Features/SystemRollbackWithBtrfs

= System Rollback With Btrfs =

Summary
If a user has chosen to use Btrfs on one or more partitions, this feature will:


 * 1) automatically create new disk snapshots before each yum transaction
 * 2) enable the user to change which snapshot will be next booted into, if desired
 * 3) enable the user to manually create a new snapshot, if desired

All of the above will require superuser privileges.

Owner

 * Name: Chris Ball, Josef Bacik
 * email: cjb@laptop.org, josef@redhat.com

Current status

 * Targeted release: Fedora 13
 * Last updated: 2010-04-01
 * Percentage of completion: 100%


 * Kernel patches for listing subvols and setting default subvolumes are in Linus' tree and the F13 kernel now
 * Josef's yum plugin has been merged
 * Palimpsest code is not finished, and will be deferred until F14.
 * Bugs for UI changes: https://bugzilla.gnome.org/show_bug.cgi?id=608204, http://bugs.freedesktop.org/show_bug.cgi?id=26258

Detailed Description
Btrfs is capable of creating lightweight filesystem snapshots that can be mounted (and booted into) selectively. The created snapshots are copy-on-write snapshots, so there is no file duplication overhead involved for files that do not change between snapshots.

It's important to note that these snapshots are whole-filesystem snapshots -- while we propose to create a new snapshot each time a yum transaction happens, that doesn't mean reverting to an earlier snapshot will only revert the files changed by yum! The entire root filesystem will be reverted, including users' home directories if they are on btrfs. (Because of this, a user may decide to keep /home on a separate, non-btrfs partition where it is unaffected by rollbacks they decide to initiate.)

A "rollback" to an older snapshot is not destructive to data. It switches to an earlier snapshot, and later snapshots are still available afterwards. We allow the user to choose which snapshot will be mounted next, and making that choice does not affect or destroy any other snapshots.

We are not proposing Btrfs to be the default filesystem for Fedora 13; this feature would only be present on installs where Btrfs has been optionally chosen for at least one filesystem.

Benefit to Fedora
There are several interesting use cases for this feature:


 * Aaron is a developer whose laptop tracks Rawhide daily. There will be days where Rawhide is not bootable/usable, though.  When Rawhide breaks, automated snapshots allow Aaron to easily revert to the previous day's filesystem until Rawhide's known-working again.
 * Barbara wishes to bisect a mysterious bug that appears to have crept in on one of her recent Rawhide updates. Performing the full-system bisection is made easier by binary searching the snapshots on her disk, to narrow down responsibility for the bug to a small list of modified packages and their versions.
 * Christine wishes to create weekly snapshots by hand in case she later wants to have access to older versions of the files she's been working on.
 * Donald has, independent of yum/rpm, somehow hosed his system and doesn't know how to recover it. He'd like to revert back to the last snapshot that was made.

Of these, the ability for our developers to feel comfortable tracking Rawhide without fear of an unusable install seems to have the most immediate utility to Fedora.

Scope
We propose to create:


 * (deferred) a new "btrfs" section in gnome-disk-utility/Palimpsest. When a btrfs filesystem is highlighted, the user is shown a drop-down menu that allows choosing the snapshot that will be used the next time the filesystem is mounted, and a separate text box and "create" button for creating a new snapshot immediately.  (cjb)
 * (finished) a yum plugin to create a timestamped snapshot just before starting each yum transaction. (josef, skvidal)
 * (deferred) a patch to grub1 -- on top of the already existing patch to support btrfs in grub1 -- to allow selecting between snapshots of the boot partition.
 * (finished) a patch to btrfs to set an fs-specific option of which snapshot should be the next "default" to boot. This avoids having the control panel need to modify either the grub config or /etc/fstab; instead it would just set a filesystem property with btrfsctl(1).
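The snapshot-selection step described in the last item, as an added example (not the yum plugin's or Palimpsest's code): it parses `btrfs subvolume list` output, keeps only snapshots matching an assumed `yum_<timestamp>` naming scheme, and builds the argv that makes one of them the default at next mount. It assumes the `btrfs subvolume` commands from btrfs-progs rather than the btrfsctl(1) named above; the sample listing and all function names are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample of `btrfs subvolume list /` output, not from a real system.
SAMPLE_LISTING = """\
ID 256 gen 412 top level 5 path home
ID 257 gen 398 top level 5 path yum_20100329101500
ID 258 gen 405 top level 5 path yum_20100331084210
ID 259 gen 411 top level 5 path yum_20100401173055
ID 260 gen 409 top level 5 path manual-before-upgrade
ID 261 gen 410 top level 5 path yum_20101399000000
"""

LINE_RE = re.compile(r"^ID (\d+) gen \d+ top level \d+ path (.+)$")
SNAP_RE = re.compile(r"^yum_(\d{14})$")  # assumed naming scheme, not from the page
STAMP = "%Y%m%d%H%M%S"

def snapshot_name(now):
    """Name for the snapshot taken just before a yum transaction starts."""
    return "yum_" + now.strftime(STAMP)

def parse_yum_snapshots(listing):
    """Return [(taken_at, subvol_id, path)], oldest first; skip anything else."""
    snaps = []
    for line in listing.splitlines():
        row = LINE_RE.match(line.strip())
        name = SNAP_RE.match(row.group(2)) if row else None
        if not name:
            continue  # other subvolumes and hand-made snapshots
        try:
            taken_at = datetime.strptime(name.group(1), STAMP)
        except ValueError:
            continue  # 14 digits that are not a real date
        snaps.append((taken_at, int(row.group(1)), row.group(2)))
    return sorted(snaps)

def rollback_argv(listing, known_good, mountpoint="/"):
    """argv selecting the newest yum snapshot taken at or before known_good."""
    older = [s for s in parse_yum_snapshots(listing) if s[0] <= known_good]
    if not older:
        raise LookupError("no yum snapshot at or before %s" % known_good)
    _, subvol_id, _ = older[-1]
    # An argv list, never a shell string: nothing from the listing is interpolated.
    return ["btrfs", "subvolume", "set-default", str(subvol_id), mountpoint]

if __name__ == "__main__":
    print(snapshot_name(datetime(2010, 4, 1, 17, 30, 55)))
    print(rollback_argv(SAMPLE_LISTING, datetime(2010, 4, 1, 12, 0)))
```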

How To Test
The test plan will look something like:


 * Make your root filesystem be on btrfs. This can be done by selecting it in the installer, or by running the btrfs migration tool from ext3 or ext4.  Make sure to have a backup first!
 * Boot into the new btrfs system, and perform a "yum install". Does palimpsest show that a new snapshot was created?  Does it allow you to set that snapshot as active for the next boot without any errors?
 * When you reboot, verify that the application you successfully yum-installed is no longer present on the system.
 * Switch back to the latest "default" snapshot and reboot. Test that the yum-installed app is present once more.
 * Try creating a snapshot by hand using palimpsest, and set it as active for the next boot. Before rebooting, touch a file in the root directory of the filesystem.  After you reboot, it should be gone.

User Experience
There will be new options available if your disk contains btrfs filesystems and you run palimpsest. If there is a mounted btrfs partition, palimpsest will offer a selection of old snapshots to use at next mount, and offer the creation of new ones. If there are no btrfs mounts, the UI will be entirely unchanged.

If the grub subfeature is completed, and a user has chosen to use btrfs as their boot filesystem, users will see a list of date/timestamps corresponding to snapshots that they can select from by interrupting grub at boot-time.

Dependencies
All of the support needed for btrfs snapshots should be already present in the kernel. The patch to support btrfs in grub has not been committed to grub1 so far (although we note that Gentoo already carries it locally). We would have to persuade the Fedora Grub maintainer(s) to adopt the patch for the grub subfeature to be completed.

Contingency Plan
None necessary, revert if not completed.

Documentation
Here is generic documentation on btrfs snapshots:


 * http://blogs.igalia.com/aperez/2008/06/more-btrfs-goodness-snapshots/
 * http://btrfs.wiki.kernel.org/index.php/Getting_started

There will be significant documentation work needed to explain the following about this feature:


 * While the snapshots are automatically created as part of yum transactions, they are full disk snapshots, not merely snapshots of the package changes.
 * Rolling back to an earlier snapshot is not destructive. You can go back to the most recent version of the filesystem again afterwards using the same tool you used to switch to the earlier one.

Release Notes

 * Users of the experimental btrfs filesystem in Fedora 13 benefit from automatic filesystem snapshots each time the yum package manager performs an installation or upgrade, and from a user interface to allow switching between snapshots.

Comments and Discussion

 * See Talk:Features/SystemRollbackWithBtrfs