[BUG] Creating a thick jail on a ZFS encrypted dataset fails #839

Open
vegged opened this issue Feb 11, 2025 · 1 comment
Labels
bug Something isn't working


vegged commented Feb 11, 2025

Whenever bastille_zfs_prefix is set to a dataset using zfs native encryption, attempting to create a thick jail fails:

```
# bastille create -T testjail 14.2-RELEASE 10.0.0.1/24 bge0
Valid: (10.0.0.1/24).
Valid: (bge0).

Creating a thickjail. This may take a while...

cannot send zroot/encrypted/bastille/releases/14.2-RELEASE@bastille-2025-02-10-213329: encrypted dataset zroot/encrypted/bastille/releases/14.2-RELEASE may not be sent with properties without the raw flag
warning: cannot send 'zroot/encrypted/bastille/releases/14.2-RELEASE@bastille-2025-02-10-213329': backup failed
cannot receive: failed to read from stream
cannot open 'zroot/encrypted/bastille/jails/testjail/root': dataset does not exist
cannot open 'zroot/encrypted/bastille/jails/testjail/root': dataset does not exist
cannot open 'zroot/encrypted/bastille/jails/testjail/root': dataset does not exist
Deleting Jail: testjail.
cannot unmount '/srv/enc/bastille/jails/testjail': pool or dataset is busy
rm: /srv/enc/bastille/jails/testjail: Device busy

Failed release base replication. Please retry create!
```

Output by Bastille 0.13.20250126 (installed via pkg) on FreeBSD 14.2-RELEASE-p1.

In order to reproduce the bug:

  • create an encrypted dataset with zfs:

    ```
    # zfs create -o encryption="on" \
                 -o keyformat="passphrase" \
                 -o keylocation="prompt" \
                 -o mountpoint="/srv/enc" \
                 zroot/encrypted
    ```

  • create a nested bastille dataset underneath:

    ```
    # zfs create -o atime="off" \
                 -o compression="lz4" \
                 -o mountpoint="/srv/enc/bastille" \
                 zroot/encrypted/bastille
    ```

  • check that the child dataset has inherited the encryption properties of the parent:

    ```
    # zfs list -r -o name,encryption,encryptionroot zroot/encrypted
    NAME                                      ENCRYPTION   ENCROOT
    zroot/encrypted                           aes-256-gcm  zroot/encrypted
    zroot/encrypted/bastille                  aes-256-gcm  zroot/encrypted
    ```

  • update /usr/local/etc/bastille/bastille.conf accordingly:

    ```
    sysrc -f /usr/local/etc/bastille/bastille.conf bastille_prefix="/srv/enc/bastille"
    sysrc -f /usr/local/etc/bastille/bastille.conf bastille_zfs_zpool="zroot"
    sysrc -f /usr/local/etc/bastille/bastille.conf bastille_zfs_prefix="encrypted/bastille"
    ```

  • `bastille bootstrap 14.2-RELEASE update && bastille create -T testjail 14.2-RELEASE 10.0.0.1/24 bge0`

I see that the issue was mentioned in #375 some years back. Thanks a bunch to whoever looks into this!
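
The check the error message above implies, as an added example that is not part of the original report and is not Bastille's code: read the source dataset's `encryption` property and add the raw flag (`-w`) when a property-carrying send is used on an encrypted dataset. The function names are hypothetical, and `-R` is assumed here as the send mode that carries properties.

```shell
#!/bin/sh
# Added example (not Bastille's code): pick `zfs send` flags from the source
# dataset's encryption property before replicating a snapshot with properties.
# Function names are hypothetical; -R is an assumed property-carrying mode.

# Print the send flags for snapshot $1.
# Returns 1 if the encryption property cannot be read.
zfs_send_flags() {
    dataset="${1%@*}"            # strip the "@snapshot" suffix
    enc=$(zfs get -H -o value encryption "$dataset" 2>/dev/null) || return 1
    case "$enc" in
        "")  return 1 ;;         # no value came back: treat as an error
        off) echo "-R" ;;        # unencrypted: plain replication stream
        *)   echo "-R -w" ;;     # encrypted (e.g. aes-256-gcm): raw flag needed
    esac
}

# Print the replication pipeline instead of running it (dry run).
# $1 = source snapshot, $2 = target dataset
replicate_dry_run() {
    flags=$(zfs_send_flags "$1") || {
        echo "cannot read encryption property of ${1%@*}" >&2
        return 1
    }
    echo "zfs send $flags $1 | zfs receive $2"
}
```

A raw stream carries the blocks exactly as they exist on disk, so the data stays encrypted in transit between `zfs send` and `zfs receive`.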

@tschettervictor
Collaborator

#840

Can you test?
