Hello,

Setup:
- I installed FreeBSD in VMware using the "auto zfs root" option.
- The zroot pool is located on /dev/da0p4.eli after installation.
- Rebooting works, even if keyboard layout during boot is US not selected... (this is a simple setting..)

Symptom: Restoring metadata from a file is rejected by geli.

Procedure to reproduce this:

    root# geli backup /dev/da0p4 /root/backupme
    root# geli restore /root/backupme /dev/da0p4
    geli: Cannot write metadata to /dev/da0p4: Operation not permitted

Some tests I did:

a) The file backupme exists and has a size of 512 bytes... For testing I tried to restore it to the created block device da0p4.eli. The application rejects it due to size, which makes sense as this is the inner container, not the partition itself. => The file seems to contain valid data.

b) I tried to force restoring to /dev/da0p4, even if the partition was never modified.. same result: Operation not permitted...

The zpool was not exported, nor the crypto device detached, as it is the root pool. However, it is never mentioned that restore works only on detached, offline block devices... it is just a block of data at the end with the same master password...

Regards
Marc

Are you trying to restore the meta data while the provider is attached? By default this is not allowed.

If you absolutely want to do it, you can set the "allow foot shooting" bit. For details see geom(4).

    fk@r500 ~ $sudo geli attach /dev/md0
    Enter passphrase:
    fk@r500 ~ $sudo geli restore /var/backups/md0.eli /dev/md0
    geli: Cannot write metadata to /dev/md0: Operation not permitted.
    fk@r500 ~ $sudo sysctl kern.geom.debugflags=16
    kern.geom.debugflags: 0 -> 16
    fk@r500 ~ $sudo geli restore /var/backups/md0.eli /dev/md0
    fk@r500 ~ $sudo sysctl kern.geom.debugflags=0
    kern.geom.debugflags: 16 -> 0

Yes, and this I would regard as the default, because standing in an open door while changing the lock is what people do... nobody would close the door to install a new lock to get this thrill while not being sure if he will see the other side again. It's a data block at the end of a device, no on-the-fly transcrypting...

Even if not possible, I would welcome a more meaningful error message: "Cannot perform action, cryptoprovider is still attached. Detach provider or set "foot shoot bit" ;o)"
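
Added example, not part of the thread and not FreeBSD's own code: a /bin/sh wrapper around the restore shown in the reply above that reports the attached state in plain words, as the last message asks, and resets kern.geom.debugflags after a forced write. The function names and the DEV_DIR, GELI and SYSCTL overrides are hypothetical, and detecting attachment by the presence of the <provider>.eli device node is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread. DEV_DIR, GELI and SYSCTL are hypothetical
# overrides so the logic can be exercised without a real GELI provider.
DEV_DIR="${DEV_DIR:-/dev}"
GELI="${GELI:-geli}"
SYSCTL="${SYSCTL:-sysctl}"

# Assumption: an attached provider is detected by its <provider>.eli node.
eli_attached() {
    [ -e "${DEV_DIR}/${1#/dev/}.eli" ]
}

# Usage: geli_restore_checked <backup-file> <provider> [yes]
# Returns 0 on success, 2 bad backup file, 3 refused (attached), 4 sysctl
# failure, otherwise the exit status of "geli restore".
geli_restore_checked() {
    backup=$1; prov=$2; force=${3:-no}
    if [ ! -s "$backup" ]; then
        echo "restore: backup file '$backup' is missing or empty" >&2
        return 2
    fi
    if ! eli_attached "$prov"; then
        "$GELI" restore "$backup" "$prov"
        return
    fi
    if [ "$force" != yes ]; then
        echo "restore: ${prov}.eli is attached; detach it first, or pass" >&2
        echo "restore: 'yes' to set kern.geom.debugflags=16 for this write" >&2
        return 3
    fi
    # Forced path: set the foot-shooting bit only for the one write, then put
    # the previous value back even if the restore itself fails.
    old=$("$SYSCTL" -n kern.geom.debugflags) || return 4
    "$SYSCTL" kern.geom.debugflags=16 >/dev/null || return 4
    rc=0
    "$GELI" restore "$backup" "$prov" || rc=$?
    "$SYSCTL" kern.geom.debugflags="$old" >/dev/null
    return "$rc"
}
```

Called as geli_restore_checked /root/backupme /dev/da0p4, it refuses with return code 3 while da0p4.eli exists; the third argument "yes" takes the forced path.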