Allow receiver to override encryption properties in case of replication
Currently, the receiver fails to override the encryption property for the plain replicated dataset with the error: "cannot receive incremental stream: encryption property 'encryption' cannot be set for incremental streams.". The problem is resolved by allowing the receiver to override the encryption property for plain replicated send. Reviewed-by: Ryan Moeller <ryan@iXsystems.com> Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov> Signed-off-by: Ameer Hamza <ahamza@ixsystems.com> Closes #14253 Closes #13533
parent
3236c0b891
commit
9be34ec99e
@ -4150,6 +4150,15 @@ zfs_setup_cmdline_props(libzfs_handle_t *hdl, zfs_type_t type,
|
|||||||
goto error;
|
goto error;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* For plain replicated send, we can ignore encryption
|
||||||
|
* properties other than first stream
|
||||||
|
*/
|
||||||
|
if ((zfs_prop_encryption_key_param(prop) || prop ==
|
||||||
|
ZFS_PROP_ENCRYPTION) && !newfs && recursive && !raw) {
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
|
||||||
/* incremental streams can only exclude encryption properties */
|
/* incremental streams can only exclude encryption properties */
|
||||||
if ((zfs_prop_encryption_key_param(prop) ||
|
if ((zfs_prop_encryption_key_param(prop) ||
|
||||||
prop == ZFS_PROP_ENCRYPTION) && !newfs &&
|
prop == ZFS_PROP_ENCRYPTION) && !newfs &&
|
||||||
@ -4251,7 +4260,8 @@ zfs_setup_cmdline_props(libzfs_handle_t *hdl, zfs_type_t type,
|
|||||||
if (cp != NULL)
|
if (cp != NULL)
|
||||||
*cp = '\0';
|
*cp = '\0';
|
||||||
|
|
||||||
if (!raw && zfs_crypto_create(hdl, namebuf, voprops, NULL,
|
if (!raw && !(!newfs && recursive) &&
|
||||||
|
zfs_crypto_create(hdl, namebuf, voprops, NULL,
|
||||||
B_FALSE, wkeydata_out, wkeylen_out) != 0) {
|
B_FALSE, wkeydata_out, wkeylen_out) != 0) {
|
||||||
fnvlist_free(voprops);
|
fnvlist_free(voprops);
|
||||||
ret = zfs_error(hdl, EZFS_CRYPTOFAILED, errbuf);
|
ret = zfs_error(hdl, EZFS_CRYPTOFAILED, errbuf);
|
||||||
|
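Review bot: The new guard placed before the incremental-stream check skips `encryption` and the key parameters with a bare `continue` whenever `!newfs && recursive && !raw`, so an `-o encryption=on` override aimed at a dataset that already exists on the receiver is now silently ignored. Before this commit that case failed with the "cannot be set for incremental streams" error quoted in the description. If skipping is the intent, the comment should say so, e.g. `/* Replication receive into an existing dataset: encryption overrides only apply when the dataset is created, so skip them here instead of rejecting them. */`, and the `zfs receive` documentation should mention it. The second hunk repeats the predicate as `!(!newfs && recursive)`; a single local such as `boolean_t skip_crypto = !newfs && recursive && !raw;` would keep the two sites from drifting apart. Both hunks sit inside `zfs_setup_cmdline_props`, whose body starts and ends outside the visible lines, so how `recursive` is derived cannot be confirmed from here.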
@ -41,6 +41,9 @@ verify_runnable "both"
|
|||||||
|
|
||||||
function cleanup
|
function cleanup
|
||||||
{
|
{
|
||||||
|
datasetexists $TESTPOOL/encrypted && \
|
||||||
|
destroy_dataset $TESTPOOL/encrypted -r
|
||||||
|
|
||||||
snapexists $snap && destroy_dataset $snap -f
|
snapexists $snap && destroy_dataset $snap -f
|
||||||
snapexists $snap2 && destroy_dataset $snap2 -f
|
snapexists $snap2 && destroy_dataset $snap2 -f
|
||||||
|
|
||||||
@ -97,4 +100,15 @@ log_note "Verifying ZFS will not receive to an encrypted child when the" \
|
|||||||
"parent key is unloaded"
|
"parent key is unloaded"
|
||||||
log_mustnot eval "zfs send $snap | zfs receive $TESTPOOL/$TESTFS1/c4"
|
log_mustnot eval "zfs send $snap | zfs receive $TESTPOOL/$TESTFS1/c4"
|
||||||
|
|
||||||
|
# Verify that replication can override encryption properties
|
||||||
|
log_note "Verifying replication can override encryption properties for plain dataset"
|
||||||
|
typeset key_location="/$TESTPOOL/pkey1"
|
||||||
|
log_must eval "echo $passphrase > $key_location"
|
||||||
|
log_must eval "zfs send -R $snap2 | zfs recv -s -F -o encryption=on" \
|
||||||
|
"-o keyformat=passphrase -o keylocation=file://$key_location" \
|
||||||
|
"-o mountpoint=none $TESTPOOL/encrypted"
|
||||||
|
log_must test "$(get_prop 'encryption' $TESTPOOL/encrypted)" != "off"
|
||||||
|
log_must test "$(get_prop 'keyformat' $TESTPOOL/encrypted)" == "passphrase"
|
||||||
|
log_must test "$(get_prop 'keylocation' $TESTPOOL/encrypted)" == "file://$key_location"
|
||||||
|
|
||||||
log_pass "ZFS can receive encrypted filesystems into child dataset"
|
log_pass "ZFS can receive encrypted filesystems into child dataset"
|
||||||
|
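Review bot: The added test writes the passphrase to `/$TESTPOOL/pkey1`, but the lines added to `cleanup` only destroy `$TESTPOOL/encrypted`, so the key file is left on the pool when the test fails or is rerun. Adding `rm -f /$TESTPOOL/pkey1` to `cleanup` would cover it; the path has to be spelled out there (or `key_location` defined earlier) because it is `typeset` only after `cleanup` is declared. The assertions also read `encryption`, `keyformat` and `keylocation` from the top-level `$TESTPOOL/encrypted` only, so nothing confirms that the later snapshot in the `-R` stream was received with the override in effect. The body of `cleanup` continues outside the hunk.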