On 2010-03-04 16:55, Lars Ellenberg wrote:
> On Mon, Mar 01, 2010 at 01:16:52PM +0100, Christian Iversen wrote:
>> On 2010-02-27 18:57, Dawid Marcin Grzesiak wrote:
>>> Hi,
>>>
>>> I just wonder if I can use DRBD to asynchronously mirror two block
>>> devices locally.
>>>
>>> For example I want to have a primary (dedicated, so quite secure) server
>>> and on the other hand a secondary (VPS, so quite insecure).
>>>
>>> I want to mirror block devices, but I want to keep it encrypted on the VPS,
>>> but not on the dedicated server.
>>>
>>> Sure I can set an encrypted partition up on the VPS and share it via DRBD, but
>>> then the encryption key will need to be entered and will be stored in
>>> the RAM on the VPS.
>>>
>>> Better is to map the plain block device from the secondary server on the primary
>>> server, set up the encrypted partition there (thus the encryption key never
>>> leaves the primary server) and then set up data mirroring locally.
>>>
>>> I imagine that it is possible with NBD and RAID, but:
>>> 1. I'm worried whether the NBD network protocol is stable enough.
>>> 2. This will be synchronous mirroring.
>>> 3. What about resync? Does it have an intelligent algorithm to make it fast
>>> and save bandwidth?
>>>
>>> Is it possible with DRBD?
>>
>> In a sense, yes.
>>
>> You can set up the VPS to export your block device with iSCSI.
>>
>> Then use an iSCSI client on your server to import your block device
>> into your local (primary) server's namespace. There, you use
>> cryptsetup with LUKS to give access to the decrypted block device.
>>
>> Then just use DRBD between "/dev/localdisk" and
>> "/dev/decrypted-remote-disk".
>>
>> This should work fine, albeit probably slowly.
>>
>> If you don't know iSCSI, it's kind of like NBD but 100 times better :)
>
> Others would put this the other way around.
> Probably a matter of preference, requirements and environment.

Well, maybe. I've tried both, and for our uses, iSCSI fit much better.

> Also, DRBD is for replication between two nodes,
> not for replication between two block devices on the same node.

Agreed :)

> So if that is what you are up to, you rather want to
> look at software RAID more closely again.
> man mdadm, specifically: bitmap, write-mostly, write-behind ...

Well, true. And I agree it's an odd use case.

There could be some advantages to using local/local DRBD though. Namely, it
would be very easy to switch to the classic local/remote DRBD, or even a
crazy remote/remote over double iSCSI.

Who knows? I thought it sounded like a fun idea to try.

> Yes, we are not only about DRBD.
> We know some other stuff as well ;-)
> Just use the right tool for the job.

Indeed, always useful advice :)

P.S: Have you thought about setting a Reply-To header? I'm almost responding
to the author every time.

--
Kind regards
Christian Iversen
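The setup the thread converges on (export the raw device from the VPS over iSCSI, open the LUKS container on the primary so the key never leaves it, then mirror locally) written out as a shell script. This is an added example, not code from the thread, from DRBD or from any of the posters; it follows Lars's pointer to mdadm (bitmap, write-mostly, write-behind) for the local mirror rather than local/local DRBD. The portal address, target IQN, device paths and array name are assumed placeholders; `DRY_RUN=1` (the default) prints the plan instead of executing it, so the commands can be reviewed before anything is written to a disk.

```shell
#!/bin/sh
# Added example (not from the thread): import a remote block device over iSCSI,
# open it as a LUKS container on the primary, and mirror the local disk onto the
# decrypted mapping with mdadm. All addresses, IQNs and device paths below are
# assumed placeholders. DRY_RUN=1 prints each command instead of running it.

DRY_RUN="${DRY_RUN:-1}"
PORTAL="${PORTAL:-192.0.2.10:3260}"                          # assumed VPS portal
TARGET_IQN="${TARGET_IQN:-iqn.2010-03.example:vps-mirror}"   # assumed target IQN
REMOTE_DEV="${REMOTE_DEV:-/dev/disk/by-path/ip-${PORTAL}-iscsi-${TARGET_IQN}-lun-0}"
LOCAL_DEV="${LOCAL_DEV:-/dev/localdisk}"                     # name used in the thread
MAPPER_NAME="${MAPPER_NAME:-decrypted-remote-disk}"          # name used in the thread
MD_DEV="${MD_DEV:-/dev/md0}"
WRITE_BEHIND="${WRITE_BEHIND:-256}"   # writes allowed to be outstanding on the remote leg

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Step 1: discover the target on the VPS and log in. The raw device (which
# holds only ciphertext) then appears locally under /dev/disk/by-path.
iscsi_import() {
    run iscsiadm -m discovery -t sendtargets -p "$PORTAL"
    run iscsiadm -m node -T "$TARGET_IQN" -p "$PORTAL" --login
}

# Step 2: open the LUKS container on the primary. The passphrase is read here
# and the key lives only in this host's kernel; the VPS sees ciphertext on its
# disk and on the iSCSI wire. Refuse to proceed if the name is already mapped
# or the device carries no LUKS header.
luks_open() {
    if [ "$DRY_RUN" != "1" ]; then
        if [ -e "/dev/mapper/$MAPPER_NAME" ]; then
            echo "already mapped: $MAPPER_NAME" >&2
            return 1
        fi
        if ! cryptsetup isLuks "$REMOTE_DEV"; then
            echo "not a LUKS device: $REMOTE_DEV" >&2
            return 1
        fi
    fi
    run cryptsetup luksOpen "$REMOTE_DEV" "$MAPPER_NAME"
}

# Step 3: a local RAID1 between the local disk and the decrypted mapping.
# --write-mostly keeps reads on the fast local leg; --write-behind (which
# requires the bitmap) lets writes to the remote leg lag, which is the
# asynchronous behaviour the original question asked for; the write-intent
# bitmap makes a resync after a link drop copy only dirty chunks.
# NOTE: --create writes md metadata onto both devices; use empty devices.
build_mirror() {
    run mdadm --create "$MD_DEV" --level=1 --raid-devices=2 \
        --bitmap=internal --write-behind="$WRITE_BEHIND" \
        "$LOCAL_DEV" --write-mostly "/dev/mapper/$MAPPER_NAME"
}

# The whole plan in order; stops at the first failing step.
setup_mirror() {
    iscsi_import && luks_open && build_mirror
}

setup_mirror
```

Two properties worth keeping in mind with this layout: dm-crypt/LUKS gives confidentiality only, so an operator of the VPS cannot read the mirrored data but can still corrupt or roll back blocks, and the md bitmap will not detect that; and the iSCSI session itself should at least use CHAP authentication so that the exported device is not reachable by anyone who can talk to the portal.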