mirror of https://github.com/Zygo/bees.git synced 2025-05-17 13:25:45 +02:00
Zygo Blaxell de38b46dd8 scripts/beesd: harden the mount options
 * `nodev`: This reduces rename attack surface by preventing bees from
 opening any device file on the target filesystem.

 * `noexec`: This prevents access to the mount point from being leveraged
 to execute setuid binaries, or execute anything at all through the
 mount point.

These options are not required because they duplicate features in the
bees binary (assuming that the mount namespace remains private):

 * `noatime`: bees always opens every file with `O_NOATIME`, making
 this option redundant.

 * `nosymfollow`: bees uses `openat2` on kernels 5.6 and later with
 flags that prevent symlink attacks.  `nosymfollow` was introduced in
 kernel 5.10, so every kernel that can do `nosymfollow` can already do
 `openat2`.  Also, historically, `$BEESHOME` can be a relative path with
 symlinks in any path component except the last one, and `nosymfollow`
 doesn't allow that.

Between `openat2` and `nodev`, all symlink attacks are prevented, and
rename attacks cannot be used to force bees to open a device file.

Signed-off-by: Zygo Blaxell <bees@furryterror.org>
2025-01-20 01:00:41 -05:00
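
A check for the two mount options this commit adds, written as an added example (not code from bees or `scripts/beesd`): it parses text in `/proc/self/mountinfo` format and reports which of `nodev` and `noexec` are missing from a mount point. The function name `missing_mount_opts`, the sample lines and the paths in them are constructed for illustration.

```sh
#!/bin/sh
# Added example, not part of bees or scripts/beesd.
# Reports which hardening options (default: nodev,noexec) are missing
# from a mount point's per-mount options (field 6 of mountinfo).

# Constructed sample in /proc/self/mountinfo format. The paths and the
# UUID placeholder are assumptions, not values taken from beesd.
SAMPLE_MOUNTINFO='101 29 0:45 / /mnt/data rw,relatime shared:50 - btrfs /dev/sdb1 rw,space_cache=v2,subvolid=5
102 29 0:45 / /run/example/mnt/UUID-PLACEHOLDER rw,nodev,noexec,relatime - btrfs /dev/sdb1 rw,space_cache=v2,subvolid=5
103 29 0:45 / /run/example/mnt/half rw,nodev,relatime - btrfs /dev/sdb1 rw,space_cache=v2,subvolid=5'

# missing_mount_opts MOUNTPOINT [REQUIRED_CSV]
# Reads mountinfo text on stdin and prints the missing options, comma
# separated (empty line if none are missing).
# Exit status: 0 = all present, 1 = some missing, 2 = mount point not found.
missing_mount_opts() {
    awk -v mp="$1" -v req="${2:-nodev,noexec}" '
        $5 == mp { found = 1; opts = $6 }   # stacked mounts: last line listed is used
        END {
            if (!found) exit 2
            n = split(opts, have, ",")
            for (i = 1; i <= n; i++) present[have[i]] = 1
            m = split(req, want, ",")
            out = ""
            for (i = 1; i <= m; i++)
                if (!(want[i] in present))
                    out = out (out == "" ? "" : ",") want[i]
            print out
            exit (out == "" ? 0 : 1)
        }'
}

# Demo on the constructed sample; on a live host, feed /proc/self/mountinfo
# (read from inside the mount namespace being checked) instead.
for mp in /mnt/data /run/example/mnt/UUID-PLACEHOLDER /run/example/mnt/half; do
    if miss=$(printf '%s\n' "$SAMPLE_MOUNTINFO" | missing_mount_opts "$mp"); then
        echo "OK    $mp"
    else
        echo "WEAK  $mp missing: $miss"
    fi
done
```

The check reads the per-mount flags, so the same filesystem can pass at one mount point and fail at another, as the first two sample lines show.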

BEES

Best-Effort Extent-Same, a btrfs deduplication agent.

About bees

bees is a block-oriented userspace deduplication agent designed to scale up to large btrfs filesystems. It is an offline dedupe combined with an incremental data scan capability to minimize time data spends on disk from write to dedupe.

Strengths

  • Space-efficient hash table - can use as little as 1 GB hash table per 10 TB unique data (0.1GB/TB)
  • Daemon mode - incrementally dedupes new data as it appears
  • Largest extents first - recover more free space during fixed maintenance windows
  • Works with btrfs compression - dedupe any combination of compressed and uncompressed files
  • Whole-filesystem dedupe - scans data only once, even with snapshots and reflinks
  • Persistent hash table for rapid restart after shutdown
  • Constant hash table size - no increased RAM usage if data set becomes larger
  • Works on live data - no scheduled downtime required
  • Automatic self-throttling - reduces system load
  • btrfs support - recovers more free space from btrfs than naive dedupers

Weaknesses

Installation and Usage

More Information

Bug Reports and Contributions

Email bug reports and patches to Zygo Blaxell <bees@furryterror.org>.

You can also use GitHub:

    https://github.com/Zygo/bees

Copyright 2015-2025 Zygo Blaxell <bees@furryterror.org>.

GPL (version 3 or later).
