Restore an LXC container from a non-encrypted ZFS dataset to an encrypted dataset

Hello everyone, I hope you are all well.
Well, I’m working on a project for a company that aims to improve security on its servers internally. It works a lot with LXC containers supported by ZFS datasets.
I need to know if there is any possibility of transferring LXC containers from unencrypted datasets to encrypted datasets without the containers losing their functionality, and in the easiest way possible.
Guys, is there any way to perform this action?
I’ve already tried with rsync, but every time I start the copy inside, it gives an error showing the impossibility of migrating encrypted datasets to non-encrypted ones and vice versa.

Has anyone managed to perform this type of migration???

Need your help guys.

Not yet, but I’m smack in the middle now of giving it a go.

Not what you had hoped for but I’ll get the ball rolling here. (Give me a couple of hours please)

But I would have to think that “zfs send --raw” would be needed.
From the man page:

-w, --raw
             For  encrypted  datasets,  send data exactly as it exists on disk.
             This allows backups to be taken even if encryption  keys  are  not
             currently loaded.  The backup may then be received on an untrusted
             machine  since  that  machine will not have the encryption keys to
             read the protected data or alter it without being detected.   Upon
             being  received, the dataset will have the same encryption keys as
             it did on the send side, although the keylocation property will be
             defaulted to prompt if not otherwise  provided.   For  unencrypted
             datasets,  this flag will be equivalent to -Lec.  Note that if you
             do not use this flag for sending encrypted datasets, data will  be
             sent  unencrypted and may be re-encrypted with a different encryp‐
             tion key on the receiving system, which will disable  the  ability
             to do a raw send to that system for incrementals.

In the meantime anyone else can jump in.

Sorry I did not get around to my promise. I’m currently on 25.04 Development and updates have me in a bad state ATM.

Currently waiting on a fix to AppArmor.

I would surely want to test it first, but I don’t use any LXC containers. I need to learn it, just can’t think of a service to use it for… perhaps a conversation I’ll start someday to get some ideas, but I digress…

From a ZFS standpoint, I am thinking that using zfs receive would better allow for the transfer of unencrypted data to an encrypted dataset if the -x is used, so as to not send the encryption property that currently exists at the source.

Did some reading here:
https://openzfs.github.io/openzfs-docs/man/master/8/zfs-receive.8.html

To send an LXC container to an encrypted ZFS drive, you can follow these steps:

  1. Create a ZFS storage pool with encryption. Use a passphrase as the key format. For example:

     lxc storage create zfsencrypted zfs source=rpool/lxd_encrypted --target

     This command creates a storage pool named zfsencrypted using an encrypted ZFS dataset.

  2. Ensure the ZFS dataset has the appropriate permissions to allow container access. You may need to adjust ZFS settings, such as setting acltype to posixacl for POSIX ACL support, which enables the use of setfacl and getfacl commands.

  3. Adjust the container’s configuration to use the encrypted storage pool. This involves setting up the necessary mount points and permissions within the container’s configuration file.

  4. Use zfs send and zfs receive commands to migrate the container to the encrypted ZFS dataset. For example:

     zfs send tank/containers/my-container | zfs receive zfsencrypted/containers/my-container

Just be sure to use the correct naming for pools.

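An added example, not part of any post in this thread: a post-migration check that reads `zfs get -H` output and reports any received dataset that is still unencrypted or that sits under a different encryption root than intended. The dataset names and the sample output are constructed; the function name `audit_encryption` is hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Audits the result of a migration.
# Feed it the output of (dataset name is a placeholder):
#   zfs get -H -r -t filesystem,volume -o name,property,value \
#       encryption,encryptionroot rpool/lxd_encrypted
# -H gives tab-separated fields with no header line.

# audit_encryption EXPECTED_ROOT
# Prints one line per finding; returns 0 only if at least one dataset was
# seen and every dataset is encrypted under EXPECTED_ROOT.
audit_encryption() {
    awk -F '\t' -v root="$1" '
        $2 == "encryption" {
            seen++
            if ($3 == "off") { print "UNENCRYPTED " $1; bad++ }
        }
        # An unencrypted dataset reports "-" here; it is already flagged above.
        $2 == "encryptionroot" && $3 != "-" && $3 != root {
            print "FOREIGN_ROOT " $1 " " $3; bad++
        }
        END {
            if (seen == 0) { print "NO_DATASETS"; exit 2 }
            exit (bad > 0)
        }
    '
}

# Constructed sample output: one good container, one left unencrypted, and
# one received from a raw (zfs send --raw) stream, which keeps its own
# encryption root and keys instead of inheriting the parent's.
sample_output() {
    e=rpool/lxd_encrypted
    printf '%s\t%s\t%s\n' \
        "$e/containers/web" encryption aes-256-gcm \
        "$e/containers/web" encryptionroot "$e" \
        "$e/containers/db" encryption off \
        "$e/containers/db" encryptionroot - \
        "$e/containers/old" encryption aes-256-gcm \
        "$e/containers/old" encryptionroot "$e/containers/old"
}

sample_output | audit_encryption rpool/lxd_encrypted || echo "audit failed: $?"
```

An empty input is treated as a failure (exit status 2) so that a mistyped dataset name does not pass as a clean result.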