OCF_HEARTBEAT_CRYPT(7) OCF resource agents OCF_HEARTBEAT_CRYPT(7)

NAME
ocf_heartbeat_crypt - LUKS/crypt resource agent

SYNOPSIS
crypt [start | stop | monitor | meta-data | validate-all]

DESCRIPTION
This is a LUKS/crypt Resource Agent managing encrypted devices via
cryptsetup(8). The agent imposes limitations on device types supported:
luks, luks[1..N].

SUPPORTED PARAMETERS
encrypted_dev
    Encrypted backing device, which should be defined by UUID, 36
    characters including '-'s as reported by blkid(8).

    Although it can be defined as a block device path (e.g. /dev/sdh),
    the UUID should be preferred over the block device path to allow
    for the unique discovery of the crypt backing device given the
    volatile nature of /dev entries (e.g. /dev/sdh on one node may be
    /dev/sdg on another).

    Only define as block device path if you know what you are doing.

    (unique, required, string, no default)

crypt_dev
    Encrypted device name, no path, i.e. the one given in "cryptsetup
    open name ...". The resulting block device path is
    /dev/mapper/name.

    (unique, required, string, no default)

key_file
    Path of the key file containing the encryption passphrase (aka key;
    see cryptsetup(8)). For LUKS, the passphrase given by the key_file
    parameter is used to decrypt a key that was randomly selected when
    the device was created.

    (required, string, no default)

crypt_type
    Encryption (device) type (e.g. "luks" or "luks2").

    This parameter affirms the encryption format recorded in the crypt
    metadata, thus allowing for safety measures when starting the
    encrypted resource.

    (required, string, no default)

force_stop
    If processes or kernel threads are using the crypt device, it
    cannot be stopped. We will try to stop processes, first by sending
    TERM and then, if that doesn't help in seconds, using KILL. The
    lsof(8) program is required to get the list of array users. Of
    course, the kernel threads cannot be stopped this way. If the
    processes are critical for data integrity, then set this parameter
    to false. Note that in that case the stop operation will fail and
    the node will be fenced.

    (optional, boolean, default false)

SUPPORTED ACTIONS
This resource agent supports the following actions (operations):

start
    Starts the resource. Suggested minimum timeout: 20s.

stop
    Stops the resource. Suggested minimum timeout: 20s.

monitor
    Performs a detailed status check. Suggested minimum timeout: 20s.
    Suggested interval: 10s.

meta-data
    Retrieves resource agent metadata (internal use only). Suggested
    minimum timeout: 5s.

validate-all
    Performs a validation of the resource configuration. Suggested
    minimum timeout: 10s.

EXAMPLE CRM SHELL
The following is an example configuration for a crypt resource using
the crm(8) shell:

    primitive p_crypt ocf:heartbeat:crypt \
      params \
        encrypted_dev=string \
        crypt_dev=string \
        key_file=string \
        crypt_type=string \
      op monitor timeout="20s" interval="10s" depth="0"

EXAMPLE PCS
The following is an example configuration for a crypt resource using
pcs(8):

    pcs resource create p_crypt ocf:heartbeat:crypt \
      encrypted_dev=string \
      crypt_dev=string \
      key_file=string \
      crypt_type=string \
      op monitor timeout="20s" interval="10s" OCF_CHECK_LEVEL="0"
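
The parameter rules above (UUID preferred for encrypted_dev, bare name for crypt_dev, luks or luksN for crypt_type) can be checked before the values are passed to crm or pcs. The following is an added example, not part of the resource agent or this manual page; all function names are hypothetical, and the key file permission check is an assumption that this page does not state.

```shell
# Added example, not the agent's own code. All function names are hypothetical.

# True for a 36-character UUID (hex groups 8-4-4-4-12) as reported by blkid(8).
is_uuid() {
    case $1 in *[!0-9A-Fa-f-]*) return 1 ;; esac   # also rejects newlines
    printf '%s\n' "$1" | grep -Eq '^[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$'
}

# Prints "uuid", "path" (a /dev entry, discouraged) or "invalid".
classify_encrypted_dev() {
    if is_uuid "$1"; then echo uuid; return 0; fi
    case $1 in
        /dev/?*) echo path ;;
        *)       echo invalid ;;
    esac
}

# crypt_dev is a bare name (no path); it becomes /dev/mapper/<name>.
valid_crypt_dev() { case $1 in ''|*/*) return 1 ;; esac; }

# crypt_type: "luks" or "luks" plus a version number (luks1, luks2, ...).
valid_crypt_type() {
    case $1 in
        luks)       return 0 ;;
        luks[1-9]*) case ${1#luks} in *[!0-9]*) return 1 ;; esac ;;
        *)          return 1 ;;
    esac
}

# Assumption (not stated on the page): the key file holds the passphrase, so
# it should be a regular file with no group/other permission bits.
key_file_private() {
    [ -f "$1" ] || return 1
    mode=$(ls -ld -- "$1") || return 1
    case $mode in -???------*) return 0 ;; *) return 1 ;; esac
}

# usage: preflight <encrypted_dev> <crypt_dev> <key_file> <crypt_type>
preflight() {
    rc=0
    case $(classify_encrypted_dev "$1") in
        uuid) ;;
        path) echo "warning: encrypted_dev is a /dev path; prefer the UUID" >&2 ;;
        *)    echo "error: encrypted_dev is neither a UUID nor a /dev path" >&2; rc=1 ;;
    esac
    valid_crypt_dev "$2"  || { echo "error: crypt_dev must be a bare name" >&2; rc=1; }
    key_file_private "$3" || { echo "error: key_file missing or group/other-accessible" >&2; rc=1; }
    valid_crypt_type "$4" || { echo "error: crypt_type must be luks or luksN" >&2; rc=1; }
    return "$rc"
}
```

A block device path only produces a warning, matching the page's advice that it is allowed but discouraged; every other failed check makes preflight return non-zero.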

SEE ALSO
http://clusterlabs.org/

AUTHOR
ClusterLabs contributors (see the resource agent source for information
about individual authors)

resource-agents UNKNOWN 03/25/2021 OCF_HEARTBEAT_CRYPT(7)