
“Give people what they want, but leave them wanting more and they are yours forever.” — P.T. Barnum

Normally, I would recommend against using a recently released operating system and the latest beta version of a software package. Since I was tasked with looking for problems that might arise with Mac OS X 10.5 (Leopard), I figured I would also test out the beta release of Amanda 2.6. I will be doing a couple of follow-ups to this post. Today, we will only focus on the initial setup. Later posts will deal with:

One factor that slowed me down in finishing this post was the changes made in Leopard. Simply put, I ran into more problems than I expected. I wish I had started off by finding NetMojo’s fantastic series titled “Tiger to Leopard Server Migration” (part 1, part 2, part 3, part 4). Part 4 changes its title to “Kerberos and Single Sign-on in Leopard Server.” This is great material that anyone planning on migrating to Leopard needs to read.

Getting back to Amanda, there is an excellent installation guide, “Installation/OS Specific Notes/Installing Amanda on Mac OS X,” which I followed when doing the below setup.

Prerequisites

First, if you have not installed Apple’s Xcode 3, you need to do so. Xcode is Apple’s suite of tools for developing software on Mac OS X. Without it, you will not be able to even compile a file. It is not installed by default, but is available for free from Apple Developer Connection. The good news for Leopard users is that X11 is installed by default. Prior Mac OS Xs had X11 as an optional add-on to Xcode.

Second, MacPorts will make software installation much easier. The MacPorts Project is an open-source community initiative to design an easy-to-use system for compiling, installing, and upgrading either command-line, X11 or Aqua based open-source software on the Mac OS X operating system. While I tend to like to configure software to my specific environment and needs, for many software packages such as awk, glib, etc., most people would simply go with the default configuration options anyway. MacPorts makes life considerably easier. It is similar to the FreeBSD ports collection. Please refer to the MacPorts Guide for additional information on how to use the port command.

If you have upgraded to Mac OS X Leopard, please check your /usr/lib directory for any libraries ending with “ 1” (that is, a space followed by 1). For example, “/usr/lib/ruby 1” and “/usr/X11R6 1”. These files are created, possibly as a backup copy, when Leopard or Xcode 3 is installed. If you fail to remove those libraries, you will get an error “i686-apple-darwin9-gcc-4.0.1: 1/lib: No such file or directory.”

I also ran into problems with an existing copy of MacPorts where ports were installed under Tiger. You may want to do a fresh install of MacPorts. Just move /opt/local under another directory (so you have it in case you need to switch back) and reinstall MacPorts. It took care of the problems I was having. Of course, from what I read, many problems are bypassed if you are working on a server with a clean install of Leopard. For many of us, upgrades are a fact of life that have to be dealt with.

Where I work, the firewall blocks rsync access. To configure MacPorts to use some other method than rsync, do the following:

  1. Check out a working copy of the ports tree to some place on your hard disk, such as to your home directory:
     root # svn co http://svn.macports.org/repository/macports/trunk/dports dports
    

  2. Edit the file /opt/local/etc/macports/sources.conf. Comment out the line starting with “rsync://” and add a new line pointing to your working copy, in URL form. For example: file:///Users/msmart/dports

Below are a few port commands to help with basic operation and navigation:

list

The list option is used to get a list of all available ports.

 root # port list

search

The search option is very useful to find port names by partial matches.

 root # port search glib2
glib2   devel/glib2   2.14.0   Library with data structure functions and other constructs

deps

The deps option shows you the dependencies of a port.

 root # port deps glib2
glib2 has build dependencies on:
	pkgconfig
glib2 has library dependencies on:
	gettext
	libiconv

install

The option install is used to install a port.

 root # port install glib2
Skipping org.macports.activate (glib2 ) since this port is already active
--->  Cleaning glib2

contents

The contents option displays the files that have been installed by a given port. Uninstalled ports will always show no contents.

 root # port contents glib2
Port glib2 contains:
  /opt/local/bin/glib-genmarshal
  /opt/local/bin/glib-gettextize
etc.

installed

The installed option displays all installed ports.

 root # port installed

Additional software prerequisites are:

  • GNU-tar – Use GNU tar 1.15 or later version on Amanda clients. Mac OS X 10.5 comes with GNU tar 1.15.1.
  • Perl – Requires Perl 5.6.0 or later. Mac OS X 10.5 comes with Perl version 5.8.8.
  • glib2 – Upcoming versions of Amanda incorporating the Device API will require that glib2 version 2.2.0 or later be installed. Use MacPorts to install with the command “port install glib2”.
  • Awk – Comes with Mac OS X.
  • GNUplot – Use MacPorts to install with the command “port install gnuplot”.
  • readline library – Use MacPorts to install with the command “port install readline”.
  • GnuPG – The free software version of the OpenPGP privacy standard. This will be covered in later postings and can be skipped for now. For Mac OS X, you would want to install Mac GnuPG.
  • sharutils – For the tool uuencode, use MacPorts to install sharutils with the command “port install sharutils”.

In a later post, we will go through installation of GnuPG to do gpg-encrypted backups. In the meantime, why not check out my posting “FireGPG, GnuPG, and WebMail Services”? The post will provide information on setting up a way to send encrypted emails through your favorite mailer, such as Google and Yahoo.

While I am pointing to useful links, TrueCrypt has released a new version of their encryption software, 5.0, that supports Mac OS X and full drive encryption. You will still want to encrypt your backup files. It is great to have an encrypted hard drive in case anyone walks off with it. However, while that drive is connected to your host, the host has access to the encrypted area, which means that if someone breaks into the host, the encryption will not help. If you dump the files out to tape, having the files encrypted will help if any of those tapes go missing.

Setup Accounts

NetInfo, the system configuration database, no longer exists in Mac OS X 10.5. The entire structure for managing local users, groups, and other such things has been completely replaced by Local Directory Services. In Leopard, the DirectoryService daemon does the job of the DirectoryService, lookupd, and the memberd daemons. This should reduce unnecessary lookups and interprocess communication. The NetInfo database is now a series of XML files living in /var/db/dslocal/. This gives you the ability to manipulate that database in just about any scripting language. There is now a command line utility, dscl, to perform some advanced functions formerly covered by NetInfo Manager. The dscl command does not do everything. Below are some of Leopard’s new and enhanced tools:

  • dsenableroot – enables or disables the root account. This has been on OS X for a while now, but it may be more useful now that NetInfo Manager is gone.
  • dseditgroup – group record manipulation tool. Also present in 10.4, but will get more usage now.
  • dscacheutil – gather information, statistics and initiate queries to the Directory Service cache. New in Leopard; it allows you to look into the Directory Service cache and flush it if necessary. Semi-analogous to lookupd -d.
  • dserr – prints a description for an error code.
  • dsmemberutil – various operations for the membership APIs, including state dump, check memberships, UUIDs, etc. Allows you to check group membership and do some debugging on what groups the system thinks a user is in.

In the examples below, I am going to use the hostname “amanda.securitymonks.com” as the backup server. There is no such server. Please modify this hostname for your installation.

 root# sudo dscl localhost -create /Local/Default/Users/amandabackup
 root# sudo dscl localhost -create /Local/Default/Users/amandabackup RecordName amandabackup
 root# sudo dscl localhost -create /Local/Default/Users/amandabackup UserShell /bin/bash
 root# sudo dscl localhost -create /Local/Default/Users/amandabackup RealName "Backup User"
 root# sudo dscl localhost -create /Local/Default/Users/amandabackup UniqueID 5000
 root# sudo dscl localhost -create /Local/Default/Users/amandabackup PrimaryGroupID 0
 root# sudo dscl localhost -create /Local/Default/Users/amandabackup NFSHomeDirectory \
          /Users/amandabackup
 root# sudo ditto -rsrcFork '/System/Library/User Template/English.lproj/' /Users/amandabackup
 root# sudo sh -c "echo 'amanda.securitymonks.com amandabackup' \
          > /Users/amandabackup/.amandahosts"
 root# sudo chown -R amandabackup:wheel /Users/amandabackup
 root# sudo passwd amandabackup

Since you may have some pre-Leopard servers and desktops that need backing up, here is how to create the required accounts and groups in NetInfo:

 root# sudo niutil -create / /users/amandabackup
 root# sudo niutil -createprop / /users/amandabackup shell /bin/bash
 root# sudo niutil -createprop / /users/amandabackup realname "Backup User"
 root# sudo niutil -createprop / /users/amandabackup uid 5000
 root# sudo niutil -createprop / /users/amandabackup gid 0
 root# sudo niutil -createprop / /users/amandabackup home /Users/amandabackup
 root# sudo ditto -rsrcFork '/System/Library/User Template/English.lproj/' /Users/amandabackup
 root# sudo sh -c "echo 'amanda.securitymonks.com amandabackup' > /Users/amandabackup/.amandahosts"
 root# sudo chown -R amandabackup:wheel /Users/amandabackup
 root# sudo passwd amandabackup
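
The .amandahosts file written during account setup above is the trust list for the backup account, so its name, owner, mode and entries are worth checking once the account exists. The shell function below is an added example, not part of the original post or of Amanda; the policy it applies (owner-only permissions, a fully qualified host, and the account passed as the second argument on every entry) is an assumption of this example.

```sh
#!/bin/sh
# Added example: audit the .amandahosts trust file in a backup user's home.
# Policy here (owner-only mode, fully qualified host, explicit account) is an
# assumption of this example. Prints findings; returns 0 only when clean.
audit_amandahosts() {
    user=$2 file="$1/.amandahosts" bad=0
    if [ ! -f "$file" ]; then
        echo "MISSING $file"        # also catches a misnamed trust file
        return 1
    fi
    # ls -ld works on both BSD and GNU: field 1 is the mode, field 3 the owner.
    mode=$(ls -ld "$file" | awk '{print $1}')
    owner=$(ls -ld "$file" | awk '{print $3}')
    case $mode in
        -???------*) ;;             # no group or other bits set
        *) echo "PERMS $mode: group/other can access $file"; bad=1 ;;
    esac
    [ "$owner" = "$user" ] || { echo "OWNER $owner: expected $user"; bad=1; }
    # Each entry is "host account"; keep the last line even without a newline.
    while read -r host acct rest || [ -n "$host" ]; do
        [ -n "$host" ] || continue
        case $host in
            *.*) ;;
            *) echo "HOST $host: not fully qualified"; bad=1 ;;
        esac
        [ "$acct" = "$user" ] || { echo "ACCOUNT '$acct' on $host: expected $user"; bad=1; }
    done < "$file"
    return $bad
}

# Constructed demo: throwaway home with a loose mode and an extra root entry.
demo_home=$(mktemp -d)
demo_user=$(ls -ld "$demo_home" | awk '{print $3}')
printf 'amanda.securitymonks.com %s\nbackup root\n' "$demo_user" > "$demo_home/.amandahosts"
chmod 644 "$demo_home/.amandahosts"
audit_amandahosts "$demo_home" "$demo_user" || echo "findings reported above"
rm -rf "$demo_home"
```

On the systems set up in this post the call would be `audit_amandahosts /Users/amandabackup amandabackup`, run as root.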

System Settings

Since we plan on later using Kerberos authentication, we will add the following lines at the appropriate place in /etc/services:

 root# vi /etc/services

Add the following lines:

kamanda         10081/tcp   # amanda backup services (Kerberos)
kamanda         10081/udp   # amanda backup services (Kerberos)
amandaidx       10082/tcp   # amanda backup services
amidxtape       10083/tcp   # amanda backup services

Create /etc/amandates:

 root# sudo touch /etc/amandates
 root# sudo chmod 660 /etc/amandates
 root# sudo chown -R amandabackup:wheel /etc/amandates

Create directories where Amanda can store data:

 root# sudo mkdir -p /usr/local/lib/amanda
 root# sudo touch /usr/local/lib/amanda/exclude.gtar
 root# sudo mkdir -p /usr/local/var/amanda/gnutar-lists/
 root# sudo chown -R amandabackup:wheel /usr/local/lib/amanda /usr/local/var/amanda/

Software Setup

If you are using MacPorts, and have not added it to your path, do so now with the command:

 root # PATH="$PATH:/opt/local/bin"

Now configure, make, and install the Amanda software. Be warned, under Leopard, there may be warnings concerning “rm: conftest.dSYM: is a directory.” It appears that passing -g and any flavor of -O (even -O0) to the Leopard built-in gcc will result in one of these .dSYM directories. I have been told that when you do cc -o foo foo.c, because temporary object files are deleted, and DWARF stores its debugging information in the temporary object files, Apple’s gcc runs the ‘dsymutil’ command before deleting the object file to create a file that will hold the application debugging information. Unfortunately, they chose to use, not a file, but a “bundle” directory structure. In the end, it is safe for our purposes to ignore the warning.

 root# wget http://superb-west.dl.sourceforge.net/sourceforge/amanda/amanda-2.6.0b2.tar.gz
 root# tar xzf amanda-2.6.0b2.tar.gz
 root# cd amanda-2.6.0b2
 amanda-2.6.0b2 root# ./configure --with-user=amandabackup --with-group=admin
 amanda-2.6.0b2 root# make
 amanda-2.6.0b2 root# make install

In Mac OS X 10.4 (Tiger), Apple introduced launchd, replacing init and xinetd. While init and xinetd still existed, launchd had superseded them in many instances. In Leopard, init and xinetd have been dropped completely. To get amandad to run when packets from the server arrive, you’ll need a launchd script. Apple’s Getting started with launchd provides background on launchd. Jaharmi, over on his blog Irreality, has written several postings involving new keys and different behavior of keys under Leopard. Jaharmi has provided some very valuable information. Macavenger has posted “10.5: Use launchd to restart crashed apps,” which is another interesting read. There is freeware software for Leopard that offers a graphical user interface for launchd, Lingon. Lingon is a very valuable tool that greatly simplifies using launchd.

Steven Karel created the original property list, which we will modify for our specific paths. Amanda supports “bsd”, “bsdudp”, “bsdtcp”, “ssh” and Kerberos authentication between the Amanda server and the client. The authentication is used for the backup process (amdump) as well as the recovery process (amrecover). I am going to post later how to set up SSH and Kerberos authentication. For now, we will use bsdtcp authentication, where the TCP protocol is used between the Amanda server and client. On the client, two reserved ports are used. On the server, all data streams are multiplexed to one port. Add the following to the /Library/LaunchDaemons/org.amanda.amandad.bsdtcp.plist file:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN"
     "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>Label</key>
	<string>org.amanda.amandad.bsdtcp</string>
	<key>UserName</key>
	<string>amandabackup</string>
	<key>GroupName</key>
	<string>wheel</string>
	<key>InitGroups</key>
	<true/>
	<key>ProgramArguments</key>
	<array>
		<string>/usr/local/libexec/amandad</string>
		<string>-auth=bsdtcp</string>
	</array>
	<key>Sockets</key>
	<dict>
		<key>ipv4</key>
		<dict>
			<key>SockFamily</key>
			<string>IPv4</string>
			<key>SockServiceName</key>
			<string>amanda</string>
			<key>SockType</key>
			<string>stream</string>
		</dict>
		<key>ipv6</key>
		<dict>
			<key>SockFamily</key>
			<string>IPv6</string>
			<key>SockServiceName</key>
			<string>amanda</string>
			<key>SockType</key>
			<string>stream</string>
		</dict>
	</dict>
	<key>inetdCompatibility</key>
	<dict>
		<key>Wait</key>
		<false/>
	</dict>
</dict>
</plist>

Now we launch amandad with BSDTCP authentication with the following command:

 root # launchctl load -w /Library/LaunchDaemons/org.amanda.amandad.bsdtcp.plist

To confirm that it is running, we can check with the netstat or lsof command:

 root # netstat -na | grep 10080
tcp6       0      0  *.10080                *.*                    LISTEN
tcp4       0      0  *.10080                *.*                    LISTEN
 root# lsof | grep amanda
launchd       1     root   44u     IPv4 0x5016a68        0t0       TCP *:amanda (LISTEN)
launchd       1     root   60u     IPv6 0x3bb6984        0t0       TCP *:amanda (LISTEN)

To stop Amanda, issue the command:

 root # launchctl unload -w /Library/LaunchDaemons/org.amanda.amandad.bsdtcp.plist

There is still much work to be done, but we are well on our way to setting up a backup system under Mac OS X 10.5 (Leopard). If you want to move ahead, I have given you some links at the start of this post. Lois Garcia and Pavel Pragin have written “The 15-Minute Backup Solution.” W. Curtis Preston, author of the must-read “Backup & Recovery,” maintains a blog, Backup Central, full of invaluable information. I will end here, heeding the words of the great showman P.T. Barnum, “Give people what they want, but leave them wanting more and they are yours forever.”
