      Latest reply on Jun 5, 2019 8:29 PM by rtrouton
      rtrouton

        Protecting system software on macOS

        APFS volume replication

        External files for iOS and iPadOS



        APFS Refresher



        Default filesystem on iOS since 10.3 and on macOS since High Sierra





        Protecting system software on macOS



        Read-only System volume on macOS Catalina



        On macOS Mojave:



        One main APFS volume - used to store user data and system software



        Upgrading to Catalina:



        Change role of main volume to data volume

        Create a new empty volume which will be used to store system software

        Once system software is installed, new volume is marked as read-only

        Data volume is then used to store user data and third-party software

        UI shows both system volume and data volume as one unified volume



        Firmlink - Bi-directional wormhole in path traversal

        New filesystem object, similar to Unix symlink

        - Consistent forward and backward traversal of the filename space



        Firmlinks are used on the system volume to point to the user data on the data volume. So there will be a /Users firmlink on the system volume and so on.



        The volumes are split during the update, no opt-out

        System volume is read/write in the WWDC beta

        It will not be in future betas

        Read-only state of the system volume can be disabled via disabling SIP, but this change is not persistent and will revert to read-only after a reboot.



        Big change - Test your applications for breakage as a result of this change.



        ASR, volume replication and snapshots



        Volume replication



        - Copying one volume to another with high fidelity

        - All data, all metadata, all attributes, all everything.



        Who wants this?



        Enterprise/Education IT, setting up labs

        Backup utilities



        APFS presents challenges for replication



        Before APFS:



        Replication of partitions and volumes is 1 to 1 - a block copy of the entire partition works on HFS+



        With APFS:



        Volume management and space sharing means that partitions and volumes do not have a 1 to 1 relationship.

        Encryption is done at the filesystem level



        Block copies are not possible with APFS volumes



        APFS Volume Replication with ASR



        Encryption / decryption is part of the generation / restore of the replication

        If the destination is itself encrypted, the data is stored as encrypted on the destination.

        Volume is also defragmented as part of the replication stream.



        Restore options:



        Restoring to an existing target volume (erasing prior content)

        Restoring to a newly created target volume






        Point in time capture of volume state



        Restoring with snapshots



        Restore from snapshot to new volume

        Restore snapshot deltas - Replication to a new volume which has an earlier snapshot restored to it; a subsequent snapshot restore only replicates over the deltas between the earlier and later snapshots.



        New features in APFS need new replication methods

        APFS volume replication is best done with ASR

        ASR can restore snapshots and snapshot deltas
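
Added example, not part of rtrouton's notes: one way to act on "Test your applications for breakage" is to check which of an application's install paths fall on the read-only system volume rather than behind a firmlink to the data volume. The firmlink list below is a constructed subset, the package paths are hypothetical, and the function names are made up for this sketch.

```sh
#!/bin/sh
# Constructed subset of the Catalina firmlink table: paths that appear on the
# system volume but are stored on the data volume. Assumption (not from the
# notes above): on a real system the full list is in /usr/share/firmlinks.
FIRMLINKS='/Applications
/Library
/Users
/Volumes
/opt
/private
/usr/local'

# classify_path ABSOLUTE_PATH -> prints "data" or "system".
# Symlinks are not resolved, so pass resolved paths (e.g. /private/etc, not /etc).
classify_path() {
    target=$1
    while IFS= read -r link; do
        case "$target" in
            # Match the firmlink itself or anything beneath it, but not
            # sibling names that merely share the prefix (/Userspace).
            "$link"|"$link"/*) echo data; return 0 ;;
        esac
    done <<EOF
$FIRMLINKS
EOF
    echo system
}

# Reads one path per line on stdin and prints those on the read-only system volume.
system_volume_writes() {
    while IFS= read -r p; do
        if [ -n "$p" ] && [ "$(classify_path "$p")" = system ]; then
            printf '%s\n' "$p"
        fi
    done
    return 0
}

# Constructed example: install locations of a hypothetical third-party package.
system_volume_writes <<'EOF'
/Applications/Example.app
/Library/LaunchDaemons/com.example.helper.plist
/usr/local/bin/example
/usr/bin/example
/System/Library/Extensions/Example.kext
EOF
```

Any path this prints is one the installer or application can no longer write to once the system volume is read-only, so it needs to move to a location on the data volume.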