• Passwords
• Storage Devices
• Certificates (if you are using Encryption)

Well, over the past few week’s I’ve been able to work around this problem by storing additional information in a CouchDB DB.

It is not the ideal solution, but it is a start and I’m okay with that. I should also warn you, I do HORRIBLE things here with Bash and JSON. Since Bash doesn’t know about JSON, I rely upon awk. I know, I know, I should re-write all of this in a nice new language like Python or Ruby…

First thing is first, I had to create a new database:

$ curl -kX PUT https://puppet.bayphoto.local/bacula_meta
{"ok":true}

I’m not going to worry about that name, to me it is a database that contains some metadata of our clients.

My client creation tool that I posted in my previous Bacula article has been updated to do a little bit more. Aside from no longer using TEMPLATE files, I’ve added some additional code to push a few details into this new bacula_meta database. Here is my “write_json” function:

# Some NEW Variables:
export COUCH_SERVER="https://puppet.bayphoto.local"
export DB="bacula_meta"
export CERTDIR="$BDIR/certs"
 
write_json()
{
   curl -H "Content-Type: application/json" -kX PUT -d '{ "_id": "'${HOSTNAME}'","passhash": "'${PASSHASH}'" }' $COUCH_SERVER/$DB/$HOSTNAME
}

The document I create is simple, it is named after the short hostname of the client added to backups, and for this first run we store that and the password.

The “main” function of the script first tests to see if a document in the bacula_meta db exists, and if not it will create a new client. If it does exist, you can either continue and re-create the bacula client’s configuration, or quite:

TEST=`curl -k -s -X GET $COUCH_SERVER/$DB/$HOSTNAME`
if [[ $TEST == *not_found* ]]
then
       # Generate a bacula password.
       export PASSHASH=`dd if=/dev/random bs=6 count=4 2>/dev/null | openssl base64`
 
       # This is the actual .conf configuration
       print_client_conf
 
       # Create a new client document in $DB
       write_json
 
       # Create SSL key-pair
       create_keys
 
       # Adding the client .conf file for the director to source.
       echo \@$BDIR/clients.d/$HOSTNAME.conf >> $BDIR/clients.conf
 
       echo 'created client definition: '$BDIR/clients.d/$HOSTNAME.conf
       echo 'for '$HOSTNAME
else
       echo 'client '$HOSTNAME 'already exists.'
       echo 'Do you want to override the current configuration for:'
       echo '      '$HOSTNAME
       read -p "[y/N] " prompt
       prompt=${prompt,,}
       if [[ $prompt =~ ^(yes|y)$ ]]
       then
               # if we choose to override, a new client conf will be generated and added and commited.
 
               # Lets re-obtain our stored client password first
               export PASSHASH=`curl -k  -X GET $COUCH_SERVER/$DB/$HOSTNAME | awk -F: 'gsub("{|}","") { print $5 }'`
 
               # print out a new cliend.conf
               print_client_conf
 
               # Push the clients key-pair back to couchdb       
               curl -k -X PUT $COUCH_SERVER/$DB/$HOSTNAME/$FQDN-fd.pem?rev=$DOC_REV --data-binary @$CERTDIR/$FQDN-fd.pem  -H "Content-Type: application/octet-stream"
 
                grep -w $HOSTNAME $BDIR/clients.conf
                if [ $? -eq 0 ]
                then
                        echo 'client '$HOSTNAME 'already exists...'
                else
                        echo \@$BDIR/clients.d/$HOSTNAME.conf >> $BDIR/clients.conf
                fi
 
       else
               echo "Ok, no clients were modified or added!"
       fi
fi

The other addition was a create_keys function. Our clients encrypt their data to the storage node (we send some backup volumes to S3 storage, which is over http and not stored in any sort of encrypted format), and we needed a decent way to distribute the keys (using Puppet…).

This was difficult for me to do. What I failed to understand about adding attachments to CouchDB is you have to reference the current document _rev, and after a LOT of trial and error I finally got it. The DOC_REV variable grabs the current documents revision:

DOC_REV=`curl -k -s -X GET $COUCH_SERVER/$DB/$HOSTNAME | awk -F ':|"' '{ print $10}'`

Which is then used when I actually PUT the file in there:

curl -k -X PUT $COUCH_SERVER/$DB/$HOSTNAME/$CN-fd.pem?rev=$DOC_REV --data-binary @${CERTDIR}/$CN-fd.pem  -H "Content-Type: application/octet-stream"

create_keys()
{
  DOC_REV=`curl -k -s -X GET $COUCH_SERVER/$DB/$HOSTNAME | awk -F ':|"' '{ print $10}'`
  C="US"
  ST="California"
  L="Santa Cruz"
  O="Bay Photo Lab"
  OU="IT"
  CN="${HOSTNAME}.bayphoto.local"
  EMAIL="bayit@bayphoto.com"
 
openssl genrsa -out ${CERTDIR}/${CN}.key 2048
openssl req -new -key ${CERTDIR}/${CN}.key -x509 -out ${CERTDIR}/${CN}.cert <<EOF
${C}
${ST}
${L}
${O}
${OU}
${CN}
$EMAIL
EOF
echo ""
 
cat ${CERTDIR}/${CN}.key ${CERTDIR}/${CN}.cert > ${CERTDIR}/${CN}-fd.pem
 
curl -k -X PUT $COUCH_SERVER/$DB/$HOSTNAME/$CN-fd.pem?rev=$DOC_REV --data-binary @${CERTDIR}/$CN-fd.pem  -H "Content-Type: application/octet-stream"
}

So what does adding a new client look like using this updated tool?

# ./cclient.bash -s Standard -h client-a
INSERT 0 1
{"ok":true,"id":"client-a","rev":"1-0841684988ec85c6d2b16cb941a739ac"}
Generating RSA private key, 2048 bit long modulus
..............................................................+++
..............+++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:State or Province Name (full name) [Some-State]:Locality Name (eg, city) []:Organization Name (eg, company) [Internet Widgits Pty Ltd]:Organizational Unit Name (eg, section) []:Common Name (eg, YOUR name) []:Email Address []:
{"ok":true,"id":"client-a","rev":"2-21d4e7bc019c2176dfa2583b320387ab"}
created client definition: /usr/local/etc/bacula/clients.d/client-a.conf
for client-a

And my new record in CouchDB has all the right data:

curl -kX GET https://puppet.bayphoto.local/bacula_meta/client-a
{"_id":"client-a","_rev":"2-21d4e7bc019c2176dfa2583b320387ab","hostname":"client-a","passhash":"y9WBgacrd8JbZjrefeZHKbPk9Kda5UQc","_attachments":{"client-a.bayphoto.local-fd.pem":{"content_type":"application/octet-stream","revpos":2,"digest":"md5-kqi8ODloPxT6D6IxZbCoVg==","length":3411,"stub":true}}}

Thats ugly… how about a nice screenshot!

Now that we have the Bacula tool pushing passwords and and certificates, we need to get Puppet to pull the data.

I found a github project called couchdblookup:
https://github.com/camptocamp/puppet-couchdb/blob/master/lib/puppet/parser/functions/couchdblookup.rb

I placed that couchdblookup.rb file into one of my Puppet modules (etc/puppet/environments/production/bacula/lib/puppet/parser/functions/couchdblookup.rb), and created a bacula::fd::cert class:

 
class bacula::fd::cert inherits bacula::fd {
 
  # Pull bacula client password from our
  # CouchDB server
  $couchdb_bind_address = "puppet.bayphoto.local"
  $couchdb_port = "5984"
  $couchdb_base_url = "https://${couchdb_bind_address}:${couchdb_port}"
  $bacula_meta = "${couchdb_base_url}/bacula_meta/${hostname}"
  $bacula_fd_cert = "${couchdb_base_url}/bacula_meta/${hostname}/${fqdn}-fd.pem"
 
  $bacula_fd_passhash = couchdblookup($bacula_meta, "passhash")
 
  file { "master.cert":
    name    => $operatingsystem ? {
      FreeBSD  => "/usr/local/etc/bacula/certs/master.cert",
      windows  => "C:\Program Files\Bacula\master.cert",
      default  => "/etc/bacula/certs/master.cert",
    },
    owner   => 0,
    mode    => 0640,
    source  => "puppet:///bacula/master.cert",
  }
 
  exec { "fd.cert":
    path    => ["/usr/bin","/usr/local/bin","/bin","/sbin","/usr/sbin","/usr/local/sbin","/usr/local/libexec","/usr/libexec"],
    command => $operatingsystem ? {
      FreeBSD  => "fetch -o /usr/local/etc/bacula/certs/${fqdn}-fd.pem $bacula_fd_cert",
      windows  => "C:/scripts/curl.exe -sk $bacula_fd_cert -o \"\Program Files\Bacula\\${::fqdn}-fd.pem\"",
      default  => "curl -sk $bacula_fd_cert -o /etc/bacula/certs/${fqdn}-fd.pem",
    },
  }
 
}

As you can see, I’m also working on getting Windows systems into our Puppet environment.

It is incredibly immature right now, and Windows lacks a lot of tools I take for granted. It would make my life a lot easier if Microsoft just tool all the BSD licensed userland tools like diff, fetch (or curl), md5, ssh, etc… to make my Puppet automation easier. You NEED diff.exe to use Puppet on windows, otherwise templating won’t work.

Aside from the windows side of things being a pain, this has been working out well enough.

From one Lab to another

After 9.5 years with one employer (LLNL), I joined Bay Photo Lab in Santa Cruz.

This has brought on many changes, not just a career change but a significant change in my way of life.

First off, I’m renting a room until my family gets down here. I have this weird double life now, where during the week I live alone in a small room with no heating, and then I go back home on the weekend. Not seeing the kids is the hardest part. We typically do a video chat on Wednesday nights, but when I come home Owen is usually a little stand-offish and Caralyne is unhappy during the week (especially when I have to leave). Its sad.

Here was the bathroom in my place for the first week. As in, I did not have one.

Like a kid fresh out of his parents home, I have to do things like laundry, and all of my own dishes.

I'm in no hurry to hurry back

My commute is significantly different. I drive a lot less during the week, I’m about 3 miles from work. Some days I choose to walk, and other days I’ll drive in after jogging back home during lunch. It is pretty awesome, it has been 12 years since I have lived and worked in the same place.

Let’s talk about Bay Photo. I had a slight idea of what they did when I initially interviewed with them IT team here (Rob and Patrick), and I did some simple Google-ing. However, after working here for two months, it is incredibly impressive how much they do and how great the people are here.

Bay Photo Lab has a nice small company feel to it, and it is inCREDIBLY friendly here. People are pretty passionate about the work they do here, and so is the IT team here.

This has been really awesome, as passion (and really, it should be called “the desire to do the right thing”) was something LLNL did not reward or encourage.

Rob, my counterpart here, has been essentially on his own and he has a lot of great ideas that I can help him implement. We both really love technology and open source, so we hardly have to bring each other up to speed. I no longer have to talk until I’m blue in the face to extol the virtues of FreeBSD, Puppet, Bacula, Wiki’s, Git, code management tools, etc… they are accepted as a matter of fact. I’m also allowed to run whatever OS I want for whatever reason. Rob and I were talking about DragonflyBSD’s HAMMER filesystem, and how we are both just looking for an excuse to use it.

I couldn’t even afford to entertain that though while at LLNL. It was hard enough getting OS’s approved, because it was never about technical merit, and the thought of trying to defend yet another OS was enough to prevent me from using it.

Work has been rewarding, and I can honestly say that I’ve never worked harder at a job that before. I’ve refined my workflow a bit, and with the help of my friend Steve, I’ve been shown how to use JIRA and FishEye to keep track of my projects. Now when I come in to work, I don’t have to sit here and think about where I was yesterday, I an just pull up my project page and review my tasks.

I also now have somewhat of a social life, which is pretty exciting! Tuesday nights I drive to Monterey and have dinner with Glenn and Erin:

Glenn and Eric cookin' in the kitchen

Delicious pizza!

We have dinner, converse, and then we bust out the instruments. I had to drop my music class at DVC, but having someone to be musical with is very fulfilling. No tour dates or T-Shirts just yet, but we have a great time. I’m looking forward to getting my gear down here so we can get really crazy

I also get to see Steve and Summer a whole lot more, and we typically meet up on Thursday nights. It will be nice when I’m finally moved down in the area so we can do that on the weekend, have a BBQ or something.

Well, that about sums up the last two months I’ve been here. I’ll be moving to Felton in the beginning of the month, so more after that!

Coal was the dog I dreamed of having; he was the combination of all the Aussies I’ve had growing up.

He was the best. That dog never seemed to have a down moment. He was always happy, and always looking for trouble. I also felt like he was an extension to me, but I suspect that is me projecting my own personality on him. Lets be honest, he wasn’t an extension of me, he was better than me. He was me and more. Filled with unconditional love and never had a bad day, a temper tantrum, and a moment of self-involved narcissism. I was lucky to be with him.

I’ve always had an Australian Shepard; Max, Buddy, and then my parents both had Shasta and Happy. I loved their energy, friendliness, how expressive they seemed to be with their eyes. Even the ridiculous smile, which they always greeted me with.

They all lived to a average and predictable age (Shasta is still going strong) and I was prepared for their natural deaths. Over the years, both of my parents have gotten Aussie’s, and I’ve loved them too. I couldn’t be happier when I would visit and show them all the affection I could.

Not Coal. I’m not prepared to accept that he is gone, it still hasn’t fully processed yet. I keep looking at this pictures and even though I get upset, I still think that I’ll see him when I get home. Or when I look in the backyard, I expect to see him up to his usual shenanigans.

I didn’t get enough time with him, and I’m mad that I let him out early that morning instead of just keeping him in the house. I know that he just had it in him to escape and run around. He loved it, he loved exploring and being free, and that was noticeable when we first got him and he tried to escape the backyard.

His attempts to escape got really bad after Zoey died. It seemed that having her around helped ground him, especially when he got scared from loud noises like fireworks or gun shots. We knew we wanted to get out of Antioch for the kids, but when Coal started getting scared and trying to take off if we were not home, I knew he needed to move to a safer place as well. I just thought if he could make it until we moved, he would be happier and better off.

He just kept getting out though, and he got lucky every time. People would find him and bring him home to us, and I’d give them what ever I could to show my appreciation. He’d be happier than ever that he got to run around and then get delivered back to us, and it was concerning to me that he never came home on his own. That night I closed up where I noticed he had escaped from

I’m so sad that I didn’t get him to Santa Cruz, and that I wont get to hug him, kick the soccer ball around with him, go on walks, watch him sleep, kiss his cute snout with that black button nose. I’m going to miss him terribly.

I’ve shared an album on Picasa, please enjoy:

Coal

Goodbye Coal, I’m so sorry I couldn’t keep you safe. This is how I’ll always remember the two of us.

Well, after about 9 and a half years with Lawrence Livermore National Laboratory 11/09 was my last day. Now, I wasn’t the only admin besides Jenny (thats the aquilino1@llnl.gov email you see there), but she was my closest friend and peer while I was there. There was a little poetic license there, but it was accurate.

It is hard to quantify the emotions about leaving LLNL. I do not know if I have the appropriate words to describe the feeling.

How about this:

Remember when you left the comfortable confines of high school? That microcosm was your entire world. You had spend the majority of your adolescent life being a part of that world; your friends, you responsibilities, and learning that environment. When you left high school, it was sort of scary, and it was hard to imagine how things would be after leaving high school. The only certainty was the regiment of “work” that you learned in school would continue on (hopefully to college).

Its a big scary world out there, and when you are “institutionalized” you may not want to leave even if it is time.

This is where I am at. It was time for me to forge a new path in my career, and I was starting to feel a little confined by the Lab’s philosophy of what I.T. is. I was also feeling a bit over-specialized. Not in what I specifically do, which is *NIX Administration, but things that only a national lab has to deal with. That is a bit more complicated, so despite the fact that I could have made a lifetime out of LLNL, I was not getting the fulfillment I require. I look for technical challenges, not inter-personally communication challenges.

Like high school, I will keep some of the friends I had made there. Also like high school, I will soon find myself in a different environment where my vantage point and perspective will be force to change and adapt to the new culture. There is nothing wrong with that as long as I continue to have a healthy respect for the past, it is after-all what brought me here.

Most importantly, I will have my anchor: the “work”. The core of my skill set may be re-balanced for the new job, but it will not fundamentally change and I am happy to accept that.

So far, after two full days have gone by, I’m pretty excited about the growing list of projects and tasks that we are facing. Renting in a shared house with two other room mates isn’t so awesome though, I’ll be a full fledged germaphobe (mysophobia) in no time. I clean my dishes but I sort of freak out of my sponge touches anything else but my dish.

Here is to new adventures!

The City only publishes this as a PDF image, comparing the year selected, and the previous year. It also only goes back to 2005.

To help view this as a possible trend, and not just a snapshot in time, I typed up all of them in Google Docs – City of Antioch Crime Stats

It does some some improvement after a few years of growth, it is still however an order of magnitude worse than other cities in California.

According to Homesurfer.com’s Crime report, even the Sister city to Antioch, Pittsburg had 323 per 100,000 “incidents” in one year (2008). While Antioch had 869 per 100,000.

Compare that to places like Moraga which had 35 incidents per 100,000 or heck, even Oakley’s 248, which borders Antioch on the eastern side.

Here is a decent table output:

I applaud the police department for making a dent over the past two years, and even more so for publishing this data (Concord and Pittsburg did not have this information easily accessible). Even with their effort, I don’t think I’ll be hanging around to see if it pays off.

I hope that Antioch becomes a nice bedding community again. The type of place where people like my grandfather, only had to drawn their weapon once during a domestic dispute, and never had to fire it.

I enjoyed it a lot, because I really like to share information. It is especially rewarding when it is something I have taken a great interest in, like the FreeBSD Operating System.

The design of the course was simple, I did my best to fill in the gap that a Solaris or Linux administrator might have. Everyone on the team has experience with Unix, mostly Solaris and Red Hat, so I skipped a lot of the basics.

This was also done in 1.5 hours increments over a few months. None of us had the time to dedicate four or so days in a real class room environment where I could concoct lab exercises. I wish we could have, that would have been GREAT. Alas, I wrote these up in my spare time and put them up on the calendar for the team.

I even created a certificate for those that attended all of them :)

Cert: fbsd-admin-template

So, here is what I’m going to do. I think it is important to share, so I converted all of my slides and material into Google’s Presentation document and made them Public.

Both to read and write.

So, if you feel that there are typo’s, errors, or something can be added, I want to extend to opportunity to anyone to correct them.

Part1:
FreeBSD Training #1 – Introduction
Part 2:
FreeBSD Training #2 – Software Management
Part 3:
FreeBSD Training #3 – Service Management
Part 4:
FreeBSD Training #4 – Hardware Management

The last class was me running through SysInstall. My logic for that was simple, everyone should first know how to install and manage software and services before they begin installing a fresh OS.

There you go Internets, enjoy, and please don’t add Viagra links in my presentations :)

As mentioned many times, this is a FreeBSD based environment. Some good sysinfo output below:

Operating system release: FreeBSD 8.2-RELEASE
OS architecture: amd64
Kernel build dir location: /usr/obj/usr/src/sys/GENERIC
Currently booted kernel: /boot/kernel/kernel

Currently loaded kernel modules (kldstat(8)):
zfs.ko
opensolaris.ko

Bootloader settings for the Director/Database node:

The /boot/loader.conf has the following contents:
kern.ipc.semmni=1024
kern.ipc.semmns=2048
kern.ipc.semmnu=1024

All of the storage nodes and the director are running a GENERIC kernel with very few system tweaking. One of the storage nodes has a Chelsio 10Gb controller, but that hasn’t had a high enough load to crack the 1Gb/sec barrier.

I’m using Bacula from the ports tree, and the directory has a special Make flag to build with gcc’s debugging symbols. Jenny worked on getting that setup when we were having some stability issues.

The Bacula configuration one the director node is backed by a git repository. It adds a little bit of complexity for a systems administrator, when they want to add a client, but the benefit is clear. This backup project actually enforces change control and tracks all of the commits by who.

I’ve also setup Redmine as a project front-end, and I’ve begun to file tickets and reference what commit fixed what. This not only tracks my progress, but it is the first time I’ve had a backup server that was clearly documented and had some type of accountability.

A snippet of the Redmine site

The Structure

I’ve compared projects like bacula to a large box of LegosTM. It doesn’t enforce a structure by any means, and I’ve taken it upon myself to add meaning to the otherwise flat and incomprehensible bacula-dir.conf

The Bacula Port on FreeBSD installs all configuration files in /usr/local/etc.

Write, the Director, only contains the following in /usr/local/etc/bacula-dir.conf:

@/usr/local/etc/bacula/bacula-dir.conf
@/usr/local/etc/bacula/storage.conf
@/usr/local/etc/bacula/clients.conf
@/usr/local/etc/bacula/messages.conf
@/usr/local/etc/bacula/schedules.conf
@/usr/local/etc/bacula/pools.conf

As you can see, I place everything in etc/bacula/.

Here is a beautiful output of tree(1):

bacula
|-- bacula-dir.conf
|-- bin
|   |-- create_client.sh
|   `-- package_list.sh
|-- clients.conf
|-- clients.d
|   |-- 10am
|   |-- 10pm
|   |-- 11pm
|   |-- 12am
|   |-- 1am
|   |-- 2am
|   |-- 3am
|   |-- 4am
|   |-- 4pm
|   |-- 5am
|   |-- 5pm
|   |-- 6am
|   |-- 6pm
|   |-- 7am
|   |-- 7pm
|   |-- 8am
|   |-- 8pm
|   |-- 9am
|   |-- 9pm
|   |-- TEMPLATE-mac
|   |-- TEMPLATE-unix
|   `-- TEMPLATE-win32
|-- excludes.d
|   |-- common.conf
|   |-- mac.conf
|   |-- unix.conf
|   `-- win32.conf
|-- messages.conf
|-- pools.conf
|-- schedules.conf
|-- storage.conf
`-- storage.d
    |-- write-01.conf
    |-- write-02.conf
    |-- write-03.conf
    |-- write-04.conf
    |-- write-05.conf
    `-- write-06.conf

Storage Nodes

All of the storage nodes are using ZFS as the filesystem/Volume manager.

write-06# zpool list
NAME         SIZE   USED  AVAIL    CAP  HEALTH  ALTROOT
filevol001  90.6T  33.3T  57.3T    36%  ONLINE  -

They all have one volume, /filevol001, and I created 512 “drives” within that volume. Effectivly, each storage node has 512 drives, and clients are randomly assigned a drive.

Since I have 6 storage nodes, I wrote a little shell script to handle the directory creation:

#!/bin/bash
i=1
 
while [ $i -le 512 ]
do
        install -d -o bacula -g bacula -m 770 /filevol001/drive$i
        ((i++))
done

Simple, right? I also wrote a script to generate the bacula-sd.conf file on a storage node as well:

#!/bin/bash
 
usage()
{
cat << EOF
    Usage $0 NUMBER > /usr/local/etc/bacula-sd.conf
 
    Where "NUMBER" is just a single digit indicating which storage node this is.
 
    Example, for write-07:
    $ make_sd.sh 7 > /usr/local/etc/bacula-sd.conf
EOF
}
 
i=1
 
if [[ -z $1 ]]
then
    usage
    exit
fi
 
printf "Storage {\n"
printf "\tName = write-0$1.llnl.gov-sd\n"
printf "\tSDAddress = write-0$1.llnl.gov\n"
printf "\tSDPort = 9103\n"
printf "\tWorkingDirectory = \"/var/db/bacula\"\n"
printf "\tPid Directory = \"/var/run\"\n"
printf "\tMaximum Concurrent Jobs = 516\n"
printf "}\n"
 
printf "#\n"
printf "# List Directors who are permitted to contact Storage daemon\n"
printf "#\n"
printf "Director {\n"
printf "\tName = write.llnl.gov-dir\n"
printf "\tPassword = \"ItsASecret\"\n"
printf "}\n"
 
printf "#\n"
printf "# Restricted Director, used by tray-monitor to get the\n"
printf "#   status of the storage daemon\n"
printf "#\n"
printf "Director {\n"
printf "\tName = write.llnl.gov-mon\n"
printf "\tPassword = \"ItsANotherSecret\"\n"
printf "\tMonitor = yes\n"
printf "}\n"
 
printf "Messages {\n"
printf "\tName = Standard\n"
printf "\tdirector = write.llnl.gov-dir = all\n"
printf "}\n"
 
 
printf "Device {\n"
printf "\tName = W0$1FileStorage\n"
printf "\tMedia Type = File\n"
printf "\tArchive Device = /filevol001\n"
printf "\tLabelMedia = yes;\n"
printf "\tRandom Access = Yes;\n"
printf "\tAutomaticMount = yes;\n"
printf "\tRemovableMedia = no;\n"
printf "\tAlwaysOpen = no;\n"
printf "\tMaximum Concurrent Jobs = 2\n"
printf "}\n"
 
while [ $i -le 512 ]
do
        printf "\n"
        printf "Device {\n"
        printf "\tName = W0$1FileStorageD$i\n"
        printf "\tMedia Type = File\n"
        printf "\tArchive Device = /filevol001/drive$i\n"
        printf "\tLabelMedia = yes;\n"
        printf "\tRandom Access = Yes;\n"
        printf "\tAutomaticMount = yes;\n"
        printf "\tRemovableMedia = no;\n"
        printf "\tAlwaysOpen = no;\n"
        printf "\tMaximum Concurrent Jobs = 2\n"
        printf "}\n"
        ((i++))
done

On the Directory, a storage node definition is saved in /usr/local/etc/bacula/storage.d/write-0{N}.conf, which is included in /usr/local/etc/bacula/storage.conf:

@/usr/local/etc/bacula/storage.d/write-01.conf
@/usr/local/etc/bacula/storage.d/write-02.conf
@/usr/local/etc/bacula/storage.d/write-03.conf
@/usr/local/etc/bacula/storage.d/write-04.conf
@/usr/local/etc/bacula/storage.d/write-05.conf
@/usr/local/etc/bacula/storage.d/write-06.conf

Client Generation

There are two components, the TEMPLATE file (there are three, TEMPLATE-unix, TEMPLATE-win32 and TEMPATE-mac) and the shell script.

The Client TEMPLATE File

Here is what one of the TEMPLATE files looks like:

#
# Client Definition, the Password here must match
#  the clients bacula-fd.conf Client definition.
#
# Using Vi/m, you can easily replaced HOSTNAME with
#  the short hostname of the client with:
#  %s/HOSTNAME/yourhostname/
#
#

Client {
    Name = HOSTNAME.llnl.gov
    Address = HOSTNAME.llnl.gov
    FDPort = 9102
    Catalog = Catalog001
    Password = "ItsASecret"
    File Retention = 40 days
    Job Retention = 1 months
    AutoPrune = yes
    Maximum Concurrent Jobs = 10
    Heartbeat Interval = 300
}

Console {
    Name = HOSTNAME.llnl.gov-acl
    Password = ItsASecret
    JobACL = "HOSTNAME.llnl.gov RestoreFiles", "HOSTNAME.llnl.gov"
    ScheduleACL = *all*
    ClientACL = HOSTNAME.llnl.gov
    FileSetACL = "HOSTNAME.llnl.gov FileSet"
    CatalogACL = Catalog001
    CommandACL = *all*
    StorageACL = *all*
    PoolACL = HOSTNAME.llnl.gov-File
}

Job {
    Name = "HOSTNAME.llnl.gov"
    Type = Backup
    Level = Incremental
    FileSet = "HOSTNAME.llnl.gov FileSet"
    Client = "HOSTNAME.llnl.gov"
    Storage = FileStorageD##
    Pool = HOSTNAME.llnl.gov-File
    Schedule = "@@"
    Messages = Standard
    Priority = 10
    Write Bootstrap = "/var/db/bacula/%c.bsr"
    Maximum Concurrent Jobs = 10
    Reschedule On Error = yes
    Reschedule Interval = 1 hour
    Reschedule Times = 1
    Max Wait Time = 30 minutes
    Cancel Lower Level Duplicates = yes
    Allow Duplicate Jobs = no
    RunScript {
        RunsWhen = Before
        FailJobOnError = no
        Command = "/etc/scripts/package_list.sh"
        RunsOnClient = yes
    }
}

Pool {
    Name = HOSTNAME.llnl.gov-File
    Pool Type = Backup
    Recycle = yes
    AutoPrune = yes
    Volume Retention = 1 months
    Maximum Volume Bytes = 10G
    Maximum Volumes = 100
    LabelFormat = "HOSTNAME.llnl.govFileVol"
    Maximum Volume Jobs = 5
}

Job {
    Name = "HOSTNAME.llnl.gov RestoreFiles"
    Type = Restore
    Client= HOSTNAME.llnl.gov
    FileSet="HOSTNAME.llnl.gov FileSet"
    Storage = FileStorageD##
    Pool = HOSTNAME.llnl.gov-File
    Messages = Standard
    #Where = /tmp/bacula-restores
}

FileSet {
    Name = "HOSTNAME.llnl.gov FileSet"
    Include {
        Options {
            signature = MD5
            compression = GZIP6
                        fstype = ext2
                        fstype = xfs
                        fstype = jfs
                        fstype = ufs
                        fstype = zfs
                        onefs = no
                        Exclude = yes
                        @/usr/local/etc/bacula/excludes.d/common.conf
        }
                File = /
                File = /usr/local
                Exclude Dir Containing = .excludeme
    }
    Exclude {
        @/usr/local/etc/bacula/excludes.d/unix.conf
    }
}

The Create Client Script

So here is what really makes creating clients easy for us, the create_client script.

I didn’t want to do it this way, really, so part of me is very ashamed of this tool. I would have preferred to re-write this in Python, or make a web page out of it, and let admins create clients from their desktop. Or, I would have loved to create a puppet module to handle this automagically (but that would exlcude everything that *isn’t* running Puppet, which is huge).

With that disclaimer, here is my create_client shell script:

#!/usr/bin/env bash
# usage: cclient -t unix -s 12am -h hostname
#
 
umask 022
 
# Variables
## Randomize Schedule
SCHEDULES="4pm 5pm 6pm 7pm 8pm 9pm 10pm 11pm 12am 1am 2am 3am 4am 5am 6am 7am 8am 9am 10am"
s=($SCHEDULES)
num_s=${#s[*]}
RAND_SCHED=${s[$((RANDOM%num_s))]}
# Randomize which storage node we use
NODES="write-06 write-01 write-06 write-01 write-02 write-03 write-04 write-05"
n=($NODES)
num_n=${#n[*]}
RAND_NODE=${n[$((RANDOM%num_n))]}
 
export DRIVE=`jot -r 1 1 512`
export BDIR="/usr/local/etc/bacula"
export TYPE="unix"
export SCHEDULE=$RAND_SCHED
export HOSTNAME=""
export STORAGE_NODE=$RAND_NODE
export GIT_DIR="/usr/local/etc/bacula/.git"
export CLASS="desktop"
 
if [ $(whoami) == "root" ]
then
cat << EOF
                Please do not run this as root. This script runs a
                git add/commit, which is how changes are managed and
                tracked. If you run this as root, then it shows up
                as carlson39 or root.
 
                If you encounter a problem with your normal OUN account,
                please contact Mike Carlson, or submit a bug here:
                https://st-scm.llnl.gov/redmine/snt/projects/bacula/issues/new
EOF
 
exit 1
fi
 
usage()
{
cat << EOF
 
        Usage: $0 [OPTION]... -h HOSTNAME
 
        This script will generate a bacula client definition.
 
        OPTIONS:
        -s      schedule, (4pm|5pm|6pm|7pm|8pm|9pm|10pm|11pm|12am|1am|2am|3am|4am|5am|6am|7am|8am|9am). The default schedule is random.
        -t      type, (unix|win32|mac), unix is the default
        -n      storage node (write-01|write-02|...), the default is random.
        -h      hostname (use the short hostname)
EOF
}
 
cd $BDIR
 
while getopts 'c:t:s:n:h:' OPTION
do
        case $OPTION in
                c)
                        CLASS=$OPTARG
                        ;;
                t)
                        TYPE=$OPTARG
                        ;;
                s)
                        SCHEDULE=$OPTARG
                        ;;
                h)
                        HOSTNAME=$OPTARG
                        echo $HOSTNAME | egrep -q "(llnl.gov|ucllnl.org)"
                        if [ $? -eq 0 ]
                        then
                        HOSTNAME=`echo $HOSTNAME|sed -e 's/.llnl.gov//' -e 's/.ucllnl.org//'`
                        fi
 
                        ;;
                n)
                        STORAGE_NODE=$OPTARG
                        ;;
                ?)
                        usage
                        exit
                        ;;
        esac
done
 
if [[ -z $CLASS ]] || [[ -z $TYPE ]] || [[ -z $SCHEDULE ]] || [[ -z $HOSTNAME ]] || [[ -z $STORAGE_NODE ]]
then
        usage
        exit 1
fi
 
grep -w $HOSTNAME $BDIR/clients.conf
if [ $? -eq 0 ]
then
        echo 'client '$HOSTNAME 'already exists...'
else
        export RETRY_COUNT="2"
 
        if [ $STORAGE_NODE == "write-01" ]
        then
                DRIVE=`jot -r 1 33 512`
                sed -e 's/HOSTNAME/'$HOSTNAME'/g' -e 's/FileStorageD##/FileStorageD'$DRIVE'/' -e 's/\@\@/'$SCHEDULE'/' -e 's/RETRY_COUNT/'$RETRY_COUNT'/g' $BDIR/clients.d/TEMPLATE-$TYPE > $BDIR/clients.d/$SCHEDULE/$HOSTNAME.conf
                echo \@$BDIR/clients.d/$SCHEDULE/$HOSTNAME.conf >> $BDIR/clients.conf
        else
                export SN=`echo $STORAGE_NODE | cut -c 7-8`
                sed -e 's/HOSTNAME/'$HOSTNAME'/g' -e 's/FileStorageD##/W'$SN'FileStorageD'$DRIVE'/' -e 's/\@\@/'$SCHEDULE'/' -e 's/RETRY_COUNT/'$RETRY_COUNT'/g' $BDIR/clients.d/TEMPLATE-$TYPE > $BDIR/clients.d/$SCHEDULE/$HOSTNAME.conf
                echo \@$BDIR/clients.d/$SCHEDULE/$HOSTNAME.conf >> $BDIR/clients.conf
        fi
 
        chgrp st-bacula-admins $BDIR/clients.d/$SCHEDULE/$HOSTNAME.conf
        git add $BDIR/clients.d/$SCHEDULE/$HOSTNAME.conf $BDIR/clients.conf
        git commit
        echo 'created client definition: '$BDIR/clients.d/$SCHEDULE/$HOSTNAME.conf
        echo 'for '$HOSTNAME'.llnl.gov'
fi

This is always a work in progress, but at the core, it is a simple sed wrapper with a lot of randomization and a git commit.

Why all the randomization?

Because I had to add around 1000 clients in a VERY short amount of time. We didn’t have a problem pushing the Bacula client to all of the platforms, nor the bacula-fd.conf file either. What I could not do was spend the time to create and manage all of the resources for each client. That is why I have so many devices/drives, so I can attempt to have a 1:1 without having to actually think about it.

So, I wrote ANOTHER script to wrap around this one when I need to do bulk client creations. I’m not going to post that, it just loops through the above command.

Pre-Job command – Package List

I only do this on the Unix/Linux clients, and I thought it was a cool idea.

Yeah, I will pat myself on the back a little bit for that :)

I exclude the Operating System from backups for two reasons, 1) to reduce backing up duplicate and reproducible data and 2) Our build/Imaging process is so quick and clean it is just faster to rebuild than restore everything.

Still, I needed a way to keep the state of installed packages/software.

This is where the pre-job command comes in handy. This part right here:

    RunScript {
        RunsWhen = Before
        FailJobOnError = no
        Command = "/etc/scripts/package_list.sh"
        RunsOnClient = yes
    }

That package_list.sh file looks like this:

 
#!/usr/bin/env bash
 
export PLIST="/root/plist.txt"
 
case "`uname -s`" in
Linux)
                if [ -x /usr/bin/lsb_release ]; then
                        DIST=`lsb_release -d`
                fi
 
                # RHEL
                if [ -x /usr/bin/up2date ]; then
                        rpm -qa > $PLIST
                fi
 
                # RHEL 5
                if [ -x /usr/bin/yum ]; then
                        if [ -f /var/run/yum.pid ]; then
                                echo "Yum currently in use, exiting gracefully..."
                                exit 0
                        else
                        /usr/bin/yum list installed | awk '{print $1}' > $PLIST
                        fi
                fi
 
                # Ubuntu
                if [ -x /usr/bin/dpkg ]; then
                        /usr/bin/dpkg --get-selections | awk '{print $1}' > $PLIST
                fi
                ;;
 
FreeBSD)
                pkg_info|awk '{print $1}' > $PLIST
                ;;
SunOS)
                pkginfo |awk '{print $1}' > $PLIST
                ;;
esac

That file, /root/plist.txt, gets backed up.

Now we have a record of what was installed on our Unix platforms :)

That is it for now, see you at Part 3

Background

Over a year ago, I took it upon myself to replace a single Legato Networker server with Bacula. One of our collaborators had decided to ship us (for no reason at all really, I think they were cleaning out their data center) a Sun X4200 AMD server, and two StorageTek/Sun NAS servers.

I had no reason for the NAS heads, but the JBOD was full of drives and the Sun X4200 was useful enough. So, I gutted them (Since the StoragTek NAS heads were identical in almost every way to a standard X4200), put as much memory and CPU’s as I could in one system. This was my first Bacula server. It had around 2TB of FC storage and it made a nice replacement backup server for the 50 or so clients that were on the Networker server. The OS was not Solaris, as you might guess since I was using Sun hardware, but FreeBSD.

Since was focusing only on disk based backups, and FreeBSD has two fantastic large file systems (UFS2 and ZFS), this was my underlying storage platform. Combine that with the current choice of software (in the case, Bacula 5.0.x and PostgreSQL 8/9) from the Ports tree, it really makes the perfect open source software and hardware stack.

After spending a good amount of time wrapping my head around Bacula, and really, just carelessly diving into it, I was very happy with how fast and stable it was shaping up to be.

Around the same time, I was asked to pick up the project that literally went no where for years: The dreaded Backup Project for all of the S&T directorate. A mix of all OS’s, desktops, servers, laptops, etc… and around 3000 active machines online with lots of important data.

No small feat, and there are many reasons why this had been a difficult project to wrangle. One thing for sure, is we knew we had a lot of unique programmatic data.

I knew what software I wanted to use, and I was pretty set on using commodity hardware and reasonably priced storage. The next part was to define some constants in the environment.

The Initial Concepts

First up, I knew of the largest painful aspects of our computing environment:

1. Budget constraints – We are not rich, and IT always seems to be underfunded. This project had to be as frugal as possible, yet still deliver.
2. Diverse platforms – We have Windows, OS X and a mix of RHEL and Ubuntu for desktops. Server platforms range all across the board: Windows, OSX, RHEL, Solaris, FreeBSD, AIX, etc…
3. Mission critical data – Lets face it, the Lab doesn’t make a car, or a VCR. We have a LOT of critical scientific knowledge that is only stored in bits and bytes. That is our product, scientific data that is truly unique.
4. A campus like geography –  the Lab is 1 sq. mile with a mixture of trailers, new buildings, and some buildings that are over 50 years old. The network backbone ranges from 10Gbps to 10Mbps. The poses a problem when it comes to backups.

• A distributed disk based storage backend for Bacula
• Smaller retention window – 1 month
• Reduce the amount of data that has to even go over the network
• Skip “reproducible data” such has installed programs like Office, and exclude the OS itself
• Enable client side compression. The effectively distributes the compression for all clients. Saves a lot of disk space :)
• Skip virtual machine images, like vmdk and vmem files, and treat important virtual machines as separate clients.

For Bacula itself, I had decided that each client would have its own resources. Very little is shared between each client, so for example client-001 would get all of these resources:

• Pool = “Client-001-File”
• Storage = a randomly assigned drive on one of the storage nodes
• Maximum Volume bytes = 10Gb
• Maximum Volumes = 100
• AutoPrune and Recycling enabled
• Job = “client-001″ (one for backup and one for restore)
• FileSet = “client-001 FileSet”

What this prevents is cross-client data contamination. What is also prevented, and I found out later, was concurrent backups. More on that later though.

After feeling a bit more comfortable with a simple all-in-one server, I was ready to spec out new hardware. This was good, because at the same time it was our end of year budget crunch, and hardware had to be procured.

The Hardware

For storage, I had a few concepts I was floating around.

One, was to use MooseFS, a distributed filesystem , across a bunch of cheap node with a modest amount of storage.

The other, idea was to buy a handful of servers with a lot of internal storage, around 18TB or so. Them distribute them across the “campus” as a kind of Bacula storage node cloud.

The last idea was to take a more traditional backup server approach, and buy a server with as much expandable storage as possible and back everything up to that.

In the end, when a bunch of hardware showed up (I had *some* control over the hardware, but not all aspects since some of the managers took it upon themselves to purchase everything), I scrapped the MooseFS idea after talking it over with Jenny, and we took the last two: 4 HP servers with 17TB or RAID6 internal storage, and a large 140TB SAN array (Winchester Systems, great stuff!) as the primary backup node:

Our Environment

This model served us well for a while. We had a primary storage node that backed up a users primary desktop, and the smaller storage nodes were used to back up servers and infrastructure data.

There was room for improvement right away though. As soon as it was in production, I quickly mapped out what I felt were the next steps in making a robust backup environment.

More on that in another installment :)

Continue to Part 2…

]]> http://www.mywushublog.com/2011/07/bacula-in-the-enterprise-part-1/feed/ 0 http://www.mywushublog.com/2011/07/using-duplicity/ http://www.mywushublog.com/2011/07/using-duplicity/#comments Thu, 21 Jul 2011 05:04:40 +0000 Mike Carlson http://www.mywushublog.com/?p=1503 A while ago, I posted about how I backup my server with Duplicity to Amazon’s S3 storage.

To follow up, here is a little guide I wrote on using Duplicity in the everyday work environment

Overview

Duplicity is a backup tool that will create compressed and encrypted (uses gnupg) backup archives. It can use a variety of protocols as the target (file, ftp, webdav, imap, ssh/scp, rsync, hsi, s3 and hsi).

Since it is aware of previous backup jobs, incremental backups from that last full, and some basic collection management, it is preferred over simpler tools like rsync.

Since Duplicity uses GnuPG to compress and encrypt the save sets, you’ll need to enter a passphrase. This make duplicity a little difficult to automate, you can do one of two things:

• embed the the gnupg passphrase in the backup job, or use a gnupg-agent
• disable encryption and just compress the save set

To only compress and not encrypt, use the ”’–no-encryption”’ option.

Installation

Duplicity is available in the EPEL channel, so on RHEL 5 systems just type

yum install duplicity

On Ubuntu, you can install it using aptitude:

aptitude install duplicity

On FreeBSD, you can install it using:

pkg_add -r duplicity

Preparation

You’ll need a location to store your archives. Lets assume it is a locally mounted volume at /backups.

Usage

The syntax is pretty simple:

duplicity [full|incr|collection-status|list-current-files] source target-url

The ‘target-url’ can be one of many protocols:

• file:///backups
• scp://user@host/backups
• webdav://user@backup-server/backups/

Since we are assuming a locally mounted device, we’ll use the ”’file:///”’ url.

Full Backups

duplicity full ~/ file:///backups/

GnuPG passphrase:
Local and Remote metadata are synchronized, no sync needed.
Last full backup date: none
Retype passphrase to confirm: 

--------------[ Backup Statistics ]--------------
StartTime 1274121911.36 (Mon May 17 11:45:11 2010)
EndTime 1274126391.50 (Mon May 17 12:59:51 2010)
ElapsedTime 4480.14 (1 hour 14 minutes 40.14 seconds)
SourceFiles 53369
SourceFileSize 43240385480 (40.3 GB)
NewFiles 53369
NewFileSize 43240385480 (40.3 GB)
DeletedFiles 0
ChangedFiles 0
ChangedFileSize 0 (0 bytes)
ChangedDeltaSize 0 (0 bytes)
DeltaEntries 53369
RawDeltaSize 43219504708 (40.3 GB)
TotalDestinationSizeChange 37539659285 (35.0 GB)
Errors 0
-------------------------------------------------

Incremental Backup

Incremental backups are easy, just replace ‘full’ with ‘incr’, and here, we also upped the Gzip compression level to ’9′

duplicity incr --gpg-options "-z 9" /home/mcarlson file:///media/0654-E203/backups
GnuPG passphrase:
Local and Remote metadata are synchronized, no sync needed.
Last full backup date: Mon May 17 11:45:04 2010
--------------[ Backup Statistics ]--------------
StartTime 1274130893.40 (Mon May 17 14:14:53 2010)
EndTime 1274131032.77 (Mon May 17 14:17:12 2010)
ElapsedTime 139.36 (2 minutes 19.36 seconds)
SourceFiles 53437
SourceFileSize 43628122482 (40.6 GB)
NewFiles 172
NewFileSize 434867245 (415 MB)
DeletedFiles 96
ChangedFiles 58
ChangedFileSize 1175654577 (1.09 GB)
ChangedDeltaSize 0 (0 bytes)
DeltaEntries 326
RawDeltaSize 444524537 (424 MB)
TotalDestinationSizeChange 442395156 (422 MB)
Errors 0
-------------------------------------------------

Restore

You can either restore the entire archive with the ”’restore”’ option, or a set of files with ”’files-to-restore”’:

Lets assume we did something like this:

rm -rf FreeBSD

This was obviously a mistake and we quickly need those files back:

duplicity --file-to-restore src/FreeBSD file:///backups/ FreeBSD
GnuPG passphrase:
Local and Remote metadata are synchronized, no sync needed.
Last full backup date: Mon May 17 11:45:04 2010

Lets verify that our files are in fact there again:

ls -al FreeBSD
total 24
drwxr-xr-x  6 mcarlson mcarlson 4096 2009-08-31 15:51 .
drwxrwxr-x 65 mcarlson mcarlson 4096 2010-05-17 16:23 ..
drwxr-xr-x  2 mcarlson mcarlson 4096 2009-08-31 15:51 6.4
drwxr-xr-x  2 mcarlson mcarlson 4096 2009-08-31 15:25 7.0
drwxr-xr-x  2 mcarlson mcarlson 4096 2009-08-31 15:50 8.0
drwxr-xr-x  6 mcarlson mcarlson 4096 2009-08-31 15:52 i386

Managing your Archive(s)

Duplicity does not store any policy or retention details, so it is up the the individual to remove older save sets.

Collection Status

First thing you can do is run get a status of your save sets. Duplicity will scan your target-url, in this case ‘file:///backups’ and print a simple report on what backups types have ran, the date it was ran at, and the number of files:

duplicity collection-status file:///media/0654-E203/backups

Local and Remote metadata are synchronized, no sync needed.
Last full backup date: Mon May 17 11:45:04 2010
Collection Status
-----------------
Connecting with backend: LocalBackend
Archive dir: /home/mcarlson/.cache/duplicity/0e6da04424dcfd02a2dae71879be23fa

Found 0 secondary backup chains.

Found primary backup chain with matching signature chain:
-------------------------
Chain start time: Mon May 17 11:45:04 2010
Chain end time: Mon May 17 14:14:48 2010
Number of contained backup sets: 2
Total number of contained volumes: 1447
 Type of backup set:                            Time:      Num volumes:
                Full         Mon May 17 11:45:04 2010              1430
         Incremental         Mon May 17 14:14:48 2010                17
-------------------------
No orphaned or incomplete backup sets found.

Collection Pruning

You can remove older backup archives with ”’remove-older-than”’ or ”’remove-all-but-n-full”’, and you can clean out failed save sets with the ”’cleanup”’ options.

All of these require the target-url as the 2nd argument.

Here, we will remove any archive that is older than 1 month (1M).

duplicity remove-older-than 1M file:///backups/

Last full backup date: Sat May  1 00:20:02 2010
There are backup set(s) at time(s):
Thu Apr  1 00:15:17 2010
Sun Apr  4 00:01:23 2010
Sun Apr 11 00:01:29 2010
Which can't be deleted because newer sets depend on them.
Deleting backup sets at times:
Sun Apr 26 12:15:33 2009
Sun Apr 26 14:45:25 2009
Sun Apr 26 14:58:38 2009
Sun May  3 00:01:37 2009
Sun May 10 00:00:39 2009
Sun May 17 00:00:42 2009
Sun May 24 00:00:53 2009
Sun May 31 00:00:50 2009
Sun Jun  7 00:01:04 2009
Sun Jun 14 00:00:55 2009
Sun Jun 21 00:01:17 2009
Sun Jun 28 00:01:10 2009
Sun Jul  5 00:03:09 2009
Sun Jul 12 00:01:10 2009
Sun Jul 19 00:01:18 2009
Sun Jul 26 00:01:52 2009
Sun Aug  2 00:01:27 2009
Sun Aug  9 00:02:39 2009
Sun Aug 16 00:01:52 2009
Sun Aug 23 00:01:33 2009
Sun Aug 30 00:01:42 2009
Sat Sep  5 17:23:02 2009
Sun Sep  6 00:00:41 2009
Sun Sep 13 00:00:47 2009
Sun Mar  7 00:04:47 2010
Sun Mar 14 00:07:12 2010
Sun Mar 21 00:01:36 2010
Sun Mar 28 00:02:14 2010

]]> http://www.mywushublog.com/2011/07/using-duplicity/feed/ 0 http://www.mywushublog.com/2011/07/cheap-two-factor-authentication-with-google/ http://www.mywushublog.com/2011/07/cheap-two-factor-authentication-with-google/#comments Tue, 19 Jul 2011 05:29:27 +0000 Mike Carlson http://www.mywushublog.com/?p=1489 I can be a glutton for punishment for a nearly trivial amount of gain. So lets bring on the two-factor authentication for my personal FreeBSD server.

I’ve been using Google’s 2-step verification since Jenny told me about it, along with my android powered phone.

What is nice about Google’s Authenticator app is its availability for multiple smartphone platforms:

• Android version 1.5 or later
• BlackBerry OS 4.2 – 4.7
• iPhone iOS 4 or later

How it works is pretty simple. First, you have to install the GAuthenticator app form whatever market your smartphone uses. Once you convert your Google account, you are presented with a QR code, which you can scan with your smart phone. This ties your phone’s GAuth app to your account.

I’ve been doing this for the last month or so, and everything has been working out just fine. There are a lot of cool things you can do with this extra layer of authentication. Since not all web services or applications support the verification code generated from your phone, you can have backup passwords (which are only usable once, but great if you don’t have your phone with you), as well as application passwords. These static and randomly generated passwords are revoke-able.

Alright, so, how does this apply as a cheap way to do two-factor authentication?

Okay, I know, a phone isn’t exactly cheap. I’m sure a RSA token, or (expecially) a Gooze token or far more economical if you don’t already have a iPhone, Android or BB.

A lot of people in IT do have one of these phones, and the app is free. Hence me calling this cheap…

Anyway, the Google Authenticator project also has a PAM module, it is really simple and easy to compile/install. Simple check out the mercurial repository and use gmake to compile:

[server]-[mcarlson] 9:40pm: ~/projects/google-authenticator/libpam>gmake
gcc --std=gnu99 -Wall -O2 -g -fPIC -c  -o google-authenticator.o google-authenticator.c
gcc --std=gnu99 -Wall -O2 -g -fPIC -c  -o base32.o base32.c
gcc --std=gnu99 -Wall -O2 -g -fPIC -c  -o hmac.o hmac.c
gcc --std=gnu99 -Wall -O2 -g -fPIC -c  -o sha1.o sha1.c
gcc -g   \
              -o google-authenticator google-authenticator.o base32.o hmac.o sha1.o
gcc --std=gnu99 -Wall -O2 -g -fPIC -c  -o pam_google_authenticator.o pam_google_authenticator.c
pam_google_authenticator.c: In function 'log_message':
pam_google_authenticator.c:69: warning: implicit declaration of function 'pam_get_item'
gcc -shared -g  -o pam_google_authenticator.so pam_google_authenticator.o base32.o hmac.o sha1.o
gcc --std=gnu99 -Wall -O2 -g -fPIC -c  -o demo.o demo.c
gcc -DDEMO --std=gnu99 -Wall -O2 -g -fPIC -c  -o pam_google_authenticator_demo.o pam_google_authenticator.c
pam_google_authenticator.c: In function 'log_message':
pam_google_authenticator.c:69: warning: implicit declaration of function 'pam_get_item'
gcc -g  -rdynamic                                         \
               -o demo demo.o pam_google_authenticator_demo.o base32.o hmac.o sha1.o
gcc -DTESTING --std=gnu99 -Wall -O2 -g -fPIC -c  -o pam_google_authenticator_testing.o pam_google_authenticator.c
pam_google_authenticator.c: In function 'log_message':
pam_google_authenticator.c:69: warning: implicit declaration of function 'pam_get_item'
gcc -shared -g  -o pam_google_authenticator_testing.so pam_google_authenticator_testing.o base32.o hmac.o sha1.o
gcc --std=gnu99 -Wall -O2 -g -fPIC -c  -o pam_google_authenticator_unittest.o pam_google_authenticator_unittest.c
gcc -g  -rdynamic -lc                                     \
                             \
              -o pam_google_authenticator_unittest pam_google_authenticator_unittest.o base32.o hmac.o sha1.o

At this point, as root, you can install the two important files:

[server]-[mcarlson] 9:42pm: ~/projects/google-authenticator/libpam>sudo gmake install
Password:
cp pam_google_authenticator.so /usr/lib
cp google-authenticator /usr/local/bin

After I did all of this by hand I though “I should make another Port!!”

Turns out, I just missed it. On a FreeBSD system, you can install this with a simple:

$ portinstall security/pam_google_authenticator

Silly me…

I decided to only add the PAM object to /etc/pam.d/sshd (here is the diff):

--- /usr/src/etc/pam.d/sshd     2010-06-13 19:09:06.000000000 -0700
+++ /etc/pam.d/sshd     2011-07-17 22:05:18.000000000 -0700
@@ -9,6 +9,7 @@
 auth           requisite       pam_opieaccess.so       no_warn allow_local
 #auth          sufficient      pam_krb5.so             no_warn try_first_pass
 #auth          sufficient      pam_ssh.so              no_warn try_first_pass
+auth           required        pam_google_authenticator.so noskewadj
 auth           required        pam_unix.so             no_warn try_first_pass
 
 # account

This PAM plugin is pretty forgiving, if a user has not ran the /usr/local/bin/google-authenticator tool, it will gracefully fail and allow for a normal authentication conversation.

When I ran the google-authenticator tool, I was presented a URL (to a QR Code image), and a list of backup codes. I scanned the QR image with my smart phone’s Google Authenticator app, which tied mcarlson@server.m87-blackhole.org to the one time passcode that my phone now generates.

When I log in to my server now, I get this:

This server is public facing, so two factor is legitimately safer

And my phone has something similar to this:

I'm not alice... or am I?

Other users are not bothered with this, unless they choose to do so.

Final Thoughts

This is a good tool, and more people should consider taking advantage of protecting their identity with really easy tools like this. I started using this because it really hit my how much I rely on my Google account. Not just email, but the calendar, the Music service, plus all of my other online activities like Amazon and domain registration all end up terminating at my gmail account. It would be devastating if it was compromised.

I’m also a big fan of open source security tools that use well understood approaches and well documented algorithms. That means there are more eyes on it, good and bad, but at least it is out there in the open for everyone to evaluate.

I’d like to test out a few more things, like can I use the same ~/.google_authenticator file on multiple systems, or do I need one on each system (and therefore, a 1:1 identity mapping on my phone). How well would this work in an environment with a central home directory NFS server?

Chris logged in using ssh keys without being prompted, and that makes also want to test out if this can play alongside ssh keys as well.

I think companies, such as the one I work for, should consider a cheap service like this to help protect public facing servers. If you can provide Blackberrys and iPhones to your employees, it would be nice if they could actually use it for work.

]]> http://www.mywushublog.com/2011/07/cheap-two-factor-authentication-with-google/feed/ 2