Bug 1376453
| Summary: | bacula-sd reports "Permission denied" on device though running as root | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | André Schramm <andre.schramm> |
| Component: | bacula | Assignee: | Josef Ridky <jridky> |
| Status: | CLOSED NOTABUG | QA Contact: | qe-baseos-daemons |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 6.8 | CC: | andre.schramm, yves.mulleneers |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2016-09-20 11:45:26 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Thank you for this report. This issue has been discussed with upstream authors with the following results:

1) The main problem is in different versions of the Director and the SD. Bacula does not support running with different versions of the Director and SD.

Versions supported:
DIR == SD (only)
FD <= DIR/FD

So different DIR and SD is not supported and in general will not work. And the FD must be the same version as the DIR/SD or older, but not newer.

2) When the first point is resolved and if the permission problem still persists on the SD which is running with root, it is probably because the SELINUX is enabled and the rules have not been appropriately adapted. The Bacula project does not use or support SELINUX.

While Red Hat welcomes bug reports on Red Hat products here in our public bugzilla database, please keep in mind that bugzilla is not a support tool or means of accessing support. If you would like technical support please visit our support portal at access.redhat.com or call us for information on subscription offerings to suit your needs.

I have got one more highlight to this topic from upstream.
I have put the message from upstream below.
---- UPSTREAM MESSAGE ----
I think that this behavior is caused by wrong Bacula usage by the user.
Please look at the following steps that the user did (with my comments):
1) [root@bacula-sd ~]# /usr/libexec/bacula/mtx-changer /dev/sg5 load 1 /dev/nst0 0
To load/unload a volume in storage managed by Bacula, the user has to
umount the storage first. Otherwise Bacula SD will have the wrong tape
drive state remembered and for this reason Bacula can try to load a volume
already loaded or can try to unload a volume not loaded.
2) [root@bacula-dir ~]# bconsole
*status storage=Quantum-Changer
...
Device status:
Autochanger "Quantum-Changer" with devices:
"LTO5" (/dev/nst0)
Device "LTO5" (/dev/nst0) open but no Bacula volume is currently mounted.
Drive 0 status unknown.
Total Bytes Read=0 Blocks Read=0 Bytes/block=0
Positioned at File=0 Block=0
====
...
In this output the "no Bacula volume is currently mounted" state means
that Bacula SD doesn't know about loaded tape from slot 1 to tape
drive /dev/nst0. So, before loading volume by mtx-changer the storage
wasn't unmounted (it was mounted).
3) *label storage=Quantum-Changer pool=LTO5-Pool slots=1-3 barcodes
It can fail because of above problem.
4) *unmount storage=Quantum-Changer
It can fail because of above problem.
5) [root@bacula-sd ~]# /etc/init.d/bacula-sd stop
All Bacula SD devices are freed.
6) [root@bacula-sd ~]# cp /etc/init.d/bacula-sd /etc/init.d/bacula-sdd
I am not sure if it is required.
7) [root@bacula-sd init.d]# /etc/init.d/bacula-sdd start
After starting Bacula SD, all devices are mounted again and tape
drives (with volumes or without) are initialized in Bacula SD.
*label storage=Quantum-Changer pool=LTO5-Pool slots=1-3 barcodes
Devices were mounted and initialized correctly, so no error.
*unmount storage=Quantum-Changer
Devices were mounted and initialized correctly, so no error.
---- END OF MESSAGE ----
Please let us know if the message was helpful for you.
Thanks for your reply.

To put it short: We don't think this is a bug in Bacula, but rather in the CentOS init script or sth. related. Otherwise we would have directly reported it to the Bacula team. And we did not use the CentOS bug tracker as it would have ended up here anyway.

A short summary would be: the error "Permission denied" goes away if one simply renames /etc/init.d/bacula-sd to /etc/init.d/bacula-sdd and starts the latter. Nothing else is changed in any of the configuration files, only the name of the init script.

Basically, we were trying to set up a new/second tape lib in an existing scenario. The snippets from bconsole do not show everything we did, but should only show the difference between the actual and expected command outputs. Let aside the tape loading behind Bacula's back (which would have confused it) and the unmount on a not mounted tape (which nevertheless flawlessly worked in the second example).

The label scenario was Bacula with the new tape lib and all tapes unlabeled. Running the label command after starting /etc/init.d/bacula-sd gives "Permission denied" and detects no slots in the changer. Simply running /etc/init.d/bacula-sdd works as expected: 40 slots are detected and the tapes are labeled correctly. So it looks like the name of the init script somehow interferes with something else and/or causes "Permission denied".

But what was important was the "DIR == SD" constraint. Though I checked up the versions compatibility list [1] beforehand, I only focused on the FD. So our current setup with different versions of DIR and SD might be working (as it does with /etc/init.d/bacula-sdd), but is not officially supported and we'll have to change it anyway. It thus is unclear whether it is worth debugging this bug within the current setup.

[1] http://wiki.bacula.org/doku.php?id=versions_compatibility

Bacula Storage Daemon is executed as user bacula. On my system this user must be added to group tape. This command solved the 'permission denied' problem.

# usermod -a -G tape bacula

Obviously, tape devices are owned by group tape.

Thanks for your reply. As the topic states, the SD was running as root when the error occurred. I came across "Bug #905530 - bacula-director runs as root not bacula user" and it was the same for the SD at that time. I tried the solution from #905530 to run SD as user bacula, which was added to the tape group before. As this did not work, I changed SD_USER and SD_GROUP back to root. This was done on a customer system I no longer have access to, so I cannot provide any further information. Thanks for your help and this Bugzilla account is hereby closed.
Description of problem:
bacula-sd reports "Permission denied" on the device though it runs as root and all the devices are read-/writable for root. When trying to read the tape barcode labels, 0 slots instead of 40 are detected. But if one simply copies and renames the init script, everything works fine.

Setup:
Server "bacula-dir" (Gentoo): running bacula-dir
Server "bacula-sd" (CentOS 6.8): running bacula-sd, has tape lib "Quantum-Changer" attached

The bacula versions are not identical, but this should be no problem acc. to the bacula compatibility wiki and does not explain the effect.

Version-Release number of selected component (if applicable):
bacula-storage-common-5.0.0-13.el6.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Load a tape
[root@bacula-sd ~]# /usr/libexec/bacula/mtx-changer /dev/sg5 load 1 /dev/nst0 0
Loading media from Storage Element 1 into drive 0...done

2. Run bconsole and check the status
[root@bacula-dir ~]# bconsole
Connecting to Director bacula-dir:9101
1000 OK: bacula-dir Version: 5.2.12 (12 September 2012)
Enter a period to cancel a command.
*status storage=Quantum-Changer
Connecting to Storage daemon Quantum-Changer at 192.168.99.160:9103
bacula-sd Version: 5.0.0 (26 January 2010) x86_64-redhat-linux-gnu redhat
Daemon started 14-Sep-16 16:12, 0 Jobs run since started.
Heap: heap=135,168 smbytes=17,871 max_bytes=115,156 bufs=70 max_bufs=72
Sizes: boffset_t=8 size_t=8 int32_t=4 int64_t=8
Running Jobs:
No Jobs running.
====
Jobs waiting to reserve a drive:
====
Terminated Jobs:
JobId Level Files Bytes Status Finished Name
===================================================================
15441 Incr 0 0 Cancel 01-Sep-16 16:59 bacula-4
15451 Full 57,660 27.12 G Cancel 02-Sep-16 14:24 bacula-sd-2
15452 Full 0 0 Error 02-Sep-16 14:54 bacula-sd-2
15453 Full 0 0 Error 02-Sep-16 14:57 bacula-sd-2
15454 Full 0 0 Error 02-Sep-16 15:34 bacula-sd-2
15455 Full 0 0 Cancel 02-Sep-16 16:00 bacula-sd-2
====
Device status:
Autochanger "Quantum-Changer" with devices:
"LTO5" (/dev/nst0)
Device "LTO5" (/dev/nst0) open but no Bacula volume is currently mounted.
Drive 0 status unknown.
Total Bytes Read=0 Blocks Read=0 Bytes/block=0
Positioned at File=0 Block=0
====
Used Volume status:
====
====

3. Try to label or unmount the tape

Actual results:
*label storage=Quantum-Changer pool=LTO5-Pool slots=1-3 barcodes
Automatically selected Catalog: MyCatalog
Using Catalog "MyCatalog"
Connecting to Storage daemon Quantum-Changer at 192.168.99.160:9103 ...
3306 Issuing autochanger "slots" command.
Device "LTO5" has 0 slots.
No slots in changer to scan.
*unmount storage=Quantum-Changer
3301 Issuing autochanger "loaded? drive 0" command.
3991 Bad autochanger "loaded? drive 0" command: ERR=Child exited with code 1.
Results=cannot open SCSI device '/dev/sg5' - Permission denied
3002 Device "LTO5" (/dev/nst0) unmounted.

Now doing the following:
[root@bacula-sd ~]# /etc/init.d/bacula-sd stop
Shutting down bacula-sd: [ OK ]
[root@bacula-sd ~]# cp /etc/init.d/bacula-sd /etc/init.d/bacula-sdd
[root@bacula-sd init.d]# /etc/init.d/bacula-sdd start
Starting bacula-sd: [ OK ]

This leads to the expected results (detecting 40 slots and no permission errors):
*label storage=Quantum-Changer pool=LTO5-Pool slots=1-3 barcodes
Connecting to Storage daemon Quantum-Changer at 192.168.99.160:9103 ...
3306 Issuing autochanger "slots" command.
Device "LTO5" has 40 slots.
Connecting to Storage daemon Quantum-Changer at 192.168.99.160:9103 ...
3306 Issuing autochanger "list" command.
The following Volumes will be labeled:
Slot Volume
==============
1 000001
2 000002
3 000003
Do you want to label these Volumes? (yes|no): no
*unmount storage=Quantum-Changer
3307 Issuing autochanger "unload slot 1, drive 0" command.
3002 Device "LTO5" (/dev/nst0) unmounted.

Additional info:
[root@bacula-sd ~]# rpm -qa | egrep '(bacula|mt-st|mtx)' | sort
bacula-common-5.0.0-13.el6.x86_64
bacula-console-5.0.0-13.el6.x86_64
bacula-director-common-5.0.0-13.el6.x86_64
bacula-director-mysql-5.0.0-13.el6.x86_64
bacula-storage-common-5.0.0-13.el6.x86_64
bacula-storage-mysql-5.0.0-13.el6.x86_64
mt-st-1.1-5.el6.x86_64
mtx-1.3.12-5.el6.x86_64

[root@bacula-sd ~]# rpm -vV bacula-storage-common
S.5....T. c /etc/bacula/bacula-sd.conf
......... /etc/rc.d/init.d/bacula-sd
......... /usr/libexec/bacula/disk-changer
......... /usr/libexec/bacula/dvd-handler
......... /usr/libexec/bacula/mtx-changer
......... /usr/sbin/bacula-sd
......... /usr/sbin/bextract
......... /usr/sbin/bls
......... /usr/sbin/btape
......... d /usr/share/man/man8/bacula-sd.8.gz
......... d /usr/share/man/man8/bcopy.8.gz
......... d /usr/share/man/man8/bextract.8.gz
......... d /usr/share/man/man8/bls.8.gz
......... d /usr/share/man/man8/bscan.8.gz
......... d /usr/share/man/man8/btape.8.gz

[root@bacula-sd ~]# ps aux | grep bacula-sd
root 32116 0.0 0.0 246808 1920 ? Ssl 14:44 0:00 /usr/sbin/bacula-sd -v -d 10 -c /etc/bacula/bacula-sd.conf -u root -g root

[root@bacula-sd init.d]# ll /dev/nst* /dev/sg* /dev/st* /dev/sch*
crw-rw----. 1 root tape 9, 128 Sep 2 16:15 /dev/nst0
crw-rw----. 1 root tape 9, 224 Sep 2 16:15 /dev/nst0a
crw-rw----. 1 root tape 9, 160 Sep 2 16:15 /dev/nst0l
crw-rw----. 1 root tape 9, 192 Sep 2 16:15 /dev/nst0m
crw-rw----. 1 root disk 86, 0 Sep 2 16:15 /dev/sch0
crw-rw----. 1 root disk 21, 0 Jul 8 17:14 /dev/sg0
crw-rw----. 1 root disk 21, 1 Jul 8 17:14 /dev/sg1
crw-rw----. 1 root disk 21, 10 Sep 10 16:15 /dev/sg10
crw-rw----. 1 root disk 21, 11 Sep 10 16:18 /dev/sg11
crw-rw----. 1 root disk 21, 12 Sep 10 16:18 /dev/sg12
crw-rw----. 1 root disk 21, 13 Sep 10 16:18 /dev/sg13
crw-rw----. 1 root disk 21, 14 Sep 10 16:18 /dev/sg14
crw-rw----. 1 root disk 21, 15 Sep 10 16:18 /dev/sg15
crw-rw----. 1 root disk 21, 2 Jul 8 17:14 /dev/sg2
crw-rw----. 1 root disk 21, 3 Jul 8 17:14 /dev/sg3
crw-rw----. 1 root tape 21, 4 Sep 2 16:15 /dev/sg4
crw-rw----. 1 root tape 21, 5 Sep 2 16:15 /dev/sg5
crw-rw----. 1 root cdrom 21, 6 Jul 8 17:14 /dev/sg6
crw-rw----. 1 root disk 21, 7 Sep 10 16:15 /dev/sg7
crw-rw----. 1 root disk 21, 8 Sep 10 16:15 /dev/sg8
crw-rw----. 1 root disk 21, 9 Sep 10 16:15 /dev/sg9
crw-rw----. 1 root tape 9, 0 Sep 2 16:15 /dev/st0
crw-rw----. 1 root tape 9, 96 Sep 2 16:15 /dev/st0a
crw-rw----. 1 root tape 9, 32 Sep 2 16:15 /dev/st0l
crw-rw----. 1 root tape 9, 64 Sep 2 16:15 /dev/st0m
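
One way to test the SELinux hypothesis raised in the maintainer's reply, as an added example that is not part of the bug report or of Bacula: scan audit records for AVC denials on character devices and pair them with root syscalls that failed with EACCES. The audit lines and the type names bacula_t and scsi_generic_device_t are constructed sample values, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample audit.log lines (not from the bug report). The domain and
# type names bacula_t / scsi_generic_device_t are assumptions for illustration.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1473862320.101:811): avc:  denied  { read write } for  pid=32150 comm="mtx" name="sg5" dev=devtmpfs ino=9123 scontext=unconfined_u:system_r:bacula_t:s0 tcontext=system_u:object_r:scsi_generic_device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1473862320.101:811): arch=c000003e syscall=2 success=no exit=-13 a0=7ffd a1=2 uid=0 gid=0 euid=0 comm="mtx" exe="/usr/sbin/mtx"
type=AVC msg=audit(1473862321.440:812): avc:  denied  { open } for  pid=32151 comm="mtx" name="sg5" dev=devtmpfs ino=9123 scontext=unconfined_u:system_r:bacula_t:s0 tcontext=system_u:object_r:scsi_generic_device_t:s0 tclass=chr_file
type=AVC msg=audit(1473862400.002:840): avc:  denied  { getattr } for  pid=2201 comm="httpd" path="/var/www/x" dev=dm-0 ino=77 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?comm="(?P<comm>[^"]+)"'
    r'.*?(?:name|path)="(?P<target>[^"]+)"'
    r'.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)')
EVENT_RE = re.compile(r'msg=audit\((\d+\.\d+:\d+)\)')

def selinux_type(context):
    """Return the type field of a user:role:type:level security context."""
    return context.split(":")[2]

def device_denials(log_text, comms=("bacula-sd", "mtx", "mtx-changer")):
    """Group AVC denials on character devices by (comm, domain, target type, name)."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m or m["tclass"] != "chr_file" or m["comm"] not in comms:
            continue
        key = (m["comm"], selinux_type(m["scontext"]),
               selinux_type(m["tcontext"]), m["target"])
        grouped[key].update(m["perms"].split())
    return {k: sorted(v) for k, v in grouped.items()}

def root_mac_denials(log_text):
    """Event ids where a euid=0 syscall got EACCES (-13) and an AVC denial was logged.

    Root passes the DAC check on a crw-rw---- root:tape node, so EACCES for
    euid=0 that shares an event id with an AVC record points at SELinux (MAC).
    """
    avc, root_eacces = set(), set()
    for line in log_text.splitlines():
        ev = EVENT_RE.search(line)
        if not ev:
            continue
        if line.startswith("type=AVC") and "denied" in line:
            avc.add(ev.group(1))
        elif line.startswith("type=SYSCALL") and " exit=-13 " in line and " euid=0 " in line:
            root_eacces.add(ev.group(1))
    return sorted(avc & root_eacces)
```

On a real host the input would be /var/log/audit/audit.log, and comparing `ls -Z` output for the packaged and the copied init script shows whether the two carry different labels, which can change the domain the daemon starts in.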