How do I change the director_name?
#138
Comments
|
Well, I guess the process is:
And I guess it should be correct.
Under the hood, there are a few collected resources that depend on the director name:
|
|
That's exactly what I did. One of the reasons I want to make this change is because I remember the last time I built a new Bacula DIR/SD VM is that there was no easy way to try it with limited scope -- it was all or nothing because I had to follow the process you detailed. For some reason that's not working now. I haven't yet tried it, but I suspect simply trying to deploy the new canonical FQDN is going to yield the same problem. If you have any other ideas, I'm all ears. |
|
These problems are hard to diagnose… maybe there are other steps and you have to run more than 2 batches of updates across your nodes to reach a consistent state. I use It may be useful to understand what is going on by querying PuppetDB: Last time I renamed a Bacula node, I also remember having a bad time not seeing what I expected, and it happened that everything was fine, I just was updating the wrong node / wrong environment causing exported resources to not be exported as I wanted… |
|
I rebuilt my PuppetDB from the PC1 repos, maybe v4 or so, but definitely not v5 or v6. Hence some of the delay. Still had no luck with any of this and I knew that my DB was rebuilt from scratch since I didn't migrate any data. I tried to push forth on my new dir/sd build and sort everything out there: new VM, no lingering cruft in case something moved elsewhere over time -- all that. Proper debugging has been challenging because I cannot get However, I've made some progress by searching this model for In summary, it seems there are way too many cases where |
While it's certainly possible to pass a CNAME to bacula::director_name, doing so makes authentication fail between the Dir and SD since the Dir only identifies itself by its canonical FQDN. This commit changes the Dir's identity to match the bacula::director_name so that either way is possible. See voxpupuli#138. Signed-off-by: John Florian <[email protected]>
|
CNAMEs are indeed somewhat troublesome as you point out @jflorian. There is some amount of desire to be able to authenticate both the client, storage, and director to each other using the Puppet CA. To this end, you will probably see some use of the I suspect that there could certainly be some clean up with respect to which names to use when, since ideally there are only a few places to update in order to do what you are after here. In your last comment, are the CNAMEs that you are placing in the data variables not updating the configuration, or does bacula fail to communicate to the CNAME host? |
|
That commit resolved one of many issues. IIRC, in this particular case, it was necessary for the DIR and SD to recognize one another. I want to say the sd.conf was empty or missing something critical. My memory is a bit fuzzy. I thought I'd try to worm my way through all of the related issues but hit a bit of a stone wall once I realized the certificates were in need of SANs (as you mentioned). I wasn't sure how to do that with Puppet's CA and the task starting getting overly ambitious. Given that I'm going through a painful divorce and that I had ZERO backups (my pool was a mess so I had already wiped it to start anew), I figured it better to kick this can down the road for now. Thus I built out my latest Bacula DIR/SD using canonical hostnames (instead of the desired CNAMEs) as I've done before. It stinks because Bacula, as designed, requires the DIR to be the same or newer version than the clients it serves. If you have bleeding edge clients (e.g., Fedora), you'll need a bleeding edge DIR too which means you need to be constantly rebuilding it. Puppet and this module make the build easy but due to the issues I started finding here, there doesn't seem to be any good/easy way to handle migrations short of "starting over" each time. Being able use CNAMEs would alleviate most of this pain. I wish I had time to help tackle this, but my head is not in a good place this year. 🤕 |
|
Not a worry @jflorian. Take all the time you need. Positive vibes are headed your way. |
|
Thanks @xaque208, divorce is awful and I don't even know if I've got to the worst part yet. 😞 |
I have a good working setup in which I had set
bacula::director_nameandbacula::storage_nameto the FQDN of my Director/Storage host (one and the same). This FQDN follows my convention of suffixing the OS release (e.g.,scooby-f28.doubledog.org) so that when I rebuild this VM, I can have both new and old hosts existing (e.g.,scooby-f30.doubledog.org). The idea here is that I should only need to change a pair of CNAMEs (e.g.,bacula-dir.doubledog.organdbacula-sd.doubledog.org) in my DNS to transition to a newer Bacula server with an easy/safe rollback, if necessary.So, while I presently have
bacula::director_nameset toscooby-f28.doubledog.org(and similarly forstorage_name, I'd like to change this instead tobacula-dir.doubledog.org(andbacula-sd.doubledog.org), but when I do this all but one of my hosts disappear from the/etc/bacula/conf.d/client.conffile. (This one client is a very new build,scooby-f30to be exact, but at this stage it's nothing more than I basic server with no setup yet beyond being a normal Bacula client.) I know that the exported resources are at play here, but I'm failing to determine what I need to do to rectify the problem. I've triedpuppet node deactivate <FQDN>for the missing clients, but that doesn't help. I do seeTODO Document the use of director_nameininit.ppso I suppose I'm knocking on that door. 😉The text was updated successfully, but these errors were encountered: