Ubuntu Manpage: ocf_heartbeat_crypt - LUKS/crypt resource agent

Provided by: resource-agents-extra_4.13.0-1ubuntu4_amd64

NAME

       ocf_heartbeat_crypt - LUKS/crypt resource agent

SYNOPSIS


       crypt [start | stop | monitor | meta-data | validate-all]

DESCRIPTION

       This is a LUKS/crypt Resource Agent managing encrypted devices via cryptsetup(8). The agent imposes
       limitations on device types supported: luks, luks[1..N].

SUPPORTED PARAMETERS

encrypted_dev
Encrypted backing device, which should be defined by UUID, 36 characters including '-'s as reported
by blkid(8).

Although it can be defined as a block device path (e.g. /dev/sdh), the UUID should be preferred over
the block device path to allow for the unique discovery of the crypt backing device given the
volatile nature of /dev entries (e.g. /dev/sdh on one node may be /dev/sdg on another).

Only define as block device path if you know what you are doing.

(unique, required, string, no default)

crypt_dev
Encrypted device name, no path. I.e. the one given in "cryptsetup open name ...". The resulting block
device path is /dev/mapper/name.

(unique, required, string, no default)

key_file
Key file path containing the encryption passphrase (aka key; see cryptsetup(8)). For LUKS, the
passphrase as of the key_file parameter is used to decrypt a randomly selected key when the device
was created.

(required, string, no default)

crypt_type
Encryption (device) type (e.g. "luks" or "luks2").

This parameter affirms the encryption format as of the crypt metadata thus allowing for safety
measures when starting the encrypted resource.

(required, string, no default)

force_stop
If processes or kernel threads are using the crypt device, it cannot be stopped. We will try to stop
processes, first by sending TERM and then, if that doesn't help in seconds, using KILL. The lsof(8)
program is required to get the list of array users. Of course, the kernel threads cannot be stopped
this way. If the processes are critical for data integrity, then set this parameter to false. Note
that in that case the stop operation will fail and the node will be fenced.

(optional, boolean, default false)

SUPPORTED ACTIONS

       This resource agent supports the following actions (operations):

       start
           Starts the resource. Suggested minimum timeout: 20s.

       stop
           Stops the resource. Suggested minimum timeout: 20s.

       monitor
           Performs a detailed status check. Suggested minimum timeout: 20s. Suggested interval: 10s.

       meta-data
           Retrieves resource agent metadata (internal use only). Suggested minimum timeout: 5s.

       validate-all
           Performs a validation of the resource configuration. Suggested minimum timeout: 10s.

EXAMPLE CRM SHELL

       The following is an example configuration for a crypt resource using the crm(8) shell:

           primitive p_crypt ocf:heartbeat:crypt \
             params \
               encrypted_dev=string \
               crypt_dev=string \
               key_file=string \
               crypt_type=string \
             op monitor timeout="20s" interval="10s" depth="0"

EXAMPLE PCS

       The following is an example configuration for a crypt resource using pcs(8)

           pcs resource create p_crypt ocf:heartbeat:crypt \
             encrypted_dev=string \
             crypt_dev=string \
             key_file=string \
             crypt_type=string \
             op monitor timeout="20s" interval="10s" OCF_CHECK_LEVEL="0"

AUTHOR

       ClusterLabs contributors (see the resource agent source for information about individual authors)

resource-agents 4.13.0-1ubuntu                     04/01/2024                             OCF_HEARTBEAT_CRYPT(7)