authorAmeer Hamza <ahamza@ixsystems.com>2022-12-01 20:29:49 +0000
committerBrian Behlendorf <behlendorf1@llnl.gov>2023-01-05 19:10:04 +0000
commitd0f350c96232b64f78dd5cc3934117784e2f2228 (patch)
tree43b735396896aea33c9e68115501859a4ac69605
parent2f2d6bece8526c144f34d891fff376c80494bae0 (diff)
Allow receiver to override encryption properties in case of replication
Currently, the receiver fails to override the encryption property for a plain replicated dataset, reporting the error: "cannot receive incremental stream: encryption property 'encryption' cannot be set for incremental streams.". This is resolved by allowing the receiver to override the encryption property for a plain replicated send.

Signed-off-by: Ameer Hamza <ahamza@ixsystems.com>
-rw-r--r--lib/libzfs/libzfs_sendrecv.c12
-rwxr-xr-xtests/zfs-tests/tests/functional/cli_root/zfs_receive/zfs_receive_to_encrypted.ksh14
2 files changed, 25 insertions, 1 deletions
diff --git a/lib/libzfs/libzfs_sendrecv.c b/lib/libzfs/libzfs_sendrecv.c
index 0dbd98b2bedd..6a53571e3a87 100644
--- a/lib/libzfs/libzfs_sendrecv.c
+++ b/lib/libzfs/libzfs_sendrecv.c
@@ -3966,6 +3966,15 @@ zfs_setup_cmdline_props(libzfs_handle_t *hdl, zfs_type_t type,
goto error;
}
+ /*
+ * For plain replicated send, we can ignore encryption
+ * properties other than first stream
+ */
+ if ((zfs_prop_encryption_key_param(prop) || prop ==
+ ZFS_PROP_ENCRYPTION) && !newfs && recursive && !raw) {
+ continue;
+ }
+
/* incremental streams can only exclude encryption properties */
if ((zfs_prop_encryption_key_param(prop) ||
prop == ZFS_PROP_ENCRYPTION) && !newfs &&
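Review bot: The added `continue` silently discards `-o encryption=...` and the key parameters whenever `!newfs && recursive && !raw` holds, and that condition tests whether the target dataset already exists, not whether this is a later stream of the package as the comment says. If the top-level destination of a `-R` receive already exists unencrypted, the request that used to fail with "cannot be set for incremental streams" would now, as far as this hunk shows, be dropped without any message, so an operator can believe the received data is encrypted when it is not. I would keep the error unless the existing dataset is already encrypted, or at minimum state the assumption in the comment, e.g. `/* Skipped: dataset exists, its encryption state was fixed at creation; -o values are not applied here. */`. How `newfs` and `recursive` are derived is outside the hunk, as are the start and end of zfs_setup_cmdline_props, so this needs confirming against the caller.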
@@ -4065,7 +4074,8 @@ zfs_setup_cmdline_props(libzfs_handle_t *hdl, zfs_type_t type,
if (cp != NULL)
*cp = '\0';
- if (!raw && zfs_crypto_create(hdl, namebuf, voprops, NULL,
+ if (!raw && !(!newfs && recursive) &&
+ zfs_crypto_create(hdl, namebuf, voprops, NULL,
B_FALSE, wkeydata_out, wkeylen_out) != 0) {
fnvlist_free(voprops);
ret = zfs_error(hdl, EZFS_CRYPTOFAILED, errbuf);
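Review bot: `!(!newfs && recursive)` on the added line restates the skip condition of the earlier hunk in negated form, so the two copies can drift apart in a later edit. Computing it once, e.g. `boolean_t repl_existing = (!newfs && recursive);`, and testing `!raw && !repl_existing &&` here (and `repl_existing && !raw` in the property loop) keeps them in step and reads more easily. When the call is skipped, `wkeydata_out` and `wkeylen_out` are not written on this path, so the caller must have initialised them; that is not visible in the hunk and deserves a one-line comment. The enclosing function starts and ends outside the hunk.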
diff --git a/tests/zfs-tests/tests/functional/cli_root/zfs_receive/zfs_receive_to_encrypted.ksh b/tests/zfs-tests/tests/functional/cli_root/zfs_receive/zfs_receive_to_encrypted.ksh
index 8bd9a6854950..7e12d30d0e7e 100755
--- a/tests/zfs-tests/tests/functional/cli_root/zfs_receive/zfs_receive_to_encrypted.ksh
+++ b/tests/zfs-tests/tests/functional/cli_root/zfs_receive/zfs_receive_to_encrypted.ksh
@@ -41,6 +41,9 @@ verify_runnable "both"
function cleanup
{
+ datasetexists $TESTPOOL/encrypted && \
+ destroy_dataset $TESTPOOL/encrypted -r
+
snapexists $snap && destroy_dataset $snap -f
snapexists $snap2 && destroy_dataset $snap2 -f
@@ -97,4 +100,15 @@ log_note "Verifying ZFS will not receive to an encrypted child when the" \
"parent key is unloaded"
log_mustnot eval "zfs send $snap | zfs receive $TESTPOOL/$TESTFS1/c4"
+# Verify that replication can override encryption properties
+log_note "Verifying replication can override encryption properties for plain dataset"
+typeset key_location="/$TESTPOOL/pkey1"
+log_must eval "echo $passphrase > $key_location"
+log_must eval "zfs send -R $snap2 | zfs recv -s -F -o encryption=on" \
+ "-o keyformat=passphrase -o keylocation=file://$key_location" \
+ "-o mountpoint=none $TESTPOOL/encrypted"
+log_must test "$(get_prop 'encryption' $TESTPOOL/encrypted)" != "off"
+log_must test "$(get_prop 'keyformat' $TESTPOOL/encrypted)" == "passphrase"
+log_must test "$(get_prop 'keylocation' $TESTPOOL/encrypted)" == "file://$key_location"
+
log_pass "ZFS can receive encrypted filesystems into child dataset"
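Review bot: The new assertions check only the top-level `$TESTPOOL/encrypted` after a fresh receive, so they do not cover the case the library change makes newly reachable: a `-R` receive with the same `-o encryption=on` options into a destination that already exists. A second step that receives into an existing unencrypted dataset and asserts either a failure (`log_mustnot`) or that `get_prop 'encryption'` is not `off` would show whether the override is honoured or silently ignored there. Descendant datasets are not checked either; whether `$snap2` has any is not visible in this hunk. The passphrase file written to `$key_location` is not removed by the `cleanup` lines added in the previous hunk; `rm -f /$TESTPOOL/pkey1` there would avoid leaving key material behind.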