[pkg-cryptsetup-devel] Bug#419571: cryptsetup: another usecase: boot from lvm on md on (multiple) dm-crypt

Christian Pernegger pernegger at gmail.com
Wed Oct 21 10:24:02 UTC 2009


Package: cryptsetup
Version: 2:1.0.6-7
Followup-For: Bug #419571


I have another use case for this wishlist item, one that'll hopefully
expedite its implementation :-)

Current mainstream CPUs seem to be able to do ~100MiB/s per core in
aes-cbc-essiv:sha256 mode, assuming a 256-bit key. Since dm-crypt uses
at most one thread per mapping this constitutes an upper bound on the
performance of any one mapping.
One could say that this is enough for most applications but the
problem is, it only works as long as the underlying disk is
significantly slower. If the disk can serve requests faster than
dm-crypt can process them, and multiple processes/threads want to do
I/O simultaneously, performance goes down the drain. Throughput is
still fine but even a single streaming write will monopolize I/O for
tens of seconds at a time, making the system unusable, especially if
the root partition is on the same mapping.
No, changing I/O schedulers does nothing.

Nowadays that condition holds for any RAID array (my use case) but
even single disks are fast enough to possibly be affected (anything
SCSI, the VelociRaptor, newer 1TB+ disks on their outer tracks, ...)

The established workaround for md raid5 at least seems to be to
dm-crypt the component disks, raid those and (optionally) put lvm on
top. Backwards as it sounds it actually works. Even though one is
writing the data out n/(n-1) times and read-modify-write gets really
ugly it still eliminates the starvation issues and gives a nice read
performance boost to boot.

Sadly initramfs-tools' initrd will not boot from such a setup (can't
find root partition), though I can boot just fine from the busybox
prompt.
The main problem seems to be that the scripts will only activate one
mapping at most, another is that cryptroot wants to run after mdadm.

Thanks for reading,

Chris



-- System Information:
Debian Release: 5.0.3
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.30-bpo.2-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_AT.UTF-8, LC_CTYPE=de_AT.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages cryptsetup depends on:
ii  dmsetup                      2:1.02.27-4 The Linux Kernel Device Mapper use
ii  libc6                        2.7-18      GNU C Library: Shared libraries
ii  libdevmapper1.02.1           2:1.02.27-4 The Linux Kernel Device Mapper use
ii  libpopt0                     1.14-4      lib for parsing cmdline parameters
ii  libuuid1                     1.41.3-1    universally unique id library

cryptsetup recommends no packages.

Versions of packages cryptsetup suggests:
pn  dosfstools                <none>         (no description available)
ii  initramfs-tools [linux-in 0.92o          tools for generating an initramfs
ii  udev                      0.125-7+lenny3 /dev/ and hotplug management daemo

-- no debconf information
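
The layering described in the message above (dm-crypt on each component disk, md raid5 over the mappings, optional lvm on top), as an added example that is not part of the original message: a dry-run shell function that only prints the commands in stacking order. The mapping names, /dev/md0, vg0, the LV size, the three-member minimum and the sample partitions are assumptions of this example.

```shell
#!/bin/sh
# Added example: dry-run planner for the stack described in the message.
# It only prints commands; nothing is executed and no device is touched.
# Mapping names (crypt0..), /dev/md0, vg0 and the LV size are assumptions.

plan_stack() {
    n=$#
    # This example insists on three or more members (its own choice).
    if [ "$n" -lt 3 ]; then
        echo "need at least 3 component devices for this example" >&2
        return 1
    fi

    # One dm-crypt mapping per component disk, so each mapping gets its own
    # encryption thread instead of one thread serving the whole array.
    i=0
    members=""
    for dev in "$@"; do
        echo "cryptsetup luksFormat -c aes-cbc-essiv:sha256 -s 256 $dev"
        echo "cryptsetup luksOpen $dev crypt$i"
        members="$members /dev/mapper/crypt$i"
        i=$((i + 1))
    done

    # RAID5 is built from the opened mappings, not from the raw disks.
    echo "mdadm --create /dev/md0 --level=5 --raid-devices=$n$members"

    # Optional LVM layer on top of the array.
    echo "pvcreate /dev/md0"
    echo "vgcreate vg0 /dev/md0"
    echo "lvcreate -L 10G -n root vg0"

    # Parity is encrypted too: n/(n-1) of the user data passes through dm-crypt.
    echo "# data encrypted per unit written: $((100 * n / (n - 1)))%"
}

# Constructed sample input: three hypothetical partitions.
plan_stack /dev/sda2 /dev/sdb2 /dev/sdc2
```

Booting from this layout needs every crypt mapping opened before the array is assembled, which is the ordering the message reports the initramfs scripts do not provide.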




