Hi,
I came across the problem that migration and replication do not work if the disk(s) are on an encrypted ZFS storage - which is not well documented, by the way.
The problem arose because the ZFS export function in pve-storage uses the -R option of zfs send, and this option does not work with encrypted datasets unless you use -w as well. Since this is not an option, because we cannot transfer the data encrypted since the target pool has a different encryption key etc., the question is: why use -R in the first place?
Some discussion about the features of -R:
- Dataset properties are implicitly included if using -R. But which dataset property of a ZVOL needs to be synced? Assuming my cluster members are identically configured, I see no need to copy properties.
- All descendant file systems are copied if using -R. Can a ZVOL of a vm-disk have descendant file systems in Proxmox? I don't think so.
- Clones are also preserved if sending a dataset/snapshot with -R. Maybe this could be a pitfall.
After all this discussion I just tried it by patching /usr/share/perl5/PVE/Storage/ZFSPoolPlugin.pm
746,752c746
< my $cmd = ['zfs', 'send'];
< my $encrypted = $class->zfs_get_properties($scfg, 'encryption', "$scfg->{pool}/$dataset");
< if ($encrypted !~ m/^off$/) {
< push @$cmd, '-v';
< } else {
< push @$cmd, '-Rpv';
< }
---
> my $cmd = ['zfs', 'send', '-Rpv'];
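Review bot: The test $encrypted !~ m/^off$/ in the "<" lines sends every value other than exactly "off" down the branch that pushes only '-v', so an empty or failed result from zfs_get_properties would also drop -R and -p without any message; consider checking that the lookup returned a value first, and add a comment stating why -R and -p are omitted for encrypted datasets. The diff is also taken in reverse (the "<" lines hold the patched code and the ">" line the original ['zfs', 'send', '-Rpv']) and names no file, so regenerating it as a unified diff from original to patched would make it easier to apply and review.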
This patch checks if the dataset is encrypted and, if so, omits the -R and -p options during zfs send. This leads to an unencrypted stream of data, which is totally fine since our target pool will be encrypted as well.
I just tried this patch with hot and cold migration, replication, with snapshots etc., and everything works like a charm.
Question is: Am I missing something, or is it possible to consider this patch for inclusion?
I also opened an issue on GitHub (https://github.com/proxmox/pve-storage/issues/10), but since this forum has a greater audience I am reposting it here.
regards
stefan