Date: Sat, 17 Nov 2018 21:59:09 +0100
From: Marco Steinbach <coco@executive-computing.de>
To: freebsd-geom@freebsd.org
Subject: Re: eli encrypted providers for zfs raidz1
Message-ID: <20181117215909.44f056a6@bsdbuch.c0c0.intra>
In-Reply-To: <0824ef45-642d-d8ff-c5e6-e627f9f18e0d@gmx.com>
References: <20181116231809.40a8f74c@bsdbuch.c0c0.intra>
 <0824ef45-642d-d8ff-c5e6-e627f9f18e0d@gmx.com>
On Sat, 17 Nov 2018 12:50:09 +0200
Nikos Vassiliadis <nvass@gmx.com> wrote:

> Hi Marco,
>
> On 11/17/18 12:18 AM, Marco Steinbach wrote:
> > Hi.
> >
> > I'm using 11.2-RELEASE r335510 amd64 GENERIC in an Oracle VirtualBox
> > setup on FreeBSD, which is what comes out of the box when
> > installing 11.2 from the distribution media.
> >
> >
> > I'm trying to wrap my head around how to avoid a zpool resilver
> > on a non-booting ZFS raidz1 off of four equally sized (GPT)
> > partitions on four distinct drives using eli for encryption.
> >
> > IOW: I do struggle with finding a way to attach all the
> > providers such that ZFS does not initiate a resilver due to the
> > providers being attached sequentially.
> >
> > I've created and initialized the partitions as follows (generic
> > notation, comments on chosen encryption algo welcome, since this
> > testing setup lacks AES-NI):
> > # gpart create -s gpt /dev/ada[2-5]
> > # gpart add -t freebsd-zfs /dev/ada[2-5]
> > # geli init -e AES-CBC -l 128 /dev/ada[2-5]p1
> >
> > Then I attached the geli partitions like so:
> > # geli attach /dev/ada[2-5]p1
> >
> > And finally created a raidz1 spanning all four partitions:
> > # zpool create u0001 raidz1 /dev/ada[2-5]p1.eli
> >
> > That works flawlessly. And naturally, after a reboot none of the
> > encrypted devices is available to the zpool then, unless I attach
> > them.
> >
> > Doing so using geli attach requires me to attach them sequentially,
> > which then results in ZFS resilvering the pool.
>
> Why don't you just export the pool before shutting down? Since
> you already attach GELI manually, it'd make sense to import the pool
> manually as well.

This solution never occurred to me -- you are right :)

> You could automate the import using devd and some scripting, that is,
> detect when all GELIs are there and then run zpool import.
>
> > So, here are my questions:
> >
> > 1. Is the unavoidable resilver intended behaviour based on current
> > implementation, or am I missing something ?
>
> It makes sense to resilver, given that ZFS will try to import the pool
> as soon as enough devices appear. I am not sure whether it is
> unavoidable though.

As per your suggestion, exporting the pool during shutdown would avoid this altogether.

I just tried Ben's suggestions, and they work like a charm in 11.2 and 12-RC1 -- ridding me of any manual intervention apart from entering the passphrase, just relying on the base system's capabilities. Exactly what I was looking for :)

Thanks again for your thoughts.

> > 2. In case I use a bootable zfsroot (kudos to allanjude@, I
> > highly recommend his BSDCan presentations on the matter), is
> > there a way to hand over the zfsroot passphrase to eli for
> > automatically attaching other providers ?
> >
> > Please note that I'd like to stick as close as possible to what the
> > base system offers for this use-case.
> >
> > MfG CoCo

MfG CoCo
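The export-before-shutdown, import-after-all-providers-are-attached approach discussed in this thread, written out as an added example script (not code from the thread, from Ben's suggestions or from the FreeBSD base system). It assumes the layout described above (ada2..ada5, partition p1, pool u0001); the devd hookup Nikos mentions is not included.

```sh
# Added example, not from the thread or the base system: attach every GELI
# provider behind the raidz1 first and import the pool only once all of them
# exist, so ZFS never imports a partially attached vdev set and resilvers.
# Layout assumed from the thread: ada2..ada5, partition p1, pool u0001.

POOL="${POOL:-u0001}"
PROVIDERS="${PROVIDERS:-ada2p1 ada3p1 ada4p1 ada5p1}"

# all_eli_present DEVDIR PROVIDER...: succeed only when every
# PROVIDER.eli device node exists under DEVDIR.
all_eli_present() {
    devdir="$1"; shift
    for p in "$@"; do
        [ -e "$devdir/$p.eli" ] || return 1
    done
    return 0
}

# missing_eli DEVDIR PROVIDER...: print the providers not yet attached.
missing_eli() {
    devdir="$1"; shift
    for p in "$@"; do
        [ -e "$devdir/$p.eli" ] || printf '%s\n' "$p"
    done
}

# attach_and_import: attach each provider (geli prompts for the passphrase),
# then import the pool in one step, never while a provider is still missing.
attach_and_import() {
    for p in $PROVIDERS; do
        [ -e "/dev/$p.eli" ] || geli attach "/dev/$p" || return 1
    done
    if all_eli_present /dev $PROVIDERS; then
        zpool import "$POOL"
    else
        echo "not importing $POOL, missing: $(missing_eli /dev $PROVIDERS)" >&2
        return 1
    fi
}

# export_and_detach: run before shutdown so the next boot imports cleanly.
export_and_detach() {
    zpool export "$POOL" || return 1
    for p in $PROVIDERS; do geli detach "/dev/$p.eli"; done
}

case "${1:-}" in
    up)   attach_and_import ;;
    down) export_and_detach ;;
esac
```

Invoke it as `sh script.sh up` after boot and `sh script.sh down` before shutdown; the import step refuses to run while any `.eli` node is absent.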