Bacularis, problem with connection to remote host and call curl

[Romain Delmas]

Hello Marcin,

At first i hope everything is well with you.

I need your help with a problem i can't figure out how to solve... and my colleague, Philippe Deslalande, enjoying a well-deserved vacation...

For one of our webservers we have an error in the GUI interface and from get cURL calls.

1. With the second Bacularis, if we can connect to the web interface, including 2FA, as soon as we're on it, even if we can browse the pages, we always have the same message on the screen :

"Error code 100. Problem with connection to the remote host. cURL error 0."

And there's nothing we can do.

2. At the same time, if i'm using curl with this call :

"curl -v -X GET 'https://my-fqdn:my-port/oauth/authorize?response_type=code&client_id=XXX&scope=XXX&redirect_uri=XXX' -H 'Content-Type: application/x-www-form-urlencoded'"

which works perfectly on the firtst webserver, on the second one i obtain :

"HTTP/1.1 401 Unauthorized (...) {"error":"access_denied"}"

3. I checked everythinf i have and i did not notice any difference between the second webserver and the first one (document root, api/web/oauth conf, access rights...), i tried to add verbosity on the webserver and i get this bacularis-web.log :

"2024-03-07 11:04:57 [Application] ConfigIni.php:177: ERROR [Bacularis.API.Config.api] Required section 'api' not found in config.

2024-03-08 08:39:12 [Application] BaculumAPIClient.php:189: API REQUEST ==> https://localhost:port/api/v2/directors?director=
2024-03-08 08:39:12 [Application] BaculumAPIClient.php:460:
2024-03-08 08:39:12 [Application] BaculumAPIClient.php:486: stdClass Object
(
    [error] => 100
    [output] => Problem with connection to remote host. cURL error 0: .
)"

But, then again, i did not notice any difference with the first server... and the API/Config/api.conf looks very complete...

So, maybe I missed something absolutely obvious but any little help would be appreciated !

Looking forward to your help, and thanking you in advance for your insight !

Kind regards,
Romain

[Marcin Haba]

Hello Romain,

Welcome to the Bacularis user list.

Thanks for describing to us your problem with Bacularis. Well, it
looks like in the 'API/Config/api.conf' the '[api]' section is
missing.

This message:

Problem with connection to remote host. cURL error 0:

means that the web interface received from the API something that is
not valid JSON. In this case it can receive HTML from the API initial
wizard that could be activated due to a not complete api.conf file.

I would propose to review the api.conf and make sure that [api]
section like this is on place:

[api]
auth_type = "oauth2"
debug = "0"
lang = "en"

and that in the INI-style is not any syntax error.

Thanks in advance for your feedback. Greetings for Philippe.

Best regards,
Marcin Haba (gani)

> --
> You received this message because you are subscribed to the Google Groups "bacularis" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to bacularis+...@googlegroups.com.
> To view this discussion on the web, visit https://groups.google.com/d/msgid/bacularis/4beaed3e-7160-4ce4-bcd5-b9ebb49c96e7n%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.



--
"Greater love hath no man than this, that a man lay down his life for
his friends." Jesus Christ

"Większej miłości nikt nie ma nad tę, jak gdy kto życie swoje kładzie
za przyjaciół swoich." Jezus Chrystus

[Romain Delmas]

Hello Marcin,

Thanks for your fast response.

I've checked this file (/vendor folders are symbolic links):
- /usr/share/bacularis/protected/API/Config/api.conf

[api]
auth_type = "oauth2"
debug = "1"
lang = "en"

I changed the debug from 0 to 1 precisely to have more material (bacularis-web.log appear since in Logs's API folder) but i did not notice any INI-style error here...

I tried a "grep 'api.conf' -R" on /usr or /etc to be sure to check the right file and it seems the good one.

I also tried to delete this part and rewrite it, without any success...

Whatever, thanks four your feedback !

[Marcin Haba]

Hello Romain,

Thanks for the answer and providing more details.

For the missing [api] section, this error message does not happen in
other cases. Could you tell me if you have only one this type of
errors in logs, or you have many? If there is only one it could happen
in time when you were editing the api.conf, the content was incomplete
and at the same time a request came to the API.

For the cURL command and error:

"HTTP/1.1 401 Unauthorized (...) {"error":"access_denied"}"

API returns this access denied error in two cases:

1) if client_id provided in the url does not exist in the API OAuth2
accounts. You can check if this client_id section is in

/usr/share/bacularis/protected/API/Config/oauth2.conf

2) if the provided redirect_uri parameter is different than this
assigned for given client_id in oauth2.conf file. Please note that
protocol (http/https), port and all other parts of the redirect_uri
address have meaning and have to be the same on both sides.


So, I would propose to check these two things in the oauth2.conf file.
If something is different, you need to correct it and retry the cURL
command. At the end please write to us if it helped.

Good luck.

Best regards,
Marcin Haba (gani)

> To view this discussion on the web, visit https://groups.google.com/d/msgid/bacularis/5c832e47-d832-49e6-8617-739e0de1e26an%40googlegroups.com.

[Romain Delmas]

Hi,

About your first asking, i get several of same errors (~/API/Logs/bacularis-web.log) :

2024-03-08 14:43:38 [Application] ConfigIni.php:177: ERROR [Bacularis.API.Config.api] Required section 'api' not found in config.
2024-03-08 14:43:38 [Application] BaculumAPIClient.php:189: API REQUEST ==> https://localhost:9097/api/v2/oauth2/clients/XXXXXclientIDXXXXX?director=
2024-03-08 14:43:38 [Application] BaculumAPIClient.php:460:
2024-03-08 14:43:38 [Application] BaculumAPIClient.php:486: stdClass Object

(
    [error] => 100
    [output] => Problem with connection to remote host. cURL error 0: .
)

2024-03-08 14:45:51 [Application] ConfigIni.php:177: ERROR [Bacularis.API.Config.api] Required section 'api' not found in config.
2024-03-08 14:45:51 [Application] ConfigIni.php:177: ERROR [Bacularis.API.Config.api] Required section 'api' not found in config.
2024-03-08 14:45:51 [Application] ConfigIni.php:177: ERROR [Bacularis.API.Config.api] Required section 'api' not found in config.
2024-03-08 14:45:52 [Application] ConfigIni.php:177: ERROR [Bacularis.API.Config.api] Required section 'api' not found in config.
2024-03-08 14:45:52 [Application] ConfigIni.php:177: ERROR [Bacularis.API.Config.api] Required section 'api' not found in config.

About your explanation, i re-checked /usr/share/bacularis/protected/API/Config/oauth2.conf on both bacularis:

1. I tried to push a GET cURL call by testing with differents clientsID and scopes present in the config file on the second bacularis without any success : "error":"access_denied".

2. I tried with the same way of acting on our first bacularis and these times i get the rights clients code without any problem ou error or denied access : https://my-webserver-fqdn:port/web/redirect?code=bXXXXXXXXXXXXXXc7

The variable redirect_uri, the webserver name/protocol/port (except what makes them different), all are the same on the oauth2 config file but the feedbacks are differents : each time i tried to use oauth2/api.conf on the second bacularis it's like there're missing...

I even tried the heavy-duty method by putting all /usr/share/bacularis files from the first bacularis to the second for nothing 0:) Desperate attempt  -_-'

Thx again for your time,

Kind regards,

Romain

[Marcin Haba]

Hello Romain,

Thanks for all these details.

I was able to reproduce the same behaviour as occurs in your
environment. It is when the web server user is not able to read
content of the Config/ directory.

I would propose to run this command from the root user account putting
in place WEBUSER the web server/PHP user:

sudo -u WEBUSER ls -l /usr/share/bacularis/protected/API/Config/

For rpms installations it will be:

sudo -u apache ls -l /usr/share/bacularis/protected/API/Config/

For debs installation it will be:

sudo -u www-data ls -l /usr/share/bacularis/protected/API/Config/

Also as you wrote that you copied Bacularis files between systems I
have a note that if you use in your system SELinux, then after each of
this copying you need to re-label Bacularis files. It will be command
like this:

restorecon -i -R PATH/TO/BACULARIS/CONFIG/DIR

I hope that this time we will be successful :-)

Best regards,
Marcin Haba (gani)

> To view this discussion on the web, visit https://groups.google.com/d/msgid/bacularis/d3ec7ee9-e151-4e07-b5db-3a9e557dff79n%40googlegroups.com.

[Romain Delmas]

Hey !

You've got something here.

I only and simply checked access permissions of the usr/share/bacularis files with a 'ls -la' from root and as the rendering was seamless on both sides, ie:

-rw------- 1 www-data www-data  Mar  8 14:49 api.conf
-rw------- 1 www-data www-data  Oct 31 09:42 bacularis.users
-rw------- 1 www-data www-data  Oct 31 09:42 basic.conf
-rw------- 1 www-data www-data  Mar  8 15:42 oauth2.conf
-rw------- 1 www-data www-data   Mar  9 14:05 session.dump

i did not test "sudo -u www-data ls -l /usr/share/bacularis/protected/API/Config/" ... 

And you're right, i've got a Permission denied on the second bacularis one...

I tryed the same command on the parent group with success and i get :

ls -ld /usr/share/bacularis/protected/API/
drwxr-xr-x  www-data www-data 4096 Mar  6 15:52 /usr/share/bacularis/protected/API/

Everything seemed well but it was not... So, i had to destroy the symbolic link and to recreate it with chmod 700 and the appropriate chown and... \o/  the sudo -u www-data ls -l command works AND the curl request get the appropriate code response when i tried the call.

That's a big and good progress. It's just perfect.

Now i get Error 4 - Problem with connection to bconsole. Output=>Connecting to Director website:port, Exitcode=>1 BUT i'll see that on monday.

And when i tested a ss -tlnp | grep 'port'  i get nothing, sooooo i'm pretty sure tha's the reason why.

A very and great thanks ! i did not think to try to focus the listing with the webserver user... just well thought out and brillant.

With many thanks,

Kind regards,

Romain

[Marcin Haba]

Hello Romain,

Many thanks for your mail. Great to hear that we solved it :-) It was
not the easiest case, fortunately successful.

Bacularis Web and API do checking if these directories are readable
and writable. If something is wrong with it, in the API or Web panel
is displayed an error page with list directories, that Bacularis does
not have access and that should have access.

What is not checked and what could be checked is the execute bit,
which for directories has additional meaning. I need to think adding
checking the execute bit.

Best regards,
Marcin Haba (gani)

> To view this discussion on the web, visit https://groups.google.com/d/msgid/bacularis/31890c75-e256-4bd8-8930-bcd75be27163n%40googlegroups.com.

[Romain Delmas]

Hey !

Thanks again for all your advices and your help.

Just a final asking. 

You probably know that Philippe built a cluster bacularis system. So, the first bacularis works perfectly, IHM and API included ; then, now, with your lights, on the second one, i can make all API request with curl and interact with the API part of the webserver (the reason why we 'lost' permissions access files/folders despite the good informations displayed on the terminal seems does'nt belong to this world...). But the IHM part still doest not work.

I get this error on the IHM:
Error 4 - Problem with connection to bconsole. Output=>Connecting to Directormy-webserver:port-bacula-dir, Exitcode=>1

Error also present on the /usr/share/bacularis/protected/API/Logs/bacularis-web.log :

2024-03-11 09:28:41 [Application] BaculumAPIClient.php:189: API REQUEST ==> https://localhost:port/api/v2/directors?director=
2024-03-11 09:28:41 [Application] BaculumAPIClient.php:460: {"output":["director-dir"],"error":0}
2024-03-11 09:28:41 [Application] BaculumAPIClient.php:486: stdClass Object
(
    [output] => Array
        (
            [0] => director-dir
        )
    [error] => 0
)

2024-03-11 09:28:41 [Application] BaculumAPIClient.php:189: API REQUEST ==> https://localhost:port/api/v2/config?director=director-dir
2024-03-11 09:28:41 [Application] BaculumAPIClient.php:460: {"output":[{"component_type":"dir","component_name":"director-dir","state":true,"error_msg":""},{"component_type":"sd","component_name":"director-sd","state":true,"error_msg":""},{"component_type":"fd","component_name":"director-fd","state":true,"error_msg":""},{"component_type":"bcons","component_name":"director-dir","state":true,"error_msg":""}],"error":0}
2024-03-11 09:28:41 [Application] BaculumAPIClient.php:486: stdClass Object
(
    [output] => Array
        (
            [0] => stdClass Object
                (
                    [component_type] => dir
                    [component_name] => director-dir
                    [state] => 1
                    [error_msg] =>

            [1] => stdClass Object
                (
                    [component_type] => sd
                    [component_name] => director-sd
                    [state] => 1
                    [error_msg] =>
                )
            [2] => stdClass Object
                (
                    [component_type] => fd
                    [component_name] => director-fd
                    [state] => 1
                    [error_msg] =>
                )
            [3] => stdClass Object
                (
                    [component_type] => bcons
                    [component_name] => director-dir
                    [state] => 1
                    [error_msg] =>
                )
        )
    [error] => 0
 )                

That's something i don't find strange because of:

~$ sudo netstat -anp | grep LISTEN | grep bacula
tcp        0      0 0.0.0.0:port            0.0.0.0:*               LISTEN      2598014/bacula-fd
tcp        0      0 0.0.0.0:port            0.0.0.0:*               LISTEN      2598021/bacula-sd

 

Which is compliant with the daemon status :

~$ sudo systemctl status bacula-dir.service

● bacula-dir.service - Bacula Director Daemon service
     Loaded: loaded (/lib/systemd/system/bacula-dir.service; enabled; vendor preset: enabled)
     Active: failed (Result: exit-code) since Mon 2024-03-11 10:24:45 CET; 59min ago
    Process: 2702747 ExecStart=/opt/bacula/bin/bacula-dir -fP -c /opt/bacula/etc/bacula-dir.conf (code=exited, status=1/FAILURE)
   Main PID: 2702747 (code=exited, status=1/FAILURE)
        CPU: 47ms

Mar 11 10:24:45 my-webserver bacula-dir[2702747]: bacula-dir: bdb.h:143-0 bdb.h:143 update UPDATE Pool SET NumVols=2,MaxVols=0,UseOnce=0,UseCatalog=1,AcceptAnyVolume=0,VolRetention='300',VolUseDuration='300',MaxVolJobs=1,MaxVolFiles=0,MaxVolBytes=0,Recycle=1>
Mar 11 10:24:45  my-webserver   bacula-dir[2702747]: ERROR:  cannot execute UPDATE in a read-only transaction
Mar 11 10:24:45  my-webserver   bacula-dir[2702747]: bacula-dir: bdb.h:143-0 bdb.h:143 update UPDATE Pool SET NumVols=0,MaxVols=0,UseOnce=0,UseCatalog=1,AcceptAnyVolume=0,VolRetention='31536000',VolUseDuration='86400',MaxVolJobs=0,MaxVolFiles=0,MaxVolBytes=0,Re>
Mar 11 10:24:45  my-webserver   bacula-dir[2702747]: ERROR:  cannot execute UPDATE in a read-only transaction
Mar 11 10:24:45  my-webserver   bacula-dir[2702747]: bacula-dir: bdb.h:143-0 bdb.h:143 update UPDATE Storage SET AutoChanger=0 WHERE StorageId=3 failed:
Mar 11 10:24:45  my-webserver   bacula-dir[2702747]: ERROR:  cannot execute UPDATE in a read-only transaction
Mar 11 10:24:45  my-webserver   bacula-dir[2702747]: 11-Mar 10:24 bacula-dir ERROR TERMINATION
Mar 11 10:24:45  my-webserver  bacula-dir[2702747]: Please correct configuration file: /opt/bacula/etc/bacula-dir.conf
Mar 11 10:24:45  my-webserver   systemd[1]: bacula-dir.service: Main process exited, code=exited, status=1/FAILURE
Mar 11 10:24:45  my-webserver   systemd[1]: bacula-dir.service: Failed with result 'exit-code'.

Which brings me to my question : it seems to me that before we could navigate on the two bacularis webserver without any problem even if the daemon was in this same state... Did i dream or that's something possible ? And if it's something possible, what could be blocking ?

With all my greetings !

Best regards,

Romain

[Marcin Haba]

Hello Romain,

Thanks for describing all the details and providing outputs.

For your problem with connection via bconsole your assumption is
correct that the Bacula Director is not running so bconsole is not
able to connect to it. To solve it we need to find an answer to a
question - why the Bacula Director is not running. And the answer we
can find in the provided systemctl status command output:

ERROR: cannot execute UPDATE in a read-only transaction

It is because when the Director starts, it tries to update the catalog
database records if needed. In this case the database seems to be
read-only and the Director is not able to do the update and it fails.

Are you using database replication? Maybe you are connected in Bacula
to the slave database note that is read-only? Anyway, the problem here
looks to be between Director and database where the Director cannot
write to the database.

Best regards,
Marcin Haba (gani)

> To view this discussion on the web, visit https://groups.google.com/d/msgid/bacularis/4b5e9c9e-2503-4315-8664-804aa341a80bn%40googlegroups.com.

[Romain Delmas]

Hi, 

Thanks again for your answer.

That's exactly what we have : a cluster with a master/slave server and database replication between the first and the second server.

That's the reason why the state "no running" is actualy normal as long as we are on normal mode (ie: not in a system of switching from one to the other).

Which means that the current state, allowing api calls without the bconsole web browser, is logical and what we must have.

So, I will leave the server as it was before Philippe's vacation ! i'm saved \o/

Thank you for your time, comments and advices,

Kind regards,

Romain

[Marcin Haba]

Hi Romain,

Now I understand why the database is in the read-only state. Yes, in
this case the API will be fully functional while working only with the
active node resources. For the slave node and API, there exists only a
few API endpoints that enable getting data without available the
bconsole connection to Director. So, without working Director the
problem with connection to bconsole is something expected.

Ideally if the Director would have an option to work with a read-only
catalog. However it is one of the main Director tasks - working with
the database and keeping it up-to-date. Unfortunately I don't know any
Bacula directive that could enable the read-only access.

Best regards,
Marcin Haba (gani)

> To view this discussion on the web, visit https://groups.google.com/d/msgid/bacularis/3be8769c-93af-45c8-bacf-e488cb5728adn%40googlegroups.com.