zfskeys: Support autoloading of keys stored on ZFS

The zfskeys service script starts before the zfs service script, so that
dataset decryption keys are available when `zfs mount -a` is run. One of
the potential edge cases of this design is that if a key is stored on
ZFS it won't be loaded until `zfs mount -a` is issued.

In order to address that let's try to load the additional keys and mount
related ZFS datasets after the zfs script finishes its standard mounting
procedure.

PR: 262468
Reported by: Graham Perrin <grahamperrin@gmail.com>
Reviewed by: allanjude
Approved by: allanjude (src)
Fixes: 33ff39796f Add zfskeys rc.d script for auto-loading encryption keys
MFC after: 3 days
Sponsored by: Modirum
Sponsored by: Klara Inc.
Differential Revision: https://reviews.freebsd.org/D34601
parent 5c6935a645
commit 97aeda2243
@ -13,6 +13,7 @@ name="zfs"
|
||||
desc="Mount and share ZFS datasets"
|
||||
rcvar="zfs_enable"
|
||||
start_cmd="zfs_start"
|
||||
start_postcmd="zfs_poststart"
|
||||
stop_cmd="zfs_stop"
|
||||
required_modules="zfs"
|
||||
|
||||
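Review bot: `start_postcmd="zfs_poststart"` is registered for every start of the service, but the script also has a jail code path (`zfs_stop_jail` is visible further down). If key loading is not meant to happen from inside a jail, the hook should say so explicitly, either by guarding at the top of `zfs_poststart` or by a comment next to this assignment stating that the jail case is intentional.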
@ -41,6 +42,17 @@ zfs_start()
|
||||
fi
|
||||
}
|
||||
|
||||
zfs_poststart()
|
||||
{
|
||||
# Some of the keys to decrypt datasets are potentially stored on ZFS
|
||||
# datasets that just got mounted. Let's try to load those keys and
|
||||
# mount the datasets.
|
||||
if checkyesno zfskeys_enable; then
|
||||
/etc/rc.d/zfskeys start
|
||||
zfs_start
|
||||
fi
|
||||
}
|
||||
|
||||
zfs_stop_jail()
|
||||
{
|
||||
if [ `$SYSCTL_N security.jail.mount_allowed` -eq 1 ]; then
|
||||
|
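Review bot: in `zfs_poststart` the exit status of `/etc/rc.d/zfskeys start` is discarded and `zfs_start` is re-run unconditionally, so a failed key load is followed by a second full start with nothing new to mount and no indication of why. Consider `/etc/rc.d/zfskeys start && zfs_start`, or at least a warning when the key load fails. Two smaller points on the same function: this is a single extra pass, so a key stored on a dataset that is itself unlocked by a key kept on ZFS still will not load, and the comment should state that one level of nesting is the intended limit; and since `desc` says the script mounts and shares datasets, calling `zfs_start` a second time repeats whatever else it does besides mounting, which is worth confirming as harmless.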