`zpool create' fails on geli ...
Xin Li
delphij at delphij.net
Tue Aug 21 17:45:15 UTC 2012
Hi,
On 08/21/12 09:07, Zeus Panchenko wrote:
> hi all,
>
> SYNOPSIS: `zpool create poolname device.eli' available on .eli
> device only after dd some random data to .eli first
>
> I am trying to get ZFS on GELI disk ...
>
> Here is the issue:
>
> #> geli init -K /path/key -s 4096 -a hmac/sha256 -e aes-xts /dev/ada2
> Enter new passphrase:
> Reenter new passphrase:
[...]
> #> geli attach -k /path/key /dev/ada2
Normally you will want to fill the device with random data before
using it. Note that you have specified -a, which makes geli do
checksum authentication; that's not needed because ZFS has built-in
end-to-end checksums already.
> now I have .eli device
>
> #> ls -al /dev/*eli
> lrwxr-xr-x 1 root wheel 8 Aug 16 15:43 /dev/ad14.eli -> ada2.eli
> crw-r----- 1 root operator 0, 99 Aug 16 15:43 /dev/ada2.eli
>
> now I am trying to create zfs on it:
>
>> zpool create geliz /dev/ada2.eli
> cannot create 'geliz': one or more devices is currently
> unavailable
>
> `zpool create -f ...' gave the same result and in messages I have
> plenty rows like these:
This is expected behavior.
> cat /var/log/messages
> ...
> GEOM_ELI: ada2.eli: 131072 bytes corrupted at offset 444539600896.
> GEOM_ELI: ada2.eli: 131072 bytes corrupted at offset 444539863040.
[...]
> ...
>
> but after
> #> dd if=/dev/random of=/dev/ada2.eli bs=10m count=10
> 10+0 records in
> 10+0 records out
> 104857600 bytes transferred in 7.124000 secs (14718922 bytes/sec)
>
> I was able to do it!
>
> #> zpool create geliz /dev/ada2.eli
>
> pool was successfully created
>
> but pool status looks weird for me:
>
> #> zpool status geliz
>   pool: geliz
>  state: ONLINE
> status: One or more devices has experienced an unrecoverable error. An
>         attempt was made to correct the error. Applications are unaffected.
> action: Determine if the device needs to be replaced, and clear the errors
>         using 'zpool clear' or replace the device with 'zpool replace'.
>    see: http://www.sun.com/msg/ZFS-8000-9P
>   scan: none requested
> config:
>
>         NAME        STATE     READ WRITE CKSUM
>         geliz       ONLINE       0     0     0
>           ada2.eli  ONLINE      10     0     0
>
> errors: No known data errors
>
> after `zscub' and `zpool clear' I have clean pool:
Did you see any GELI checksum errors when having this?
> #> zpool status geliz
>   pool: geliz
>  state: ONLINE
>   scan: scrub repaired 0 in 0h0m with 0 errors on Thu Aug 16 16:36:44 2012
> config:
>
>         NAME        STATE     READ WRITE CKSUM
>         geliz       ONLINE       0     0     0
>           ada2.eli  ONLINE       0     0     0
>
> errors: No known data errors
>
>
> QUESTION:
>
> 1. Am I correct to think I really have correct ZFS over GELI set?
>
> 2. Why it was needed to dd? What am I missing here, please?
My suggestions:
1. Don't use -a, it's a waste of CPU cycles (and disk space) to do
checksums twice -- this won't give more redundancy or more chances to
recover data in case of a hardware failure.
2. Do use dd to initialize the GELI device before use. There are
several benefits of doing this -- the most important two are that it
wipes existing, possibly sensitive data, and makes it harder for
attackers to tell where the important data is.
Cheers,
--
Xin LI <delphij at delphij.net> https://www.delphij.net/
FreeBSD - The Power to Serve! Live free or die