DOKK / manpages / debian 12 / resource-agents / ocf_heartbeat_crypt.7.en
OCF_HEARTBEAT_CRYPT(7) OCF resource agents OCF_HEARTBEAT_CRYPT(7)

ocf_heartbeat_crypt - LUKS/crypt resource agent

crypt [start | stop | monitor | meta-data | validate-all]

This is a LUKS/crypt Resource Agent managing encrypted devices via cryptsetup(8). The agent imposes limitations on device types supported: luks, luks[1..N].

encrypted_dev

Encrypted backing device, which should be defined by UUID, 36 characters including '-'s as reported by blkid(8).

Although it can be defined as a block device path (e.g. /dev/sdh), the UUID should be preferred over the block device path to allow for the unique discovery of the crypt backing device given the volatile nature of /dev entries (e.g. /dev/sdh on one node may be /dev/sdg on another).

Only define as block device path if you know what you are doing.

(unique, required, string, no default)

crypt_dev

Encrypted device name, no path. I.e. the one given in "cryptsetup open name ...". The resulting block device path is /dev/mapper/name.

(unique, required, string, no default)

key_file

Key file path containing the encryption passphrase (aka key; see cryptsetup(8)). For LUKS, the passphrase as of the key_file parameter is used to decrypt a randomly selected key when the device was created.

(required, string, no default)

crypt_type

Encryption (device) type (e.g. "luks" or "luks2").

This parameter affirms the encryption format as of the crypt metadata thus allowing for safety measures when starting the encrypted resource.

(required, string, no default)

force_stop

If processes or kernel threads are using the crypt device, it cannot be stopped. We will try to stop processes, first by sending TERM and then, if that doesn't help in seconds, using KILL. The lsof(8) program is required to get the list of array users. Of course, the kernel threads cannot be stopped this way. If the processes are critical for data integrity, then set this parameter to false. Note that in that case the stop operation will fail and the node will be fenced.

(optional, boolean, default false)

This resource agent supports the following actions (operations):

start

Starts the resource. Suggested minimum timeout: 20s.

stop

Stops the resource. Suggested minimum timeout: 20s.

monitor

Performs a detailed status check. Suggested minimum timeout: 20s. Suggested interval: 10s.

meta-data

Retrieves resource agent metadata (internal use only). Suggested minimum timeout: 5s.

validate-all

Performs a validation of the resource configuration. Suggested minimum timeout: 10s.

The following is an example configuration for a crypt resource using the crm(8) shell:

primitive p_crypt ocf:heartbeat:crypt \


  params \


    encrypted_dev=string \


    crypt_dev=string \


    key_file=string \


    crypt_type=string \


  op monitor timeout="20s" interval="10s" depth="0"

The following is an example configuration for a crypt resource using pcs(8)

pcs resource create p_crypt ocf:heartbeat:crypt \


  encrypted_dev=string \


  crypt_dev=string \


  key_file=string \


  crypt_type=string \


  op monitor timeout="20s" interval="10s" OCF_CHECK_LEVEL="0"

http://clusterlabs.org/

ClusterLabs contributors (see the resource agent source for information about individual authors)

04/13/2023 resource-agents 4.12.0-2