Are your destination snapshots at risk? (Including this here as well as core since it affects both)

tnuser9999

Dabbler
Joined
Jun 29, 2023
Messages
40
Please be aware if you are depending on TrueNAS Scale ZFS replication as a backup solution. I have tested and found that the same vulnerability that affects Core affects Scale. I have not found any option that stops source rollbacks from removing snapshots from the destination as well. The native ZFS command does not do this by default; you have to use a switch to make it behave in this way.

 

Apollo

Wizard
Joined
Jun 13, 2013
Messages
1,458
Could it be because snapshot lifetime is set to 1 week?
 

tnuser9999

Dabbler
Joined
Jun 29, 2023
Messages
40
Could it be because snapshot lifetime is set to 1 week?
No sadly, I have the TrueNAS destination replication configuration " Snapshot Retention Policy" set to none, which by the description does not delete any snapshots. I also do not have "replication from scratch" selected. I have no periodic snapshot task configured on the destination server.
 

tnuser9999

Dabbler
Joined
Jun 29, 2023
Messages
40
You can give it a test yourself. Set up a pull replication scenario and take a few auto snapshots on the source. Pull replicate those to the destination server with the replication settings "replication from scratch" unchecked and "snapshot retention policy" set to none. Next, on the source, roll back a couple of snapshots, then take another.

Replicate from the destination server again; you will see that all the snapshots which were present on the destination but were removed from the source during the rollback operation are now gone as well, and that the new snapshot that was taken is now present. Great if you wish to keep two systems in sync, bad if you are using ZFS replication as a backup solution. If the source is rolled back, the result you would hope for in this scenario would be a replication failure, where you can investigate what went wrong and whether it was an intentional rollback or not.
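The pre-flight check a defender would want before the "replicate again" step of this procedure, as an added example (not from the thread or from TrueNAS): it parses `zfs list -t snapshot -H -o name` output from both sides and refuses to continue when the destination holds snapshots the source no longer has, which is what a source rollback looks like from the destination. The dataset names and the listings are constructed.

```python
"""Pre-flight check: refuse an incremental replication when the destination holds
snapshots the source no longer has, which is how a source rollback looks from the
destination. Input is the text of `zfs list -t snapshot -H -o name` from each side."""
from dataclasses import dataclass

@dataclass
class ReplicationCheck:
    common: list             # snapshots present on both sides
    new_on_source: list      # would be sent by an incremental replication
    missing_on_source: list  # would be destroyed by a forced (zfs receive -F) sync

    @property
    def safe(self) -> bool:
        return not self.missing_on_source

def parse_snapshot_names(listing: str, dataset: str) -> list:
    """Return the part after '@' for every snapshot of `dataset`, in listed order."""
    names = []
    for line in listing.splitlines():
        line = line.strip()
        if "@" not in line:
            continue
        ds, snap = line.split("@", 1)
        if ds == dataset:
            names.append(snap)
    return names

def check_replication(src_listing, src_ds, dst_listing, dst_ds) -> ReplicationCheck:
    src = parse_snapshot_names(src_listing, src_ds)
    dst = parse_snapshot_names(dst_listing, dst_ds)
    src_set, dst_set = set(src), set(dst)
    return ReplicationCheck(
        common=[s for s in dst if s in src_set],
        new_on_source=[s for s in src if s not in dst_set],
        missing_on_source=[s for s in dst if s not in src_set],
    )

# Constructed listings: the source was rolled back to auto-2023-06-30 (dropping
# 07-01 and 07-02) and a fresh snapshot was then taken; the destination still
# holds the two rolled-back snapshots.
SOURCE_LISTING = "tank/data@auto-2023-06-29\ntank/data@auto-2023-06-30\ntank/data@auto-2023-07-03\n"
DEST_LISTING = ("backup/data@auto-2023-06-29\nbackup/data@auto-2023-06-30\n"
                "backup/data@auto-2023-07-01\nbackup/data@auto-2023-07-02\n")

if __name__ == "__main__":
    result = check_replication(SOURCE_LISTING, "tank/data", DEST_LISTING, "backup/data")
    if result.safe:
        print("safe to replicate; new snapshots:", result.new_on_source)
    else:
        print("REFUSING: destination holds snapshots missing on source:", result.missing_on_source)
```

A wrapper that only runs the receive when `result.safe` is true turns the silent snapshot destruction described above into the replication failure the post asks for.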
 
Joined
Oct 22, 2019
Messages
3,641
If the source is rolled back, the result you would hope for in this scenario would be a replication failure, where you can investigate what went wrong and whether it was an intentional rollback or not.
I thought there was a built in failsafe / warning? Guess not?

This would make for a good feature request. I don't see why the default behavior is to just go ahead and destroy snapshots on the destination to keep things in sync.
 