On 2010-03-04 16:55, Lars Ellenberg wrote:
> On Mon, Mar 01, 2010 at 01:16:52PM +0100, Christian Iversen wrote:
>> On 2010-02-27 18:57, Dawid Marcin Grzesiak wrote:
>>> Hi,
>>> I just wonder if I can use DRBD to asynchronously mirror two block
>>> devices locally.
>>> For example I want to have a primary (dedicated, so quite secure) server
>>> and on the other hand a secondary (VPS, so quite insecure).
>>> I want to mirror block devices, but I want to keep it encrypted on the VPS,
>>> but not on the dedicated server.
>>> Sure I can set an encrypted partition up on the VPS and share it via DRBD, but
>>> then the encryption key will need to be entered and will be stored in
>>> the RAM on the VPS.
>>> Better is to map the plain block device from the secondary server on the primary
>>> server, set up the encrypted partition there (thus the encryption key never
>>> leaves the primary server) and then set up data mirroring locally.
>>> I imagine that it is possible with NBD and RAID, but:
>>> 1. I'm worrying if the NBD network protocol is stable enough.
>>> 2. This will be synchronous mirroring.
>>> 3. What about resync? Does it have an intelligent algorithm to make it fast
>>> and save bandwidth?
>>> Is it possible with DRBD?
>> In a sense, yes.
>> You can set up the VPS to export your block device with iSCSI.
>> Then use an iSCSI client on your server to import your block device
>> into your local (primary) server's namespace. There, you use
>> cryptsetup with LUKS to give access to the decrypted block device.
>> Then just use DRBD between "/dev/localdisk" and
>> "/dev/decrypted-remote-disk".
>> This should work fine, albeit probably slowly.
>> If you don't know iSCSI, it's kind of like NBD but 100 times better :)
> Others would put this the other way around.
> Probably a matter of preference, requirements and environment.
Well, maybe. I've tried both, and for our uses, iSCSI fit much better.
> Also, DRBD is for replication between two nodes,
> not for replication between two block devices on the same node.
Agreed :)
> So if that is what you are up to, you rather want to
> look at software raid more closely again.
> man mdadm, specifically: bitmap, write-mostly, write-behind ...
Well, true. And I agree it's an odd use case.
There could be some advantages to using local/local DRBD though. Namely,
it would be very easy to switch to the classic local/remote DRBD, or
even a crazy remote/remote over double iSCSI. Who knows? I thought it
sounded like a fun idea to try.
> Yes, we are not only about DRBD.
> We know some other stuff as well ;-)
> Just use the right tool for the job.
Indeed, always useful advice :)
P.S: Have you thought about setting a Reply-To header? I'm almost
responding to the author every time.
--
Kind regards
Christian Iversen
_______________________________________________
drbd-user mailing list
[email protected]
http://lists.linbit.com/mailman/listinfo/drbd-user
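The layering discussed in the thread (iSCSI import of the VPS disk, LUKS opened on the primary so the key never reaches the VPS, then a local mirror), written out as a shell script. This is an added example and not code from any participant in the thread or from the DRBD project; it uses the mdadm options Lars names (bitmap, write-mostly, write-behind) rather than DRBD, and the VPS address, target IQN, device paths and device-mapper name are placeholders I chose, not values from the thread.

```shell
#!/bin/sh
# Added example, not part of the thread. It builds the layering Christian
# describes (iSCSI import -> LUKS on the primary -> local mirror), using the
# mdadm features Lars points at instead of DRBD. The VPS address, target IQN
# and device paths below are placeholders, not values from the thread.
VPS_HOST="${VPS_HOST:-192.0.2.10}"                       # placeholder (TEST-NET address)
TARGET_IQN="${TARGET_IQN:-iqn.2010-03.example:vpsdisk}"  # placeholder IQN
LOCAL_DISK="${LOCAL_DISK:-/dev/sdb1}"                    # plain local member (placeholder)
REMOTE_DISK="${REMOTE_DISK:-/dev/sdc}"                   # how the iSCSI LUN shows up locally (placeholder)
CRYPT_NAME="${CRYPT_NAME:-remote_crypt}"                 # device-mapper name of the decrypted view
MD_DEV="${MD_DEV:-/dev/md0}"

# run: execute a command, or only print it when DRY_RUN=1, so the whole
# sequence can be reviewed before any real device is touched.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Step 1: import the VPS block device over iSCSI. Only ciphertext ever
# crosses the wire or rests on the VPS.
import_remote() {
    run iscsiadm -m discovery -t sendtargets -p "$VPS_HOST"
    run iscsiadm -m node -T "$TARGET_IQN" -p "$VPS_HOST" --login
}

# Step 2: LUKS goes on the imported device here, on the primary, so the
# passphrase is entered and held only on the primary. luksFormat destroys
# existing data and therefore runs only when FORMAT=1 is set explicitly.
open_remote_crypt() {
    if [ "${FORMAT:-0}" = 1 ]; then
        run cryptsetup luksFormat "$REMOTE_DISK"
    fi
    run cryptsetup luksOpen "$REMOTE_DISK" "$CRYPT_NAME"
}

# Step 3: RAID1 between the plain local disk and the decrypted view of the
# remote disk. --bitmap=internal makes resync after a link outage touch only
# dirty regions (Dawid's question 3); --write-mostly keeps reads on the local
# member; --write-behind lets writes to the slow iSCSI member lag behind
# (question 2). mdadm requires a bitmap and a write-mostly member for
# --write-behind, which is why all three appear together.
build_mirror() {
    run mdadm --create "$MD_DEV" --level=1 --raid-devices=2 \
        --bitmap=internal --write-behind=256 \
        "$LOCAL_DISK" --write-mostly "/dev/mapper/$CRYPT_NAME"
}

# plan: print the whole sequence in order without executing anything.
plan() {
    ( DRY_RUN=1
      import_remote
      open_remote_crypt
      build_mirror )
}

# Usage (as root, on the primary):  ./mirror.sh plan
# or, for a first-time setup that formats the remote disk:  FORMAT=1 ./mirror.sh apply
case "${1:-}" in
    plan)  plan ;;
    apply) import_remote; open_remote_crypt; build_mirror ;;
esac
```

The order of the steps is the security property: cryptsetup runs on the primary against the imported device, and only the decrypted mapping is handed to mdadm, so the VPS holds nothing but a LUKS header and ciphertext and never sees the passphrase. Run `plan` first to check the device names; if LOCAL_DISK or REMOTE_DISK is wrong, `apply` with FORMAT=1 would overwrite the wrong disk.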