PDA

View Full Version : 2.5.0b1 test reports



ian
November 22nd, 2005, 12:49 PM
All,

If you have used 2.5.0 (successfully or otherwise), please post a test report here. If you find a bug, note that too.

Useful information in test reports:

Test date
Platform and version of server and clients
Number and size of volumes backed up.
Dump tools used (tar, dump, samba, etc) and version
Type of backup media: LTO/DLT/AIT/Disk
Tapetype used
Strategies/levels tested
Authentication method used
What amanda commands used during testing?
If you find any problems, please document them.

ian
November 22nd, 2005, 12:53 PM
Tested successfully on a Fedora Core 3 laptop, backing up only itself to disk with the on-disk vtape API. Tape-spanning was used without issue, and data was sucessfully restored. This test used tar dump format and BSD authentication.

I ran multiple runs of amdump, but since there is only one disk, Amanda likes to do a full dump every time.

martineau
November 24th, 2005, 03:31 PM
I have done many test before 2.5.0b1 was released:

- interoperability between 2.4.5 and 2.5.0
- 2.4.5 as server or client
- 2.5.0 as server or client
- only with gnutar
- with and without indexing
- with server, client or no compression

The other were done with 2.5.0 as server and client.

- I killed some program to see how amanda recover and retry the backup.
- gnutar
- index gtar
- sendbakcup
- client gzip
- server gzip
- dumper
- chunker

- I tested one dump direct to tape.

- I tested ssh and rsh auth method.

Jean-Louis

pkunst
November 28th, 2005, 10:23 AM
just tried building on Solaris9/10 and AIX 5.2. when configured from another directory e.g. ../../amanda-2.5.0b1/configure ... i get at compile-time:

In file included from ../../../amanda-2.5.0b1/tape-src/output-file.c:38:
../../../amanda-2.5.0b1/common-src/amanda.h:241:26: amanda-int.h: No such file or directory
make[1]: *** [output-file.lo] Error 1
make[1]: Leaving directory `/home/amanda/src/amanda-2.5.0b1-builds/Solaris10/tape-src'

get this result when using --with-src=<absolute path> also, using gcc 3.4.2, GNU make, ...

paddy
November 28th, 2005, 06:59 PM
Can you please provide the output of configure run?

I'm interested in the line

"checking whether posix fcntl locking works..."

Thanks,
Paddy

pkunst
November 29th, 2005, 12:49 AM
checking whether posix fcntl locking works... yes

# uname -a
SunOS tron 5.9 Generic_118558-14 sun4u sparc SUNW,Ultra-60

pkunst
November 29th, 2005, 01:02 AM
tried building in src-tree, using VisualAge C 6 gives:

cc -DHAVE_CONFIG_H -I. -I. -I../config -I../common-src -I../common-src -I../restore-src -I../tape-src -q32 -D_LARGE_FILES -qlonglong -q32 -D_LARGE_FILES -qlonglong -g -c -M driverio.c -DPIC -o .libs/driverio.o
"logfile.h", line 74.1: 1506-046 (S) Syntax error.
make[1]: *** [driverio.lo] Error 1
make[1]: Leaving directory `/space/src/amanda-2.5.0b1/server-src'

using gcc 3.4.2, compiler options for native cc are used (used CC=gcc when configure'd, gcc in PATH):

gcc -DHAVE_CONFIG_H -I. -I. -I../config -I./../regex-src -q32 -D_LARGE_FILES -qlonglong -q32 -D_LARGE_FILES -qlonglong -g -O2 -MT alloc.lo -MD -MP -MF .deps/alloc.Tpo -c alloc.c -DPIC -o .libs/alloc.o
gcc: unrecognized option `-q32'
gcc: unrecognized option `-qlonglong'
gcc: unrecognized option `-q32'
gcc: unrecognized option `-qlonglong'
In file included from alloc.c:33:
amanda.h:816: error: conflicting types for 'bind'
/usr/include/sys/socket.h:434: error: previous declaration of 'bind' was here

(somewhen later make bails out)

ian
December 1st, 2005, 07:59 AM
Over the course of the last week, I gave 2.5.0b1 another test. The server was Redhat FC4, with three clients: itself, a RHEL4 machine, and a FC3 laptop. Used BSD authentication.

Backed up a total of 10 DLEs, totalling 15.5 GB. Did full and level 1 dumps, with a successful multi-level restore.
Used tar on all hosts, versions ranged from 1.14 to 1.15.1.

Drive is a Quantum DLT7000 with standard tapetype.

In this test, I managed to get a stack trace/core dump for a niggly intermittent crash in chg-scsi. Details in separate bug report.

ktill
December 9th, 2005, 08:22 PM
Hi,
I have added a dumptype "encrypt" option. Code has been commited to the sourceforge,
rpm will be available next week on www.zmanda.com.
I have updated the encryption section on :
http://wiki.zmanda.com/index.php/Backup_server#Server-side_and_Client-side_encryption

I have tested it on different configuration,
a) client-compress, server-encrypted.
b) client-compress, client-encrypted
c) server-compress, server-encrypted

Please use it and send us your feedback. Thanks!

Kevin Till
Amanda Developer

sgw
December 10th, 2005, 09:02 AM
I am running 2.5.0b1 successfully since Nov, 26th.
The AMANDA-server is a Suse 10.0 OSS system, with itself and 3 other Suse-systems as clients. There are two main configs dumped, one dumps ~40GB per run to a HP-DLT1 drive, the other dumps ~20GB to a HP-DDS3 drive.

The DLT still has hw-compression enabled (haven't yet found out how to disable that, mt doesn't work) so I am not using any sw-compression with this. I use GNUtar 1.15.1 for all the DLEs, incrementals are doing fine and restoring also.

I am now going to have a closer look at the new encrypt-option ...

ktill
January 5th, 2006, 01:25 PM
My understanding is that FC4 only enforces targeted policy which only protectes a few daemons and amanda is not one of them. So amanda should work fine even when selinux (default targeted policy) is enabled.
One data point, I enabled SELinux's targeted policy:

[ktill@boston ~]$ sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive
Mode from config file: permissive
Policy version: 18
Policy from config file:targeted

Policy booleans:
allow_ypbind inactive
dhcpd_disable_trans inactive
httpd_disable_trans inactive
httpd_enable_cgi active
httpd_enable_homedirs active
httpd_ssi_exec active
httpd_tty_comm inactive
httpd_unified active
mysqld_disable_trans inactive
named_disable_trans inactive
named_write_master_zonesinactive
nscd_disable_trans inactive
ntpd_disable_trans inactive
portmap_disable_trans inactive
postgresql_disable_transinactive
snmpd_disable_trans inactive
squid_disable_trans inactive
syslogd_disable_trans inactive
winbind_disable_trans inactive
ypbind_disable_trans inactive

amanda( 2.5.0b1) backup and recover work fine.
Has anyone used amanda on SELinux when STRICT policy is enforced?

bwil150n
February 26th, 2006, 08:04 PM
First the software details:
Red Hat Enterprise Linux AS release 4 (Nahant Update 2)
selinux-policy-targeted-1.17.30-2.110
selinux-policy-targeted-sources-1.17.30-2.110
libselinux-1.19.1-7
amanda-2.4.4p3-1
amanda-client-2.4.4p3-1
kernel-smp-2.6.9-5.0.5.EL

The output from sestatus:
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 18
Policy from config file:targeted

Policy booleans:
allow_ypbind active
dhcpd_disable_trans inactive
httpd_builtin_scripting active
httpd_disable_trans inactive
httpd_enable_cgi active
httpd_enable_homedirs active
httpd_ssi_exec active
httpd_tty_comm inactive
httpd_unified active
mysqld_disable_trans inactive
named_disable_trans inactive
named_write_master_zonesinactive
nscd_disable_trans inactive
ntpd_disable_trans inactive
pegasus_disable_trans inactive
portmap_disable_trans inactive
postgresql_disable_transinactive
snmpd_disable_trans inactive
squid_disable_trans inactive
syslogd_disable_trans inactive
use_nfs_home_dirs inactive
use_samba_home_dirs inactive
use_syslogng inactive
winbind_disable_trans inactive
ypbind_disable_trans inactive

While running SELinux permissive does allow amanda to connect and do backups, enforcing stops amanda cold in her tracks.

I'm forging ahead with reading, searching, and experimenting but if anyone has a canned solution, I'd appreciate it.

Thanks in advance!

paddy
February 27th, 2006, 09:44 AM
bwil150n,

Are you using 2.5.0b1 or 2.4.4p3 rpms from Redhat?

What do you mean "stops amanda cold in her tracks"? I guess you have
enabled targetted policy. Did you have any rules specific to amanda.
Did the amdump fails or restore operation fail? Did you try amcheck?
More information on the failure would be appreciated.

Kevin has tested 2.5.0b1 and 2.5.0b2 images with SE Linux targetted policy
enabled (See his reports earlier in the thread).

Thanks,
Paddy

bwil150n
March 1st, 2006, 11:33 AM
Paddy,

I'm running 2.4.5p1-2 on Debian 2.4.25 on a separate network, which means this is probably in the wrong forum.

Proceeding anyway with names changed to protect...

FAILURE AND STRANGE DUMP SUMMARY:
ajax / lev 0 FAILED 20060228 [too many dumper retry]
brillo / lev 0 FAILED 20060228 [too many dumper retry]

Using /var/lib/amanda/DailySet1/amdump.1 from Wed Mar 1 00:45:01 PST 2006

ajax:/ 0 driver: (aborted:could not connect to data port: Connection refused)(too many dumper retry)
(same error for brillo)

Amanda Tape Server Host Check
-----------------------------
Holding disk /backup/amanda: 217256088 kB disk space available, using 216207512 kB
amcheck-server: slot 9: date 20060201 label C0000009 (exact label match)
NOTE: skipping tape-writable test
Tape C0000009 label ok
NOTE: info dir /var/lib/amanda/DailySet1/curinfo/ajax: does not exist
NOTE: it will be created on the next run.

I know that amanda works if selinux is set to permissive, but my security model requires enforcing. I have tested against a permissive configuration and saw the audit trails regarding amanda so I'm certain amanda is not the problem.

As far as the selinux configuration goes, it is unmodified from the policy-targeted rpm. I'm working with policy 18 specifically.

I did read Kevin's report. It shows selinux is enabled, but running in permissive mode, not enforcing mode, making those results invalid in this case.

In searching the SELinux threads I have seen bits and pieces of patchs where amanda.te is mentioned, however that particular file does not ship with the rpm. I'm left to wonder if there is anyone on the board that has a working setup that fits the criteria I've spelled out in this and previous posts?

Thanks!

ktill
March 1st, 2006, 12:17 PM
Hi,

I now see some problem by turning on the enforcing mode with targetted policy.

It's:
Mar 4 07:57:07 localhost kernel: audit(1141487827.180:0): avc: denied { associate } for pid=3176 exe=/usr/lib/amanda/sendsize name=ktill2.zmanda.com_home_ktill_0.new scontext=user_u:object_r:unlabeled_t tcontext=system_u:object_r:fs_t tclass=filesystem
Mar 4 07:57:07 localhost kernel: audit(1141487827.188:0): avc: denied { associate } for pid=3176 exe=/usr/lib/amanda/sendsize name=ktill2.zmanda.com_home_ktill_1.new scontext=user_u:object_r:unlabeled_t tcontext=system_u:object_r:fs_t tclass=filesystem

audit2allow indicates:
allow unlabeled_t fs_t:filesystem { associate };

I'll see if what we can do on the Amanda side. Will let you know ASAP.

--Kevin

ktill
March 1st, 2006, 02:14 PM
[ croos post from "suggestion box" ]
Hi,

my understanding is that the tagetted policy has no enforcement on Amanda per se. I was playing with the "strict" policy, as a result, the guntar-list directory is labled. Once I removed the label by doing "chcon -R user_ubject_r:usr_t guntar-list-directory". Amanda is working again running in targetted enforced mode.

Check your /tmp/amanda/sendsize.*debug file to see if it has problem opening the gnutar-list file.

--Kevin

bwil150n
March 1st, 2006, 04:49 PM
[ croos post from "suggestion box" ]
Hi,

my understanding is that the tagetted policy has no enforcement on Amanda per se. I was playing with the "strict" policy, as a result, the guntar-list directory is labled. Once I removed the label by doing "chcon -R user_ubject_r:usr_t guntar-list-directory". Amanda is working again running in targetted enforced mode.

Check your /tmp/amanda/sendsize.*debug file to see if it has problem opening the gnutar-list file.

--Kevin


Apparently RHEL4 puts the gnutar stuff in /var/log/amanda -- or at least that is where I found the sendsize...debug files. Anyway, I ran chcon -R user_u:object_r:usr_t /var/log/amanda and I will wait for the results tomorrow. Just for good measure I made a /tmp/amanda and ran chcon on that one too. I'll report back the results tomorrow morning. I'm hoping for good things.

Brad

ktill
March 1st, 2006, 04:56 PM
"Apparently RHEL4 puts the gnutar stuff in /var/log/amanda -- or at least that is where I found the sendsize...debug files."

guntar-lists is not a log file, it's a directory where file contains list of files to be backed up on the client. I think RHEL4 puts them in /var/lib/amanda/gnutar-lists/.

If it's still not working right tomorrow, report the amanda-related AVC message on /var/log/messages and errors in /var/log/amanda/sendsize.*.debug.

Thanks!

--Kevin

bwil150n
March 2nd, 2006, 05:47 AM
:o

Duly noted and adjustments made. News at 11.

Brad

bwil150n
March 3rd, 2006, 12:17 PM
The backup still failed. Please see the attachment for details. ajax is the client and flagpole is the server.

ktill
March 3rd, 2006, 12:31 PM
The attachment file shows no error. The AVC messages are positive acknowledgement s- (granted). Is there any other AVC messages like denied and/or sendbackup? Search /var/log/messages for sendbackup.

Looking at the your previous post, here is what's failing:
==========
ajax:/ 0 driver: (aborted:could not connect to data port: Connection refused)(too many dumper retry)
==========
We need to find out what's restricting the data port connection. Also I need answers to the following:
1) amanda works well when it's in permissive mode?
2) is there a firewall between the server and the client?

--Kevin Till

bwil150n
March 3rd, 2006, 12:47 PM
1) amanda works well when it's in permissive mode? -- Yes it does.
2) is there a firewall between the server and the client? -- Yes there is.

If RedHat is watching this list, maybe someone there can explain why amand.te is not in the targeted-source rpm...

ktill
March 3rd, 2006, 12:58 PM
>1) amanda works well when it's in permissive mode? -- Yes it does.
permissive mode with firewall running, amanda works?

>2) is there a firewall between the server and the client? -- Yes there is.
what have you done to the firewall to accomodate amanda.

>If RedHat is watching this list, maybe someone there can explain why amand.te is not in >the targeted-source rpm...
because amanda is not one of the few daemons that targeted policy is enforcing.
Strict policy will enforce every daemons and thus amanda.te is in
selinux-policy-strict-sources-1.17.30-2.noarch.rpm.

bwil150n
March 3rd, 2006, 01:21 PM
>1) amanda works well when it's in permissive mode? -- Yes it does.
permissive mode with firewall running, amanda works? -- This workstation is running permissive and it gets backed up every night.

>2) is there a firewall between the server and the client? -- Yes there is.
what have you done to the firewall to accomodate amanda. Out of 11 or so machines backed up with this system both locally and remotely only those running SEL targeted enforcing fail.

>If RedHat is watching this list, maybe someone there can explain why amand.te is not in >the targeted-source rpm...
because amanda is not one of the few daemons that targeted policy is enforcing.
Strict policy will enforce every daemons and thus amanda.te is in
selinux-policy-strict-sources-1.17.30-2.noarch.rpm.

As much as I would like to move up to strict, I'm afraid of how it might break things in the name of security. This is a public-facing system I inherited. Unfortunately I don't have enough infrastructure built into my test systems to adequately test a production look-alike. So my approach is to solve small things, one at a time.

I'm going to grab that package to extract that version...hopefully that will compile better than the one I have.