'\" t
.\" Title: ocf_heartbeat_crypt
.\" Author: ClusterLabs contributors (see the resource agent source for information about individual authors)
.\" Generator: DocBook XSL Stylesheets v1.79.1
.\" Date: 12/17/2020
.\" Manual: OCF resource agents
.\" Source: resource-agents UNKNOWN
.\" Language: English
.\"
.TH "OCF_HEARTBEAT_CRYPT" "7" "12/17/2020" "resource-agents UNKNOWN" "OCF resource agents"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
ocf_heartbeat_crypt \- LUKS/crypt resource agent
.SH "SYNOPSIS"
.HP \w'\fBcrypt\fR\ 'u
\fBcrypt\fR [start | stop | monitor | meta\-data | validate\-all]
.SH "DESCRIPTION"
.PP
This is a LUKS/crypt Resource Agent managing encrypted devices via cryptsetup(8)\&. The agent imposes limitations on device types supported: luks, luks[1\&.\&.N]\&.
.SH "SUPPORTED PARAMETERS"
.PP
\fBencrypted_dev\fR
.RS 4
Encrypted backing device, which should be defined by UUID, 36 characters including \*(Aq\-\*(Aqs as reported by blkid(8)\&.
.sp
Although it can be defined as a block device path (e\&.g\&.
/dev/sdh), the UUID should be preferred over the block device path to allow for the unique discovery of the crypt backing device given the volatile nature of /dev entries (e\&.g\&. /dev/sdh on one node may be /dev/sdg on another)\&.
.sp
Only define it as a block device path if you know what you are doing\&.
.sp
(unique, required, string, no default)
.RE
.PP
\fBcrypt_dev\fR
.RS 4
Encrypted device name, no path\&. I\&.e\&. the one given in "cryptsetup open name \&.\&.\&."\&. The resulting block device path is /dev/mapper/name\&.
.sp
(unique, required, string, no default)
.RE
.PP
\fBkey_file\fR
.RS 4
Key file path containing the encryption passphrase (aka key; see cryptsetup(8))\&. For LUKS, the passphrase from the key_file parameter is used to decrypt the key that was randomly selected when the device was created\&.
.sp
(required, string, no default)
.RE
.PP
\fBcrypt_type\fR
.RS 4
Encryption (device) type (e\&.g\&. "luks" or "luks2")\&.
.sp
This parameter affirms the encryption format recorded in the crypt metadata, thus allowing for safety measures when starting the encrypted resource\&.
.sp
(required, string, no default)
.RE
.PP
\fBforce_stop\fR
.RS 4
If processes or kernel threads are using the crypt device, it cannot be stopped\&. We will try to stop processes, first by sending TERM and then, if that doesn\*(Aqt help in seconds, using KILL\&. The lsof(8) program is required to get the list of array users\&. Of course, the kernel threads cannot be stopped this way\&. If the processes are critical for data integrity, then set this parameter to false\&. Note that in that case the stop operation will fail and the node will be fenced\&.
.sp
(optional, boolean, default false)
.RE
.SH "SUPPORTED ACTIONS"
.PP
This resource agent supports the following actions (operations):
.PP
\fBstart\fR
.RS 4
Starts the resource\&. Suggested minimum timeout: 20s\&.
.RE
.PP
\fBstop\fR
.RS 4
Stops the resource\&. Suggested minimum timeout: 20s\&.
.RE
.PP
\fBmonitor\fR
.RS 4
Performs a detailed status check\&.
Suggested minimum timeout: 20s\&. Suggested interval: 10s\&.
.RE
.PP
\fBmeta\-data\fR
.RS 4
Retrieves resource agent metadata (internal use only)\&. Suggested minimum timeout: 5s\&.
.RE
.PP
\fBvalidate\-all\fR
.RS 4
Performs a validation of the resource configuration\&. Suggested minimum timeout: 10s\&.
.RE
.SH "EXAMPLE CRM SHELL"
.PP
The following is an example configuration for a crypt resource using the
\fBcrm\fR(8)
shell:
.sp
.if n \{\
.RS 4
.\}
.nf
primitive p_crypt ocf:heartbeat:crypt \e
  params \e
    encrypted_dev=\fIstring\fR \e
    crypt_dev=\fIstring\fR \e
    key_file=\fIstring\fR \e
    crypt_type=\fIstring\fR \e
  op monitor timeout="20s" interval="10s" depth="0"
.fi
.if n \{\
.RE
.\}
.SH "EXAMPLE PCS"
.PP
The following is an example configuration for a crypt resource using
\fBpcs\fR(8)
.sp
.if n \{\
.RS 4
.\}
.nf
pcs resource create p_crypt ocf:heartbeat:crypt \e
  encrypted_dev=\fIstring\fR \e
  crypt_dev=\fIstring\fR \e
  key_file=\fIstring\fR \e
  crypt_type=\fIstring\fR \e
  op monitor timeout="20s" interval="10s" OCF_CHECK_LEVEL="0"
.fi
.if n \{\
.RE
.\}
.SH "SEE ALSO"
.PP
\m[blue]\fB\%http://clusterlabs.org/\fR\m[]
.SH "AUTHOR"
.PP
\fBClusterLabs contributors (see the resource agent source for information about individual authors)\fR
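
The parameter rules under SUPPORTED PARAMETERS, written as offline sanity checks to run before creating the resource. This is an added example, not code from the resource agent: the function names, the sample values and the key file permission rule are assumptions, and block device paths for encrypted_dev are deliberately rejected in favour of the UUID form the page prefers.

```sh
#!/bin/sh
# Added example: offline sanity checks for ocf:heartbeat:crypt parameters.
# Function names and sample values are hypothetical, not part of the agent.

# encrypted_dev: UUID of 36 characters including '-' (as blkid(8) reports it).
is_uuid() {
    printf '%s\n' "$1" |
        grep -Eq '^[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$'
}

# crypt_dev: bare mapping name, no path (it becomes /dev/mapper/<name>).
is_bare_name() {
    case "$1" in
        ''|*/*) return 1 ;;
    esac
    return 0
}

# crypt_type: "luks" or "luks" plus a version number (luks1, luks2, ...).
is_crypt_type() {
    printf '%s\n' "$1" | grep -Eq '^luks([1-9][0-9]*)?$'
}

# key_file: regular file with no group/other permission bits.
# The permission rule is an assumption of this example, not an agent rule.
key_file_private() {
    [ -f "$1" ] || return 1
    [ "$(ls -ldL -- "$1" | cut -c5-10)" = "------" ]
}

# Returns 0 only if all four required parameters pass; reports each failure.
check_crypt_params() {
    rc=0
    is_uuid "$1" || { echo "encrypted_dev: not a UUID: $1" >&2; rc=1; }
    is_bare_name "$2" || { echo "crypt_dev: must be a name, no path: $2" >&2; rc=1; }
    key_file_private "$3" || { echo "key_file: missing or group/other-accessible: $3" >&2; rc=1; }
    is_crypt_type "$4" || { echo "crypt_type: expected luks or luksN: $4" >&2; rc=1; }
    return "$rc"
}

# Constructed sample run; a temporary file stands in for the key file.
demo_key=$(mktemp) && chmod 600 "$demo_key"
check_crypt_params 0f3a9c1e-5b7d-4e2a-9c4b-1a2b3c4d5e6f data_crypt "$demo_key" luks2 &&
    echo "parameters pass"
rm -f "$demo_key"
```
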