1.\" 2.\" CDDL HEADER START 3.\" 4.\" The contents of this file are subject to the terms of the 5.\" Common Development and Distribution License (the "License"). 6.\" You may not use this file except in compliance with the License. 7.\" 8.\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9.\" or http://www.opensolaris.org/os/licensing. 10.\" See the License for the specific language governing permissions 11.\" and limitations under the License. 12.\" 13.\" When distributing Covered Code, include this CDDL HEADER in each 14.\" file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15.\" If applicable, add the following below this CDDL HEADER, with the 16.\" fields enclosed by brackets "[]" replaced with your own identifying 17.\" information: Portions Copyright [yyyy] [name of copyright owner] 18.\" 19.\" CDDL HEADER END 20.\" 21.\" Copyright (c) 2009 Sun Microsystems, Inc. All Rights Reserved. 22.\" Copyright 2011 Joshua M. Clulow <josh@sysmgr.org> 23.\" Copyright (c) 2011, 2019 by Delphix. All rights reserved. 24.\" Copyright (c) 2013 by Saso Kiselkov. All rights reserved. 25.\" Copyright (c) 2014, Joyent, Inc. All rights reserved. 26.\" Copyright (c) 2014 by Adam Stevko. All rights reserved. 27.\" Copyright (c) 2014 Integros [integros.com] 28.\" Copyright 2019 Richard Laager. All rights reserved. 29.\" Copyright 2018 Nexenta Systems, Inc. 30.\" Copyright 2019 Joyent, Inc. 31.\" 32.Dd April 15, 2021 33.Dt ZFS-SEND 8 34.Os 35. 36.Sh NAME 37.Nm zfs-send 38.Nd generate backup stream of ZFS dataset 39.Sh SYNOPSIS 40.Nm zfs 41.Cm send 42.Op Fl DLPRbcehnpsvw 43.Op Oo Fl I Ns | Ns Fl i Oc Ar snapshot 44.Ar snapshot 45.Nm zfs 46.Cm send 47.Op Fl DLPRcenpsvw 48.Op Fl i Ar snapshot Ns | Ns Ar bookmark 49.Ar filesystem Ns | Ns Ar volume Ns | Ns Ar snapshot 50.Nm zfs 51.Cm send 52.Fl -redact Ar redaction_bookmark 53.Op Fl DLPcenpv 54.Op Fl i Ar snapshot Ns | Ns Ar bookmark 55.Ar snapshot 56.Nm zfs 57.Cm send 58.Op Fl Penv 59.Fl t 60.Ar receive_resume_token 61.Nm zfs 62.Cm send 63.Op Fl Pnv 64.Fl S Ar filesystem 65.Nm zfs 66.Cm redact 67.Ar snapshot redaction_bookmark 68.Ar redaction_snapshot Ns … 69. 70.Sh DESCRIPTION 71.Bl -tag -width "" 72.It Xo 73.Nm zfs 74.Cm send 75.Op Fl DLPRbcehnpvw 76.Op Oo Fl I Ns | Ns Fl i Oc Ar snapshot 77.Ar snapshot 78.Xc 79Creates a stream representation of the second 80.Ar snapshot , 81which is written to standard output. 82The output can be redirected to a file or to a different system 83.Po for example, using 84.Xr ssh 1 85.Pc . 86By default, a full stream is generated. 87.Bl -tag -width "-D" 88.It Fl D , -dedup 89Deduplicated send is no longer supported. 90This flag is accepted for backwards compatibility, but a regular, 91non-deduplicated stream will be generated. 92.It Fl I Ar snapshot 93Generate a stream package that sends all intermediary snapshots from the first 94snapshot to the second snapshot. 95For example, 96.Fl I Em @a Em fs@d 97is similar to 98.Fl i Em @a Em fs@b Ns \&; Fl i Em @b Em fs@c Ns \&; Fl i Em @c Em fs@d . 99The incremental source may be specified as with the 100.Fl i 101option. 102.It Fl L , -large-block 103Generate a stream which may contain blocks larger than 128KB. 104This flag has no effect if the 105.Sy large_blocks 106pool feature is disabled, or if the 107.Sy recordsize 108property of this filesystem has never been set above 128KB. 109The receiving system must have the 110.Sy large_blocks 111pool feature enabled as well. 112See 113.Xr zpool-features 7 114for details on ZFS feature flags and the 115.Sy large_blocks 116feature. 117.It Fl P , -parsable 118Print machine-parsable verbose information about the stream package generated. 119.It Fl R , -replicate 120Generate a replication stream package, which will replicate the specified 121file system, and all descendent file systems, up to the named snapshot. 122When received, all properties, snapshots, descendent file systems, and clones 123are preserved. 124.Pp 125If the 126.Fl i 127or 128.Fl I 129flags are used in conjunction with the 130.Fl R 131flag, an incremental replication stream is generated. 132The current values of properties, and current snapshot and file system names are 133set when the stream is received. 134If the 135.Fl F 136flag is specified when this stream is received, snapshots and file systems that 137do not exist on the sending side are destroyed. 138If the 139.Fl R 140flag is used to send encrypted datasets, then 141.Fl w 142must also be specified. 143.It Fl e , -embed 144Generate a more compact stream by using 145.Sy WRITE_EMBEDDED 146records for blocks which are stored more compactly on disk by the 147.Sy embedded_data 148pool feature. 149This flag has no effect if the 150.Sy embedded_data 151feature is disabled. 152The receiving system must have the 153.Sy embedded_data 154feature enabled. 155If the 156.Sy lz4_compress 157feature is active on the sending system, then the receiving system must have 158that feature enabled as well. 159Datasets that are sent with this flag may not be 160received as an encrypted dataset, since encrypted datasets cannot use the 161.Sy embedded_data 162feature. 163See 164.Xr zpool-features 7 165for details on ZFS feature flags and the 166.Sy embedded_data 167feature. 168.It Fl b , -backup 169Sends only received property values whether or not they are overridden by local 170settings, but only if the dataset has ever been received. 171Use this option when you want 172.Nm zfs Cm receive 173to restore received properties backed up on the sent dataset and to avoid 174sending local settings that may have nothing to do with the source dataset, 175but only with how the data is backed up. 176.It Fl c , -compressed 177Generate a more compact stream by using compressed WRITE records for blocks 178which are compressed on disk and in memory 179.Po see the 180.Sy compression 181property for details 182.Pc . 183If the 184.Sy lz4_compress 185feature is active on the sending system, then the receiving system must have 186that feature enabled as well. 187If the 188.Sy large_blocks 189feature is enabled on the sending system but the 190.Fl L 191option is not supplied in conjunction with 192.Fl c , 193then the data will be decompressed before sending so it can be split into 194smaller block sizes. 195Streams sent with 196.Fl c 197will not have their data recompressed on the receiver side using 198.Fl o Sy compress Ns = Ar value . 199The data will stay compressed as it was from the sender. 200The new compression property will be set for future data. 201.It Fl w , -raw 202For encrypted datasets, send data exactly as it exists on disk. 203This allows backups to be taken even if encryption keys are not currently loaded. 204The backup may then be received on an untrusted machine since that machine will 205not have the encryption keys to read the protected data or alter it without 206being detected. 207Upon being received, the dataset will have the same encryption 208keys as it did on the send side, although the 209.Sy keylocation 210property will be defaulted to 211.Sy prompt 212if not otherwise provided. 213For unencrypted datasets, this flag will be equivalent to 214.Fl Lec . 215Note that if you do not use this flag for sending encrypted datasets, data will 216be sent unencrypted and may be re-encrypted with a different encryption key on 217the receiving system, which will disable the ability to do a raw send to that 218system for incrementals. 219.It Fl h , -holds 220Generate a stream package that includes any snapshot holds (created with the 221.Nm zfs Cm hold 222command), and indicating to 223.Nm zfs Cm receive 224that the holds be applied to the dataset on the receiving system. 225.It Fl i Ar snapshot 226Generate an incremental stream from the first 227.Ar snapshot 228.Pq the incremental source 229to the second 230.Ar snapshot 231.Pq the incremental target . 232The incremental source can be specified as the last component of the snapshot 233name 234.Po the 235.Sy @ 236character and following 237.Pc 238and it is assumed to be from the same file system as the incremental target. 239.Pp 240If the destination is a clone, the source may be the origin snapshot, which must 241be fully specified 242.Po for example, 243.Em pool/fs@origin , 244not just 245.Em @origin 246.Pc . 247.It Fl n , -dryrun 248Do a dry-run 249.Pq Qq No-op 250send. 251Do not generate any actual send data. 252This is useful in conjunction with the 253.Fl v 254or 255.Fl P 256flags to determine what data will be sent. 257In this case, the verbose output will be written to standard output 258.Po contrast with a non-dry-run, where the stream is written to standard output 259and the verbose output goes to standard error 260.Pc . 261.It Fl p , -props 262Include the dataset's properties in the stream. 263This flag is implicit when 264.Fl R 265is specified. 266The receiving system must also support this feature. 267Sends of encrypted datasets must use 268.Fl w 269when using this flag. 270.It Fl s , -skip-missing 271Allows sending a replication stream even when there are snapshots missing in the 272hierarchy. 273When a snapshot is missing, instead of throwing an error and aborting the send, 274a warning is printed to the standard error stream and the dataset to which it belongs 275and its descendents are skipped. 276This flag can only be used in conjunction with 277.Fl R . 278.It Fl v , -verbose 279Print verbose information about the stream package generated. 280This information includes a per-second report of how much data has been sent. 281.Pp 282The format of the stream is committed. 283You will be able to receive your streams on future versions of ZFS. 284.El 285.It Xo 286.Nm zfs 287.Cm send 288.Op Fl DLPRcenpvw 289.Op Fl i Ar snapshot Ns | Ns Ar bookmark 290.Ar filesystem Ns | Ns Ar volume Ns | Ns Ar snapshot 291.Xc 292Generate a send stream, which may be of a filesystem, and may be incremental 293from a bookmark. 294If the destination is a filesystem or volume, the pool must be read-only, or the 295filesystem must not be mounted. 296When the stream generated from a filesystem or volume is received, the default 297snapshot name will be 298.Qq --head-- . 299.Bl -tag -width "-L" 300.It Fl L , -large-block 301Generate a stream which may contain blocks larger than 128KB. 302This flag has no effect if the 303.Sy large_blocks 304pool feature is disabled, or if the 305.Sy recordsize 306property of this filesystem has never been set above 128KB. 307The receiving system must have the 308.Sy large_blocks 309pool feature enabled as well. 310See 311.Xr zpool-features 7 312for details on ZFS feature flags and the 313.Sy large_blocks 314feature. 315.It Fl P , -parsable 316Print machine-parsable verbose information about the stream package generated. 317.It Fl c , -compressed 318Generate a more compact stream by using compressed WRITE records for blocks 319which are compressed on disk and in memory 320.Po see the 321.Sy compression 322property for details 323.Pc . 324If the 325.Sy lz4_compress 326feature is active on the sending system, then the receiving system must have 327that feature enabled as well. 328If the 329.Sy large_blocks 330feature is enabled on the sending system but the 331.Fl L 332option is not supplied in conjunction with 333.Fl c , 334then the data will be decompressed before sending so it can be split into 335smaller block sizes. 336.It Fl w , -raw 337For encrypted datasets, send data exactly as it exists on disk. 338This allows backups to be taken even if encryption keys are not currently loaded. 339The backup may then be received on an untrusted machine since that machine will 340not have the encryption keys to read the protected data or alter it without 341being detected. 342Upon being received, the dataset will have the same encryption 343keys as it did on the send side, although the 344.Sy keylocation 345property will be defaulted to 346.Sy prompt 347if not otherwise provided. 348For unencrypted datasets, this flag will be equivalent to 349.Fl Lec . 350Note that if you do not use this flag for sending encrypted datasets, data will 351be sent unencrypted and may be re-encrypted with a different encryption key on 352the receiving system, which will disable the ability to do a raw send to that 353system for incrementals. 354.It Fl e , -embed 355Generate a more compact stream by using 356.Sy WRITE_EMBEDDED 357records for blocks which are stored more compactly on disk by the 358.Sy embedded_data 359pool feature. 360This flag has no effect if the 361.Sy embedded_data 362feature is disabled. 363The receiving system must have the 364.Sy embedded_data 365feature enabled. 366If the 367.Sy lz4_compress 368feature is active on the sending system, then the receiving system must have 369that feature enabled as well. 370Datasets that are sent with this flag may not be received as an encrypted dataset, 371since encrypted datasets cannot use the 372.Sy embedded_data 373feature. 374See 375.Xr zpool-features 7 376for details on ZFS feature flags and the 377.Sy embedded_data 378feature. 379.It Fl i Ar snapshot Ns | Ns Ar bookmark 380Generate an incremental send stream. 381The incremental source must be an earlier snapshot in the destination's history. 382It will commonly be an earlier snapshot in the destination's file system, in 383which case it can be specified as the last component of the name 384.Po the 385.Sy # 386or 387.Sy @ 388character and following 389.Pc . 390.Pp 391If the incremental target is a clone, the incremental source can be the origin 392snapshot, or an earlier snapshot in the origin's filesystem, or the origin's 393origin, etc. 394.It Fl n , -dryrun 395Do a dry-run 396.Pq Qq No-op 397send. 398Do not generate any actual send data. 399This is useful in conjunction with the 400.Fl v 401or 402.Fl P 403flags to determine what data will be sent. 404In this case, the verbose output will be written to standard output 405.Po contrast with a non-dry-run, where the stream is written to standard output 406and the verbose output goes to standard error 407.Pc . 408.It Fl v , -verbose 409Print verbose information about the stream package generated. 410This information includes a per-second report of how much data has been sent. 411.El 412.It Xo 413.Nm zfs 414.Cm send 415.Fl -redact Ar redaction_bookmark 416.Op Fl DLPcenpv 417.Op Fl i Ar snapshot Ns | Ns Ar bookmark 418.Ar snapshot 419.Xc 420Generate a redacted send stream. 421This send stream contains all blocks from the snapshot being sent that aren't 422included in the redaction list contained in the bookmark specified by the 423.Fl -redact 424(or 425.Fl d ) 426flag. 427The resulting send stream is said to be redacted with respect to the snapshots 428the bookmark specified by the 429.Fl -redact No flag was created with. 430The bookmark must have been created by running 431.Nm zfs Cm redact 432on the snapshot being sent. 433.Pp 434This feature can be used to allow clones of a filesystem to be made available on 435a remote system, in the case where their parent need not (or needs to not) be 436usable. 437For example, if a filesystem contains sensitive data, and it has clones where 438that sensitive data has been secured or replaced with dummy data, redacted sends 439can be used to replicate the secured data without replicating the original 440sensitive data, while still sharing all possible blocks. 441A snapshot that has been redacted with respect to a set of snapshots will 442contain all blocks referenced by at least one snapshot in the set, but will 443contain none of the blocks referenced by none of the snapshots in the set. 444In other words, if all snapshots in the set have modified a given block in the 445parent, that block will not be sent; but if one or more snapshots have not 446modified a block in the parent, they will still reference the parent's block, so 447that block will be sent. 448Note that only user data will be redacted. 449.Pp 450When the redacted send stream is received, we will generate a redacted 451snapshot. 452Due to the nature of redaction, a redacted dataset can only be used in the 453following ways: 454.Bl -enum -width "a." 455.It 456To receive, as a clone, an incremental send from the original snapshot to one 457of the snapshots it was redacted with respect to. 458In this case, the stream will produce a valid dataset when received because all 459blocks that were redacted in the parent are guaranteed to be present in the 460child's send stream. 461This use case will produce a normal snapshot, which can be used just like other 462snapshots. 463. 464.It 465To receive an incremental send from the original snapshot to something 466redacted with respect to a subset of the set of snapshots the initial snapshot 467was redacted with respect to. 468In this case, each block that was redacted in the original is still redacted 469(redacting with respect to additional snapshots causes less data to be redacted 470(because the snapshots define what is permitted, and everything else is 471redacted)). 472This use case will produce a new redacted snapshot. 473.It 474To receive an incremental send from a redaction bookmark of the original 475snapshot that was created when redacting with respect to a subset of the set of 476snapshots the initial snapshot was created with respect to 477anything else. 478A send stream from such a redaction bookmark will contain all of the blocks 479necessary to fill in any redacted data, should it be needed, because the sending 480system is aware of what blocks were originally redacted. 481This will either produce a normal snapshot or a redacted one, depending on 482whether the new send stream is redacted. 483.It 484To receive an incremental send from a redacted version of the initial 485snapshot that is redacted with respect to a subject of the set of snapshots the 486initial snapshot was created with respect to. 487A send stream from a compatible redacted dataset will contain all of the blocks 488necessary to fill in any redacted data. 489This will either produce a normal snapshot or a redacted one, depending on 490whether the new send stream is redacted. 491.It 492To receive a full send as a clone of the redacted snapshot. 493Since the stream is a full send, it definitionally contains all the data needed 494to create a new dataset. 495This use case will either produce a normal snapshot or a redacted one, depending 496on whether the full send stream was redacted. 497.El 498.Pp 499These restrictions are detected and enforced by 500.Nm zfs Cm receive ; 501a redacted send stream will contain the list of snapshots that the stream is 502redacted with respect to. 503These are stored with the redacted snapshot, and are used to detect and 504correctly handle the cases above. 505Note that for technical reasons, 506raw sends and redacted sends cannot be combined at this time. 507.It Xo 508.Nm zfs 509.Cm send 510.Op Fl Penv 511.Fl t 512.Ar receive_resume_token 513.Xc 514Creates a send stream which resumes an interrupted receive. 515The 516.Ar receive_resume_token 517is the value of this property on the filesystem or volume that was being 518received into. 519See the documentation for 520.Nm zfs Cm receive Fl s 521for more details. 522.It Xo 523.Nm zfs 524.Cm send 525.Op Fl Pnv 526.Op Fl i Ar snapshot Ns | Ns Ar bookmark 527.Fl S 528.Ar filesystem 529.Xc 530Generate a send stream from a dataset that has been partially received. 531.Bl -tag -width "-L" 532.It Fl S , -saved 533This flag requires that the specified filesystem previously received a resumable 534send that did not finish and was interrupted. 535In such scenarios this flag 536enables the user to send this partially received state. 537Using this flag will always use the last fully received snapshot 538as the incremental source if it exists. 539.El 540.It Xo 541.Nm zfs 542.Cm redact 543.Ar snapshot redaction_bookmark 544.Ar redaction_snapshot Ns … 545.Xc 546Generate a new redaction bookmark. 547In addition to the typical bookmark information, a redaction bookmark contains 548the list of redacted blocks and the list of redaction snapshots specified. 549The redacted blocks are blocks in the snapshot which are not referenced by any 550of the redaction snapshots. 551These blocks are found by iterating over the metadata in each redaction snapshot 552to determine what has been changed since the target snapshot. 553Redaction is designed to support redacted zfs sends; see the entry for 554.Nm zfs Cm send 555for more information on the purpose of this operation. 556If a redact operation fails partway through (due to an error or a system 557failure), the redaction can be resumed by rerunning the same command. 558.El 559.Ss Redaction 560ZFS has support for a limited version of data subsetting, in the form of 561redaction. 562Using the 563.Nm zfs Cm redact 564command, a 565.Sy redaction bookmark 566can be created that stores a list of blocks containing sensitive information. 567When provided to 568.Nm zfs Cm send , 569this causes a 570.Sy redacted send 571to occur. 572Redacted sends omit the blocks containing sensitive information, 573replacing them with REDACT records. 574When these send streams are received, a 575.Sy redacted dataset 576is created. 577A redacted dataset cannot be mounted by default, since it is incomplete. 578It can be used to receive other send streams. 579In this way datasets can be used for data backup and replication, 580with all the benefits that zfs send and receive have to offer, 581while protecting sensitive information from being 582stored on less-trusted machines or services. 583.Pp 584For the purposes of redaction, there are two steps to the process. 585A redact step, and a send/receive step. 586First, a redaction bookmark is created. 587This is done by providing the 588.Nm zfs Cm redact 589command with a parent snapshot, a bookmark to be created, and a number of 590redaction snapshots. 591These redaction snapshots must be descendants of the parent snapshot, 592and they should modify data that is considered sensitive in some way. 593Any blocks of data modified by all of the redaction snapshots will 594be listed in the redaction bookmark, because it represents the truly sensitive 595information. 596When it comes to the send step, the send process will not send 597the blocks listed in the redaction bookmark, instead replacing them with 598REDACT records. 599When received on the target system, this will create a 600redacted dataset, missing the data that corresponds to the blocks in the 601redaction bookmark on the sending system. 602The incremental send streams from 603the original parent to the redaction snapshots can then also be received on 604the target system, and this will produce a complete snapshot that can be used 605normally. 606Incrementals from one snapshot on the parent filesystem and another 607can also be done by sending from the redaction bookmark, rather than the 608snapshots themselves. 609.Pp 610In order to make the purpose of the feature more clear, an example is provided. 611Consider a zfs filesystem containing four files. 612These files represent information for an online shopping service. 613One file contains a list of usernames and passwords, another contains purchase histories, 614a third contains click tracking data, and a fourth contains user preferences. 615The owner of this data wants to make it available for their development teams to 616test against, and their market research teams to do analysis on. 617The development teams need information about user preferences and the click 618tracking data, while the market research teams need information about purchase 619histories and user preferences. 620Neither needs access to the usernames and passwords. 621However, because all of this data is stored in one ZFS filesystem, 622it must all be sent and received together. 623In addition, the owner of the data 624wants to take advantage of features like compression, checksumming, and 625snapshots, so they do want to continue to use ZFS to store and transmit their data. 626Redaction can help them do so. 627First, they would make two clones of a snapshot of the data on the source. 628In one clone, they create the setup they want their market research team to see; 629they delete the usernames and passwords file, 630and overwrite the click tracking data with dummy information. 631In another, they create the setup they want the development teams 632to see, by replacing the passwords with fake information and replacing the 633purchase histories with randomly generated ones. 634They would then create a redaction bookmark on the parent snapshot, 635using snapshots on the two clones as redaction snapshots. 636The parent can then be sent, redacted, to the target 637server where the research and development teams have access. 638Finally, incremental sends from the parent snapshot to each of the clones can be sent 639to and received on the target server; these snapshots are identical to the 640ones on the source, and are ready to be used, while the parent snapshot on the 641target contains none of the username and password data present on the source, 642because it was removed by the redacted send operation. 643. 644.Sh SEE ALSO 645.Xr zfs-bookmark 8 , 646.Xr zfs-receive 8 , 647.Xr zfs-redact 8 , 648.Xr zfs-snapshot 8 649