anezmorv
April 30th, 2022, 11:46 PM
Click this link to go to the "solution": https://ubuntuforums.org/showthread.php?t=2474486&p=14095592#post14095592
TL,DR:
The goal: build an encrypted file server + VM host.
Purchased all new hardware
Installed Ubuntu Server 22.04 LTS without FDE
Setup VirtualBox + Windows 10 guest VM
Everything worked as expected
Wiped system
Reinstalled Ubuntu Server 22.04 LTS with FDE through dm-crypt/LUKS
System stability went straight to hell
Spent several days googling / tweaking settings
Gave up, reinstalled Ubuntu without FDE
Everything works as expected (except lack of encryption)
Abandoned project
Update
The same problem happens with Ubuntu 20: FDE w/ dm-crypt, transfer a large file, kcryptd workers hit 99% IO load, transfer dies / OS locks up
This is not a virtualbox problem, the Ubuntu 20 system did not have virtualbox installed
Swapping the SSD for an known-working and reliable spinning hard disk had no effect, problem persists
Intro
Yes, I am aware that this is a massive wall of text. If this was a single easy problem then I would've found my answer on google or stack overflow and been on my way. Complex, fiddly issues tend to not be associated with quick and easy diagnosis.
Somehow I traced all of my problems back to the LUKS / dm-crypt FDE option that I enabled during setup. I wrote out this brain dump in case someone wants to see a full description of exactly what happened.
Also, if you found this thread on the 8th page of Google results at 3AM on a Monday, staring into the mute remains for some key, some solution to your plight, you should know right now that I have no solution for you. I ultimately gave up. Fighting these problems took too much time and I had to abandon the project. I couldn't build the system I wanted to build with full-disk encryption on Ubuntu Server 22.04.
I'm posting this thread for two reasons:
A sign post / hint guide for the next poor user who suddenly finds themselves dealing with some of the same problems
Maybe someone else in the forum can offer some insight for a real solution.
Hardware:
AMD Ryzen 5 5600
ASRock B550 Steel Legend
NEMEX 32GB DDR4-3200 PC4-25600 ECC unbuffered DIMM
Corsair 850W PSU
Kingston 120GB A400 SATA SSD
Ubuntu Server 22.04 LTS with full-disk encryption (enabled during installation)
My laundry list of issues:
My Windows guest running under VirtualBox 6.1 won't stay up for more than a few seconds before crashing / BSODing / rebooting.
The Ubuntu host hangs while shutting down for reboot. the chassis reset button has no effect in this state.
Incoming SSH file transfers will move ~5GB and then just stop dead at 0 bytes/second.
I had one kernel panic.
Hardware Testing / Temporary System Setup
This is what I did after receiving all of the new hardware.
First, SSD testing. I attached the new Kingston SSD to another PC and ran a destructive badblocks test. badblocks reported no errors. smartctl also reported no errors.
Second, RAM testing. I assembled the system described above, including the Kingston SSD. I then ran MemTest86+ from a boot disk for about 2 days and saw no issues there either.
Third, CPU/RAM/OS combo testing. I installed Ubuntu Server 22.04 without FDE enabled just so I could test the hardware. I ran Prime95 for a week and saw no errors. edac-util reported no ECC errors either.
I installed VirtualBox 6.1 straight from the default Ubuntu package repo (I did not download the .deb from Oracle). I moved a ~30GB Windows VM over SSH file transfer to the new box and booted it as a headless VM. I was able to connect to the Windows guest VM over Remote Desktop without issue. The VM ran Prime95 overnight without any issues.
At this point everything seemed perfect. I was ready to tear the system down and build it up for "production".
The Troubles Begin - Setup
I booted from a GParted boot disk and deleted all partitions from the SSD. I ran dd to zero out the first ~10GB of the disk to ensure that all remnants of the test OS were completely gone. Then I booted from the same Ubuntu 22.04 LTS DVD that I had used to install the system the first time.
During installation, on the "Guided storage configuration" page, I chose:
Use an entire disk
Set up this disk as an LVM group
Encrypt the LVM group with LUKS
Then I set the password. On the next screen I had to adjust the encrypted OS partition size to *actually* use the entire disk (it only wanted to use 58G out of the available ~107GB), and then I let the installer fly.
I wasn't worried about the incorrect partition size since I'd seen that before when doing LUKS on Ubuntu 20. Kinda annoying it's still an issue with the latest installer, though.
The Troubles Begin - Broken SSH Transfers
On next boot I entered my LUKS password and the OS started as expected. I got my SSH key setup again, and then started moving the ~30GB Windows VM over to the freshly installed system.
WinSCP moved about 5GB and stopped. Then it froze. Then it dropped the connection. Hmm, weird. Maybe it's an issue with my main Windows desktop. I rebooted it and tried again. Same problem. I rebooted my network switch. Same problem. Tried different ports on the switch for both the Linux and Windows desktop. Same problem.
***. SSH transfers were working flawlessly 20 minutes ago on the non-FDE Ubuntu installation on exactly the same hardware.
Running iotop I saw that at the beginning of the SSH transfer the disk was writing at ~110MB/sec, which meant the gigabit connection was maxed out. Then disk throughput would drop to zero but a bunch of the kcryptd workers would be slamming the disk at 99% IO load. This went on long enough to stall and eventually kill the SSH file transfer.
Also, while these kcryptd workers were busy going nuts on the disk, terminal echo still worked but nothing else did. ls -la froze, htop froze, screen froze. Basically anything that touched the disk just stopped dead until the kcryptd workers got out of the way.
I found these two Stack Exchange threads:
https://serverfault.com/questions/1012566/luks-high-transfer-rates-followed-by-high-io-wait
https://askubuntu.com/questions/918580/how-do-i-troubleshoot-a-disk-io-performance-issue-possibly-related-to-dm-crypt-l
Specifically this thread, which provided what I thought was a solution:
https://askubuntu.com/questions/918580/how-do-i-troubleshoot-a-disk-io-performance-issue-possibly-related-to-dm-crypt-l/1363929#1363929
And so I ran this command:
cryptsetup --allow-discards --perf-no_read_workqueue --perf-no_write_workqueue --persistent refresh <name of my disk>
Then rebooted. SSH transfers suddenly started working again.
The Troubles Continue - Broken VirtualBox Guests
I got the Windows guest VM moved over and installed VirtualBox 6.1. I opened up the GUI through Xserver forwarding over SSH and registered the VM. Then I told it to start, but accidentally clicked "Start" instead of "Start Headless".
The VM booted up, showed the Windows logo, got to the login screen, and then flashed blue and restarted. Okay fine, maybe the VM didn't like running with Xserver over SSH. Understandable. I killed the VM and restarted headless. This time I made it to the desktop through Remote Desktop but after about 10 seconds the connection dropped.
The VirtualBox log said the VM had a "critical error" and automatically restarted it. I reconnected to the VM display and caught a BSOD in the middle of a dump. "SYSTEM THREAD EXCEPTION NOT HANDLED" in ntfs.sys. Okay... something is really wrong here.
The VM never booted again after that. The Windows logo would come up for just a second and then the VM would reboot itself.
I nuked the VM and transferred it over again. Then I ran b3sum on the VM files to confirm that they had transferred correctly from the source. The hashes matched, so no corruption there. I re-registered the VM and tried again. Same problem, boots and runs for few seconds, crashes hard and eventually destroys itself after a few boot loops.
Well. That's discouraging.
Fine, whatever. Maybe it's just Windows being Windows. I decided to rebuild the Windows VM directly on the Ubuntu server. I copied the ISO over, setup a blank VM, started it up, got into the Windows installer, setup partitions, files were copying... bam, another error. "Windows cannot install required files." I checked the ISO hash with b3sum, so the installation media was good. A fresh VM failing during Windows installation? This had to be a problem with the host.
I dug all over the VirtualBox forums and ticket lists looking for anything to go on. A lot of users have had issues mixing up paravirtualization acceleration between hyper-V and KVM and then trashing their VMs. But that didn't fit here - the same Windows VM had been working just fine on the non-FDE Ubuntu 22 system I was running barely an hour before. And how could VirtualBox basic default settings be wrong on a new VM?
Bad RAM? I ran memtest86+ again overnight. No errors reported.
The Troubles Continue - Reboot... doesn't
Over the course of dealing with the broken VMs I rebooted the system several times. I did the same way I've done it for years:
sudo reboot
SSH would drop and the monitor would flash a bunch of scrolling text and then turn off. All of this is expected. Except, the PC itself would not reboot. Lights will stay on, fans will stay on, but the UEFI splash screen would never come up.
In a bizarre turn of events, even pushing the chassis reset button had no effect. I had to hold the power button down to forcefully turn the system off. (And yes, the reset button is wired correctly, I tested that.)
I didn't spend any time digging into this problem, so I have no clues to offer.
Final Troubles - kernel panic
During one of my reboot / forced power off / boot cycles, shortly after unlocking the disk for boot, the system halted with kernel panic before it hit the login prompt. At this point I was so frustrated that I just yelled "Of course! Why not kernel panic? Might as well just catch fire too!" and immediately hit the power switch. I should have taken a moment to record exactly what caused the kernel panic, but didn't.
Giving Up
I had spent about a week chasing clues and vestiges of solutions on google, reading 8+ year old forum threads, translating trouble tickets written in Russian / Japanese / whatever, but there was no golden solution that pointed to a root cause for my VM crash issue. And the system itself seemed to be getting less stable with every boot. The reboot hang was seldom at first, but was now happening on every reboot, apt started complaining about broken packages, eventually the network connection stopped coming up on boot. Every bit of it smelled like a bad CPU, bad RAM, a bad disk, or all of the above.
The original test system worked PERFECTLY. Absolutely no problems at all. The "production" system had only one thing different... it used full disk encryption through dm-crypt / LUKS, as offered by the Ubuntu Server 22.04 LTS installer.
But there was no way it could be dm-crypt. I'd been using it for years on older Ubuntu installations. The last mutterings of dm-crypt data corruption bugs happened in 2006. Freaking Amazon uses it for their cloud infrastructure. It could not. Possibly. Be. dm-crypt.
Or could it?
Having nothing to lose at that point, I wiped the SSD and loaded up the Ubuntu installer again, this time reinstalling the entire system without FDE. VirtualBox installed, Windows VM copied over, let's go.
...and it worked perfectly fine. In fact I've been running Prime95 in the Windows VM since getting everything reinstalled again (about 4 hours now) and it hasn't had any hiccups. Compare that to the FDE installation where things were going wrong within a minute of logging in for the first time.
That was all the evidence I needed to point my finger at dm-crypt, or the integration thereof in Ubuntu 22.
Conclusions
I, uh. Er. I guess dm-crypt is broken? Somehow? Maybe? Something to do with trim settings that cause the SSD to blow up sectors that are actually in use?
I don't know what else to say about this. I'm not a kernel developer. I'm not even really a tech person. I just use Linux where I feel like it's the right tool for the job. In this case I was trying to build an encrypted file server - something I have done several times before on Ubuntu 18 and 20 - and dm-crypt on Ubuntu 22 was absolutely not having it.
Installing Ubuntu 20 or older isn't an option since the older kernels don't know how to read from my ECC controller, apparently.
Anyway if you read this far, thanks. This was a chore to type out and probably even worse to read.
To those looking for a solution to the same problem - good luck. May you succeed where I failed.
To those who wish to offer advice or help - I'll check the thread regularly for a few days to answer any questions.
TL,DR:
The goal: build an encrypted file server + VM host.
Purchased all new hardware
Installed Ubuntu Server 22.04 LTS without FDE
Setup VirtualBox + Windows 10 guest VM
Everything worked as expected
Wiped system
Reinstalled Ubuntu Server 22.04 LTS with FDE through dm-crypt/LUKS
System stability went straight to hell
Spent several days googling / tweaking settings
Gave up, reinstalled Ubuntu without FDE
Everything works as expected (except lack of encryption)
Abandoned project
Update
The same problem happens with Ubuntu 20: FDE w/ dm-crypt, transfer a large file, kcryptd workers hit 99% IO load, transfer dies / OS locks up
This is not a virtualbox problem, the Ubuntu 20 system did not have virtualbox installed
Swapping the SSD for an known-working and reliable spinning hard disk had no effect, problem persists
Intro
Yes, I am aware that this is a massive wall of text. If this was a single easy problem then I would've found my answer on google or stack overflow and been on my way. Complex, fiddly issues tend to not be associated with quick and easy diagnosis.
Somehow I traced all of my problems back to the LUKS / dm-crypt FDE option that I enabled during setup. I wrote out this brain dump in case someone wants to see a full description of exactly what happened.
Also, if you found this thread on the 8th page of Google results at 3AM on a Monday, staring into the mute remains for some key, some solution to your plight, you should know right now that I have no solution for you. I ultimately gave up. Fighting these problems took too much time and I had to abandon the project. I couldn't build the system I wanted to build with full-disk encryption on Ubuntu Server 22.04.
I'm posting this thread for two reasons:
A sign post / hint guide for the next poor user who suddenly finds themselves dealing with some of the same problems
Maybe someone else in the forum can offer some insight for a real solution.
Hardware:
AMD Ryzen 5 5600
ASRock B550 Steel Legend
NEMEX 32GB DDR4-3200 PC4-25600 ECC unbuffered DIMM
Corsair 850W PSU
Kingston 120GB A400 SATA SSD
Ubuntu Server 22.04 LTS with full-disk encryption (enabled during installation)
My laundry list of issues:
My Windows guest running under VirtualBox 6.1 won't stay up for more than a few seconds before crashing / BSODing / rebooting.
The Ubuntu host hangs while shutting down for reboot. the chassis reset button has no effect in this state.
Incoming SSH file transfers will move ~5GB and then just stop dead at 0 bytes/second.
I had one kernel panic.
Hardware Testing / Temporary System Setup
This is what I did after receiving all of the new hardware.
First, SSD testing. I attached the new Kingston SSD to another PC and ran a destructive badblocks test. badblocks reported no errors. smartctl also reported no errors.
Second, RAM testing. I assembled the system described above, including the Kingston SSD. I then ran MemTest86+ from a boot disk for about 2 days and saw no issues there either.
Third, CPU/RAM/OS combo testing. I installed Ubuntu Server 22.04 without FDE enabled just so I could test the hardware. I ran Prime95 for a week and saw no errors. edac-util reported no ECC errors either.
I installed VirtualBox 6.1 straight from the default Ubuntu package repo (I did not download the .deb from Oracle). I moved a ~30GB Windows VM over SSH file transfer to the new box and booted it as a headless VM. I was able to connect to the Windows guest VM over Remote Desktop without issue. The VM ran Prime95 overnight without any issues.
At this point everything seemed perfect. I was ready to tear the system down and build it up for "production".
The Troubles Begin - Setup
I booted from a GParted boot disk and deleted all partitions from the SSD. I ran dd to zero out the first ~10GB of the disk to ensure that all remnants of the test OS were completely gone. Then I booted from the same Ubuntu 22.04 LTS DVD that I had used to install the system the first time.
During installation, on the "Guided storage configuration" page, I chose:
Use an entire disk
Set up this disk as an LVM group
Encrypt the LVM group with LUKS
Then I set the password. On the next screen I had to adjust the encrypted OS partition size to *actually* use the entire disk (it only wanted to use 58G out of the available ~107GB), and then I let the installer fly.
I wasn't worried about the incorrect partition size since I'd seen that before when doing LUKS on Ubuntu 20. Kinda annoying it's still an issue with the latest installer, though.
The Troubles Begin - Broken SSH Transfers
On next boot I entered my LUKS password and the OS started as expected. I got my SSH key setup again, and then started moving the ~30GB Windows VM over to the freshly installed system.
WinSCP moved about 5GB and stopped. Then it froze. Then it dropped the connection. Hmm, weird. Maybe it's an issue with my main Windows desktop. I rebooted it and tried again. Same problem. I rebooted my network switch. Same problem. Tried different ports on the switch for both the Linux and Windows desktop. Same problem.
***. SSH transfers were working flawlessly 20 minutes ago on the non-FDE Ubuntu installation on exactly the same hardware.
Running iotop I saw that at the beginning of the SSH transfer the disk was writing at ~110MB/sec, which meant the gigabit connection was maxed out. Then disk throughput would drop to zero but a bunch of the kcryptd workers would be slamming the disk at 99% IO load. This went on long enough to stall and eventually kill the SSH file transfer.
Also, while these kcryptd workers were busy going nuts on the disk, terminal echo still worked but nothing else did. ls -la froze, htop froze, screen froze. Basically anything that touched the disk just stopped dead until the kcryptd workers got out of the way.
I found these two Stack Exchange threads:
https://serverfault.com/questions/1012566/luks-high-transfer-rates-followed-by-high-io-wait
https://askubuntu.com/questions/918580/how-do-i-troubleshoot-a-disk-io-performance-issue-possibly-related-to-dm-crypt-l
Specifically this thread, which provided what I thought was a solution:
https://askubuntu.com/questions/918580/how-do-i-troubleshoot-a-disk-io-performance-issue-possibly-related-to-dm-crypt-l/1363929#1363929
And so I ran this command:
cryptsetup --allow-discards --perf-no_read_workqueue --perf-no_write_workqueue --persistent refresh <name of my disk>
Then rebooted. SSH transfers suddenly started working again.
The Troubles Continue - Broken VirtualBox Guests
I got the Windows guest VM moved over and installed VirtualBox 6.1. I opened up the GUI through Xserver forwarding over SSH and registered the VM. Then I told it to start, but accidentally clicked "Start" instead of "Start Headless".
The VM booted up, showed the Windows logo, got to the login screen, and then flashed blue and restarted. Okay fine, maybe the VM didn't like running with Xserver over SSH. Understandable. I killed the VM and restarted headless. This time I made it to the desktop through Remote Desktop but after about 10 seconds the connection dropped.
The VirtualBox log said the VM had a "critical error" and automatically restarted it. I reconnected to the VM display and caught a BSOD in the middle of a dump. "SYSTEM THREAD EXCEPTION NOT HANDLED" in ntfs.sys. Okay... something is really wrong here.
The VM never booted again after that. The Windows logo would come up for just a second and then the VM would reboot itself.
I nuked the VM and transferred it over again. Then I ran b3sum on the VM files to confirm that they had transferred correctly from the source. The hashes matched, so no corruption there. I re-registered the VM and tried again. Same problem, boots and runs for few seconds, crashes hard and eventually destroys itself after a few boot loops.
Well. That's discouraging.
Fine, whatever. Maybe it's just Windows being Windows. I decided to rebuild the Windows VM directly on the Ubuntu server. I copied the ISO over, setup a blank VM, started it up, got into the Windows installer, setup partitions, files were copying... bam, another error. "Windows cannot install required files." I checked the ISO hash with b3sum, so the installation media was good. A fresh VM failing during Windows installation? This had to be a problem with the host.
I dug all over the VirtualBox forums and ticket lists looking for anything to go on. A lot of users have had issues mixing up paravirtualization acceleration between hyper-V and KVM and then trashing their VMs. But that didn't fit here - the same Windows VM had been working just fine on the non-FDE Ubuntu 22 system I was running barely an hour before. And how could VirtualBox basic default settings be wrong on a new VM?
Bad RAM? I ran memtest86+ again overnight. No errors reported.
The Troubles Continue - Reboot... doesn't
Over the course of dealing with the broken VMs I rebooted the system several times. I did the same way I've done it for years:
sudo reboot
SSH would drop and the monitor would flash a bunch of scrolling text and then turn off. All of this is expected. Except, the PC itself would not reboot. Lights will stay on, fans will stay on, but the UEFI splash screen would never come up.
In a bizarre turn of events, even pushing the chassis reset button had no effect. I had to hold the power button down to forcefully turn the system off. (And yes, the reset button is wired correctly, I tested that.)
I didn't spend any time digging into this problem, so I have no clues to offer.
Final Troubles - kernel panic
During one of my reboot / forced power off / boot cycles, shortly after unlocking the disk for boot, the system halted with kernel panic before it hit the login prompt. At this point I was so frustrated that I just yelled "Of course! Why not kernel panic? Might as well just catch fire too!" and immediately hit the power switch. I should have taken a moment to record exactly what caused the kernel panic, but didn't.
Giving Up
I had spent about a week chasing clues and vestiges of solutions on google, reading 8+ year old forum threads, translating trouble tickets written in Russian / Japanese / whatever, but there was no golden solution that pointed to a root cause for my VM crash issue. And the system itself seemed to be getting less stable with every boot. The reboot hang was seldom at first, but was now happening on every reboot, apt started complaining about broken packages, eventually the network connection stopped coming up on boot. Every bit of it smelled like a bad CPU, bad RAM, a bad disk, or all of the above.
The original test system worked PERFECTLY. Absolutely no problems at all. The "production" system had only one thing different... it used full disk encryption through dm-crypt / LUKS, as offered by the Ubuntu Server 22.04 LTS installer.
But there was no way it could be dm-crypt. I'd been using it for years on older Ubuntu installations. The last mutterings of dm-crypt data corruption bugs happened in 2006. Freaking Amazon uses it for their cloud infrastructure. It could not. Possibly. Be. dm-crypt.
Or could it?
Having nothing to lose at that point, I wiped the SSD and loaded up the Ubuntu installer again, this time reinstalling the entire system without FDE. VirtualBox installed, Windows VM copied over, let's go.
...and it worked perfectly fine. In fact I've been running Prime95 in the Windows VM since getting everything reinstalled again (about 4 hours now) and it hasn't had any hiccups. Compare that to the FDE installation where things were going wrong within a minute of logging in for the first time.
That was all the evidence I needed to point my finger at dm-crypt, or the integration thereof in Ubuntu 22.
Conclusions
I, uh. Er. I guess dm-crypt is broken? Somehow? Maybe? Something to do with trim settings that cause the SSD to blow up sectors that are actually in use?
I don't know what else to say about this. I'm not a kernel developer. I'm not even really a tech person. I just use Linux where I feel like it's the right tool for the job. In this case I was trying to build an encrypted file server - something I have done several times before on Ubuntu 18 and 20 - and dm-crypt on Ubuntu 22 was absolutely not having it.
Installing Ubuntu 20 or older isn't an option since the older kernels don't know how to read from my ECC controller, apparently.
Anyway if you read this far, thanks. This was a chore to type out and probably even worse to read.
To those looking for a solution to the same problem - good luck. May you succeed where I failed.
To those who wish to offer advice or help - I'll check the thread regularly for a few days to answer any questions.