1.\" 2.\" CDDL HEADER START 3.\" 4.\" The contents of this file are subject to the terms of the 5.\" Common Development and Distribution License (the "License"). 6.\" You may not use this file except in compliance with the License. 7.\" 8.\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9.\" or http://www.opensolaris.org/os/licensing. 10.\" See the License for the specific language governing permissions 11.\" and limitations under the License. 12.\" 13.\" When distributing Covered Code, include this CDDL HEADER in each 14.\" file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15.\" If applicable, add the following below this CDDL HEADER, with the 16.\" fields enclosed by brackets "[]" replaced with your own identifying 17.\" information: Portions Copyright [yyyy] [name of copyright owner] 18.\" 19.\" CDDL HEADER END 20.\" 21.\" 22.\" Copyright (c) 2009 Sun Microsystems, Inc. All Rights Reserved. 23.\" Copyright 2011 Joshua M. Clulow <josh@sysmgr.org> 24.\" Copyright (c) 2011, 2019 by Delphix. All rights reserved. 25.\" Copyright (c) 2013 by Saso Kiselkov. All rights reserved. 26.\" Copyright (c) 2014, Joyent, Inc. All rights reserved. 27.\" Copyright (c) 2014 by Adam Stevko. All rights reserved. 28.\" Copyright (c) 2014 Integros [integros.com] 29.\" Copyright 2019 Richard Laager. All rights reserved. 30.\" Copyright 2018 Nexenta Systems, Inc. 31.\" Copyright 2019 Joyent, Inc. 32.\" 33.Dd June 30, 2019 34.Dt ZFS-SEND 8 35.Os 36.Sh NAME 37.Nm zfs-send 38.Nd Generate a send stream, which may be of a filesystem, and may be incremental from a bookmark. 39.Sh SYNOPSIS 40.Nm zfs 41.Cm send 42.Op Fl DLPRbcehnpvw 43.Op Oo Fl I Ns | Ns Fl i Oc Ar snapshot 44.Ar snapshot 45.Nm zfs 46.Cm send 47.Op Fl DLPRcenpvw 48.Op Fl i Ar snapshot Ns | Ns Ar bookmark 49.Ar filesystem Ns | Ns Ar volume Ns | Ns Ar snapshot 50.Nm zfs 51.Cm send 52.Fl -redact Ar redaction_bookmark 53.Op Fl DLPcenpv 54.br 55.Op Fl i Ar snapshot Ns | Ns Ar bookmark 56.Ar snapshot 57.Nm zfs 58.Cm send 59.Op Fl Penv 60.Fl t 61.Ar receive_resume_token 62.Nm zfs 63.Cm send 64.Op Fl Pnv 65.Fl S Ar filesystem 66.Nm zfs 67.Cm redact 68.Ar snapshot redaction_bookmark 69.Ar redaction_snapshot Ns ... 70.Sh DESCRIPTION 71.Bl -tag -width "" 72.It Xo 73.Nm zfs 74.Cm send 75.Op Fl DLPRbcehnpvw 76.Op Oo Fl I Ns | Ns Fl i Oc Ar snapshot 77.Ar snapshot 78.Xc 79Creates a stream representation of the second 80.Ar snapshot , 81which is written to standard output. 82The output can be redirected to a file or to a different system 83.Po for example, using 84.Xr ssh 1 85.Pc . 86By default, a full stream is generated. 87.Bl -tag -width "-D" 88.It Fl D, -dedup 89Deduplicated send is no longer supported. 90This flag is accepted for backwards compatibility, but a regular, 91non-deduplicated stream will be generated. 92.It Fl I Ar snapshot 93Generate a stream package that sends all intermediary snapshots from the first 94snapshot to the second snapshot. 95For example, 96.Fl I Em @a Em fs@d 97is similar to 98.Fl i Em @a Em fs@b Ns \&; Fl i Em @b Em fs@c Ns \&; Fl i Em @c Em fs@d . 99The incremental source may be specified as with the 100.Fl i 101option. 102.It Fl L, -large-block 103Generate a stream which may contain blocks larger than 128KB. 104This flag has no effect if the 105.Sy large_blocks 106pool feature is disabled, or if the 107.Sy recordsize 108property of this filesystem has never been set above 128KB. 109The receiving system must have the 110.Sy large_blocks 111pool feature enabled as well. 112See 113.Xr zpool-features 5 114for details on ZFS feature flags and the 115.Sy large_blocks 116feature. 117.It Fl P, -parsable 118Print machine-parsable verbose information about the stream package generated. 119.It Fl R, -replicate 120Generate a replication stream package, which will replicate the specified 121file system, and all descendent file systems, up to the named snapshot. 122When received, all properties, snapshots, descendent file systems, and clones 123are preserved. 124.Pp 125If the 126.Fl i 127or 128.Fl I 129flags are used in conjunction with the 130.Fl R 131flag, an incremental replication stream is generated. 132The current values of properties, and current snapshot and file system names are 133set when the stream is received. 134If the 135.Fl F 136flag is specified when this stream is received, snapshots and file systems that 137do not exist on the sending side are destroyed. If the 138.Fl R 139flag is used to send encrypted datasets, then 140.Fl w 141must also be specified. 142.It Fl e, -embed 143Generate a more compact stream by using 144.Sy WRITE_EMBEDDED 145records for blocks which are stored more compactly on disk by the 146.Sy embedded_data 147pool feature. 148This flag has no effect if the 149.Sy embedded_data 150feature is disabled. 151The receiving system must have the 152.Sy embedded_data 153feature enabled. 154If the 155.Sy lz4_compress 156feature is active on the sending system, then the receiving system must have 157that feature enabled as well. Datasets that are sent with this flag may not be 158received as an encrypted dataset, since encrypted datasets cannot use the 159.Sy embedded_data 160feature. 161See 162.Xr zpool-features 5 163for details on ZFS feature flags and the 164.Sy embedded_data 165feature. 166.It Fl b, -backup 167Sends only received property values whether or not they are overridden by local 168settings, but only if the dataset has ever been received. Use this option when 169you want 170.Nm zfs Cm receive 171to restore received properties backed up on the sent dataset and to avoid 172sending local settings that may have nothing to do with the source dataset, 173but only with how the data is backed up. 174.It Fl c, -compressed 175Generate a more compact stream by using compressed WRITE records for blocks 176which are compressed on disk and in memory 177.Po see the 178.Sy compression 179property for details 180.Pc . 181If the 182.Sy lz4_compress 183feature is active on the sending system, then the receiving system must have 184that feature enabled as well. 185If the 186.Sy large_blocks 187feature is enabled on the sending system but the 188.Fl L 189option is not supplied in conjunction with 190.Fl c , 191then the data will be decompressed before sending so it can be split into 192smaller block sizes. Streams sent with 193.Fl c 194will not have their data recompressed on the receiver side using 195.Fl o compress=value. 196The data will stay compressed as it was from the sender. The new compression 197property will be set for future data. 198.It Fl w, -raw 199For encrypted datasets, send data exactly as it exists on disk. This allows 200backups to be taken even if encryption keys are not currently loaded. The 201backup may then be received on an untrusted machine since that machine will 202not have the encryption keys to read the protected data or alter it without 203being detected. Upon being received, the dataset will have the same encryption 204keys as it did on the send side, although the 205.Sy keylocation 206property will be defaulted to 207.Sy prompt 208if not otherwise provided. For unencrypted datasets, this flag will be 209equivalent to 210.Fl Lec . 211Note that if you do not use this flag for sending encrypted datasets, data will 212be sent unencrypted and may be re-encrypted with a different encryption key on 213the receiving system, which will disable the ability to do a raw send to that 214system for incrementals. 215.It Fl h, -holds 216Generate a stream package that includes any snapshot holds (created with the 217.Sy zfs hold 218command), and indicating to 219.Sy zfs receive 220that the holds be applied to the dataset on the receiving system. 221.It Fl i Ar snapshot 222Generate an incremental stream from the first 223.Ar snapshot 224.Pq the incremental source 225to the second 226.Ar snapshot 227.Pq the incremental target . 228The incremental source can be specified as the last component of the snapshot 229name 230.Po the 231.Sy @ 232character and following 233.Pc 234and it is assumed to be from the same file system as the incremental target. 235.Pp 236If the destination is a clone, the source may be the origin snapshot, which must 237be fully specified 238.Po for example, 239.Em pool/fs@origin , 240not just 241.Em @origin 242.Pc . 243.It Fl n, -dryrun 244Do a dry-run 245.Pq Qq No-op 246send. 247Do not generate any actual send data. 248This is useful in conjunction with the 249.Fl v 250or 251.Fl P 252flags to determine what data will be sent. 253In this case, the verbose output will be written to standard output 254.Po contrast with a non-dry-run, where the stream is written to standard output 255and the verbose output goes to standard error 256.Pc . 257.It Fl p, -props 258Include the dataset's properties in the stream. 259This flag is implicit when 260.Fl R 261is specified. 262The receiving system must also support this feature. Sends of encrypted datasets 263must use 264.Fl w 265when using this flag. 266.It Fl v, -verbose 267Print verbose information about the stream package generated. 268This information includes a per-second report of how much data has been sent. 269.Pp 270The format of the stream is committed. 271You will be able to receive your streams on future versions of ZFS. 272.El 273.It Xo 274.Nm zfs 275.Cm send 276.Op Fl DLPRcenpvw 277.Op Fl i Ar snapshot Ns | Ns Ar bookmark 278.Ar filesystem Ns | Ns Ar volume Ns | Ns Ar snapshot 279.Xc 280Generate a send stream, which may be of a filesystem, and may be incremental 281from a bookmark. 282If the destination is a filesystem or volume, the pool must be read-only, or the 283filesystem must not be mounted. 284When the stream generated from a filesystem or volume is received, the default 285snapshot name will be 286.Qq --head-- . 287.Bl -tag -width "-L" 288.It Fl L, -large-block 289Generate a stream which may contain blocks larger than 128KB. 290This flag has no effect if the 291.Sy large_blocks 292pool feature is disabled, or if the 293.Sy recordsize 294property of this filesystem has never been set above 128KB. 295The receiving system must have the 296.Sy large_blocks 297pool feature enabled as well. 298See 299.Xr zpool-features 5 300for details on ZFS feature flags and the 301.Sy large_blocks 302feature. 303.It Fl P, -parsable 304Print machine-parsable verbose information about the stream package generated. 305.It Fl c, -compressed 306Generate a more compact stream by using compressed WRITE records for blocks 307which are compressed on disk and in memory 308.Po see the 309.Sy compression 310property for details 311.Pc . 312If the 313.Sy lz4_compress 314feature is active on the sending system, then the receiving system must have 315that feature enabled as well. 316If the 317.Sy large_blocks 318feature is enabled on the sending system but the 319.Fl L 320option is not supplied in conjunction with 321.Fl c , 322then the data will be decompressed before sending so it can be split into 323smaller block sizes. 324.It Fl w, -raw 325For encrypted datasets, send data exactly as it exists on disk. This allows 326backups to be taken even if encryption keys are not currently loaded. The 327backup may then be received on an untrusted machine since that machine will 328not have the encryption keys to read the protected data or alter it without 329being detected. Upon being received, the dataset will have the same encryption 330keys as it did on the send side, although the 331.Sy keylocation 332property will be defaulted to 333.Sy prompt 334if not otherwise provided. For unencrypted datasets, this flag will be 335equivalent to 336.Fl Lec . 337Note that if you do not use this flag for sending encrypted datasets, data will 338be sent unencrypted and may be re-encrypted with a different encryption key on 339the receiving system, which will disable the ability to do a raw send to that 340system for incrementals. 341.It Fl e, -embed 342Generate a more compact stream by using 343.Sy WRITE_EMBEDDED 344records for blocks which are stored more compactly on disk by the 345.Sy embedded_data 346pool feature. 347This flag has no effect if the 348.Sy embedded_data 349feature is disabled. 350The receiving system must have the 351.Sy embedded_data 352feature enabled. 353If the 354.Sy lz4_compress 355feature is active on the sending system, then the receiving system must have 356that feature enabled as well. Datasets that are sent with this flag may not be 357received as an encrypted dataset, since encrypted datasets cannot use the 358.Sy embedded_data 359feature. 360See 361.Xr zpool-features 5 362for details on ZFS feature flags and the 363.Sy embedded_data 364feature. 365.It Fl i Ar snapshot Ns | Ns Ar bookmark 366Generate an incremental send stream. 367The incremental source must be an earlier snapshot in the destination's history. 368It will commonly be an earlier snapshot in the destination's file system, in 369which case it can be specified as the last component of the name 370.Po the 371.Sy # 372or 373.Sy @ 374character and following 375.Pc . 376.Pp 377If the incremental target is a clone, the incremental source can be the origin 378snapshot, or an earlier snapshot in the origin's filesystem, or the origin's 379origin, etc. 380.It Fl n, -dryrun 381Do a dry-run 382.Pq Qq No-op 383send. 384Do not generate any actual send data. 385This is useful in conjunction with the 386.Fl v 387or 388.Fl P 389flags to determine what data will be sent. 390In this case, the verbose output will be written to standard output 391.Po contrast with a non-dry-run, where the stream is written to standard output 392and the verbose output goes to standard error 393.Pc . 394.It Fl v, -verbose 395Print verbose information about the stream package generated. 396This information includes a per-second report of how much data has been sent. 397.El 398.It Xo 399.Nm zfs 400.Cm send 401.Fl -redact Ar redaction_bookmark 402.Op Fl DLPcenpv 403.br 404.Op Fl i Ar snapshot Ns | Ns Ar bookmark 405.Ar snapshot 406.Xc 407Generate a redacted send stream. 408This send stream contains all blocks from the snapshot being sent that aren't 409included in the redaction list contained in the bookmark specified by the 410.Fl -redact 411(or 412.Fl -d 413) flag. 414The resulting send stream is said to be redacted with respect to the snapshots 415the bookmark specified by the 416.Fl -redact No flag was created with. 417The bookmark must have been created by running 418.Sy zfs redact 419on the snapshot being sent. 420.sp 421This feature can be used to allow clones of a filesystem to be made available on 422a remote system, in the case where their parent need not (or needs to not) be 423usable. 424For example, if a filesystem contains sensitive data, and it has clones where 425that sensitive data has been secured or replaced with dummy data, redacted sends 426can be used to replicate the secured data without replicating the original 427sensitive data, while still sharing all possible blocks. 428A snapshot that has been redacted with respect to a set of snapshots will 429contain all blocks referenced by at least one snapshot in the set, but will 430contain none of the blocks referenced by none of the snapshots in the set. 431In other words, if all snapshots in the set have modified a given block in the 432parent, that block will not be sent; but if one or more snapshots have not 433modified a block in the parent, they will still reference the parent's block, so 434that block will be sent. 435Note that only user data will be redacted. 436.sp 437When the redacted send stream is received, we will generate a redacted 438snapshot. 439Due to the nature of redaction, a redacted dataset can only be used in the 440following ways: 441.sp 4421. To receive, as a clone, an incremental send from the original snapshot to one 443of the snapshots it was redacted with respect to. 444In this case, the stream will produce a valid dataset when received because all 445blocks that were redacted in the parent are guaranteed to be present in the 446child's send stream. 447This use case will produce a normal snapshot, which can be used just like other 448snapshots. 449.sp 4502. To receive an incremental send from the original snapshot to something 451redacted with respect to a subset of the set of snapshots the initial snapshot 452was redacted with respect to. 453In this case, each block that was redacted in the original is still redacted 454(redacting with respect to additional snapshots causes less data to be redacted 455(because the snapshots define what is permitted, and everything else is 456redacted)). 457This use case will produce a new redacted snapshot. 458.sp 4593. To receive an incremental send from a redaction bookmark of the original 460snapshot that was created when redacting with respect to a subset of the set of 461snapshots the initial snapshot was created with respect to 462anything else. 463A send stream from such a redaction bookmark will contain all of the blocks 464necessary to fill in any redacted data, should it be needed, because the sending 465system is aware of what blocks were originally redacted. 466This will either produce a normal snapshot or a redacted one, depending on 467whether the new send stream is redacted. 468.sp 4694. To receive an incremental send from a redacted version of the initial 470snapshot that is redacted with respect to a subject of the set of snapshots the 471initial snapshot was created with respect to. 472A send stream from a compatible redacted dataset will contain all of the blocks 473necessary to fill in any redacted data. 474This will either produce a normal snapshot or a redacted one, depending on 475whether the new send stream is redacted. 476.sp 4775. To receive a full send as a clone of the redacted snapshot. 478Since the stream is a full send, it definitionally contains all the data needed 479to create a new dataset. 480This use case will either produce a normal snapshot or a redacted one, depending 481on whether the full send stream was redacted. 482.sp 483These restrictions are detected and enforced by \fBzfs receive\fR; a 484redacted send stream will contain the list of snapshots that the stream is 485redacted with respect to. 486These are stored with the redacted snapshot, and are used to detect and 487correctly handle the cases above. Note that for technical reasons, raw sends 488and redacted sends cannot be combined at this time. 489.It Xo 490.Nm zfs 491.Cm send 492.Op Fl Penv 493.Fl t 494.Ar receive_resume_token 495.Xc 496Creates a send stream which resumes an interrupted receive. 497The 498.Ar receive_resume_token 499is the value of this property on the filesystem or volume that was being 500received into. 501See the documentation for 502.Sy zfs receive -s 503for more details. 504.It Xo 505.Nm zfs 506.Cm send 507.Op Fl Pnv 508.Op Fl i Ar snapshot Ns | Ns Ar bookmark 509.Fl S 510.Ar filesystem 511.Xc 512Generate a send stream from a dataset that has been partially received. 513.Bl -tag -width "-L" 514.It Fl S, -saved 515This flag requires that the specified filesystem previously received a resumable 516send that did not finish and was interrupted. In such scenarios this flag 517enables the user to send this partially received state. Using this flag will 518always use the last fully received snapshot as the incremental source if it 519exists. 520.El 521.It Xo 522.Nm zfs 523.Cm redact 524.Ar snapshot redaction_bookmark 525.Ar redaction_snapshot Ns ... 526.Xc 527Generate a new redaction bookmark. 528In addition to the typical bookmark information, a redaction bookmark contains 529the list of redacted blocks and the list of redaction snapshots specified. 530The redacted blocks are blocks in the snapshot which are not referenced by any 531of the redaction snapshots. 532These blocks are found by iterating over the metadata in each redaction snapshot 533to determine what has been changed since the target snapshot. 534Redaction is designed to support redacted zfs sends; see the entry for 535.Sy zfs send 536for more information on the purpose of this operation. 537If a redact operation fails partway through (due to an error or a system 538failure), the redaction can be resumed by rerunning the same command. 539.El 540.Ss Redaction 541ZFS has support for a limited version of data subsetting, in the form of 542redaction. Using the 543.Sy zfs redact 544command, a 545.Sy redaction bookmark 546can be created that stores a list of blocks containing sensitive information. When 547provided to 548.Sy zfs 549.Sy send , 550this causes a 551.Sy redacted send 552to occur. Redacted sends omit the blocks containing sensitive information, 553replacing them with REDACT records. When these send streams are received, a 554.Sy redacted dataset 555is created. A redacted dataset cannot be mounted by default, since it is 556incomplete. It can be used to receive other send streams. In this way datasets 557can be used for data backup and replication, with all the benefits that zfs send 558and receive have to offer, while protecting sensitive information from being 559stored on less-trusted machines or services. 560.Pp 561For the purposes of redaction, there are two steps to the process. A redact 562step, and a send/receive step. First, a redaction bookmark is created. This is 563done by providing the 564.Sy zfs redact 565command with a parent snapshot, a bookmark to be created, and a number of 566redaction snapshots. These redaction snapshots must be descendants of the 567parent snapshot, and they should modify data that is considered sensitive in 568some way. Any blocks of data modified by all of the redaction snapshots will 569be listed in the redaction bookmark, because it represents the truly sensitive 570information. When it comes to the send step, the send process will not send 571the blocks listed in the redaction bookmark, instead replacing them with 572REDACT records. When received on the target system, this will create a 573redacted dataset, missing the data that corresponds to the blocks in the 574redaction bookmark on the sending system. The incremental send streams from 575the original parent to the redaction snapshots can then also be received on 576the target system, and this will produce a complete snapshot that can be used 577normally. Incrementals from one snapshot on the parent filesystem and another 578can also be done by sending from the redaction bookmark, rather than the 579snapshots themselves. 580.Pp 581In order to make the purpose of the feature more clear, an example is 582provided. Consider a zfs filesystem containing four files. These files 583represent information for an online shopping service. One file contains a list 584of usernames and passwords, another contains purchase histories, a third 585contains click tracking data, and a fourth contains user preferences. The 586owner of this data wants to make it available for their development teams to 587test against, and their market research teams to do analysis on. The 588development teams need information about user preferences and the click 589tracking data, while the market research teams need information about purchase 590histories and user preferences. Neither needs access to the usernames and 591passwords. However, because all of this data is stored in one ZFS filesystem, 592it must all be sent and received together. In addition, the owner of the data 593wants to take advantage of features like compression, checksumming, and 594snapshots, so they do want to continue to use ZFS to store and transmit their 595data. Redaction can help them do so. First, they would make two clones of a 596snapshot of the data on the source. In one clone, they create the setup they 597want their market research team to see; they delete the usernames and 598passwords file, and overwrite the click tracking data with dummy 599information. In another, they create the setup they want the development teams 600to see, by replacing the passwords with fake information and replacing the 601purchase histories with randomly generated ones. They would then create a 602redaction bookmark on the parent snapshot, using snapshots on the two clones 603as redaction snapshots. The parent can then be sent, redacted, to the target 604server where the research and development teams have access. Finally, 605incremental sends from the parent snapshot to each of the clones can be send 606to and received on the target server; these snapshots are identical to the 607ones on the source, and are ready to be used, while the parent snapshot on the 608target contains none of the username and password data present on the source, 609because it was removed by the redacted send operation. 610.Sh SEE ALSO 611.Xr zfs-bookmark 8 , 612.Xr zfs-receive 8 , 613.Xr zfs-redact 8 , 614.Xr zfs-snapshot 8 615