ZFS Errata #3
Type
- Compatibility
Severity
- Moderate
Description
- An encrypted dataset contains an on-disk format incompatibility.
Automated Response
- No automated response will be taken.
Impact
-
Encrypted datasets created before the ZFS packages were updated cannot be
mounted or opened for write. The errata impacts the ability of ZFS to correctly
perform raw sends, so this functionality has been disabled for these datasets.
Suggested Action for System Administrator
-
System administrators with affected pools will need to recreate any encrypted
datasets created before the new version of ZFS was used. This can be
accomplished by using zfs send and zfs receive. Note, however,
that backups can NOT be done with a raw zfs send -w, since this would
preserve the on-disk incompatibility. Alternatively, system administrators can
use conventional tools to back up data to new encrypted datasets. The new
version of ZFS will prevent new data from being written to the impacted datasets,
but they can still be mounted read-only.
# zpool status
pool: test
id: 1165955789558693437
state: ONLINE
status: Errata #3 detected.
action: To correct the issue backup existing encrypted datasets to new
encrypted datasets and destroy the old ones.
see: https://zfsonlinux.org/msg/ZFS-8000-ER
config:
test ONLINE
raidz1-0 ONLINE
vdev0 ONLINE
vdev1 ONLINE
vdev2 ONLINE
vdev3 ONLINE
Import the pool and backup any existing encrypted datasets to new datasets.
To ensure the new datasets are re-encrypted, be sure to receive them below an
encryption root or use zfs receive -o encryption=on, then destroy the
source dataset.
# zfs send test/crypt1@snap1 | zfs receive -o encryption=on -o keyformat=passphrase -o keylocation=file:///path/to/keyfile test/newcrypt1
# zfs send -I test/crypt1@snap1 test/crypt1@snap5 | zfs receive test/newcrypt1
# zfs destroy -R test/crypt1
New datasets can be mounted read-write and used normally. The errata will be
cleared upon reimporting the pool and the alert will only be shown again if
another dataset is found with the errata. To ensure that all datasets are
on the new version reimport the pool, load all keys, mount all encrypted
datasets, and check zpool status.
# zpool export test
# zpool import test
# zfs load-key -a
Enter passphrase for 'test/crypt1':
1 / 1 key(s) successfully loaded
# zfs mount -a
# zpool status -x
all pools are healthy
|