Date: Sun, 30 May 2010 13:09:56 -0700 (PDT)
From: Matthew Dillon <dillon@apollo.backplane.com>
To: FreeBSD-STABLE Mailing List <freebsd-stable@freebsd.org>
Subject: Re: Make ZFS auto-destroy snapshots when the out of space?
Message-ID: <201005302009.o4UK9u9R002477@apollo.backplane.com>
References: <4C017419.9010909@strauser.com> <AANLkTimcL9N4oaz9m4YrQuH2nYweOx0-o4drz3buzqGv@mail.gmail.com>
It is actually a security issue to automatically destroy snapshots based on whether a filesystem is full, even automatically generated snapshots. Since one usually implements snapshots to perform a function you wish to rely on, such as to retain backups of historical data for auditing or other purposes, you do not want an attacker to be able to indirectly destroy snapshots simply by filling up the filesystem.

Instead what you want to do is to treat both the automatic and the manual snapshots as an integrated part of the filesystem's operation. Just as we have to deal with a nominal non-snapshotted filesystem-full condition today, we also want to treat a filesystem with multiple snapshots in the same vein.

So, for example, you might administratively desire 60 1-day snapshots plus 10-minute snapshots for the most recent 3 days to be retained at all times. The automatic maintenance of the snapshots would then administratively delete snapshots over 60 days old and prune to a coarser grain past 3 days.

The use of snapshots on modern filesystems capable of managing large numbers of snapshots relatively pain-free, particularly on large storage systems and/or on modern multi-terabyte HDs, requires a bit of a change in thinking. You have to stop thinking of the snapshots as optional and start thinking of them as mandatory. When snapshot availability is an assumed condition and not an exceptional or special-case condition, it opens up a whole new arena in how filesystems can be managed, backed up, audited, and used in everyday work.

Once your thinking processes change you'll never go back to non-snapshotted or nontrivially-snapshotted filesystems. And you will certainly not want to allow a filesystem being mistakenly filled up to destroy your precious snapshots :-)

-Matt
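The retention policy sketched in the message (every 10-minute snapshot for the most recent 3 days, one snapshot per day out to 60 days, nothing older) can be expressed as a pure function of snapshot timestamps, so that free space never enters the decision and filling the filesystem cannot trigger a destroy. The following is an added example written for this page, not code from the message, from FreeBSD or from ZFS. It assumes a hypothetical snapshot naming scheme of the form `<dataset>@auto-YYYYMMDD-HHMM`, a constructed inventory of snapshots, and a constructed "now" of 2010-05-30 13:00; it renders `zfs destroy` commands as strings rather than executing them.

```python
"""Age-based snapshot pruning that never looks at free space.

Added example (not from the message, FreeBSD or ZFS). Policy: keep every
snapshot younger than FINE_WINDOW, keep one snapshot per calendar day out
to COARSE_WINDOW, destroy anything older. The only input is the set of
snapshot timestamps; disk usage is deliberately not consulted, so an
attacker filling the filesystem cannot cause a snapshot to be destroyed.
"""
from datetime import datetime, timedelta

FINE_WINDOW = timedelta(days=3)     # keep every snapshot this recent
COARSE_WINDOW = timedelta(days=60)  # keep one per day out to here
SNAP_FMT = "%Y%m%d-%H%M"            # hypothetical "<dataset>@auto-YYYYMMDD-HHMM"
EXAMPLE_NOW = datetime(2010, 5, 30, 13, 0)  # constructed reference time


def snapshot_time(name):
    """Parse the timestamp out of '<dataset>@auto-YYYYMMDD-HHMM'."""
    _, _, stamp = name.partition("@auto-")
    if not stamp:
        raise ValueError(f"not an auto snapshot: {name}")
    return datetime.strptime(stamp, SNAP_FMT)


def plan_pruning(snapshots, now):
    """Return (keep, destroy). A pure function of timestamps and 'now'."""
    keep, destroy = [], []
    kept_days = set()
    # Newest first, so the single snapshot retained for a day is its latest.
    for name in sorted(snapshots, key=snapshot_time, reverse=True):
        when = snapshot_time(name)
        age = now - when
        if age < timedelta(0):
            # Future-dated: clock skew or a bad name. Never destroy on a guess.
            keep.append(name)
        elif age <= FINE_WINDOW:
            keep.append(name)
            kept_days.add(when.date())
        elif age <= COARSE_WINDOW:
            if when.date() in kept_days:
                destroy.append(name)       # coarser grain: one per day
            else:
                kept_days.add(when.date())
                keep.append(name)
        else:
            destroy.append(name)           # past the 60-day horizon
    return keep, destroy


def destroy_commands(destroy):
    """Render the zfs destroy commands; the caller decides whether to run them."""
    return [f"zfs destroy {name}" for name in destroy]


def sample_snapshots(now, dataset="tank/home"):
    """Constructed inventory: 10-minute snapshots covering the last 4 days,
    then one midnight snapshot per day for the 70 days before that."""
    names = []
    t = now
    while now - t <= timedelta(days=4):
        names.append(f"{dataset}@auto-{t.strftime(SNAP_FMT)}")
        t -= timedelta(minutes=10)
    midnight = now.replace(hour=0, minute=0)
    for i in range(5, 75):
        d = midnight - timedelta(days=i)
        names.append(f"{dataset}@auto-{d.strftime(SNAP_FMT)}")
    return names


if __name__ == "__main__":
    keep, destroy = plan_pruning(sample_snapshots(EXAMPLE_NOW), EXAMPLE_NOW)
    print(f"keep {len(keep)}, destroy {len(destroy)}")
    for cmd in destroy_commands(destroy)[:3]:
        print(cmd)
```

With the constructed inventory, every 10-minute snapshot from the last 3 days survives, the fourth day back collapses to its latest snapshot, the daily snapshots out to 60 days survive, and only snapshots older than the horizon (or redundant within a day) are listed for destruction. Whatever calls this would wrap the `zfs destroy` strings in a process call and log each one; the point of keeping the planner separate is that a full-filesystem condition has no path into it.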