* [pbs-devel] [PATCH v3 proxmox-backup 1/2] docs: add security implications of prune and change detection mode
@ 2024-11-14 15:15 Christian Ebner
From: Christian Ebner @ 2024-11-14 15:15 UTC
To: pbs-devel
Users should be made aware that the data stored in chunks outlives
the backup snapshots on pruning and that backups created using the
change-detection-mode set to metadata might reference chunks
containing files which have vanished since the previous backup, but
might still be accessible when access to the chunks' raw data is
possible (client or server side).
Reviewed-by: Gabriel Goller <g.goller@proxmox.com>
Signed-off-by: Christian Ebner <c.ebner@proxmox.com>
---
changes since version 2:
- s/Further/Moreover/ for second sentence starting with Further
- fix formatting for metadata by using double backticks
- Improve text flow based on suggestions
docs/maintenance.rst | 30 ++++++++++++++++++++++++++++--
1 file changed, 28 insertions(+), 2 deletions(-)
diff --git a/docs/maintenance.rst b/docs/maintenance.rst
index 4bb135e4e..601756246 100644
--- a/docs/maintenance.rst
+++ b/docs/maintenance.rst
@@ -6,8 +6,34 @@ Maintenance Tasks
Pruning
-------
-Prune lets you specify which backup snapshots you want to keep.
-The following retention options are available:
+Prune lets you specify which backup snapshots you want to keep, removing others.
+When pruning a snapshot, only the snapshot metadata (manifest, indices, blobs,
+log and notes) is removed. The chunks containing the actual backup data and
+previously referenced by the pruned snapshot, have to be removed by a garbage
+collection run.
+
+.. Caution:: Take into consideration that sensitive information stored in a
+ given data chunk will outlive pruned snapshots and remain present in the
+ datastore as long as referenced by at least one backup snapshot. Further,
+ *even* if no snapshot references a given chunk, it will remain present until
+ removed by the garbage collection.
+
+ Moreover, file-level backups created using the change detection mode
+ ``metadata`` can reference backup chunks containing files which have vanished
+ since the previous backup. These files might still be accessible by reading
+ the chunks raw data (client or server side).
+
+ To remove chunks containing sensitive data, prune any snapshot made while the
+ data was part of the backup input and run a garbage collection. Further, if
+ using file-based backups with change detection mode ``metadata``,
+ additionally prune all snapshots since the sensitive data was no longer part
+ of the backup input and run a garbage collection.
+
+ The no longer referenced chunks will then be marked for deletion on the next
+ garbage collection run and removed by a subsequent run after the grace
+ period.
+
+The following retention options are available for pruning:
``keep-last <N>``
Keep the last ``<N>`` backup snapshots.
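Review bot: In the third paragraph of the Caution block, "additionally prune all snapshots since the sensitive data was no longer part of the backup input" is hard to parse, and it is the step a reader will act on. If the intent is that every snapshot created after the data left the backup input must also be pruned, because with ``metadata`` mode those later snapshots can still reference the old chunks, say so in those words. The paragraph also says "and run a garbage collection" twice; a single mention after both prune steps reads better. Smaller points: "the chunks raw data" in the second paragraph lacks the possessive apostrophe, and the comma before "have to be removed" in the introductory paragraph separates the subject from its verb.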
--
2.39.5
_______________________________________________
pbs-devel mailing list
pbs-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel
* [pbs-devel] [PATCH v3 proxmox-backup 2/2] docs: deduplicate background details for garbage collection
From: Christian Ebner @ 2024-11-14 15:15 UTC
To: pbs-devel
Currently, common details regarding garbage collection are documented
in the backup client and the maintenance task. Deduplicate this
information by moving the details to the background section of the
maintenance task and reference that section in the backup client
part.
Reviewed-by: Gabriel Goller <g.goller@proxmox.com>
Signed-off-by: Christian Ebner <c.ebner@proxmox.com>
---
changes since version 2:
- s/can consider/considers/
- s/safeley/safely/
docs/backup-client.rst | 28 ++++++++++++----------------
docs/maintenance.rst | 38 +++++++++++++++++++++++++++-----------
2 files changed, 39 insertions(+), 27 deletions(-)
diff --git a/docs/backup-client.rst b/docs/backup-client.rst
index e56e0625b..892be11d9 100644
--- a/docs/backup-client.rst
+++ b/docs/backup-client.rst
@@ -789,29 +789,25 @@ Garbage Collection
------------------
The ``prune`` command removes only the backup index files, not the data
-from the datastore. This task is left to the garbage collection
-command. It is recommended to carry out garbage collection on a regular basis.
+from the datastore. Deletion of unused backup data from the datastore is done by
+:ref:`garbage collection<_maintenance_gc>`. It is therefore recommended to
+schedule garbage collection tasks on a regular basis. The working principle of
+garbage collection is described in more details in the related :ref:`background
+section <gc_background>`.
-The garbage collection works in two phases. In the first phase, all
-data blocks that are still in use are marked. In the second phase,
-unused data blocks are removed.
+To start garbage collection from the client side, run the following command:
+
+.. code-block:: console
+
+ # proxmox-backup-client garbage-collect
.. note:: This command needs to read all existing backup index files
and touches the complete chunk-store. This can take a long time
depending on the number of chunks and the speed of the underlying
disks.
-.. note:: The garbage collection will only remove chunks that haven't been used
- for at least one day (exactly 24h 5m). This grace period is necessary because
- chunks in use are marked by touching the chunk which updates the ``atime``
- (access time) property. Filesystems are mounted with the ``relatime`` option
- by default. This results in a better performance by only updating the
- ``atime`` property if the last access has been at least 24 hours ago. The
- downside is that touching a chunk within these 24 hours will not always
- update its ``atime`` property.
-
- Chunks in the grace period will be logged at the end of the garbage
- collection task as *Pending removals*.
+The progress of the garbage collection will be displayed as shown in the example
+below:
.. code-block:: console
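Review bot: The reference target in the added line ":ref:`garbage collection<_maintenance_gc>`" carries a leading underscore, while the second reference in the same paragraph uses "<gc_background>" without one, matching the ".. _gc_background:" label this patch adds in maintenance.rst. Sphinx labels are referenced without the underscore of their definition, so this should most likely be "<maintenance_gc>"; please check that the docs build resolves the link. Also, "described in more details" should read "described in more detail".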
diff --git a/docs/maintenance.rst b/docs/maintenance.rst
index 601756246..a64769138 100644
--- a/docs/maintenance.rst
+++ b/docs/maintenance.rst
@@ -197,6 +197,8 @@ It's recommended to setup a schedule to ensure that unused space is cleaned up
periodically. For most setups a weekly schedule provides a good interval to
start.
+.. _gc_background:
+
GC Background
^^^^^^^^^^^^^
@@ -222,17 +224,31 @@ datastore or interfering with other backups.
The garbage collection (GC) process is performed per datastore and is split
into two phases:
-- Phase one: Mark
- All index files are read, and the access time of the referred chunk files is
- updated.
-
-- Phase two: Sweep
- The task iterates over all chunks, checks their file access time, and if it
- is older than the cutoff time (i.e., the time when GC started, plus some
- headroom for safety and Linux file system behavior), the task knows that the
- chunk was neither referred to in any backup index nor part of any currently
- running backup that has no index to scan for. As such, the chunk can be
- safely deleted.
+- Phase one (Mark):
+
+ All index files are read, and the access time (``atime``) of the referenced
+ chunk files is updated.
+
+- Phase two (Sweep):
+
+ The task iterates over all chunks and checks their file access time against a
+ cutoff time. The cutoff time is given by either the oldest backup writer
+ instance, if present, or 24 hours and 5 minutes after the start of garbage
+ collection.
+
+ Garbage collection considers chunk files with access time older than the
+ cutoff time to be neither referenced by any backup snapshot's index, nor part
+ of any currently running backup job. Therefore, these chunks can safely be
+ deleted.
+
+ Chunks within the grace period will not be deleted and logged at the end of
+ the garbage collection task as *Pending removals*.
+
+.. note:: The grace period for backup chunk removal is not arbitrary, but stems
+ from the fact that filesystems are typically mounted with the ``relatime``
+ option by default. This results in better performance by only updating the
+ ``atime`` property if a file has been modified since the last access or the
+ last access has been at least 24 hours ago.
Manually Starting GC
^^^^^^^^^^^^^^^^^^^^
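Review bot: In the Sweep description, the cutoff is given as "24 hours and 5 minutes after the start of garbage collection", which would place it in the future relative to the GC start. The note removed from backup-client.rst in this same patch says chunks are only removed if they "haven't been used for at least one day (exactly 24h 5m)", so this should read "before the start". In the same sentence, "given by either the oldest backup writer instance" names an instance where a time is meant; "the start time of the oldest backup writer instance" would be precise. Finally, "will not be deleted and logged" can be read as negating both verbs; suggest "will not be deleted, but are logged at the end of the garbage collection task as *Pending removals*".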
--
2.39.5