1.\" 2.\" CDDL HEADER START 3.\" 4.\" The contents of this file are subject to the terms of the 5.\" Common Development and Distribution License (the "License"). 6.\" You may not use this file except in compliance with the License. 7.\" 8.\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9.\" or http://www.opensolaris.org/os/licensing. 10.\" See the License for the specific language governing permissions 11.\" and limitations under the License. 12.\" 13.\" When distributing Covered Code, include this CDDL HEADER in each 14.\" file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15.\" If applicable, add the following below this CDDL HEADER, with the 16.\" fields enclosed by brackets "[]" replaced with your own identifying 17.\" information: Portions Copyright [yyyy] [name of copyright owner] 18.\" 19.\" CDDL HEADER END 20.\" 21.\" 22.\" Copyright (c) 2009 Sun Microsystems, Inc. All Rights Reserved. 23.\" Copyright 2011 Joshua M. Clulow <josh@sysmgr.org> 24.\" Copyright (c) 2011, 2019 by Delphix. All rights reserved. 25.\" Copyright (c) 2013 by Saso Kiselkov. All rights reserved. 26.\" Copyright (c) 2014, Joyent, Inc. All rights reserved. 27.\" Copyright (c) 2014 by Adam Stevko. All rights reserved. 28.\" Copyright (c) 2014 Integros [integros.com] 29.\" Copyright 2019 Richard Laager. All rights reserved. 30.\" Copyright 2018 Nexenta Systems, Inc. 31.\" Copyright 2019 Joyent, Inc. 32.\" 33.Dd June 30, 2019 34.Dt ZFS-SEND 8 35.Os 36.Sh NAME 37.Nm zfs Ns Pf - Cm send 38.Nd Generate a send stream, which may be of a filesystem, and may be incremental from a bookmark. 39.Sh SYNOPSIS 40.Nm 41.Cm send 42.Op Fl DLPRbcehnpvw 43.Op Oo Fl I Ns | Ns Fl i Oc Ar snapshot 44.Ar snapshot 45.Nm 46.Cm send 47.Op Fl DLPRcenpvw 48.Op Fl i Ar snapshot Ns | Ns Ar bookmark 49.Ar filesystem Ns | Ns Ar volume Ns | Ns Ar snapshot 50.Nm 51.Cm send 52.Fl -redact Ar redaction_bookmark 53.Op Fl DLPcenpv 54.br 55.Op Fl i Ar snapshot Ns | Ns Ar bookmark 56.Ar snapshot 57.Nm 58.Cm send 59.Op Fl Penv 60.Fl t 61.Ar receive_resume_token 62.Nm 63.Cm send 64.Op Fl Pnv 65.Fl S Ar filesystem 66.Nm 67.Cm redact 68.Ar snapshot redaction_bookmark 69.Ar redaction_snapshot Ns ... 70.Sh DESCRIPTION 71.Bl -tag -width "" 72.It Xo 73.Nm 74.Cm send 75.Op Fl DLPRbcehnpvw 76.Op Oo Fl I Ns | Ns Fl i Oc Ar snapshot 77.Ar snapshot 78.Xc 79Creates a stream representation of the second 80.Ar snapshot , 81which is written to standard output. 82The output can be redirected to a file or to a different system 83.Po for example, using 84.Xr ssh 1 85.Pc . 86By default, a full stream is generated. 87.Bl -tag -width "-D" 88.It Fl D, -dedup 89Deduplicated send is no longer supported. 90This flag is accepted for backwards compatibility, but a regular, 91non-deduplicated stream will be generated. 92.It Fl I Ar snapshot 93Generate a stream package that sends all intermediary snapshots from the first 94snapshot to the second snapshot. 95For example, 96.Fl I Em @a Em fs@d 97is similar to 98.Fl i Em @a Em fs@b Ns \&; Fl i Em @b Em fs@c Ns \&; Fl i Em @c Em fs@d . 99The incremental source may be specified as with the 100.Fl i 101option. 102.It Fl L, -large-block 103Generate a stream which may contain blocks larger than 128KB. 104This flag has no effect if the 105.Sy large_blocks 106pool feature is disabled, or if the 107.Sy recordsize 108property of this filesystem has never been set above 128KB. 109The receiving system must have the 110.Sy large_blocks 111pool feature enabled as well. 112See 113.Xr zpool-features 5 114for details on ZFS feature flags and the 115.Sy large_blocks 116feature. 117.It Fl P, -parsable 118Print machine-parsable verbose information about the stream package generated. 119.It Fl R, -replicate 120Generate a replication stream package, which will replicate the specified 121file system, and all descendent file systems, up to the named snapshot. 122When received, all properties, snapshots, descendent file systems, and clones 123are preserved. 124.Pp 125If the 126.Fl i 127or 128.Fl I 129flags are used in conjunction with the 130.Fl R 131flag, an incremental replication stream is generated. 132The current values of properties, and current snapshot and file system names are 133set when the stream is received. 134If the 135.Fl F 136flag is specified when this stream is received, snapshots and file systems that 137do not exist on the sending side are destroyed. If the 138.Fl R 139flag is used to send encrypted datasets, then 140.Fl w 141must also be specified. 142.It Fl e, -embed 143Generate a more compact stream by using 144.Sy WRITE_EMBEDDED 145records for blocks which are stored more compactly on disk by the 146.Sy embedded_data 147pool feature. 148This flag has no effect if the 149.Sy embedded_data 150feature is disabled. 151The receiving system must have the 152.Sy embedded_data 153feature enabled. 154If the 155.Sy lz4_compress 156feature is active on the sending system, then the receiving system must have 157that feature enabled as well. Datasets that are sent with this flag may not be 158received as an encrypted dataset, since encrypted datasets cannot use the 159.Sy embedded_data 160feature. 161See 162.Xr zpool-features 5 163for details on ZFS feature flags and the 164.Sy embedded_data 165feature. 166.It Fl b, -backup 167Sends only received property values whether or not they are overridden by local 168settings, but only if the dataset has ever been received. Use this option when 169you want 170.Nm zfs Cm receive 171to restore received properties backed up on the sent dataset and to avoid 172sending local settings that may have nothing to do with the source dataset, 173but only with how the data is backed up. 174.It Fl c, -compressed 175Generate a more compact stream by using compressed WRITE records for blocks 176which are compressed on disk and in memory 177.Po see the 178.Sy compression 179property for details 180.Pc . 181If the 182.Sy lz4_compress 183feature is active on the sending system, then the receiving system must have 184that feature enabled as well. 185If the 186.Sy large_blocks 187feature is enabled on the sending system but the 188.Fl L 189option is not supplied in conjunction with 190.Fl c , 191then the data will be decompressed before sending so it can be split into 192smaller block sizes. 193.It Fl w, -raw 194For encrypted datasets, send data exactly as it exists on disk. This allows 195backups to be taken even if encryption keys are not currently loaded. The 196backup may then be received on an untrusted machine since that machine will 197not have the encryption keys to read the protected data or alter it without 198being detected. Upon being received, the dataset will have the same encryption 199keys as it did on the send side, although the 200.Sy keylocation 201property will be defaulted to 202.Sy prompt 203if not otherwise provided. For unencrypted datasets, this flag will be 204equivalent to 205.Fl Lec . 206Note that if you do not use this flag for sending encrypted datasets, data will 207be sent unencrypted and may be re-encrypted with a different encryption key on 208the receiving system, which will disable the ability to do a raw send to that 209system for incrementals. 210.It Fl h, -holds 211Generate a stream package that includes any snapshot holds (created with the 212.Sy zfs hold 213command), and indicating to 214.Sy zfs receive 215that the holds be applied to the dataset on the receiving system. 216.It Fl i Ar snapshot 217Generate an incremental stream from the first 218.Ar snapshot 219.Pq the incremental source 220to the second 221.Ar snapshot 222.Pq the incremental target . 223The incremental source can be specified as the last component of the snapshot 224name 225.Po the 226.Sy @ 227character and following 228.Pc 229and it is assumed to be from the same file system as the incremental target. 230.Pp 231If the destination is a clone, the source may be the origin snapshot, which must 232be fully specified 233.Po for example, 234.Em pool/fs@origin , 235not just 236.Em @origin 237.Pc . 238.It Fl n, -dryrun 239Do a dry-run 240.Pq Qq No-op 241send. 242Do not generate any actual send data. 243This is useful in conjunction with the 244.Fl v 245or 246.Fl P 247flags to determine what data will be sent. 248In this case, the verbose output will be written to standard output 249.Po contrast with a non-dry-run, where the stream is written to standard output 250and the verbose output goes to standard error 251.Pc . 252.It Fl p, -props 253Include the dataset's properties in the stream. 254This flag is implicit when 255.Fl R 256is specified. 257The receiving system must also support this feature. Sends of encrypted datasets 258must use 259.Fl w 260when using this flag. 261.It Fl v, -verbose 262Print verbose information about the stream package generated. 263This information includes a per-second report of how much data has been sent. 264.Pp 265The format of the stream is committed. 266You will be able to receive your streams on future versions of ZFS. 267.El 268.It Xo 269.Nm 270.Cm send 271.Op Fl DLPRcenpvw 272.Op Fl i Ar snapshot Ns | Ns Ar bookmark 273.Ar filesystem Ns | Ns Ar volume Ns | Ns Ar snapshot 274.Xc 275Generate a send stream, which may be of a filesystem, and may be incremental 276from a bookmark. 277If the destination is a filesystem or volume, the pool must be read-only, or the 278filesystem must not be mounted. 279When the stream generated from a filesystem or volume is received, the default 280snapshot name will be 281.Qq --head-- . 282.Bl -tag -width "-L" 283.It Fl L, -large-block 284Generate a stream which may contain blocks larger than 128KB. 285This flag has no effect if the 286.Sy large_blocks 287pool feature is disabled, or if the 288.Sy recordsize 289property of this filesystem has never been set above 128KB. 290The receiving system must have the 291.Sy large_blocks 292pool feature enabled as well. 293See 294.Xr zpool-features 5 295for details on ZFS feature flags and the 296.Sy large_blocks 297feature. 298.It Fl P, -parsable 299Print machine-parsable verbose information about the stream package generated. 300.It Fl c, -compressed 301Generate a more compact stream by using compressed WRITE records for blocks 302which are compressed on disk and in memory 303.Po see the 304.Sy compression 305property for details 306.Pc . 307If the 308.Sy lz4_compress 309feature is active on the sending system, then the receiving system must have 310that feature enabled as well. 311If the 312.Sy large_blocks 313feature is enabled on the sending system but the 314.Fl L 315option is not supplied in conjunction with 316.Fl c , 317then the data will be decompressed before sending so it can be split into 318smaller block sizes. 319.It Fl w, -raw 320For encrypted datasets, send data exactly as it exists on disk. This allows 321backups to be taken even if encryption keys are not currently loaded. The 322backup may then be received on an untrusted machine since that machine will 323not have the encryption keys to read the protected data or alter it without 324being detected. Upon being received, the dataset will have the same encryption 325keys as it did on the send side, although the 326.Sy keylocation 327property will be defaulted to 328.Sy prompt 329if not otherwise provided. For unencrypted datasets, this flag will be 330equivalent to 331.Fl Lec . 332Note that if you do not use this flag for sending encrypted datasets, data will 333be sent unencrypted and may be re-encrypted with a different encryption key on 334the receiving system, which will disable the ability to do a raw send to that 335system for incrementals. 336.It Fl e, -embed 337Generate a more compact stream by using 338.Sy WRITE_EMBEDDED 339records for blocks which are stored more compactly on disk by the 340.Sy embedded_data 341pool feature. 342This flag has no effect if the 343.Sy embedded_data 344feature is disabled. 345The receiving system must have the 346.Sy embedded_data 347feature enabled. 348If the 349.Sy lz4_compress 350feature is active on the sending system, then the receiving system must have 351that feature enabled as well. Datasets that are sent with this flag may not be 352received as an encrypted dataset, since encrypted datasets cannot use the 353.Sy embedded_data 354feature. 355See 356.Xr zpool-features 5 357for details on ZFS feature flags and the 358.Sy embedded_data 359feature. 360.It Fl i Ar snapshot Ns | Ns Ar bookmark 361Generate an incremental send stream. 362The incremental source must be an earlier snapshot in the destination's history. 363It will commonly be an earlier snapshot in the destination's file system, in 364which case it can be specified as the last component of the name 365.Po the 366.Sy # 367or 368.Sy @ 369character and following 370.Pc . 371.Pp 372If the incremental target is a clone, the incremental source can be the origin 373snapshot, or an earlier snapshot in the origin's filesystem, or the origin's 374origin, etc. 375.It Fl n, -dryrun 376Do a dry-run 377.Pq Qq No-op 378send. 379Do not generate any actual send data. 380This is useful in conjunction with the 381.Fl v 382or 383.Fl P 384flags to determine what data will be sent. 385In this case, the verbose output will be written to standard output 386.Po contrast with a non-dry-run, where the stream is written to standard output 387and the verbose output goes to standard error 388.Pc . 389.It Fl v, -verbose 390Print verbose information about the stream package generated. 391This information includes a per-second report of how much data has been sent. 392.El 393.It Xo 394.Nm 395.Cm send 396.Fl -redact Ar redaction_bookmark 397.Op Fl DLPcenpv 398.br 399.Op Fl i Ar snapshot Ns | Ns Ar bookmark 400.Ar snapshot 401.Xc 402Generate a redacted send stream. 403This send stream contains all blocks from the snapshot being sent that aren't 404included in the redaction list contained in the bookmark specified by the 405.Fl -redact 406(or 407.Fl -d 408) flag. 409The resulting send stream is said to be redacted with respect to the snapshots 410the bookmark specified by the 411.Fl -redact No flag was created with. 412The bookmark must have been created by running 413.Sy zfs redact 414on the snapshot being sent. 415.sp 416This feature can be used to allow clones of a filesystem to be made available on 417a remote system, in the case where their parent need not (or needs to not) be 418usable. 419For example, if a filesystem contains sensitive data, and it has clones where 420that sensitive data has been secured or replaced with dummy data, redacted sends 421can be used to replicate the secured data without replicating the original 422sensitive data, while still sharing all possible blocks. 423A snapshot that has been redacted with respect to a set of snapshots will 424contain all blocks referenced by at least one snapshot in the set, but will 425contain none of the blocks referenced by none of the snapshots in the set. 426In other words, if all snapshots in the set have modified a given block in the 427parent, that block will not be sent; but if one or more snapshots have not 428modified a block in the parent, they will still reference the parent's block, so 429that block will be sent. 430Note that only user data will be redacted. 431.sp 432When the redacted send stream is received, we will generate a redacted 433snapshot. 434Due to the nature of redaction, a redacted dataset can only be used in the 435following ways: 436.sp 4371. To receive, as a clone, an incremental send from the original snapshot to one 438of the snapshots it was redacted with respect to. 439In this case, the stream will produce a valid dataset when received because all 440blocks that were redacted in the parent are guaranteed to be present in the 441child's send stream. 442This use case will produce a normal snapshot, which can be used just like other 443snapshots. 444.sp 4452. To receive an incremental send from the original snapshot to something 446redacted with respect to a subset of the set of snapshots the initial snapshot 447was redacted with respect to. 448In this case, each block that was redacted in the original is still redacted 449(redacting with respect to additional snapshots causes less data to be redacted 450(because the snapshots define what is permitted, and everything else is 451redacted)). 452This use case will produce a new redacted snapshot. 453.sp 4543. To receive an incremental send from a redaction bookmark of the original 455snapshot that was created when redacting with respect to a subset of the set of 456snapshots the initial snapshot was created with respect to 457anything else. 458A send stream from such a redaction bookmark will contain all of the blocks 459necessary to fill in any redacted data, should it be needed, because the sending 460system is aware of what blocks were originally redacted. 461This will either produce a normal snapshot or a redacted one, depending on 462whether the new send stream is redacted. 463.sp 4644. To receive an incremental send from a redacted version of the initial 465snapshot that is redacted with respect to a subject of the set of snapshots the 466initial snapshot was created with respect to. 467A send stream from a compatible redacted dataset will contain all of the blocks 468necessary to fill in any redacted data. 469This will either produce a normal snapshot or a redacted one, depending on 470whether the new send stream is redacted. 471.sp 4725. To receive a full send as a clone of the redacted snapshot. 473Since the stream is a full send, it definitionally contains all the data needed 474to create a new dataset. 475This use case will either produce a normal snapshot or a redacted one, depending 476on whether the full send stream was redacted. 477.sp 478These restrictions are detected and enforced by \fBzfs receive\fR; a 479redacted send stream will contain the list of snapshots that the stream is 480redacted with respect to. 481These are stored with the redacted snapshot, and are used to detect and 482correctly handle the cases above. Note that for technical reasons, raw sends 483and redacted sends cannot be combined at this time. 484.It Xo 485.Nm 486.Cm send 487.Op Fl Penv 488.Fl t 489.Ar receive_resume_token 490.Xc 491Creates a send stream which resumes an interrupted receive. 492The 493.Ar receive_resume_token 494is the value of this property on the filesystem or volume that was being 495received into. 496See the documentation for 497.Sy zfs receive -s 498for more details. 499.It Xo 500.Nm 501.Cm send 502.Op Fl Pnv 503.Op Fl i Ar snapshot Ns | Ns Ar bookmark 504.Fl S 505.Ar filesystem 506.Xc 507Generate a send stream from a dataset that has been partially received. 508.Bl -tag -width "-L" 509.It Fl S, -saved 510This flag requires that the specified filesystem previously received a resumable 511send that did not finish and was interrupted. In such scenarios this flag 512enables the user to send this partially received state. Using this flag will 513always use the last fully received snapshot as the incremental source if it 514exists. 515.El 516.It Xo 517.Nm 518.Cm redact 519.Ar snapshot redaction_bookmark 520.Ar redaction_snapshot Ns ... 521.Xc 522Generate a new redaction bookmark. 523In addition to the typical bookmark information, a redaction bookmark contains 524the list of redacted blocks and the list of redaction snapshots specified. 525The redacted blocks are blocks in the snapshot which are not referenced by any 526of the redaction snapshots. 527These blocks are found by iterating over the metadata in each redaction snapshot 528to determine what has been changed since the target snapshot. 529Redaction is designed to support redacted zfs sends; see the entry for 530.Sy zfs send 531for more information on the purpose of this operation. 532If a redact operation fails partway through (due to an error or a system 533failure), the redaction can be resumed by rerunning the same command. 534.El 535.Ss Redaction 536ZFS has support for a limited version of data subsetting, in the form of 537redaction. Using the 538.Sy zfs redact 539command, a 540.Sy redaction bookmark 541can be created that stores a list of blocks containing sensitive information. When 542provided to 543.Sy zfs 544.Sy send , 545this causes a 546.Sy redacted send 547to occur. Redacted sends omit the blocks containing sensitive information, 548replacing them with REDACT records. When these send streams are received, a 549.Sy redacted dataset 550is created. A redacted dataset cannot be mounted by default, since it is 551incomplete. It can be used to receive other send streams. In this way datasets 552can be used for data backup and replication, with all the benefits that zfs send 553and receive have to offer, while protecting sensitive information from being 554stored on less-trusted machines or services. 555.Pp 556For the purposes of redaction, there are two steps to the process. A redact 557step, and a send/receive step. First, a redaction bookmark is created. This is 558done by providing the 559.Sy zfs redact 560command with a parent snapshot, a bookmark to be created, and a number of 561redaction snapshots. These redaction snapshots must be descendants of the 562parent snapshot, and they should modify data that is considered sensitive in 563some way. Any blocks of data modified by all of the redaction snapshots will 564be listed in the redaction bookmark, because it represents the truly sensitive 565information. When it comes to the send step, the send process will not send 566the blocks listed in the redaction bookmark, instead replacing them with 567REDACT records. When received on the target system, this will create a 568redacted dataset, missing the data that corresponds to the blocks in the 569redaction bookmark on the sending system. The incremental send streams from 570the original parent to the redaction snapshots can then also be received on 571the target system, and this will produce a complete snapshot that can be used 572normally. Incrementals from one snapshot on the parent filesystem and another 573can also be done by sending from the redaction bookmark, rather than the 574snapshots themselves. 575.Pp 576In order to make the purpose of the feature more clear, an example is 577provided. Consider a zfs filesystem containing four files. These files 578represent information for an online shopping service. One file contains a list 579of usernames and passwords, another contains purchase histories, a third 580contains click tracking data, and a fourth contains user preferences. The 581owner of this data wants to make it available for their development teams to 582test against, and their market research teams to do analysis on. The 583development teams need information about user preferences and the click 584tracking data, while the market research teams need information about purchase 585histories and user preferences. Neither needs access to the usernames and 586passwords. However, because all of this data is stored in one ZFS filesystem, 587it must all be sent and received together. In addition, the owner of the data 588wants to take advantage of features like compression, checksumming, and 589snapshots, so they do want to continue to use ZFS to store and transmit their 590data. Redaction can help them do so. First, they would make two clones of a 591snapshot of the data on the source. In one clone, they create the setup they 592want their market research team to see; they delete the usernames and 593passwords file, and overwrite the click tracking data with dummy 594information. In another, they create the setup they want the development teams 595to see, by replacing the passwords with fake information and replacing the 596purchase histories with randomly generated ones. They would then create a 597redaction bookmark on the parent snapshot, using snapshots on the two clones 598as redaction snapshots. The parent can then be sent, redacted, to the target 599server where the research and development teams have access. Finally, 600incremental sends from the parent snapshot to each of the clones can be send 601to and received on the target server; these snapshots are identical to the 602ones on the source, and are ready to be used, while the parent snapshot on the 603target contains none of the username and password data present on the source, 604because it was removed by the redacted send operation. 605.Sh SEE ALSO 606.Xr zfs-bookmark 8 , 607.Xr zfs-receive 8 , 608.Xr zfs-redact 8 , 609.Xr zfs-snapshot 8 610