#1642 Issue `closed`: TSM restore should also work without TSM.PWD in recovery system¶

Labels: enhancement, needs sponsorship, external tool, no-issue-activity

jsmeix opened issue at 2017-12-12 14:14:¶

Curently TSM backup restore requires that one has a
TSM password file 'TSM.PWD' in the recovery system
via something like

COPY_AS_IS_TSM=( ... /etc/adsm/TSM.PWD ... )

COPY_AS_IS_TSM=( ... /etc/opt/tb017/security/TSM.PWD ... )

This contradicts that in general the recovery system
should not contain secrets.
Cf. what we did for SSH keys in
https://github.com/rear/rear/issues/1511 and
https://github.com/rear/rear/issues/1512

Accordingly it should be possible for the user that
TSM backup restore also works without 'TSM.PWD'
in his recovery system.
In this case the TSM password should be asked
from the user during "rear recover".

See
https://github.com/rear/rear/issues/1534
in particular
https://github.com/rear/rear/issues/1534#issuecomment-351043472

dcz01 commented at 2017-12-13 08:10:¶

@jsmeix I think it is more easier for most of the ReaR users if the TSM.PWD or the newer password files of the TSM client are in the recovery image.
So is an automatic restore possible at the point of booting the ReaR rescue image.

jsmeix commented at 2017-12-13 09:36:¶

@dcz01
this issue is not about to no longer have TSM password files
in the recovery system.
This issue is about that the user has the final power to decide
whether or not he wants to have secrets in his recovery system.

Regarding "the user must get the final power" see for example
https://github.com/rear/rear/pull/1513#issuecomment-332123766

Of course the user can only choose between
either a recovery system with secrets that makes
unattended recovery possible
or a recovery system without secrets that may
require interactive user input during recovery.

The current shortcoming in ReaR's TSM support is
that the latter does currently not work.

jsmeix commented at 2017-12-13 14:30:¶

Regarding my "either/or" above:
Tertium datur!
With RECOVERY_UPDATE_URL it should be possible
to have the recovery system ISO image without secrets, cf.
https://github.com/rear/rear/pull/1472#issuecomment-328459748
and get the needed secrets at "rear recover" runtime
because since https://github.com/rear/rear/pull/1267
RECOVERY_UPDATE_URL should also work with HTTPS
so that it should be possible (at least in my theory) to get even
secrets at "rear recover" runtime safely into the recovery system.

github-actions commented at 2020-07-01 01:33:¶

Stale issue message

[Export of Github issue for rear/rear.]