Make ZFS auto-destroy snapshots when the out of space?
Matthew Dillon
dillon at apollo.backplane.com
Sun May 30 20:09:57 UTC 2010

It is actually a security issue to automatically destroy snapshots based
on whether a filesystem is full, even automatically generated snapshots.
Since one usually implements snapshots to perform a function you wish
to rely on, such as to retain backups of historical data for auditing
or other purposes, you do not want an attacker to be able to indirectly
destroy snapshots simply by filling up the filesystem.

Instead what you want to do is to treat both the automatic and the manual
snapshots as an integrated part of the filesystem's operation. Just as
we have to deal with a nominal non-snapshotted filesystem-full condition
today we also want to treat a filesystem with multiple snapshots in the
same vein. So, for example, you might administratively desire 60 1-day
snapshots plus 10 minute snapshots for the most recent 3 days to be
retained at all times. The automatic maintenance of the snapshots
would then administratively delete snapshots over 60 days old and prune
to a coarser grain past 3 days.

The use of snapshots on modern filesystems capable of managing large
numbers of snapshots relatively pain-free, particularly on large storage
systems and/or on modern multi-terabyte HDs, requires a bit of a change
in thinking. You have to stop thinking of the snapshots as optional and
start thinking of them as mandatory.

When snapshot availability is an assumed condition and not an
exceptional or special-case condition it opens up a whole new arena
in how filesystems can be managed, backed-up, audited, and used in
every-day work. Once your thinking processes change you'll never
go back to non-snapshotted or nontrivially-snapshotted filesystems.
And you will certainly not want to allow a filesystem being mistakenly
filled up to destroy your precious snapshots :-)

-Matt
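
The retention scheme described in the message above (every 10-minute snapshot for 3 days, one per day out to 60 days), sketched as an added example that is not part of the original post or of any ZFS or HAMMER tool. The function names, the `tank/data@auto-...` snapshot names and the sample timestamps are constructed for illustration; the planner takes only snapshot ages as input, so a full filesystem has no way to influence what gets destroyed.

```python
from datetime import datetime, timedelta, timezone

FINE_WINDOW = timedelta(days=3)   # every 10-minute snapshot is kept this long
MAX_AGE = timedelta(days=60)      # one snapshot per day is kept this long


def plan_prune(snapshots, now):
    """Split (name, created) pairs into (keep, destroy) by age alone.

    Free space is deliberately not an input: filling the filesystem
    cannot change which snapshots this policy retains.
    """
    keep, destroy, days_kept = [], [], set()
    for name, created in sorted(snapshots, key=lambda s: s[1]):
        age = now - created
        if age <= FINE_WINDOW:
            keep.append(name)          # fine-grained window (also clock skew)
        elif age <= MAX_AGE:
            day = created.date()
            if day in days_kept:
                destroy.append(name)   # coarser grain: one per day
            else:
                days_kept.add(day)
                keep.append(name)      # earliest snapshot of that day
        else:
            destroy.append(name)       # past the administrative retention
    return keep, destroy


def sample_snapshots(now, days=70, step=timedelta(minutes=10)):
    """Constructed input: one snapshot every 10 minutes for 70 days."""
    count = int(timedelta(days=days) / step)
    return [("tank/data@auto-%s" % (now - i * step).strftime("%Y%m%d-%H%M"),
             now - i * step) for i in range(count)]


if __name__ == "__main__":
    now = datetime(2010, 5, 30, 20, 0, tzinfo=timezone.utc)
    keep, destroy = plan_prune(sample_snapshots(now), now)
    print(len(keep), "kept,", len(destroy), "to destroy")
```
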