Regarding disk encryption, there are basically two approaches now. One is tcplay(8), which is a TrueCrypt compatible BSD-licensed solution, but fairly experimental.
The more stable/well tested solution is the GPL-licensed cryptsetup(8), which is the same as on Linux. Both use dm_target_crypt underneath and both are fully supported for cryptdisks(8), crypttab(5) and mkinitrd(8). Using the initrd approach you can encrypt your / with any of the above approaches, but /boot needs to be unencrypted. HTH, Alex Hornung On 03/10/11 08:15, Zenny wrote: > Thank you Justin for a comprehensive reply. Appreciate it! > > I shall check with the vkernel stuffs to limit resources for jails > (seems like a sharp learning curve ;-) ) > > Since you stated that 4 drives are overkill, does hammer allow > create a pool like in ZFS of two master drives and two slave drives > with remote machine which works exactly as a failover + load > balancing (as in the case of DRBD in Linux or HAST in the coming > FreeBSD-9). > > Where exactly can find the detailed document for scripting for a > streaming the HAMMER data to the remote machines? > > As I stated earlier, I want: > > /boot in CF or SanDisk > / in HDD and other data > swapcahce in SSD or in HAMMER / > > in order to separate data from the operating system. But I could > not find documents for manual installation mode to meet my > requirements. Let me know if there are any. Thanks! > > On Sun, Oct 2, 2011 at 11:50 PM, Justin Sherrill > <[email protected] <mailto:[email protected]>> wrote: > > I'm not sure about the jails. They I think work the same on > DragonFly, though the resource limits aren't there. You could > potentially use virtual kernels to get a similar effect. See the > vkernel man page for that. > > You should be able to set up the root and other volumes normally. 4 > hard drives may be overkill - you can stream from master to slave > volumes in Hammer, for which 2 drives will work. If you want more > duplication, hardware RAID may be a good idea; people have been trying > out Areca cards with success recently. > > AES256 is supported, or at least I see the tcplay(8) man page has an > example using it. I haven't used disk encryption enough to know it > well. > > You can use Hammer to stream data to other machines, and then in the > event of something going wrong, promote the slave drive in the > surviving unit to master. This would require some scripting or manual > intervention; this isn't covered with an automatic mechanism. > > On Sun, Oct 2, 2011 at 5:50 AM, Zenny <[email protected] > <mailto:[email protected]>> wrote: > > Hi: > > > > I am pretty new to Dragonfly or BSD world. HammerFS seems to be very > > innovative. Thanks to Matt and team for their hard work. > > > > I would like to do something with Hammer+UFS like the following, > > inspired by Paul's work > > (http://www.psconsult.nl/talks/NLLGG-BSDdag-Servers/), but could not > > figure out exactly: > > > > 1) Creation of a server with a jail with minimal downtime as offered > > by nanobsd scripts in FreeBSD. Two failover kernels. Is there such > > scripts for DragonflyBSD? > > > > 2) I want to have the minimal boot (ro UFS) and configurations like > > that of the nanobsd image on a compact flash while the entire root and > > data in an array of HDDs (at least 4) with of course an SSD for > > swapcache. The latter could be Hammer to avoid softraid. > > > > 3) All HDDs should be encrypted with AES256 (I could not find whether > > DragonflyBSD supports that), and accessible either in the /boot of CF > > or somewhere else (could be ssh tunneled from another network). > > > > 4) I could not figure out the features of jail available for > > DragonflyBSD. FreeBSD-9-CURRENT has the resource containers > > (http://wiki.freebsd.org/Hierarchical_Resource_Limits). Are they > > applicable in DragonflyBSD's case. > > > > 5) Is there any way that the two similar servers in two different > > locations can securely mirror for failover as well as load-balancing? > > > > Appreciate your thoughtful inputs! Apology in advance if my post above > > appears to be pretty naive. Thanks in advance to the entire DF > > community and developers! > > > > zenny > > > >
