Your backup isn’t real until you’ve restored it. And your ZFS replication isn’t real until it survives the boring stuff: flaky links, full pools, mis-ordered snapshots, and that one person who “just renamed the dataset real quick.”
ZFS makes backup engineering feel unfairly easy—until it doesn’t. The point of this guide is to keep it in the “easy” lane: clear snapshot habits, sane send/receive patterns, and a troubleshooting playbook for when reality shows up.
The mental model: snapshots are time, send/receive is transport
ZFS backups are two mechanisms stapled together:
- Snapshots capture dataset state at a moment in time. They’re cheap (initially), fast, and consistent.
- Send/receive serializes snapshot deltas and moves them elsewhere, so you can lose a server and still keep your job.
Everything else—retention, naming, incremental replication, resume tokens, encryption, bandwidth limits—exists to make those two mechanisms behave under stress.
Snapshots aren’t copies. They’re references.
A ZFS snapshot is a read-only view of blocks. When you snapshot a dataset, ZFS doesn’t duplicate the data. It pins the blocks that are part of that point-in-time view. As the live filesystem changes, new blocks are allocated, and old blocks are kept as long as some snapshot references them.
This means:
- Creating snapshots is fast.
- Keeping lots of snapshots can be expensive if your workload churns data (VM images, databases, CI artifacts).
- Deleting snapshots can be slow if they reference a ton of unique blocks.
Send/receive is deterministic—your policies are not
zfs send produces a stream representing snapshot contents (full) or differences (incremental). zfs receive applies that stream to a target dataset.
Replication works when both sides agree on snapshot lineage. It fails when you break lineage by deleting the wrong snapshot, renaming datasets casually, or mixing “manual” and “automated” snapshot sets without rules.
One dry truth: most ZFS backup incidents are policy bugs, not ZFS bugs.
Joke #1 (short, relevant): ZFS snapshots are like time travel—easy to create, expensive to explain when you kept 9,000 of them.
Snapshot naming is not aesthetics; it’s your control plane
Decide early on a naming scheme that encodes:
- who created it (system vs human),
- purpose (hourly/daily/weekly, pre-upgrade, pre-deploy),
- time (UTC, always).
If you don’t encode this, retention and replication become a guessing game. Guessing games are fun until auditors show up.
Opinionated take: separate “backup snapshots” from “operational snapshots”
Operational snapshots (pre-upgrade, before a risky migration) are wonderful. But mixing them into your replication chain without rules will eventually break incremental send. Use distinct prefixes.
Example snapshot prefixes:
bk-hh/bk-dd/bk-wwfor scheduled backup tiersops-for human/automation workflow snapshots
The foundational rule: never run your backup target hot
If your backup pool sits at 85–95% full, you’re living on borrowed time. ZFS performance and behavior degrade as free space shrinks, and deletion becomes work. You will get slow sends, slow receives, slow snapshot deletions, and eventually replication gaps that force full sends.
Keep backup pools below ~70–80% used in steady state. Yes, finance will ask why you “wasted” disks. Explain that you’re buying predictability, not raw bytes.
One quote (paraphrased idea)
“Hope isn’t a strategy.” — paraphrased idea often attributed to operations leaders and reliability engineers
Snapshot and replication systems are where hope goes to die. Good. Build systems that don’t need it.
Interesting facts & small history you can use at work
- ZFS came out of Sun Microsystems as a “filesystem plus volume manager” design, not a bolt-on RAID tool. That’s why snapshots and replication feel native.
- Copy-on-write wasn’t invented by ZFS, but ZFS popularized an end-to-end model where the filesystem, checksums, and pooling cooperate instead of fighting.
- ZFS checksums every block and verifies on read; this is why ZFS is such a strong fit for backups. Silent corruption is the enemy that doesn’t page you.
- “RAID-Z” exists because traditional RAID controllers lie (sometimes accidentally) about write ordering and caching. ZFS wanted a software-native model.
- ZFS send streams are portable across many platforms that implement OpenZFS, which is why replication between Linux and illumos-derived systems is common.
- Resumable receive (“resume tokens”) was added because large replications die on real networks. This is one of the most practical evolutions in ZFS ops.
- Snapshots don’t freeze time for applications unless you coordinate writes. ZFS gives you crash-consistent snapshots by default; application-consistent requires extra steps.
- Dedup exists, but is rarely your friend in backup targets unless you know exactly what you’re doing. It’s a RAM-hungry optimization with sharp edges.
- Compression is usually a win for backups: fewer bytes over the wire, fewer bytes on disk, often faster overall due to less IO. It’s one of the rare “have your cake” features.
Design a ZFS backup system that survives humans
Pick a replication topology on purpose
You’ll land in one of these:
- One-to-one: production host replicates to a backup host. Simple, common, good.
- Many-to-one: multiple production hosts replicate to a central backup box. Great for operations; watch dataset naming, quotas, and pool capacity planning.
- Fan-out: replicate to a local target and then to an offsite target. This is how you get fast restores plus disaster recovery.
Opinionated recommendation: do many-to-one only if you have strong naming standards and quotas. Otherwise one team will fill the pool and everyone else will learn what “backups are down” means.
Decide what you replicate: datasets, not pools
Replicate datasets (and their children) with consistent properties. If you replicate an entire pool, you inherit every property mistake and every experiment. Datasets are your blast-radius control.
Use recursive snapshots, but don’t be sloppy
Most real services live in a tree: pool/app, pool/app/db, pool/app/logs. If you want a consistent point-in-time across that tree, you snapshot recursively with a common snapshot name. ZFS provides zfs snapshot -r and replication tools rely on this.
Make retention a policy, not a side effect
Retention is where backup systems die. You’ll create snapshots forever, replication will work beautifully, and then you’ll run out of space and start deleting things in the wrong order while production is on fire.
Pick a tiered retention that matches your business reality:
- Hourly for 24–72 hours (fast “oops” recovery)
- Daily for 14–35 days (most “we just noticed” incidents)
- Weekly for 8–12 weeks (slow-burn problems)
- Monthly for 6–18 months (compliance-ish needs)
Then implement it with automation that tags snapshots and deletes by tag/prefix. Do not delete snapshots by “oldest first” without understanding holds, clones, and replication dependencies.
Keep backup datasets read-only (on the backup side)
On the target, set the replicated datasets to read-only to prevent “quick fixes” that permanently fork your snapshot lineage.
Set:
readonly=on- optionally
canmount=offfor pure backup datasets
Encryption: decide whether to encrypt at rest, in transit, or both
SSH provides transport encryption. ZFS native encryption provides at-rest encryption. Your threat model decides.
- If you’re sending to a third-party location or removable media: native encryption matters.
- If it’s inside your own secured DC: SSH may be “enough,” but auditors may disagree.
One practical warning: encrypted datasets complicate replication if you don’t plan key loading and property inheritance. Test restores. Always.
Prefer incremental replication, but budget for full sends
Incrementals are efficient and fast. They also depend on shared snapshot history. If that history is broken, you either:
- recreate a common base snapshot (sometimes possible), or
- do a full send (sometimes painful).
Plan for occasional full sends by ensuring you can tolerate the bandwidth and storage impact, or by keeping longer base snapshots so you have more options.
Practical tasks (commands + outputs + decisions)
These are the tasks I actually run when building or debugging ZFS backup replication. Each includes a command, typical output, and what decision you make from it.
Task 1: Identify pools and basic health
cr0x@server:~$ zpool status
pool: tank
state: ONLINE
scan: scrub repaired 0B in 02:11:18 with 0 errors on Sun Dec 22 03:10:42 2025
config:
NAME STATE READ WRITE CKSUM
tank ONLINE 0 0 0
raidz1-0 ONLINE 0 0 0
sda ONLINE 0 0 0
sdb ONLINE 0 0 0
sdc ONLINE 0 0 0
errors: No known data errors
What it means: Pool is online, no IO errors, recent scrub clean.
Decision: If you see DEGRADED, checksum errors, or scrubs failing, fix storage health before tuning replication. Replication can’t outrun bad disks.
Task 2: Check pool capacity (the silent killer)
cr0x@server:~$ zfs list -o name,used,avail,refer,mountpoint -t filesystem tank
NAME USED AVAIL REFER MOUNTPOINT
tank 6.12T 1.45T 192K /tank
What it means: Only 1.45T available. Depending on pool size, that might be uncomfortably tight.
Decision: If the pool is above ~80% used, start planning retention changes or capacity expansion. Expect snapshot deletes and receives to slow down.
Task 3: Inspect datasets and snapshot counts (spot runaway retention)
cr0x@server:~$ zfs list -t all -r tank/prod -o name,used,refer,creation | head
NAME USED REFER CREATION
tank/prod 820G 96K Sun Dec 1 10:02 2025
tank/prod@bk-dd-2025-12-01 2.1G 96K Sun Dec 1 23:00 2025
tank/prod@bk-dd-2025-12-02 2.4G 96K Mon Dec 2 23:00 2025
tank/prod@bk-dd-2025-12-03 1.9G 96K Tue Dec 3 23:00 2025
What it means: You see snapshots and their space impact (USED). USED is space unique to the snapshot versus the live dataset.
Decision: If snapshot USED is large and growing, your workload churns data. Tighten retention or split high-churn datasets (like VM images) into separate trees.
Task 4: Create consistent recursive snapshots with one name
cr0x@server:~$ zfs snapshot -r tank/prod@bk-hh-2025-12-25T0200Z
What it means: Every child dataset under tank/prod gets a snapshot with the exact same name, enabling consistent replication.
Decision: If you can’t snapshot recursively because your tree is messy, that’s a structural problem. Fix dataset layout; don’t “just snapshot what matters” and hope.
Task 5: Verify snapshot existence across the tree
cr0x@server:~$ zfs list -t snapshot -r tank/prod -o name | grep bk-hh-2025-12-25T0200Z | head
tank/prod@bk-hh-2025-12-25T0200Z
tank/prod/db@bk-hh-2025-12-25T0200Z
tank/prod/web@bk-hh-2025-12-25T0200Z
tank/prod/logs@bk-hh-2025-12-25T0200Z
What it means: Snapshot is present where you expect it.
Decision: If any child is missing the snapshot, replication with -R won’t behave as expected. Fix snapshot creation automation.
Task 6: Do a first full replication (with properties) to initialize backup
cr0x@server:~$ zfs send -R tank/prod@bk-dd-2025-12-25 | ssh backup1 'zfs receive -u backup/prod'
What it means: -R includes descendant datasets and properties; -u avoids mounting on receive.
Decision: Use -u for backup targets, then explicitly mount only when restoring. If the receive fails, check dataset existence, pool space, and permissions first.
Task 7: Incremental replication between two snapshots
cr0x@server:~$ zfs send -R -i tank/prod@bk-dd-2025-12-24 tank/prod@bk-dd-2025-12-25 | ssh backup1 'zfs receive -u backup/prod'
What it means: Send only changes from the 24th snapshot to the 25th snapshot.
Decision: If this errors with “incremental source does not exist,” your snapshot lineage diverged. Don’t paper over it—identify what was deleted/renamed and why.
Task 8: Use “replication streams” with forced rollback (carefully)
cr0x@server:~$ zfs send -R -i tank/prod@bk-dd-2025-12-24 tank/prod@bk-dd-2025-12-25 | ssh backup1 'zfs receive -u -F backup/prod'
What it means: -F forces the receiver to roll back to the most recent snapshot that matches the incoming stream, discarding newer local changes.
Decision: Use -F on backup targets only if you enforce readonly=on and you understand you’re discarding any local modifications (which you shouldn’t have anyway).
Task 9: Check and set read-only on replicated datasets
cr0x@server:~$ ssh backup1 'zfs get -H -o name,property,value readonly backup/prod'
backup/prod readonly off
What it means: Target dataset is writable. That’s an invitation for trouble.
Decision: Turn it on:
cr0x@server:~$ ssh backup1 'zfs set readonly=on backup/prod'
Task 10: Diagnose “why is my send slow” (CPU vs disk vs network)
cr0x@server:~$ zfs send -nPv tank/prod@bk-dd-2025-12-25
full send of tank/prod@bk-dd-2025-12-25 estimated size is 812G
size 812G
What it means: Dry run (-n) with progress/verbose gives you an estimate. If you’re pushing 800G over a 1Gb link, it’s going to be a long afternoon.
Decision: If estimated size is large unexpectedly, check whether you accidentally lost the incremental base snapshot or you’re sending a dataset with massive churn.
Task 11: Monitor receive progress and detect stalls
cr0x@server:~$ ssh backup1 'zpool iostat -v tank 5 2'
capacity operations bandwidth
pool alloc free read write read write
-------------------------- ----- ----- ----- ----- ----- -----
tank 6.12T 1.45T 12 205 8.1M 112M
raidz1-0 6.12T 1.45T 12 205 8.1M 112M
sda - - 4 68 2.7M 38.0M
sdb - - 3 69 2.4M 37.1M
sdc - - 5 68 3.0M 36.9M
-------------------------- ----- ----- ----- ----- ----- -----
What it means: Receive is writing ~112MB/s to the pool. That’s healthy for many HDD arrays.
Decision: If writes drop to near-zero but the send is still running, check network, SSH backpressure, and whether the pool is near-full or heavily fragmented.
Task 12: Handle an interrupted receive using resume tokens
cr0x@server:~$ ssh backup1 'zfs get -H -o name,property,value receive_resume_token backup/prod'
backup/prod receive_resume_token 1-fd1b6a8c9d-118-789c...
What it means: The receive was interrupted and left a resume token.
Decision: Resume it instead of starting over:
cr0x@server:~$ zfs send -t 1-fd1b6a8c9d-118-789c... | ssh backup1 'zfs receive -u backup/prod'
Task 13: Confirm snapshot lineage on source and target (avoid broken incrementals)
cr0x@server:~$ zfs list -t snapshot -o name -s creation -r tank/prod | tail -5
tank/prod@bk-dd-2025-12-21
tank/prod@bk-dd-2025-12-22
tank/prod@bk-dd-2025-12-23
tank/prod@bk-dd-2025-12-24
tank/prod@bk-dd-2025-12-25
cr0x@server:~$ ssh backup1 'zfs list -t snapshot -o name -s creation -r backup/prod | tail -5'
backup/prod@bk-dd-2025-12-21
backup/prod@bk-dd-2025-12-22
backup/prod@bk-dd-2025-12-23
backup/prod@bk-dd-2025-12-24
backup/prod@bk-dd-2025-12-25
What it means: Target has the same snapshots. Incrementals should work.
Decision: If target is missing a middle snapshot, stop and fix that chain. Don’t keep “incremental-ing” and hope; you’ll paint yourself into a corner.
Task 14: Check dataset properties that affect backups (compression, recordsize, atime)
cr0x@server:~$ zfs get -o name,property,value -s local,default compression,recordsize,atime tank/prod
NAME PROPERTY VALUE
tank/prod compression zstd
tank/prod recordsize 128K
tank/prod atime off
What it means: Reasonable defaults for many server workloads: compression on, atime off.
Decision: If compression is off, consider turning it on before you scale replication. If recordsize is wildly mismatched to workload (e.g., 1M for databases), you may be amplifying churn and backup deltas.
Task 15: Validate you can restore (mount a received snapshot read-only)
cr0x@server:~$ ssh backup1 'zfs clone backup/prod@bk-dd-2025-12-25 backup/restore-test && zfs set readonly=on backup/restore-test && zfs mount backup/restore-test && ls -la /backup/restore-test | head'
total 12
drwxr-xr-x 3 root root 3 Dec 25 02:10 .
drwxr-xr-x 5 root root 5 Dec 25 02:10 ..
drwx------ 12 root root 12 Dec 25 02:00 data
What it means: You can access the restored content. Cloning is fast because it’s CoW.
Decision: If restore tests fail, your backups are decorative. Fix restore procedures and access controls now, not during an incident.
Task 16: Find large snapshot space consumers (what’s keeping space pinned)
cr0x@server:~$ zfs list -t snapshot -o name,used -s used -r tank/prod | tail -5
tank/prod@bk-dd-2025-11-29 48.2G
tank/prod@bk-dd-2025-11-30 51.7G
tank/prod@bk-dd-2025-12-01 55.3G
tank/prod@bk-dd-2025-12-02 62.9G
tank/prod@bk-dd-2025-12-03 73.4G
What it means: Some days pin far more unique data. That often correlates to workload events (reindex, VM template update, log rotation gone wrong).
Decision: If a specific dataset is always the culprit, isolate it and set a different retention tier. One size fits nobody.
Three corporate mini-stories from the trenches
1) Incident caused by a wrong assumption: “Snapshots are basically free, right?”
At a mid-sized company, a team ran ZFS on a storage host backing VM disks. They were proud of their snapshotting: hourly snapshots for two weeks, daily for three months. Nobody asked how much data churned; they just assumed CoW equals magic.
The workload was mostly Windows VMs with frequent patch cycles, plus a CI system that rebuilt images often. Churn was violent. Snapshots weren’t copying data, but they were pinning old blocks at a rate that made the pool look like it was eating itself.
The first symptom was subtle: replication started taking longer. Then snapshot deletion started taking hours. Then a receive failed because the target pool didn’t have enough contiguous space for metadata allocations. The production pool hit a level of fullness where latency became a personality trait.
They tried to fix it by deleting snapshots aggressively—oldest first—during business hours. That made IO worse because snapshot deletion is real work. Suddenly, VMs were slow, the help desk had feelings, and the storage team was on a conference call with five managers asking if “we can just reboot the SAN.”
The fix wasn’t clever. They reduced snapshot frequency for VM disks, split high-churn datasets (CI artifacts) into their own tree with shorter retention, and enforced pool free-space targets. They also scheduled snapshot deletes during off-peak windows and tracked snapshot USED. The assumption changed: snapshots are cheap to create, not cheap to keep.
2) Optimization that backfired: “Let’s enable dedup on the backup target”
Another organization had a big backup server and a lot of similar datasets. Someone got excited about dedup. In theory, dedup on the backup target could reduce storage consumption dramatically because “so many files are the same across servers.”
They enabled dedup=on on the backup datasets right before onboarding a new fleet. Replication still “worked,” and the initial storage graphs looked great. Everybody smiled. Finance smiled too, which is how you know it’s dangerous.
Within weeks, the backup system became unpredictable. Receives were spiky. Latency would explode during heavy ingest. Sometimes snapshot deletions would crawl. The dedup table wanted RAM, then wanted more RAM, then started using disk in ways that made everything worse. They’d built a system where the slow path became the normal path.
The backfire was operational: restores were slower and less reliable, which defeated the purpose of having backups. They ended up migrating new incoming datasets to non-dedup trees, planning a careful evacuation of dedup’d datasets, and setting strict performance SLOs for backup restores. Lesson learned: dedup is not a free lunch; it’s a mortgage.
3) Boring but correct practice that saved the day: “Monthly restore drills”
A regulated business did something almost offensively unsexy: once a month, they performed a restore drill. Not a tabletop exercise. An actual restore to a scratch environment. They validated filesystem contents, permissions, and a handful of application-level checks.
It was bureaucratic. It consumed time. Engineers rolled their eyes. But the team made it automated enough that it wasn’t a hero project. They cloned a received snapshot, mounted it read-only, ran checks, then destroyed the clone.
One month, the drill failed. The data restored, but the app-level check reported inconsistency. It turned out the database snapshots were crash-consistent but not application-consistent. They weren’t coordinating with the DB’s backup mode. Nobody noticed because “ZFS snapshots are consistent.” Consistent, yes. Application-consistent, no.
Because it was a drill, it was a ticket, not an incident. They updated their snapshot process: use DB-native mechanisms (or coordinated fsfreeze/backup mode) before taking snapshots. When they later had a real production corruption event, the restore worked cleanly. The boring practice paid for itself in one day, which is a great ROI if you enjoy sleeping.
Joke #2 (short, relevant): Backup drills are like flossing—annoying until you skip them and pay in blood.
Fast diagnosis playbook: find the bottleneck quickly
When replication is slow or failing, you want signal fast. Not a three-hour archaeology dig through logs.
First: is this a pool health/capacity problem?
- Source pool:
zpool statusclean? Any checksum errors? Scrub history sane? - Target pool: enough free space? Not near-full? Any resilver in progress?
If a pool is degraded or full, stop blaming the network. Storage always collects its debt.
Second: is the send stream the size you think it is?
- Run
zfs send -nPv ...to estimate stream size. - If incremental size is huge, you likely lost the incremental base snapshot or your workload churned hard.
Third: is the bottleneck network, CPU, or disk?
- Network: are you saturating the link? Are there retransmits? (Use your usual network tooling; on many systems you can inspect interface errors and throughput.)
- Disk:
zpool iostat -v 5shows real-time read/write bandwidth and ops. - CPU: compression/encryption can be CPU-limited. If send is compressing heavily or SSH ciphers are expensive, you’ll see it.
Fourth: are you stuck on snapshot deletion or holds?
- Snapshot deletion can block space recovery and make receives fail.
- Holds can prevent snapshot deletion and quietly break retention.
Fifth: did an interrupted receive leave a resume token?
- Check
receive_resume_tokenon the target dataset. - Resume with
zfs send -tinstead of re-sending.
Fast diagnosis is about eliminating categories. Don’t tune compression when the pool is 97% full. Don’t add disks when the base snapshot was deleted.
Common mistakes: symptoms → root cause → fix
1) Incremental send fails: “incremental source … does not exist”
Symptoms: Your script worked yesterday. Today it errors during zfs send -i.
Root cause: The “from” snapshot was deleted on source or target, or the dataset lineage diverged (local changes on target, or receiving into a different dataset path).
Fix: Compare snapshot lists on both sides; re-establish a common base snapshot. If you can’t, do a full send (plan for downtime/impact), then tighten retention rules to preserve base snapshots until replicated.
2) Receives suddenly slow down to a crawl
Symptoms: Replication throughput drops; zfs receive barely writes; IO latency climbs.
Root cause: Target pool too full, heavy fragmentation, ongoing resilver/scrub, or dedup table pressure. Sometimes it’s also tiny record sizes causing metadata churn.
Fix: Check pool usage and ongoing scans. Stop the bleeding: free space, add capacity, or reduce ingest rate. If you enabled dedup, reconsider your life choices and plan a migration.
3) “cannot receive: destination has snapshots” / “destination is busy”
Symptoms: Receive complains about existing snapshots or mismatched snapshots on the target.
Root cause: Someone created or deleted snapshots on the target, or you’re receiving into the wrong dataset path.
Fix: Enforce readonly=on and restrict who can administer the backup pool. Use zfs receive -F only if you are sure you can roll back target state safely.
4) You delete snapshots, but space doesn’t come back
Symptoms: You destroy old snapshots, yet zfs list shows little space freed.
Root cause: Data is referenced by clones, holds, or other snapshots; also possible that the live dataset is the primary space consumer.
Fix: Look for clones and holds. Remove holds if appropriate. Identify clones and either promote them or destroy them after validating they’re not needed.
5) Backup dataset contains “unexpected” properties or mount behavior
Symptoms: Received datasets mount automatically, or properties like compression don’t match expectation.
Root cause: Using zfs send/receive with replication flags and inherited properties without a target-side policy.
Fix: Receive with -u and set target policies explicitly: readonly=on, canmount=off, mountpoints controlled. Decide whether to preserve or override properties.
6) Encrypted replication fails or yields unusable restores
Symptoms: Receive completes, but dataset won’t mount; keys unavailable; restores are blocked.
Root cause: Key management wasn’t designed. Replication moved encrypted datasets without ensuring key load procedures on the restore environment.
Fix: Document and test key loading. Ensure your restore runbook includes key retrieval and verification. Run restore drills that include encryption.
7) “It replicated, but the app restore is broken”
Symptoms: Files are there; application reports corruption/inconsistency.
Root cause: Crash-consistent snapshots used for apps that require coordinated snapshots (databases, some mail systems, etc.).
Fix: Use application-level backup hooks: DB backup mode, filesystem freeze mechanisms where appropriate, or replicate logical backups into ZFS datasets.
Checklists / step-by-step plan
Step-by-step: set up clean replication from scratch
- Create source dataset layout so the “thing you restore” is a dataset tree, not random directories.
- Pick snapshot naming (UTC, tier prefix) and write it down. Humans will follow the path you pave.
- Enable sane properties on source:
compression=zstdfor most workloads;atime=off. - Take initial recursive snapshot with a base name you’ll keep for a while.
- Initialize replication with a full
zfs send -Rto the backup target withzfs receive -u. - Lock down backup target: set
readonly=on, considercanmount=off, restrict admin access. - Automate incremental replication using the same snapshot naming scheme and explicit “from”/“to” snapshots.
- Implement retention by tiers; delete snapshots by prefix and age.
- Add monitoring: pool capacity, replication lag (latest snapshot replicated), scrub status, and receive failures.
- Run restore drills monthly (at least): clone, mount, validate, destroy.
Checklist: before you enable “clever” features
- Dedup: do you have RAM budget and have you tested worst-case ingest and restore?
- Native encryption: do you have key management and restore procedures tested?
- Huge recordsize tweaks: do you understand how it impacts churn and incremental size?
- Compression changes: did you benchmark CPU headroom and verify replication speed?
- Multiple replication targets: do you have naming conventions and quota enforcement?
Checklist: restoring under pressure
- Identify the dataset and snapshot time. Don’t guess; check the snapshot list.
- Clone the snapshot to a restore dataset (fast, minimal risk).
- Mount read-only first; validate content and ownership.
- For applications: run the app-specific recovery/validation steps.
- Only then copy data back or promote/rename as needed.
- Document what snapshot was used and why. Future-you will ask.
FAQ
1) Are ZFS snapshots “backups”?
No. Snapshots on the same pool protect against accidental deletes and bad deploys. They do not protect against pool loss, fire, theft, or admin mistakes. Replicate them elsewhere.
2) Should I snapshot hourly everywhere?
Only if the workload and retention make sense. High-churn datasets will punish you. Start with hourly for short windows and daily for longer, then tune based on snapshot USED growth.
3) What’s the difference between crash-consistent and application-consistent snapshots?
Crash-consistent is like pulling the power plug: filesystem is consistent, but apps may need recovery. Application-consistent means the app cooperated (flush, freeze, backup mode), so restores are cleaner.
4) When should I use zfs receive -F?
On a backup target that is meant to be an exact replica, and only when you’re comfortable rolling back the target to match the incoming stream. If your target is writable or used for other purposes, -F is a foot-gun.
5) Why does deleting snapshots sometimes take forever?
Because ZFS has to free referenced blocks and update metadata. If the snapshot references lots of unique blocks (high churn) or the pool is under pressure, deletion can be slow. Schedule deletes off-peak and keep pools from running hot.
6) Can I replicate encrypted datasets safely?
Yes, but “safely” includes key management and restore drills. If keys aren’t available in an incident, your backups are encrypted paperweights.
7) Is replication a replacement for traditional backup software?
Sometimes. Replication is excellent for fast restores and DR of filesystem state. But you may still need separate tooling for long-term archives, cross-platform restores, and application-aware backups. Don’t force one tool to be your entire strategy.
8) How do I avoid broken incremental chains?
Use consistent snapshot names, don’t manually delete replication base snapshots until you confirm they’re replicated, keep target datasets read-only, and monitor “last replicated snapshot” per dataset.
9) Should I replicate the whole pool with -R?
Replicate the dataset tree you actually need to restore. Whole-pool replication tends to grow into an uncontrolled dumping ground with properties and experiments you didn’t mean to preserve.
10) What’s the safest way to test restores without impacting production?
On the backup host, clone a received snapshot into a temporary dataset, mount it read-only, validate, then destroy the clone. Clones are cheap and reversible.
Conclusion: next steps that actually move the needle
If you want “without tears,” stop chasing cleverness and start enforcing boring correctness:
- Standardize snapshot naming (prefix + UTC timestamp) and separate backup vs operational snapshots.
- Initialize replication cleanly with a full
zfs send -R, then incremental sends only when snapshot lineage is verified. - Lock down the backup target:
readonly=on, receive with-u, restrict admin access. - Monitor pool capacity and keep it below the danger zone; don’t run backup storage hot.
- Schedule restore drills and treat failures as product bugs, not personal failures.
ZFS gives you powerful primitives. Your job is to keep them pointed in the right direction—away from your foot, and toward a restore that works on the first try.