
Also, some obscure yet very helpful ZFS feature is that all your ZFS datasets have a hidden (e.g. not visible via `ls -a`) `.zfs` directory in their roots. This directory contains all snapshots of a given ZFS dataset mounted as directories.

For example, if your home is a separate dataset, then `/home/operator/.zfs/` will contain all snapshots automatically mounted for your convenience.




I have this enabled too, but httm seems like an improvement over this since there's lots of times where I need to restore something from a snapshot, but since I have to look it up based on time, there's a lot of guesswork to find the right snapshot that has what I need. This looks great since I think it lets me do lookups via file, so I can see all the snapshots available for a given file and I can instantly see what all my restore options are.


While I don't disagree this tool would be better, if you don't have that tool, I frequently used something like: `ls -lart /vol/.zfs/snapshot/snap-*/file/path`

Would list the files sorted by change date so then I could just easily scan through the list for the changed versions.


Exactly. You get it. If you take 100 snapshots but the file was only modified 5 times, then you see 5 file versions. No more digging through snapshots ever.


Huh, this is new to me. How does zfs handle regular directories that happen to be named .zfs?

Might this be a security issue as well? What permissions are needed to access this path? If I somehow have a webserver serving static files from a zfs dataset, might someone use this to access old or deleted files?


I imagine that you will have issues when you enable the setting to make the snapshot directory visible, or it'll behave like a folder that has things in it when you mount something onto the same place (you think you just overwrote all the files, but then you unmount the second thing and it's fine).

Looks like by default the `.zfs/snapshot` folder is owned by root, but has 777 permissions. Then inside the snapshots themselves they have the same permissions as the main pool.

Not sure if there is a way to configure permissions on it, but if security is a concern, you could leave it disabled with `snapdir=hidden`, then just set it to `visible` if you need in there. I think it's disabled by default, so if you haven't gone out of your way to turn it on you're probably good. If you want to leave it visible all the time, you probably want apparmor or something to manage access.
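
Added example, not part of the thread: one way a static file handler can refuse requests that reach into the snapshot directory discussed above. Because `.zfs` does not show up in directory listings while `snapdir=hidden`, the check is done by path component name. `resolve_static`, `Forbidden` and `/srv/www` are hypothetical names, and the sample requests are constructed.

```python
import posixpath
from urllib.parse import unquote

# ZFS control directory. It is absent from listings when snapdir=hidden,
# so it must be refused by name, not discovered by walking the tree.
BLOCKED = {".zfs"}


class Forbidden(Exception):
    """Raised when a request path must not be served."""


def resolve_static(docroot: str, url_path: str) -> str:
    """Map a request path to a file path under docroot, refusing .zfs."""
    # Drop the query string, then percent-decode exactly once, which is the
    # form used for the file lookup (so %2Ezfs is seen as .zfs here).
    path = unquote(url_path.split("?", 1)[0])
    if "\x00" in path:
        raise Forbidden("NUL byte in path")
    parts = [p for p in path.split("/") if p not in ("", ".")]
    for part in parts:
        if part == "..":
            raise Forbidden("parent traversal")
        # Case-insensitive comparison is a conservative choice (assumption).
        if part.lower() in BLOCKED:
            raise Forbidden("ZFS snapshot directory")
    return posixpath.join(docroot, *parts)


if __name__ == "__main__":
    # Constructed sample requests.
    for req in ["/index.html", "/.zfs/snapshot/daily/old.txt", "/%2Ezfs/snapshot/x"]:
        try:
            print(req, "->", resolve_static("/srv/www", req))
        except Forbidden as exc:
            print(req, "-> 403:", exc)
```

This only covers the request path; a symlink inside the document root that points into `.zfs` would need a separate check on the resolved path.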


How do you show the .zfs directory if it ignores `ls -a`?


The whole VFS is an illusion, it's totally possible for the filesystem driver to say one thing in readdir(3) and another thing in fopen(3).


Related fun fact: if you have +x but not +r on a directory, you can traverse it (access things whose names you know), but not view its contents (`ls` won't work).


You have to go into zfs settings to enable it, I think it's something like this: `zfs set snapdir=visible poolname/dataset`

After that you can see it with `ls -la`.



