Snapshot retention for remotely replicated dataset

echelon5

Explorer
Joined
Apr 20, 2016
Messages
79
Let's say FreeNAS A recursively replicates to FreeNAS B with "Delete Stale Snapshots on Remote System" option on, with a retention of 4 weeks. On FreeNAS B I set up a snapshot task for the same dataset with an 8 week retention period. Will FreeNAS B keep the snapshots for 8 weeks?

I'm asking this for my backup strategy. Let's say FreeNAS A is compromised. An attacker can delete everything on a dataset and send the empty snapshots to FreeNAS B. I assume with the question above I'd be safe from such a scenario.
 

blanchet

Guru
Joined
Apr 17, 2018
Messages
516
If you enable Delete Stale Snapshots on Remote System, FreeNAS_A will destroy on FreeNAS_B any snapshot that is not present on FreeNAS_A, including the periodic snapshots created by FreeNAS_B on FreeNAS_B.

But, you can use zfs hold on FreeNAS B to protect some snapshots against deletion.

See this topic for more details.
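A sketch of the `zfs hold` approach for the 8-week case in the question, as an added example that is not part of blanchet's post or of FreeNAS itself: it places a hold on every snapshot younger than 8 weeks and releases the hold once a snapshot ages out. The dataset name `tank/backup` and the tag `keep8w` are assumed placeholders, and the sketch assumes no other hold tags are in use on the dataset.

```shell
#!/bin/sh
# Added example, not from the thread. Run on FreeNAS B (the replication target).
# DATASET and TAG are placeholders; the 8-week window is taken from the question.
DATASET="${DATASET:-tank/backup}"
TAG="${TAG:-keep8w}"
KEEP_SECS=$((8 * 7 * 24 * 3600))

# plan_holds NOW
#   stdin : name<TAB>creation-epoch<TAB>userrefs, one snapshot per line, as from
#           zfs list -H -p -r -t snapshot -o name,creation,userrefs
#   stdout: action<TAB>name for each snapshot whose hold state must change
# Assumes TAG is the only hold tag in use, so userrefs > 0 means "held by us".
plan_holds() {
    awk -F '\t' -v now="$1" -v keep="$KEEP_SECS" '
        { age = now - $2 }
        age <  keep && $3 == 0 { print "hold\t" $1 }
        age >= keep && $3 >  0 { print "release\t" $1 }
    '
}

# Read the live snapshot list and apply the plan with zfs hold / zfs release.
apply_holds() {
    tab=$(printf '\t')
    zfs list -H -p -r -t snapshot -o name,creation,userrefs "$DATASET" |
        plan_holds "$(date +%s)" |
        while IFS="$tab" read -r action snap; do
            zfs "$action" "$TAG" "$snap"
        done
}

# Nothing touches the pool unless the script is called with --apply.
if [ "${1:-}" = "--apply" ]; then
    apply_holds
fi
```

A hold only makes `zfs destroy` fail for that snapshot; any account that is able to run `zfs release` on FreeNAS B can lift it, so the protection is only as strong as the separation between the replication login and the account that manages the holds.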
 

echelon5

Explorer
Joined
Apr 20, 2016
Messages
79
If you enable Delete Stale Snapshots on Remote System, FreeNAS_A will destroy on FreeNAS_B any snapshot that is not present on FreeNAS_A, including the periodic snapshots created by FreeNAS_B on FreeNAS_B.

But, you can use zfs hold on FreeNAS B to protect some snapshots against deletion.

See this topic for more details.

Thanks! Your post answers my question, but it means I can't solve my problem yet. I avoid doing anything outside the GUI since I'm not experienced with scripting.
 
Joined
Jul 3, 2015
Messages
926
It's a good question and, as you may have noticed from the linked threads that @blanchet supplied, one I've raised before.

Personally I'd like to see iX incorporate some sort of fail-safe to make it impossible to delete a dataset on FreeNAS_A along with FreeNAS_B without some sort of second verification process ideally on FreeNAS_B.

Perhaps an option that deletes stale snapshots on the remote system but not the dataset itself. If that means it has to leave all but the latest snapshot after the primary dataset has been deleted then so be it.
 

dlavigne

Guest
Personally I'd like to see iX incorporate some sort of fail-safe to make it impossible to delete a dataset on FreeNAS_A along with FreeNAS_B without some sort of second verification process ideally on FreeNAS_B.

If you make a feature request at bugs.ixsystems.com, post the issue number here.
 
Joined
Jul 3, 2015
Messages
926

echelon5

Explorer
Joined
Apr 20, 2016
Messages
79
I've been exploring the new replication options in 11.3. As far as I can tell, the Sender still has complete control over the Destination system.

Let's say I've set a Snapshot Retention Policy of 1 month on Sender. An attacker gains control of Sender, deletes all data, creates an empty snapshot and sets the retention to "Same as source". I expect the next run to delete all previous snapshots and data.

Is my assessment correct? Did anyone test this scenario?
 
Joined
Jul 3, 2015
Messages
926
I haven't tested this yet but I hope you're wrong :eek:
 