Why I'm not interested in rolling back to snapshots of Linux root filesystems
One perpetual appeal of advanced filesystems like btrfs and ZFS is the idea of making a snapshot of your root filesystem, trying an upgrade, and then reverting to the snapshot if you feel that things have gone wrong. In my entry yesterday on why I use ext4 for my root filesystems, I mentioned that I didn't expect doing this to work as well as you'd like, and Aristotle Pagaltzis expressed interest in an elaboration of this. Well, never let it be said that I don't take requests.
(I covered some of the general ground in an old entry on rollbacks versus downgrades, but today I'll be more specific.)
The first problem is that Linux doesn't separate out the different types of things that are in /var; it contains a mess of program data, user data, and logs. You must roll back anything containing program data along with /usr, because your upgrade may have done things like changed the database format or updated your package database. But this will lose the new log data in /var/log (and perhaps elsewhere) and perhaps user data in /var/mail and anywhere else it may be lurking.
(For example, you might have mail flowing through your system under /var/spool. If you sent an email message but it hasn't been fully delivered yet, you don't really want it to vanish in a rollback.)
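As an added illustration (not from the original post), here is a small POSIX shell check that lists what a whole-root rollback would discard from the user-data areas of /var. It assumes the pre-upgrade snapshot is mounted read-only somewhere and takes that path and the live root as arguments; the fixture it runs against is constructed, not a real system.

```shell
#!/bin/sh
# Added example (not from the original post): given a read-only mount of the
# pre-upgrade root snapshot and the live root, list the files under the
# named areas that are new or changed since the snapshot. These are
# exactly what rolling the whole root filesystem back would throw away.
# Area arguments are relative to the root, e.g. var/log var/spool var/mail.

rollback_losses() {
    snap=$1
    live=$2
    shift 2
    for area in "$@"; do
        [ -d "$live/$area" ] || continue
        find "$live/$area" -type f | while read -r f; do
            rel=${f#"$live/"}
            if [ ! -e "$snap/$rel" ]; then
                printf 'new      %s\n' "$rel"
            elif ! cmp -s "$snap/$rel" "$f"; then
                printf 'modified %s\n' "$rel"
            fi
        done
    done | sort
}

# Constructed fixture standing in for a real snapshot and live root:
# one log grew, one queued mail message arrived, one file is unchanged.
make_fixture() {
    base=$(mktemp -d)
    SNAP=$base/snap
    LIVE=$base/live
    for r in "$SNAP" "$LIVE"; do
        mkdir -p "$r/var/log" "$r/var/spool/mail" "$r/usr/lib"
        printf 'boot ok\n' > "$r/var/log/syslog"
        printf 'libfoo v1\n' > "$r/usr/lib/libfoo.so"
    done
    printf 'boot ok\nupgrade ran\n' > "$LIVE/var/log/syslog"
    printf 'queued message\n' > "$LIVE/var/spool/mail/alice"
    # A package-data change under /usr is deliberately not reported:
    # undoing that is what the rollback is for.
    printf 'libfoo v2\n' > "$LIVE/usr/lib/libfoo.so"
}

make_fixture
rollback_losses "$SNAP" "$LIVE" var/log var/spool var/mail
rm -rf "$base"
```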
Then there is the problem of /etc, which contains a mixture of manually maintained files, manually updated package files, automatically maintained state files, and automatically updated package files. Much like /var, you must roll back /etc along with /usr, and that will cost you anything you've done by hand since the upgrade, or any state updates for things that live outside of the root filesystem.
(In some environments, state files are potentially significant. For example, ZFS normally maintains state information about your active pools in /etc/zfs/zpool.cache.)
On Linux, rolling back the root filesystem basically requires a reboot, making it a relatively high impact operation on top of everything else. Some of this is simply the general problem that running programs will no longer have the right versions of shared libraries, configuration files, databases, and so on in the filesystem. Some of this is because the Linux kernel contains internal data structures for active files (and known files more generally) that it doesn't entirely expect to be yanked out from underneath it.
These problems are all magnified if you don't notice problems right away, and if you make routine use of the system before noticing problems. The longer the post-snapshot system is running in normal use, the more user data, changes, and running programs you will have accumulated. The more things that have accumulated, the more disruptive any rollback will be.
Given that you're balancing the disruption, loss, and risks of a rollback against the disruption, loss, and risks of whatever is wrong after the upgrade, it may not take too long before the second option is less disruptive. A related issue is that if you can solve your problems by reinstalling an older version of one or more packages, it's basically guaranteed to be less disruptive than a root filesystem rollback. This means that root filesystem rollbacks are only worthwhile in situations with a lot of changes all at once that you can't feasibly roll back, like distribution version upgrades. These are the situations where maintaining a snapshot takes the most disk space, since so much changes.
(In addition, pragmatically things don't go majorly wrong with major upgrades all that often, especially if you wait a while before doing them to let other people discover the significant issues. And remember to read the upgrade notes.)
A very carefully managed system can avoid all of these problems. If you've moved all user data into a separate filesystem, change the system through automation (also stored in a separate filesystem), push logs to a separate area, do significant testing after an upgrade before putting things in production, and can reboot with low impact, rollbacks could work great. But this is not very much like typical Linux desktop systems; it's more like a "cattle" style cloud server. Very little in a typical Fedora, Debian, or Ubuntu system will help you naturally manage it this way.
(There are other situations where rollbacks are potentially useful. For example, if you have a test system with no user data, no important logs, and no particular manually maintained changes that you frequently try out chancy updates on. If everything on the system is basically expendable anyway, reverting to a snapshot is potentially the fastest way to return it to service.)
Sidebar: Snapshots by themselves can be valuable
A snapshot by itself provides you an immediate, readily accessible backup of the state of things before you made the change. This can be useful and sometimes quite valuable in ordinary package updates. For example, if you upgrade a package and the package updates the format of its database in /var so that you can't revert back to an older package version, a snapshot potentially lets you fish out the old pre-upgrade database and drop it into place to go with the older package version.