Bug #23444

Unable to Import zpool on any 9.x version after using them on 10.x.x

Added by Woody Johnson over 3 years ago. Updated almost 3 years ago.

Status: Resolved
Priority: Expected
Assignee: Bartosz Prokop
Category: OS
Target version:
Seen in:
Severity: New
Reason for Closing:
Reason for Blocked:
Needs QA: Yes
Needs Doc: Yes
Needs Merging: Yes
Needs Automation: No
Support Suite Ticket: n/a
Hardware Configuration:

Intel Core i3-2120
Supermicro X9SCA
Crucial 8GB Single DDR3 ECC

ChangeLog Required: No

Description

Once we got the news that 10 was basically dead in the water, I tried rolling back my boot environment to 9.10. That failed and I couldn't get freenas to boot back up. Eventually I got tired of it and I flashed a clean install of 9.10 on the usb and I can get it to boot up clean. Upon trying to restore my encrypted volumes with their keys and passphrases, I get the disks failed to attach error. I tried different variations of 9 with the same result. So I loaded back up 10 and restored my config and all, and I can unlock them just fine, but anything on 9 will not let them attach. I didn't upgrade the volumes or anything.

get_volume_keys.py (492 Bytes) get_volume_keys.py Anonymous, 05/16/2017 09:51 AM
directory_getkeys.PNG (41.8 KB) directory_getkeys.PNG Directory View Woody Johnson, 05/16/2017 10:45 AM
cli_getkeys.PNG (37.8 KB) cli_getkeys.PNG CLI View Woody Johnson, 05/16/2017 10:45 AM
get_volume_keys.py (526 Bytes) get_volume_keys.py Anonymous, 05/16/2017 12:56 PM
bug.jpg (185 KB) bug.jpg this is how i ran the script file Pierre Chateau, 06/07/2017 05:59 AM

History

#1 Updated by Kris Moore over 3 years ago

  • Assignee changed from Sean Fagan to Suraj Ravichandran
  • Priority changed from No priority to Important

Suraj,

Can you investigate why this doesn't work? Looks like there is an issue on the forums as well:

https://forums.freenas.org/index.php?threads/corral-to-9-10-master.53719/

#2 Updated by Sean Fagan over 3 years ago

The zpools got upgraded; 9.10 nightlies should be able to handle it, as I recall.

#3 Updated by Eric Loewenthal over 3 years ago

Non-encrypted pools import fine. Corral only added the sha512 and skein feature flags.

#4 Updated by Suraj Ravichandran over 3 years ago

  • Status changed from Unscreened to 15
  • Target version set to 11.0

This is not really my area of expertise (i.e. import of encrypted volumes) but I shall give it a fair go.

Question, the keys and passphrases that you are using to import this encrypted volume back into 9 are those the ones that you downloaded from corral or are those the ones you had from your previous 9.10 boot?

#5 Updated by JD AD over 3 years ago

I'm in the same boat. I tested it with both (keys from corral and 9.10), which unfortunately did not work.

#6 Updated by Woody Johnson over 3 years ago

Suraj Ravichandran wrote:

This is not really my area of expertise (i.e. import of encrypted volumes) but I shall give it a fair go.

Question, the keys and passphrases that you are using to import this encrypted volume back into 9 are those the ones that you downloaded from corral or are those the ones you had from your previous 9.10 boot?

I tried the 9 first. After several tries with the different versions, I went and got the corral ones. Then once those didn't work several times on different versions, I changed the passphrase on the volumes using corral and got new key files and tried those on 9 as well.

#7 Updated by Suraj Ravichandran over 3 years ago

  • Status changed from 15 to Investigation
  • Priority changed from Important to Expected

@Woody Johnson, ok I will have to try to reproduce this myself.

Let me do that and get back to you.

I might not get to this by the end of the week (since I am trying to resolve my other tickets and get ramped up on the new UI stuff)

Bumping the priority from Important to Expected since I already see 3 people on this.

#8 Updated by Pierre Chateau over 3 years ago

Sean Fagan wrote:

The zpools got upgraded; 9.10 nightlies should be able to handle it, as I recall.

I tried downgrading FreeNAS-Corral-10.0.5 to FreeNAS-9.10-MASTER-201704190613-1ba77e4 and I never got FreeNAS to boot up. It just loops infinitely because of some configuration error. I also tried installing FreeNAS-9.10-MASTER-201704190613-1ba77e4 fresh and that worked! But I can't import my pools, since the 9.10 config of course doesn't have the info from my previous Corral version and the database formats are different, my sql vs json. So still stuck here. Can't go to 9.10 Nightly because of encrypted volumes.

BTW, I also did a factory reset on Corral before trying to go to FreeNAS-9.10-MASTER-201704190613-1ba77e4. Same problem as before: infinite loop.

#9 Updated by Woody Johnson over 3 years ago

Suraj Ravichandran wrote:

@Woody Johnson, ok I will have to try to reproduce this myself.

Let me do that and get back to you.

I might not get to this by the end of the week (since I am trying to resolve my other tickets and get ramped up on the new UI stuff)

Bumping the priority from Important to Expected since I already see 3 people on this.

Ok, thanks. Yeah I thought it was just me, but it looks like everyone here is having the same issue. I also had that same problem as Pierre Chateau when I tried to fall back to 9...it just loops at an error. We definitely have some sort of bug going on with both the fall back and the zpool importing.

To replicate it I would try creating your volumes (encrypted) in 9.10 and then do the upgrade to 10 (not sure if that's possible anymore). Unlock them there. Probably restart to make sure it's all doing what it is supposed to be doing. Unlock them. Downgrade to 9.10 and see if it works.

#11 Updated by Vaibhav Chauhan over 3 years ago

I will branch tonight for FreeNAS-11, can you tell me what's the status of the ticket?

#12 Updated by Suraj Ravichandran over 3 years ago

This will not happen tonight, but let's keep this for 11.0 till I can rule it out for sure

#13 Updated by Woody Johnson over 3 years ago

Suraj Ravichandran wrote:

This will not happen tonight, but let's keep this for 11.0 till I can rule it out for sure

Is there any update on this issue?

#14 Updated by JD AD over 3 years ago

Any progress?

#15 Updated by Suraj Ravichandran over 3 years ago

  • Assignee changed from Suraj Ravichandran to Anonymous

I apologize for the delay in addressing this ticket.

I am heading on my vacation day after, and have other higher priority tickets in my queue right now.

If I may request, Bartosz please take a look at this, as you too are aware of Corral's workings and can easily reproduce this and work a way out.

If this does not seem like something suitable of your time and efforts please hand it back to me.

Thanks

#16 Updated by Suraj Ravichandran over 3 years ago

  • Status changed from Investigation to Unscreened

#17 Updated by Amir Yalon over 3 years ago

As a user affected by this issue, I would be content enough with just a workaround to get me through to importing the encrypted and upgraded volume into Freenas 11, even if it involves using obscure command-line incantations.

I can mount my volume in Freenas Corral and export the encryption key in the GUI. What I get is a Base64-encoded blob and a textual token (“password”). When trying to import the volume in Freenas 11, I get asked to upload a file and type a passphrase, but obviously they are not the same thing as was exported by Corral.

What I need to know is either (1) how to convert the Base64-encoded blob and textual token into the correct format expected by Freenas 11, or (2) how to export the key in Corral’s root shell straight to the format expected by Freenas 11.

This can probably be accomplished with a simple shell or Python script. Any help would be appreciated.

#18 Updated by Woody Johnson over 3 years ago

Honestly, I'm the same way. I just need a method to get back into either 9 or 11 so I can get back on a supported path.

Amir Yalon wrote:

As a user affected by this issue, I would be content enough with just a workaround to get me through to importing the encrypted and upgraded volume into Freenas 11, even if it involves using obscure command-line incantations.

I can mount my volume in Freenas Corral and export the encryption key in the GUI. What I get is a Base64-encoded blob and a textual token (“password”). When trying to import the volume in Freenas 11, I get asked to upload a file and type a passphrase, but obviously they are not the same thing as was exported by Corral.

What I need to know is either (1) how to convert the Base64-encoded blob and textual token into the correct format expected by Freenas 11, or (2) how to export the key in Corral’s root shell straight to the format expected by Freenas 11.

This can probably be accomplished with a simple shell or Python script. Any help would be appreciated.

#19 Updated by Anonymous over 3 years ago

  • Status changed from Unscreened to Screened

#20 Updated by Anonymous over 3 years ago

I've created a simple script that allows extracting the needed keys from the Corral config database.
The output generated with the volume key export in Corral is basically an additionally encrypted GELI metadata backup, not the keys that are required by the FN9/11.

I've created encrypted pools and imported them to the FN11 nightly without problems.

This is how it should be used:

[root@freenas] ~# python3 get_volume_keys.py
Keyfile uuid:f835792d-3a44-11e7-9b12-000c2939b58f created
Keyfile uuid:f93697ea-3a44-11e7-9b12-000c2939b58f created
Keyfile uuid:f72b81df-3a47-11e7-9b12-000c2939b58f created
Keyfile uuid:f802d29e-3a47-11e7-9b12-000c2939b58f created

It creates keyfiles for all encrypted partitions in the directory where the script is located.
After that you should follow the official FreeNAS documentation (8.1.6.1. Importing an Encrypted Pool).

I'm looking forward to some feedback,

Bartosz

#21 Updated by Woody Johnson over 3 years ago

So I ran that and it seems to have generated the files, but they all have different file names. How do we know which to use for the different volumes? Also the names you see in the CLI vs. what I see in the actual directory via windows is different.

Bartosz Prokop wrote:

I've created a simple script that allows extracting the needed keys from the Corral config database.
The output generated with the volume key export in Corral is basically an additionally encrypted GELI metadata backup, not the keys that are required by the FN9/11.

I've created encrypted pools and imported them to the FN11 nightly without problems.

This is how it should be used:
[...]

It creates keyfiles for all encrypted partitions in the directory where the script is located.
After that you should follow the official FreeNAS documentation (8.1.6.1. Importing an Encrypted Pool).

I'm looking forward to some feedback,

Bartosz

#22 Updated by Woody Johnson over 3 years ago

Just in case you need that information...I have 4 volumes (2 drives, 4 drives, 4 drives, 6 drives)

#23 Updated by Amir Yalon over 3 years ago

  • Seen in changed from 9.10.2-U2 to 11.0-RC

Bartosz Prokop wrote:

It creates keyfiles for all encrypted partitions in the directory where the script is located.
After that you should follow the official FreeNAS documentation (8.1.6.1. Importing an Encrypted Pool).

I'm looking forward to some feedback,

I’ve successfully imported my pool; thanks!

@Woody Johnson: I ran `md256sum *` on the files, and they were all the same. I just ignored their names, picked one of them and used it to decrypt all disks on volume import.

#24 Updated by Amir Yalon over 3 years ago

Woody Johnson wrote:

Just in case you need that information...I have 4 volumes (2 drives, 4 drives, 4 drives, 6 drives)

Sorry, I wrote my previous reply under the wrong assumption, that you only have one volume.

After running the script, you would see 4 different keys in 16 files. The file names should help you identify which key belongs to which disk, but if you can’t work the filenames issue out, identify the different keys with `sha256sum *`, keep only 4 unique files (one for each volume), and then use some trial and error to decrypt each volume in turn.
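
The deduplication step described in the comment above, as an added example that is not part of the original thread or of the attached get_volume_keys.py: it groups extracted keyfiles by SHA-256 digest and keeps one file per distinct key. It assumes the keyfiles were copied into a directory of their own; the file names and key bytes in `demo()` are constructed.

```python
import hashlib
import os
import tempfile
from collections import defaultdict
from pathlib import Path


def group_keyfiles(directory):
    """Map SHA-256 digest -> sorted names of the files sharing that content."""
    groups = defaultdict(list)
    for path in sorted(Path(directory).iterdir()):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            groups[digest].append(path.name)
    return dict(groups)


def pick_unique(directory):
    """Choose one representative per distinct key and restrict it to the owner.

    Returns {representative_name: [names of its duplicates]}; nothing is deleted.
    """
    chosen = {}
    for names in group_keyfiles(directory).values():
        keep, *dupes = names
        os.chmod(Path(directory) / keep, 0o600)  # key material: owner read/write only
        chosen[keep] = dupes
    return chosen


def demo():
    """Constructed sample: 4 volumes (2, 4, 4, 6 disks) -> 16 keyfiles, 4 keys."""
    layout = {"vol1": 2, "vol2": 4, "vol3": 4, "vol4": 6}
    with tempfile.TemporaryDirectory() as tmp:
        for volume, disks in layout.items():
            # Placeholder bytes standing in for a key; not real key material.
            key = hashlib.sha256(volume.encode()).digest() * 2
            for disk in range(disks):
                # Hypothetical names; the script in this thread reports uuid-based names.
                (Path(tmp) / f"{volume}-disk{disk}.key").write_bytes(key)
        return pick_unique(tmp)


if __name__ == "__main__":
    for keep, dupes in demo().items():
        print(f"{keep}: {len(dupes)} duplicate(s)")
```

Which of the remaining files unlocks which volume still has to be established at import time, as the comment says.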

#25 Updated by Woody Johnson over 3 years ago

That did the trick. I just used winmd5 to do the same. You can easily see the volumes that way. I'll give the upgrade a try later this evening.

Amir Yalon wrote:

@Woody Johnson: I ran `md256sum *` on the files, and they were all the same. I just ignored their names, picked one of them and used it to decrypt all disks on volume import.

#26 Updated by Anonymous over 3 years ago

The issue with keyfiles having strange names under Windows is probably related to the fact that I've used a colon within the filename. Corrected script updated.

When it comes to the keyfiles naming convention I need to look at the Corral code again; I thought that partition UUID is enough.

Thanks for the feedback,

Bartosz

#27 Updated by Woody Johnson over 3 years ago

The old script did fine after I ran all the items through winmd5. I got everything imported on the newest nightly of FreeNAS 11. Unless there are others who need a better way to do, I consider this issue resolved since it got my volumes moved over. I really appreciate the work on this.

Bartosz Prokop wrote:

The issue with keyfiles having strange names under Windows is probably related to the fact that I've used a colon within the filename. Corrected script updated.

When it comes to the keyfiles naming convention I need to look at the Corral code again; I thought that partition UUID is enough.

Thanks for the feedback,

Bartosz

#28 Updated by Kris Moore over 3 years ago

  • Status changed from Screened to Resolved
  • Target version changed from 11.0 to N/A

#29 Updated by Pierre Chateau over 3 years ago

I ran the script on FreeNAS Corral (ssh into freenas) but nothing happens! Am I supposed to run the script on another version of FreeNAS?

Woody Johnson wrote:

The old script did fine after I ran all the items through winmd5. I got everything imported on the newest nightly of FreeNAS 11. Unless there are others who need a better way to do, I consider this issue resolved since it got my volumes moved over. I really appreciate the work on this.

Bartosz Prokop wrote:

The issue with keyfiles having strange names under Windows is probably related to the fact that I've used a colon within the filename. Corrected script updated.

When it comes to the keyfiles naming convention I need to look at the Corral code again; I thought that partition UUID is enough.

Thanks for the feedback,

Bartosz

#30 Updated by Woody Johnson over 3 years ago

It should spit out the keys into the folder where you ran it. Did you place the script in a location on the freenas box where you can extract the key files? You are right to run it on freenas corral. That's what it was written for (to get from the new corral codebase, back to 9 or 11). Importing into 11 worked for me after I got the keys.

Pierre Chateau wrote:

I ran the script on FreeNAS Corral (ssh into freenas) but nothing happens! Am I supposed to run the script on another version of FreeNAS?

Woody Johnson wrote:

The old script did fine after I ran all the items through winmd5. I got everything imported on the newest nightly of FreeNAS 11. Unless there are others who need a better way to do, I consider this issue resolved since it got my volumes moved over. I really appreciate the work on this.

Bartosz Prokop wrote:

The issue with keyfiles having strange names under Windows is probably related to the fact that I've used a colon within the filename. Corrected script updated.

When it comes to the keyfiles naming convention I need to look at the Corral code again; I thought that partition UUID is enough.

Thanks for the feedback,

Bartosz

#31 Updated by Pierre Chateau over 3 years ago

Here is some system info:
unix::/system>version
Property Description Value
freenas_version FreeNAS version FreeNAS-Corral-10.0.2
system_version System version FreeBSD freenas.local 11.0-STABLE FreeBSD 11.0-STABLE #6 r313908+3dc09ad131e(secret_stable): Sun Mar 19 00:03:14 PDT 2017
:/usr/home/nightlies/build/_BE/objs/usr/home/nightlies/build/_BE/os/sys/FreeNAS.amd64 amd64

Woody Johnson wrote:

It should spit out the keys into the folder where you ran it. Did you place the script in a location on the freenas box where you can extract the key files? You are right to run it on freenas corral. That's what it was written for (to get from the new corral codebase, back to 9 or 11). Importing into 11 worked for me after I got the keys.

Pierre Chateau wrote:

I ran the script on FreeNAS Corral (ssh into freenas) but nothing happens! Am I supposed to run the script on another version of FreeNAS?

Woody Johnson wrote:

The old script did fine after I ran all the items through winmd5. I got everything imported on the newest nightly of FreeNAS 11. Unless there are others who need a better way to do, I consider this issue resolved since it got my volumes moved over. I really appreciate the work on this.

Bartosz Prokop wrote:

The issue with keyfiles having strange names under Windows is probably related to the fact that I've used a colon within the filename. Corrected script updated.

When it comes to the keyfiles naming convention I need to look at the Corral code again; I thought that partition UUID is enough.

Thanks for the feedback,

Bartosz

#32 Updated by Pierre Chateau over 3 years ago

I got it working! I had to rekey my drives and then run the script :)

Pierre Chateau wrote:

I ran the script on FreeNAS Corral (ssh into freenas) but nothing happens! Am I supposed to run the script on another version of FreeNAS?

Woody Johnson wrote:

The old script did fine after I ran all the items through winmd5. I got everything imported on the newest nightly of FreeNAS 11. Unless there are others who need a better way to do, I consider this issue resolved since it got my volumes moved over. I really appreciate the work on this.

Bartosz Prokop wrote:

The issue with keyfiles having strange names under Windows is probably related to the fact that I've used a colon within the filename. Corrected script updated.

When it comes to the keyfiles naming convention I need to look at the Corral code again; I thought that partition UUID is enough.

Thanks for the feedback,

Bartosz

#33 Updated by Dru Lavigne almost 3 years ago

  • Assignee set to Bartosz Prokop
  • Seen in changed from 11.0-RC to 9.10-RELEASE
