Just for the record.
```
Device {
  # ---------------------------
  Name = "backup-misc"
  Archive Device = /mnt/bacula-data/misc
  Maximum Concurrent Jobs = 10
  # ---------------------------
  Device Type = File
  Media Type = File
  RemovableMedia = No
  Random Access = Yes
  LabelMedia = Yes
  AutomaticMount = Yes
  AlwaysOpen = No
  # ---------------------------
  Requires Mount = Yes
  Mount Point = "/mnt/bacula-data"
  Mount Command = "sudo /usr/local/bin/mount_crypt_device start"
  Unmount Command = "sudo /usr/local/bin/mount_crypt_device stop"
  # ---------------------------
}
```
Since bacula does not run as root, it has to go through sudo, which is configured as follows:
```
User_Alias BACULA=bacula
Cmnd_Alias MOUNTCRYPT=/usr/local/bin/mount_crypt_device
BACULA ALL=NOPASSWD:MOUNTCRYPT
```
The script therefore has to handle three commands: `start`, `stop` and `status`.

- `start` → mount
- `stop` → unmount
- `status` → report whether it is mounted or not.
In my case, it is a script that mounts a partition encrypted with cryptsetup
…
For the record: `mount_crypt_device`
```bash
#!/bin/bash
# Wrapper called by Bacula through sudo: the mapper name and the device are
# hard-coded here, so the sudo rule never has to trust caller-supplied arguments.
MODE="$1"
MAPPER_NAME='bacula-data'

case "$MODE" in
    start)
        cryptdev start "${MAPPER_NAME}" xvdb1
        ;;
    stop)
        cryptdev stop "${MAPPER_NAME}"
        ;;
    status)
        cryptdev status "${MAPPER_NAME}"
        ;;
    *)
        echo "$0 {start|stop|status}" >&2
        exit 1
        ;;
esac
# -----------------
# EOF
```
`xvdb1` is the encrypted disk (it could just as well have been `sdb1`, `sdc2`, etc.).
But above all, `cryptdev`:
```bash
#!/bin/bash
# -----------------------------------------
MODE="$1"          # start|stop|status
MAPPER_NAME="$2"   # bacula-data
DEVICE="$3"        # xvdb2
# Example:
# ... start bacula-data xvdb2
# ... status bacula-data
# ... stop bacula-data
# -----------------------------------------
MOUNT_SRC="/dev/mapper/${MAPPER_NAME}"
MOUNT_DST="/mnt/${MAPPER_NAME}"

getpass() {
    # printf rather than echo: with "-d -" cryptsetup does not stop reading
    # at a newline, so a trailing "\n" would become part of the passphrase.
    printf '%s' "mot_de_passe_secret"
    # Actually this is simplified, because the passphrase is not stored locally...
    # it is fetched over the network with something like this:
    # HTTP_USER=mon_user
    # HTTP_PASSWD=secret_password
    # HTTP_URL=url_pour_recuperer_le_mot_de_passe
    # The response is: password:mot_de_passe
    # wget -q -O - --no-check-certificate --http-user="${HTTP_USER}" --http-passwd="${HTTP_PASSWD}" "${HTTP_URL}" | egrep "^password:" | awk -F':' '{ print $2; }' | tr -d "\r\n"
}

# True when MOUNT_SRC appears as a mount source. The trailing space makes the
# match exact, so "bacula-data2" does not pass for "bacula-data".
is_mounted() {
    grep -qE "^${MOUNT_SRC} " /proc/mounts
}

case "$MODE" in
    start)
        if [ -z "$MAPPER_NAME" ] ; then
            echo "MAPPER_NAME missing" >&2
            exit 1
        fi
        if [ -z "$DEVICE" ] ; then
            echo "DEVICE missing" >&2
            exit 1
        fi
        if is_mounted ; then
            echo "Already mounted!"
            exit 0
        fi
        # Every failure must exit non-zero, otherwise Bacula assumes the mount
        # succeeded and writes to the unmounted directory.
        if ! getpass | cryptsetup luksOpen "/dev/${DEVICE}" "${MAPPER_NAME}" -d - ; then
            logger -t "$0" "luksOpen failed"
            exit 1
        fi
        if ! mount "${MOUNT_SRC}" "${MOUNT_DST}" ; then
            # do not leave the mapping open when the mount fails
            cryptsetup luksClose "${MAPPER_NAME}"
            logger -t "$0" "mount failed"
            exit 1
        fi
        logger -t "$0" "mount OK"
        exit 0
        ;;
    stop)
        if [ -z "$MAPPER_NAME" ] ; then
            echo "MAPPER_NAME missing" >&2
            exit 1
        fi
        if ! is_mounted ; then
            echo "Nothing mounted!"
            exit 0
        fi
        if ! umount "${MOUNT_DST}" ; then
            logger -t "$0" "umount failed"
            exit 1
        fi
        if ! cryptsetup luksClose "${MAPPER_NAME}" ; then
            logger -t "$0" "luksClose failed"
            exit 1
        fi
        logger -t "$0" "unmount OK"
        exit 0
        ;;
    status)
        if [ -z "$MAPPER_NAME" ] ; then
            echo "MAPPER_NAME missing" >&2
            exit 1
        fi
        if is_mounted ; then
            echo "OK"
        else
            echo "Not mounted"
            exit 1
        fi
        ;;
    *)
        echo "$0 {start|stop|status}" >&2
        exit 1
        ;;
esac
# -----------------
# EOF
```
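The scripts above decide whether the volume is mounted by running a regular expression over `/proc/mounts`. The following is a stricter check that compares mount source and mount point field by field and decodes the `\040` escape the kernel uses for spaces in paths; it is an added example, not code from the original post, and the `mounted_at` function and the sample mount table are constructed.

```shell
#!/bin/bash
# Added example (not from the original post): exact-match test against
# /proc/mounts instead of a regex on the mapper path's prefix.
# /proc/mounts is whitespace-separated and the kernel writes spaces in
# paths as \040, so source and mount point are compared field by field.

# mounted_at MAPPER_NAME MOUNT_DST [MOUNTS_FILE]
# Returns 0 only when /dev/mapper/MAPPER_NAME is mounted at MOUNT_DST.
mounted_at() {
    local src="/dev/mapper/$1" dst="$2" file="${3:-/proc/mounts}"
    awk -v src="$src" -v dst="$dst" '
        { s = $1; d = $2
          gsub(/\\040/, " ", s); gsub(/\\040/, " ", d)   # decode \040
          if (s == src && d == dst) { found = 1; exit } }
        END { exit (found ? 0 : 1) }' "$file"
}

# Constructed sample of /proc/mounts, written to a temp file so the function
# can be exercised without touching the real mount table. Note the decoy
# mapper "bacula-data2", which a prefix match "^/dev/mapper/bacula-data"
# would accept.
SAMPLE_MOUNTS=$(mktemp)
cat > "$SAMPLE_MOUNTS" <<'EOF'
/dev/xvda1 / ext4 rw,relatime 0 0
/dev/mapper/bacula-data2 /mnt/other ext4 rw,relatime 0 0
/dev/mapper/bacula-data /mnt/bacula-data ext4 rw,relatime 0 0
/dev/mapper/old\040data /mnt/old\040data ext4 rw,relatime 0 0
EOF

if mounted_at bacula-data /mnt/bacula-data "$SAMPLE_MOUNTS" ; then
    echo "bacula-data is mounted at /mnt/bacula-data"
fi
if ! mounted_at bacula-data /mnt/other "$SAMPLE_MOUNTS" ; then
    echo "bacula-data is not mounted at /mnt/other"
fi
```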