ZFS uses checksumming, replication, and self-healing data to minimize the chances of data corruption. Nonetheless, data corruption can occur if the pool isn't replicated, if corruption occurred while the pool was degraded, or an unlikely series of events conspired to corrupt multiple copies of a piece of data. Regardless of the source, the result is the same: The data is corrupted and therefore no longer accessible. The action taken depends on the type of data being corrupted, and its relative value. Two basic types of data can be corrupted:
Pool metadata – ZFS requires a certain amount of data to be parsed to open a pool and access datasets. If this data is corrupted, the entire pool or complete portions of the dataset hierarchy will become unavailable.
Object data – In this case, the corruption is within a specific file or directory. This problem might result in a portion of the file or directory being inaccessible, or this problem might cause the object to be broken altogether.
Data is verified during normal operation as well as through scrubbing. For more information about how to verify the integrity of pool data, see Checking ZFS Data Integrity.
By default, the zpool status command shows only that corruption has occurred, but not where this corruption occurred. For example:
# zpool status tank -v
pool: tank
state: ONLINE
status: One or more devices has experienced an error resulting in data
corruption. Applications may be affected.
action: Restore the file in question if possible. Otherwise restore the
entire pool from backup.
see: http://www.sun.com/msg/ZFS-8000-8A
scrub: none requested
config:
NAME STATE READ WRITE CKSUM
tank ONLINE 1 0 0
mirror ONLINE 1 0 0
c2t0d0 ONLINE 2 0 0
c1t1d0 ONLINE 2 0 0
errors: The following persistent errors have been detected:
DATASET OBJECT RANGE
tank 6 0-512
Each error indicates only that an error occurred at the given point in time. Each error is not necessarily still present on the system. Under normal circumstances, this situation is true. Certain temporary outages might result in data corruption that is automatically repaired once the outage ends. A complete scrub of the pool is guaranteed to examine every active block in the pool, so the error log is reset whenever a scrub finishes. If you determine that the errors are no longer present, and you don't want to wait for a scrub to complete, reset all errors in the pool by using the zpool online command.
If the data corruption is in pool-wide metadata, the output is slightly different. For example:
# zpool status -v morpheus
pool: morpheus
id: 1422736890544688191
state: FAULTED
status: The pool metadata is corrupted.
action: The pool cannot be imported due to damaged devices or data.
see: http://www.sun.com/msg/ZFS-8000-72
config:
morpheus FAULTED corrupted data
c1t10d0 ONLINE
In the case of pool-wide corruption, the pool is placed into the FAULTED state, because the pool cannot possibly provide the needed replication
level.
If a file or directory is corrupted, the system might still be able to function depending on the type of corruption. Any damage is effectively unrecoverable. No good copies of the data exist anywhere on the system. If the data is valuable, you have no choice but to restore the affected data from backup. Even so, you might be able to recover from this corruption without restoring the entire pool.
If the damage is within a file data block, then the file can safely be removed, thereby clearing the error from the system. The first step is to try removing the file with the rm command. If this command doesn't work, the corruption is within the file's metadata, and ZFS cannot determine which blocks belong to the file in order to remove the corruption.
If the corruption is within a directory or a file's metadata, the only choice is to move the file elsewhere. You can safely move any file or directory to a less convenient location, allowing the original object to be restored in place.
If the damage is in pool metadata that damage prevents the pool from
being opened, then you must restore the pool and all its data from backup.
The mechanism you use varies widely by the pool configuration and backup strategy.
First, save the configuration as displayed by zpool status so
that you can recreate it once the pool is destroyed. Then, use zpool
destroy
f to destroy the pool. Also, keep a file
describing the layout of the datasets and the various locally set properties
somewhere safe, as this information will become inaccessible if the pool is
ever rendered inaccessible. With the pool configuration and dataset layout,
you can reconstruct your complete configuration after destroying the pool.
The data can then be populated by using whatever backup or restoration strategy
you use.