Allow receiver to override encryption properties in case of replication
authorAmeer Hamza <106930537+ixhamza@users.noreply.github.com>
Wed, 14 Dec 2022 01:30:46 +0000 (06:30 +0500)
committerGitHub <noreply@github.com>
Wed, 14 Dec 2022 01:30:46 +0000 (17:30 -0800)
Currently, the receiver fails to override the encryption
property for the plain replicated dataset with the error:
"cannot receive incremental stream: encryption property
'encryption' cannot be set for incremental streams.". The
problem is resolved by allowing the receiver to override
the encryption property for plain replicated send.

Reviewed-by: Ryan Moeller <ryan@iXsystems.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Signed-off-by: Ameer Hamza <ahamza@ixsystems.com>
Closes #14253
Closes #13533

lib/libzfs/libzfs_sendrecv.c
tests/zfs-tests/tests/functional/cli_root/zfs_receive/zfs_receive_to_encrypted.ksh

index ac1834733cee5893b9256b904fb9b8f7002c3812..c79c636e16dbf5606e0c0cc49818784f5d795fd4 100644 (file)
@@ -4150,6 +4150,15 @@ zfs_setup_cmdline_props(libzfs_handle_t *hdl, zfs_type_t type,
                        goto error;
                }
 
+               /*
+                * For plain replicated send, we can ignore encryption
+                * properties other than first stream
+                */
+               if ((zfs_prop_encryption_key_param(prop) || prop ==
+                   ZFS_PROP_ENCRYPTION) && !newfs && recursive && !raw) {
+                       continue;
+               }
+
                /* incremental streams can only exclude encryption properties */
                if ((zfs_prop_encryption_key_param(prop) ||
                    prop == ZFS_PROP_ENCRYPTION) && !newfs &&
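Review bot: The added `continue` drops `encryption` and the key-parameter properties with no diagnostic whenever `!newfs && recursive && !raw`, where the incremental-stream check that follows used to reject them. If the destination already exists and is unencrypted, a caller who passed `-o encryption=on` would, as far as this hunk shows, get a successful receive into plaintext datasets. It is worth confirming that a check outside the hunk rejects that combination, or else reporting the ignored property to the caller. The comment should state the actual condition rather than "first stream", for example `/* Non-raw recursive receive into an existing dataset (!newfs): skip encryption properties instead of rejecting them; they only take effect when a dataset is created. */`. The enclosing loop and the rest of the incremental check lie outside the hunk.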
@@ -4251,7 +4260,8 @@ zfs_setup_cmdline_props(libzfs_handle_t *hdl, zfs_type_t type,
                if (cp != NULL)
                        *cp = '\0';
 
-               if (!raw && zfs_crypto_create(hdl, namebuf, voprops, NULL,
+               if (!raw && !(!newfs && recursive) &&
+                   zfs_crypto_create(hdl, namebuf, voprops, NULL,
                    B_FALSE, wkeydata_out, wkeylen_out) != 0) {
                        fnvlist_free(voprops);
                        ret = zfs_error(hdl, EZFS_CRYPTOFAILED, errbuf);
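Review bot: The guard `!raw && !(!newfs && recursive)` is hard to read because of the nested negation, and it restates the predicate already used by the earlier `continue` in this function, so the two sites can drift apart. Naming it once would help, for example `boolean_t skip_crypto = !newfs && recursive;` and then `if (!raw && !skip_crypto && zfs_crypto_create(...) != 0) {`. When the call is skipped, this branch does not write `wkeydata_out` or `wkeylen_out`; that presumably matches the existing raw path, but their initialisation is outside the hunk and should be confirmed.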
index 8bd9a685495096bbc0e237b2bc45b9c6b8c1299c..7e12d30d0e7e94302c6f9bbb05b6c29dc348defb 100755 (executable)
@@ -41,6 +41,9 @@ verify_runnable "both"
 
 function cleanup
 {
+       datasetexists $TESTPOOL/encrypted && \
+               destroy_dataset $TESTPOOL/encrypted -r
+
        snapexists $snap && destroy_dataset $snap -f
        snapexists $snap2 && destroy_dataset $snap2 -f
 
@@ -97,4 +100,15 @@ log_note "Verifying ZFS will not receive to an encrypted child when the" \
        "parent key is unloaded"
 log_mustnot eval "zfs send $snap | zfs receive $TESTPOOL/$TESTFS1/c4"
 
+# Verify that replication can override encryption properties
+log_note "Verifying replication can override encryption properties for plain dataset"
+typeset key_location="/$TESTPOOL/pkey1"
+log_must eval "echo $passphrase > $key_location"
+log_must eval "zfs send -R $snap2 | zfs recv -s -F -o encryption=on" \
+       "-o keyformat=passphrase -o keylocation=file://$key_location" \
+       "-o mountpoint=none $TESTPOOL/encrypted"
+log_must test "$(get_prop 'encryption' $TESTPOOL/encrypted)" != "off"
+log_must test "$(get_prop 'keyformat' $TESTPOOL/encrypted)" == "passphrase"
+log_must test "$(get_prop 'keylocation' $TESTPOOL/encrypted)" == "file://$key_location"
+
 log_pass "ZFS can receive encrypted filesystems into child dataset"
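Review bot: The added case appears to receive only into a destination that does not exist yet (`cleanup` destroys `$TESTPOOL/encrypted`), so it never passes `-o encryption=on` to a recursive receive whose destination already exists unencrypted. A second case for that situation, with either `log_mustnot` or an assertion on the resulting `encryption` value, would pin down whether the override is rejected or silently ignored. Separately, the passphrase file written to `/$TESTPOOL/pkey1` is not removed in the `cleanup` lines visible in this diff; adding `rm -f /$TESTPOOL/pkey1` there would avoid leaving key material behind after a failed run.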