OPENAFS-SA-2018-001 butc: require authenticated connections with -localauth

[openafs.git] / doc / man-pages / pod8 / butc.pod

=head1 NAME

butc - Initializes the Tape Coordinator process

=head1 SYNOPSIS

=for html
<div class="synopsis">

B<butc> S<<< [B<-port> <I<port offset>>] >>> S<<< [B<-debuglevel> (0 | 1 | 2)] >>>
    S<<< [B<-cell> <I<cell name>>] >>> [B<-noautoquery>] [B<-rxbind>] [B<-localauth>]
    [B<-auditlog> <I<file | sysvmq>> [B<-audit-interface> <I<interface>>]]
    [B<-allow_unauthenticated>] [B<-help>]

B<butc> S<<< [B<-p> <I<port offset>>] >>> S<<< [B<-d> (0 | 1 | 2)] >>>
    S<<< [B<-c> <I<cell name>>] >>> [B<-n>] [B<-r>] [B<-l>]
    [B<-auditl> <I<file | sysvmq>> [-B<-audit-i> <I<interface>>]]
    [B<-al>] [B<-h>]

=for html
</div>

=head1 DESCRIPTION

The B<butc> command initializes a Tape Coordinator process on a Tape
Coordinator machine, enabling an operator to direct Backup System requests
to the associated tape device or backup data file. (The Tape Coordinator
controls a backup data file if the C<FILE YES> instruction appears in the
F</usr/afs/backup/CFG_I<device_name>> file that corresponds to the Tape
Coordinator's entry in the F</usr/afs/backup/tapeconfig> file. For the
sake of simplicity, the following discusses tape devices only.)

It is conventional to start and run the Tape Coordinator in the
foreground. In this case, it runs on its own connection, which is
unavailable for any other use and must remain open the entire time the
Tape Coordinator is to accept backup requests and while it is executing
them. (When using a window manager, the connection corresponds to a
separate command shell window.) The Tape Coordinator can run in the
background if the F<CFG_I<device_name>> file is configured to eliminate
any need for the Tape Coordinator to prompt the operator. In both the
foreground and background, the Tape Coordinator writes operation traces
and other output to the standard output stream on the connection over
which it was started. Use the B<-debuglevel> argument to control the
amount of information that appears. The Tape Coordinator also writes
traces and error messages to two files in the local F</usr/afs/backup>
directory:

=over 4

=item *

The F<TE_I<device_name>> file records problems that the Tape Coordinator
encounters as it executes backup operations.

=item *

The F<TL_I<device_name>> file records a trace of operations as well as the
same errors written to the F<TE_I<device_name>> file.

=back

The Tape Coordinator creates the files automatically as it initializes. If
there are existing files, the Tape Coordinator renames them with a C<.old>
extension, overwriting the existing C<.old> files if they exist. It
derives the I<device_name> part of the file names by stripping off the
device name's F</dev/> prefix and replacing any other slashes with
underscores. For example, the files are called F<TE_rmt_4m> and
F<TL_rmt_4m> for a device called F</dev/rmt/4m>.

By default, at the beginning of each operation the Tape Coordinator
prompts for the operator to insert the first tape into the drive and press
Return.  To suppress this prompt, include the B<-noautoquery> flag on the
command line or the instruction C<AUTOQUERY NO> in the
F</usr/afs/backup/CFG_I<device_name>> file. When the prompt is suppressed,
the first required tape must be in the drive before a B<backup> command is
issued. For subsequent tapes, the Tape Coordinator uses its normal tape
acquisition routine: if the F</usr/afs/backup/CFG_I<device_name>> file
includes a C<MOUNT> instruction, the Tape Coordinator invokes the
indicated command; otherwise, it prompts the operator for the next tape.

To stop the Tape Coordinator process, enter an interrupt signal such as
Ctrl-C over the dedicated connection (in the command shell window).

To cancel a backup operation that involves a tape before it begins
(assuming the initial tape prompt has not been suppressed), enter the
letter C<a> (for C<abort>) and press Return at the Tape Coordinator's
prompt for the first tape.

Tape Coordinator operation depends on the correct configuration of certain
files, as described in the following list:

=over 4

=item *

The local F</usr/afs/backup/tapeconfig> file must include an entry for the
Tape Coordinator that specifies its device name and port offset number,
among other information; for details, L<tapeconfig(5)>.

=item *

The port offset number recorded in the Tape Coordinator's entry in the
Backup Database must match the one in the F<tapeconfig> file. Create the
Backup Database entry by using the B<backup addhost> command.

=item *

The optional F</usr/afs/backup/CFG_I<device_name>> file can contain
instructions for mounting and unmounting tapes automatically (when using a
tape stacker or jukebox, for instance) or automating other aspects of the
backup process. The I<device_name> part of the name is derived as
described previously for the F<TE_I<device_name>> and F<TL_I<device_name>>
files.

=back

=head1 CAUTIONS

If the Tape Coordinator machine is an AIX machine, use the SMIT utility to
set the device's block size to 0 (zero), indicating variable block
size. Otherwise, tape devices attached to machines running other operating
systems sometimes cannot read tapes written on AIX machines.  For
instructions, see the I<OpenAFS Administration Guide> chapter about
configuring the Backup System.

=head1 OPTIONS

=over 4

=item B<-port> <I<port offset>>

Specifies the port offset number of the Tape Coordinator to initialize.

=item B<-debuglevel>

Controls the amount and type of messages the Tape Coordinator displays on
the standard output stream. Provide one of three acceptable values:

=over 4

=item *

C<0> to display the minimum level of detail required to describe Tape
Coordinator operations, including prompts for tapes, messages that
indicate the beginning and end of operations, and error messages. This is
the default value.

=item *

C<1> to display the names of the volumes being dumped or restored as well
as the information displayed at level C<0>.

=item *

C<2> to display all messages also being written to the
F<TL_I<device_name>> log file.

=back

=item B<-cell> <I<cell name>>

Names the cell in which the Tape Coordinator operates (the cell to which
the file server machines that house affected volumes belong). If this
argument is omitted, the Tape Coordinator runs in the local cell as
defined in the local F</usr/vice/etc/ThisCell> file. Do not combine this
flag with the B<-localauth> argument.

=item B<-noautoquery>

Suppresses the Tape Coordinator's prompt for insertion of the first tape
needed for an operation. The operator must insert the tape into the drive
before issuing the B<backup> command that initializes the operation.

=item B<-rxbind>

Bind the Rx socket to the primary interface only. If not specified, the Rx
socket will listen on all interfaces.

=item B<-localauth>

Constructs a server ticket using the server encryption key with the
highest key version number in the local F</usr/afs/etc/KeyFile> or
F</usr/afs/etc/KeyFileExt>. The
B<butc> command interpreter presents the ticket, which never expires, to
the Volume Server and Volume Location Server to use in mutual
authentication.

Do not combine this argument with the B<-cell> flag, and use it only when
logged on to a server machine as the local superuser C<root>; client
machines do not have F</usr/afs/etc/KeyFile> or F</usr/afs/etc/KeyFileExt>
files.

=item B<-auditlog> <I<log path>>

Turns on audit logging, and sets the path for the audit log.  The audit
log records information about RPC calls, including the name of the RPC
call, the host that submitted the call, the authenticated entity (user)
that issued the call, the parameters for the call, and if the call
succeeded or failed.

=item B<-audit-interface> <(file | sysvmq)>

Specifies what audit interface to use. Defaults to C<file>. See
L<fileserver(8)> for an explanation of each interface.

=item B<-allow_unauthenticated>

By default the B<butc> requires clients performing TC_ RPCs to authenticate
themselves, behavior introduced in the fix for OPENAFS-SA-2018-001.
This option reverts to the historical behavior of only using the rxnull
security class for incoming connections.  Use of this option is strongly
disrecommended; it is provided only for backwards compatibility with older
clients in environments where B<backup> and B<butc> communicate over a secure
network that denies access to untrusted parties.

=item B<-help>

Prints the online help for this command. All other valid options are
ignored.

=back

=head1 EXAMPLES

The following command starts the Tape Coordinator with port offset C<7> at
debug level C<1>, meaning the Tape Coordinator reports the names of
volumes it is dumping or restoring.

   % butc -port 7 -debuglevel 1

=head1 PRIVILEGE REQUIRED

The issuer must be listed in the F</usr/afs/etc/UserList> file on every
machine where the Backup Server or Volume Location (VL) Server is running,
and on every file server machine that houses a volume to be backed up. If
the B<-localauth> flag is included, the issuer must instead be logged on
to the Tape Coordinator machine as the local superuser C<root>. In
addition, the issuer must be able to read and write to the log and
configuration files in the local F</usr/afs/backup> directory.

=head1 SEE ALSO

L<KeyFile(5)>,
L<KeyFileExt(5)>,
L<ThisCell(5)>,
L<UserList(5)>,
L<butc(5)>,
L<butc_logs(5)>,
L<tapeconfig(5)>,
L<backup_addhost(8)>

=head1 COPYRIGHT

IBM Corporation 2000. <http://www.ibm.com/> All Rights Reserved.

This documentation is covered by the IBM Public License Version 1.0.  It was
converted from HTML to POD by software written by Chas Williams and Russ
Allbery, based on work by Alf Wachsmann and Elizabeth Cassell.