On 12.12.2012 12:49, Felix Frank wrote:
> Hi,
>
> On 12/12/2012 12:30 PM, Andreas Heinlein wrote:
>> Hello,
>>
>> I am currently planning a migration of a one-machine setup to a
>> two-machine-cluster. Part of it will be migrating existing data to DRBD,
>> and I hope you can help me with this.
>>
>> The current storage layout looks like this:
>>
>> ext4 -> LVM -> LUKS/dm_crypt -> mdadm raid -> sda2/sdb2
>>
>> That is, we have a software raid (level 5), which is encrypted using
>> LUKS. The encrypted device is PV for the LVM, which has one VG and
>> multiple ext4 formatted LVs.
> Sorry, I know this isn't the issue at hand but - RAID5? With two disks?
> It's sort of begging the question ;-)
Whoops... forgot sdc2, of course :-)

>> I'd like to add DRBD like this:
>>
>> ext4 -> LVM -> LUKS/dm_crypt -> DRBD -> mdadm raid -> sda2/sdb2
>>
>> My primary goal is to let only one machine do the encryption (which will
>> be a new machine with AESNI) and then have DRBD distribute that
>> encrypted data to two machines.
> That sounds quite reasonable to me.
>
>> Is this possible, and how would I go about migrating the existing setup
>> without losing any data? As I understand it, you would have to create a
>> DRBD device with /dev/md0 as lower-level device on each machine. Then
>> you would have to change the LUKS setup to open /dev/drbd0 as encrypted
>> device; from then on the LVM layer should see no difference, since it is
>> still using /dev/mapper/<crypted_volume> as PV, right?
>>
>> What about metadata in this setup? Where would/could DRBD store it in
>> this case? Do some of DRBD's features like checksum-based replication
>> make sense in such a setup?
> Metadata is a good keyword here. You may just want to take the easy path
> and find an external meta disk (e.g. another partition on sda or sdb or
> both or whatever :-)
> That way you're free of the hassle of arranging internal metadata in a
> way that won't compromise your encrypted volume.
I think it would be possible to create a new mdraid with sda3/sdab3/sdc3 to hold the metadata on both ends.

> I'm not familiar with checksum-based replication. Is that a thing? Are
> you not confusing it with checksum based syncing?
> If it *is* a thing, I sort of doubt you'd be gaining much, because I
> imagine that encrypted block storage is prone to relatively large
> changes on disk. But I may be completely off track there.
Yes, I confused something here. Forget about this one...

> Seeing as performance is obviously not an issue at all in your setup, I
> disbelieve that you will have to be especially careful about your DRBD
> setup.
Well, depends on what you call 'performance'. How'd you get this idea? I'd like to be at least able to saturate a 1GBit/s link with this setup, which software-encryption on the current machine definitely does not.

Thanks for your help!
Andreas
_______________________________________________
drbd-user mailing list
[email protected]
http://lists.linbit.com/mailman/listinfo/drbd-user
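
A DRBD resource definition matching the layout discussed in this thread (DRBD on top of /dev/md0, metadata on a separate device), as an added example that is not part of the original messages. The resource name, the host names, the addresses and the name /dev/md1 for the metadata array are assumptions.

```conf
# Constructed example: DRBD placed between the md RAID and LUKS.
# Stack on the active node: ext4 -> LVM -> LUKS -> /dev/drbd0 -> /dev/md0
resource r0 {                      # resource name is an assumption
  protocol C;                      # synchronous replication

  on alpha {                       # must match `uname -n`; assumed host name
    device    /dev/drbd0;          # what cryptsetup opens from now on
    disk      /dev/md0;            # existing RAID that already holds the LUKS header
    # External metadata: DRBD writes nothing into /dev/md0 itself, so the
    # LUKS header stays at the start of the device and /dev/drbd0 exposes
    # exactly the same bytes and size as /dev/md0.
    meta-disk /dev/md1[0];         # assumed name for the small second array
    address   192.0.2.1:7789;      # documentation address, assumption
  }

  on bravo {                       # assumed host name of the second machine
    device    /dev/drbd0;
    disk      /dev/md0;            # must be at least as large as alpha's /dev/md0
    meta-disk /dev/md1[0];
    address   192.0.2.2:7789;      # documentation address, assumption
  }
}
# Only the node that is DRBD primary opens LUKS on /dev/drbd0 and activates
# the VG; the peer stores ciphertext only and never needs the passphrase.
# The node holding the existing data has to be the source of the initial sync.
```

With the indexed `meta-disk` form, each index needs a fixed 128 MiB slot on the metadata device.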
