwieringen Note Added: 0000845
2014-05-01 23:09 mvwieringen Assigned To => mvwieringen
2014-05-01 23:09 mvwieringen Status new => feedback
2014-05-02 13:34 mvwieringen Changeset attached => bareos playground 4c216c2b
2014-05-02 13:34 mvwieringen Note Added: 0000846
2014-05-02 13:34 mvwieringen Status feedback => resolved
2014-05-02 13:34 mvwieringen Resolution open => fixed
2014-05-08 12:43 mvwieringen Changeset attached => bareos master de7e0d87
2014-05-08 12:43 mvwieringen Note Added: 0000848
2014-05-10 20:55 mvwieringen Changeset attached => bareos master fa247360
2014-05-10 20:55 mvwieringen Note Added: 0000854
2014-05-10 20:57 mvwieringen Changeset removed bareos master fa247360 =>
2014-10-20 17:01 mvwieringen Status resolved => closed
2014-10-20 17:01 mvwieringen Assigned To mvwieringen =>
2015-03-25 16:51 mvwieringen Changeset attached => bareos2015 bareos-14.2 696b6cd9
2015-03-25 16:51 mvwieringen Changeset attached => bareos2015 bareos-14.2 f80fc018
2015-03-25 16:51 mvwieringen Note Added: 0001472
2015-03-25 16:51 mvwieringen Status closed => resolved
2015-03-25 19:19 joergs Note Added: 0001621
2015-03-25 19:19 joergs Status resolved => closed