Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 584442 - app-backup/bacula-7.4.0: bacula-dir fails to start on systemd
Summary: app-backup/bacula-7.4.0: bacula-dir fails to start on systemd
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: All Linux
: --- normal (vote)
Assignee: Thomas Beierlein
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2016-05-29 09:59 UTC by Michael Schmid
Modified: 2016-07-06 04:55 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Michael Schmid 2016-05-29 09:59:48 UTC 
<Possible duplicate of bug 504368, even though the description and solution described there don't match exactly (anymore?).>

Steps to reproduce:
1. Install bacula with default USE-flags on a machine using systemd
2. Run the scripts from the postinstall message to set up bacula-dir's database
3. Run "systemctl start bacula-dir" as root, this fails to start despite the service existing

I believe that this happens because systemd runs /usr/sbin/bacula-dir as bacula:bacula.

However, bacula:bacula does not have permission to either read /etc/bacula/bacula-dir.conf, execute /usr/sbin/bacula-dir, or write its PID file to /var/run, so the service fails to start. If that didn't happen immediately, it would also exit with a little delay because /var/lib/bacula/bacula.db also doesn't have the right permissions.

As far as I can tell, this could be fixed by running bacula-dir with root privileges (as root:bacula) as is done in OpenRC:
- Change /usr/lib64/system/bacula-dir.service to have User=root

It might also be fixed (probably more safely in terms of security?) by adjusting everything else to work with the bacula:bacula permissions on bacula-dir:
- Chmod o+x /usr/sbin/bacula-dir (or change owner to bacula:bacula)
- Change ownership of /etc/bacula/bacula-dir.conf to bacula:bacula
- Create /var/run/bacula, owned by bacula:bacula (u=rwx might be required)
- Change /etc/bacula/bacula-dir.conf to have PidDirectory="/var/run/bacula" 
- Change /usr/lib64/system/bacula-dir.service to use /var/run/bacula rather than /var/run; the same for /etc/init.d/bacula-dir
- Change OpenRC's /etc/conf.d/bacula-dir to run bacula-dir with the more limited bacula:bacula permission
- Change the /usr/libexec/bacula/create_sqlite3_database script to run "chmod bacula:bacula /var/lib/bacula/bacula.db" [also make the ebuild chmod this file if it exists for existing installs?]

With the second solution, I have not tried out if it is safe to do what might be logical to do and put the PID files for bacula-sd and bacula-fd into /var/run/bacula as well. Or if something else in /var/lib/bacula need permission adjustments in case Bacula does various things like send out mail.
Comment 1 Thomas Beierlein gentoo-dev 2016-06-21 18:53:07 UTC 
Can reproduce the behaviour after having installed a systemd system again. I am on it.
Comment 2 Thomas Beierlein gentoo-dev 2016-06-23 05:28:13 UTC 
Fixed in bacula-7.4.0-r1:

> app-backup/bacula: Let bacula-dir start successful under systemd (Bug #584442)
> 
> Change systemd's bacula-dir.service so that bacula-dir is run as root:bacula.
> While not perfect from a security point it makes bacula under systemd
> compatible with OpenRC environment.

I choose to run bacula-dir as root:bacula to stay in sync with the OpenRC behaviour.

Please test and let me know if it works at your side. If ok it needs to be backported to the older versions in tree.
Comment 3 Thomas Beierlein gentoo-dev 2016-07-06 04:55:11 UTC 
Backported fixes to bacula-5.2.13-r5 and bacula-7.0.5-r2.

> app-backup/bacula: Backport fixes from bug #584442 to let bacula-dir start under systemd

If there are still problems with that please reopen the bug.