Bacula TLS 协商失败

Bacula TLS 协商失败

Bacula 出现问题:Director 和存储位于同一台主机 (...151),客户端位于另一台主机 (...139)。我在 Director 和客户端之间并未使用 TLS/SSL,但运行作业时仍然出现错误。如何修复?

bconsole 消息

Error: openssl.c:81 Connect failure: ERR=error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter
Fatal error: TLS negotiation failed with FD at "10.7.0.139:9102"
Error: getmsg.c:217 Malformed message: [TLS negotiation failed with DIR at "10.7.0.151:9102"]
Warning: Unexpected Client Job message: 2999 Authentication failed.

bconsole 中 status client 命令的输出

Automatically selected Storage: bacula0-storage
Connecting to Storage bacula0-storage at 10.7.0.151:9103
Connecting to Client Bacula_F13-fd at 10.7.0.139:9102
Failed to connect to Client.

Bacula-dir.conf

    # Director resource: name, listening port/address and working paths of the Director daemon.
    Director {                                                          
      Name = bacula0-dir
      DIRport = 9101
      QueryFile = "/usr/local/share/bacula/query.sql"
      WorkingDirectory = "/var/db/bacula"
      PidDirectory = "/var/run"
      Maximum Concurrent Jobs = 2
      # NOTE(review): this is the same literal as the Password of the bacula0-mon
      # Console resource on this page; give each resource its own long random secret.
      Password = "console-pass"                                         
      Messages = Daemon
      DirAddress = 10.7.0.151
    }
    
    # Catalog resource: database connection the Director uses for its catalog.
    Catalog {                           
      Name = MyCatalog
      # NOTE(review): dbpassword is a three-digit literal stored in clear text. Use a long
      # random value and keep this file readable only by the account the Director runs as.
      dbname = "bacula"; dbuser = "bacula"; dbpassword = "999"; dbport=5432; dbaddress = 127.0.0.1;
    }
    
    # Console resource: a named console whose allowed commands are limited by CommandACL.
    Console {                                   
      Name = bacula0-mon
      Password = "console-pass"
      # Only the status and .status commands are listed for this console.
      CommandACL = status, .status
    }
##########Client_configuration##############################
# Client resource: how the Director reaches the File Daemon at 10.7.0.139:9102.
Client {                   
      Name = Bacula_F13-fd
      Address = 10.7.0.139
      FDPort = 9102
      Catalog = MyCatalog
      # NOTE(review): spelled "cleint_..." here, while the Director resource in the client's
      # bacula-fd.conf on this page has "client_Bacula_F13". The two values must be identical;
      # the first answer on this page attributes the reported failure to this mismatch.
      Password = "cleint_Bacula_F13"           # password for FileDaemon
      File Retention = 60 days                 # 60 days
      Job Retention = 6 months                 # six months
      AutoPrune = yes                          # Prune expired Jobs/Files
      # TLS is switched off for this client, so the Director <-> File Daemon
      # connection is not protected by TLS.
      TLS Enable = no
      TLS Require = no
      TLS Verify Peer = no
    }
    
    # Storage resource: the Storage Daemon the Director sends jobs to (10.7.0.151:9103).
    Storage {
      # NOTE(review): the bconsole status output on this page selects "bacula0-storage",
      # which is a different name from this resource; that resource is not shown here.
      Name = bacula0-storage2  
      Address = 10.7.0.151                     # N.B. Use a fully qualified name here
      SDPort = 9103
      # Presumably has to match the Director password in the Storage Daemon's own
      # configuration, which is not shown on this page; verify there.
      Password = "device-pass"
      Device = DISK3
      Media Type = FileXXXx
    }
    
    # Pool resource: the set of Volumes used by the backup and restore jobs on this page.
    Pool {                     
      Name = File_pool_for_Bacula_F11
      Pool Type = Backup
      Recycle = yes                            # Bacula can automatically recycle Volumes
      AutoPrune = yes                          # Prune expired volumes
      Volume Retention = 2 hours 15 min        # 2 h 15 min; the original comment said "one year", which does not match the value
      Maximum Volumes = 4
      Maximum Volume Jobs = 7 
      Maximum Volume Bytes = 1G                         # Limit Volume size to something reasonable
      Label Format = "F11_HoursIncre-"                          # Auto label
    }
    # Backup job: Full-level backup of FileSet "Configfile Set" from client Bacula_F13-fd
    # to storage bacula0-storage2, using pool File_pool_for_Bacula_F11.
    # The FileSet and Schedule resources it names are not shown on this page.
    Job {                                                                                                                           
     Name = "Backup_configfiles_Bacula_F13"
     Type = Backup
     Client = Bacula_F13-fd
     Storage = bacula0-storage2
     Messages = Standard
     Pool = File_pool_for_Bacula_F11
     Level = Full
     FileSet = "Configfile Set"
     Schedule = "WeeklyCycle"
     Write Bootstrap = "/var/db/bacula/%n.bsr"
     Priority = 11                                      
    }
    
    # Restore job for the same client, storage, FileSet and pool; restored files are
    # written under the path given in Where.
    Job {                                                
      Name = "Restore_configfiles_Bacula_F13"
      Type = Restore
      Client = Bacula_F13-fd
      Storage = bacula0-storage2
      FileSet="Configfile Set"
      Pool = File_pool_for_Bacula_F11
      Messages = Standard
      Where = /backup/Bacula_F13_configfile_re
    }

Bacula-fd.conf

# FileDaemon resource: identity and listening settings of the File Daemon (the backup client).
FileDaemon {                          
  Name = Bacula_F13-fd
  FDport = 9102                 
  WorkingDirectory = /var/db/bacula
  Pid Directory = /var/run
  Maximum Concurrent Jobs = 20
  Plugin Directory = /usr/local/lib
  FDAddress = 10.7.0.139
  CommCompression = no
  # TLS is switched off on the File Daemon side as well.
  TLS Enable = no
  TLS Require = no
}

# Messages resource: sends every message type except skipped, restored and saved
# to the Director named bacula0-dir.
Messages {
  Name = Standard
  director = bacula0-dir = all, !skipped, !restored, !saved
}

Bacula-fd.conf(远程主机客户端)

# List Directors who are permitted to contact this File daemon
Director {
  Name = bacula0-dir
  # This is the secret the Director must present. It has to be identical to the
  # Password in the matching Client resource of bacula-dir.conf; on this page that
  # resource has "cleint_Bacula_F13", which differs from the value below.
  Password = "client_Bacula_F13"
#  Address = 10.7.0.151
#  Connect To Director = yes
  # TLS is switched off for connections from this Director.
  TLS Enable = no
  TLS Require = no
  TLS Verify Peer = no
}

# FileDaemon resource of the remote client: its name, listening address/port and working paths.
FileDaemon {                          # this is me
  Name = Bacula_F13-fd
  FDport = 9102                  # where we listen for the director
  WorkingDirectory = /var/db/bacula
  Pid Directory = /var/run
  Maximum Concurrent Jobs = 20
  Plugin Directory = /usr/local/lib
  FDAddress = 10.7.0.139
  CommCompression = no
  # TLS is switched off on this File Daemon.
  TLS Enable = no
  TLS Require = no
}

# Send all messages except skipped, restored and saved files back to the Director
Messages {
  Name = Standard
  director = bacula0-dir = all, !skipped, !restored, !saved
}

答案1

当客户端(File Daemon)和 Director 之间的密码不匹配时,即使您没有配置 TLS,也会出现此错误。

您的配置中有拼写错误:两处 Password 的值不一致("cleint" 与 "client"),而这两个值必须完全相同。

bacula-dir.conf: Password = "cleint_Bacula_F13"

bacula-fd.conf: Password = "client_Bacula_F13"

答案2

在将 Bacula 从 9 升级到 13(以及将 Baculum 从 9 升级到 11)时,我在尝试访问 Web 界面(即 Baculum)时收到此错误。值得注意的是,尽管如此,我还是能够从命令行打开 bconsole,没有任何明显问题——我认为如果 Bacula 本身的密码不匹配,这将失败。以下是我用来调试它的步骤:

  1. 我确保 /opt/bacula/etc/ 目录中所有文件的密码都相同。(就我而言,我认为我用的都是默认设置。)
  2. 我做了一堆无果的调试。
  3. 我最终像这样编辑了 /etc/baculum/Config-api-apache/api.conf:
# ...
# [bconsole] section of the Baculum API configuration: which bconsole binary and
# which bconsole.conf the API uses.
[bconsole]
enabled = "1"
bin_path = "/usr/sbin/bconsole"
### cfg_path = "/etc/bacula/bconsole.conf" # Old line
# Point cfg_path at the bconsole.conf of the installation that is actually running;
# per the answer, the old path held a configuration with different passwords.
cfg_path = "/opt/bacula/etc/bconsole.conf" # New line
# ...

此后还有其他几行也引用了/etc/bacula,我也对其进行了修改。

换句话说,问题在于 Baculum 读取的是原始安装位置 /etc/bacula/ 中的旧 Bacula 配置文件(其中的密码不同),而不是新位置 /opt/bacula/ 中的新配置文件。
