Experienced ZFS user converting to Qubes

nealr · December 5, 2023, 10:17am

I have been using Linux since Redhat 3.03 and I’ve periodically looked at Qubes since version 2.0. The combination of the advances in the OS and what I’m doing work wise make now seem like the right time to shift at least some of what I do with a mix of Ubuntu, VirtualBox, and Proxmox to Qubes.

I have two workstations in my office, both HP Z420s. The production machine has Ubuntu Budgie 22.04 and an Nvidia GTX 1060. It has a slightly less capable sibling with a Radeon RX460 that just got Qubes 4.1.2 installed this morning. I was excited to see that Authy, Maltego, and Signal were easily installed, and I did a clumsy but tolerable OpenVPN setup. This is enough that some of what is in VirtualBox can be moved to Qubes.

I have been looking here and Googling, what I see thus far is that Qubes does not yet do what I’d want in terms of storage. The systems I have get data center grade SSDs with ext4 for startup, with partition space left free for ZFS cache duties, and I run pairs of NAS drives for storage. Since ZFS doesn’t care if a cache drive craters I’ve been running consumer grade PCIe NVMe storage in some systems.

My desktop has a Seagate Nytro SATA system drive that will take three drive writes per day, an HP Z-Turbo PCIe card is handling caching, there are a mirrored pair of 1TB WD Red 2.5" NAS drives that are VMs + /home, and I just swapped out a 4TB IronWolf for a 2.5" Barracuda 5TB. I don’t mind the single consumer 5TB in this role since what’s on it is replicated in a couple places, cool and quiet were the key drives for choosing it. Worst case I would be annoyed for a day or two waiting for a replacement drive.

Is my norm of a stout boot drive and a pair of NAS drives for the important stuff something that’s already documented and I’ve just not found it? Or am I going to be replacing 4.1.2 with 4.2.0rc5 and writing a howto once I’m happy with my setup?

And if ZFS is really so new for Qubes that it’s only just appearing in 4.2, I suspect the management rituals to take advantage of it are also not mature. I’m quite comfortable mirroring drives, adding/removing cache and log volumes, moving drives between systems, and I love the snapshot function. I have some badly behaved stuff I have to support and the lightning quick snapshot/rollback of ZFS permits me to just wade in swinging on a VM, knowing putting it back to original condition will only take a few seconds.

If there is some secret garden of ZFS wisdom, I would love to have the link to it. If this does not yet exist, that would also be useful knowledge to have.

apparatus · December 5, 2023, 10:32am

You can check @Rudd-O’s notes:

nealr · December 5, 2023, 12:33pm

After much digging around on here, I found the ZFS install formula on @Rudd-O 's site.

But I see other things here indicating ZFS isn’t included in 4.2, and overall it doesn’t look as baked in as ZFS support is for Proxmox - in that environment you can just add a ZFS pool, then point, click, and stuff will move out of LVM and into ZFS.

I see mention of BTRFS, which I’ve not used at all - it’s in Promox, but labeled something like “technology preview”.

The manner in which I use ZFS with VirtualBox VMs is as a security blanket - it’s a snap to roll back to a VM to a known good state. I think Qubes already has built in rituals for this. The other things I value are the ability to mirror drives and the cache functions. Pairs of large, helium filled NAS drives feel like flash if you dedicate 1% to 2% of their size in SSD cache space.

Given the Qubes focus on security through virtualization, rather than trying to shore up security after virtualizing, which is the norm with Proxmox and VirtualBox, I probably have some wants that originate in my service provider engineer background that are not needs for the Qubes user base overall.

Even so, the system is SO much smoother than the last time I tried to use it. I may end up with a quick change drive bay in my backup workstation so I can switch hit between Proxmox and Qubes as needed.

nealr · December 5, 2023, 12:35pm

haha whoops, I found it on my own, then focused enough to read your post and link. I plead late night and poking around here using one hand while fooling with my name Qubes install with the other

apparatus · December 5, 2023, 1:15pm

There seems to be a licensing problem:

github.com/QubesOS/qubes-issues

Switch default pool from LVM to BTRFS-Reflink

opened 09:46AM - 22 Mar 21 UTC

DemiMarie

T: enhancement P: default C: storage

**The problem you're addressing (if any)** In R4.0, the default install uses …LVM thin pools. However, LVM appears to be optimized for servers, which results in several shortcomings: - Space exhaustion is handled poorly, requiring manual recovery. This recovery may sometimes fail. - It is not possible to shrink a thin pool. - Thin pools slow down system startup and shutdown. Additionally, LVM thin pools do not support checksums. This can be achieved via dm-integrity, but that does not support TRIM. **Describe the solution you'd like** I propose that R4.1 use BTRFS+reflinks by default. This is a proposal ― it is by no means finalized. **Where is the value to a user, and who might that user be?** BTRFS has checksums by default, and has full support for TRIM. It is also possible to shrink a BTRFS pool without a full backup+restore. BTRFS does not slow down system startup and shutdown, and does not corrupt data if metadata space is exhausted. When combined with LUKS, BTRFS checksumming provides authentication: it is not possible to tamper with the on-disk data (except by rolling back to a previous version) without invalidating the checksum. Therefore, this is a first step towards untrusted storage domains. Furthermore, BTRFS is the default in Fedora 33 and openSUSE. Finally, with BTRFS, VM images are just ordinary disk files, and the storage pool the same as the dom0 filesystem. This means that issues like #6297 are impossible. **Describe alternatives you've considered** None that are currently practical. bcachefs and ZFS are long-term potential alternatives, but the latter would need to be distributed as source and the former is not production-ready yet. **Additional context** I have had to recover manually from LVM thin pool problems (failure to activate, IIRC) on more than one occasion. Additionally, the only supported interface to LVM is the CLI, which is rather clumsy. The LVM pool requires nearly twice the amount of code as the BTRFS pool, for example. **Relevant [documentation](https://www.qubes-os.org/doc/) you've consulted** `man lvm` **Related, [non-duplicate](https://www.qubes-os.org/doc/reporting-bugs/#new-issues-should-not-be-duplicates-of-existing-issues) issues** #5053 #6297 #6184 #3244 (really a kernel bug) #5826 #3230 ― since reflink files are ordinary disk files we could just rename them without needing a copy #3964 everything in https://github.com/QubesOS/qubes-issues/search?q=lvm+thin+pool&state=open&type=issues

apparatus · December 5, 2023, 1:30pm

github.com/QubesOS/qubes-core-admin

(WiP) zfs pool draft

QubesOS:master ← cfcs:zfs_pool

opened 10:27AM - 28 Oct 19 UTC

cfcs

+1757 -6

This PR aims to introduce two new `qvm-pool` pool modules with this interface: …```shell [user@dom0 ~]$ qvm-pool --help-drivers DRIVER OPTIONS zfs_encrypted zpool_name, ask_password_domain, unload_timeout zfs_zvol block_devices ``` - `zfs_zvol` which implements VM storage as ZFS `zvol` volumes. In the current implementation it also deals with `zpool` creation on each `block_devices` parameter since that was the easiest way to get started from a clean slate when testing. If there are valid use-case arguments for splitting that off to a third module that could be done (i.e. if anyone thinks that it would be useful to implement a `zvol` pool on top of an existing dataset). - `zfs_encryption` which largely inherits from `zfs_zvol`, but on top of encrypted datasets inside `zpool_name` that acts as "encryption key groups." The keys are optionally unloaded after a pool inactivity timeout (`unload_timeout`). The keys are loaded by passing a raw file descriptor to an invocation of `zfs load-key {dataset}` from QRexec service `qubes.AskPassword` in a target domain. When used, this results in datasets and zvols in this form: ```shell $ zfs list -o name,type,encryption qbs/encryption/qbsdev filesystem aes-256-gcm qbs/encryption/qbsdev/import filesystem aes-256-gcm qbs/encryption/qbsdev/import/zfsdev filesystem aes-256-gcm qbs/encryption/qbsdev/vm filesystem aes-256-gcm qbs/encryption/qbsdev/vm/zfsdev filesystem aes-256-gcm qbs/encryption/qbsdev/vm/zfsdev/private volume aes-256-gcm qbs/encryption/qbsdev/vm/zfsdev/volatile volume aes-256-gcm qbs/vm filesystem none qbs/vm/plainbrowser filesystem none qbs/vm/plainbrowser/private volume none qbs/vm/plainbrowser/volatile volume none ``` Adding those was a matter of: ```shell $ qvm-pool -a qbs zfs_zvol -o 'block_devices=/dev/loopMYFILE' $ qvm-pool -a qbsdev zfs_encrypted -o 'zpool_name=qbs' ``` For the purpose of key entry I am currently using this implementation of `/etc/qubes-rpc/qubes.AskPassword` in the `ask_password_domain`, which should probably be reworked (remember to `chmod +x`): ```sh #!/bin/sh read -r -N 100 -s -t 5 subject # TODO why does this not work, does it need to strip newline? # might be fixed now, according to @marmarek's suggestion in comment below: # [ "${subject}" = "${subject//[^-/_a-z:A-Z0-9]}" ] || exit 1 export DISPLAY="${DISPLAY:-:0}" zenity --forms \ --text "${QREXEC_REMOTE_DOMAIN}:qubes.AskPassword" \ --add-password "Password for ${subject//[^a-zA-Z]}" 2>>/tmp/askpw.log ``` This requires having ZFS installed from `zfs-on-linux` with the `pyzfs3` module built. To get that going (in addition to their instructions) I needed: ```shell sudo qubes-dom0-update kernel-devel git sysstat bc python3-devel ./autogen.sh && \ ./configure --with-config=srpm --enable-pyzfs && \ make -j3 pkg-utils rpm-dkms && \ sudo dnf install ./libuutil1-0.8.0-1.qbs4.0.x86_64.rpm \ ./libzfs2-0.8.0-1.qbs4.0.x86_64.rpm \ ./libnvpair1-0.8.0-1.qbs4.0.x86_64.rpm \ ./python3-pyzfs-0.8.0-1.qbs4.0.noarch.rpm \ ./zfs-0.8.0-1.qbs4.0.x86_64.rpm # not sure if we need these: sudo dnf install ./libzpool2-0.8.0-1.qbs4.0.x86_64 \ ./libzfs2-devel-0.8.0-1.qbs4.0.x86_64.rpm # install DKMS kernel module, this will take a while since it needs # to compile a module for each dom0 kernel currently installed. # may want to bring down the number of kernels: # rpm -qa kernel # sudo dnf remove kernel-4.14.74-1.pvops.qubes.x86_64 # pay attention that we want the "noarch" and not the "src" rpm: sudo dnf install ./zfs-dkms-0.8.0-1.qbs4.0.noarch.rpm ``` This is merely a draft, as witnessed by the many `TODO` comments, but it does "work," and I thought it might be useful to place here for review, and in case someone wants to collaborate on this with me. **NOTABLY:** - all the volume `_import` functions are probably horribly broken - the size reporting does not seem 100% accurate / implemented for all cases - currently no snapshotting takes place, even though there is some scaffolding in place for that - the "default" options for zpools/zvols/datasets are not uniformly applied - the suggestions for updates to the documentation are probably not 100% correct either ping: - @Rudd-O who also seems to dabble in Qubes + ZFS - @tykling who provided invaluable help deciphering ZFS options, and might have further suggestions - @marmarek who provided a ton of help and suggestions re: the inner workings of Qubes and `qubes-core-admin`

qubist · December 5, 2023, 1:57pm

This says:

Yes, that’s right — a ZFS-backed qube storage driver will be available in Qubes OS 4.2 as a storage option for Qubes OS qubes.

nealr · December 5, 2023, 2:16pm

Read the whole thread, cringing all the way, because it’s an interesting problem and stirs the compulsive system tuner in me. If I wade in, I’d be replicating things being done by others who are much more qualified than I, at the price of less attention on things that won’t get done in this world unless I do them.

I’m going to go have a look at what’s going on with Proxmox and supported file systems. I like the idea of ZFS everywhere, but if both Proxmox and Qubes have solid support for BTRFS, it may be worth climbing the learning curve.

Western Digital Red 1TB NVMe are $85 on Amazon. This may become a problem even I can afford to simply throw money at if data center grade storage is really that cheap.

nealr · December 5, 2023, 2:31pm

for @Rudd-O I think might need a correction:

zpool create laptop /dev/disk/by-id/dm-uuid-*-luks-blkid -s UUID -o value /dev/sdb3`

Is there a reason this command does not have -o ashift=12 included?

nealr · December 5, 2023, 2:41pm

It’s late, I’m tired, but didn’t want to walk away without closing the loop on some things while they’re still top of mind for me.

What I see from @Rudd-O looks like using ZFS as a full featured file system.

What I saw in the developer chatter thread on Github seemed to be focused on using ZFS zvols, the virtual block device feature. If ZFS is used purely in that fashion, wouldn’t the zvol require something like LVM layered over it in order to be used? And if that’s the case, what benefit is there in doing that rather than just giving LVM the bare partition?

I’ve used zvols for the sake of building contraptions - like exploring Ceph without dedicating physical hardware to the process. I can’t envision a production use for zvols, not with any of the systems I use.

qubist · December 22, 2023, 10:55am

So, now that 4.2 is out, is ZFS a thing? I don’t see it mentioned anywhere in the release notes.

nealr · December 22, 2023, 2:06pm

There isn’t any ZFS in the base 4.2.0 but there are good instructions from @Rudd-O on how to do it.

I anticipate having to steer others using Qubes, so I’ve not done that yet, since it’s a bit involved. BTRFS will suffice for the moment.

augsch · December 22, 2023, 2:56pm

I think the actual ZFS pool driver is included in 4.2.0:
https://github.com/QubesOS/qubes-core-admin/pull/522
What @apparatus posted is a legacy pr and is substituted by pr #522.

And core-admin has included the ZFS driver since 4.2.7 :core-admin v4.2.7 (r4.2) · Issue #3643 · QubesOS/updates-status · GitHub

qubist · December 24, 2023, 7:07pm

Does this mean we should wait for 4.2.7 and not expect it in 4.2.0?

nealr · December 24, 2023, 7:18pm

The 4.2.7 is an internal version number for one tool, and not the full release ID, yes?

BTRFS has proven a tolerable alternative thus far for a single drive system. I have some equipment coming out of service that’s going to permit me to build a Qubes box with a boot SSD and a pair of 1TB spindles. We’ll see how that goes …

augsch · December 25, 2023, 2:23am

Yes, that’s right.

qubist · December 25, 2023, 9:54am

This thread is about experienced ZFS user converting to Qubes. I have zero experience with ZFS. I have read nice things about it, as well as some worrying ones in regards to significant SSD write amplification (additional links in the article itself):

Being experienced in all that, what would you say about it?

Eli · December 25, 2023, 11:33am

I think the best is to avoid ZFS on root. Put the ZFS pool on a separate disk, pass through that drive to a VM and mount it there. Any issues?

By the way, it’s a long shot, but can you pass through different ZFS data sets in a separate drive to different VMs? How about partitioning a separate drive and passing through different partitions containing different ZFS pools to different VMs?

nealr · December 26, 2023, 1:15pm

That’s correct. I avoid consumer grade SSDs, I trashed some Samsung stuff before I switched to Seagate Nytro with three drive writes per day capability. They no longer make the small SATA drives I favored. I think the future for me will be Seagate IronWolf NVMe SSDs, but they’re limited to 0.7 DWPD. Even so, should be OK, I got out of the ArangoDB/Elasticsearch business when the free Twitter API died, and that’s where the bulk of the usage arose.

qubist · December 26, 2023, 2:43pm

Thanks for the feedback.