On Thu, May 21, 2009 at 01:41:55PM +0100, Paul Bradley wrote:
> I am setting up an encrypted fileserver with off-site backup, for one reason
> and another which I won't go into here for the sake of brevity, I need to
> block-level snapshot partitions, file-level snapshots as I believe are
> provided in UFS won't do since the partitions will contain large monolithic
> files filling the entire partition (which will be mounted by the users via
> loopback and dm-crypt).
>
> Hence the problem is that if one or more of these large (say 500GB)
> monoliths is mounted at the time the backup is taking place, and snapshots
> are file-level, then any change to the file will immediately trigger the OS
> to try and create a copy of a 500GB file so as to snapshot it as it has
> changed - no good to me I am afraid, changes during backups will likely be
> small (can be controlled to be no more than say 10GB of data changing, so no
> problem to allocate snapshotting space), but _MUST_ be represented at the
> block level so that I can freeze the filesystem pre-backup, then run my
> backup in parallel while the user continues to alter the monolithic file
> with impunity.
>
> Is there the capability for block-level snapshots in OpenBSD, if not in bare
> OBSD can I do it with another filesystem than UFS?
>
> I have heard of the HAMMER FS, it looks good if a bit new and untested,
> perhaps that does block level snapshots - however it seems a bit new and
> untested for my tastes so unless there is a better alternative I'd rather
> not go down that route.
>
> I am very keen to run OBSD on this, but if it's absolutely impractical to do
> so I'd also welcome suggestions of other ways to do this in FreeBSD.

There is no support in OpenBSD for snapshots, so that isn't going to
fly. OpenBSD does support encrypted filesystems, but then it's the
server doing the decrypting. I suppose you could create a RAID-1, break
the RAID and make a snapshot of one disk, but that's hardly a reasonable
solution.

The HAMMER filesystem does support snapshots, and I don't think it will
copy a 500GB file because someone changed a single bit. However, it is,
as you say, rather new. It's also only in DragonFlyBSD at this moment.
I don't know anything about FreeBSD's (lack of?) support for snapshots.
(Open)Solaris does have ZFS, which is supposed to be all kinds of
awesome. I know that people did try to get ZFS in FreeBSD, but I don't
know the current status of that effort.

I'm a bit puzzled by your apparent requirements, though. You seem to
feel that the file server warrants a higher level of security than the
clients (since you appear to be far more familiar with Linux than with
OpenBSD, you must have chosen to use OpenBSD there and only there for a
reason - I presume security). The clients, however, have full access to
the unencrypted filesystems while the server cannot really do anything
interesting. It could corrupt or destroy data, I suppose, but so can the
clients. You'll need good backups anyway.

Finally, it's been ages since I used Linux and I've never used dm-crypt,
but does dm-crypt actually work if you use it on top of a loopback
device on top of NFS? There appear to be a lot of possible issues there,
not all of which are obvious. (Does the NFS client cache writes? In such
a way that the encrypted filesystem may be unreadable after a crash?
What about the server?)

Of course, such Linux-specific problems are not on-topic here, and most
of us wouldn't know anything about them anyway. I would recommend that
you take a good look at such issues before going too far, though.

Joachim