zfs: load keys for encrypted datasets during pool import #1384
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
I haven't added tests yet because I'm not sure how you would like me to do that -- should we have just one specific test for this behaviour or run all of the ZFS-related tests on both an encrypted and unencrypted dataset? Also let me know if you think just doing |
stgraber
requested changes
Nov 18, 2024
There was a problem hiding this comment.
Logic looks good to me.
For testing, the easiest would be a system tests which only runs under INCUS_BACKEND=zfs and proceeds to manually create a test loop backed test zpool with encryption, then restarts the test Incus instance to make sure it gets unlocked properly.
|
|
|
@stgraber Ah, so you would prefer if the import failed? I assumed you'd prefer a warning (hence all of the logic for figuring out which datasets have non- |
|
A storage pool failing to start should have it go into a failed state that gets retried so we should be okay with it failing to mount. |
|
@stgraber Okay, EDIT: I think doing |
cyphar
force-pushed
the
zfs-loadkeys
branch
3 times, most recently
from
df712a0 to
ec1b82d
Compare
cyphar
force-pushed
the
zfs-loadkeys
branch
3 times, most recently
from
a533cb2 to
93f8d3a
Compare
Signed-off-by: Stéphane Graber <[email protected]>
If a user has set up their own zpools and given them to us to manage, it's possible they've configured ZFS-native encryption. For the most part, this works completely transparently to us. However, because we manually do zpool-import and zpool-export during startup and shutdown of Incus, ZFS datasets with keys will have their keys unloaded during shutdown and then the keys are not automatically loaded on startup. This results in containers being unable to start on startup because all IOs are blocked indefinitely until the dataset keys are loaded manually by the admin -- even if the admin has configured automatic key loading on their system! The simplest solution would be to pass -l to zfs-import (which causes ZFS to auto-import all keys for all datasets in the pool). However, it is slightly nicer to do a separate zfs-load-key so that we can unmount the pool if the key import fails (zfs-import will leave the pool imported but without keys loaded). If the user has configured keylocation=prompt (or otherwise misconfigured the encryption settings for their pool), the command will fail and the pool import will fail loudly (rather than silently failing in the form of an imported pool that is not usable as a filesystem). Signed-off-by: Aleksa Sarai <[email protected]>
This primarily ensures that we correctly load the dataset keys when importing a pool, and if we can't import the dataset that the storage pool is correctly tagged as UNAVAILABLE. Signed-off-by: Aleksa Sarai <[email protected]>
stgraber
force-pushed
the
zfs-loadkeys
branch
from
93f8d3a to
9a9c8f7
Compare
stgraber
approved these changes
Nov 22, 2024
tmeijn
pushed a commit
to tmeijn/dotfiles
that referenced
this pull request
Dec 13, 2024
This MR contains the following updates: | Package | Update | Change | |---|---|---| | [lxc/incus](https://github.com/lxc/incus) | minor | `v6.7.0` -> `v6.8.0` | MR created with the help of [el-capitano/tools/renovate-bot](https://gitlab.com/el-capitano/tools/renovate-bot). **Proposed changes to behavior should be submitted there as MRs.** --- ### Release Notes <details> <summary>lxc/incus (lxc/incus)</summary> ### [`v6.8.0`](https://github.com/lxc/incus/releases/tag/v6.8.0): Incus 6.8 [Compare Source](lxc/incus@v6.7.0...v6.8.0) #### What's Changed - exec: Consume websocket pings for stderr by [@​stefanor](https://github.com/stefanor) in lxc/incus#1380 - incus-simplestreams: Add prune command by [@​presztak](https://github.com/presztak) in lxc/incus#1381 - internal/instance: Fix validation of volatile.cpu.nodes by [@​stgraber](https://github.com/stgraber) in lxc/incus#1394 - Add a function to clone map and use it where appropriate by [@​montag451](https://github.com/montag451) in lxc/incus#1397 - cgo/process_utils: fix 32bit builds by [@​brauner](https://github.com/brauner) in lxc/incus#1398 - Start using goimports by [@​stgraber](https://github.com/stgraber) in lxc/incus#1399 - instance/config: Mark user keys as live updatable by [@​stgraber](https://github.com/stgraber) in lxc/incus#1404 - incus/internal/server/instance/drivers/: Fix incorrect Vars file mapping in edk2 driver by [@​cmspam](https://github.com/cmspam) in lxc/incus#1406 - zfs: load keys for encrypted datasets during pool import by [@​cyphar](https://github.com/cyphar) in lxc/incus#1384 - incusd/instance: Lock image access by [@​stgraber](https://github.com/stgraber) in lxc/incus#1408 - incus/image: Make use of server-side alias handling by [@​stgraber](https://github.com/stgraber) in lxc/incus#1409 - incusd/cluster: Validate cluster HTTPS address on join too by [@​stgraber](https://github.com/stgraber) in lxc/incus#1411 - Remove metadata info from space usage calculation by [@​presztak](https://github.com/presztak) in lxc/incus#1417 - Add ability to set the initial owner of a custom volume by [@​presztak](https://github.com/presztak) in lxc/incus#1415 - Allow local live-migration between storage pools by [@​presztak](https://github.com/presztak) in lxc/incus#1410 - incus: Add aliases completion by [@​montag451](https://github.com/montag451) in lxc/incus#1385 - golangci: Add local prefixes for goimports by [@​breml](https://github.com/breml) in lxc/incus#1401 - client: invalidate simple streams cache by [@​breml](https://github.com/breml) in lxc/incus#1424 - incusd/instances_post: Fix cluster internal migrations by [@​stgraber](https://github.com/stgraber) in lxc/incus#1427 - Fix DHCP client keeping container up by [@​stgraber](https://github.com/stgraber) in lxc/incus#1430 - Add support for VGA console screenshots by [@​breml](https://github.com/breml) in lxc/incus#1431 - Add --reuse to incus image import by [@​presztak](https://github.com/presztak) in lxc/incus#1428 - Fix random ETag values due to map ordering by [@​stgraber](https://github.com/stgraber) in lxc/incus#1432 - incusd/task: Fix wait group logic (more entries than running tasks) by [@​stgraber](https://github.com/stgraber) in lxc/incus#1433 - Allow setting aliases during raw image upload by [@​stgraber](https://github.com/stgraber) in lxc/incus#1434 - Fixes an issue when copying a custom volume using the `--refresh` flag by [@​presztak](https://github.com/presztak) in lxc/incus#1437 - Openfga improvements by [@​stgraber](https://github.com/stgraber) in lxc/incus#1435 - doc/instance/properties: Add missing instance properties by [@​stgraber](https://github.com/stgraber) in lxc/incus#1439 - incusd/daemon_storage: Ensure corect symlinks for images/backups by [@​stgraber](https://github.com/stgraber) in lxc/incus#1441 - incusd/storage/lvm: Handle newer LVM by [@​stgraber](https://github.com/stgraber) in lxc/incus#1442 - Tweak rendering of manpage in doc by [@​stgraber](https://github.com/stgraber) in lxc/incus#1443 - incusd/storage/lvm: Require 512-bytes physical block size for VM images by [@​stgraber](https://github.com/stgraber) in lxc/incus#1444 - incusd: Fill ExpiryDate and remove LastUsedDate in volumeSnapshotToProtobuf by [@​presztak](https://github.com/presztak) in lxc/incus#1448 - incusd/device/tpm: Wait for swtpm to be ready by [@​stgraber](https://github.com/stgraber) in lxc/incus#1447 - incus: Improve completion for `file push` and `file pull` by [@​montag451](https://github.com/montag451) in lxc/incus#1445 - incusd/auth/tls: Restrict config access to non-admin by [@​stgraber](https://github.com/stgraber) in lxc/incus#1451 - incusd/storage: Handle default disk size in GetInstanceUsage by [@​stgraber](https://github.com/stgraber) in lxc/incus#1452 - incus: Improve completion for some file sub-commmands by [@​montag451](https://github.com/montag451) in lxc/incus#1453 - incus: Fix completion for `profile copy` by [@​montag451](https://github.com/montag451) in lxc/incus#1454 - incus: Add completion for `image alias` subcommands by [@​montag451](https://github.com/montag451) in lxc/incus#1457 - doc/installing: Update Fedora instructions by [@​stgraber](https://github.com/stgraber) in lxc/incus#1456 - Fix gap in validation of pre-existing certificates when switching to PKI mode by [@​stgraber](https://github.com/stgraber) in lxc/incus#1458 - doc/network_forwards: Split configuration into own table by [@​stgraber](https://github.com/stgraber) in lxc/incus#1460 - chore: Happy path on the left, early return by [@​breml](https://github.com/breml) in lxc/incus#1461 - incus: Fix completion for `image alias create` by [@​montag451](https://github.com/montag451) in lxc/incus#1459 - incus/top: Ignore CPU idle time by [@​stgraber](https://github.com/stgraber) in lxc/incus#1462 - incus: Display the alias expansion when execution of an alias fails by [@​montag451](https://github.com/montag451) in lxc/incus#1464 - lint: disallow restricted licenses in go-licenses by [@​breml](https://github.com/breml) in lxc/incus#1466 - chore: code structure, Go identifier shaddowing by [@​breml](https://github.com/breml) in lxc/incus#1465 - incus: Fix alias arguments handling by [@​montag451](https://github.com/montag451) in lxc/incus#1463 - incus/file/push Use SFTP client instead of file API by [@​HassanAlsamahi](https://github.com/HassanAlsamahi) in lxc/incus#1468 - Fix TPM fd leaks and OpenFGA patching issue by [@​stgraber](https://github.com/stgraber) in lxc/incus#1469 - Clarify device override syntax by [@​stgraber](https://github.com/stgraber) in lxc/incus#1471 - incusd/auth/openfga: refresh model before applying patches by [@​stgraber](https://github.com/stgraber) in lxc/incus#1472 - Add authorization scriptlet by [@​bensmrs](https://github.com/bensmrs) in lxc/incus#1412 - doc: add openSUSE installation instructions by [@​cyphar](https://github.com/cyphar) in lxc/incus#1475 - OCI image debugging improvements by [@​danbiagini](https://github.com/danbiagini) in lxc/incus#1478 - Add function checks to scriptlet validation by [@​bensmrs](https://github.com/bensmrs) in lxc/incus#1484 - incus/project: Fix handling of default (unset) project in `get-current` by [@​irhndt](https://github.com/irhndt) in lxc/incus#1476 - Translations update from Hosted Weblate by [@​weblate](https://github.com/weblate) in lxc/incus#1492 - Add `--force` flag to the console command by [@​presztak](https://github.com/presztak) in lxc/incus#1491 - Accept io.Writer in RenderTable by [@​breml](https://github.com/breml) in lxc/incus#1490 - doc/network_bridge: Fix missing escaping around variable by [@​irhndt](https://github.com/irhndt) in lxc/incus#1493 - incusd/cluster: Skip project restrictions during join by [@​stgraber](https://github.com/stgraber) in lxc/incus#1497 - incusd/instance/lxc: Skip instances without idmap allocation yet by [@​stgraber](https://github.com/stgraber) in lxc/incus#1495 - incusd/storage/drivers/common: Truncate/Discard ahead of sparse write by [@​stgraber](https://github.com/stgraber) in lxc/incus#1496 - Add AskPassword/AskPasswordOnce to Asker by [@​breml](https://github.com/breml) in lxc/incus#1499 - Add additional check to Cancel method for ConsoleShow operation by [@​presztak](https://github.com/presztak) in lxc/incus#1500 - Improve console disconnections by [@​stgraber](https://github.com/stgraber) in lxc/incus#1501 - Fix duplicate OVN load-balancer entries by [@​stgraber](https://github.com/stgraber) in lxc/incus#1502 - Improve SFTP performance by [@​stgraber](https://github.com/stgraber) in lxc/incus#1503 - incusd/instance_post: Expand profiles in scriptlet context by [@​stgraber](https://github.com/stgraber) in lxc/incus#1504 #### New Contributors - [@​stefanor](https://github.com/stefanor) made their first contribution in lxc/incus#1380 - [@​brauner](https://github.com/brauner) made their first contribution in lxc/incus#1398 - [@​cyphar](https://github.com/cyphar) made their first contribution in lxc/incus#1384 - [@​breml](https://github.com/breml) made their first contribution in lxc/incus#1401 - [@​danbiagini](https://github.com/danbiagini) made their first contribution in lxc/incus#1478 - [@​irhndt](https://github.com/irhndt) made their first contribution in lxc/incus#1476 **Full Changelog**: lxc/incus@v6.7.0...v6.8.0 </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever MR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this MR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this MR, check this box --- This MR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOS42Mi42IiwidXBkYXRlZEluVmVyIjoiMzkuNjIuNiIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsiUmVub3ZhdGUgQm90Il19-->
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
If a user has set up their own zpools and given them to us to manage,
it's possible they've configured ZFS-native encryption. For the most
part, this works completely transparently to us. However, because we
manually do zpool-import and zpool-export during startup and shutdown of
Incus, ZFS datasets with keys will have their keys unloaded during
shutdown and then the keys are not automatically loaded on startup. This
results in containers being unable to start on startup because all IOs
are blocked indefinitely until the dataset keys are loaded manually by
the admin -- even if the admin has configured automatic key loading on
their system!
The simplest solution would be to pass -l to zfs-import (which causes
ZFS to auto-import all keys for all datasets in the pool). However, it
is slightly nicer to do a separate zfs-load-key so that we can unmount
the pool if the key import fails (zfs-import will leave the pool
imported but without keys loaded).
If the user has configured keylocation=prompt (or otherwise
misconfigured the encryption settings for their pool), the command will
fail and the pool import will fail loudly (rather than silently failing
in the form of an imported pool that is not usable as a filesystem).
Signed-off-by: Aleksa Sarai [email protected]