Selftest

Checks backup data to ensure that it is consistent.

This does not compare backup data to its original source in the filesystem, but instead does an integrity check of the backup data. For example, selftest can be used after a backup directory is copied to another file system or recovered from an offsite server to ensure that the transfer was successful and all backup data is intact. Selftest is commonly used after each backup with -v2 (check database only) or with -v4 and --inc to incrementally download and check backup data over a long period of time.

Several levels of progressively intense testing can be performed with -v:

-v0 check that the main database is readable
-v1 check low-level database integrity (B-tree structure, etc.)
-v2 check HB data structures within the database (default level)
-v3 check local archive files
-v4 check local + remote archive files
-v5 verify user file hashes by simulating a restore of each file

If cache-size-limit is set, some archive files may not be stored locally and -v2 is a useful selftest level. It will test the database without downloading any files.

Recommended -v Levels

Partial Checking

-r rev checks a specific backup version

arc name …​ checks specific arc files like arc.0.0 with -v2 to -v4

pathname …​ checks specific files and directories with either -v2 or -v5

block id …​ looks up a block id and tests the arc file containing that block

--inc incspec incremental checking that may span a long time period

--sample n tests n random samples from arc files with -v3 or -v4

Incremental checking, for example, --inc 1d/30d, means that selftest is run every day (the 1d part), perhaps via a cron job, and the entire backup should be checked over a 30-day period (the 30d part). Each day, 1/30th of the backup is checked. The -v3, -v4, and -v5 options control the check level, and each level has its own incremental check schedule. For huge backups, it may be necessary to spread checking out over a quarter or even longer. The schedule can be changed at any time by changing the time specification.

You may also specify a download limit with -v4 incremental checking. For example, --inc 1d/30d,500MB means to limit the check to 500MB of downloaded backup data. Many storage services have free allowances for downloads but charge for going over the limit. Adding a download limit ensures that incremental selftest doesn’t go over the free allowance. The download limit is always honored, even if it causes a complete cycle to take longer than specified.

The --sample n option will download and test n random samples from each arc file instead of downloading and testing the entire arc file. This can be used with -v3 or -v4. It is useful with large backups that would take too long or be too costly to download completely. This is a better test than the dest verify command because some data is actually downloaded and verified with a strong hash to make sure it is available. Sampling only works on destinations that support selective downloads. If the --sample option is used on a backup that has destinations that don’t support selective downloads, like rsync, those destinations are not sampled. A reasonable sample size is 1-5, though any sample size is supported. If the sample size is 2 or more, the last block is always sampled to catch truncation errors. The --sample option cannot be used with --fix. If a problem is detected in an arc file with --sample, run selftest again with --fix and the include the bad arc file name on the command line. This will do a full selftest and correction of the file listed.

Debug and Corrections

The --debug option will display the logid and pathname for each file as it is verified. The logid is an internal identification for a unique file and version number. This option is not normally used but may be requested for technical problems.

The --fix option can correct some errors that selftest detects, but not all. Errors will not normally occur, but there have been times where a bug or other problem has caused a selftest error; using this option may fix it. Corrections occur with -v2 or higher.

Errors

The selftest command is designed to give a high level of confidence that the backup data is correct. If selftest errors occur, it could be because of a software defect, an unanticipated usage of the software, or in unusual cases, a hardware problem. Problems with software are usually easy to correct in a new software release. Problems with hardware are another matter. Because HashBackup runs nearly all of its data through secure checksums, it can often verify data correctness, whereas most programs do not. For example, if you copy a file with the Unix cp command, the source file is read into memory then written to a new file. If a memory parity error occurs during the copy and a bit is flipped, the new copy will not be identical, but there is no checking to detect this error and no error will occur unless you have error-correcting (ECC) memory.

HashBackup has been used since 2010 to backup a Mac Mini Server used for development. There are several VMs running on this machine for testing, as well as 7 copies of a Prime minicomputer emulator. In 2012, a selftest showed these errors:

After a lot of head scratching and debugging, the culprit was found: marginally bad RAM. A bit had been flipped in memory (the same bit), two different times, causing these 3 errors. It seemed incredibly unlikely since this machine had been running fine for years, yet everything pointed to this as the cause.

A little research turned up a Google paper on the subject of memory errors: DRAM Errors in the Wild: A Large-Scale Field Study. This paper describes data analysis of memory errors in Google’s server farm, and in the conclusions, states:

On server-class hardware using ECC (error correcting) memory, a parity error, especially correctible, is not so bad. On typical business-class hardware, which often does not even support ECC, a memory error means a bit getting flipped. If you are lucky, the machine will crash. In this case, it corrupted a backup. Because of redundancy in HashBackup, it was possible to determine the bit that was flipped, correct it, and selftest was fine again. Even if it wasn’t possible to find the error, it was isolated to one block of one file, so removing that file would have been an alternate solution. The RAM was replaced and no errors like this have occurred again.

After reading this paper, it seems that hard drive "silent corruption" or "bit rot" problems, where bad data is returned without I/O errors, are more likely RAM errors. There are ECC codes on every hard drive sector, so it seems unlikely that bits could get changed without triggering an I/O error. This example shows that if the bit is flipped in RAM, before it ever reaches the hard drive (write), or after it is read from a hard drive, the end result appears to be "silent disk corruption", though the real culprit is bad RAM.

Another research paper from the University of Wisconsin (link downloads a PDF) details disk and memory fault injection with ZFS, a filesystem that is designed to handle failure. The conclusion is that ZFS handles disk faults well, but like most software, does not work well in the presence of memory faults.

Verifying Backups With Selftest and Mount

There are several ways to verify your backup and each has trade-offs. Here are three common ways:

1. selftest -v4

2. selftest -v5

3. mount + diff or rsync -a: