ZFS 0.8 new features in proxmox

[harvie]

ZFS 0.8 has two interesting features that can be beneficial to proxmox.

1.) Quotas to limit number of inodes ("zfs dnode accounting") per dataset (i think it's already in ZFS 0.7 tree, but not sure)
operations on large quantity of small files can cause one container to affect another container on same pool. i guess it would be sensible to provide some generous dnode quota by default. if user has some special case that needs extreme number of small files (which should not be common practice) it should be possible to increase this quota for individual CT.

2.) Encryption per dataset
I think it would be cool if we could have encrypted linux containers that would refuse to start until somebody logs in and enters encryption passphrase that will popup when starting CT through web UI or SSH. That way each CT user could enter passphrase for his own CTs without assistance of proxmox host admin.

This would be much more user friendly than typical setup with passphrase entry dialog in initramfs.
This is not in ZFS 0.7, so we have to wait until 0.8 will be stable enough for PVE production, but i think it's opportunity right here. It should be quite easy to implement. Just provide simple UI to enter passphrase and check if dataset was "decrypted" before starting the CT. I guess this can be easily released at the same day the ZFS 0.8 makes it to PVE.

 

[harvie]

dnode accounting seems to work on proxmox with zfs 0.7:

# zfs userspace tank
TYPE NAME USED QUOTA OBJUSED OBJQUOTA
POSIX User root 2K none - -

at least i believe the unset "objquota" is the thing we are looking for.

 

[fabian]

both space and object count quotas are available in 0.7 (just enable them on the dataset). encryption is still a far way off (as is 0.8 - 0.7. was release not that long ago ).

 

[harvie]

i know it's in zfs, but proxmox can only set space quotas, not object count. i want proxmox to set it for me.

 

[fabian]

i know it's in zfs, but proxmox can only set space quotas, not object count. i want proxmox to set it for me.

sorry, but IMHO this is too storage specific to be exposed via the guest configuration.

 

[puertorico]

@fabian , Do you have any estimation on when native zfs encryption does land in proxmox ?
what exact version of zfs is this in ?

 

[fabian]

there is no upstream ZFS release which contains the encrpytion patches yet, so it will still take quite a while I am afraid.

 

[fireon]

there is no upstream ZFS release which contains the encrpytion patches yet, so it will still take quite a while I am afraid.

Status? Need this for new DSGVO

 

[fabian]

Status? Need this for new DSGVO

no change on the ZFS side so far. you can always encrypt whole pools on the lower layer by using LUKS-encrypted vdevs, or data inside sensitive guests (again, using LUKS/..., or application-specific encryption).

 

[mac.linux.free]

Status? Need this for new DSGVO

another one who´s getting into panic? ... and did not understand gdpr fully?

 

[fireon]

another one who´s getting into panic? ... and did not understand gdpr fully?

No panic, but customer request.

 

[fireon]

by using LUKS-encrypted vdevs, or data inside sensitive guests (again, using LUKS/...

Yes I know that.

 

[mac.linux.free]

No panic, but customer request.

I see. I´m always using LUKS inside the VM.

 

[iBot]

Hi there !

@fabian are there any release dates for zfs 0.8 integration ? Or is there any development/nightly version with zfs encryption features enabled ?

regards

 

[tom]

no, zfs 0.8 is not even released (https://zfsonlinux.org/)

 

[iBot]

thanks tom, I know that.
Well, we are using zfs 0.7.9 compiled from the source with encryption enabled and have some issues to replicate/move virtual machines to another node.
I just was thinking if there is some dev release with basic zfs encryption support, or an adapted toolset for encrypted zfs filesystems.

 

[fireon]

zfs encryption

Yes, that would be fine

 

[fabian]

thanks tom, I know that.
Well, we are using zfs 0.7.9 compiled from the source with encryption enabled and have some issues to replicate/move virtual machines to another node.
I just was thinking if there is some dev release with basic zfs encryption support, or an adapted toolset for encrypted zfs filesystems.

no there is not (and there will not be until 0.8 is released upstream).

there also is no "compile 0.7.9 with encryption enabled", the changes related to encryption are massive and not backportable like that (are you sure you are not just running master? the version in master is 0.7.0 + some git-derived string ..).

 

[mdbraber]

There's currently a Release Candidate for ZFS including the Encryption-at-Rest features: 0.8.0-rc1 (as a new user I can't post links yet). Would it be possible to (manually) use ZFS 0.8.0-RC1 with Proxmox?

 

[iBot]

Well you can compile it from the git source an install it on your proxmox machine. I have done that on our pve cluster.
But you will have some issues due to pve does not support it, yet. Most of the issues are setup via gui, viewing zfs status , setup replication, or migration.And you will have to deal with key generation, handling by yourself.

Best thing to do is waiting for an official pve release with zfs encryption enabled.