Any options on crypt+zfs ?

Andriy Bakay andriy at irbisnet.com
Tue Apr 17 01:44:02 UTC 2012


On 2012-04-16, at 13:32 , Nenhum_de_Nos wrote:

> hail,
> 
> I have a soekris running an atom and 2GB RAM and ZFS using 7 drives, small capacity though, to
> test and study if I can make my home server this box and this way. It will be a simple server,
> three users tops.
> 
> I followed the handbook and made the geli step on the disks:
> 
> Geom name: label/zfs1.eli
> State: ACTIVE
> EncryptionAlgorithm: AES-XTS
> KeyLength: 128
> Crypto: software
> UsedKey: 0
> Flags: NONE
> KeysAllocated: 38
> KeysTotal: 38
> Providers:
> 1. Name: label/zfs1.eli
>   Mediasize: 160041881600 (149G)
>   Sectorsize: 4096
>   Mode: r1w1e1
> Consumers:
> 1. Name: label/zfs1
>   Mediasize: 160041885184 (149G)
>   Sectorsize: 512
>   Mode: r1w1e1
> 
> 
> all disks are this way (just 4 disks are on geli zfs).
> 
> would it be faster, if I had geli over zfs, and not the other way (as is now) ?
> 
> my performance is too low (I know the hardware is not that much, but I compared it to a friend's
> arm based AP-Router gadget and my setup is when much equal. I have 1.6 GHz Atom and 2GB ram, he
> has not half this ... I know can't compare arm and x86 clock for clock ...)
> 
> I'll try to run geli on single disk, to see how much ZFS is impacting on performance, but, is
> there any other way around ? All I want is RAID5, and FreeBSD has not developed RAID5 from GEOM
> (AFAIK) since a long time. ZFS is the way people go in recent years.
> 
> suggestions are welcome, just want to upgrade my old 8.0 BETA3 using geom mirror/stripe to a newer
> approach that would be supported by FreeBSD.
> 
> I have an external enclosure for 4 SATA disks (port multiplier included) using 4 disks, another
> port multiplier 5x1 using now 3 disks, and:
> 
> ahci1 at pci0:13:0:0:	class=0x010601 card=0x10601b21 chip=0x06121b21 rev=0x01 hdr=0x00
>    vendor     = 'ASMedia Technology Inc.'
>    class      = mass storage
>    subclass   = SATA
> 
> with two eSATA to the Port Multipliers.
> 
> thanks,
> 
> matheus
> 
> machine:
> ACPI Error: A valid RSDP was not found (20110527/tbxfroot-237)
> Copyright (c) 1992-2012 The FreeBSD Project.
> Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
> 	The Regents of the University of California. All rights reserved.
> FreeBSD is a registered trademark of The FreeBSD Foundation.
> FreeBSD 9.0-RELEASE #0: Wed Apr 11 13:04:15 BRT 2012
>    root at macgyver:/usr/obj/usr/src/sys/net6501-amd64 amd64
> ACPI Error: A valid RSDP was not found (20110527/tbxfroot-237)
> CPU: Genuine Intel(R) CPU        @ 1.60GHz (1600.04-MHz K8-class CPU)
>  Origin = "GenuineIntel"  Id = 0x20661  Family = 6  Model = 26  Stepping = 1
>  Features=0xbfe9fbff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,CLFLUSH,DTS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE>
>  Features2=0x40e3bd<SSE3,DTES64,MON,DS_CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,MOVBE>
>  AMD Features=0x20100800<SYSCALL,NX,LM>
>  AMD Features2=0x1<LAHF>
>  TSC: P-state invariant, performance statistics
> real memory  = 2147352576 (2047 MB)
> avail memory = 2046488576 (1951 MB)
> MPTable: <Soekris  net6501     >
> Event timer "LAPIC" quality 400
> FreeBSD/SMP: Multiprocessor System Detected: 2 CPUs
> FreeBSD/SMP: 1 package(s) x 1 core(s) x 2 HTT threads
> cpu0 (BSP): APIC ID:  0
> cpu1 (AP/HT): APIC ID:  1
> ioapic0: Assuming intbase of 0
> ioapic0 <Version 2.0> irqs 0-23 on motherboard
> kbd0 at kbdmux0
> ACPI Error: A valid RSDP was not found (20110527/tbxfroot-237)
> ACPI: Table initialisation failed: AE_NOT_FOUND
> ACPI: Try disabling either ACPI or apic support.
> cryptosoft0: <software crypto> on motherboard
> 
> -- 
> We will call you Cygnus,
> The God of balance you shall be
> 
> A: Because it messes up the order in which people normally read text.
> Q: Why is top-posting such a bad thing?
> 
> http://en.wikipedia.org/wiki/Posting_style

The ideal solution will be ZFS with crypto support, but unfortunately this is only available on Oracle Sun 5.11 for now.

GELI is very good, but it is mostly for single device/file image encryption. Each new GELI device in the ZFS mirror/RAIDZ configuration will add extra overhead.

GELI on top of ZFS volume/file-backed will be even worse.

You could consider PEFS from ports on top of any ZFS pool. PEFS is a kernel-level stacked cryptographic filesystem for FreeBSD:

http://www.freshports.org/sysutils/pefs-kmod/
http://wiki.freebsd.org/PEFS
https://github.com/glk/pefs

P.S. A ZFS RAIDZ1/RAIDZ2 pool is a more sophisticated solution than RAID5/RAID6.


