[pve-devel] The problem with offline encrypted zfs volumes
Fabian Grünbichler
f.gruenbichler at proxmox.com
Tue Jul 23 17:35:35 CEST 2019
On Tue, Jul 23, 2019 at 04:47:13PM +0200, Stephan Leemburg wrote:
> Hi All,
>
> I have been using proxmox with offline encrypted volumes, based upon luks
> encryption, for quite some time now.
>
> Happy to see that ZFS native encryption is now available, I ran into a (for
> me well-known) issue while upgrading.
>
> Having the CT and VM pool entirely located on offline encrypted ZFS (be it
> luks or native) would actually require a systemd 'intermediate' target.
>
> So that the sys admin can log in, make the storage available and then
> 'isolate' the normal operation.
>
> If not, and I experienced that many times, proxmox goes and creates
> directories where the ZFS pool is meant to be mounted and things break when
> the zpool becomes available.
this sounds like you have a directory storage configured (backed by
ZFS?) and have not set the "is_mountpoint" option accordingly.
possibly you'd also want some sort of additional dependency in
pve-storage.target to delay startup of PVE services until the unlocking
+ pool import + dataset mounting has happened (regular, unencrypted ZFS
pools should already be ordered correctly, so if your unlocking happens
before the various zfs services and targets are started/reached, that
should already be covered:
pve-guests -> pveproxy -> pve-storage.target/basic.target
should make sure that all standard mounts etc. are available before
guests started on boot get started).
> Obviously, I can write such a systemd configuration. But would such a
> configuration then be accepted within the Proxmox tree?
>
> Or are there better solutions for this issue?
>
> Kind regards,
>
> Stephan
>
> _______________________________________________
> pve-devel mailing list
> pve-devel at pve.proxmox.com
> https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
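An added example, not code from the thread or from Proxmox, of the two things the reply points at: the check that "is_mountpoint" stands for (refuse to treat a bare directory as the storage while the pool is still locked) and a drop-in that makes pve-storage.target wait for the unlock step. The /tank/pve path, the zfs-unlock-tank.service unit name and the drop-in path are assumptions; the mount tables are constructed.

```shell
#!/bin/sh
# Gate on the dataset actually being mounted instead of a stand-in directory.
# Assumption: the directory storage lives at /tank/pve; the real table to
# feed in would be /proc/self/mounts (fields: src mountpoint fstype opts 0 0).

# zfs_mounted MOUNTS_FILE PATH -> 0 if PATH is a mounted ZFS dataset, 1 if not.
# An empty directory left behind while the pool is locked does NOT match,
# which is the property "is_mountpoint" enforces for a directory storage.
zfs_mounted() {
    awk -v want="$2" '
        $2 == want && $3 == "zfs" { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Constructed mount tables: before and after the pool was unlocked/imported.
MOUNTS_LOCKED="$(mktemp)"
MOUNTS_UNLOCKED="$(mktemp)"
trap 'rm -f "$MOUNTS_LOCKED" "$MOUNTS_UNLOCKED"' EXIT
cat > "$MOUNTS_LOCKED" <<'EOF'
/dev/mapper/pve-root / ext4 rw,relatime 0 0
tmpfs /run tmpfs rw,nosuid 0 0
EOF
cat > "$MOUNTS_UNLOCKED" <<'EOF'
/dev/mapper/pve-root / ext4 rw,relatime 0 0
tank/pve /tank/pve zfs rw,xattr,noacl 0 0
EOF

# The ordering dependency from the reply, as a drop-in for pve-storage.target.
# Printed rather than installed so this script has no side effects; the unit
# name and file path are assumptions, not Proxmox defaults.
drop_in() {
    cat <<'EOF'
# /etc/systemd/system/pve-storage.target.d/encrypted-zfs.conf (assumed path)
[Unit]
Requires=zfs-unlock-tank.service
After=zfs-unlock-tank.service
EOF
}

if zfs_mounted "$MOUNTS_UNLOCKED" /tank/pve; then
    echo "/tank/pve is a mounted ZFS dataset: safe for PVE to use"
fi
if ! zfs_mounted "$MOUNTS_LOCKED" /tank/pve; then
    echo "/tank/pve not mounted: PVE must not create content dirs here yet"
fi
```

For the storage itself, the on-page knob is the "is_mountpoint" option of the directory storage, which makes PVE perform this same check before touching the path.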