# OpenZFS
OpenZFS is an open-source storage platform.
* Protection against data corruption. Integrity checking for both data and metadata.
* Continuous integrity verification and automatic “self-healing” repair
* Hardware-accelerated native encryption
* Support for high storage capacities — up to 256 trillion yobibytes.
The kmod packages are "kABI-tracking" and the drivers they provide will work across all Enterprise Linux (EL) kernel releases, meaning there is no need to reinstall them upon each kernel update.
We will use OpenZFS for:
* Configuring RAID6, which ZFS calls RAIDZ2.
* Enabling encryption.
Related Links:
* [ZFS Encryption](https://docs.oracle.com/cd/E26502_01/html/E29007/gkkih.html#:~:text=ZFS%20encryption%20is%20integrated%20with,of%20encrypting%20specific%20file%20systems.)
* [Checking ZFS File System Integrity](https://docs.oracle.com/cd/E18752_01/html/819-5461/gbbwa.html)
* [ZFS CheatSheet](https://www.thegeekdiary.com/solaris-zfs-command-line-reference-cheat-sheet/)
# Downloading and Setting up OpenZFS
Download the RPM and enable kmod:
```
sudo dnf install https://zfsonlinux.org/epel/zfs-release-2-2$(rpm --eval "%{dist}").noarch.rpm
sudo dnf config-manager --disable zfs
sudo dnf config-manager --enable zfs-kmod
```
Install ZFS:
```
sudo dnf install zfs
```
Now that ZFS is installed, we can generate an encryption key, which will be used to encrypt the disks during ZFS pool creation.
### Generate Encryption Key
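The following command writes a 256-bit key (64 hex characters) to the specified file. The pool creation commands below expect the key at `/etc/zfs/.zfs.hex`:
```
# umask 077 makes a newly created key file readable by root only; '>' overwrites instead of appending, and the key is not echoed to the terminal
sudo sh -c 'umask 077; openssl rand -hex 32 > path-to-file'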
```
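A key file check worth running before the pool is created, given here as an added example that is not part of the original page. `check_zfs_hex_key` is a hypothetical helper name, not an OpenZFS command; it verifies that the file is a regular file, is not readable by group or others, and holds exactly one 64-character hex key.

```shell
#!/bin/sh
# Added example: sanity-check a ZFS hex key file before using it as keylocation.
# check_zfs_hex_key is a hypothetical helper, not part of OpenZFS.

check_zfs_hex_key() {
    keyfile=$1

    # Must be a regular file, not a symlink that could be repointed.
    if [ -L "$keyfile" ] || [ ! -f "$keyfile" ]; then
        echo "FAIL: $keyfile is not a regular file" >&2
        return 1
    fi

    # No group/other permission bits (GNU stat first, BSD stat as fallback).
    mode=$(stat -c '%a' "$keyfile" 2>/dev/null || stat -f '%Lp' "$keyfile") || return 1
    case $mode in
        [0-7]00) ;;
        *) echo "FAIL: mode $mode exposes the key; use chmod 600" >&2
           return 2 ;;
    esac

    # keyformat=hex expects exactly 64 hex characters (32 bytes).
    # Newlines are stripped first, so a file that was appended to twice
    # (for example with 'tee -a') shows up here as 128 characters.
    key=$(tr -d '\n' < "$keyfile")
    if [ "${#key}" -ne 64 ]; then
        echo "FAIL: expected 64 hex characters, found ${#key}" >&2
        return 3
    fi
    case $key in
        *[!0-9A-Fa-f]*)
            echo "FAIL: key contains non-hex characters" >&2
            return 4 ;;
    esac

    echo "OK: $keyfile"
    return 0
}

# Stand-alone use: sudo sh this-script /etc/zfs/.zfs.hex
if [ "$#" -gt 0 ]; then
    check_zfs_hex_key "$1"
fi
```

Run it as root, since a correctly protected key file is not readable by other users.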
### RAIDZ2
In ZFS, RAID6 is referred to as RAIDZ2. It provides double-parity RAID, which means it can recover from the failure of 2 disks at a time without loss of any data.
#### 1- Using disk name tags:
To create a pool named datapool with RAIDZ2 and 8 disks:
```
sudo zpool create \
-o ashift=12 \
-o feature@encryption=enabled \
-O encryption=on \
-O keylocation=file:///etc/zfs/.zfs.hex \
-O keyformat=hex \
datapool raidz2 sda sdb sdc sdd sde sdf sdg sdh
```
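If the ZFS kernel module is not loaded yet, load it, then check the pool's health (`zpool status -x` reports only pools that have problems):
```
sudo /sbin/modprobe zfs
sudo zpool status -x
```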
#### 2- Using disk serial numbers:
For this, we first need to find the serial numbers of the disks:
```
ls -la /dev/disk/by-id/
```
Now, create the pool using serial numbers instead of using names of the disks:
```
sudo zpool create \
-o ashift=12 \
-o feature@encryption=enabled \
-O encryption=on \
-O keylocation=file:///etc/zfs/.zfs.hex \
-O keyformat=hex \
datapool raidz2 \
ata-Samsung_SSD_860_EVO_1TB_S3Z9NY0M837129Z \
ata-Samsung_SSD_860_EVO_1TB_S4CSNX0N830946X \
ata-Samsung_SSD_860_EVO_1TB_S4X6NF0N902269A \
ata-Samsung_SSD_860_EVO_1TB_S4CSNX0N830938J \
ata-Samsung_SSD_860_EVO_1TB_S4CSNX0N832251A \
ata-Samsung_SSD_860_EVO_1TB_S4CSNX0N830937N \
ata-Samsung_SSD_870_EVO_1TB_S6PUNM0T421355J \
ata-Samsung_SSD_870_EVO_1TB_S6PUNM0T421352W
```
Create a filesystem on the pool:
```
sudo zfs create datapool/fs # create a filesystem on the pool
```
To verify that encryption is enabled on the pool:
```
sudo zfs get encryption datapool
```
To add a spare disk to the pool:
```
sudo zpool add datapool spare sde
```
To destroy a pool:
```
# Unmount, then destroy the pool
sudo umount -f /datapool
sudo zpool destroy datapool
```
To replace a disk:
```
# Take the old disk offline, then replace it (zpool replace needs the pool name first)
sudo zpool offline datapool sda
sudo zpool replace datapool sda sde
```
Enable autoreplace, so that if any disk fails it will be replaced by any spare disk in the pool:
```
sudo zpool get autoreplace datapool
sudo zpool set autoreplace=on datapool
```
Automatically expand the pool when a new disk is added:
```
sudo zpool set autoexpand=on datapool
zpool get autoexpand datapool
```
To check keystatus:
```
sudo zfs get keystatus datapool
```
### Unload Encryption Key:
First we need to unmount the pool from its mountpoint, and then unload the encryption key:
```
sudo zfs unmount datapool/fs
sudo zfs unmount datapool
sudo zfs unload-key -r datapool
# keystatus now returns `unavailable`
sudo zfs get keystatus datapool
# Metadata is still available without the key
zfs list -r datapool
# Load the key again
sudo zfs load-key -r datapool
```
### OpenZFS Decrypt on boot:
```
sudo tee /etc/systemd/system/zfs-load-key.service <<EOF
[Unit]
Description=Load encryption keys
DefaultDependencies=no
After=zfs-import.target
Before=zfs-mount.service
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/sbin/zfs load-key -a
StandardInput=tty-force
[Install]
WantedBy=zfs-mount.service
EOF
sudo systemctl daemon-reload
sudo systemctl enable zfs-load-key
```