So, when I do:

# zfs create -o encryption=on -o checksum=off -o keyformat=passphrase -V 4G 

I get this panic:

> ::status
debugging crash dump ./vmcore.9 (64-bit) from 00-0c-29-5d-4c-f7
operating system: 5.11 joyent_20170807T220431Z (i86pc)
image uuid: (not set)
panic message: assertion failed: spa_do_crypt_abd(B_TRUE, spa, 
zio->io_bookmark.zb_objset, bp, zio->io_txg, psize, zio->io_abd, eabd, iv, mac, 
salt, &no_crypt) == 0 (0x5 == 0x0), file: ../../common/fs/zfs/zio.c, line: 3558
dump content: kernel pages only
> $C
ffffff000f613900 vpanic()
ffffff000f613950 0xfffffffffba7bfad()
ffffff000f613a40 zio_encrypt+0x5cf(ffffff0378abd7d0)
ffffff000f613a70 zio_execute+0x7f(ffffff0378abd7d0)
ffffff000f613b30 taskq_thread+0x2d0(ffffff0377006a20)
ffffff000f613b40 thread_start+8()

Happy to provide the dump for further debugging, or look more into it if you 
want. I'm guessing that this is probably not going to work, and should be 
blocked off as a combination of properties (i.e. refuse to set encryption=on 
with checksum=off). I guess this also means that having a dump zvol be inside 
an encrypted pool is not going to work.

So.. anyone have any ideas about what to do about dump zvols on an encrypted pool? 
I'm trying to think through how we can use this at Joyent, where we only have 
one pool on the system and our dump and swap need to go on it -- since we can't 
make encrypted clones of an unencrypted dataset, and can't have some things 
unencrypted under an encrypted sub-tree, it would make the most sense I think 
to add encryption at the top of the pool (so all our existing code bits that do 
clones of datasets underneath that continue to work). But then we have the 
problem of what to do about the dump zvol. Would it be possible to allow 
unencrypted children of an encrypted dataset at some point in the future? I 
must admit I haven't understood the design well enough yet to tell that for 
myself, sorry.

I've also noticed some odd rendering issues looking at the new man pages. Might 
be a mis-merge on my part, I'll follow up on them later.
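
An added example, not part of the original message: a pre-flight check for the property combination the message suggests blocking (encryption enabled together with checksum=off), plus an audit over existing datasets. It assumes the tab-separated output of `zfs get -H -o name,property,value encryption,checksum`; the dataset names and sample values are constructed, and the defaults used when an option is absent are an assumption (inheritance is not modelled).

```shell
#!/bin/sh
# Added example (not from the original message).

# Return 0 if the -o options of a proposed `zfs create` are safe, 1 if they
# enable encryption while turning checksums off. Assumed defaults when an
# option is not given: encryption=off, checksum=on (inheritance is ignored).
check_create_opts() {
    enc=off; sum=on; prev=
    for arg in "$@"; do
        if [ "$prev" = "-o" ]; then
            case "$arg" in
                encryption=*) enc=${arg#encryption=} ;;
                checksum=*)   sum=${arg#checksum=} ;;
            esac
        fi
        prev=$arg
    done
    [ "$enc" = off ] || [ "$sum" != off ]
}

# Read `zfs get -H -o name,property,value encryption,checksum` output on
# stdin and print each dataset that is encrypted but has checksum=off.
find_crypt_nochecksum() {
    awk -F '\t' '
        $2 == "encryption" { enc[$1] = $3 }
        $2 == "checksum"   { sum[$1] = $3 }
        END {
            for (ds in enc) {
                # Any value other than "off" or "-" means encryption is enabled.
                if (enc[ds] != "off" && enc[ds] != "-" && sum[ds] == "off")
                    print ds
            }
        }
    ' | sort
}

# Constructed sample input; dataset names are hypothetical.
sample_props() {
    printf 'zones\tencryption\toff\n'
    printf 'zones\tchecksum\ton\n'
    printf 'zones/secure\tencryption\ton\n'
    printf 'zones/secure\tchecksum\ton\n'
    printf 'zones/dump\tencryption\taes-256-ccm\n'
    printf 'zones/dump\tchecksum\toff\n'
    printf 'zones/swap\tencryption\toff\n'
    printf 'zones/swap\tchecksum\toff\n'
}

sample_props | find_crypt_nochecksum
```

On a live system the audit would be fed with `zfs get -H -o name,property,value -r encryption,checksum <pool> | find_crypt_nochecksum`.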
