hoakley September 20, 2019 Macs, Technology

The problem with APFS snapshots

In yesterday’s article, I showed how I was able to restore a trashed APFS volume using a snapshot. The main lesson is that, while this is superbly quick and essentially simple, only a very limited number of backup apps are currently able to make snapshots. Restoring from a snapshot is thus only normally available to those volumes which are already being backed up. This article explains why that is.

Snapshots take advantage of the way in which APFS uses its copy on write feature with changing file contents. When changed data are written out to an existing file, it’s written not to the block containing the original data, but to a different block. Not only that, but APFS only writes out as much new data as it needs to.

CoS1

Let’s say that our original document is stored in two blocks, and we make changes which affect only the contents of the second.

CoS2

Instead of APFS writing out new versions of each of those blocks, it only writes the changed block, and the new file is then composed of one new and one old block. So long as all three blocks are kept in storage, the file system can readily deliver either the original or the changed version of that file.

When a snapshot is made, a copy of the file system metadata is made, and the original storage blocks at that instant are preserved. By replacing a later set of file system metadata with the previous copy, provided the original data also remains, that volume can be returned almost instantly to the state at the time of the snapshot. In the case of MyDocument.doc in the diagrams, it would mean pointing the restored version of the file at the two original blue blocks, rather than one blue and one pink.

When you first make a snapshot, it takes up no new storage space itself, and CCC shows it as taking at zero KB. As the volume is used, and changes are made to its contents, for the snapshot to remain usable, all the old storage blocks have to be retained, as does its original metadata. The diagrams above show one document, which after its next edit requires a second storage block for the changed data. If it then undergoes more change, it may require a second storage block, having no storage in common with the original.

This is why the size occupied by a snapshot increases steadily after it is made, until ultimately it could require the same amount of storage space as if it had been a complete duplicate. If you’re working with a few GB of data on a 2 TB volume, that isn’t a problem. But if each snapshot could rise to 1 TB, and you’ve got dozens of snapshots, they could rapidly come to occupy all the free disk space, and block the file system from functioning.

Apple has come up with a portable derivative of the snapshot, the ‘delta’ or difference between snapshots, which can help reduce this problem. However, snapshots remain amazingly powerful tools with this one fatal flaw – they can readily consume all your storage.

Return for a moment to the user we want to protect from indvertently trashing the contents of an external SSD, without having to back it up. We could let them make a snapshot whenever they liked, perhaps, leaving it to them to remove old snapshots whenever they remembered. Even conscientious users would quickly find themselves running into trouble with very large old snapshots taking over their disk free space.

Users who are careful enough to keep only a minimum of recent snapshots could still lead to problems for the file system. Making a snapshot is (almost) instant enough, but removing one is much harder work. So much so that APFS has a sub-system designed to work through all the old storage blocks used by a snapshot and free them up. It’s appropriately named the Reaper.

Making snapshots is a feature which is therefore closely controlled by Apple. For a third-party developer to obtain the special entitlement to do this, they need to demonstrate that their app will not only make those snapshots – the easy part – but will maintain them automatically so that users don’t clog their storage up with old snapshots. Both Time Machine and CCC have stringent controls over how long they will keep snapshots for, and automatically remove them once they’ve expired. This explains why the command
tmutil localsnapshot
only works with volumes which are in your Time Machine backup set, and can’t be used to create arbitrary snapshots of any passing volume whenever you feel like it.

There’s no reason why snapshots can’t be used in tools which are aimed primarily at restoring volumes and their contents without making full physical backups, and for many reasons these may have a more promising future with APFS than conventional repair tools. But they will also need to perform careful housekeeping on their snapshots – and that’s the difficult part.

Further reading

Time Machine snapshots
Carbon Copy Cloner and snapshots.

15Comments

Add yours

1

EcleX on September 20, 2019 at 8:28 am

Backups are not usually updated to the latest millisecond. Thus, properly repairing the disk (read: rebuilding its directory) is usually more convenient and quicker. Besides, such utilities display where the problems are, so you can inspect them.

Restoring a full disk from a backup may be dangerous if such backup has already a corrupted directory. The result may be that some items are lost and the user may not notice that, since not even a warning is issued. Experience has taught us that.

The current problem, of course, is that no utility can rebuild the directory of APFS disks on Mac. That includes DiskWarrior (the best in the repair arsenal), TechTool Pro (second choice) and Drive Genius (third choice).

The reason is that Apple has not yet released documentation about how to write to such APFS disks, as they did about how to read them by September 2018 (after releasing macOS 10.14 Mojave; a year after releasing APFS for Mac and even before for iOS by March 2017!!!). So, time to send feedback to Apple about it:
https://www.apple.com/feedback/macos.html

LikeLiked by 1 person
- 2
  
  hoakley on September 20, 2019 at 8:46 am
  
  I don’t understand your point in the first para. Trying to rebuild a damaged directory often results in loss of data. Returning to a known good state will too, but only the changes made since that snapshot (and even those can be determined from a snapshot delta). It’s the only way to revert to a previously good state.
  This doesn’t restore anything from a backup: it restores the file system to a known previous state. fsck and Disk Utility already check snapshots to verify that they aren’t damaged, so it’s very easy if you’re trying to recover from directory damage to revert to the last undamaged state. This doesn’t involve copying any data either, so it’s non-destructive too.
  Has it occurred to you that:
  – trying to rebuild directories in APFS may not be a useful thing at all, and
  – if you were to rebuild the current directory, surely you’d also want to rebuild all those directories in your snapshots too? At any time on this Mac, I have around 24 snapshots of each of its mounted APFS volumes. Rebuilding 25 directories might get a bit tedious.
  The more that I look at snapshots, the less reason I can see for the traditional HFS+ approach to volume recovery. If you’ve got snapshots (as you will have if you use any decent backup system), then they’re far superior. For example, you can mount a snapshot and recover from it any file or folder from within that snapshot, as well as the whole volume.
  I’d also be fascinated to know the incidence of directory damage in recent versions of APFS on SSDs, compared with HFS+ on hard drives. I think there’s an order of magnitude or three difference. Why should any file system damage is directory structures when running on an SSD?
  I know, you’ll refer back to experience. Is this experience with APFS on SSDs, though? Does it take into account that APFS performs copy on write on its file system metadata, for instance?
  Howard.
  
  LikeLike
3

EcleX on September 20, 2019 at 10:30 am

What I said is for HFS+ in both mechanical rotational disks and SSD. In my experience, no data is lost rebuilding the directory of a disk with a good tool like DiskWarrior.

Of course, you can also restore from a backup, but as said the problem is that they are not usually updated to the last second and takes much longer to restore.

Concerning problems with APFS that required repair, it does happen as found on Internet. For instance, searching Google for
DiskWarrior APFS
finds hits like:

What do you use in place of DiskWarrior to repair data for APFS?
unfortunately I can’t wait for diskwarrior. i’m in need of something much sooner to repair the data on the disk for our customer
this is the error message I’m getting when trying to perform FSCK or first aid on the disk
“macbook first aid volume could not be verified completely”
https://www.ifixit.com/Answers/View/590631/What+do+you+use+in+place+of+DiskWarrior+to+repair+data+for+APFS

[Solved] Is there any tool yet that repairs APFS containers?
So it seems that something is wrong with the snapshots on the SSD of my MacBook Pro – migrated to APFS via normal upgrade going from 10.12 to 10.13. It is now on 10.14.2. (I’ve never previously needed to do a clean install.)
Disk Utility, via Recovery mode, gives me the error below. ie. It can’t fix it.
https://www.macobserver.com/community/mac-questions/is-there-any-tool-yet-that-repairs-apfs-containers

Hard drive issues with Mojave – tried using disk warrior but it gives me warning
hard drive won’t boot up. Currently running off of an OS on external drive. I need to fix the drive but nothing seems to work. Looking for options.
In the meanwhile, I’d recommend occasionally rebuilding your Time Machine drive just in case something ever goes wrong with your Mac. That way, you can easily restore the entire system via macOS Recovery when necessary.

Hard drive issues with Mojave – tried using disk warrior but it gives me warning from osx

APFS damage could happen at any time, when the Mac crashes due to software or hardware issues, and when it is shut down due to lack of electricity, either by mains failure or human stupidity (believe or not, that does happen!). In relation to the latter, previous Mac versions only turned off the display when the Mac was shut down. Since some years ago, the display turns off black (you can only see that it is not truly turned off in a dark environment!), yet the Mac is not turned off yet. When booting from an external disk, that may cause disk damage if unplugged before the Mac is really and truly off.

LikeLiked by 1 person
- 4
  
  hoakley on September 20, 2019 at 11:39 am
  
  Believe it or not, my first job as a young doctor was in brain surgery, and one of the many tragedies I had to deal with was a young girl who had banged her head when she rolled off a sofa. She died as a result. I didn’t start campaigning that all children should have to wear crash helmets when lying on sofas because of risk.
  The fact that you can find reports of people with errors in APFS says absolutely nothing about risk, but that is central to the issue here.
  We both know that HFS+ was notorious for corrupting its metadata. One major improvement which Apple introduced was journalling – it was a kludge solution which reduced data loss, but only worked when you started up. So every time an app crashed badly, we restarted our Macs, let the journal replay, and most of the time the damage was fixed.
  That is because HFS+ doesn’t use copy on write. When changes are made to the directory, they can be written over the original directory data, for example. If anything happens whilst that is being performed, that directory entry is damaged. That’s the sort of damage that DiskWarrior and other utilities repair. They can’t do so perfectly – in many cases, as with journal replay, there is some data loss as a result of the damage.
  DiskWarrior has another strength: because the directory structures in HFS+ were never intended for millions of entries, they tend to become inefficient over time. DiskWarrior rebuilds those structures, clears out the deadwood, and produces a cleaner more efficient directory.
  APFS is different here in several major respects, which you don’t seem to take into account. First, it has been designed from the outset to cope with tens of millions (and more) files, so its directory structures are maintained to remain as efficient as possible at all times. It should therefore never need to be rebuilt in the same way as HFS+.
  Another key change is copy on write. When APFS makes a change to its directory, it cannot overwrite its old data. What it does is write out the new data, and when that is complete and correct, it then makes that block the new block. This is a form of atomic saving – the data are either in one state or the other, and therefore cannot be corrupted. If disaster strikes whilst APFS is writing out the changed data, then when you start up again the original data are used. This can result in small loss of data in that the change doesn’t happen, but that is far less than when replaying the journal, for example.
  One common situation where directory damage has occurred in HFS+ in the past is when an installer goes wrong in the midst of an installation, which can leave a partial installation or update, and damage to directories and files. Those files and directories are also now written using copy on write, which prevents that type of damage from occurring.
  Not only that, by making a snapshot immediately before an installation, if the installation goes wrong, you can revert to the pre-install state. This doesn’t require any files to be copied, and takes less than a second, even if this was a major macOS update. You simply can’t do that in HFS+.
  Those are some of the things that makes APFS such a game changer. Trying to convert a tool for HFS+ to work with APFS is likely to be doomed (if nothing else, through lack of documentation), and the end result is probably going to prove of little use. APFS works completely differently, and disk utilities need to build on its strengths, not rely on the weaknesses of HFS+ in the past. It’s like building a more efficient blacksmith to cope with users changing from horse drawn carts to motor cars!
  Howard.
  
  LikeLike
5

EcleX on September 20, 2019 at 12:47 pm

Thanks for the comprehensive and informative reply. I basically agree with you. My experience is comprehensive with thousands of Macs for many years, but only with HFS+ (many Macs saved thanks to DiskWarrior!). I acknowledge that APFS is another best, being much more robust. Having said that, there are instances in which even APFS can be corrupted, as indicated in my previous message.

You said:
“So every time an app crashed badly, we restarted our Macs, let the journal replay, and most of the time the damage was fixed”.

Do you mean that after a Mac disaster (crash, forces shutdown, mains failure, stupid-user unplugging mains or external booting disk while working –yes that happens!, bad external booting disk cable connection, etc), it is better to reboot the Mac, wait a while (for instance, until Activity Monitor or MenuMeters show no significant activity) for macOS to REPAIR and then and only then run DiskWarrior and maybe Disk Utility later on (or boot in safe mode and reboot before login — is that the same as running Disk Utility?), or could it be better to run DiskWarrior FIRST? Thanks again for your great site!

LikeLiked by 1 person
- 6
  
  hoakley on September 20, 2019 at 1:14 pm
  
  No: you should have been reading MacUser!
  My standard practice in earlier OS X was whenever there was a hard crash (or panic) rather than just an app quit unexpectedly, I’d restart my Mac at the next opportunity.
  If there had been a problem with writing to the disk at the time of the crash, during the restart the volume journal would be replayed automatically to repair the damage which had been caused by the crash, and the file system was healthy again. This prevented the accumulation of small errors which steadily led to a more serious disk error and data loss. The journal replay is performed during the startup process, before login. It then avoided the need to run fsck separately, or Disk Utility, etc.
  Howard.
  
  LikeLike
  - 7
    
    yeechang on September 24, 2019 at 7:55 am
    
    For HFS+, is this journal replaying preferable to booting into single-user mode and running `fsck`? Or do they have the same outcome? And is this also true for APFS?
    
    LikeLiked by 1 person
    - 8
      
      hoakley on September 24, 2019 at 8:13 am
      
      Very good questions!
      With a journaled file system like HFS+, the journal should be allowed to replay before running fsck, I believe. That would normally happen when that file system is mounted. So if you mount the boot volume in SUM, that should bring about the replay, I think. That said, running fsck in SUM seems to be dying out anyway, and for more modern Macs isn’t feasible – I’ve got an article about this which will publish tomorrow morning.
      APFS doesn’t journal, so there’s nothing to replay for an APFS volume. If you’re going to fsck it, you can get straight on with that task.
      I hope that helps.
      Howard.
      
      LikeLike
9

EcleX on September 20, 2019 at 4:01 pm

Actually, I was subscribed to MacUser (USA) until they stop publishing it many years ago. I think that then they continued publishing it from UK. But I think that was different and I do not think that it is currently being published. Please, correct me if I am wrong.

On the other hand, I do not quite get it. Virtually all people reboot the Mac after a crash, forced shut down or similar disaster. That is the only way to keep using the Mac; booting it again. But my question was if it was better to do it (as said, what almost all people do), or run DiskWarrior first, before booting again from such disk.

LikeLiked by 1 person
- 10
  
  hoakley on September 20, 2019 at 4:13 pm
  
  Errm, MacUser (US) was a completely different title, not even published by Dennis Publishing, who published the original and wonderful MacUser from the UK. But I won’t feel too insulted as the mistake is easily made 🙂 I was, of course, referring to the real (UK) MacUser, which sadly ceased publishing around 4 years ago now, but is still greatly missed. MacFormat and Mac|Life I do recommend, in a brief commercial break.
  As a developer, I regularly crash apps, often intentionally. macOS is designed so that you can, and both the system and all other apps should carry on running just fine. It was only really poor old HFS+ that often got into a pickle, which of course it shouldn’t have. After a straight ‘unexpected quit’ (which is an app crash, of course) there’s now no good reason for restarting your Mac.
  Given that HFS+ is a journaled file system (normally), the last thing that you want to do is try to repair anything before the journal has been replayed, it that’s needed. Trying to repair a disk before you’ve let the file system commit changes which it’s wanting to do is only going to make your troubles worse. So no, restart, let any journal replay take place, then consider whether you have more damage to repair. Most of the time, you shouldn’t have. That’s what the journal is intended to do.
  Howard.
  
  LikeLike
11

EcleX on September 20, 2019 at 6:00 pm

Oops! You are right. My confusion was with Macworld, which is from USA. I was subscribed to both at the time (print editions).

On the other hand, thanks again for the information concerning rebooting for journaling. You are right! You could write a boot about all this tips!

LikeLiked by 1 person
12

Jimmy on September 21, 2019 at 6:08 pm

I’m beginning to wonder if Alsoft will ever be able to get DW 6 out the door at this point. I had a client’s MacBook Pro 2018 that had many, many snapshot errors listed while in Recovery Mode/ Desk Util… (I forget the exact error code). Manually deleting them via terminal was quite tedious & I ended up erasing & performing a restore from TM backup. What’s the bottom line here re: APFS rebuilds? Ever going to happen? Not needed? *Seems to me that once you run a time Machine backup, say on a MacBook, then you don’t for a long time (like many clients seem to do), the snapshots just build & build, locally, on the Mac…

LikeLiked by 1 person
- 13
  
  hoakley on September 21, 2019 at 6:57 pm
  
  I can’t speak for Alsoft, but I don’t think that a conventional repair tool is going to be much use with APFS, beyond what you can already do with fsck.
  I’m currently looking at what happens when you stop using Time Machine to back a volume up: if Time Machine is still running, then old snapshots do appear to be deleted on time. However, I can see that turning TM off altogether could easily leave those snapshots orphaned, and left to grow steadily in size.
  A useful tool here is Carbon Copy Cloner, which reveals all snapshots on mounted volumes, with their dates and sizes.
  Howard.
  
  LikeLike
14

Jimmy on September 22, 2019 at 1:54 am

Thanks. Good to know re: CCC. Alsoft says they’re working on (it) and DW 6 *will rebuild APFS disks… it’s been an awfully long wait, though. *Great website, by the way!

LikeLiked by 1 person
- 15
  
  hoakley on September 22, 2019 at 7:31 am
  
  Thank you.
  There are more fundamental problems here. At any time, each of my active volumes has 25 sets of file system metadata – the current set, and 24 hourly snapshots. It’s all very good rebuilding just the current metadata, but that does nothing for those snapshots, which I might need to roll back to. If any directory rebuilding tool is going to be fully functional on APFS, it therefore has to repeat the rebuild 25 times, to cover all the snapshots.
  I also have to ask why rebuilding should be necessary or beneficial. If Apple can’t implement B-trees properly in APFS, then we should all abandon hope. Why should any third-party tool need to rebuild APFS directories at all?
  Howard.
  
  LikeLike

·Comments are closed.

Share this:

Related