
In Debian with systemd, I use zfs and lxc. My zfs datasets are encrypted and their keys can be loaded from a network host via my /etc/zfs/zfs-load-key.sh script. My LXC containers are started by lxc.service.

Loading the keys requires the network up and running (otherwise I get the error "no route to host") but lxc.service requires the keys to be loaded.

Sounds trivial, but isn't. I created this file /etc/systemd/system/zfs-load-keyfile@.service:

[Unit]
Description=Load %I encryption keys from network host
DefaultDependencies=no
Before=zfs-mount.service lxc.service
After=zfs-import.target network-online.target
Requires=zfs-import.target
Wants=network-online.target

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/etc/zfs/zfs-load-key.sh %I

[Install]
WantedBy=zfs-mount.service lxc.service

and enabled them via:

systemctl enable zfs-load-keyfile@tank-dataset1.service
systemctl enable zfs-load-keyfile@tank-dataset2.service

For some reason, my LXC containers do not start because the keys were not yet loaded, ALTHOUGH I have Before=... lxc.service!

Why does this service not run at the right time, i.e. after the network is up and before lxc?

How to fix it?

divB
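Added example, not part of the original post: a check for whether the Before=/After= lines of a unit like the one in the question form an ordering cycle with other units. systemd breaks such a cycle by deleting one of the jobs in it, so an ordering line inside a cycle may not be honoured. The orderings listed for zfs-mount.service and networking.service are constructed assumptions; on a real host, take them from `systemctl show -p Before -p After UNIT`.

```python
from collections import defaultdict

# Constructed ordering data (assumptions, not read from a real host).
# The first entry mirrors the unit file in the question.
UNITS = {
    "zfs-load-keyfile@tank-dataset1.service": {
        "Before": ["zfs-mount.service", "lxc.service"],
        "After": ["zfs-import.target", "network-online.target"],
    },
    "zfs-mount.service": {"Before": ["local-fs.target"], "After": ["zfs-import.target"]},
    "networking.service": {"Before": ["network-online.target"], "After": ["local-fs.target"]},
}

def ordering_edges(units):
    """Return {a: {b, ...}} where each edge means 'a is started before b'."""
    graph = defaultdict(set)
    for unit, deps in units.items():
        for later in deps.get("Before", []):
            graph[unit].add(later)
        for earlier in deps.get("After", []):
            graph[earlier].add(unit)
    return graph

def find_cycle(units):
    """Return one ordering cycle as a list of unit names, or None."""
    graph = ordering_edges(units)
    done, path = set(), []

    def visit(node):
        if node in path:                     # back edge: the path loops
            return path[path.index(node):] + [node]
        if node in done:                     # already proven cycle-free
            return None
        path.append(node)
        for nxt in sorted(graph.get(node, ())):
            cycle = visit(nxt)
            if cycle:
                return cycle
        path.pop()
        done.add(node)
        return None

    for start in sorted(graph):
        cycle = visit(start)
        if cycle:
            return cycle
    return None

if __name__ == "__main__":
    print(" -> ".join(find_cycle(UNITS) or ["no ordering cycle"]))
```

On a running system, the journal of the affected boot shows the same information as "Found ordering cycle" messages naming the job that was deleted.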

0 Answers