zfskeys: Support autoloading of keys stored on ZFS

The zfskeys service script starts before the zfs service script, so that
dataset decryption keys are available when `zfs mount -a` is run. One of
the potential edge cases of this design is that if a key is stored on
ZFS it won't be loaded until `zfs mount -a` is issued.

In order to address that let's try to load the additional keys and mount
related ZFS datasets after the zfs script finishes its standard mounting
procedure.

PR:		262468
Reported by:	Graham Perrin <grahamperrin@gmail.com>
Reviewed by:	allanjude
Approved by:	allanjude (src)
Fixes:	33ff39796f Add zfskeys rc.d script for auto-loading encryption keys
MFC after:	3 days
Sponsored by:	Modirum
Sponsored by:	Klara Inc.
Differential Revision: https://reviews.freebsd.org/D34601
Mateusz Piotrowski 2022-03-18 13:35:16 +01:00
parent 5c6935a645
commit 97aeda2243

@ -13,6 +13,7 @@ name="zfs"
desc="Mount and share ZFS datasets"
rcvar="zfs_enable"
start_cmd="zfs_start"
start_postcmd="zfs_poststart"
stop_cmd="zfs_stop"
required_modules="zfs"
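Review bot: start_postcmd="zfs_poststart" only fires when the start_cmd above it returns success, because rc.subr stops before the postcmd if the start command fails. Please confirm that the first zfs_start pass still exits 0 when it leaves datasets unmounted for lack of a key; otherwise the second pass this line sets up never runs in exactly the case it is meant for. A one-line comment next to start_postcmd pointing at zfskeys would also help, since nothing on this line says why a mount script needs a post-start step.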
@ -41,6 +42,17 @@ zfs_start()
fi
}
zfs_poststart()
{
# Some of the keys to decrypt datasets are potentially stored on ZFS
# datasets that just got mounted. Let's try to load those keys and
# mount the datasets.
if checkyesno zfskeys_enable; then
/etc/rc.d/zfskeys start
zfs_start
fi
}
zfs_stop_jail()
{
if [ `$SYSCTL_N security.jail.mount_allowed` -eq 1 ]; then
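Review bot: in zfs_poststart the exit status of `/etc/rc.d/zfskeys start` is discarded and zfs_start is then called unconditionally, so a key that fails to load is silent on this path and the whole start routine runs a second time even when no new key became available. Consider calling zfs_start only when the zfskeys invocation succeeds, and emitting a warn otherwise, so that an operator can tell from the boot log that an encrypted dataset stayed locked. The hook also makes a single extra pass: a key stored on a dataset that is itself unlocked by a key loaded during this second pass will still not be picked up, which is worth stating in the comment block so the limit is documented. Lastly, the context below shows this script has jail-specific handling (zfs_stop_jail), but zfs_poststart runs the zfskeys script with no jail check; if that is intentional, say so in the comment.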