Volume recovery using an APFS snapshot

Many of us have been using APFS for two years now, since its was first made the default file system for SSDs in High Sierra. Yet one topic keeps cropping up: the lack of third-party repair and maintenance tools. Although some now claim to be able to perform limited tasks, there’s no doubt that HFS+ is fully supported, and with APFS you’re essentially reliant on Apple’s Disk Utility and fsck.

The great majority of everyday repair and recovery tasks are at the volume level. Whether a user has just trashed most of their files inadvertently, or an installer has gone badly wrong, it’s generally the volume which needs attention. Although there’s no reason to doubt the efficacy of Disk Utility and fsck for tackling directory errors – which seem to be exceedingly rare on SSDs – they’re not designed to recover contents beyond that. APFS does, though, have a new feature which should be ideal: (local) snapshots.

I’ll look in more detail at how snapshots work in the next article. For now, consider them to be an image of the APFS file system on that volume at a particular moment in time, together with the blocks of storage which make up the data. Once that snapshot has been made, the file system keeps old storage blocks which contain data that has been deleted or replaced. This allows you to restore almost instantly the state of the file system and all its storage at the moment that snapshot was made.

Assume then that a user had just made snapshot of a volume, then decided to trash some folders. They made a mistake, trashed the contents of the whole volume, and now want to restore it using that snapshot. So long as they have left the volume with its snapshot, this should be possible in the twinkling of an eye. And I happened to have a brand new 2 TB SSD on which to try this out.

The first problem you face is making a snapshot, as there’s no app or command tool which will take an arbitrary APFS volume and make a snapshot of it. The reasons for this are complex, and currently Apple only allows specially-approved backup apps such as its own Time Machine, Mike Bombich’s Carbon Copy Cloner, and SuperDuper! this privilege. I will explain the reasoning behind this in the next article; it appears bizarre, but turns out to be good sense after all.

Cursory reading of the documentation for tmutil might suggest that all you need do is type in the command
tmutil localsnapshot
but that only works for volumes which are already part of your Time Machine backup set. I didn’t want to make this 2 TB external SSD clutter up my backups, so had to remove it from Time Machine’s exclude list, type the command to generate a complete set of snapshots across all volumes in the backup list, then quickly add the volume back to the exclude list. This triggered another Time Machine backup, because of the change in the exclude list, of course.

You can then check that the snapshot has been made using a command like
tmutil listlocalsnapshots /Volumes/myVolume
Before making the snapshot, this returned an empty list, but now there were two entries in it made by Time Machine.

I then trashed the entire contents of that volume, and emptied the trash. I could perhaps have used Time Machine to recover items from the snapshots, but chose to use Carbon Copy Cloner (CCC) for its more powerful and flexible controls over restoring from snapshots.

Selecting that volume in CCC, I now turned its own snapshot feature on, and checked that the two snapshots I had already made were listed, as shown. The app conveniently offers a button from which to restore from either of the existing snapshots.

Don’t be put off here by the sizes reported for those snapshots: zero KB is normal and correct for a freshly-made snapshot when all that’s happened since is the deletion of files.

Clicking on the Restore button brought up a new Task, in which I set all files, totalling 716 MB, to be copied from that snapshot to the same volume.

I then clicked on the Clone button, and in less than 6 seconds the volume was fully restored from the snapshot.

CCC then made its own two snapshots, which it added to the list.

You can also view those in Terminal, using a command of the form
tmutil listlocalsnapshots /Volumes/myVolume
which now returned a list of the two snapshots made by Time Machine, and the two made during the restore by CCC:
com.apple.TimeMachine.2019-09-17-200751 com.apple.TimeMachine.2019-09-17-200810 com.bombich.ccc.safetynet.[UUID].2019-09-17-202401 com.bombich.ccc.[UUID].2019-09-17-202408

I’m happy that I’ve demonstrated that snapshots can be used as a tool to almost instantly restore an APFS volume which has had its entire contents trashed – provided that the volume and its snapshots are still intact. Not only that, but the same snapshot could have been recovered several hours or days later, after extensive changes had been made to the volume contents. This is impossible in HFS+ without restoring contents from a formal backup or clone.

As far as I am aware, though, apart from those specific backup apps, no software tools exist to use snapshots for restoring APFS volumes. Making a snapshot in the first place, without putting a volume into a backup regime, is impossible. The reason for this is the fatal flaw in snapshots, which I will describe tomorrow.

10Comments

Add yours

1

EcleX on September 19, 2019 at 2:29 pm

What does “adi” mean in ” /Users/Shared/adi”? Thanks.

LikeLiked by 1 person
- 2
  
  hoakley on September 19, 2019 at 2:49 pm
  
  I have no idea: I didn’t add that, and that folder is hidden. Maybe ‘Apple Diagnostic Information’ as a wild guess?
  Howard.
  
  LikeLike
  - 3
    
    lestertwice on September 19, 2019 at 5:18 pm
    
    I realized only recently the existence of this folder. It seems to be related to App Store and iBooks Store:
    https://www.galvanist.com/posts/2013-11-07-userssharedadi/
    
    LikeLiked by 1 person
    - 4
      
      hoakley on September 19, 2019 at 6:41 pm
      
      Thanks.
      Yes, it’s also related to fpsd, and its service adid is run by user _fpsd. They seem to be iTunes and Apple DRM related.
      It’s a good thing that Apple documents all this so thoroughly so we’d never mistake these for malware.
      Howard.
      
      LikeLike
- 5
  
  EcleX on September 19, 2019 at 4:59 pm
  
  But I thought that you knew everything…
  
  🙂
  
  Could it be malware? I guess not, but just in case. You never know…
  
  LikeLiked by 1 person
6

Mr Claude Binovsky on September 25, 2019 at 1:58 pm

Hello,

Congratulations for Eclecticlight and a big thank to you for the pleasure of reading you every day.

My little restoration experience from a snapshot in the last few days

The situation. Installation of 10.14 Mojave on a 10.12 Sierra on an old MBA 11″ of 2012. Pre-cleaning of the Sierra with DiskWarrior, then installation of Mojave. Everything went very well. Additional update of Mojave 10.14.6 and…… Safari 13! Everything went well too.

But a few moments after, the user has resumed his machine, he informs me to stop receiving mail from his gmail mailboxes. A quick search reports a bug. With safari 13, it is impossible to connect to Google to validate the use of the account on Mail.

Safari 12.1.2 cannot be restored via Time Machine because Safari cannot be deleted. Attempt to recover the correct version from a boot with another disk and copy the application directly into the folder, but at boot time, the lock is still there.

I then tried to do a restoration via the snapshot of the system with Carbon Copy Cloner. The restoration went well, but the restart revealed malfunctions, unable to use screen sharing for example. I wanted to restore an older snapshot, just after the system installation and before the update, but it was gone.

I quickly deduce that the restoration of the system’s snapshots, with CCC, is not perfect. Maybe it is necessary to restore CCC snapshots with CCC?

Finally, the solution to recover the relationship between Mail and Safari 12.1.2 was to reinstall Mojave, then redo the updates, but not Safari.

This text was typed (a little fast) in French and translated by DeepL!

LikeLiked by 1 person
- 7
  
  hoakley on September 25, 2019 at 3:20 pm
  
  Thank you.
  Yes, anything installed by an Apple installer or updater gets complicated, which is why I avoided the area here. Time Machine is supposed to be able to deal with that, but only I think when you run the restore from Recovery Mode. It’s only going to get more complicated in Catalina too, with its read-only System volume.
  I’m hoping that Safari 13.0.1 might have addressed this issue with Gmail?
  Howard.
  
  LikeLike
  - 8
    
    Binovsky Claude on September 25, 2019 at 5:19 pm
    
    No ! Safari 13.0.1 did not address this issue.
    But this work with Catalina !
    
    LikeLiked by 1 person
9

ffuchs on September 29, 2019 at 8:40 am

@Binovsky Claude – macOS 10.14.6 Supplemental Update 2 solved this problem, now you can setup gmail-accounts with safari 13.0.1 again, cheers ferdinand

LikeLiked by 1 person
- 10
  
  Binovsky Claude on September 29, 2019 at 12:44 pm
  
  Yes. I saw it :0)
  Thanks
  
  LikeLiked by 1 person

Share this:

Related