Site Navigation

Date:      Wed, 01 Oct 2014 17:19:37 -0500
From:      Karl Denninger <karl@denninger.net>
To:        freebsd-stable@freebsd.org
Subject:   Re: Encrypted (GELI) root on ZFS troubles
Message-ID:  <542C7DF9.3060404@denninger.net>
In-Reply-To: <542C7903.3010906@denninger.net>
References:  <542C71C9.1050907@denninger.net> <542C7794.8040502@FreeBSD.org> <542C7903.3010906@denninger.net>

---

next in thread | previous in thread | raw e-mail | index | archive | help

---

[-- Attachment #1 --]
On 10/1/2014 4:58 PM, Karl Denninger wrote:
> On 10/1/2014 4:52 PM, Andriy Gapon wrote:
>> On 02/10/2014 00:27, Karl Denninger wrote:
>>> So here's the fun part of what I'm trying to do (and getting frustrated
>>> with)
>>>
>>> I have set up a GPT disk with the following setup:
>>>
>>> =>       34  625142381  da2  GPT  (298G)
>>>          34          6       - free -  (3.0K)
>>>          40       1024    1  freebsd-boot  (512K)
>>>        1064    4194304    2  freebsd-zfs  [bootme]  (2.0G)
>>>     4195368  134217728    3  freebsd-swap  (64G)
>>>   138413096  486729312    4  freebsd-zfs  (232G)
>>>   625142408          7       - free -  (3.5K)
>>>
>>> Then on freebsd-boot I have written the bootloaders.
>>>
>>> The "bootme" filesystem has *only* the /boot directory copied over from
>>> the rest of the system's root directory (that is, the kernel, loadables,
>>> /boot/loader.conf, etc); that pool is called "zboot"
>>>
>>> Partition 4 has the label "root0" on it, and thus shows up in /dev/gpt. 
>>> I have initialized that with geli, set the boot option flag (that is,
>>> prompt on boot) and created a pool called "root" on the resulting .eli
>>> device and then put the system on that.  That's all ok.
>>>
>>> Finally, I set the bootfs on that latter pool.  There is no bootfs set
>>> on /zboot:
>>>
>>> # zpool get bootfs zboot
>>> NAME   PROPERTY  VALUE   SOURCE
>>> zboot  bootfs    -       default
>>>
>>> It is set on the root pool to the proper filesystem:
>>>
>>> # zpool get bootfs root
>>> NAME  PROPERTY  VALUE              SOURCE
>>> root  bootfs    root/R/10.1-CLEAN  local
>>>
>>> The problem is that when the system boots geli "finds" the raw device
>>> (in this case /dev/da0p4), prompts for the password and attaches there
>>> instead of in /dev/gpt.  The gpt label is missing --- and equally bad
>>> the "root" pool does not appear to import at boot time either.
>>>
>>> As a result the system tries to mount root from /zboot (even though it's
>>> not been told to, and HAS been told where to mount off the root pool),
>> As far as *I* can see, you have not told the kernel what your root fs should be,
>> so it is using a default root filesystem which the same filesystem from where
>> the kernel itself was loaded.
>>
>>> but there's no init in there (or anything else other than the boot
>>> filesystem itself) and as a result I get an immediate panic.
>>>
> Various wikis on setting this up have strongly suggested that
> /boot/loader.conf no longer needs to have the root filesystem declared
> explicitly as it is able to locate it via looking in the pool metadata. 
> Is this wrong in this specific case?
>
> (Not a huge deal if so, but it's not at all clear that's true -- and it
> doesn't do anything for the issue of geli grabbing the base device
> rather than the /dev/gpt one.)
>
Ah, the kernel will not cross a zpool to look for bootfs; if it's not
set on the pool it comes from it will not look further.  Setting it
explicitly in /boot/loader.conf worked.

-- 
Karl Denninger
karl@denninger.net <mailto:karl@denninger.net>
/The Market Ticker/

[-- Attachment #2 --]
0�	*�H��

��0�

10	+0�	*�H��


��O0�K0�3�

0
	*�H��


0��10	UUS10UFlorida10U	Niceville10U
Cuda Systems LLC10UCuda Systems LLC CA1/0-	*�H��

	
 customer-service@cudasystems.net0
130824190344Z
180823190344Z0[10	UUS10UFlorida10UKarl Denninger1!0	*�H��

	
karl@denninger.net0�"0
	*�H��



�0�
�
��b����i՞�]�����MN�Կ���aw�x�?�`�)'�Ҵ�cWg�R@
Bl��Wh+	�u}ApdC���FJV�й���~�FOL��}��EW�^��bچY��p3�K&��ׂ��(R�
��l�xڝ.x��z?�����6��&n�s��J���+1v�9v/�(kq�Īp[�v�jc�K%f�ϻe���?iq]z����������
��lyzF��O'�ppdX//��Lw(���3����������J���IA�*��S�#�����՟��H��[f|CGqJK�o��oy��.oE�����u�Ow$��/��섀$삻J���9b�����������|����AP~8�]D1������Y�I<"�"�"Y^��T�2�iQ�2����b��	yH���)��]�	Ƶ�0y$�_N6X���q�M�C �9�՘	����X�gώj��G�T�P"�#��n���ˋ"B�k��1

���0��0	U00	`�H
��B

�0U�0,	`�H
��B

OpenSSL Generated Certificate0U|8�������˴�d�[2�0U#0�]��Af�4U3�x��&^"408	`�H
��B
+)https://cudasystems.net:11443/revoked.crl0
	*�H��


�

gB���wH]����j�\�x�`(�&��g���W�3��2�"��Uf^�.��^Iϱ�
�k!�DQ��Ag{(�w������/��)\N��'[��oRW���@��C���HO���>��)X��r�TNɘ��!�u`��xt5(��=f\-l3��<����@C��6��mn��hv�#����#�����1Ń�b�H�͍���_N�q
a�ʷ?rk���$^�9�TI�a�!�k����h��,D���-ct��1�
0�

0��0��10	UUS10UFlorida10U	Niceville10U
Cuda Systems LLC10UCuda Systems LLC CA1/0-	*�H��

	
 customer-service@cudasystems.net
0	+��;0	*�H��

	1	*�H��


0	*�H��

	1
141001221937Z0#	*�H��

	1����F�̓����[>5�p�B0l	*�H��

	1_0]0	`�H
e
*0	`�H
e
0
*�H��
0*�H��
�0
*�H��

@0+0
*�H��

(0��	+

�71��0��0��10	UUS10UFlorida10U	Niceville10U
Cuda Systems LLC10UCuda Systems LLC CA1/0-	*�H��

	
 customer-service@cudasystems.net
0��*�H��

	1�����0��10	UUS10UFlorida10U	Niceville10U
Cuda Systems LLC10UCuda Systems LLC CA1/0-	*�H��

	
 customer-service@cudasystems.net
0
	*�H��



�a����RS���kV�I�h�UU�1�ˬ:�ט{rg��V��N��+p�Tt���MHMႻ����Ne>j��x�˫�'�}�����j�����F>��4���,�+�4Ȝ�h��)���Ac(�_�:����[�&��4p�<#x]5�ƛy�;�2�����Z�[�ޒ*� $t�l|����b�Ѵ��2��J��C<S,Bs�ࠦ�0�͙U���!�l"S�
�w]i�8Zk���Ț)P�jHVMs	n��N@?��X�2K8��a��~d��=(H�R4d,�fYMy%�,r�q
�� �l��4C�'��
�א���{�p��T���(��1]�G�2ܸr�C$�;��'�':�c�}��f��H���PC�4#���5bϩՍS�B�=M�^QVg��$*�U
IO�u��y(?d�79;�l��|�2�<�d-`��7�IQ$��X�E��-�"{Pp��!�.��j�N�֞ϧ��/Fb��LJ�9�h��V��ˋ�'2���<���3

---

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?542C7DF9.3060404>

Legal Notices | © 1995-2025 The FreeBSD Project. All rights reserved.

Contact