Before using retention, you should know about some As soon as you activate some features of file retention in ZFS there is no way back. Other commands may not work as expected.
- Most important and so i’m repeating it here: Mandatory retention is a commitment. There is no privilege to allow detroying a pool or a zfs filesytem with a single retained file, if you are using mandatory retention. This is the reason why i used zpools in a file for my example. Of course you could just swipe the disks. But exporting the pool and removing the files was just more elegant.
- It’s already in the main blog entry, too: But you can’t change the retention policy.
root@testbed:~# zfs create -o retention.policy=mandatory tank/tohuwabohu
root@testbed:~# zfs set retention.policy=privileged tank/tohuwabohu
Cannot set property for 'tank/tohuwabohu': 'retention.policy' is readonly
root@testbed:~# zfs create -o retention.policy=privileged tank/tohuwabohu
root@testbed:~# zfs set retention.policy=mandatory tank/tohuwabohu
Cannot set property for 'tank/tohuwabohu': 'retention.policy' is readonly- You can’t do a
zfs rollbackon a file system with a mandatory retention policy. Even when there is no retained file in it. Keep this in mind, when you are using a retained file to stop you from accidentially deleting a zfs filesystem.
root@testbed:~# zfs create -o retention.policy=mandatory tank/tohuwabohu
root@testbed:~# zfs set retention.period.default=180s tank/tohuwabohu
root@testbed:~# touch /tank/tohuwabohu/tuesday
root@testbed:~# touch /tank/tohuwabohu/wednesday
root@testbed:~# zfs snapshot tank/tohuwabohu@wednesday
root@testbed:~# touch /tank/tohuwabohu/thursday
root@testbed:~# zfs rollback tank/tohuwabohu@wednesday
cannot rollback 'tank/tohuwabohu': rollback of a mandatory retention dataset not allowed- However on a file system with the
privilegedretention policy, this is possible. Even with a retained file in it.
root@testbed:~# zfs create -o retention.policy=privileged tank/tohuwabohu
root@testbed:~# zfs set retention.period.default=180s tank/tohuwabohu
root@testbed:~# touch /tank/tohuwabohu/tuesday
root@testbed:~# touch /tank/tohuwabohu/wednesday
root@testbed:~# zfs snapshot tank/tohuwabohu@wednesday
root@testbed:~# touch -R /tank/tohuwabohu/thursday
root@testbed:~# zfs rollback tank/tohuwabohu@wednesday- You can’t increase the grace period (the since the last write to trigger auto-retention)
root@testbed:~# zfs set retention.period.grace=180s tank/tohuwabohu
root@testbed:~# zfs set retention.period.grace=181s tank/tohuwabohu
Cannot set property for 'tank/tohuwabohu': once enabled, retention grace period cannot be increased- However you can decrease it
root@testbed:~# zfs set retention.period.grace=179s tank/tohuwabohu- After cloning a filesystem, the file retention is still in action.
root@testbed:~# touch -R /tank/tohuwabohu/test
root@testbed:~# zfs snapshot tank/tohuwabohu@test
root@testbed:~# zfs clone tank/tohuwabohu@test tank/narf
root@testbed:~# cd /tank/narf
root@testbed:/tank/narf# zfs get retention tank/narf
NAME PROPERTY VALUE SOURCE
tank/narf retention.period.* ... -
tank/narf retention.policy mandatory -
tank/narf retention.policy.* ... -
tank/narf retention.status.* ... -
root@testbed:/tank/narf# ls
test thursday tuesday wednesday
root@testbed:/tank/narf# rm test
rm: test not removed: Insufficient privileges- You can only move a directory if it’s empty
root@testbed:/tank/tohuwabohu# mv dir1 dir2
mv: cannot rename dir1 to dir2: Insufficient privileges
root@testbed:/tank/tohuwabohu# cd dir1
root@testbed:/tank/tohuwabohu/dir1# ls
file1
root@testbed:/tank/tohuwabohu/dir1# rm file1
root@testbed:/tank/tohuwabohu/dir1# cd ..
root@testbed:/tank/tohuwabohu# mv dir1 dir2
mv: cannot rename dir1 to dir2: Insufficient privileges- Over the retention period users allowed to access the files may change, for example by retirements. So you may have to change the ACL. Or you want to run a new application under a different username with the data. You can allow the system to change the ACL of a retained file. As long as you don’t try to allow writes, of course.
root@testbed:/tank/tohuwabohu# mkfile 1k narf1
root@testbed:/tank/tohuwabohu# touch -R narf1
root@testbed:/tank/tohuwabohu# chmod A+user:junior:r:allow narf1
chmod: ERROR: Failed to set ACL: Insufficient privileges: narf1
root@testbed:/tank/tohuwabohu# zfs set retention.policy.changeacl=on tank/tohuwabohu
root@testbed:/tank/tohuwabohu# chmod A+user:junior:r:allow narf1
root@testbed:/tank/tohuwabohu# chmod A+user:junior:rw:allow narf1
chmod: ERROR: Failed to set ACL: Insufficient privileges: narf1
