pfsense – Boot failure after upgrade to 2.4.0


Upgraded from pfsense 2.3x to 2.4.0

Upon reboot, I was unable to ssh to the box.

Once at the physical console, I noticed pfsense had encountered a panic condition,
barking about not being able to mount /dev/ad0s1a


At the prompt, I typed in “?” to review the available block devices (disks and the like)

I saw in the output the device /dev/ada0s1a, a slightly different device path from what the error message referred to.

I then entered in: ufs:/dev/ada0s1a, and boom, pfsense kicked off its regular routines (although it did keep barking about this or that package needing to be cleaned and such)

The permanent fix was to correct the mount references in /etc/fstab.

I changed any reference to ad0 to ada0, rebooted, and voila.

Next time I upgrade pfsense, I’ll read up on any known issues and the like.

Hint Hint:
2.4 New Features and Changes:

Kubernetes Deployment Error – PodToleratesNodeTaints


You have a single node (master) kubernetes deployment and you want to schedule standard pods.

The master name is your hostname: $(hostname).

Upon your attempt at deploying a service, you notice the state of the resulting pod remains in Pending.

Further investigation via kubectl describe pod {{ YOUR_POD_NAME }} reveals an error similar to
No nodes are available that match all of the following predicates:: PodToleratesNodeTaints

Due Diligence:

  • All kubernetes nodes are in a ‘Ready’ status: kubectl get nodes
  • All kubernetes nodes have sufficient resources for pod deployment: kubectl describe nodes
  • Your image is available on the docker registry you’ve specified in your kubernetes manifest (.yaml)


According to this post:

“No nodes are available that match all of the following predicates:: PodFitsHostPorts (1), PodToleratesNodeTaints”

The troubleshooting methodology was to review the kubernetes codebase:

  • Navigate to the kubernetes github repo
  • Search the repository for the relevant function
  • Kubernetes is written in golang, so search for “func PodToleratesNodeTaints”

As such, the following block of code:

if v1helper.TolerationsTolerateTaintsWithFilter(pod.Spec.Tolerations, taints, filter) {
return true, nil, nil

Will not be executed, which will trigger the next line of code:

return false, []algorithm.PredicateFailureReason{ErrTaintsTolerationsNotMatch}, nil

Effectively returning false, hence the original error

Further investigation on your master:

kubectl describe node $(hostname) | grep -i taint

If the command returns something similar to:


Then your node is unschedulable.

The fix would be to remove this taint, as follows:

kubectl taint nodes $(hostname)

You should see a confirmation similar to:

node {{ NODE_NAME }} untainted

You should now be able to schedule pods on this node


I came across the github issue description by Googling the following search term:

gls*"No nodes are available that match all of the following predicates" "PodToleratesNodeTaints"

Kubernetes, Docker volume mounts, and autofs

Environment details

  • Machine_Type: Virtual
  • OS: Oracle Enterprise Linux 7.x
  • Software: Docker 1.12.6, Kubernetes 1.7.1

Scenario: Can’t Login via ssh public key

Unable to login to docker host using public key authentication
Able to login to the host using my password
Once at the console, I observed an error similar to:
Could not chdir to home directory /home/myuser: Too many levels of symbolic links
-bash: /home/myuser/.bash_profile: Too many levels of symbolic links

Hmm wtf …

Troubleshooting Steps

A fellow admin suggested I check for docker mapped volumes that point to /home

Here’s the command I used to query for that:

sudo docker ps --filter volume=/opt --format "Name:\n\t{{.Names}}\nID:\n\t{{.ID}}\nMounts:\n\t{{.Mounts}}\n"

Boom, looks like the kubernetes weaver container is using that mapping:

Ok, so why would a docker volume mapped to /home induce such a problem?

Turns out that in some cases, binding autofs-mounted paths to docker containers can cause problems on the docker host.

This is due to the way in which kubernetes performs the volume mapping, which utilizes docker volume binds under the hood.

And, depending on how you map a volume to a docker container, you might conflict with autofs volume mounting.

For insight into a similar issue, see:

According to the above issue description, the problem we’re seeing might be fixed by adjusting the bind propagation for the volume mount in question,

However, there’s no way to control that setting via a kubernetes manifest, not at present at least, since HostPath bind propagation is currently a proposed feature in kubernetes,

So the best course of action is to simply change hostPath setting in the weave-kube manifest, e.g.

  • Change:
    path: /home
  • To:
    path: /opt/kubernetes/bind-mounts/weave-kube/home

You can then simply redeploy the offending container (sudo docker stop ecfa204283d3 && sudo docker rm ecfa204283d3 && kubectl apply -f net.yaml)

Note: You’ll have to perform similar changes to the weave manifest according to whatever other autofs mounts its hostPath(s) might conflict with.

Ensure you review your autofs settings!

Managing Virtual Machines on Ubuntu KVM

This article is a dump of my experience with setting up a viable virtual machine management platform on an Ubuntu Hypervisor with following specs:
    OS: Ubuntu 14.04.2 LTS


Check for Virtualization Support
egrep -c ‘(vmx|svm)’ /proc/cpuinfo
If 0 it means that your CPU doesn’t support hardware virtualization.
If 1 or more it does – but you still need to make sure that virtualization is enabled in the BIOS.

Issue Package Updates
    sudo apt-get update
    sudo apt-get upgrade

It is assumed you have the following packages installed
    If No:
        sudo apt-get install git python-pip

Setup libvirt and KVM

    sudo apt-get install qemu-kvm libvirt-bin virtinst bridge-utils sasl2-bin

Via bootstrap script
    curl | sudo sh

Once the installation is complete, add a designated user account
    sudo adduser `id -un` libvirtd

Add the option -l in the file /etc/default/libvirt-bin:
It should look like:

    libvirtd_opts="-d -l"

In the file /etc/libvirt/libvirtd.conf uncomment the line ( Remove # ):

    listen_tls = 0
    listen_tcp = 1
    tcp_port = "16509"

Create a saslpassword:
    sudo saslpasswd2 -a libvirt [username] // where [username] is the designated libvirt user account

    Password: xxxxxx
    Again (for verification): xxxxxx

Add firewall rule for TCP port 16509:
Create a file /etc/ufw/applications.d/libvirtd and it add the following lines:

    title=Virtualization library
    description=Open port for libvirt

Add a firewall rule in the chain
    sudo ufw allow from any to any app Libvirt
Install Administration Package
    sudo apt-get install git python-pip python-libvirt python-libxml2 novnc supervisor nginx

Validate Installation

virsh -c qemu+tcp:// nodeinfo

Please enter your authentication name: [username]
Please enter your password: [password]

Sample Output:

  CPU model:           x86_64
  CPU(s):              2
  CPU frequency:       3611 MHz
  CPU socket(s):       1
  Core(s) per socket:  2
  Thread(s) per core:  1
  NUMA cell(s):        1
  Memory size:         3019260 kB

Install WebvirtMgr

Install required Packages
    sudo apt-get install python-libvirt python-libxml2 supervisor nginx
Clone webvirtmgr project from github
    cd /var/www
    git clone git://
Set permissions
    sudo chown -R www-data:www-data /var/www/webvirtmgr
Install requirements
    cd webvirtmgr
    sudo pip install -r requirements.txt
Update Django Settings
    ./ syncdb
    ./ collectstatic
Enter the user information when prompted:

    You just installed Django’s auth system, which means you don’t have any superusers defined.
    Would you like to create one now? (yes/no): yes (Put: yes)
    Username (Leave blank to use ‘admin’): admin (Put: your username or login)
    E-mail address: username@domain.local (Put: your email)
    Password: xxxxxx (Put: your password)
    Password (again): xxxxxx (Put: confirm password)
    Superuser created successfully.
Adding additional superusers
./ createsuperuser
(Optional) Enable remote access to the WebUI via Nginx or SSH Tunnel
Usually WebVirtMgr is only available from localhost on port 8000
You can connect via ssh tunnel, like so:
ssh user@server:port -L localhost:8000:localhost:8000 -L localhost:6080:localhost:6080
You should then be able to access WebVirtMgr by typing localhost:8000 in your browser after completing the install. Port 6080 is forwarded to make noVNC work.
You can configure a redirect to have the WebUI accessible via nginx:
if not already done:
sudo mv webvirtmgr /var/www/
sudo vim /etc/nginx/conf.d/webvirtmgr.conf

server {
        listen 80 default_server;
        server_name $hostname;
        #access_log /var/log/nginx/webvirtmgr_access_log; 
        location /static/ {
            root /var/www/webvirtmgr/webvirtmgr; # or /srv instead of /var
            expires max;
        location / {
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-for $proxy_add_x_forwarded_for;
            proxy_set_header Host $host:$server_port;
            proxy_set_header X-Forwarded-Proto $remote_addr;
            proxy_connect_timeout 600;
            proxy_read_timeout 600;
            proxy_send_timeout 600;
            client_max_body_size 1024M; # Set higher depending on your needs 

Comment the Server Section as it is shown in the example:
sudo vim /etc/nginx/sites-available/
sudo vim /etc/nginx/nginx.conf
The path may differ
The end result should look like this:

        #    server {
        #        listen       80 default_server;
        #        server_name  localhost;
        #        root         /usr/share/nginx/html;
        #        #charset koi8-r;
        #        #access_log  /var/log/nginx/host.access.log  main;
        #        # Load configuration files for the default server block.
        #        include /etc/nginx/default.d/*.conf;
        #        location / {
        #        }
        #        # redirect server error pages to the static page /40x.html
        #        #
        #        error_page  404              /404.html;
        #        location = /40x.html {
        #        }
        #        # redirect server error pages to the static page /50x.html
        #        #
        #        error_page   500 502 503 504  /50x.html;
        #        location = /50x.html {
        #        }
        #    }

Restart nginx service:
sudo service nginx restart
Setup novnc
vi /etc/init.d/novnc

  # Provides:          nova-novncproxy
  # Required-Start:    $network $local_fs $remote_fs $syslog
  # Required-Stop:     $remote_fs
  # Default-Start:     2 3 4 5
  # Default-Stop:      0 1 6
  # Short-Description: Nova NoVNC proxy
  # Description:       Nova NoVNC proxy
  # PATH should only include /usr/* if it runs after the script
  DESC="WebVirtMgr NoVNC proxy"
  # read in defaults if available
  [ -f "/etc/default/${NAME}" ] && . "/etc/default/${NAME}"
  # Exit if the package is not installed
  [ -x $DAEMON ] || exit 0
  mkdir -p ${LOCK_DIR}
  chown "${USER}:${GROUP}"  ${LOCK_DIR}
  . /lib/lsb/init-functions
    start-stop-daemon --start --background --quiet --chuid "${USER}:${GROUP}" --make-pidfile --pidfile $PIDFILE --startas $DAEMON --test > /dev/null \
      || return 1
    start-stop-daemon --start --background --quiet --chuid "${USER}:${GROUP}" --make-pidfile --pidfile $PIDFILE --startas $DAEMON -- \
      $DAEMON_ARGS \
      || return 2
    start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE
    rm -f $PIDFILE
    return "$RETVAL"
  case "$1" in
      log_daemon_msg "Starting $DESC " "$NAME"
      case "$?" in
    0|1) log_end_msg 0 ;;
    2) log_end_msg 1 ;;
    log_daemon_msg "Stopping $DESC" "$NAME"
    case "$?" in
      0|1) log_end_msg 0 ;;
      2) log_end_msg 1 ;;
         status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $?
    log_daemon_msg "Restarting $DESC" "$NAME"
    case "$?" in
      case "$?" in
        0) log_end_msg 0 ;;
        1) log_end_msg 1 ;; # Old process is still running
        *) log_end_msg 1 ;; # Failed to start
      # Failed to stop
      log_end_msg 1
    echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2
    exit 3

Setup Supervisor
sudo service novnc stop
sudo insserv -r novnc
sudo vi /etc/insserv/overrides/novnc

  # Provides:          nova-novncproxy
  # Required-Start:    $network $local_fs $remote_fs $syslog
  # Required-Stop:     $remote_fs
  # Default-Start:     
  # Default-Stop:      
  # Short-Description: Nova NoVNC proxy
  # Description:       Nova NoVNC proxy

sudo vi /etc/supervisor/conf.d/webvirtmgr.conf

  command=/usr/bin/python /var/www/webvirtmgr/ run_gunicorn -c /var/www/webvirtmgr/conf/
  command=/usr/bin/python /var/www/webvirtmgr/console/webvirtmgr-console

Restart supervisor daemon
sudo service supervisor restart

WebVirtMgr Post-Installation

I provide the below for additional considerations:

    Before libvirt was installed, virbr0 did not exist. We only had interfaces for loopback and eth0. virbr0 means “virtual bridge 0” and was automatically created by libvirt during installation. virbr0 was configured as a NAT-only interface. This means virtual machine hosts that use this bridge can get out to the network via the eth0 interface but any devices on the other side cannot initiate requests into virbr0 clients.

Here’s my networking configuration:

        auto eth0
        iface eth0 inet dhcp
        auto br0
        iface br0 inet dhcp
            bridge_ports eth0
            bridge_stp off
        auto eth1
        iface eth1 inet dhcp
        auto eth2
        iface eth2 inet dhcp

Troubleshooting The WebVirtMgr Installation

Debugging the webapp
    cd /var/www/webvirtmgr
    Enable debug mode in the
    sudo ./ runserver 0:8000
    “webvirtmgr” “authentication failed:”
        Ensure that any users specified in the connections matches what is listed in the local database
            Review administrative users
                sasldblistusers2 -f /etc/libvirt/passwd.db
                saslpasswd2 -cf /etc/libvirt/passwd.db
        If no users configured:
            add user
                saslpasswd2 -a libvirt <username>

Installing Vagrant

    Install prerequisites
        sudo apt-get install
        sudo apt-get install gcc libvirt-dev ruby-libvirt
    Download vagrant package
    Install vagrant
        sudo dpkg -i vagrant_1.7.2_x86_64.deb
Install vagrant libvirt/kvm provider
    sudo vagrant plugin install vagrant-libvirt

Recovering a Failed QNAP Raid Volume

How to recover data from QNAP drives using testdisk from SystemRescueCd


Given the following scenario:

QNAP server was factory reset, clearing the software RAID information on the QNAP OS.
As such, all drives in the RAID were essentially orphaned.
Data on the drives remained intact.

Recovery Options:

In order to recover the information, we could proceed via many troubleshooting pathways, two of which I list below:

– Rebuilding the software RAID
– Recovering the data directly from the drives

I chose the second option, since I wasn’t too handy with administration of the Linux Multiple Device Driver (MD), aka software RAID.
In this article, we will be recovering the data from ONE drive at a time, so it is best to plug in ONLY ONE of drives to be recovered, along with a spare drive on which the recovered data will be copied to.

Recovery Software:
We will be using SystemRescueCD to perform the data recovery

I assume the following:
You’ve already booted the SystemRescueCD
You either have console or ssh access (or whatever other means) to the SystemRescueCD shell
You have the drive to be recovered and a spare plugged in to your system

Lastly, this is key in Understanding QNAP volumes:
QNAP utilizes Logical Volume Management (LVM) and the Linux MD software RAID technologies to manage its storage devices.
Partition 3 Holds all the data on any given drive
Keep this in mind as you start digging for your data on the QNAP drives.

Identify the Destination Drive

Before going through the recovery, you must prep the directory on which you will be copying the recovered data to.
With the specs on your hard drive already in mind, issue the list hardware command (lshw) to determine the device name to the drive:
lshw -short -c disk
Once you match the device information to that of the spare drive, you can proceed to initialize (wipe/clean) the drive or mount it if it’s already prepared.

If the drive is already initialized, skip the next step, otherwise proceed …

Prepare the Destination Drive

You can initialize the drive for use on the SystemRescueCD as follows:
fdisk <device_name>, e.g. fdisk /dev/sda
Follow the prompts to create a Linux Partition
Note: Once the partition is created, the device you’ll actually be acting against is <device_namelogical_partition_number>, e.g. /dev/sda1
Once you’ve written the changes to the disk, you can proceed to create the filesystem on the drive:
mkfs -t <fs_type> <device_namelogical_partition_number>, e.g. mkfs -t ext4 /dev/sda1
mkfs.<fstype> <device_namelogical_partition_number>, e.g. mkfs.ext4 ext4 /dev/sda1
Once the filesystem has been created, you can mount it.
Do so first by creating a directory on which the drive will be mounted, e.g.:
mkdir /mnt/recovery

Mount the Destination Drive

Mounting the drive is quite easy, simply invoke the mount command, e.g.:
mount -t ext4 /dev/sda1 /mnt/recovery

Your destination drive is now ready to be used!

Identify the Data Partition on the Source Drive


The following commands are to be issued from the SystemRescueCD session:

First, we need to determine what MD volumes the SystemRescueCD has detected.
You can do so by displaying the contents of the mdstat file under /proc as follows:

cat /proc/mdstat

Samlpe Output:

        Personalities : [linear] [multipath] [raid0] [raid1] [raid6] [raid5] [raid4] [raid10]
        md321 : active raid1 sdb5[0]
              7168000 blocks super 1.0 [2/1] [U_]
              bitmap: 1/1 pages [4KB], 65536KB chunk
        md13 : active raid1 sdb4[25]
              458880 blocks super 1.0 [24/1] [_U______________________]
              bitmap: 1/1 pages [4KB], 65536KB chunk
        md2 : active raid1 sdb3[0]
              3897063616 blocks super 1.0 [1/1] [U]
        md256 : active raid1 sdb2[1]
              530112 blocks super 1.0 [2/1] [_U]
              bitmap: 0/1 pages [0KB], 65536KB chunk
        md9 : active raid1 sdb1[25]
              530048 blocks super 1.0 [24/1] [_U______________________]
              bitmap: 1/1 pages [4KB], 65536KB chunk

As you can see from the above output, there is a disk with a 3rd partition that is most likely an MD LVM volume.
I’d say there is a 90% chance that this is the drive and partition we’re interested in.

Take note of the device information, in this case /dev/sdb3

Invoke Testdisk Partiton Scan


So, again, we’ve detetermined the data to be on device /dev/sda3
The next step is to run testdisk against this device:
testdisk /dev/sdb3
In the ensuing dialog, choose the following order of actions:

Select a media ...: (choose the device, in this case /dev/sdb3)
Please select a partition table type ...: (choose EFI GPT)
Quick Search

At this point, the drive scan will commence.

Once it completes, you’ll be presented with a partition table as detected by testdisk.

List Files for Recovery & Copy


In the resulting partition table option, select the partition you think contains the data
Press shift + P
This will print the files on the partition
Read the instructions at the bottom of the file listing …

q to quit
: to select the current file
a to select all files
shift + C to copy the selected files
c to copy the current file

Once you invoke the copy action, you will be prompted to navigate to the destination path.

Hopefully you’ve already completed that in steps ‘Prepare the Destination Drive‘ and ‘Mount the Destination Drive

Once the copy process is started, you’ll be presented with a progress indication.

Sit tight. The wait is worth it.


[SMB] HOW-TO RECOVER data from LVM volume on a PC (UX-500P)

Synchronizing the Keepass Database Between Computers (via FTP)

How to synchronize Keepass Databases across multiple computers using an FTP Service

If you haven’t already installed KeePass, head over to the download page:

Synchronize Via URL


File > Synchronize > Synchronize with URL… (or press Ctrl+Shift +R)

Input Credentials for URL Prompt


Fill out the relevant ftp credential information ensuring you select Remember user name and password

Configuring an OpenVPN Multisite VPN Bridge Using Public Key Infrastructure (PKI)


This article covers a case-scenario in which two offices, each with a dedicated pfSense router, join together as one logical network using OpenVPN.

TUN and TAP are virtual network kernel devices, i.e. they are not backed by hardware network adapters (e.g. pci, pci-e card).

TAP is short for network tap:

  • Simulates an Ethernet device
  • Operates with layer 2 packets such as Ethernet frames

TUN is short for network tunnel:

  • Simulates a network layer device
  • Operates with layer 3 packets such as IP packets

TAP is used to create a network bridge, while TUN is used with routing.

I’ve worked with two modes of OpenVPN: Routing (TUN) and Bridging (TAP)
Routing: From what I gather, this is better for a network tunnel between client(s) where primarily point-to-point connections are required.
Bridging: From what I gather, this is better for a network tunnel between network(s) wherein ALL traffic, including broadcasts, is a requirement.
This document covers OpenVPN in Bridging (TAP) mode.
Note: From what I researched, you cannot bridge different subnets.
Bridging can only connect two segments which use the same IP subnet.
To connect different subnets you need to use IP routing.

The network configuration in this document allows broadcasts to span the network bridge.
As such, broadcasts like DHCP will traverse the bridge both ways.
Possible problems this might present:
When started, each DHCP client broadcasts a DHCP discover message (DHCPDISCOVER) to its local subnet in an attempt to find a DHCP server.
Because DHCP clients use broadcasts during their initial startup, you cannot predict which server will respond to the DHCP discover request of a client if more than one DHCP server is active on the same subnet.
This can lead to unexpected results.
One searing example is a client picking up default gateways belonging to a network that lies across the bridge.
Imagine a client from Florida using the default gateway from the site in New Jersey! No Bueno.
Luckily, there is a workaround. Block DHCP traffic from traversing the network bridge.
The instructions for this are included in the document.

The Big Picture


The network we’re working with is, with a network mask of, or 172.16.0/16.
This is essentially one giant network.
This allows for a wide range of Private IP Addresses: 172.16.(1-254).(1-254) all under one broadcast domain.
This is what I needed for my setup.
Network configuration illustrated above: two different subnets that are part of the same broadcast domain.

Create Certificate Authority

  1. Login to the web admin
  2. Click System –> Cert Manager
  3. From the CAs leaf, click the Plus button
  4. Give it descriptive name.
  5. Method: ‘Create an internal Certificate Authority‘, leave Key length and Lifetime to default.
  6. Fill in the rest of the fields as you see fit.
  7. Click Save
  8. Once this is done, we need to create our certificates for the OpenVPN server as well as any users/sites we want to connect.

Create the Server Certificate

  1. The process for creating a Cert for the server and users are almost identical. Let’s create the Server Certificate.
  2. The OpenVPN server (pfsense) must have its own cert as well as any users.
  3. Click the Certificates leaf, click the plus button.
  4. In the Method Drop down box make sure it says "Create an Internal Certificate"
  5. Give a descriptive name. A good idea is to specify server/username
  6. In the Certificate Authority drop down choose the CA you just created.
  7. In Certificate Type drop down specify whether this Cert is for the server or a user. In this case, it is a ‘Server Certificate’
  8. Fill out the rest of the info for location.
  9. Click Save

Create the User Certificate(s)

  1. Repeat the previous process, but selecting ‘User Certificate’ for the Certificate Type. Create as many certs as you need ensuring that all are based off the original CA created earlier.
  2. Click Save

Create a Certificate Revocation List


Its a good idea to create a revocation list.
Doing so allows for easily revoking client connections should the need arise.
No need to disable the OpenVPN server entirely, or delete any client certificates, or manually kill connections, nothing ugly.
To create a revocation list:
Click the Cert Revocation leaf
Press the plus button next to the CA you created.
Method: Create an internal Cert Revo list.
Give it a name and verify the CA is in the drop down box.
Click Save.
You’ll notice a new line with an edit button.
This is where you can revoke or restore certificates for users.
Congrats, you should now have the PKI in place!

Install Package: OpenVPN Bridge Fix


There is no tunnel network when using tap/bridging mode, yet the PfSense 2.0 gui required you to enter one.
This essentially wouldn’t allow you to do this through the gui.
Thankfully after user ‘jadams’ brought this to their attention, they released a package to fix this problem.
To install this package:

  1. Click System —> Packages
  2. Click the Available Packages Tab
  3. Install the OpenVPN tap Bridging Fix package

OpenVPN Server Setup – Section:General Information

  1. Click VPN —> OpenVPN
  2. In the Server leaf, click the plus button to add a server.
  3. Disables the server: unchecked (obviously)
  4. Server Mode: Remote Access (SSL/TLS)
  5. Protocol: UDP
  6. Device Mode: TAP
  7. Interface: WAN
  8. Local port: 1194 (default port but you can choose whatever port you like)
  9. Description: *************

OpenVPN Server Setup – Section:Cryptographic Settings

  1. TLS Authentication: Check both check boxes
  2. Peer Certificate Authority: Use the CA we created earlier
  3. Peer Revoke List: use the revoke list creates earlier
  4. Server Certificate: This is where you use the Server Certificate created earlier, NOT any of the User certs
  5. DH Parameters Length: I set mine to 1024
  6. Encryption Algorithm: I used AES-128-CBC
  7. Hardware Crypto: I used the BSD Cryptodev engine, as the system is on an Intel Atom with 2GB of RAM
  8. Cert Depth: One

OpenVPN Server Setup – Section:Tunnel Settings


Note:Here’s a classic Catch-22: If you want to bridge the OpenVPN tunnel with your LAN, you must first create the bridge, BUT, you can’t create the Bridge without first creating the OpenVPN tunnel!
Solution: Proceed with OpenVPN Server setup without enabling any bridge functionality.
Then, once that is complete, you create the bridge, revisit the OpenVPN server settings, and enable the option.
Ok, now back to Tunnel Settings:

  1. Tunnel Network: leave Blank. No tunnel network with Bridging (see info at top if you’re curious as to why)
  2. Bridge DHCP: This box may not yet be available (Catch-22, we revisit after we setup this OpenVPN tunnel and create the bridge)
  3. Bridge Interface: Again, we revisit after we setup this OpenVPN tunnel and create the bridge. This will be set to your LAN interface.
  4. Server DHCP Start/Stop: You can specify an IP range here. However since its bridging you can leave it blank. Your internal DHCP server will take care of it. I left these blank. One thing to keep in mind is that a client’s IP will not be displayed on the Dashboard Widget if you leave the range blank. I’ll be bringing this up on the PfSense forums.
  5. Redirect Gateway: SEE NOTE AT THE END
  6. Concurrent Connections: self explanatory, I left this blank.
  7. Compression: I checked this
  8. TOS: I left unchecked
  9. Inter-client communication: If you want different remote clients to be able to talk to each other check this box
  10. Duplicate connections: This will allow different people with the same certs you give them to connect. Not recommended, but I’m sure theres instances where it might be required.

OpenVPN Server Setup – Section:ClientSettings

  1. Dynamic IP: checked
  2. Address Pool: unchecked
  3. DNS Default domain: if you have one enter it here
  4. DNS Servers: specify up to 4
  5. NTP Server: you can specify up to 2
  6. Wins Server: if you have one

OpenVPN Server Setup – Section:Advanced Settings


Here you can setup additional routes. I left this blank.
This is the last section in the OpenVPN Server setup.
Click the Save button.

Create the LAN/OpenVPN Bridge


Click Interfaces —> Assign
Press the + button to add an interface
It will probably show up as OPT1, in the drop down box choose your OpenVPN instance
goto Interfaces —> OPT1
Enable the Interface
Give it a better description
Leave the rest default.
While still in the Interfaces —> Assign click the Bridges tab
Press the plus button to create a bridge.
Choose TWO or more interfaces you want to bridge (e.g. your LAN, and the interface we just made for your OpenVPN server) by clicking on them using the CTRL button
Give it a description

Create OpenVPN LAN Bridge

  1. Click Interfaces —> Assign
  2. Click the plus button to add an interface.
  3. It will probably show up as OPT1 in the drop down box.
  4. Choose the interface matching the OpenVPN instance you want to bridge.
  5. Click Interfaces —> OPT1
  6. Enable the Interface, give it a more appropriate description (e.g. OpenVPN)
  7. Leave the rest default.
  8. Click Save
  9. Click Interfaces —> Assign
  10. Click the Bridges leaf.
  11. Press the plus button to create a bridge.
  12. Choose TWO interfaces you want to bridge (your LAN, and the interface we just made for your OpenVPN server) by clicking on them using the CTRL button.
  13. Give it an appropriate description and click SAVE.

OpenVPN Server Setup (Revisit) – Section:Tunnel Settings – DHCP Start/DHCP End


Bridge DHCP: If and Only If (IFF) you correctly configured the bridge, OpenVPN bridge options should now be available.
Place a check mark on “Allow clients on the bridge to obtain DHCP”
Bridge Interface: Set this your LAN interface.
Click Save at the bottom.
Note: The image in this step illustrates using an ip address range as the DHCP Start and DHCP End,
but you can leave these blank if you plan on having IP Addresses assigned by the default DHCP Server settings on the pfSense box (if applicable)
or by a dedicated DHCP server on your network.
In my case, I set the address to a scope of 15 IP Addresses that lay OUTSIDE of my DHCP server’s IP Address range.

Server Firewall Rule: Allow OpenVPN Connection to WAN Port

  1. Click Firewall —> Rules
  2. Click the WAN leaf, click the plus button to add a rule.
  3. Action: Pass
  4. Disabled: unchecked
  5. Interface: WAN
  6. Protocol: UDP
  7. Source: any
  8. Destination: WAN Address
  9. Destination Port Range: This is the port of your OpenVPN server (Mine is set to the default 1194)
  10. Give it a description (e.g. ‘Allow OpenVPN to WAN’)
  11. Click Save

Server Firewall Rule: Open the Floodgates, Allow All Bridged OpenVPN Traffic

  1. Click Firewall —> Rules
  2. Click the OpenVPN leaf, click the plus button to add a rule.
  3. Action: Pass
  4. Disabled: unchecked
  5. Interface: OpenVPN
  6. Protocol: any
  7. Source: any
  8. Destination: any
  9. Destination Port Range: any
  10. Give it a description (e.g. Allow OpenVPN Traffic from Clients)
  11. Click Save


  1. Click the leaf corresponding to your OpenVPN Tap Interface (e.g. OPENVPNTAP,OVPN)
  2. Do the same as you did for the OpenVPN Leaf

Export Certificate for Use On the Client Router(s): CA Certs

  1. Click System > Cert Manager
  2. To export CA Cert and Key: click on the first downward pointing triangle.
  3. As a guide, when you hover over it, the text label is ‘Export CA …’, Save File

Export Certificate for Use On the Client Router(s): User Certs

  1. Click System > Cert Manager
  2. To Export User Cert and Key: click on the first downward pointing triangle.
  3. As a guide, when you hover over it, the text label is ‘Export Cert/Key’, Save File.
  4. You’ll also need the TLS Authentication token from the server, as this will be pasted into the Cryptographic Settings on the client side.
  5. On the OpenVPN Server, click the Server configuration (VPN > OpenVPN > Server leaf), copy the TLS Authentication.
  6. It’s up to you how you will get this TLS Authentication and these exported files to the client end(s) (e.g. in an email to yourself, or copying onto a USB stick for transfer)

Export Certificate for Use On the OpenVPN Clients (e.g. Windows)


You can connect to the PFSense OpenVPN Server via desktop clients like Windows, Mac OSX, and Ubuntu Linux
It is easiest to go about this by installing the OpenVPN Client Export Utility
Click System –> Packages
Click the Available Packages leaf
Click the plus sign to install the OpenVPN Client Export Utility
Once installation is complete, Click VPN –> OpenVPN
If the package was installed successfully, you should see the Client Export leaf. Click it.
Click ‘Configuration archive’ for the corresponding user, in my case RemoteSite1
You will be prompted to save a .zip archive containing the necessary files for connection on the client end. Save the file.
The Configuration Archive should contain at least three of these file types:
It’s up to you how you will get this Configuration Archive to the client end(s) (e.g. in an email to yourself, or copying onto a usb stick for transfer)

Client Side(s): Import the Certificates (CA Certs)


Now on the client router, Click System > Cert Manager
Click the CAs leaf, add new one.
Method: Import an existing Certificate Authority
Enter as Descriptive name the name of the certificate from the first server, in my case ‘MainOffice’
Using a text editor, open the Server cert file, in my case ‘MainOffice.crt’
Simply copy / paste the content of the file into the Certificate Data field.
We are NOT pasting anything into the second field (Certificate Private Key …)
Click Save

Client Side(s): Import the Certificates (User Certs)


Click the Certificates leaf, add new one.
Method: Import an existing Certificate
Enter as Descriptive name the name of the client router, in my case ‘RemoteSite1’
Using a text editor, open the Client cert file, in my case ‘RemoteSite1.crt’
Simply copy / paste the content of the file into the Certificate Data field.
Using a text editor, open the Client private key file, in my case ‘RemoteSite1.key’
Simply copy / paste the content of the file into the Private Key Data field.
Click Save

OpenVPN Client Setup – Section: General Information

  1. Click VPN —> OpenVPN
  2. In the Client leaf, click the plus button to add a client.
  3. Disables this client unchecked (obviously)
  4. Server Mode: Peer to Peer (SSL/TLS)
  5. Protocol: UDP
  6. Device Mode: TAP
  7. Interface: WAN
  8. Local port: blank
  9. Server host or address: enter in the OpenVPN Server WAN IP Address or Registered DNS. Note: If you’re using a dynamic hostname (e.g. *.dyndns), make sure to check the Server host name resolution box.
  10. For All Proxy options, I didn’t need these so I left them blank
  11. Server host name resolution: From what I gather, you check this box if the server is using a dynamic addresses (e.g. *
  12. Set an appropriate Description (e.g. Site to Site OpenVPN Bridge with MainOffice)

OpenVPN Client Setup – Section: Cryptographic Settings

  1. Enable authentication of TLS packets: Checked
  2. Automatically Generate a shared TLS authentication key: Unchecked
  3. Paste into the TLS Authentication field the TLS Authentication value from the server.
  4. Peer Certificate Authority: Set this to the Server CA
  5. Client Certificate: Set this to the Client Cert
  6. Encryption algorithm: Set this to match that of the Server
  7. Hardware Crypto: Set this to match that of the Server

OpenVPN Client Setup – Section: Tunnel Settings

  1. Compression: Checked
  2. All else is default
  3. Advanced: blank
  4. Click Save

Add Routings To Other Networks (Optional)


If you intend to push routes to networks not part of the bridge, you’ll need to do specify the options in the advanced section ==>>

The above will push these static routes to any clients that successfully establish a VPN connection.

(Optional) Client-Specific Overrides


Client-specific overrides allow settings to be pushed on a per-client basis.

The above picture illustrates assigning a different gateway to “client johndoe-crt”
push “route-gateway”

Verify OpenVPN Client Connections


( Optional) Block DHCP Packets From Traversing the Bridge


If you plan on keeping DHCP Scopes contained to their own sites, you should enable a firewall rule to disallow DHCP Traffic across the OpenVPN bridge.

Note:{pFsense uses Packet Filter as its firewall. Packet Filter is governed by rules that are Evaluated from Top to Bottom, on a “first match wins” basis.
For this reason, any block rules you want in place should be positioned before the allow rules.


  1. Click Firewall ==>> Rules
  2. Click the OpenVPN leaf
  3. Click the plus button to add a rule
  4. Action: Block
  5. Disabled: unchecked
  6. Interface: OpenVPN
  7. Protocol: UDP (Both IPV4 and IPV6)
  8. Source: any
  9. Source Port Range: Set range to 67-68
  10. Destination: any
  11. Destination Port Range: Set range to 67-68
  12. Give it a description (e.g. Block DHCP Traffic)
  13. Click Save


Network Connectivity is Lost Across Bridge


Scenario: Upgraded pfSense from 2.1 to 2.1.2
Removed and regenerated all certs
Enabled Active Directory Authentication
Problem: Once I got the client connected, I could not ping the gateway or any machine on my network
I noticed that ipconfig results showed no gateway definition. Turns out that’s normal
Head scratching … wtf
For a shitz and giggles I removed and readded members interfaces to the Bridge configuration.
Once I saved, voila. Worked. WTF?
TLS Error: TLS object -> incoming plaintext read error
EDIT: This should have been fixed in the latest pfSense build.



For the OpenVPN Client configuration, make sure you’re using the correct Peer Certificate Authority (CA)
This should be set to the CA you imported


Fumanchu. "The Hand of FuManChu." Site-to-site Ethernet Bridge over OpenVPN (2 of 2). Web. 26 Feb. 2012. <>.
Fumanchu. "The Hand of FuManChu." Site-to-site Bridged Ethernet Using OpenVPN (1 of 2). Web. 26 Feb. 2012. <>.
Lepalaan, Filipp. "NetBoot Over OpenVPN." OpenVPN Bridging: Netboot over VPN. Web. 26 Feb. 2012. <>.
Gibson, Steve. "GRC | OpenVPN HOWTO Guide: Routing vs Bridging ." OpenVPN: Step-by-Step HowTo Guide. Web. 26 Feb. 2012. <>.
"OpenVPN Tunnels and Bridges." Shoreline Firewall. 30 July 2011. Web. 26 Feb. 2012. <>.
"OpenVPN Client Export Files in PfSense 2.0RC." PfSense Forum. Web. 26 Feb. 2012. <>.
"How to Configure OpenVPN (lockup Version)." Lockup. Web. 26 Feb. 2012. <>.
"Pfsense 2.0.1 OpenVPN Bridging Guide – [H]ard|Forum." [H]ard|Forum. Web. 26 Feb. 2012. <>.
Stefcho. "Stefcho’s Blog." Routing Road Warrior’s Clients through a Site-To-Site VPN with PfSense 2.0 RC1 and OpenVPN. Web. 26 Feb. 2012. <>.
Stefcho. "Stefcho’s Blog." PfSense 2.0 RC1 Configuration of OpenVPN Server for Road Warrior with TLS and User Authentication. Web. 26 Feb. 2012. <>.
Vana, Yaron, and Idit Michael. "How to Simulate WAN in VMware?" Vvirtual’s Blog. Web. 26 Feb. 2012. <>.

Bacula & Bareos: A Complete Backup Solution for the Home and Enterprise

Let’s talk about the Bacula & Bareos backup programs.


Windows Platform
@!:{Before you deploy Bareos, you’ll need the following prerequisites installed and properly configured on the target server:
•    postgreSQL
•    PowerShell 2.0 or geater
This requires .Net Framework 2.0 or greater

Platform Info & Defaults Used
Item Description
OS Platform Windows Server 2003 R2 32-bit
Bareos Version 14.1.0 32-bit
PostgreSQL Version 9.3 32-bit
Bareos Service Password bareos
Installation Directory C:\Program Files\Bareos
Configuration Directory C:\Documents and Settings\All Users\Application Data\Bareos
Bareos Working Directory C:\ProgramData\Bareos

@!:{This article relies mostly on command line (cmd) user interaction


About Bacula & Bareos


What is Bacula?

A Client/Server-based backup program

In a nutshell:
Server component handles the backups, Client component sends the data to be backed up.

Simar to
Symantec Backup Exec

Bacula website:

What is Bareos?

Bareos is a fork of the Bacula project, so it boasts all of the same features as Bacula, as well as additional enhancements.

Bareos website:

For me, the most attractive feature of this fork is that the server component, the director, can now be installed on Windows.


Highly Scalable
Centrally managed
Multiplatform Client Component
Multiplatform Server Component

How Does Bacula/Bareos Work?


I yanked this verbatim from this website:

Bacula Architecture & Components
Bacula is made up of several components that can be distributed to operate on several servers. Thus a central Bacula director demon can backup multiple servers, and in turn save data to multiple servers. Even a physically distributed backup strategy can be implemented easily and above all, centrally controlled.
Bacula’s individual components consist of:
Bacula director
Bacula director is the central program which controls and monitors all key tasks such as backup, restore, verify and archive. The director usually operates as a daemon or service.
Bacula console
Bacula console is the tool through which the administrator can communicate with the Bacula director. The console comes in 3 different versions, with the simplest and most popular being a text-based shell for Linux. The text-based console offers the greatest functional scope, while the GNOME and Windows GUIs provide fast backup and restore.
Bacula file demon
Bacula file demon is the actual backup client, installed on the machines to be backed up. It is operating system-specific and sends to-be-protected data with their attributes to the Bacula Director. Or in a recovery, it writes the data back onto disk. Bacula File Demon runs as a service on the servers to be backed up and is available for Unix / Linux and Windows.
Bacula storage
Bacula storage is responsible for storing and reading the saved data and their related attributes onto backup media. It runs as a service on the server which is connected to backup hardware (tapes or disks).
Bacula catalog
Bacula catalog is responsible for the indexing of all files and volumes. It allows the administrator to find and restore desired files quickly. All used volumes, saved files and exported jobs are saved in the catalog. This offers fast and efficient file restoration and management. Bacula currently supports MySQL, PostgreSQL and SQLite as catalog databases.


Configuration Overview

Bacula/Bareos is pretty simple.

It is nothing but the sum configuration of its components. So, in essence, once you configure all of its ‘moving parts’, it will just work as intended.

Each component has its own config file
file daemon

Each config file is formatted based on resources comprised of directives
Specify values relative to the component
Are surrounded by curly braces {}

        @!:{For Bareos:
Configuration files are named as bareos-{}.conf instead of bacula-{}.conf

As a security measure, the various Bacula components must authorize themselves to each other
This is accomplished using password specification
the Storage resource password in the bacula-dir.conf file must match the Director resource password in bacula-sd.conf


Configuration Architecture


By default, the Bacula/Bareos main configuration files are monolithic
One config file
One location
Difficult to manage
More prone to user error

Since Bacula 2.2.0 you can include the output of a command within a configuration file with the ”@|” syntax.
The same applies to Bareos
This allows us to break up the configs into separate, more manageable ‘child’ configuration files
By parsing these ‘child’ configuration files
ForEach child config file
Read content
Incorporate into main config file

In our configuration, we will be using this special syntax to create a distributed configuration
That is …
The main config file will be built from child config files located in specified folders
One folder per backup client
With each folder containing relevant client configs
Easier to manage
Easier to deploy new clients
This would involve:
Installing the backup client on the host
Creating a config folder for the client
Populating configuration files in the client folder
Multiple configs
Multiple locations

The architecutre is as follows:
Any files in the “conf.dir” folder are considered part of this file
On our Windows host, we have the following layout:
conf.dir [folder]
A ‘global’ folder contains default and global definitions for fileset, jobs, messages, pool, schedule, and storage directives
Client folders contain client-specific definitions for client, fileset, jobs, messages, pool, schedule, and storage directives
global [folder]
NewJersey [folder]
njexch01 [folder]
configs {njexch01.fileset.conf;; njexch01.pools.conf …}
NewYork [folder]
nyweb03 [folder]
configs {nyweb01.fileset.conf;; nyweb01.pools.conf …}
Pennsylvania [folder]
padb01 [folder]
configs {padb01.fileset.conf;; padb01.pools.conf …}
Florida [folder]
flexch01 [folder]
configs {flexch01.fileset.conf;; flexch01.pools.conf …}
Any files in the “” folder are considered part of this file
On our Windows host, we have the following layout: [folder]
A ‘global’ folder contains default and global storage device definitions
Client folderscontains client-specific storage device definitions
global [folder]
NewJersey [folder]
NewYork [folder]
Pennsylvania [folder]
Florida [folder]


File Paths

Windows Server 2003
[shell]C:\Documents and Settings\All Users\Application Data\Bareos\bareos-dir.conf
C:\Documents and Settings\All Users\Application Data\Bareos\bareos-dir.conf.readme.txt
C:\Documents and Settings\All Users\Application Data\Bareos\bareos-fd.conf
C:\Documents and Settings\All Users\Application Data\Bareos\bareos-sd.conf
C:\Documents and Settings\All Users\Application Data\Bareos\conf.dir
C:\Documents and Settings\All Users\Application Data\Bareos\
C:\Documents and Settings\All Users\Application Data\Bareos\logs
C:\Documents and Settings\All Users\Application Data\Bareos\scripts
C:\Documents and Settings\All Users\Application Data\Bareos\tray-monitor.conf
C:\Documents and Settings\All Users\Application Data\Bareos\working


Getting Started

Let’s get down to the guts shall we?

Installing Bacula on CentOS Linux 6.x

Installing Bareoes on Windows Server 2003 R2

Installing Bacula on CentOS Linux 6.x

@!:{this should work for the RedHat equivalent.


Install MySQL and Bacula

[shell]yum install mysql-devel mysql-server
yum install bacula-storage-mysql bacula-docs
yum install bacula-director-mysql bacula-console
yum install bacula-client bacula-traymonitor[/shell]

Start and Configure MySQL for Bacula

[shell]service mysqld start
chkconfig mysqld on[/shell]

Change the MySQL root password if you have a fresh install of MySQL

[shell]mysqladmin -u root password ‘new-password'[/shell]

Creating the mysql database structure


[shell]/usr/libexec/bacula/grant_mysql_privileges -u root -p
/usr/libexec/bacula/create_mysql_database -u root -p
/usr/libexec/bacula/make_mysql_tables -u root -p
/usr/libexec/bacula/grant_bacula_privileges -u root -p[/shell]

Installing from Source [Optional]

gls*install bacula from source
see:{Bacula Client For HP-UX@

Bacula: Post-Installation

Create the backup folder(s)
[shell]mkdir /backup
chown bacula /backup
chmod 766 /backup[/shell]

Set the MySQL password for user bacula
[shell]mysql -u root -p
–Enter Password:
WHERE user=’bacula&rsquo;;
UPDATE mysql.user SET password=PASSWORD (&lsquo;somepassword&rsquo;) WHERE user=&rsquo;bacula&rsquo;;

Configure and Start the Bacula Services
[shell]chkconfig bacula-dir on
chkconfig bacula-fd on
chkconfig bacula-sd on
service bacula-dir start
service bacula-fd start
service bacula-sd start[/shell]

Update Firwall Rules (If Applicable)
Modify the iptables configuration file to allow traffic to the bacula-director
[shell]vi /etc/sysconfig/iptables[/shell]
#Allow TCP – Bacula Director
[shell]    -A INPUT -m state –state NEW -m tcp -p tcp –dport 9101 -j ACCEPT
-A INPUT -m state –state NEW -m tcp -p tcp –dport 9102 -j ACCEPT
-A INPUT -m state –state NEW -m tcp -p tcp –dport 9103-j ACCEPT
    Restart the firewall
[shell]service iptables restart[/shell]


Installing Bareoes on Windows Server 2003 R2

@!:{Before you deploy Bareos, you’ll need the following prerequisites installed and properly configured on the target server:

  • postgreSQL
  • PowerShell Installed

Preflight Information
Item Description OS Platform Windows Server 2003 R2 32-bit Bareos Version 14.1.0 32-bit PostgreSQL Version 9.3 32-bit Bareos Service Password Being Used bareos Installation Directory C:\PostgreSQL\9.3 Data Directory C:\PostgreSQL\9.3\data


Bareos Setup


Installer Filename: winbareos-14.1.0.git.1406399071-32-bit-r786.1.exe
Launch the installer
Agree to Licence • Next
Destination Folder: C:\Program Files\Bareos • Next
Type of install: Full • Next
Bareos Client Configuration
Client Name
Director Name
Network Address
Client Monitor Password
Bacula Compatibility


After installation is complete:
Ensure sufficient permissions are in place for the Bareos Service Account
Bareos config paths
[shell]cacls “C:\Documents and Settings\All Users\Application Data\Bareos\scripts” /e /g bareos:f /t[/shell]
[shell]copy “C:\Program Files\Bareos\libbareoscats-postgresql.dll” to %WINDIR%\System32[/shell]
Launch the PostgreSQL database creation scripts
Change Working Directory
[shell]cd “C:\Documents and Settings\All Users\Application Data\Bareos\scripts\”[/shell]
Create the bareos database
[shell]psql.exe -U <postgres username> -f postgresql-createdb.sql[/shell]
Grant Database Rights
[shell]psql.exe -U <postgres username> -f postgresql-grant.sql bareos[/shell]

This concludes installation on Windows Server 2003


Configuring The Services

Great! You’ve installed Bacula/Bareos
Now it’s time to configure everything
The config files we are concerned with:


Director Config [bacula-dir.conf] – Directives Explained

A pointer to the computer you want to back up
Definition of when this job will run and the type of backup
Where type can be
A pointer to the backup device (tape drive or disk storage)
Details of the SQL database which stores the catalogue (index to contents of backup)
Collection of tapes or disk files which make up the storage
You may have multiple pools in different rotations
This is the Notification Engine
Can send messages to
Log File
Path definitions for the backup selection
Answers the question: What are you backing up?
Allows inclusion/exclusion rules
The Job directive can be considered the glue that binds all other directives in the Director config
The following specifications comprise this directive:
The Pool of backup destinations
Where the destination is a backup device defined in a Storage directive

Director Config [bacula-dir.conf] – Sample

[md]@|”sh -c ‘powershell.exe -ExecutionPolicy ByPass -Command C:/Docume~1/AllUse~1/Applic~1/Bareos/scripts/Get-BareosConf.ps1′”

C:\Documents and Settings\All Users\Application Data\Bareos\bareos-sd.conf
@|”sh -c ‘powershell.exe -ExecutionPolicy ByPass -Command C:/Docume~1/AllUse~1/Applic~1/Bareos/scripts/′”[/md]

Storage Daemon Config [bacula-sd.conf] – Directives Explained

One storage record for general setup
This is the Notification Engine
Can send messages to
Defines the Director allowed to control the Storage Daemon
Defines the storage device




Managing Backup Volumes

You might need to manage the backup voulmes for various reasons, e.g.
You need to clean up some unneeded volumes that are taking up valuable disk space


Prune & Purge Multiple Volumes From The Command Line


Bacula on Linux:
echo “use bacula;SELECT volumename
FROM Media,Pool,Storage
WHERE Media.PoolId=Pool.PoolId
AND Pool.Name=’etejedadmc-full-pool’
AND Media.StorageId=Storage.StorageId
ORDER BY VolumeName ASC;
” | mysql -u root -p | tail -n+2 > MatchedVolumes.list
cat MatchedVolumes.list | xargs -n 1 -I % echo ‘prune volume=”%” yes’ | bconsole
cat MatchedVolumes.list | xargs -n 1 -I % echo ‘purge volume=”%” yes’ | bconsole
cat MatchedVolumes.list | xargs -n 1 -I % echo rm -f /mnt/backups/etejedabackups/regular/etejedadmc.ufn.local/%
cat MatchedVolumes.list | xargs -n 1 -I % echo rm -f /mnt/backups/etejedabackups/regular/etejedadmc.ufn.local/%
cat MatchedVolumes.list | xargs -n 1 -I % ls -lh /mnt/backups/etejedabackups/regular/etejedadmc.ufn.local/%
#verify purge status
cat MatchedVolumes.list | xargs -n 1 -I % echo list volume=% | bconsole |grep ‘^|’|tail -n +2|sed ‘s,|,,g’
#remove volumes
cat MatchedVolumes.list | xargs -n 1 -I % rm -f /mnt/backups/etejedabackups/regular/etejedadmc.ufn.local/%

Bareos on Windows:
echo prune volume=Default-Pool-Full-etejedadmc-fd-183-vol yes| bconsole.exe
echo prune volume=Default-Full-Full-etejedabak02-fd-23-vol yes | bconsole.exe
echo prune volume=Default-Pool-Full-etejedadmc-fd-182-vol yes | bconsole.exe
echo prune volume=Default-Pool-Full-etejedadmc-fd-40-vol yes | bconsole.exe
echo prune volume=Default-Pool-Full-etejedadmc-fd-44-vol yes | bconsole.exe
echo prune volume=Full-0001 yes | bconsole.exe
echo prune volume=Incremental-0002 yes | bconsole.exe
echo prune volume=Differential-0003 yes | bconsole.exe

echo purge volume=Default-Pool-Full-etejedadmc-fd-183-vol yes| bconsole.exe
echo purge volume=Default-Full-Full-etejedabak02-fd-23-vol yes | bconsole.exe
echo purge volume=Default-Pool-Full-etejedadmc-fd-182-vol yes | bconsole.exe
echo purge volume=Default-Pool-Full-etejedadmc-fd-40-vol yes | bconsole.exe
echo purge volume=Default-Pool-Full-etejedadmc-fd-44-vol yes | bconsole.exe
echo purge volume=Full-0001 yes | bconsole.exe
echo purge volume=Incremental-0002 yes | bconsole.exe
echo purge volume=Differential-0003 yes | bconsole.exe

How to change Maximum Volume size in Pool Definition

update pool from resource
followed by
update all volumes in pool
follow the prompts in both cases


Interacting With Bacula/Bareos


Commands Cheatsheet

Scripting Bconsole

Windows BAT: Bacula Admin Tool



Monitoring Bacula

This secions covers monitoring basics for the Bacula software


Server-Side Key Performance Indicators (KPIs)


    Nagios Monitoring:
Xymon Bacula Check Script



This section covers some warnings one should heed to avoid problems in the future.


Bacula Output File


If you use the default bacula-dir.conf or some variation of it, you will note that it logs all the Bacula output to a file.

To avoid that this file grows without limit, we recommend that you copy the file logrotate from the scripts/logrotate to /etc/logrotate.d/bacula.

This will cause the log file to be rotated once a month and kept for a maximum of five months.

You may want to edit this file to change the default log rotation preferences.




$fso = New-Object -ComObject Scripting.FileSystemObject;
Get-ChildItem -Recurse “C:\Docume~1\AllUse~1\Applic~1\Bareos\conf.dir” `
| Where-Object {!$_.PSIsContainer} `
| ForEach-Object {
‘@’ + “$conf”
$fso = New-Object -ComObject Scripting.FileSystemObject;
Get-ChildItem -Recurse “C:\Docume~1\AllUse~1\Applic~1\Bareos\” `
| Where-Object {!$_.PSIsContainer} `
| ForEach-Object {
$conf=$fso.GetFile($_.FullName).ShortPath;’@’ + “$conf”


Miscellaneous Tasks


Reset Bacula Databases and Files

Backup Existing Database And Files
[shell]/usr/bin/mysqldump -aecqQ bacula > bacula_before_purge.sql[/shell]
Stop Bacula Services
[shell]service bacula-dir stop
service bacula-fd stop
service bacula-sd stop[/shell]
Drop MySQL Tables
[shell]mysql -u root -p -e “drop database bacula;”[/shell]
Recreate Database & Grant Permissions
/usr/libexec/bacula/create_mysql_database -u root -p
/usr/libexec/bacula/make_mysql_tables -u root -p
/usr/libexec/bacula/grant_mysql_privileges -u root -p
Stop Bacula Services
[shell]service bacula-dir start
service bacula-sd start
service bacula-fd start[/shell]
@!:{Assumes you are using MySQL for the Bacula Database




Problem Scenarios
Problem Possible Cause Troubleshooting
The Bacula Director service fails to start or starts then quickly stops There is most likely an error in the configuration preventing proper function The first step in troubleshooting is to determine what the problem is
Try launching the Director interactively from command line (without the /service flag) and observing output, e.g.:
[shell]"C:\Program Files\Bareos\bareos-dir.exe" -c "C:\Documents and Settings\All Users\Application Data\Bareos\bareos-dir.conf"
[/shell] In my case, I had an error in the configuration, so I was presented with the following standard output: [diff] … bareos-dir: ERROR TERMINATION atlib/res.c:459
Config error: Could not find config Resource Full referenced on line 13 : Full Backup Pool = Full …
: line 13, col 43 of file C:\DOCUME~1\ALLUSE~1\APPLIC~1\Bareos\conf.dir\base\JOBS~1.CON[/diff]
[diff]Fatal error: Storage daemon didn't accept Device
"device-name" because: 3924 Device "device-name" not in SD Device resources or no matching Media Type[/diff]
Possibibilites include:
1. Mismatching Media Type definitions between client storage definition and bacula storage definition
2. Missing Media Type definitions in either the client storage definition, bacula storage definition, or both
3. Insufficient permissions on the backup destination folder (if Media Type is File)
4. Storage daemon not running
5. You updated parameters for a storage device or pertinant configuration, but did not restart the storage daemon to finalize the changes [attr style="width:300px"
[diff]Fatal error: Storage daemon didn't accept Device "device-name" command[/diff] An error in the Storage Daemon configuration Double-check your SD configuration
Common problems include:
1. Invalid or non-existing path specified in Device directive (applies to Disk backup types)
[diff]Error: Director's comm line to SD dropped.
… Fatal error: filed/dir_cmd.c:2208 Comm error with SD. bad response to Append Data. ERR=Input/output error[/diff]
An error in the Storage Daemon configuration Double-check your SD configuration
Common problems include:
1. Invalid or non-existing path specified in Device directive (applies to Disk backup types)

@!:{Again, make sure to restart the storage daemon if you make any changes to the storage daemon configuration!

Filesystem Permissions



see:{Bacula volumes – running low on disk space@
see:{File storage: disk full, how to recover@
see:{gls*bacula delete failed jobs
see:{Purge Jobs @
see:{gls*bacula disk full recycle
see:{Bacula disk space management@
see:{Run sql-command from bash-script?@
see:{produce a separate sql@
see:{Volume Status is Full instead of Purge@
see:{gls*bconsole list vol status purged
see:{Bacula Cheat Sheet@
see:{Reset Bacula database and files@

Installing PostgreSQL on Windows Server 2003

This Article covers installation of PostgreSQL Version 9.3 32-bit on Windows Server 2003 32-bit OS


Item Description OS Platform Windows Server 2003 R2 32-bit PostgreSQL Version 9.3 32-bit PostgreSQL Service Account Username :postgres
Password: postgres Installation Directory
C:\PostgreSQL\9.3 Data Directory C:\PostgreSQL\9.3\data

@!:{This article presents the steps from the command line (cmd) perspective.

Launch PostgreSQL Installation


Installer Filename: postgresql-9.3.5-1-windows.exe
Launch the installer
Next • Data Directory: C:\PostgreSQL\9.3\data • Password: postgre • Port: 5432 • Locale: Default locale • Next …

Create The PostgreSQL Service User & Initialize Database Instance


Create the PostgreSQL User Account
[shell]net user postgres /add[/shell]

Set the password for the User Account to ‘postgres’
[shell]net user postgres postgres[/shell]

Register the PostgreSQL Windows Service and set logon as the postgres user
[shell]pg_ctl register -N postgres -U postgres -P postgres -D "C:/PostgreSQL/9.3/data"[/shell]

Set appropriate permissions on the PostgreSQL data directory
[shell]cacls c:\PostgreSQL\9.3\data /e /g postgres:F[/shell]

Initialize the database instance, specifying the data directory from above
[shell]initdb -U postgres -A password -E utf8 -W -D "C:/PostgreSQL/9.3/data"[/shell]

Start the PostgreSQL Service
[shell]net start postgres[/shell]

This covers the installation and default configuration of PostgreSQL on Windows Server 2003 R2

Post-Installation Notes

Ensure the postgreSQL bin folder is in Path environmental variable





Troubleshooting Scenarios
Error Possible Cause Possible Solution When you attempt starting the PostgreSQL service, you encounter an error similar to: "The postgres service on Local Computer started and then stopped. Some services stop automatically if they have no work to do, for example, the Performance Logs and Alerts service." The PostgreSQL Database Instance has not been initialized Initialize the database instance then try starting the service again
Additionally, you can verify that the PostgreSQL service account has adequate permissions on the data directory When you try executing any arbitrary PostgreSQL queries, you encounter an error similar to: "Execution of PostgreSQL by a user with administrative permissions is not permitted.
The server must be started under an unprivileged user ID to prevent
possible system security compromises. See the documentation for
more information on how to properly start the server.
You registered the PostgreSQL service with an administrative user De-register service
[shell]pg_ctl.exe unregister -N postgres
Register service as a non-administrative user account (e.g. postgres)
[shell]pg_ctl register -N postgres -U postgres -P postgres -D "C:/PostgreSQL/9.3/data"[/shell] You try to initialize the database instance but encount an error similar to: "initdb: directory "C:/PostgreSQL/9.3/data" exists but is not empty
If you want to create a new database system, either remove or empty
the directory "C:/PostgreSQL/9.3/data" or run initdb
with an argument other than "C:/PostgreSQL/9.3/data".
You are trying to initialize the database instance, but the data directory is not empty Delete the contents of the data directory and retry initializing the database instance Upon initializing the database instance, you encounter errors related to permissions, similar to:
fixing permissions on existing directory C:/PostgreSQL/9.3/data … initdb: could not change permissions of directory "C:/PostgreSQL/9.3/data": Permission denied
The PostgreSQL service account does not have adequate permissions on the data directory Grant full permissions on the data directory to the PostgreSQL service account, e.g.:
[shell]cacls c:\PostgreSQL\9.3\data /e /g postgres:F[/shell]

LAMP Stack with VirtualHosts On Centos 6.x

This article illustrates how to install the Apache Mysql PHP Stack on Centos 6.x.

Additionally, with this configuration, you can serve Multiple Domains using the Virtual Hosts Apache directive.

Install Apache

Invoke yum for installation of Apache
yum install -y httpd mod_ssl httpd-devel
@!:{httpd-devel libraries were included in order to have module compile capabilities, as well as being able to install modules from source

Enable autostart of the Apache service

chkconfig httpd on
Start the Apache service
service service httpd resart

Install PHP

Install PHP, et al

yum install -y php php-mysql php-common php-mbstring php-mcrypt php-devel php-xml php-pecl-memcache php-pspell php-snmp php-xmlrpc php-gd

Restart the Apache service

service httpd restart

Check DNS

Ensure there exists a DNS entry for the domain you want to use.

If this is a lab setup, or completely local, you can simply create a hosts entry for the domain, e.g.

vi /etc/hosts


Virtual Hosts

The NameVirtualHost directive allows us to host multiple websites on a single web server.


You want to host on your web server
You also want to host on your web server

In order to accomplish this, you’ll need to:
– enable the NameVirtualHost directive
– create appropriate configuration files for the domains in question, e.g.:


For now, let’s configure just one domain,


Create Vhosts Config Directories

Create a vhost config folder

mkdir -p /etc/httpd/vhost.d

Configure NameVirtualHost Directive

Add an include directive to the apache config file:

vim /etc/httpd/conf/httpd.conf
    Include vhost.d/*.conf

@!:{The above makes it so that any files ending in .conf under the folder vhost.d are included as part of the httpd.conf configuration
Notice that vhost.d is a relative path. The full path would be evaluated as ServerRoot/vhost.d, where ServerRoot is /etc/httpd (see the httpd.conf file for more information)

Comment out any Listen directives and add an include directive to a separate ports settings config file:

#Listen 80
Include ports.conf

@!:{The above makes it so that the ports.conf file is included as part of the httpd.conf configuration
What this accomplishes is a separation of port specification from the main config file

Create a ports config file

vi /etc/httpd/ports.conf

With contents:

Listen $Port
NameVirtualHost $IPPUBLIC:$Port
NameVirtualHost $IPPRIVATE:$Port
NameVirtualHost *:$Port

Where $Port is the numeric value of the port number through which you want Apache to listen for traffic

NameVirtualHost *:80

Restart Apache

service httpd restart

Create The Config File for the Virtual Host/Domain

Create a config file for your domain

vim /etc/httpd/vhost.d/mydomain1.conf


   <VirtualHost *:80>

    DocumentRoot /var/www/vhosts/
    <Directory /var/www/vhosts/>
    Options Indexes FollowSymLinks MultiViews
    AllowOverride All

    CustomLog /var/log/httpd/ combined
    ErrorLog /var/log/httpd/

    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn


Make sure your document root exists!

mkdir /var/www/vhosts/
#–OR Try this One-liner–#
ls /var/www/vhosts/ 2> /dev/null || echo does not exist;echo creating folder;mkdir -p /var/www/vhosts/ && echo created folder!


Modify Firewall

You’ll need to poke a hole in the firewall to allow communication to the Apache listening port (by default port 80):
Edit iptables config

vi /etc/sysconfig/iptables
A INPUT -m state –state NEW -m tcp -p tcp –dport 80 -j ACCEPT

Restart iptables

service iptables restart




Error – Could not find …


1. Problem: When navigating to your domain via web browser, you receive an error similar to ‘could not find’

Q:{Is DNS setup correctly?


if error then ensure DNS record exists on your DNS server

if Windows, try the ipconfig /flushdns command

Q:{Is Firewall to blame?

telnet $yourdomain $port


telnet 80

if error then ensure Firewall port is open:

vi /etc/sysconfig/iptables
e.g. -A INPUT -m state –state NEW -m tcp -p tcp –dport 80 -j ACCEPT

Restart firewall:

service iptables restart

2. Test website access again
Hopefully Success!

3. Test PHP functionality:

vi /var/www/vhosts/


Test website access again

If you’ve made numerous changes, try restarting the Apache service again
service httpd restart
If all else fails, and if you have the option to do so, reboot the server

Error – requested URl was not found on this server


In this case, I created the config file for the domain under vhosts.d, but had forgotten to give it a .conf file extension. doh!
Note how I used the watch command to ‘watch’ for changes to log files under /var/log/httpd.
This functions much like inotifywait for troubleshooting using log files.