Sep 14 2015

If you run an ancient operating system with an old SSH client, you are going to hit this “No Kex Alg” problem soon.

For example, Solaris 9:

$ ssh -Vxx
Sun_SSH_1.1, SSH protocols 1.5/2.0, OpenSSL 0x0090700f

So what the hell is it, and what is causing it? Modern operating systems like Debian Jessie ship OpenSSH 6.7 or newer, and OpenSSH 6.7 disables a number of old ciphers by default; see the changelog at http://www.openssh.com/txt/release-6.7. As Russel rightly pointed out in the comments section below, “kex” is “key exchange”.

So it’s time to upgrade your client! However, if for some bizarre reason those pesky sysadmins refuse to upgrade the client software, that leaves you with two options:

  • if you have physical access to the client, simply spill coffee or some other beverage on it (alright, just joking)
  • or edit /etc/ssh/sshd_config on the server, append the following line and restart the sshd daemon (the ECDSA curve is nistp521; a misspelled method name such as nistp512 makes sshd refuse to start):
KexAlgorithms diffie-hellman-group1-sha1,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1

Now your old client should be able to connect to the server, and you have successfully created a security vulnerability on your machine. How exciting!

If you’re still dying to know which mechanisms your system supports, run:

ssh -Q cipher
ssh -Q mac
ssh -Q kex
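As an added example (Python; not code from the original post or from OpenSSH), the following script audits a KexAlgorithms line before sshd is restarted. It compares every configured method with what the local `ssh -Q kex` reports, so a misspelled name that would stop sshd from starting is caught, and it flags the methods the example itself classifies as weak (diffie-hellman-group1-sha1, a 1024-bit group, and diffie-hellman-group-exchange-sha1; that classification is this example's own choice). The sample directive and the supported-method set used in the demo are constructed.

```python
"""Audit an sshd_config KexAlgorithms line before restarting sshd.

Added example; not code from the original post or from OpenSSH. Two checks
worth doing before enabling old key exchange methods for a legacy client:
  * every name must be one the local OpenSSH build knows (the output of
    "ssh -Q kex"), because sshd refuses to start on an unknown name;
  * names this example treats as weak are reported so the exposure is explicit.
The WEAK set and the sample data in the demo are this example's own choices.
"""
import subprocess

# Flagged as weak here: the 1024-bit group1 exchange and the SHA-1 group
# exchange. This classification is the example's own, not the page's.
WEAK = {"diffie-hellman-group1-sha1", "diffie-hellman-group-exchange-sha1"}


def parse_kex_line(line):
    """Split 'KexAlgorithms a,b,c' into ['a', 'b', 'c']."""
    key, _, value = line.strip().partition(" ")
    if key.lower() != "kexalgorithms":
        raise ValueError("not a KexAlgorithms line: %r" % line)
    return [m.strip() for m in value.split(",") if m.strip()]


def local_supported_kex():
    """Ask the local ssh binary which key exchange methods it implements."""
    out = subprocess.run(["ssh", "-Q", "kex"], capture_output=True,
                         text=True, check=True).stdout
    return set(out.split())


def audit_kex(line, supported):
    """Map every configured method to 'ok', 'weak' or 'unknown'."""
    report = {}
    for name in parse_kex_line(line):
        if name not in supported:
            report[name] = "unknown"   # sshd logs 'Bad SSH2 KexAlgorithms' and exits
        elif name in WEAK:
            report[name] = "weak"
        else:
            report[name] = "ok"
    return report


def sshd_would_reject(report):
    """True when any configured name is unknown to this OpenSSH build."""
    return "unknown" in report.values()


def harden_kex_line(line, supported):
    """Rebuild the directive without the weak and unknown entries."""
    keep = [n for n, v in audit_kex(line, supported).items() if v == "ok"]
    return "KexAlgorithms " + ",".join(keep)


if __name__ == "__main__":
    # Constructed sample: one legacy method, one misspelled curve name
    # (nistp512 instead of nistp521) and one modern method.
    sample = ("KexAlgorithms diffie-hellman-group1-sha1,"
              "ecdh-sha2-nistp512,curve25519-sha256@libssh.org")
    supported = local_supported_kex()
    for name, verdict in audit_kex(sample, supported).items():
        print("%-8s %s" % (verdict, name))
    print(harden_kex_line(sample, supported))
```

Run it on the server whose sshd_config you are about to edit, since `ssh -Q kex` reports the method set of the OpenSSH build installed there, which is what sshd will validate the directive against.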

I now know more about ssh ciphers, MACs and kex than I ever wanted to know.


Jul 17 2015

Intro

It took me a while to figure out the optimal configuration for a tape library with two streamers used with the Bacula backup software.

The exact model of tape library in use is a Quantum Scalar i40 with two LTO-5 streamers. It is hooked up directly to the main NFS server (so heavy backup traffic goes via localhost only), a server that runs only the bacula-sd and bacula-fd services. The Bacula director runs on a separate, dedicated backup server.

Currently around 20 other servers are connected to this system as clients, with various daily Incremental, weekly Differential and monthly Full backup jobs scheduled for execution.

Some additional info about this setup is in the previous post. Config files below:

Relevant config files from Backup server

/etc/bacula/bacula-dir.conf

Director {  
  Name = prod-backup-dir
  QueryFile = "/etc/bacula/scripts/query.sql"
  WorkingDirectory = "/var/lib/bacula"
  PidDirectory = "/var/run/bacula"
  Password = "xxxxx"
  Messages = Daemon
  DirAddress = prod-backup.domain.com
  Maximum Concurrent Jobs = 20
}
@/etc/bacula/JobDefs/JobDefs.conf
@|"sh -c 'cat /etc/bacula/Job/*'"
@|"sh -c 'cat /etc/bacula/FileSet/*'"
@|"sh -c 'cat /etc/bacula/Schedule/*'"
@|"sh -c 'cat /etc/bacula/Clients-enabled/*'"
@|"sh -c 'cat /etc/bacula/Storage/*'"
@|"sh -c 'cat /etc/bacula/Pool/*'"
Catalog {
  Name = MyCatalog
  dbaddress = prod-db.domain.com ;
  dbname = "bacula"; dbuser = "bacula"; dbpassword = "xxxxx"
}
Messages {
  Name = Standard
  mailcommand = "/usr/lib/bacula/bsmtp -h prod-mailhub.domain.com -f \"\(Bacula\) \<%r\>\" -s \"Bacula: %t %e of %c %l\" %r"
  operatorcommand = "/usr/lib/bacula/bsmtp -h prod-mailhub.domain.com  -f \"\(Bacula\) \<%r\>\" -s \"Bacula: Intervention needed for %j\" %r"
  mail = [email protected] = all, !skipped            
  operator = [email protected] = mount
  console = all, !skipped, !saved
  append = "/var/lib/bacula/log" = all, !skipped
  catalog = all
}
Messages {
  Name = Daemon
  mailcommand = "/usr/lib/bacula/bsmtp -h localhost -f \"\(Bacula\) \<%r\>\" -s \"Bacula client %c job %n exit code %e  \" %r"
  mail = [email protected] = all, !skipped            
  console = all, !skipped, !saved
  append = "/var/lib/bacula/log" = all, !skipped
}
Console {
  Name = prod-backup-mon
  Password = "xxxxxxxxxxx"
  CommandACL = status, .status
}

Example job definition /etc/bacula/Job/Studies2010-1.conf

#----------------------------------
Job {
  Name = Studies2010-1
  Type = Backup
  Client = nfs-prod-fd
  Schedule = MonthlyCycle
  Messages = Daemon
  FileSet = Studies2010-1
  Level = Full
  Pool = lto5-pool
  Priority = 12
  Max Run Time = 1555200 # default limit is 6 days, 518400sec. bumped 3x just in case
  Spool Data = yes
  Spool Attributes = yes

}
#----------------------------------

Example fileset, /etc/bacula/FileSet/Studies2010-1.conf

#-------------------------------------------
FileSet {
  Name = "Studies2010-1"
  Include {
    Options {
      signature = MD5
      compression = GZIP5
      noatime = yes
      aclsupport = yes
      wilddir = "/export/studies/201007*"
      wilddir = "/export/studies/201008*"
    }
    Options {
      RegexDir = ".*"
      exclude = yes
    }
    File = "/export/studies"
  }
}

Example Schedule, /etc/bacula/Schedule/MonthlyCycle3.conf

Schedule {
  Name = MonthlyCycle3
  Run = Level=Full Pool=lto5-pool 3rd fri at 23:30
}

Tape library, storage definition:

Storage {
  Name = TapeLibrary
  Address = prod-tapelib.domain.com
  SDPort = 9103
  Password = "xxxxxx"
  Device = QuantumScalar-I40
  Media Type = LTO-5
  Autochanger = yes
  Maximum Concurrent Jobs = 4
}

Pool of tapes defined here:

Pool {
  Name = lto5-pool
  Pool Type = Backup
  Volume Retention = 6 months
  Recycle = yes
  AutoPrune = yes
  Label Format = LTO5
  Storage = TapeLibrary
}

 

Relevant config files from Tape Library server

Note that I spool data before writing to tape; this prevents tape “shoe shine” during Incremental/Differential backups.

Storage { 
  Name = TapeLibrary
  WorkingDirectory = "/var/spool/bacula"
  Pid Directory = "/var/run"
}
Autochanger {
  Name = QuantumScalar-I40
  Device = Drive0
  Device = Drive1
  Changer Device = /dev/changer
  Changer Command = "/usr/libexec/bacula/mtx-changer %c %o %S %a %d"
}
Device {
  Name = Drive0
  Drive Index = 0
  Media Type = LTO-5
  Archive Device = /dev/nst0
  AutomaticMount = yes
  AlwaysOpen = yes
  RemovableMedia = yes
  RandomAccess = no
  AutoChanger = yes
  Alert Command = "sh -c 'smartctl -H -l error %c'"  
  Maximum Changer Wait = 600
  Maximum Rewind Wait = 600
  Maximum Open Wait = 600
  Spool Directory = /var/spool/bacula/Spool
  Maximum Spool Size = 45G
  Maximum Concurrent Jobs = 2
}
Device {
  Name = Drive1
  Drive Index = 1
  Media Type = LTO-5
  Archive Device = /dev/nst1
  AutomaticMount = yes
  AlwaysOpen = yes
  RemovableMedia = yes
  RandomAccess = no
  AutoChanger = yes
  Alert Command = "sh -c 'smartctl -H -l error %c'"
  Maximum Changer Wait = 600
  Maximum Rewind Wait = 600
  Maximum Open Wait = 600
  Spool Directory = /var/spool/bacula/Spool
  Maximum Spool Size = 45G
  Maximum Concurrent Jobs = 2
}
Messages {
  Name = Standard
  director = prod-backup-dir = all
}
Director {
  Name = prod-backup-dir
  Password = "xxxxxxxx"
}
Director {
  Name = prod-backup-mon
  Password = "xxxxxxxxxx"
  Monitor = yes
}
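The Director and SD sides above must agree on several cross-references (the Device named in the Director's Storage resource, the Media Type, the Director name the SD will authenticate, and the Job's Client/FileSet/Schedule/Pool names), and a mismatch usually shows up only as a job that sits waiting for a volume or an SD that refuses the connection. As an added example (Python; not code from the original post or from Bacula), the following parses the resource syntax used in these files and checks those references; the DIR_SAMPLE and SD_SAMPLE texts are constructed for the demo and the set of checks is this example's own choice.

```python
"""Cross-check Bacula Director and Storage Daemon resources.

Added example; not code from the original post or from Bacula. It parses the
resource syntax shown above ("Type {" blocks, "key = value" entries, '#'
comments, ';' separators, nested blocks, repeated keys such as two Device
lines) and checks references that must agree between the two configs.
DIR_SAMPLE and SD_SAMPLE are constructed for the demo.
"""


def _strip_comment(line):
    """Drop a '#' comment, leaving '#' alone inside double quotes."""
    out, quoted, escaped = [], False, False
    for ch in line:
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            quoted = not quoted
        elif ch == "#" and not quoted:
            break
        out.append(ch)
    return "".join(out)


def parse(text):
    """Return {resource_type: [resource, ...]}. A resource maps a normalised key
    ('Media Type' -> 'mediatype') to the list of its values and a nested block
    type ('Include') to the list of its sub-resources. '@' include lines are skipped."""
    lines = [_strip_comment(l) for l in text.splitlines() if not l.lstrip().startswith("@")]
    # Put every brace on its own line; assumes braces never occur inside quoted values.
    cleaned = "\n".join(lines).replace("{", " {\n").replace("}", "\n}\n")
    root, stack = {}, []
    for stmt in (s.strip() for ln in cleaned.splitlines() for s in ln.split(";")):
        if not stmt:
            continue
        if stmt.endswith("{"):
            child = {}
            (stack[-1] if stack else root).setdefault(stmt[:-1].strip(), []).append(child)
            stack.append(child)
        elif stmt == "}":
            stack.pop()
        else:
            key, _, value = stmt.partition("=")
            key = key.strip().lower().replace(" ", "")
            stack[-1].setdefault(key, []).append(value.strip().strip('"'))
    if stack:
        raise ValueError("unbalanced braces")
    return root


def _first(res, key, default=""):
    return res.get(key, [default])[0]


def _names(cfg, rtype):
    return {_first(r, "name") for r in cfg.get(rtype, [])}


def check(dir_cfg, sd_cfg):
    """Return a list of problems; an empty list means the two sides agree."""
    problems = []
    devices = {_first(d, "name"): d for d in sd_cfg.get("Device", [])}
    changers = {_first(a, "name"): a for a in sd_cfg.get("Autochanger", [])}
    for st in dir_cfg.get("Storage", []):
        sname, dev = _first(st, "name"), _first(st, "device")
        if dev in changers:   # an autochanger stands for its member drives
            drives = [devices[n] for n in changers[dev].get("device", []) if n in devices]
        elif dev in devices:
            drives = [devices[dev]]
        else:
            problems.append(f"Storage {sname}: Device {dev!r} is not defined on the SD")
            continue
        for d in drives:      # a Media Type mismatch leaves jobs waiting for a volume
            if _first(d, "mediatype") != _first(st, "mediatype"):
                problems.append(f"Storage {sname}: Media Type differs from SD device {_first(d, 'name')}")
        want = int(_first(st, "maximumconcurrentjobs", "1"))
        have = sum(int(_first(d, "maximumconcurrentjobs", "1")) for d in drives)
        if want > have:
            problems.append(f"Storage {sname}: Maximum Concurrent Jobs {want} exceeds drive capacity {have}")
    for dr in dir_cfg.get("Director", []):   # the SD only accepts Directors it has a resource for
        if _first(dr, "name") not in _names(sd_cfg, "Director"):
            problems.append(f"Director {_first(dr, 'name')} has no Director resource on the SD")
    refs = {"client": "Client", "fileset": "FileSet", "schedule": "Schedule", "pool": "Pool"}
    for j in dir_cfg.get("Job", []):
        for key, rtype in refs.items():
            for target in j.get(key, []):
                if target not in _names(dir_cfg, rtype):
                    problems.append(f"Job {_first(j, 'name')}: unknown {rtype} {target!r}")
    for p in dir_cfg.get("Pool", []):
        for s in p.get("storage", []):
            if s not in _names(dir_cfg, "Storage"):
                problems.append(f"Pool {_first(p, 'name')}: unknown Storage {s!r}")
    return problems


# Constructed samples mirroring the layout of the files above (not the real files).
DIR_SAMPLE = """\
Director { Name = prod-backup-dir; Password = "xxxxx"; Maximum Concurrent Jobs = 20 }
Client { Name = nfs-prod-fd; Address = nfs-prod.example.com }
FileSet { Name = "Studies2010-1"
          Include { Options { wilddir = "/export/studies/201007*" } File = "/export/studies" } }
Schedule { Name = MonthlyCycle; Run = Level=Full Pool=lto5-pool 3rd fri at 23:30 }
Storage { Name = TapeLibrary; Device = QuantumScalar-I40; Media Type = LTO-5
          Autochanger = yes; Maximum Concurrent Jobs = 4 }
Pool { Name = lto5-pool; Pool Type = Backup; Storage = TapeLibrary }
Job { Name = Studies2010-1; Client = nfs-prod-fd; FileSet = Studies2010-1
      Schedule = MonthlyCycle; Pool = lto5-pool; Max Run Time = 1555200 # seconds
}
"""
SD_SAMPLE = """\
Storage { Name = TapeLibrary; WorkingDirectory = "/var/spool/bacula" }
Autochanger { Name = QuantumScalar-I40; Device = Drive0; Device = Drive1; Changer Device = /dev/changer }
Device { Name = Drive0; Media Type = LTO-5; Archive Device = /dev/nst0; Maximum Concurrent Jobs = 2 }
Device { Name = Drive1; Media Type = LTO-5; Archive Device = /dev/nst1; Maximum Concurrent Jobs = 2 }
Director { Name = prod-backup-dir; Password = "xxxxxxxx" }
"""

if __name__ == "__main__":
    for problem in check(parse(DIR_SAMPLE), parse(SD_SAMPLE)) or ["consistent"]:
        print(problem)
```

To run it against real files, feed `parse()` the text of the Director config with its `@|"sh -c 'cat ...'"` includes expanded first (the parser skips `@` lines rather than executing them), for example by concatenating bacula-dir.conf with the files under /etc/bacula/Job, FileSet, Schedule, Clients-enabled, Storage and Pool. The concurrency check reflects the arrangement above: a Director-side Maximum Concurrent Jobs of 4 is backed by two drives allowing 2 each.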

Thoughts

Implementing a Bacula-driven backup solution requires some time and effort, but what you get in the end is a sophisticated, enterprise-grade backup system, capable of backing up TBs of data in an organised and efficient manner.

Used in conjunction with a monitoring system it offers a fully automated backup solution, with minimal operator effort required. Routine tasks boil down to: