From owner-freebsd-geom@FreeBSD.ORG Mon Aug 20 11:07:45 2012
From: FreeBSD bugmaster
To: freebsd-geom@FreeBSD.org
Date: Mon, 20 Aug 2012 11:07:43 GMT
Subject: Current problem reports assigned to freebsd-geom@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o kern/170379  geom  [geom] geom_multipath: rotate only considers last 2 va
o kern/170038  geom  [geom] geom_mirror always starts degraded after reboot
o kern/169539  geom  [geom] [patch] fix ability to run gmirror on MSI MegaR
a bin/169077   geom  bsdinstall(8) does not use partition labels in /etc/fs
f kern/165745  geom  [geom] geom_multipath page fault on removed drive
o kern/165428  geom  [glabel][patch] Add xfs support to glabel
o kern/164254  geom  [geom] gjournal not stopping on GPT partitions
o kern/164252  geom  [geom] gjournal overflow
o kern/164143  geom  [geom] Partition table not recognized after upgrade R8
a kern/163020  geom  [geli] [patch] enable the Camellia-XTS on GEOM ELI
o kern/162690  geom  [geom] gpart label changes only take effect after a re
o kern/162010  geom  [geli] panic: Provider's error should be set (error=0)
o kern/161979  geom  [geom] glabel doesn't update after newfs, and glabel s
o kern/161752  geom  [geom] glabel(8) doesn't get gpt label change
o bin/161677   geom  gpart(8) Probably bug in gptboot
o kern/160562  geom  [geom][patch] Allow to insert new component to geom_ra
o kern/160409  geom  [geli] failed to attach provider
f kern/159595  geom  [geom] [panic] panic on gmirror unload in vbox [regres
p kern/158398  geom  [headers] [patch] includes
o kern/158197  geom  [geom] geom_cache with size>1000 leads to panics
o kern/157879  geom  [libgeom] [regression] ABI change without version bump
o kern/157863  geom  [geli] kbdmux prevents geli passwords from being enter
o kern/157739  geom  [geom] GPT labels with geom_multipath
o kern/157724  geom  [geom] gpart(8) 'add' command must preserve gap for sc
o kern/157723  geom  [geom] GEOM should not process 'c' (raw) partitions fo
o kern/157108  geom  [gjournal] dumpon(8) fails on gjournal providers
o kern/155994  geom  [geom] Long "Suspend time" when reading large files fr
o kern/154226  geom  [geom] GEOM label does not change when you modify them
o kern/150858  geom  [geom] [geom_label] [patch] glabel(8) is not compatibl
o kern/150626  geom  [geom] [gjournal] gjournal(8) destroys label
o kern/150555  geom  [geom] gjournal unusable on GPT partitions
o kern/150334  geom  [geom] [udf] [patch] geom label does not support UDF
o kern/149762  geom  volume labels with rogue characters
o bin/149215   geom  [panic] [geom_part] gpart(8): Delete linux's slice via
o kern/147667  geom  [gmirror] Booting with one component of a gmirror, the
o kern/145818  geom  [geom] geom_stat_open showing cached information for n
o kern/145042  geom  [geom] System stops booting after printing message "GE
o kern/143455  geom  gstripe(8) in RELENG_8 (31st Jan 2010) broken
o kern/142563  geom  [geom] [hang] ioctl freeze in zpool
o kern/141740  geom  [geom] gjournal(8): g_journal_destroy concurrent error
o kern/140352  geom  [geom] gjournal + glabel not working
o kern/135898  geom  [geom] Severe filesystem corruption - large files or l
o kern/134113  geom  [geli] Problem setting secondary GELI key
o kern/133931  geom  [geli] [request] intentionally wrong password to destr
o bin/132845   geom  [geom] [patch] ggated(8) does not close files opened a
o bin/131415   geom  [geli] keystrokes are unregulary sent to Geli when typ
o kern/131353  geom  [geom] gjournal(8) kernel lock
o kern/129674  geom  [geom] gjournal root did not mount on boot
o kern/129645  geom  gjournal(8): GEOM_JOURNAL causes system to fail to boo
o kern/129245  geom  [geom] gcache is more suitable for suffix based provid
o kern/127420  geom  [geom] [gjournal] [panic] Journal overflow on gmirrore
o kern/124973  geom  [gjournal] [patch] boot order affects geom_journal con
o kern/124969  geom  gvinum(8): gvinum raid5 plex does not detect missing s
o kern/123962  geom  [panic] [gjournal] gjournal (455Gb data, 8Gb journal),
o kern/123122  geom  [geom] GEOM / gjournal kernel lock
o kern/122738  geom  [geom] gmirror list "losts consumers" after gmirror de
o kern/122067  geom  [geom] [panic] Geom crashed during boot
o kern/121364  geom  [gmirror]
                     Removing all providers create a "zombie" mir
o kern/120091  geom  [geom] [geli] [gjournal] geli does not prompt for pass
o kern/115856  geom  [geli] ZFS thought it was degraded when it should have
o kern/115547  geom  [geom] [patch] [request] let GEOM Eli get password fro
f kern/113957  geom  [gmirror] gmirror is intermittently reporting a degrad
o kern/113837  geom  [geom] unable to access 1024 sector size storage
o kern/113419  geom  [geom] geom fox multipathing not failing back
o kern/107707  geom  [geom] [patch] [request] add new class geom_xbox360 to
o kern/94632   geom  [geom] Kernel output resets input while GELI asks for
o kern/90582   geom  [geom] [panic] Restore cause panic string (ffs_blkfree
o bin/90093    geom  fdisk(8) incapable of altering in-core geometry
o kern/87544   geom  [gbde] mmaping large files on a gbde filesystem deadlo
o bin/86388    geom  [geom] [geom_part] periodic(8) daily should backup gpa
o kern/84556   geom  [geom] [panic] GBDE-encrypted swap causes panic at shu
o kern/79251   geom  [2TB] newfs fails on 2.6TB gbde device
o kern/79035   geom  [vinum] gvinum unable to create a striped set of mirro
o bin/78131    geom  gbde(8) "destroy" not working.

74 problems total.

From owner-freebsd-geom@FreeBSD.ORG Tue Aug 21 16:11:26 2012
From: Zeus Panchenko
Organization: I.B.S. LLC
Cc: freebsd-fs@FreeBSD.ORG
Date: Tue, 21 Aug 2012 19:07:42 +0300
Subject: `zpool create' fails on geli ...

hi all,

SYNOPSIS: `zpool create poolname device.eli' available on .eli device only
after dd some random data to .eli first

I am trying to get ZFS on GELI disk ...

Here is the issue:

#> uname -a
FreeBSD 9.0-RELEASE #0 amd64

for /dev/ada2 I do:

#> geli init -K /path/key -s 4096 -a hmac/sha256 -e aes-xts /dev/ada2
Enter new passphrase:
Reenter new passphrase:

Metadata backup can be found in /var/backups/ada2.eli and
can be restored with the following command:

	# geli restore /var/backups/ada2.eli /dev/ada2

#> geli attach -k /path/key /dev/ada2

now I have .eli device

#> ls -al /dev/*eli
lrwxr-xr-x  1 root  wheel        8 Aug 16 15:43 /dev/ad14.eli -> ada2.eli
crw-r-----  1 root  operator  0, 99 Aug 16 15:43 /dev/ada2.eli

now I am trying to create zfs on it:

> zpool create geliz /dev/ada2.eli
cannot create 'geliz': one or more devices is currently unavailable

`zpool create -f ...' gave the same result and in messages I have plenty
of rows like these:

cat /var/log/messages
...
GEOM_ELI: ada2.eli: 131072 bytes corrupted at offset 444539600896.
GEOM_ELI: ada2.eli: 131072 bytes corrupted at offset 444539863040.
GEOM_ELI: ada2.eli: 8192 bytes corrupted at offset 270336.
GEOM_ELI: ada2.eli: 8192 bytes corrupted at offset 444539609088.
GEOM_ELI: ada2.eli: 8192 bytes corrupted at offset 444539871232.
GEOM_ELI: ada2.eli: 4096 bytes corrupted at offset 444540313600.
GEOM_ELI: ada2.eli: 8192 bytes corrupted at offset 65536.
GEOM_ELI: ada2.eli: 8192 bytes corrupted at offset 8192.
GEOM_ELI: ada2.eli: 8192 bytes corrupted at offset 0.
GEOM_ELI: ada2.eli: 8192 bytes corrupted at offset 262144.
...

but after

#> dd if=/dev/random of=/dev/ada2.eli bs=10m count=10
10+0 records in
10+0 records out
104857600 bytes transferred in 7.124000 secs (14718922 bytes/sec)

I was able to do it!

#> zpool create geliz /dev/ada2.eli

pool was successfully created

but pool status looks weird to me:

#> zpool status geliz
  pool: geliz
 state: ONLINE
status: One or more devices has experienced an unrecoverable error.  An
	attempt was made to correct the error.  Applications are unaffected.
action: Determine if the device needs to be replaced, and clear the errors
	using 'zpool clear' or replace the device with 'zpool replace'.
   see: http://www.sun.com/msg/ZFS-8000-9P
  scan: none requested
config:

	NAME        STATE     READ WRITE CKSUM
	geliz       ONLINE       0     0     0
	  ada2.eli  ONLINE      10     0     0

errors: No known data errors

after `scrub' and `zpool clear' I have a clean pool:

#> zpool status geliz
  pool: geliz
 state: ONLINE
  scan: scrub repaired 0 in 0h0m with 0 errors on Thu Aug 16 16:36:44 2012
config:

	NAME        STATE     READ WRITE CKSUM
	geliz       ONLINE       0     0     0
	  ada2.eli  ONLINE       0     0     0

errors: No known data errors

QUESTION:

1. Am I correct to think I really have a correct ZFS over GELI set?

2. Why was it needed to dd? What am I missing here, please?

may somebody explain that to me, please ...?

--
Zeus V. Panchenko                              jid:zeus@im.ibs.dn.ua
IT Dpt., I.B.S.
LLC GMT+2 (EET)

From owner-freebsd-geom@FreeBSD.ORG Tue Aug 21 17:28:24 2012
From: Alaksiej Carniajeu
To: Zeus Panchenko
Cc: freebsd-fs@freebsd.org, freebsd-geom@freebsd.org
Date: Tue, 21 Aug 2012 20:28:22 +0300
Subject: Re: `zpool create' fails on geli ...

Geli doesn't initialize checksums when a geli device is created. They will
be calculated only on write. That's why these "XXX bytes corrupted"
messages appeared. I believe it's better to fill your whole geli device
with any data before use with ZFS, if integrity verification (-a) was
enabled for it.

On Tue, Aug 21, 2012 at 7:07 PM, Zeus Panchenko wrote:
> hi all,
>
> SYNOPSIS: `zpool create poolname device.eli' available on .eli device only
> after dd some random data to .eli first
>
> I am trying to get ZFS on GELI disk ...
>
> Here is the issue:
>
> #> uname -a
> FreeBSD 9.0-RELEASE #0 amd64
>
> for /dev/ada2 I do:
>
> #> geli init -K /path/key -s 4096 -a hmac/sha256 -e aes-xts /dev/ada2
> Enter new passphrase:
> Reenter new passphrase:
>
> Metadata backup can be found in /var/backups/ada2.eli and
> can be restored with the following command:
>
>         # geli restore /var/backups/ada2.eli /dev/ada2
>
> #> geli attach -k /path/key /dev/ada2
>
> now I have .eli device
>
> #> ls -al /dev/*eli
> lrwxr-xr-x  1 root  wheel        8 Aug 16 15:43 /dev/ad14.eli -> ada2.eli
> crw-r-----  1 root  operator  0, 99 Aug 16 15:43 /dev/ada2.eli
>
> now I am trying to create zfs on it:
>
>> zpool create geliz /dev/ada2.eli
> cannot create 'geliz': one or more devices is currently unavailable
>
> `zpool create -f ...' gave the same result and in messages I have plenty
> of rows like these:
>
> cat /var/log/messages
> ...
> GEOM_ELI: ada2.eli: 131072 bytes corrupted at offset 444539600896.
> GEOM_ELI: ada2.eli: 131072 bytes corrupted at offset 444539863040.
> GEOM_ELI: ada2.eli: 8192 bytes corrupted at offset 270336.
> GEOM_ELI: ada2.eli: 8192 bytes corrupted at offset 444539609088.
> GEOM_ELI: ada2.eli: 8192 bytes corrupted at offset 444539871232.
> GEOM_ELI: ada2.eli: 4096 bytes corrupted at offset 444540313600.
> GEOM_ELI: ada2.eli: 8192 bytes corrupted at offset 65536.
> GEOM_ELI: ada2.eli: 8192 bytes corrupted at offset 8192.
> GEOM_ELI: ada2.eli: 8192 bytes corrupted at offset 0.
> GEOM_ELI: ada2.eli: 8192 bytes corrupted at offset 262144.
> ...
>
> but after
>
> #> dd if=/dev/random of=/dev/ada2.eli bs=10m count=10
> 10+0 records in
> 10+0 records out
> 104857600 bytes transferred in 7.124000 secs (14718922 bytes/sec)
>
> I was able to do it!
>
> #> zpool create geliz /dev/ada2.eli
>
> pool was successfully created
>
> but pool status looks weird to me:
>
> #> zpool status geliz
>   pool: geliz
>  state: ONLINE
> status: One or more devices has experienced an unrecoverable error.  An
>         attempt was made to correct the error.  Applications are unaffected.
> action: Determine if the device needs to be replaced, and clear the errors
>         using 'zpool clear' or replace the device with 'zpool replace'.
>    see: http://www.sun.com/msg/ZFS-8000-9P
>   scan: none requested
> config:
>
>         NAME        STATE     READ WRITE CKSUM
>         geliz       ONLINE       0     0     0
>           ada2.eli  ONLINE      10     0     0
>
> errors: No known data errors
>
> after `scrub' and `zpool clear' I have a clean pool:
>
> #> zpool status geliz
>   pool: geliz
>  state: ONLINE
>   scan: scrub repaired 0 in 0h0m with 0 errors on Thu Aug 16 16:36:44 2012
> config:
>
>         NAME        STATE     READ WRITE CKSUM
>         geliz       ONLINE       0     0     0
>           ada2.eli  ONLINE       0     0     0
>
> errors: No known data errors
>
> QUESTION:
>
> 1. Am I correct to think I really have a correct ZFS over GELI set?
>
> 2. Why was it needed to dd? What am I missing here, please?
>
> may somebody explain that to me, please ...?
>
> --
> Zeus V. Panchenko                              jid:zeus@im.ibs.dn.ua
> IT Dpt., I.B.S.
> LLC GMT+2 (EET)

From owner-freebsd-geom@FreeBSD.ORG Tue Aug 21 17:30:06 2012
From: Fabian Keil
To: Zeus Panchenko
Cc: freebsd-fs@FreeBSD.ORG, freebsd-geom@FreeBSD.ORG
Date: Tue, 21 Aug 2012 19:22:55 +0200
Subject: Re: `zpool create' fails on geli ...

Zeus Panchenko wrote:

> I am trying to get ZFS on GELI disk ...

Good idea, I never use ZFS without it.

> Here is the issue:
>
> #> uname -a
> FreeBSD 9.0-RELEASE #0 amd64
>
> for /dev/ada2 I do:
>
> #> geli init -K /path/key -s 4096 -a hmac/sha256 -e aes-xts /dev/ada2
> Enter new passphrase:
> Reenter new passphrase:

ZFS already provides checksums, so why do you want to use checksums
for geli as well? In my opinion "-a hmac/sha256" doesn't add any
protection in your case, while reducing the space that is available
for ZFS and wasting cpu cycles.

I'm not aware of any problem that can be detected by geli's integrity
checks but wouldn't be detected by ZFS anyway. ZFS checksums actually
offer better protection, as geli only checksums single sectors.

> Metadata backup can be found in /var/backups/ada2.eli and
> can be restored with the following command:
>
>         # geli restore /var/backups/ada2.eli /dev/ada2
>
> #> geli attach -k /path/key /dev/ada2
>
> now I have .eli device
>
> #> ls -al /dev/*eli
> lrwxr-xr-x  1 root  wheel        8 Aug 16 15:43 /dev/ad14.eli -> ada2.eli
> crw-r-----  1 root  operator  0, 99 Aug 16 15:43 /dev/ada2.eli
>
> now I am trying to create zfs on it:
>
> > zpool create geliz /dev/ada2.eli
> cannot create 'geliz': one or more devices is currently unavailable
>
> `zpool create -f ...' gave the same result and in messages I have plenty
> of rows like these:
>
> cat /var/log/messages
> ...
> GEOM_ELI: ada2.eli: 131072 bytes corrupted at offset 444539600896.
> GEOM_ELI: ada2.eli: 131072 bytes corrupted at offset 444539863040.
> GEOM_ELI: ada2.eli: 8192 bytes corrupted at offset 270336.
> GEOM_ELI: ada2.eli: 8192 bytes corrupted at offset 444539609088.
> GEOM_ELI: ada2.eli: 8192 bytes corrupted at offset 444539871232.
> GEOM_ELI: ada2.eli: 4096 bytes corrupted at offset 444540313600.
> GEOM_ELI: ada2.eli: 8192 bytes corrupted at offset 65536.
> GEOM_ELI: ada2.eli: 8192 bytes corrupted at offset 8192.
> GEOM_ELI: ada2.eli: 8192 bytes corrupted at offset 0.
> GEOM_ELI: ada2.eli: 8192 bytes corrupted at offset 262144.
> ...

Quoting geli(8):

| DATA AUTHENTICATION
| [..]
| It is recommended to write to the whole provider before first use, in
| order to make sure that all sectors and their corresponding checksums are
| properly initialized into a consistent state. One can safely ignore data
| authentication errors that occur immediately after the first time a
| provider is attached and before it is initialized in this way.

> but after
>
> #> dd if=/dev/random of=/dev/ada2.eli bs=10m count=10
> 10+0 records in
> 10+0 records out
> 104857600 bytes transferred in 7.124000 secs (14718922 bytes/sec)
>
> I was able to do it!

Because this forced geli to create the checksums for the first 100m.
Using /dev/zero as source should have worked the same.

> #> zpool create geliz /dev/ada2.eli
>
> pool was successfully created
>
> but pool status looks weird to me:
>
> #> zpool status geliz
>   pool: geliz
>  state: ONLINE
> status: One or more devices has experienced an unrecoverable error.  An
>         attempt was made to correct the error.  Applications are unaffected.
> action: Determine if the device needs to be replaced, and clear the errors
>         using 'zpool clear' or replace the device with 'zpool replace'.
>    see: http://www.sun.com/msg/ZFS-8000-9P
>   scan: none requested
> config:
>
>         NAME        STATE     READ WRITE CKSUM
>         geliz       ONLINE       0     0     0
>           ada2.eli  ONLINE      10     0     0
>
> errors: No known data errors
>
> after `scrub' and `zpool clear' I have a clean pool:
>
> #> zpool status geliz
>   pool: geliz
>  state: ONLINE
>   scan: scrub repaired 0 in 0h0m with 0 errors on Thu Aug 16 16:36:44 2012
> config:
>
>         NAME        STATE     READ WRITE CKSUM
>         geliz       ONLINE       0     0     0
>           ada2.eli  ONLINE       0     0     0
>
> errors: No known data errors

I assume this is the result of not forcing geli to generate the
checksums for the whole provider as described in the man page.

Fabian
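[Editorial addition to the archive: the mechanism Alaksiej and Fabian describe above, as a simulation that is not code from this thread or from FreeBSD. It models a provider whose sectors only gain an authentication tag once written, the label reads `zpool create` performs at the front and tail of a device, and the effect of a partial versus a full `dd` fill. The 64 MiB device size, the HMAC construction and the demo key are constructed assumptions; geli's real on-disk layout differs.]

```python
"""Model of a GELI provider created with data authentication
(geli init -a hmac/sha256 -s 4096) and of what `zpool create` sees on it.

Constructed example, not code from the thread or from FreeBSD: the
per-sector HMAC, the demo key and the 64 MiB device size are assumptions
made for illustration; geli's real on-disk layout differs."""
import hashlib
import hmac

SECTOR = 4096            # "-s 4096" from the thread
LABEL = 256 * 1024       # size of one ZFS vdev label
MIB = 1024 * 1024


class AuthenticatedProvider:
    """Every sector carries an HMAC over its contents. A tag exists only
    once the sector has been written after `geli init`; until then a read
    fails authentication, which is what the never-written sectors behind
    the thread's /var/log/messages lines report."""

    def __init__(self, name, size, key=b"constructed-demo-key"):
        self.name, self.size, self.key = name, size, key
        self.sectors = {}    # sector index -> (payload, tag); absent = never written
        self.messages = []   # what the kernel would log

    def _tag(self, index, payload):
        return hmac.new(self.key, index.to_bytes(8, "little") + payload,
                        hashlib.sha256).digest()

    def write(self, offset, payload):
        if offset % SECTOR or len(payload) % SECTOR or offset + len(payload) > self.size:
            raise ValueError("write must be sector aligned and inside the provider")
        for i in range(len(payload) // SECTOR):
            index = offset // SECTOR + i
            chunk = payload[i * SECTOR:(i + 1) * SECTOR]
            self.sectors[index] = (chunk, self._tag(index, chunk))

    def read(self, offset, length):
        """Return the data, or None (EIO) if any sector fails authentication."""
        out = bytearray()
        for index in range(offset // SECTOR, (offset + length) // SECTOR):
            entry = self.sectors.get(index)
            if entry is None or not hmac.compare_digest(entry[1], self._tag(index, entry[0])):
                self.messages.append(
                    f"GEOM_ELI: {self.name}: {length} bytes corrupted at offset {offset}.")
                return None
            out += entry[0]
        return bytes(out)

    def tamper(self, offset):
        """Flip one byte of a written sector without updating its tag:
        real corruption, as opposed to an uninitialised sector."""
        index = offset // SECTOR
        payload, tag = self.sectors[index]
        self.sectors[index] = (bytes([payload[0] ^ 0xFF]) + payload[1:], tag)


def fill(provider, length=None, pattern=b"\x00", bs=10 * MIB):
    """dd if=/dev/zero of=/dev/X.eli bs=10m [count=N]: writing a sector is
    what creates its tag, so the source data does not matter; zeros do the
    job as well as /dev/random."""
    end = provider.size if length is None else min(length, provider.size)
    offset = 0
    while offset < end:
        n = min(bs, end - offset)
        provider.write(offset, pattern * (n // len(pattern)))
        offset += n


def zpool_create_probe(provider):
    """The label reads `zpool create` issues before writing anything: ZFS
    keeps two vdev labels at the front of a device and two at its tail,
    which is where the offsets in the thread's log lines cluster. This
    reproduces the behaviour the thread reports rather than libzfs logic:
    the device is "unavailable" while its front labels cannot be read;
    unreadable tail labels only show up as READ errors in `zpool status`.
    Returns (created, read_errors)."""
    front = [provider.read(off, LABEL) for off in (0, LABEL)]
    tail = [provider.read(off, LABEL)
            for off in (provider.size - 2 * LABEL, provider.size - LABEL)]
    return all(x is not None for x in front), sum(x is None for x in tail)


def demo():
    p = AuthenticatedProvider("ada2.eli", 64 * MIB)
    fresh = zpool_create_probe(p)      # (False, 2): nothing written yet
    fill(p, length=10 * MIB)           # dd ... bs=10m count=1
    partial = zpool_create_probe(p)    # (True, 2): created, with READ errors
    fill(p)                            # dd over the whole provider
    full = zpool_create_probe(p)       # (True, 0): clean
    p.tamper(5 * SECTOR)               # from now on a failure is real corruption
    tampered = p.read(5 * SECTOR, SECTOR) is None
    return fresh, partial, full, tampered, p.messages


if __name__ == "__main__":
    for line in demo()[-1]:
        print(line)
```

Once the whole provider has been written, any further "bytes corrupted" message is a genuine authentication failure and should be investigated rather than cleared.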

From owner-freebsd-geom@FreeBSD.ORG Tue Aug 21 17:45:15 2012
From: Xin Li
Organization: The FreeBSD Project
To: Zeus Panchenko
Date: Tue, 21 Aug 2012 10:45:13 -0700
Cc: freebsd-fs@FreeBSD.ORG, freebsd-geom@FreeBSD.ORG
Subject: Re: `zpool create' fails on geli ...

Hi,

On 08/21/12 09:07, Zeus Panchenko wrote:
> hi all,
>
> SYNOPSIS: `zpool create poolname device.eli' available on .eli
> device only after dd some random data to .eli first
>
> I am trying to get ZFS on GELI disk ...
>
> Here is the issue:
>
> #> geli init -K /path/key -s 4096 -a hmac/sha256 -e aes-xts /dev/ada2
> Enter new passphrase:
> Reenter new passphrase:
[...]
> #> geli attach -k /path/key /dev/ada2

Normally you will want to fill the device with random data before
using. Note that you have specified -a, which makes geli do checksum
authentication; that's not needed because ZFS has built-in end-to-end
checksums already.

> now I have .eli device
>
> #> ls -al /dev/*eli
> lrwxr-xr-x  1 root  wheel        8 Aug 16 15:43 /dev/ad14.eli -> ada2.eli
> crw-r-----  1 root  operator  0, 99 Aug 16 15:43 /dev/ada2.eli
>
> now I am trying to create zfs on it:
>
>> zpool create geliz /dev/ada2.eli
> cannot create 'geliz': one or more devices is currently
> unavailable
>
> `zpool create -f ...' gave the same result and in messages I have
> plenty of rows like these:

This is expected behavior.

> cat /var/log/messages
> ...
> GEOM_ELI: ada2.eli: 131072 bytes corrupted at offset 444539600896.
> GEOM_ELI: ada2.eli: 131072 bytes corrupted at offset 444539863040.
[...]
> ...
>
> but after
> #> dd if=/dev/random of=/dev/ada2.eli bs=10m count=10
> 10+0 records in
> 10+0 records out
> 104857600 bytes transferred in 7.124000 secs (14718922 bytes/sec)
>
> I was able to do it!
>
> #> zpool create geliz /dev/ada2.eli
>
> pool was successfully created
>
> but pool status looks weird to me:
>
> #> zpool status geliz
>   pool: geliz
>  state: ONLINE
> status: One or more devices has experienced an unrecoverable error.  An
>         attempt was made to correct the error.  Applications are unaffected.
> action: Determine if the device needs to be replaced, and clear the errors
>         using 'zpool clear' or replace the device with 'zpool replace'.
>    see: http://www.sun.com/msg/ZFS-8000-9P
>   scan: none requested
> config:
>
>         NAME        STATE     READ WRITE CKSUM
>         geliz       ONLINE       0     0     0
>           ada2.eli  ONLINE      10     0     0
>
> errors: No known data errors
>
> after `scrub' and `zpool clear' I have a clean pool:

Did you see any GELI checksum errors when having this?

> #> zpool status geliz
>   pool: geliz
>  state: ONLINE
>   scan: scrub repaired 0 in 0h0m with 0 errors on Thu Aug 16 16:36:44 2012
> config:
>
>         NAME        STATE     READ WRITE CKSUM
>         geliz       ONLINE       0     0     0
>           ada2.eli  ONLINE       0     0     0
>
> errors: No known data errors
>
> QUESTION:
>
> 1. Am I correct to think I really have a correct ZFS over GELI set?
>
> 2. Why was it needed to dd? What am I missing here, please?

My suggestions:

1. Don't use -a; it's a waste of CPU cycles (and disk space) to do
checksums twice. This won't give more redundancy or more chances to
recover data in case of a hardware failure.

2. Do use dd to initialize the GELI device before use. There are
several benefits of doing this; the most important two are that it
wipes existing, possibly sensitive data, and makes it harder for
attackers to tell where the important data is.

Cheers,
--
Xin LI    https://www.delphij.net/    FreeBSD - The Power to Serve!
Live free or die

From owner-freebsd-geom@FreeBSD.ORG Wed Aug 22 10:24:42 2012
From: Zeus Panchenko
Organization: I.B.S. LLC
Cc: freebsd-fs@freebsd.org
Date: Wed, 22 Aug 2012 13:24:40 +0300
In-reply-to: Your message of Tue, 21 Aug 2012 20:28:22 +0300
Subject: Re: `zpool create' fails on geli ...
X-BeenThere: freebsd-geom@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: Zeus Panchenko List-Id: GEOM-specific discussions and implementations List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 22 Aug 2012 10:24:42 -0000 thanks much to all for help now everything is clear to me and works fine! resume: if geli was initialized with `-a' than we need to fill whole of it to initialize checksums what will make it possible to `zpool create ...' something like this: geli init -K /path/key -s 4096 -a hmac/sha256 -e aes-xts /dev/adaX geli attach -k /path/key /dev/adaX dd if=/dev/zero of=/dev/adaX.eli bs=10m zpool create geliz /dev/adaX.eli but it's better to geli init -K /path/key -s 4096 -e aes-xts /dev/adaX geli attach -k /path/key /dev/adaX zpool create geliz /dev/adaX.eli since `geli -a ...' in this case, is a waste of CPU cycles and disk space. -- Zeus V. Panchenko jid:zeus@im.ibs.dn.ua IT Dpt., I.B.S. LLC GMT+2 (EET) From owner-freebsd-geom@FreeBSD.ORG Wed Aug 22 10:37:25 2012 Return-Path: Delivered-To: freebsd-geom@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 331BE106564A; Wed, 22 Aug 2012 10:37:25 +0000 (UTC) (envelope-from freebsd-listen@fabiankeil.de) Received: from smtprelay05.ispgateway.de (smtprelay05.ispgateway.de [80.67.31.93]) by mx1.freebsd.org (Postfix) with ESMTP id DF4058FC0C; Wed, 22 Aug 2012 10:37:24 +0000 (UTC) Received: from [78.35.161.203] (helo=fabiankeil.de) by smtprelay05.ispgateway.de with esmtpsa (TLSv1:AES128-SHA:128) (Exim 4.68) (envelope-from ) id 1T48IP-0005BN-Jj; Wed, 22 Aug 2012 12:36:21 +0200 Date: Wed, 22 Aug 2012 12:35:35 +0200 From: Fabian Keil To: Zeus Panchenko Message-ID: <20120822123535.0385f118@fabiankeil.de> In-Reply-To: <20120822132440.24864@relay.ibs.dn.ua> References: <20120821190742.54449@relay.ibs.dn.ua> <20120822132440.24864@relay.ibs.dn.ua> Mime-Version: 1.0 Content-Type: 
Cc: freebsd-fs@freebsd.org, freebsd-geom@freebsd.org
Subject: Re: `zpool create' fails on geli ...

Zeus Panchenko wrote:

> resume:
> 
> if geli was initialized with `-a' then we need to fill the whole of it to
> initialize the checksums, which will make it possible to `zpool create ...'
> 
> something like this:
> 
> geli init -K /path/key -s 4096 -a hmac/sha256 -e aes-xts /dev/adaX
> geli attach -k /path/key /dev/adaX
> dd if=/dev/zero of=/dev/adaX.eli bs=10m
> zpool create geliz /dev/adaX.eli
> 
> but it's better to
> 
> geli init -K /path/key -s 4096 -e aes-xts /dev/adaX

Does your disk actually use 4k sectors? Otherwise it's not clear
to me that "-s 4096" makes sense when using ZFS.

I'm not claiming that it's obviously wrong, but I'm not aware of
any benchmarks that show that it's better than the default in
any way.
Fabian

From owner-freebsd-geom@FreeBSD.ORG Wed Aug 22 13:29:08 2012
From: Flemming Jacobsen
To: freebsd-fs@freebsd.org
Date: Wed, 22 Aug 2012 15:29:05 +0200
Message-ID: <20120822132905.GA53612@wonko.batmule.dk>
In-Reply-To: <20120822123535.0385f118@fabiankeil.de>
References: <20120821190742.54449@relay.ibs.dn.ua> <20120822132440.24864@relay.ibs.dn.ua> <20120822123535.0385f118@fabiankeil.de>
X-Operating-System: FreeBSD 9.1-PRERELEASE amd64
Cc: freebsd-geom@freebsd.org
Subject: Re: `zpool create' fails on geli ...
Fabian Keil wrote:
> Zeus Panchenko wrote:
> > geli init -K /path/key -s 4096 -e aes-xts /dev/adaX
>
> Does your disk actually use 4k sectors? Otherwise it's not clear
> to me that "-s 4096" makes sense when using ZFS.
>
> I'm not claiming that it's obviously wrong, but I'm not aware of
> any benchmarks that show that it's better than the default in
> any way.

It is my understanding that creating a 4K setup will prepare you
for the day when your replacement drive is a 4K one.
No benefit today, but also no real performance hit. And we avoid
a real performance hit later.

If I am mistaken, then I would love to hear about it.

Regards,
Flemming

-- 
Flemming Jacobsen                     Email: fj@batmule.dk
"I don't need The Media to tell me that I should be outraged about a
brutal murder. All I need is to be informed that it has happened, and
I'll form my own opinion about it."
  -- The_Morlock (http://slashdot.org/comments.pl?sid=00%2F02%2F21%2F1125208)

From owner-freebsd-geom@FreeBSD.ORG Fri Aug 24 11:17:15 2012
From: brouci tykadylko
To: freebsd-geom@freebsd.org
Date: Fri, 24 Aug 2012 13:16:14 +0200 (CEST)
Message-Id: <3065.175.369-8674-1053163704-1345806974@seznam.cz>
Subject: geli remote password entering

Thinking about encrypting everything except /boot by geli(+zfs).
Since the server is remote, there is a problem with entering the key after restart.
There is a possibility of KVM at the datacenter, but I don't want to bother with it upon every reboot, not to speak of the possibility of remote interception.
My idea so far is to use a RAMdisk image with a bare ssh like DropBear (like here: http://www.webgroup.ch/linuxtag2006/Paper.pdf), but I still didn't try.
The dream solution is a bootloader with an ssh interface, but I didn't hear about any for fBSD.
Did any of you try something similar? Or do you have any other idea?

thanks
Brouci

From owner-freebsd-geom@FreeBSD.ORG Fri Aug 24 18:37:51 2012
From: Xin Li
Organization: The FreeBSD Project
To: brouci tykadylko
Date: Fri, 24 Aug 2012 11:37:50 -0700
Message-ID: <5037C9FE.2030800@delphij.net>
References: <3065.175.369-8674-1053163704-1345806974@seznam.cz>
In-Reply-To: <3065.175.369-8674-1053163704-1345806974@seznam.cz>
Reply-To: d@delphij.net
Cc: freebsd-geom@freebsd.org
Subject: Re: geli remote password entering

On 08/24/12 04:16, brouci tykadylko wrote:
> Thinking about encrypting everything except /boot by geli(+zfs).
> Since the server is remote, there is a problem with entering the key
> after restart. There is a possibility of KVM at the datacenter, but I
> don't want to bother with it upon every reboot, not to speak of the
> possibility of remote interception. My idea so far is to use a
> RAMdisk image with a bare ssh like DropBear (like here:
> http://www.webgroup.ch/linuxtag2006/Paper.pdf), but I still didn't
> try. The dream solution is a bootloader with an ssh interface, but I
> didn't hear about any for fBSD. Did any of you try something
> similar? Or do you have any other idea?

I have posted something with a similar idea here:

http://lists.freebsd.org/pipermail/freebsd-security/2012-August/006547.html

But this is different -- you can't have only /boot unencrypted
because it requires / and /usr to be available at very early boot
time. Personally I'm not quite concerned with / unencrypted -- you
could reveal /etc/master.passwd in the worst case, but sensitive
data can be stored in encrypted partitions.

Cheers,
-- 
Xin LI https://www.delphij.net/
FreeBSD - The Power to Serve!
Live free or die

From owner-freebsd-geom@FreeBSD.ORG Sat Aug 25 09:12:08 2012
From: Xin Li
Organization: The FreeBSD Project
To: brouci tykadylko
Date: Sat, 25 Aug 2012 02:12:01 -0700
Message-ID: <503896E1.9000203@delphij.net>
In-Reply-To: <3094.176.373-2311-1566486531-1345882861@seznam.cz>
Reply-To: d@delphij.net
Cc: d@delphij.net, freebsd-geom@FreeBSD.org
Subject: Re: geli remote password entering

On 8/25/12 1:21 AM, brouci tykadylko wrote:
> Useful idea, but at this stage it's quite too late for a real
> paranoiac. If you consider logfiles as sensitive data.

There are some problems with my approach but I'm not particularly
concerned with logfiles. This really depends on how you store /var.
It is still possible to mount it after geli initialization and no,
there is no such thing as a 'logfile' since syslogd is not started at
that point.

Moreover I'd say if you really worry about logfiles, they should not
be stored locally but on a dedicated remote log server which has its
logon interface locked down inside a VLAN, and the system should have
only append access to that server and nothing else.

> Linux obviously CAN do that. It has some early_ssh, dropbear ssh
> daemon loaded from initramdisk for the purpose of entering the
> password for LUKS.

Well, this *is* early_ssh -- similar idea but without a duplicated
copy of sshd, etc. where you have two daemons and two files to worry
about. Of course, the current version does not do logs but it's
possible to do it locally or remotely with very simple tweaks by
starting syslogd with an alternative boot-only configuration profile.
It would be interesting to implement an initrd-like feature in
FreeBSD, however, but it's not totally impossible to do a similar
thing "right now"-ish by using a mdroot while having it chroot into
the new / with devfs and friends mounted; it's like a kluge but still
do-able.

> Still didn't find any satisfactory solution for FreeBSD.
>
>> ------------ Original message ------------
>> From: Xin Li
>> Subject: Re: geli remote password entering
>> Date: 24.8.2012 20:44:56
>> ----------------------------------------
>> On 08/24/12 04:16, brouci tykadylko wrote:
>>> Thinking about encrypting everything except /boot by
>>> geli(+zfs). Since the server is remote, there is a problem with
>>> entering the key after restart. There is a possibility of
>>> KVM at the datacenter, but I don't want to bother with it upon
>>> every reboot, not to speak of the possibility of remote
>>> interception. My idea so far is to use a RAMdisk image with a
>>> bare ssh like DropBear (like here:
>>> http://www.webgroup.ch/linuxtag2006/Paper.pdf), but I still
>>> didn't try. The dream solution is a bootloader with an ssh
>>> interface, but I didn't hear about any for fBSD. Did any of
>>> you try something similar? Or do you have any other idea?
>>
>> I have posted something with a similar idea here:
>>
>> http://lists.freebsd.org/pipermail/freebsd-security/2012-August/006547.html
>>
>> But this is different -- you can't have only /boot unencrypted
>> because it requires / and /usr to be available at very early boot
>> time. Personally I'm not quite concerned with / unencrypted -- you
>> could reveal /etc/master.passwd in the worst case, but sensitive
>> data can be stored in encrypted partitions.
>> Cheers,

From owner-freebsd-geom@FreeBSD.ORG Sat Aug 25 10:38:30 2012
From: thomas@FreeBSD.org
To: thomas@cuivre.fr.eu.org, thomas@FreeBSD.org, freebsd-geom@FreeBSD.org
Date: Sat, 25 Aug 2012 10:38:29 GMT
Message-Id: <201208251038.q7PAcTVi086159@freefall.freebsd.org>
Subject: Re: kern/170379: [geom] geom_multipath: rotate only considers last 2 valid providers

Synopsis: [geom] geom_multipath: rotate only considers last 2 valid providers

State-Changed-From-To: open->closed
State-Changed-By: thomas
State-Changed-When: Sat Aug 25 10:37:30 UTC 2012
State-Changed-Why:
Fixed in rev. 239673

Responsible-Changed-From-To: freebsd-geom->thomas
Responsible-Changed-By: thomas
Responsible-Changed-When: Sat Aug 25 10:37:30 UTC 2012
Responsible-Changed-Why:
I'll take this one over.

http://www.freebsd.org/cgi/query-pr.cgi?pr=170379

From owner-freebsd-geom@FreeBSD.ORG Sat Aug 25 11:48:20 2012
From: brouci tykadylko
To: d@delphij.net, freebsd-geom@freebsd.org
Date: Sat, 25 Aug 2012 13:47:59 +0200 (CEST)
Message-Id: <3111.173.372-12526-80734053-1345895279@seznam.cz>
In-Reply-To: <503896E1.9000203@delphij.net>
Subject: Re: geli remote password entering - md approach
> ------------ Original message ------------
> From: Xin Li
> Subject: Re: geli remote password entering
> Date: 25.8.2012 11:19:54
> ----------------------------------------
> It would be interesting to implement an initrd-like feature in FreeBSD,
> however, but it's not totally impossible to do a similar thing "right
> now"-ish by using a mdroot while having it chroot into the new / with
> devfs and friends mounted; it's like a kluge but still do-able.

When / is encrypted, I still have /sbin/init on an encrypted partition. At
least in my current setup, where only /boot is unencrypted. Geli devices
are mounted by the kernel as defined in loader.conf:

geom_eli_load="YES"
geom_label_load="YES"
geom_mirror_load="YES"
geom_part_gpt_load="YES"
zfs_load="YES"
geli_ad4p4_keyfile0_load="YES"
geli_ad4p4_keyfile0_type="ad4p4:geli_keyfile0"
geli_ad4p4_keyfile0_name="/boot/keys/boot.key"
geli_ad6p4_keyfile0_load="YES"
geli_ad6p4_keyfile0_type="ad6p4:geli_keyfile0"
geli_ad6p4_keyfile0_name="/boot/keys/boot.key"
vfs.root.mountfrom="zfs:system"

If I understand it right, the md-approach would be:

0) prepare an mfsroot image with kernel + zfs & geli modules and a statically
   linked dropbear (for example with http://mfsbsd.vx.sk/)
1) load mfsroot from loader.conf
2) execute the kernel from mfsroot
3) execute dropbear and wait for login and geli mount done by hand (maybe
   similarly to your rc script - dropbear can hold its own network config)
   - and maybe even SCP-in the keys for both partitions, so I don't need
   to keep them in unencrypted /boot
4) mount the new root from the encrypted filesystem
5) chroot to the new root
6) execute init from the encrypted root

right?

I'm not the sort of hacker able to modify the kernel code, so this is at
the edge of my kung-fu.
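As an added example (not code from the thread or from FreeBSD), a small Python checker for the geli keyfile tunables in a loader.conf like the one quoted above: it groups the geli_<provider>_keyfile<N>_{load,type,name} triples per provider, verifies that each _type names its own provider and that _load is set, and reports keyfiles kept under /boot, the one part of this setup that stays unencrypted. The loader.conf text inside it is constructed, with two deliberate mistakes, so the script runs offline.

```python
"""Consistency check for geli keyfile tunables in a FreeBSD loader.conf.

Added example, not code from the thread or from FreeBSD: it parses
loader.conf assignments, groups the geli_<provider>_keyfile<N>_{load,type,name}
tunables per provider and reports what would leave a keyfile unusable at boot.
"""
import re

# Constructed sample modelled on the loader.conf quoted in the thread, with two
# deliberate mistakes: ad8p4's _type names a different provider, and ad10p4 has
# a _name and _type but no _load line.
SAMPLE_LOADER_CONF = """\
geom_eli_load="YES"
zfs_load="YES"
geli_ad4p4_keyfile0_load="YES"
geli_ad4p4_keyfile0_type="ad4p4:geli_keyfile0"
geli_ad4p4_keyfile0_name="/boot/keys/boot.key"
geli_ad8p4_keyfile0_load="YES"
geli_ad8p4_keyfile0_type="ad4p4:geli_keyfile0"
geli_ad8p4_keyfile0_name="/boot/keys/boot.key"
geli_ad10p4_keyfile0_type="ad10p4:geli_keyfile0"
geli_ad10p4_keyfile0_name="/root/keys/ad10.key"
vfs.root.mountfrom="zfs:system"
"""

# name="value" or name=value, with an optional trailing comment
ASSIGN_RE = re.compile(r'^\s*([\w.]+)\s*=\s*"?([^"#]*?)"?\s*(?:#.*)?$')
KEYFILE_RE = re.compile(
    r'^geli_(?P<prov>.+)_keyfile(?P<idx>\d+)_(?P<attr>load|type|name)$')


def parse_loader_conf(text):
    """Return {tunable: value} for every assignment in loader.conf text."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = ASSIGN_RE.match(line)
        if m:
            conf[m.group(1)] = m.group(2)
    return conf


def check_geli_keyfiles(conf):
    """Return (provider, index, problem) tuples, sorted by provider and index."""
    entries = {}
    for key, value in conf.items():
        m = KEYFILE_RE.match(key)
        if m:
            entries.setdefault((m["prov"], int(m["idx"])), {})[m["attr"]] = value

    problems = []
    if entries and conf.get("geom_eli_load", "").upper() != "YES":
        problems.append(("*", -1, "geom_eli_load is not YES; no keyfile will be used"))
    for (prov, idx), attrs in sorted(entries.items()):
        if attrs.get("load", "").upper() != "YES":
            problems.append((prov, idx, "keyfile not loaded (missing or non-YES _load)"))
        expected = f"{prov}:geli_keyfile{idx}"
        if attrs.get("type") != expected:
            problems.append((prov, idx, f"_type is {attrs.get('type')!r}, expected {expected!r}"))
        name = attrs.get("name")
        if not name:
            problems.append((prov, idx, "no _name, nothing to load"))
        elif name.startswith("/boot/"):
            # Not an error: the thread's setup keeps keys here, but /boot is
            # the one part of the disk that stays unencrypted.
            problems.append((prov, idx, f"keyfile {name} is stored under the unencrypted /boot"))
    return problems


if __name__ == "__main__":
    for prov, idx, problem in check_geli_keyfiles(parse_loader_conf(SAMPLE_LOADER_CONF)):
        print(f"{prov} keyfile{idx}: {problem}")
```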