NetApp Community Update
This site will enter Read Only mode on July 23 as we prepare to move to a new platform. You will still be able to view content, but posting and replying will be temporarily disabled.
We're excited to launch our new Community experience on July 30 and more information will follow soon.
Stay connected during the transition - Join our Discord community today.

Network and Storage Protocols

Can we disable access to files in snapshots?

sschmitt
9,271 Views

Hi,

a customers is asking to disable access to files or delete files in snapshots.

What I know, this is not possible at all.

Any expert expertise on this?

Disable snapdir is not an option.

Can we use fpolicy to change ACLs in snapshots?

Thx

8 REPLIES 8

eric_barlier
9,271 Views

Hi Stefan,

are you looking for this:

options cifs.show_snapshot off

https://now.netapp.com/Knowledgebase/solutionarea.asp?id=kb5754

You cannot delete files from snapshots, snapshots are READ ONLY. You can only copy a file from a snapshot and then put it

where you want, provided you have got access to this.

I think setting the option above will sort you out.

Let us know how it goes.

Eric

adamfox
9,271 Views

That option will hide the ~snapshot directory, but it will still be available if people explicitly ask for it.

There is no way short of nosnapdir to eliminate access to snapshots..that's what nosnapdir is for.  You can't change the permissions in a snapshot as that would defeat the purpose of the snapshot.

amiller_1
9,271 Views

I must admit I'm curious....why is nosnapdir not an option? (as Adam noted, that does look to address what you want)

sschmitt
9,271 Views

nosnapdir is a possible solution, but not for the customer.

He wants to be able to access snapshot directory for restores. Only a few files should be blocked/deleted.

I know this is a strange question.... but deep in my mind I hoped someone knows a better solution

eric_barlier
9,271 Views

is combining fpolicy and nosnapdir close better or same? Obviously fpolicy is enforced on the active file system in first instance so probably not..

Eric

adamfox
9,271 Views

Unfortunately, modifying or deleting files in a snapshot violate the whole point of the snapshot which is to have a unchangeable point-in-time copy of the volume.

But thinking a little outside the box, you could turn on nosnapdir, then instead of presenting snapshots for restores, you could spin off FlexClones which are read/write and therefore could be modified.  It may be possible to write a script that spins off a clone, makes the modifications you want, then shares out the clone read-only.  Restore would have to be done from the cloned volume instead of .snapshot, but the presented clone(s) could be based on the same snapshots (or a subset of them).

That may be reaching a bit and is, IMHO, a bit of an ugly kludge, but it might solve their specific problem.

amiller_1
9,271 Views

Ditto basically....this is all I could come up with as well (you beat me to posting it ).

If you're going to that level though, disabling nosnapdir, grabbing the file, enabling nosnapdir may make as much (or more) sense.

sschmitt
9,271 Views

This request came from their internal revision department.

They fixed it within the virus scanning engine.... If someone wants to access a "secret" file, which should not be there, they mark it as "dirty". So nobody can access it.

But thanks for the cool alternate answers here!

Public