Just thought about a nice usecase for the ZFS retention. One important thing with ZFS retention is that there is no privilege to allow you to destroy a filesystem with retained files in it. If you really want to prevent the destruction of a pool in any case, just create a filesystem in it, put a file in it and retain it for 10 years.
root@testbed:~# zfs create -o retention.policy=mandatory tank/roadblock
root@testbed:~# mkfile 1k /tank/roadblock/roadblock
root@testbed:~# touch -R 1231235935 /tank/roadblock/roadblock
root@testbed:~# zpool destroy tank
cannot destroy 'tank': has retained filesOf course you could to the same with a filesystem you never ever want to have destroyed.
root@testbed:~# zfs create -o retention.policy=mandatory tank/database
root@testbed:~# zfs set retention.period.default=1s tank/database
root@testbed:~# mkfile 1k /tank/database/roadblock
root@testbed:~# touch -R 1231235935 /tank/database/roadblock
root@testbed:~# zfs set retention.period.max=1s tank/database
root@testbed:~# zfs destroy tank/database
cannot destroy 'tank/database': has retained filesHowever you have to be a little bit cautious, that your application isn’t triggering an accidental retain. Given the methods to trigger the retaining of a file, i don’t think it’s highly probable. But still. Thus i would suggest to minimize the impact of such an accidential triggering by having a very small default and a very low maximum retaining period.
If you don’t want to commit for 10 years (because you really can’t remove it), you could of course schedule a script to run once a month setting a retain period of a month. Or hourly with a expiry of the retainment period in 24 hours, so you can have at least a good nights sleep after you have deactivated the cron job to think about your life, the universe and the decision to destroy a pool or filesystem dataset.
Of course you can still delete the contents of the pool or datasets or destroy datasets, if they aren’t protected this way, but at least a stray destroy subcommand can’t ruin your day.
