From: Nikos Vassiliadis
Subject: Re: eli encrypted providers for zfs raidz1
To: Marco Steinbach, freebsd-geom@freebsd.org
Date: Sat, 17 Nov 2018 12:50:09 +0200
Message-ID: <0824ef45-642d-d8ff-c5e6-e627f9f18e0d@gmx.com>
In-Reply-To: <20181116231809.40a8f74c@bsdbuch.c0c0.intra>
List-Id: GEOM-specific discussions and implementations

Hi Marco,

On 11/17/18 12:18 AM, Marco Steinbach wrote:
> Hi.
>
> I'm using 11.2-RELEASE r335510 amd64 GENERIC in an Oracle VirtualBox
> setup on FreeBSD, which is what comes out of the box, when installing
> 11.2 from the distribution media.
>
>
> I'm trying to wrap my head around how to avoid a zpool resilver on a
> non-booting ZFS raidz1 of four equally sized (GPT) partitions on
> four distinct drives using eli for encryption.
>
> IOW: I do struggle with finding a way to attach all the
> providers such that ZFS does not initiate a resilver due to the
> providers being attached sequentially.
>
> I've created and initialized the partitions as follows (generic
> notation, comments on chosen encryption algo welcome, since this
> testing setup lacks AES-NI):
> # gpart create -s gpt /dev/ada[2-5]
> # gpart add -t freebsd-zfs /dev/ada[2-5]
> # geli init -e AES-CBC -l 128 /dev/ada[2-5]p1
>
> Then I attached the geli partitions like so:
> # geli attach /dev/ada[2-5]p1
>
> And finally created a raidz1 spanning all four partitions:
> # zpool create u0001 raidz1 /dev/ada[2-5]p1.eli
>
> That works flawlessly. And naturally, after a reboot none of the
> encrypted devices is available to the zpool then, unless I attach them.
>
> Doing so using geli attach requires me to attach them sequentially,
> which then results in ZFS resilvering the pool.

Why don't you just export the pool before shutting down? Since you
already attach GELI manually, it'd make sense to import the pool
manually as well. You could automate the import using devd and some
scripting, that is, detect when all GELIs are there and then run
zpool import.

> So, here are my questions:
>
> 1. Is the unavoidable resilver intended behaviour based on current
> implementation, or am I missing something?

It makes sense to resilver, given that ZFS will try to import the pool
as soon as enough devices appear. I am not sure whether it is
unavoidable though.

> 2. In case I use a bootable zfsroot (kudos to allanjude@, I highly
> recommend his BSDCan presentations on the matter), is there a way to
> hand over the zfsroot passphrase to eli for automatically attaching
> other providers?
>
> Please note, that I'd like to stick as close as possible to what the
> base system offers for this use-case.
>
> Kind regards, CoCo
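
The approach suggested in the reply above (export the pool before shutdown, import it only once every GELI provider is attached), as an added example that is not part of the original e-mail. The pool name and partitions come from the quoted message; the variable names, function names and exit codes are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original thread.
# Before shutdown, export the pool as the reply suggests:
#   zpool export u0001
# After boot, run this by hand after each `geli attach`, or from a devd(8)
# action on GEOM device-creation events (the devd hook itself is not shown):
#   sh import-u0001.sh run

POOL="${POOL:-u0001}"                       # pool name from the quoted message
PROVIDERS="${PROVIDERS:-ada2p1.eli ada3p1.eli ada4p1.eli ada5p1.eli}"
DEVDIR="${DEVDIR:-/dev}"                    # assumption: overridable for testing
ZPOOL="${ZPOOL:-zpool}"                     # assumption: overridable for testing

# Return 0 only when every expected .eli provider node exists.
all_providers_present() {
    for p in $PROVIDERS; do
        [ -e "$DEVDIR/$p" ] || return 1
    done
    return 0
}

# Return 0 if the pool is already imported.
pool_imported() {
    "$ZPOOL" list -H -o name "$POOL" >/dev/null 2>&1
}

# Import the pool once, and only when all providers are attached.
# Returns 0 = imported (or already imported), 2 = still waiting for
# providers, 1 = zpool import failed.
import_when_ready() {
    pool_imported && return 0
    all_providers_present || return 2
    "$ZPOOL" import -d "$DEVDIR" "$POOL" || return 1
}

if [ "${1:-}" = "run" ]; then
    import_when_ready
    exit $?
fi
```

Because the import is deferred until the fourth `.eli` node exists, ZFS never sees the pool with only some of its members present.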