feat: added additional zfs services to support encrypted volumes #400
base: main
I would really love to land some support for mounting/volumes in Talos 1.7 to avoid such workaround if possible.
Okay if you bring native support for that in 1.7 I am totally fine… if not please consider merging this workaround.
@smira I played around with zfs a bit. Zfs encryption in talos is tricky at the moment:
I think there should be some tests and documentation for zfs usage to make this usable without these issues,
Hi there! I wonder if we could provide some help or human bandwidth to make progress and clear the path forward as much as possible on that matter? @smira following on what you said in June:
So I suppose in a post Talos 1.9 world, this means extending/enriching [VolumeConfig](https://www.talos.dev/v1.9/reference/configuration/block/volumeconfig) but I guess this is no small task.. 😅 Maybe the solution proposed in this PR would not be such a bad temporary workaround until you got this figured out in a generic way in the volume management system? Or even a simpler variation of it, only issuing a Also, I think this "only deal with the root pool" strategy should make all the issues raised by @runningman84 in #400 (comment) void. This key-loading step could be conditioned to the detection of encrypted zpool (easy to do with zfs and zpool binary). Maybe not be such a bad temporary workaround until you got this figured in a generic way in the volume management system? We could work on a new PR and stress-test this a bit if that makes sense?
I contributed a service for the zfs extension (#513) which is included in Talos 1.9. This service runs
We don't have any bandwidth at the moment to work on ZFS yet, the Volume Management work is still ongoing.
@jfroy woah I totally missed that! Super cool thanks a lot! :-)
This should work fine but I am not sure if the dependencies work that way. Please review...
With this config zfs filesystems with encrypted volumes and local keys (for example stored in /var) will be auto mounted.
This is an example from my test system: