From: Stefan Esser
To: FreeBSD Stable
Subject: GELI: Regression between STABLE-10 and STABLE-11?
Date: Fri, 16 Jun 2017 10:26:31 +0200

Hi all,

I'm administrating an SVN server for a small company, which is used to
archive work results, but also customer contracts and information
received under NDA.

The system uses pure ZFS (root on ZFS) and part of the "data" pool is
a ZVOL that is used as a GELI provider to hold the confidential data.

I just tried to upgrade this system to STABLE-11 (or rather 11-BETA1)
and found that I could not attach the GELI protected partition with:

# geli attach -d -k /root/MY_GELI_KEYFILE /dev/zvol/data/geli.vol

The command failed with "invalid password" (or along that line, sorry
for not writing the exact text down).

The system was running with consistent STABLE-11 kernel and world, and
there was no sign of any other problem.

I performed a roll-back to STABLE-10 and could attach the GELI partition
without any problem with the key-file and password that had failed under
STABLE-11.

This problem is not critical for me (I can create an encrypted backup
of the encrypted data and restore that into a GELI partition created
under STABLE-11), but it might be a general problem - that's why I'm
reporting this failure ...

Some more details:

$ uname -a
FreeBSD XXX.com 10.3-STABLE FreeBSD 10.3-STABLE #0 r318284: Mon May 15 11:58:47 CEST 2017 root@s... amd64

The (abridged) ZFS pool status is:

$ zpool status
  pool: sys
config:

        NAME              STATE     READ WRITE CKSUM
        sys               ONLINE       0     0     0
          mirror-0        ONLINE       0     0     0
            gpt/System-1  ONLINE       0     0     0
            gpt/System-2  ONLINE       0     0     0

  pool: data
config:

        NAME            STATE     READ WRITE CKSUM
        data            ONLINE       0     0     0
          mirror-0      ONLINE       0     0     0
            gpt/Data-1  ONLINE       0     0     0
            gpt/Data-2  ONLINE       0     0     0

  pool: crypto
config:

        NAME                      STATE     READ WRITE CKSUM
        crypto                    ONLINE       0     0     0
          zvol/data/geli.vol.eli  ONLINE       0     0     0

$ zfs list -t volume
NAME            USED  AVAIL  REFER  MOUNTPOINT
data/geli.vol  94.5G  78.5G  37.9G  -

I know about the problem of ZFS on ZFS and this will be fixed (I'm going
to convert the file-system in the ZVOL to UFS), but it was a valid setup
when the server was installed a number of years ago. (And I use
"vfs.zfs.vol.recursive=1" as a work-around to disable the safe-guard
that has been implemented to prevent ZFS on ZPOOL.)

I'm able to work around the problem, since the amount of data in the
encrypted partition is small and I wanted to transfer it into a UFS
file-system on a GELI partition, anyway.

Since I had only reserved a short maintenance window for the attempted
upgrade, I could not perform many tests and I lost all logs during the
rollback to STABLE-10. (I had not considered that this could be a problem
that might affect others, at that time.)

Regards, STefan