Thierry Jaouen WikiBlog
"I don't give a damn about being read,
as long as I can reread myself."


Bacula Storage and Mount

Just for the record.

bacula-sd.conf

Device {
   # ---------------------------
   Name = "backup-misc"
   Archive Device = /mnt/bacula-data/misc
   Maximum Concurrent Jobs = 10
   # ---------------------------
   Device Type = File
   Media Type = File
   RemovableMedia = No
   Random Access = Yes
   LabelMedia = Yes
   AutomaticMount = Yes
   AlwaysOpen = No
   # ---------------------------
   Requires Mount = Yes
   Mount Point = "/mnt/bacula-data"
   Mount Command = "sudo /usr/local/bin/mount_crypt_device start"
   Unmount Command = "sudo /usr/local/bin/mount_crypt_device stop"
   # ---------------------------
}

Sudo

Since bacula does not run as root, it has to go through sudo, which is configured as follows:

User_Alias BACULA=bacula
Cmnd_Alias MOUNTCRYPT=/usr/local/bin/mount_crypt_device
BACULA  ALL=NOPASSWD:MOUNTCRYPT

Script

The script must therefore respond to 3 commands:

start
stop
status

start → mount
stop → unmount
status → report whether it is mounted or not.

In my case, it is a script that mounts a partition encrypted with cryptsetup.

For the record: mount_crypt_device

#!/bin/bash

MODE="$1"

MAPPER_NAME='bacula-data'

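# The exit status of cryptdev is the exit status of this script,
# so the caller (Bacula, through sudo) sees whether the operation worked.
case "$MODE" in
  start)
      cryptdev start "${MAPPER_NAME}" xvdb1
      ;;
  stop)
      cryptdev stop "${MAPPER_NAME}"
      ;;
  status)
      cryptdev status "${MAPPER_NAME}"
      ;;
  *)
      echo "$0 {start|stop|status}" >&2
      exit 1
      ;;
esac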

# -----------------
# EOF

xvdb1 is the encrypted disk (it could have been sdb1, sdc2, etc.)

And most importantly, cryptdev:

#!/bin/bash

# -----------------------------------------

MODE="$1"                        ; # start|stop|status

MAPPER_NAME="$2"                 ; # bacula-data

DEVICE="$3"                      ; # xvdb2

# Example:
# ... start bacula-data xvdb2
# ... status bacula-data
# ... stop bacula-data

# -----------------------------------------

MOUNT_SRC="/dev/mapper/${MAPPER_NAME}"
MOUNT_DST="/mnt/${MAPPER_NAME}"

getpass()
{
  # printf rather than echo: with "-d -" cryptsetup reads stdin as a key file
  # and keeps a trailing newline as part of the key.
  printf '%s' "mot_de_passe_secret"

  # This is actually simplified: the password is not stored locally...
  # it is retrieved over the network with something like this:
  #    HTTP_USER=mon_user
  #    HTTP_PASSWD=secret_password
  #    HTTP_URL=url_pour_recuperer_le_mot_de_passe
  #  The response is: password:mot_de_passe
  #    wget -q -O - --no-check-certificate --http-user="${HTTP_USER}" --http-passwd="${HTTP_PASSWD}" "${HTTP_URL}" | egrep "^password:" | awk -F':' '{ print $2; }' | tr -d "\r\n"
}

case "$MODE" in
  start)

      if [ -z "$MAPPER_NAME" ] ; then
        echo "MAPPER_NAME missing" >&2
        exit 1
      fi

      if [ -z "$DEVICE" ] ; then
        echo "DEVICE missing" >&2
        exit 1
      fi

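      # Match the whole source field (note the trailing space), not just a prefix
      if grep -q "^${MOUNT_SRC} " /proc/mounts ; then
        echo "Already mounted!"
        exit 0
      fi

      # The passphrase is passed to cryptsetup on stdin (-d -)
      if getpass | cryptsetup luksOpen "/dev/${DEVICE}" "${MAPPER_NAME}" -d - ; then
        if mount "${MOUNT_SRC}" "${MOUNT_DST}" ; then
          logger -t "$0" "mount OK"
          exit 0
        fi
        # mount failed: do not leave the decrypted mapping open
        cryptsetup luksClose "${MAPPER_NAME}"
      fi

      # luksOpen or mount failed: report it to the caller
      logger -t "$0" "mount FAILED"
      exit 1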
      ;;
  stop)
      if [ -z "$MAPPER_NAME" ] ; then
        echo "MAPPER_NAME missing" >&2
        exit 1
      fi

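      # Match the whole source field (note the trailing space), not just a prefix
      if grep -q "^${MOUNT_SRC} " /proc/mounts ; then
        if umount "${MOUNT_DST}" ; then
          if cryptsetup luksClose "${MAPPER_NAME}" ; then
            logger -t "$0" "unmount OK"
            exit 0
          fi
        fi
        # umount or luksClose failed: report it to the caller
        logger -t "$0" "unmount FAILED"
        exit 1
      else
        echo "Nothing mounted!"
      fi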
      ;;
  status)
      if [ -z "$MAPPER_NAME" ] ; then
        echo "MAPPER_NAME missing" >&2
        exit 1
      fi

      # Match the whole source field (note the trailing space), not just a prefix
      if grep -q "^${MOUNT_SRC} " /proc/mounts ; then
        echo "OK"
      else
        echo "Not mounted"
      fi
      ;;
  *)
      echo "$0 {start|stop|status}" >&2
      exit 1
      ;;
esac

# -----------------
# EOF
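
cryptdev decides whether the volume is mounted by looking up /dev/mapper/<name> in /proc/mounts. The following is an added example, not the author's code: it does that lookup by comparing whole fields and also checks the mount point, so that a similarly named mapping or another filesystem sitting on /mnt/bacula-data is not taken for the encrypted volume. The function names prefix_match and mount_state and the sample mount tables are constructed for this illustration.

```shell
#!/bin/bash
# Added example, not part of the original scripts; sample data is constructed.

# prefix_match MOUNTS_FILE SRC
# Regex match on the start of the line only, shown for comparison:
# "/dev/mapper/bacula-data" also matches "/dev/mapper/bacula-data-old".
prefix_match() {
  grep -Eq "^$2" "$1"
}

# mount_state MOUNTS_FILE SRC DST
# Compares whole fields (field 1 = source, field 2 = mount point).
#   0  SRC is mounted on DST and neither appears in any other entry
#   1  neither SRC nor DST is in use
#   2  mismatch: SRC is mounted elsewhere, or something else is on DST
mount_state() {
  SRC="$2" DST="$3" awk '
    BEGIN { src = ENVIRON["SRC"]; dst = ENVIRON["DST"] }
    $1 == src && $2 == dst     { ok = 1 }
    ($1 == src) != ($2 == dst) { bad = 1 }
    END { if (bad) exit 2; if (ok) exit 0; exit 1 }
  ' "$1"
}

# Constructed samples in /proc/mounts format.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/mounted" <<'EOF'
/dev/xvda1 / ext4 rw,relatime 0 0
/dev/mapper/bacula-data /mnt/bacula-data ext4 rw,relatime 0 0
EOF
cat > "$SAMPLE_DIR/lookalike" <<'EOF'
/dev/xvda1 / ext4 rw,relatime 0 0
/dev/mapper/bacula-data-old /mnt/old ext4 rw,relatime 0 0
EOF
cat > "$SAMPLE_DIR/wrong_fs" <<'EOF'
/dev/xvda1 / ext4 rw,relatime 0 0
tmpfs /mnt/bacula-data tmpfs rw 0 0
EOF

# On a real host, pass /proc/mounts as the first argument instead.
for f in mounted lookalike wrong_fs; do
  rc=0
  mount_state "$SAMPLE_DIR/$f" /dev/mapper/bacula-data /mnt/bacula-data || rc=$?
  echo "$f: mount_state=$rc"
done
```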

blog/2012/03/19/bacula_storage_et_mount.txt · Last modified: 2012/03/19 16:38 by thierry