-
Notifications
You must be signed in to change notification settings - Fork 1.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
zfs receive -F cannot be used to destroy an encrypted filesystem #6793
Comments
Unfortunately this is a design limitation for now and I don't really know of a way to fix it. Management for it will probably have to be added to znapzend. For developers, the problem comes from the way that the
Technically it is possible to make this work if both of these datasets use the same key. However, I talked with @ahrens about it a bit and we decided that it would be too confusing from a user interface perspective to make a command that works in only a few cases based on hidden properties. I don't really have a good way to fix this so well leave it as an open issue for now, but I think for the time being it might be best if znapzend was able to work around this. |
Thanks for the feedback. I asked for znapzend if there's a way to not enforce the -F option. In my case as it should act only for backup, the sent snapshots shouldn't need a since they're not in use... P.S.: Encryption so far works well. |
So how do I migrate a luks encrypted zpool to a native encrypted zpool if I cant use the
What would be the substitute for the If I run it without the
|
This issue isn't about the -R flag. It's about -F. You should be able to accomplish this by creating an encrypted root dataset and then receiving your -R stream below it. This will cause all datasets to inherit their wrapping keys from the original encrypted root. Afterwards, you can use zfs rename and zfs change-key to restructure the datasets however you wish Soon I will be making a pull request to support doing things like |
You are right. I typed
I'm sorry. How do I do this? Do you mean creating a unencrypted vdev like |
@tristan-k no. You must create an encrypted dataset and then receive the stream below it. The encrypted dataset can be at the pool level or any other level you like. For instance:
The |
@tcaputi @sjau thanks for clearly explaining the design decision which was made here. I've marked this bug as documentation for future reference, and am closing the issue. |
@tcaputi Thanks for your help. I followed your suggestion but I'm still unable to send the snapshot. I will get:
If I do create the dataset it will complain again about:
I'm puzzled. |
I apologize. I don't usually use the Right now the only way to do this is to manually iterate through all of the datasets in your pool and send them without using Sorry for the misunderstanding. I'll try to remember to make a post here when the PR is made. |
Any news on the issue? |
Sorry for the delay. I have been busy trying to finish #6864 but I should be done with that soon. Afterwards I will be working on this. |
@tcaputi just take your time :) |
@tcaputi No reason for apologizing. Just wanted to check in. Take your time. Thanks! |
Also cannot use -e to send with embedded_data |
@prometheanfire Encrypted datasets cannot use the |
It may be nice to note it is all (I imagined something like what you said was the case). Man page didn't say it in the send/recv sections is all (but does in the encryption section). |
I don't know if there is an easier way, but the only solution I could figure out to send all snapshots when migrating an unencrypted to encrypted dataset was:
|
Tom, How's the patch for |
My apologies. I have been very busy with a few other projects. This is next on my list and I am hoping to have a PR out by the end of next week. |
I'm sorry for pestering but has this been fixed in the latest release? |
Encryption is not currently in any release at all. The patch is just about ready. There is one small problem that I haven't been able to solve for a few weeks but at this point I should probably just disable it and get the rest pushed up. Unfortunately I am on vacation now and so it will have to wait until a week from now. |
Btw. is there ETA for encryption in the release channel? Again sorry for bothering. I wish you a relaxing vacation. |
@tcaputi Any luck getting that last part polished up? |
The bug I was working on at the time was reslved a long time ago. This issue, however, is still not resolved (and I unfortunately I don't really see a good a way to make it work). To describe the problem in a little more detail, the issue has to do with key management. When you do Perhaps there are some things we could do about this, but it just hasn't been a huge priority (as far as I know). We could try to change the code so tat datasets that are being received don't have to follow the same rules as other datasets. I'd need to spend more time looking into it. We could also potentially change the receive code so that In the meantime you can workaround this issue simply by doing:
If you want to guarantee that you can keep your datasets if the receive fails you can instead do:
Hope that helps. |
Any plans to fix this issue anytime soon? |
Still hitting this and deleting the ds before receiving did not change the situation. I'll just recreate the receiving pool as unencrypted before sending an encrypted ds, but this does seem like an unnecessary hiccup to hit. This seems super basic... How are people with zfs root backups supposed to restore them without doing some acrobatics? That functionality seems fundamental. |
System information
Describe the problem you're observing
Using an encrypted dataset with several child sets on my notebook and homeserver. I wanted to setup automatic snapshot backup services to my homeset using znapzend.
However it complains about:
cannot receive new filesystem stream: zfs receive -F cannot be used to destroy an encrypted filesystem
Describe how to reproduce the problem
I setup the rules for the first dataset for testing:
and then I run
znapzend --runonce=tank/encZFS/VMs -d --autoCreation
Include any warning/errors/backtraces from the system logs
That's the log output I got:
The text was updated successfully, but these errors were encountered: