Date: Fri, 18 Mar 2022 13:55:38 GMT
From: Mateusz Piotrowski <0mp@FreeBSD.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Subject: git: 97aeda224356 - main - zfskeys: Support autoloading of keys stored on ZFS
Message-ID: <202203181355.22IDtc03044048@gitrepo.freebsd.org>
The branch main has been updated by 0mp (doc, ports committer): URL: https://cgit.FreeBSD.org/src/commit/?id=97aeda2243568b386d792514996a06daec55eece commit 97aeda2243568b386d792514996a06daec55eece Author: Mateusz Piotrowski <0mp@FreeBSD.org> AuthorDate: 2022-03-18 12:35:16 +0000 Commit: Mateusz Piotrowski <0mp@FreeBSD.org> CommitDate: 2022-03-18 13:53:52 +0000 zfskeys: Support autoloading of keys stored on ZFS The zfskeys service script starts before the zfs service script, so that dataset decryption keys are available when `zfs mount -a` is run. One of the potential edge cases of this design is that if a key is stored on ZFS it won't be loaded until `zfs mount -a` is issued. In order to address that let's try to load the additional keys and mount related ZFS datasets after the zfs script finishes its standard mounting procedure. PR: 262468 Reported by: Graham Perrin <grahamperrin@gmail.com> Reviewed by: allanjude Approved by: allanjude (src) Fixes: 33ff39796ffe Add zfskeys rc.d script for auto-loading encryption keys MFC after: 3 days Sponsored by: Modirum Sponsored by: Klara Inc. Differential Revision: https://reviews.freebsd.org/D34601 --- libexec/rc/rc.d/zfs | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/libexec/rc/rc.d/zfs b/libexec/rc/rc.d/zfs index 2d35f9b54642..dbc82f82c65b 100755 --- a/libexec/rc/rc.d/zfs +++ b/libexec/rc/rc.d/zfs @@ -13,6 +13,7 @@ name="zfs" desc="Mount and share ZFS datasets" rcvar="zfs_enable" start_cmd="zfs_start" +start_postcmd="zfs_poststart" stop_cmd="zfs_stop" required_modules="zfs" @@ -41,6 +42,17 @@ zfs_start() fi } +zfs_poststart() +{ + # Some of the keys to decrypt datasets are potentially stored on ZFS + # datasets that just got mounted. Let's try to load those keys and + # mount the datasets. + if checkyesno zfskeys_enable; then + /etc/rc.d/zfskeys start + zfs_start + fi +} + zfs_stop_jail() { if [ `$SYSCTL_N security.jail.mount_allowed` -eq 1 ]; then
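Review bot: in the new zfs_poststart(), the exit status of `/etc/rc.d/zfskeys start` is ignored and zfs_start is then re-run unconditionally, so a failed key load is indistinguishable from a successful one and the full start routine runs a second time on every boot where zfskeys_enable is set, even when no additional key was loaded. Consider calling zfs_start only when the zfskeys invocation succeeds and logging a warning otherwise. The comment should also state that this is a single extra pass: a key stored on a dataset that only becomes mountable during this second zfs_start is still not loaded. Finally, the path `/etc/rc.d/zfskeys` is hard-coded; if the script can be installed or overridden elsewhere, that assumption deserves a note in the comment.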