Category Archives: Intermediate

Don't reinvent the wheel ...

As a developer or DevOps you probably heard it a hundred times before:
" ... ah and by the way for the new project ... try to find an existing library to solve the problem. Don't reinvent the wheel, that would cost too much time."

And probably there were more than a couple of times when - after scrambling through dozens of GitHub projects - you thought: "I wish I had started to reinvent the wheel right from the beginning!"

So here are my top 5 reasons why to "reinvent the wheel":

  1. The only already existing code is a "rainy-Sunday-afternoon-good-enough-for-my-Raspberry Pi-home-project-provided-as-is-without-comments-or-error-checking-only-once-tested-on-my-12-year-old-20-minutes-startup-time-crashes-every-2-hours-Windows-Vista-laptop" GitHub project.
  2. The only GitHub project you can find is bloated with functionality you don't need at all, and it takes you 2 days to find out that the 10 lines of poorly written code that you actually need does not work anyway.
  3. You need to install 15 additional mysterious libraries that were last updated 8 years ago.
  4. The only existing project is a 8 GB of RAM sucking Java monster that takes 5 minutes for cold start.
  5. You spend the next 2 years fixing bugs in code that was never meant to run in production environment.

Share

Evolution of Managed Network Services

Network

... or how to get rid of monolithic service architectures.

1991 - CORBA
A distributed management framework for network services. The father of it all. First on Uni* systems, later on other operating systems as well.

Pros:
- Not monolithic as everything before.
- The "O" stands for "Object", so it must be totally awesome.

1996 - DCOM
A distributed management framework for network services. The Microsoft way. Back in the days Microsoft reinvented everything to set new standards and own them.

Pros:
- Not monolithic as everything before.
- The "O" stands for "Object", so it must be totally awesome.

1997 - Java JNDI and RMI
A distributed management framework for network services. Along came the bytecode revolution with Java, and yes, of course Java wanted to do it the Java way.

Pros:
- Not monolithic as everything before.
- It's Java, so it must be totally awesome.

1999 - Java JNDI and EJB
A distributed management framework for network services. Way cooler than RMI.

Pros:
- Not monolithic as everything before.
- Even more object-oriented, so it must be totally awesome.

1999 - Java JNDI and Tomcat
A distributed management framework for network services. Way cooler than EJB.

Pros:
- Not monolithic as everything before.
- Everyone is using it, so it must be totally awesome.

2003 - SOAP
Distributed network services. Can be used by other programming languages than Java. In case there are any. Lacks service discovery, as e.g. CORBA already provided out of the box more than 20 years ago. So you need an additional layer called ESB.

Pros:
- Not monolithic as everything before.
- The "O" stands for "Object", so it must be totally awesome.

201? - REST
Distributed network services. Advancement of SOAP.

Pros:
- Almost the same as SOAP, just a bit smaller.

2015 - Cloud Microservices
A distributed management framework for network services. Based on REST. Lacks service discovery though, as e.g. CORBA already provided out of the box more than 20 years ago. So you need an additional layer called service mesh.

Pros:
- Not monolithic as everything before.
- It has the word "Cloud" in it, so it must be totally awesome.

202? - ...
Not sure what it will be called, but sure as hell it will be a distributed management framework for network services. And it will be way hotter than everything before, because it will not be monolithic.

Share

Let's Encrypt Certificate for SMTP with STARTTLS

TLS Encryption

Let's Encrypt provides an easy way to get free certificates not only for web servers, but also for email servers like Postfix.

The way Let's Encrypt usually works requires you to setup a web server. Let's Encrypt sends you a challenge, and you have to prove ownership of the domain by providing a response to that challenge. You do this by placing the response in a certain URL on your web server:
http://www.yourserver.com/.well-known/acme-challenge/FgedPYS65N3HfwmM7IWY2...

That way you prove that you are the owner of the domain "yourserver.com". But there is another even easier way to prove ownership of a domain: DNS. You place the response in a specific TXT record of your domain: _acme-challenge.www.yourserver.com

  • You can use your domain hosting service (GoDaddy, Whois, etc.) to create a new TXT record.
  • The "certbot" command line client does all the rest in just one call.
  • Under Debian 9 and 10, "certbot" is part of the official package repository.
  • You can run certbot on any Linux client. You don't have to run it on the email server.

Example

In this example the public hostname of your mail server is mx.yourserver.com. Therefore you have to create a TXT record called _acme-challenge.mx.yourserver.com . The value of the TXT record is in the output of certbot.

# certbot certonly --manual --preferred-challenges dns -d mx.yourserver.com
 
Saving debug log to /var/log/letsencrypt/letsencrypt.log 
Plugins selected: Authenticator manual, Installer None 
Obtaining a new certificate 
Performing the following challenges: 
dns-01 challenge for mx.yourserver.com 
 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
NOTE: The IP of this machine will be publicly logged as having requested this 
certificate. If you're running certbot in manual mode on a machine that is not 
your server, please ensure you're okay with that. 
 
Are you OK with your IP being logged? 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
(Y)es/(N)o: Y 
 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
Please deploy a DNS TXT record under the name 
_acme-challenge.mx.yourserver.com with the following value: 
 
1A4RACHEISTBLUTWURST_egTVadkeiieikeieisfkfk
 
Before continuing, verify the record is deployed. 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
Press Enter to Continue 
Waiting for verification... 
Cleaning up challenges 
 
IMPORTANT NOTES: 
 - Congratulations! Your certificate and chain have been saved at: 
   /etc/letsencrypt/live/mx.yourdomain.com/fullchain.pem 
   Your key file has been saved at: 
   /etc/letsencrypt/live/mx.yourdomain.com/privkey.pem 
   Your cert will expire on 2020-02-15. To obtain a new or tweaked 
   version of this certificate in the future, simply run certbot 
   again. To non-interactively renew *all* of your certificates, run 
   "certbot renew" 
 - If you like Certbot, please consider supporting our work by: 
 
   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate 
   Donating to EFF:                    https://eff.org/donate-le
Share

C++ - The Beast is Back (Halloween Special)

C++ The Beast is Back

Do you remember the time when programming languages like Visual Basic and Java came out and flourished, because they let programmers forget about all the underlying technical details of computers, so they could focus more on things like algorithms and use cases?

"I don't wanna waste my time with solving memory management problems or all those other low level stuff. These days are finally over!" Many programmers hated C++ because they were annoyed by memory leaks, pointers, byte sizes of variable types and data structures, compiler errors, linker warnings, ... the list goes on and on.

And managers? They loved Java and Visual Basic. Less tech talk about problems nobody really understands anyway, faster time to market, happy customers, what else could you want?

It seemed like the days of C and C++ were counted. Maybe they could still be used for some low level system programming, but certainly not application programming. Instead let's move on and jump on the ponderous but convenient bytecode train. Just add some more RAM modules to the server, and triple the disk space of those cloud containers, then we're done. What a beautiful simple world it is now, the world of software programming. Right? Right?? Right???

The Return of the Beast

Well ... not so fast (pun intended). New emerging technologies like Big Data, Blockchain and AI become part of everyday application development. And what about IoT (edge cloud)? Small IoT devices don't have Terabytes of RAM and server scale CPU processors. All of these rapidly growing technologies require lean and fast code modules tailored to their specific requirements.

I recently came across a free eBook from O'Reilly: C++ Today - The Beast is Back. It is from 2015, but large parts are still valid today. I highly recommend reading it. Once you have finished, here is my very own top 6 list of reasons why "the beast is back":

  1. Coding discipline
    Source code formatting, code commenting, coding guidelines, best practices: Python brought discipline back into aspiring programmers. Coders are now less annoyed by investing time in high quality source code, because they realize it will in turn create higher quality software that is easier to maintain and safes time and money in the end. C++ development also requires a lot of discipline and attention to details, but you are rewarded with a minimum disk and memory footprint and unparalleled performance.
  2. Focus on technology
    Tech is back: Logging in with SSH to a remote git server? Using vim to fix a typo in some Python source files? No problem. Today there are more tutorials out there about vim and the Linux command line than ever before. Students again want to get in touch with the underlying technology and learn how stuff works under the hood. Knowing the memory footprint of a running program is not considered evil sorcery any more.
  3. New standards
    C++ has come a long way since the last decade:
    C++11, C++14, C++17, C++20
    New programming ideas and standards are coming up every year, and C++ is adapting fast.
  4. New technologies
    Blockchain, IoT, Big Data and Deep Learning: Exciting new technologies are all about performance, data crunching, sheer numbers. You need a lean and fast beast like C++ to tame them. For example the core of TensorFlow, today's most popular machine learning framework, is written in C++.
  5. Low competition
    In July 2019 Microsoft announced they are thinking about moving from C++ to Rust for developing internal and external software. My question: What do you do with the rest of the weekend? Seriously: It might sound like a great idea to get rid of stack overflow problems and the like, but porting tons of code from C++ to Rust will probably take decades. Furthermore, Rust is not nearly as developed and stable as C++. There sure are still heaps of banana skins hidden beneath the shiny new surface of Rust.
  6. Go green, go C++
    In 2018 the first YouTube video hit 5 billion views and burned as much energy as 40,000 US homes use in a year. This should make it very clear that every innocent clickety-click-click-barely-touching-the-shiny-polished-surface-of-your-tiny-cutesy-iphone has a huge impact on telecommunication infrastructure and cloud data centers spread around the globe. Cloud services are run by software. The more efficient the software is, the less energy these services consume (CPU, hard drive, memory, etc.). Unfortunately today's most famous programming languages JavaScript, Java and Python are rather energy inefficient. Compiled languages like C++ use less memory, produce less hard drive read/writes and consume less CPU cycles, thus making them far more energy efficient.

Share

iptables: Block traffic by country (Debian 10)

You need the package versions from at least Debian 10 testing for this to work. Installing specific packages from the testing branch is beyond the scope of this article, but there are many tutorials online.

  • Switch to legacy iptables (I did not try it with the new nftables packet filter that came with Debian 10):
sudo update-alternatives --config iptables 
There are 2 choices for the alternative iptables (providing /usr/sbin/iptables). 

 Selection    Path                       Priority   Status 
------------------------------------------------------------ 
 0            /usr/sbin/iptables-nft      20        auto mode 
* 1            /usr/sbin/iptables-legacy   10        manual mode 
 2            /usr/sbin/iptables-nft      20        manual mode 

Press <enter> to keep the current choice[*], or type selection number: 1
  • Install iptables module "geoip" (from testing) and dependencies:
sudo aptitude install xtables-addons-common/testing xtables-addons-dkms/testing libnet-cidr-lite-perl libtext-csv-xs-perl
  • Make sure you have the right version (from Debian testing):
apt show xtables-addons-common
...
Version: 3.5-0.1
...
  • Download and build geoip database (zipped CSV file from MaxMind):
sudo -i
mkdir /usr/share/xt_geoip/ 
cd /usr/share/xt_geoip/
/usr/lib/xtables-addons/xt_geoip_dl
cd GeoLite2-Country-CSV_* 
/usr/lib/xtables-addons/xt_geoip_build
cp *iv? ..
  • Check your iptables rules in INPUT chain. It should look something like this, if you already setup iptables:
# iptables --line-numbers -nL  INPUT

Chain INPUT (policy DROP) 
num  target     prot opt source               destination          
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2    ACCEPT     ...
3    ACCEPT     ...
...
8    LOG        all  --  0.0.0.0/0            0.0.0.0/0            state INVALID,NEW LOG flags 0 level 4 prefix "DROP input:"
  • Add iptables rule to block all incoming traffic from e.g. Prague/Czech Republic. Make sure to insert the new rule after the RELATED/ESTABLISHED rule and before any other ACCEPT rules. In this example, the rule is inserted as line number 2.
iptables -I INPUT 2 -m geoip --src-cc CZ -j DROP
  • In the second example we block all traffic except the one that is originating from the United States. TCP traffic is not simply dropped, but spoofed by the DELUDE target.
iptables -I INPUT 2 -m geoip ! --src-cc US -j DROP
iptables -I INPUT 2 -p tcp -m geoip ! --src-cc US -j DELUDE

Important things to note:

  • You have to reinstall package "xtables-addons-common" with every new kernel version because it is compiled during package installation using the current kernel source (see /usr/src/xtables-addons-*).
  • For more information about the DELUDE target in the second example, see "man xtables-addons". It spoofs nmap scans and makes it harder for port scanners to scan the destination host. It is only valid for TCP traffic.
Share

Android smartphone "Cubot Echo"

Smartphone

Cubot is a Chinese Android smartphone brand that offers a wide variety of inexpensive phone models. With the Cubot Echo (released in 2016) you get surprisingly good quality at a low price.

One of the main advantages of Cubot smartphones is their native Android version (stock Android). Many smartphone manufacturers heavily modify Android and add tons of "features" and apps that you don't really need and are more annoying than helpful. They hope to create a unique customer experience that makes users get accustomed to their brand so they choose the same brand again for their next phone. Moreover these modifications often slow down overall performance and introduce security holes.

Cubot ships all their models with an almost native Android version. No modifications (except necessary adaptions to hardware), no annoying apps or background tasks that cannot be removed, etc.

Cubot Echo
https://www.cubot.net/smartphones/echo/spec.html

Pros
+ Very good overall hardware quality compared to cheap price (unbreakable display, strong body for outdoor use)
+ Good display, camera quality and performance compared to cheap price
+ Large 5.0 inch display
+ HDR photography
+ Up to 128 GB micro sdcard (supported, but not included)
+ Native Android user experience, no annoying modifications or add-ons
+ Removable battery
+ Cheap price

Cons
- Android security patch level only from 05.06.2017, but latest firmware update (which will be installed automatically after setup) DOES include security patch for WiFi WPA2 KRACK attack (build 08.02.2018). Android 6 Marshmallow does no longer receive security updates from Google, but you can install the unofficial Android alternative LineageOS based on Android 7 Nougat.
- No 4G / LTE support
- A bit heavy
- Released in 2016, a little bit outdated

Verdict
You can get the Cubot Echo for as cheap as 60 EUR. If you can live with the security issues and the missing LTE support, that's a definitive buy. Especially considering that the upcoming Google Pixel 3 flagship for 850 EUR guarantees Android security updates for only 3 years. You could buy 14 Cubot Echos for that price. And the Google Pixel 3 does not have a removable battery, which makes it very hard to replace.

Cubot comparison chart

Cubot EchoCubot J5
Android VersionAndroid 6 Marshmallow
(no longer supported)
Unofficial support for LineageOS
based on Android 7 Nougat
Android 9
ProcessorMT6580 1.3 GHz Quad-coreMT6580 1.3 GHz Quad-core
Display5" IPS
(1300:1 contrast)
5.5" IPS
(18:9 format, 1300:1 contrast)
Brightness (cd/㎡)450450
Memory (RAM / ROM)2 GB / 16 GB2 GB / 16 GB
Max. Additional Storageup to 128 GB (not included)up to 128 GB (not included)
Camera (Back / Front)13 MP / 5 MP8 MP / 5 MP (interpolated)
LTEnono
Extras - Micro + standard dual SIM (no eSIM)
- A-GPS
- USB OTG
- Special sound chip with big speaker
- Unbreakable case
- Dual nano SIM (no eSIM)
- A-GPS
- Curved display sides
- Gradient color case
Battery3000 mAh (removable)2800 mAh (removable)
Price~ 60 €~ 65 €
Cubot NovaCubot Magic
Android VersionAndroid 8.1 OreoAndroid 7 Nougat
ProcessorMT6739 1.5 GHz Quad-coreMT6737 1.3 GHz Quad-core
Display5.5" HD+
(18:9 format, 1300:1 contrast)
5" IPS
(1300:1 contrast)
Brightness (cd/㎡)450450
Memory (RAM / ROM)3 GB / 16 GB3 GB / 16 GB
Max. Additional Storageup to 128 GB (not included)up to 128 GB (not included)
Camera (Back / Front)13 MP / 8 MP13 MP / 5 MP
(13 MP +2 MP Dual Back Camera)
LTEyesyes
Extras - Dual 4G nano SIM (no eSIM)
- A-GPS
- Fingerprint sensor
- Dual micro SIM and dual standby (no eSIM)
- A-GPS
- Curved display sides
Battery2800 mAh (removable)2600 mAh (removable)
Price~ 70 €~ 70 €

Share

Add entropy to KVM virtual guests (Why is key creation so slow?)

Problem

Cryptographic key creation (GnuPG, SSH, etc.) in virtual guests may be very slow because there is not enough entropy.

$ cat /proc/sys/kernel/random/entropy_avail 
7

Solution

Add /dev/urandom from virtual host in virt-manager. Click on "Add Hardware".

Add "RNG" device.

This is what will be added to the qemu xml file in /etc/libvirt/qemu:

<domain type='kvm'>
  ---
  <devices>
    ...
   <rng model='virtio'> 
     <backend model='random'>/dev/urandom</backend> 
     <address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x0'/> 
   </rng> 
 </devices> 
</domain>

In the virtual guest, install "rng-tools" (Ubuntu 18.04).

$ sudo apt-get install rng-tools

If something goes wrong, the rngd daemon will complain in /var/log/syslog.

Oct 13 22:48:07 guest rngd: read error 
Oct 13 22:48:07 guest rngd: message repeated 99 times: [ read error] 
Oct 13 22:48:07 guest rngd: No entropy sources working, exiting rngd

If rngd is working correctly, check entropy level again.

$ cat /proc/sys/kernel/random/entropy_avail
3162
Share

Security Guidelines

Computer Security

Physical Device Security

  • Always completely switch off your computer and lock your computer safely away, even if you just visit the bathroom. Screen saver locking or putting the laptop into sleep mode is not enough (Cold Boot Attacks).
    https://blog.f-secure.com/cold-boot-attacks
  • Don't display anything important on your computer screen (Van-Eck-Phreaking).
    https://twitter.com/windyoona/status/1023503150618210304
    http://www.eweek.com/security/researchers-discover-computer-screens-emit-sounds-that-reveal-data
  • Don't type in anything important on your keyboard or touchscreen.
    http://www.eweek.com/security/researchers-discover-computer-screens-emit-sounds-that-reveal-data
  • Install USBGuard to protect against unknown USB devices.
    (Note that USB IDs and serial numbers of USB devices can easily be replicated. Once an attacker knows the type of USB device you are using, and its serial number, USBGuard can easily be bypassed. That means: Never lend someone your USB stick, never accept a USB device from untrustworthy persons ... which means anyone.)

Software Security

  • Always use fingerprints to identify certificates for important web services. Don't rely solely on CAs.
    https://www.theregister.co.uk/2018/09/06/certificate_authority_dns_validation/

Useful Links

  • Ubuntu Security
    https://www.ubuntu.com/security
  • Ubuntu Security Features Matrix
    https://wiki.ubuntu.com/Security/Features
  • End User Device Security Guidance for Ubuntu 18.04 LTS from the NCSC (National Cyber Security Center, part of GCHQ)
    https://www.ncsc.gov.uk/guidance/eud-security-guidance-ubuntu-1804-lts
Share

Password security - it is not about length or complexity

Password

Passwörter sollten nach Möglichkeit nicht im Klartext am Bildschirm angezeigt werden. Neben dem offensichtlichen Shoulder Surfing ("über die Schulter schauen"), gibt es auch sog. Seitenkanalangriffe in blickgeschützten Bereichen.

Das ursprünglich für ältere Röhrenmonitore entwickelte Van-Eck-Phreaking, bei dem die elektromagnetische Strahlung über größere Distanzen aufgezeichnet wird, lässt sich offenbar auch für moderne LCD-Monitore mit HDMI-Kabel ausnutzen. Aus der empfangenen elektromagnetischen Strahlung wird dann das ursprüngliche Monitorbild rekonstruiert. Die dazu notwendige Elektronik ist mittlerweile schon für ambitionierte Hobby-Bastler erschwinglich.

Einige Quellen im Internet weisen ebenso auf relativ hohe elektromagetische Strahlungen und akustische Signale von aktuellen PC-Grafikkarten und Flachbildschirmen/Touchscreens in Kombination mit Monitor- und Stromkabeln hin, die im Prinzip wie eine Antenne funktionieren.

Um Sicherheitsproblemen in diesem Bereich von vornherein aus dem Weg zu gehen, kann man z.B. moderne Passwortmanager verwenden, die Passwörter automatisch generieren und dann über die Zwischenablage in die Anwendung kopieren, ohne das Passwort selbst im Klartext eintippen oder auf dem Bildschirm anzeigen zu müssen.

Share

Upgrading from Ubuntu 16.04 LTS to 18.04 LTS

Overall changes

Canonical support has been dropped from the following packages. They have been moved to the universe repo.

  • tcpd
  • xinetd
  • isc-dhcp-server-ldap
  • ntp, ntpdate
    There might be problems to automatically start previously configured ntp service at boot time. As a replacement, systemd-timesyncd.service is now enabled by default and provides SNTP client services. Default time server is ntp.ubuntu.com, or the one obtained from systemd-networkd.service (s. "man timesyncd.conf" for configuration).
  • firewalld
  • ssmtp

New versions

  • kernel 4.4 -> 4.15
  • bind 9.10.3 -> 9.11.3
    https://kb.isc.org/category/81/0/10/Software-Products/BIND9/Release-Notes/
    https://www.isc.org/downloads/bind/bind-9-11-new-features/
  • bacula-fd 7.0.5 -> 9.0.6
    http://www.bacula.org/9.0.x-manuals/en/main/New_Features_in_7_4_0.html
    http://www.bacula.org/9.0.x-manuals/en/main/New_Features_in_9_0_0.html
  • systemd 229 -> 237
    https://github.com/systemd/systemd/blob/master/NEWS
  • libvirt 1.3.1 -> 4.0.0
    https://libvirt.org/news.html
  • virt-manager 1.3.2 -> 1.5.1
    https://github.com/virt-manager/virt-manager/blob/master/NEWS.md

Installing Bacula client from source

Again the new bacula-fd version 9.0.6 might be a problem, if you are running a Bacula server with an older version (s. Upgrade from Ubuntu Desktop 14.04 LTS to 16.04 LTS). In your job output, you will see an error like this:

25-Apr 02:15 server-dir JobId 5638: FD compression disabled for this Job because AllowCompress=No in Storage resource.
25-Apr 02:15 server-dir JobId 5638: Error: getmsg.c:178 Malformed message: Jmsg JobId=5638 type=9 level=1524615306 client-fd JobId 5638:      Unchanged file skipped: /etc/inputrc

25-Apr 02:15 server-dir JobId 5638: Error: getmsg.c:178 Malformed message: Jmsg JobId=5638 type=9 level=1524615306 client-fd JobId 5638:      Unchanged file skipped: /etc/bind/db.empty

25-Apr 02:15 server-sd JobId 5638: Fatal error: bsock.c:547 Packet size=1073742451 too big from "client:192.168.0.1:9103. Terminating connection.
25-Apr 02:15 server-dir JobId 5638: Error: getmsg.c:178 Malformed message: Jmsg JobId=5638 type=9 level=1524615306 client-fd JobId 5638:      Unchanged file skipped: /etc/bind/Kexample2.+163+42584.private

25-Apr 02:15 server-sd JobId 5638: Fatal error: append.c:149 Error reading data header from FD. n=-2 msglen=0 ERR=No data available
25-Apr 02:15 server-dir JobId 5638: Error: getmsg.c:178 Malformed message: Jmsg JobId=5638 type=9 level=1524615306 client-fd JobId 5638:      Unchanged file skipped: /etc/bind/zones.rfc1918

25-Apr 02:15 server-sd JobId 5638: Elapsed time=00:00:01, Transfer rate=186  Bytes/second
25-Apr 02:15 server-dir JobId 5638: Error: getmsg.c:178 Malformed message: Jmsg JobId=5638 type=4 level=1524615307 client-fd JobId 5638: Error: bsock.c:649 Write error sending 884 bytes to Storage daemon:192.168.0.1:9103: ERR=Broken pipe

25-Apr 02:15 server-dir JobId 5638: Error: getmsg.c:178 Malformed message: Jmsg JobId=5638 type=3 level=1524615307 client-fd JobId 5638: Fatal error: backup.c:843 Network send error to SD. ERR=Broken pipe

25-Apr 02:15 server-dir JobId 5638: Error: getmsg.c:178 Malformed message: Jmsg JobId=5638 type=4 level=1524615317 client-fd JobId 5638: Error: bsock.c:537 Socket has errors=1 on call to Storage daemon:192.168.0.1:9103

25-Apr 02:15 server-dir JobId 5638: Fatal error: bsock.c:547 Packet size=1073741935 too big from "Client: client-fd:client.example.com:9102. Terminating connection.
25-Apr 02:15 server-dir JobId 5638: Fatal error: No Job status returned from FD.

Here is how to install bacula-fd 5.2.13 from source on Ubuntu 18.04:

  • systemctl stop bacula-fd
  • Install packages required for building bacula client from source:
    apt-get install build-essentials libssl1.0-dev
  • Download bacula-5.2.13.tar.gz and bacula-5.2.13.tar.gz.sig from https://sourceforge.net/projects/bacula/files/bacula/5.2.13/
  • Import Bacula Distribution Verification Key and check key fingerprint (fingerprint for my downloaded Bacula key is 2CA9 F510 CA5C CAF6 1AB5  29F5 9E98 BF32 10A7 92AD):
    gpg --recv-keys 10A792AD
    gpg --fingerprint -k 10A792AD
  • Check signature of downloaded files:
    gpg --verify bacula-5.2.13.tar.gz.sig
  • tar -xzvf bacula-5.2.13.tar.gz
  • cd bacula-5.2.13
  • ./configure --prefix=/usr/local --enable-client-only --disable-build-dird --disable-build-stored --with-openssl --with-pid-dir=/var/run/bacula --with-systemd
  • check output of previous configure command
  • make && make install
  • check output of previous command for any errors
  • create new file /etc/ld.so.conf.d/local.conf:
    /usr/local/lib
  • ldconfig
  • Delete the following files:
    rm /lib/systemd/system/bacula-fd.service
    rm /etc/init.d/bacula-fd
    (In fact you can remove the bacula-fd 9.0.6 package completely, just make sure to copy the directory /etc/bacula somewhere safe before you do, and restore it afterwards.)
  • Create file /etc/systemd/system/bacula-fd.service (see below)
  • systemctl daemon-reload
  • systemctl start bacula-fd

/etc/systemd/system/bacula-fd.service:

[Unit] 
Description=Bacula File Daemon service 
Documentation=man:bacula-fd(8) 
Requires=network.target 
After=network.target 
RequiresMountsFor=/var/lib/bacula /etc/bacula /usr/sbin 
 
# from http://www.freedesktop.org/software/systemd/man/systemd.service.html 
[Service] 
Type=forking 
User=root 
Group=root 
Environment="CONFIG=/etc/bacula/bacula-fd.conf" 
EnvironmentFile=-/etc/default/bacula-fd 
ExecStartPre=/usr/local/sbin/bacula-fd -t -c $CONFIG 
ExecStart=/usr/local/sbin/bacula-fd -u root -g root -c $CONFIG 
ExecReload=/bin/kill -HUP $MAINPID 
SuccessExitStatus=15 
Restart=on-failure 
RestartSec=60 
PIDFile=/run/bacula/bacula-fd.9102.pid 

[Install] 
WantedBy=multi-user.target

Make sure that in you bacula-fd.conf, you have:

Pid Directory = /run/bacula

... and that the directory actually exists.

Some notable changes to systemd

When using systemd's default tmp.mount unit for /tmp, the mount point will now be established with the "nosuid" and "nodev" options. This avoids privilege escalation attacks that put traps and exploits into /tmp. However, this might cause problems if you e. g. put container images or overlays into /tmp; if you need this, override tmp.mount's "Options=" with a drop-in, or mount /tmp from /etc/fstab with your desired options.

systemd-resolved now listens on the local IP address 127.0.0.53:53 for DNS requests. This improves compatibility with local programs that do not use the libc NSS or systemd-resolved's bus APIs for name resolution. This minimal DNS service is only available to local programs and does not implement the full DNS protocol, but enough to cover local DNS clients. A new, static resolv.conf file, listing just this DNS server is now shipped in /usr/lib/systemd/resolv.conf. It is now recommended to make /etc/resolv.conf a symlink to this file in order to route all DNS lookups to systemd-resolved, regardless if done via NSS, the bus API or raw DNS packets. Note that this local DNS service is not as fully featured as the libc NSS or systemd-resolved's bus APIs. For example, as unicast DNS cannot be used to deliver link-local address information (as this implies sending a local interface index along), LLMNR/mDNS support via this interface is severely restricted. It is thus strongly recommended for all applications to use the libc NSS API or native systemd-resolved bus API instead.

systemd-resolved gained a new "DNSStubListener" setting in resolved.conf. It either takes a boolean value or the special values "udp" and "tcp", and configures whether to enable the stub DNS listener on 127.0.0.53:53.

The new ProtectKernelModules= option can be used to disable explicit load and unload operations of kernel modules by a service. In addition access to /usr/lib/modules is removed if this option is set.

Units acquired a new boolean option IPAccounting=. When turned on, IP traffic accounting (packet count as well as byte count) is done for the service, and shown as part of "systemctl status" or "systemd-run --wait". If CPUAccounting= or IPAccounting= is turned on for a unit a new structured log message is generated each time the unit is stopped, containing information about the consumed resources of this invocation.

Share