Commit 33644e92 authored by Benjamin "Ziirish" SANS's avatar Benjamin "Ziirish" SANS

update scripts for latest burp relases (>2.1 and >2.2)

parent 355c30f4
......@@ -36,8 +36,9 @@ do
done
```
I provide *builders* for ubuntu/trusty, ubuntu/xenial, debian/wheezy,
debian/jessie and debian/stretch. Feel free to add new!
I provide *builders* for ubuntu/trusty, ubuntu/xenial, ubuntu/artful,
ubuntu/bionic, debian/wheezy, debian/jessie, debian/stretch and debian/buster.
Feel free to add new!
You have to install all the scripts in `/home/builder` and you should
......@@ -60,18 +61,28 @@ get started.
Then we create our repos:
```
GPG_KEY_EMAIL=<the_email_of_your_gpg_key>
mkdir repos/ubuntu
cd repos/ubuntu
for dist in trusty xenial
for dist in trusty xenial artful bionic
do
mkdir $dist
cd $dist
freight init -g <the_email_of_your_gpg_key> -c $PWD/etc/freight.conf --libdir=$PWD/lib --cachedir=$PWD/cache --suite="stable latest"
freight init -g $GPG_KEY_EMAIL -c $PWD/etc/freight.conf --libdir=$PWD/lib --cachedir=$PWD/cache --suite="stable latest"
cd ..
done
cd ..
mkdir debian
cd debian
for dist in jessie wheezy stretch buster
do
mkdir $dist
cd $dist
freight init -g $GPG_KEY_EMAIL -c $PWD/etc/freight.conf --libdir=$PWD/lib --cachedir=$PWD/cache --suite="stable latest"
cd ..
done
```
Then you can do the same for Debian.
```
# Usage
......@@ -95,28 +106,43 @@ webserver.
Here is a sample configuration for Nginx:
```
location /repos/ubuntu/xenial {
location /repos/ubuntu/xenial {
alias /home/builder/repos/ubuntu/xenial/cache;
autoindex on;
}
autoindex on;
}
location /repos/ubuntu/trusty {
alias /home/builder/repos/ubuntu/trusty/cache;
autoindex on;
}
autoindex on;
}
location /repos/debian/stretch {
alias /home/builder/repos/debian/stretch/cache;
autoindex on;
}
location /repos/ubuntu/artful {
alias /home/builder/repos/ubuntu/artful/cache;
autoindex on;
}
location /repos/ubuntu/bionic {
alias /home/builder/repos/ubuntu/bionic/cache;
autoindex on;
}
location /repos/debian/jessie {
alias /home/builder/repos/debian/jessie/cache;
autoindex on;
}
autoindex on;
}
location /repos/debian/wheezy {
alias /home/builder/repos/debian/wheezy/cache;
autoindex on;
}
autoindex on;
}
location /repos/debian/stretch {
alias /home/builder/repos/debian/stretch/cache;
autoindex on;
}
location /repos/debian/buster {
alias /home/builder/repos/debian/buster/cache;
autoindex on;
}
```
# simple config for burp_ca
RANDFILE = /dev/urandom
CA_DIR = /var/lib/burp/CA
[ ca ]
dir = $ENV::CA_DIR
database = $dir/index.txt
serial = $dir/serial.txt
certs = $dir/certs
new_certs_dir = $dir/newcerts
crlnumber = $dir/crlnumber.txt
unique_subject = no
default_md = sha256
default_days = 7300
default_crl_days = 7300
#????
name_opt = ca_default
cert_opt = ca_default
x509_extensions = usr_cert
copy_extensions = copy
policy = policy_anything
[ usr_cert ]
basicConstraints = CA:FALSE
[ policy_anything ]
commonName = supplied
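Review bot: `copy_extensions = copy` combined with `policy = policy_anything` means that any extension in a signing request which `[ usr_cert ]` does not set itself is carried into the issued certificate, and `[ usr_cert ]` pins only `basicConstraints = CA:FALSE`. If requests are only expected to bring a subjectAltName, say so in a comment above that line, e.g. `# requested extensions (subjectAltName) are copied; anything not pinned in usr_cert comes from the request`, and consider pinning `keyUsage` in `[ usr_cert ]` so a request cannot choose it. The bare `#????` above `name_opt` documents nothing and should either explain the two `ca_default` options or go. A short comment on `default_days = 7300` and `default_crl_days = 7300` would also help, since both give roughly 20 years of validity and revocation then depends entirely on the CRL being regenerated rather than on expiry.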
# This is an example config file for the burp server.
mode = server
# The default addresses to listen on depend upon compile time options.
# They may be overridden here.
#address = 0.0.0.0
port = 4971
# The port and address options have been removed in 2.2.10
# You must use listen instead
listen = 0.0.0.0:4971
max_children = 5
# Optionally configure additional ports.
# port = 5971
# max_children = 6
# Think carefully before changing the status port address, as it can be used
# to view the contents of backups.
#status_address = localhost
# If you do not wish to run a status server at all, comment status_port out.
status_port = 4972
# The status_port and status_address options have been removed in 2.2.10
# You must use listen_status instead
listen_status = 127.0.0.1:4972
max_status_children = 5
# Optionally configure additional status_ports.
# status_port = 5972
# max_status_children = 6
directory = /var/spool/burp
dedup_group = global
clientconfdir = /etc/burp/clientconfdir
# Choose the protocol to use.
# 0 to decide automatically, 1 to force protocol1 mode (file level granularity
# with a pseudo mirrored storage on the server and optional rsync). 2 forces
# protocol2 mode (inline deduplication with variable length blocks).
# Like many other settings, this can be set per client in the clientconfdir
# files.
# protocol = 0
pidfile = /run/burp/burp.server.pid
hardlinked_archive = 0
working_dir_recovery_method = delete
umask = 0022
syslog = 1
stdout = 0
# The following options can restrict what the client can do.
# Restore clients can override all of these expect for force_backup.
client_can_delete = 1
# Set client_can_force_backup to 0 to only allow timed backups.
client_can_force_backup = 1
client_can_list = 1
# Set client_can_restore to 0 if you want restores to only be initialised by
# the server.
client_can_restore = 1
client_can_verify = 1
# Ratelimit throttles the send speed. Specified in Megabits per second (Mb/s).
# ratelimit = 1.5
# Network timeout defaults to 7200 seconds (2 hours).
# network_timeout = 7200
# Server storage compression. Default is zlib9. Set to zlib0 to turn it off.
#compression = zlib9
# When the client version does not match the server version, log a warning.
# Set to 0 to turn it off.
version_warn = 1
# More configuration files can be read, using syntax like the following
# (without the leading '# ').
# . path/to/more/conf
# Location of autoupgrade files to serve to clients. Leave it commented out
# to not autoupgrade clients.
# autoupgrade_dir = /etc/burp/autoupgrade/server
# You can have as many 'keep' lines as you like.
# For example, if running backups daily, setting 7, 4, 6 will keep
# 7 daily backups, 4 weekly, and 6 four-weekly backups.
keep = 7
# keep = 4
# keep = 6
# Run as different user/group.
user = burp
group = backup
# CA options.
# If you want your server to be a certificate authority and generate its own
# certificates, uncomment the following lines. If the directory specified in
# ca_conf does not exist, the server will create, populate it, and the paths
# indicated by ssl_cert_ca, ssl_cert, ssl_key and ssl_dhfile below will be
# overwritten. See docs/burp_ca.txt for more information.
ca_conf = /etc/burp/CA-2.1.cnf
ca_name = burpCA
ca_server_name = burpserver
ca_burp_ca = /usr/sbin/burp_ca
# Check for revoked certificates in the certificate revocation list.
# Turn this off if you use the old ssl_extra_checks_script server script.
ca_crl_check = 1
# SSL certificate authority - same file on both server and client
ssl_cert_ca = /var/lib/burp/ssl/server/ssl_cert_ca.pem
# Server SSL certificate
ssl_cert = /var/lib/burp/ssl/server/ssl_cert-server.pem
# Server SSL key
ssl_key = /var/lib/burp/ssl/server/ssl_cert-server.key
# Server SSL ciphers
#ssl_ciphers =
# Server SSL compression. Default is zlib5. Set to zlib0 to turn it off.
#ssl_compression = zlib5
# SSL key password, for loading a certificate with encryption.
#ssl_key_password = password
# Server DH file.
ssl_dhfile = /var/lib/burp/ssl/server/dhfile.pem
# The default timer_script treats the first timer_arg as the minimum interval
#timer_script = /usr/share/burp/scripts/timer_script
# Ensure that 20 hours elapse between backups
# Available units:
# s (seconds), m (minutes), h (hours), d (days), w (weeks), n (months)
timer_arg = 20h
# Allow backups to start in the evenings and nights during weekdays
timer_arg = Mon,Tue,Wed,Thu,Fri,00,01,02,03,04,05,19,20,21,22,23
# Allow more hours at the weekend.
timer_arg = Sat,Sun,00,01,02,03,04,05,06,07,08,17,18,19,20,21,22,23
# Note that, if you specify no timebands, the default timer script will never
# allow backups.
# Uncomment the notify_success_* lines for email notifications of backups that
# succeeded.
# In the subject line, the following are substituted:
# %b - "backup"/"restore"/"verify"
# %c - client name
# %w - number of warnings, if any
#notify_success_script = /usr/share/burp/scripts/notify_script
#notify_success_arg = sendmail -t
#notify_success_arg = To: youremail@example.com
#notify_success_arg = From: burp
#notify_success_arg = Subject: %b succeeded: %c %w
# Uncomment the following to have success notifications only if there were
# warnings.
#notify_success_warnings_only = 1
# Uncomment the following to have success notifications only if there were
# new or changed files.
#notify_success_changes_only = 1
# Uncomment the following for email notifications of backups that failed.
#notify_failure_script = /usr/share/burp/scripts/notify_script
#notify_failure_arg = sendmail -t
#notify_failure_arg = To: youremail@example.com
#notify_failure_arg = From: burp
#notify_failure_arg = Subject: %b failed: %c %w
# The server can run scripts on each connection after authentication and before
# disconnecting.
#server_script_pre = /usr/share/burp/scripts/ssl_extra_checks_script
#server_script_pre_arg = /etc/burp/crl
#server_script_pre_arg = /etc/burp/burp-server.conf
#server_script_pre_arg = /usr/share/burp/scripts/server-pre-script.local
# Set server_script_pre_notify to 1 to have notifications on server_script_pre
# returning non-zero. Most people will want to leave this off - it could
# result in a lot of emails because clients normally connect once every 20
# minutes. Requires notify_failure_script to be set above.
#server_script_pre_notify = 0
#server_script_post =
#server_script_post_arg =
#server_script_post_arg =
#server_script_post_run_on_fail=0
# As for server_script_pre_notify, but for post.
#server_script_post_notify = 0
# Clients that are able to list and restore files belonging to any other
# client. If this is too permissive, you may set a restore_client for
# individual original clients in the individual clientconfdir files.
# restore_client = someclient
# restore_client = someotherclient
# Whether or not the server process should cache the tree when a monitor client
# is browsing a backup. Advantage: speed. Disadvantage: more memory is used.
#monitor_browse_cache = 1
# Source external configurations
. /etc/burp/conf.d/*.conf
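Review bot: The comments around the status listener still describe the removed options, which matters because this is the port the file itself warns "can be used to view the contents of backups". The caution points at `#status_address = localhost` and the instruction for disabling the status server is "comment status_port out", while the 2.2.10 note directly below says only `listen_status` is used; an administrator following the old instruction would presumably leave `listen_status = 127.0.0.1:4972` active. The wording should move to the new key, e.g. `# If you do not wish to run a status server at all, comment listen_status out.`, with `# listen_status = 127.0.0.1:5972` and `# listen = 0.0.0.0:5971` replacing the `status_port`/`port` examples for additional ports. This rendering does not show which of the `port`/`status_port` lines are on the removed side, so the note assumes only the `listen*` lines remain.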
......@@ -3,6 +3,7 @@ Description=BackUp and Restore Program Server Daemon
Documentation=man:burp(8)
[Service]
RuntimeDirectory=burp
EnvironmentFile=-/etc/default/burp
ExecStart=/usr/sbin/burp $DAEMON_ARGS -F
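Review bot: `RuntimeDirectory=burp` (presumably the line this hunk adds) is created by systemd for the unit's `User=`/`Group=`, and the visible `[Service]` lines set neither, so `/run/burp` would be root-owned with the default mode 0755. The packaged server config on this page sets `user = burp`, `group = backup` and `pidfile = /run/burp/burp.server.pid`, so the pidfile can only be created or removed there while the daemon still runs as root. It is worth confirming that ordering and recording it next to the directive, e.g. `# /run/burp is created root-owned; the pidfile must be written before burp switches to the user/group from burp-server.conf`. The unit continues past the hunk, so a `User=` further down would change this.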
......
# Please leave this file empty
burp-server (2.1.32-1) experimental; urgency=low
Starting with the 2.1.x branch, the burp-server packages has been reworked
in order to implement some security best practices.
The main change is to switch the default daemon user from "root:root" to
"burp:backup".
These changes should only be implemented on fresh install to avoid
messing up with existing backups.
However, if you never touched the burp-server.conf file, it is possible this
upgrade will prevent existing clients to connect to the server. This is due
to a change in the "ca_conf" setting.
The burp-server daemon user changed from "root:root" to "burp:backup". This
change may prevent your server to launch.
Before 2.1.x, the default burp-server.conf contained:
#user = root
#group = root
ca_conf = /etc/burp/CA.cnf
Now it contains:
user = burp
group = backup
ca_conf = /etc/burp/CA-2.1.cnf
If you encounter one of these issues, you just have to revert those changes.
-- Benjamin SANS <ziirish@ziirish.info> Mon, 02 Jul 2018 16:53:00 +0200
burp-server (2.2.10-1) experimental; urgency=low
Starting with burp-2.2.10, the 'address'/'port' and
'status_address'/'status_port' options have been replaced by 'listen' and
'listen_status' respectively.
If you choose not to override your burp-server.conf during the installation,
you'll have to manually add those settings otherwise your burp-server won't
be able to start anymore.
If you had:
address = 0.0.0.0
port = 4971
status_address = 127.0.0.1
status_port = 4972
You'll have to replace those lines by:
listen = 0.0.0.0:4971
listen_status = 127.0.0.1:4972
-- Benjamin SANS <ziirish@ziirish.info> Wed, 19 Sep 2018 15:28:00 +0200
burp-server (2.1.32-1) experimental; urgency=low
Starting with the 2.1.x branch, the burp-server packages has been reworked
in order to implement some security best practices.
The main change is to switch the default daemon user from "root:root" to
"burp:backup".
These changes should only be implemented on fresh install to avoid
messing up with existing backups.
However, if you never touched the burp-server.conf file, it is possible this
upgrade will prevent existing clients to connect to the server. This is due
to a change in the "ca_conf" setting.
The burp-server daemon user changed from "root:root" to "burp:backup". This
change may prevent your server to launch.
Before 2.1.x, the default burp-server.conf contained:
#user = root
#group = root
ca_conf = /etc/burp/CA.cnf
Now it contains:
user = burp
group = backup
ca_conf = /etc/burp/CA-2.1.cnf
If you encounter one of these issues, you just have to revert those changes.
-- Benjamin SANS <ziirish@ziirish.info> Mon, 02 Jul 2018 16:53:00 +0200
burp-server (2.1.32-1) experimental; urgency=low
* Added NEWS.Debian file
* Switch daemon user from "root:root" to "burp:backup"
* Added a new conf.d directory to hold user custom configuration
-- Benjamin SANS <ziirish@ziirish.info> Mon, 02 Jul 2018 16:54:00 +0200
burp (2.1.28-1) experimental; urgency=low
* New upstream release 2.1.28
-- Benjamin SANS <ziirish@ziirish.info> Wed, 20 Jun 2018 11:42:00 +0200
burp (2.1.26-1) experimental; urgency=low
* New upstream release 2.1.26
-- Benjamin SANS <ziirish@ziirish.info> Tue, 16 Jan 2018 17:32:00 +0100
burp (2.0.54-1) stable; urgency=low
* New stable version
-- Benjamin SANS <ziirish@ziirish.info> Thu, 3 Jan 2017 00:00:00 +0100
burp (2.0.53-1) UNRELEASED; urgency=low
* New upstream release
-- Terje Bakken <terje@terki.no> Tue, 23 Dec 2016 00:11:00 +0100
burp (1.3.26-2) experimental; urgency=low
* Reformated changelog
* Changed copyright from /debian/* from GPL-2 to AGPL-3
* Added Vcs-Browser to control file
* Bumpt dephelper to 9
* Bumpt compat to 9
-- Bastiaan Franciscus van den Dikkenberg <bas@dikkenberg.net> Thu, 07 Mar 2013 14:48:39 +0100
burp (1.3.26-1) unstable; urgency=low
* New upstream release version 1.3.26
- When a read_blockdev option matches a symlink, backup the destination as
a raw block device.
- Avi Rozen's valgrind cleanup. Includes a fix for a bug in restore_client.c
where overwrite_ok checked the wrong stat struct when considering a FIFO.
- Add '-v' option to bedup (output the names of duplicate files).
- Add '-d' option to bedup (delete duplicates instead of hardlinking - not
for use on burp storage directories).
-- Bastiaan Franciscus van den Dikkenberg <bas@dikkenberg.net> Tue, 05 Mar 2013 15:26:40 +0100
burp (1.3.24-1) unstable; urgency=low
* New upstream release version 1.3.24
- Bug fix for strip_vss/split_vss truncating backups of changed files on
Windows.
- Bug fix for autoupgrade failing on Windows if autoupgrade_dir has been
modified.
- Bug fix for listing backups created with split_vss=1.
- Bug fix for restoring uncompressed encrypted backups created with
split_vss=1.
- Bug fix for making backups with min_file_size and split_vss=1.
- Bug fix for Debian init do_stop() function from Peter Maloney.
- Bug fix for resuming backups where a file to patch has already been
hard linked into place. Also get the client to report a more helpful
message if any similar problem happens.
- Bug fix for signal handler race conditions.
- Bug fix for the forkchild child not exiting when execv fails.
- Changed the run_script() code to take an array.
- Added server_script_pre_notify and server_script_post_notify options.
- Rework the test script so that it can test Windows clients.
- Attempt a Windows signal handler to try to shut VSS down nicely on certain
signals, such as Ctrl-C.
- Include an example server side offsite rsync backup script. This is not
quite working properly, but it may still be useful.
- Big fix to stop Windows going to sleep during a backup, from Avi Rozen.
- unable to set datapath" backup resume bug (Closes: #695641)
- spelling error: 'overriddden' (Closes: #685568)
- error in client_can_list section (Closes: #694506)
- - Bastiaan Franciscus van den Dikkenberg <bas@dikkenberg.net> Tue, 29 May 2012 12:45:58 +0200
burp (1.3.22-1) UNRELEASED; urgency=low
* New upstream release version 1.3.22
- Contributions from Avi Rozen:
+ Added a '-j' option to format the long file list as JSON. Intended
for use with burpfs (https://github.com/ZungBang/burpfs).
+ Bug fix for list/verify/restore when regex is long and/or contains
a colon.
+ Bug fix for split_vss backups being restored on a linux
restore_client with the -f (force) option. Prevents overwrite of the
destination file with the vss footer.
- Contributions for burp_ca from Patrick Koppen:
+ Bug fix for the size option.
+ Use shell numeric comparison instead of string comparison.
+ Added subjectAltName patch (in case it is needed outside of burp).
-- Bastiaan Franciscus van den Dikkenberg <bas@dikkenberg.net> Wen, 03 jan 2012 12:00:00 +0200
burp (1.3.18-1) UNRELEASED; urgency=low
* New upstream release version 1.3.18
- Bug fix for split/strip_vss = 1 on the client side always causing all files
to be backed up.
- Make configure report /usr as the default prefix.
-- Bastiaan Franciscus van den Dikkenberg <bas@dikkenberg.net> Tue, 18 dec 2012 12:12:34 +0200
burp (1.3.6-1) UNRELEASED; urgency=low
* New upstream release version 1.3.6
-- Bastiaan Franciscus van den Dikkenberg <bas@dikkenberg.net> Tue, 29 May 2012 12:45:58 +0200
burp (1.3.4-2) unstable; urgency=low
* Fixes building isues with hppa and powerpcspe and sparc64
Changed debhelper version to (>= 8)
-- Bastiaan Franciscus van den Dikkenberg <bas@dikkenberg.net> Fri, 04 May 2012 11:57:30 +0200
burp (1.3.4-1) unstable; urgency=low
* New upstream release version 1.3.3
- Fixed make error during build process
- Fixed compression directive not fully functional only numeric value
allowed Debian bug: (Closes: #665843)
- Fix "Build of version 1.3.2 failing" (Closes: #669107)
- Tidy up "Raw partition" (Closes: #670598)
- Prevent client from browsing backups (Closes: #670599)
- Prevent client from running a restore (Closes: #670600)
- Fix "Document or implement ability to prevent *client* from initiating
manual backup (Closes: #670601)
-- Bastiaan Franciscus van den Dikkenberg <bas@dikkenberg.net> Sat, 28 Apr 2012 09:22:05 +0200
burp (1.3.1-1) unstable; urgency=low
* New upstream release version 1.3.1
- Switched to Standards-Version 3.9.3 Debian bug: (Closes: #661001)
- respect noopt in DEB_BUILD_OPTIONS. Debian bug: (Closes: #661281)
- Fixed typo in logrotate script Debian bug: (Closes: #660964)
- added debug package Debian bug: (Closes: #661267)
- Add 'exclude_fs =' option for Linux so that you can skip partitions
types (for example, tmpfs) without generating warnings.
- If recovery method 'resume' is set, but the includes/excludes change,
switch to 'use', then start a new backup.
- In the tests, check to see whether it looks like the server has finished
the backup before moving on, rather than just waiting a set amount of time.
- Remove embedded uthash code. It will need to be installed as a dependency.
For example, in Debian, you might run 'apt-get install uthash-dev'.
- Add Bas van den Dikkenberg's tweaks for getting burp into official Debian
and Ubuntu repositories. Burp is now in debian sid and ubuntu precise.
- Make the server tell the client what extra_comms features it supports, so
that, in future, old servers are more likely to work with new clients.
- Improve 'make clean'.
- Add option to strip off leading path components on restore.
- Fix segfault that was happening on the server when SSL_accept() failed.
- Move burp and bedup to /usr/sbin (you need to check that any cron jobs
are pointing there too).
- Moved list of things to do to https://github.com/grke/burp/issues
-- Bastiaan Franciscus van den Dikkenberg <bas@dikkenberg.net> Mon, 27 Feb 2012 15:34:17 +0100
burp (1.3.0+20120214git-1) unstable; urgency=low
* New version from GIT
* Compilation bug solved for in farm (Closes: #659692)
* New upstream release from GIT branch 1.3.1 on advise of author
* Add 'exclude_fs =' option for Linux so that you can skip partitions
types (for example, tmpfs) without generating warnings.
* If recovery method 'resume' is set, but the includes/excludes change,
switch to 'use', then start a new backup.
* In the tests, check to see whether it looks like the server has finished
the backup before moving on, rather than just waiting a set
amount of time.(Closes: #659462)
* Add man pages for bedup and burp_ca.
* Remove embedded uthash code. It will need to be installed
as a dependency. (Closes: #659454)
-- Bastiaan Franciscus van den Dikkenberg <bas@dikkenberg.net> Tue, 14 Feb 2012 15:47:01 +0100
burp (1.3.0-3) unstable; urgency=low
* Forgot to add 1 patch
-- Bastiaan Franciscus van den Dikkenberg <bas@dikkenberg.net> Sun, 12 Feb 2012 14:50:29 +0100
burp (1.3.0-2) unstable; urgency=low
* added forwarded header to patches
* removed changelog entries from patches
* removed debian/README (Closes: #659453)
* removed blank MAILTO header in cronjob and
redirected output to /var/log/burp-client (Closes: #659452)
* added extra logrotate for /var/log/burp-client
* changed /var/run to /run (Closes: #659464)
* thanks to Justin B Rye from debian-l10n-english team for
helping with linguistic support
-- Bastiaan Franciscus van den Dikkenberg <bas@dikkenberg.net> Sat, 11 Feb 2012 23:48:03 +0100
burp (1.3.0-1) unstable; urgency=low
* changed file permissions in rules file
* removed empty todo and readme
* fixed a typo in the control file
* override_dh_auto_configure restore is necessary to run
./configure without any options
the configure files places the files in the correct
directory for a Debian build
* added watch file
* made patch to move PID file
* fixed lintian errors
* corrected the Copyright file
* initial release (Closes: #658152)
* switched to 3.0 (quilt)
* made lintian override file for file permissions
* added man pages for bedup and burp_ca
-- Bastiaan Franciscus van den Dikkenberg <bas@dikkenberg.net> Fri, 10 Feb 2012 17:14:13 +0100