On September 5, 2014 7:02:12 AM EDT, Brian Foster <bfoster@xxxxxxxxxx> wrote:
>On Fri, Sep 05, 2014 at 11:24:04AM +1000, Dave Chinner wrote:
>> On Thu, Sep 04, 2014 at 08:04:51PM -0500, Eric Sandeen wrote:
>> > On 9/4/14, 7:45 PM, Dave Chinner wrote:
>> > >On Thu, Sep 04, 2014 at 12:38:28PM -0400, Brian Foster wrote:
>> > >>xfsdump encodes and stores the full atime and mtime for each file
>> > >>nanosecond resolution. xfsrestore uses utime() to set the times
>> > >>file that is restored. The latter supports resolution of 1
>> > >>sub-second timestamp data is lost on restore.
>> > >
>> > >That doesn't seem like a big deal. What sort of problems does this
>> > >actually cause?
>> > >
>> > >FYI, many linux filesystems only have second resolution timestamps
>> > >and hence applications can't rely on sub-second timestamp
>> > >to actually mean anything useful....
>> > But why not restore the same resolution as is actually stored in
>> > Throwing it away seems odd, and restoring it looks easy enough.
>> Comes from a time when we couldn't restore what was in the dump. :/
>> > In any case, there was a user who noticed & complained. Seems like
>> > very reasonable thing to fix, to me.
>> Sure, but we don't make changes with the justification "just
>> because". xfsrestore has had this behaviour since dump/restore was
>> first introduced, so first we need to understand what the actual
>> problem is. Was the user complaining because they noticed they were
>> "different" in passing, or was it noticed because the difference is
>> the root cause of some other problem?
>No problems that I'm aware of. As Eric mentioned, it was noticed during
>an evaluation of possible data transfer mechanisms for a glusterfs
>setup. The user had to evaluate whether it would lead to any issues (a
>geo-replication tracking thing I suspect) for a customer, but I hadn't
>heard anything that suggested it was. The utime() call appears to be
>obsolete as well, for whatever that's worth.
During forensic exams, detailed examination of timestamps can be useful. For
instance I saw a report recently that timestamps with only milliseconds
precision (xxx.yyy00000) are an indication that malware has overridden the
It seems that the Windows api in particular has a time set mechanism that
supports millisecond precision only. Thus xfs backing a samba share would I
assume share that same forensic detail.
The average breach is not detected until months after the initial penetration,
so a xfsrestore between the activity of interest and the time of the
investigation is very much a possibility.
I don't know if you care about that use case.
Sent from my Android phone with K-9 Mail. Please excuse my brevity.