We have released updated DEB packages for all Bacularis repositories. This is a small but important update that prepares Bacularis for upcoming security changes in PHP-FPM packages for Debian and Ubuntu.
Today we rebuilt and published DEB packages for both free and subscription repositories. This update is required due to changes introduced in the Debian php-fpm package, which Bacularis depends on, and which may prevent the Bacularis interface from working correctly in certain configurations.
More specifically, Debian package maintainers have introduced additional hardening options in the php-fpm systemd unit. The option affecting Bacularis is:
ProtectSystem=full
At the time of writing, this change is not yet available in stable Debian package branches, but it is expected to arrive soon:
As a result, Bacularis needed to be adjusted to work with this change. In the updated Bacularis packages, PHP-FPM integration has been adapted to comply with the new security restrictions (ProtectSystem=full) introduced by the Debian PHP package.
We have therefore prepared new packages that resolve this issue and we strongly recommend updating your packages.
We would also like to thank community member @MajorFault, who notified us about this upcoming change, allowing us to react quickly before the updated php-fpm packages reach Debian repositories. More details are available in Bacularis-Web GitHub Issue #13.
Below is a short Q&A regarding this update.
A: The ProtectSystem=full option causes /usr, /boot, /efi, and /etc to be mounted as read-only for selected processes. In this case, when ProtectSystem=full is enabled, the PHP-FPM process used by Bacularis is unable to write data and configuration files to the /etc/bacularis directory because it becomes read-only for the PHP-FPM process. Bacularis will also be unable to modify Bacula configuration files in /etc/bacula.
A: This issue affects Bacularis instances installed using any installation method on DEB-based systems if they store data in locations protected by ProtectSystem=full.
A: For free repositories, the updated packages use version:
6.0.0~codename-1
For subscription repositories:
6.1.0~codename-1
For example, on Debian 13 Trixie:
6.0.0~trixie-1
6.1.0~trixie-1
The updated packages use release suffix -1.
A: This may happen because the updated php-fpm package has not yet reached your system repositories.
A: The issue will appear after updating php-fpm if Bacularis packages remain on an older version without the fix.
A: The interface displays only a blank page with the following error message:
Bacularis API - Missing dependencies
Please make readable and writeable by the web server user the following directory:
/usr/share/bacularis/protected/vendor/bacularis/bacularis-api/API/Config
To run Bacularis API please correct above requirements and refresh this page in web browser.
A: No. This issue affects DEB-based systems only.
A: All DEB packages in both free and subscription repositories have been updated:
A: The installation method itself is less important than the operating system and the location where Bacularis configuration files are stored. If your system is DEB-based and Bacularis files are located under /usr or /etc, this issue may affect your installation.
If Bacularis is installed in another location such as /var (for example /var/www), you are not affected.
A: If you use Bacularis packages from Bacularis.com, update Bacularis to the latest version.
If you use another installation method (Composer or manual installation) and encounter this issue, apply the fix manually using the instructions provided in the Troubleshooting section of the Bacularis documentation.
A: No. Debian-based Bacularis containers do not use systemd, so they are not affected.
A: No. In this case you will need to apply the fix manually. Please refer to the Troubleshooting section in the Bacularis documentation.
A: When ProtectSystem=full is enabled, installing Bacula from the web interface is not possible. This affects both local installation through the Initial Wizard during the first Bacularis startup and remote installation using the deployment feature. We have prepared a solution for this issue in the Troubleshooting section.