An introduction to system snapshot and rollback with Snapper and BtrFS on SLES 11 SP2


With the release of Service Pack 2 for SUSE Linux Enterprise Server 11, the support to a new (better) file system and a new (snappy) tool have been introduced providing the ability to do system snapshots rollbacks, a very powerful and interesting feature. These are BtrFS and Snapper respectively.


Btrfs is a new copy-on-write (COW) filesystem for Linux aimed at implementing advanced features while focusing on fault tolerance, repair and easy administration. Among the other things, BtrFS supports file system snapshots of subvolumes.

A subvolume in btrfs is not the same as an LVM logical volume as it is not a block device and thus cannot be treated as one. Rather, a btrfs subvolume can be thought of as a POSIX file namespace. This namespace can be accessed via the top-level subvolume of the filesystem, or it can be mounted in its own right. In other words, a subvolume can be seen just like a normal directory containing other files and other directories but with the possibility to be mounted like it was a filesystem on its own.

A snapshot is a copy of the state of a subvolume at a certain point of time, it is essentially a clone of a subvolume. In fact, snapshots and subvolumes are basically the same thing, they are separate “subvolume trees” within the “parent” file system, providing multiple root directories which can be mounted separately by label. By default there is at least one subvolume in every Btrfs filesystem, which is named “default”

There are many documents available on the internet about the topic. A good starting point to investigate it further is The Sysadmin’s Guide to Btrfs


Snapper is a tool for managing btrfs snapshots, it allows to create, delete and compare them as well as revert differences between them. In other words, it allows users to view older versions of files and revert changes.

Snapper is available as a command line interface tool and a YaST module.

By default Snapper and Btrfs on SUSE Linux Enterprise Server 11 Sp2 are set up to serve as an “undo tool” for system changes made with YaST and zypper. Before and after running a YaST module or zypper, a snapshot is created. Snapper lets you compare the two snapshots and provides means to revert the differences between the two snapshots. The tools also provide system backups by creating hourly snapshots of the system subvolumes.


In order to use BtrFS and Snapper as an “undo tool” for file system changes, the steps to take during the installation of the operating system are as simple as partitioning the hard disk with YaST and creating a partition for the boot mount point using an alternative file system, i.e. ext3 (currently it is not possible to boot from Btrfs partitions), and specifying the BtrFS for the root file system. Keep in mind that partitions containing snapshots need to be larger than “normal” ones. As a rule of thumb you should consider using twice the size than you normally would.

When selecting the file system Btrfs the button “subvolumes handling” is enabled to allow you to manage subvolumes. By default YaST automatically creates the following subvolumes when using BtrFS for the root file system:

  • /tmp
  • /opt
  • /srv
  • /var/crash
  • /var/spool
  • /var/log
  • /var/run
  • /var/tmp


These subvolumes are automatically created in order to exclude the specified path from snapshotting. For example, the directory /var/log is made a subvolume since reverting logs makes searching for problems difficult.

That’s all is needed. Once completed with the partitioning it is possible to proceed with the installation as usual, Snapper will automatically be installed when the BtrFS file system is used. When planing for partitioning remember that snapshots will be available only for those partitions using BtrFS. So for example, if you create a own partition for /home consider to use BtrFS to take advantage of its functionalities.

Snapper in action

Now the system is ready to be used, Snapper is pre-configured for doing rollbacks of YaST or zypper changes. This means that every time you start a YaST module or a zypper transaction, two snapshots are created: 1) a “pre-snapshot” capturing the state of the filesystem before the start of the module and 2) a “post-snapshot” after the module has been finished.

By default, the last 100 YaST and zypper snapshots are being kept. It is possible to change this behavior as well as other settings of Snapper in the configuration file for the specific volume located in /etc/snapper/configs.

As an example, let’s now try to modify a system setting using YaST and see how Snapper behaves.

  1. Let’s launch YaST and simply create a new user with some basic information. (yast2 users from command line)
  2. Once the user has been created close YaST and open it again, this time selecting the Snapper module, and see what it shows (yast2 snapper from command line).

    This is the list of the available root filesystem snapshots. To fully understand this table it is important to understand that essentially there are three types of snapshots:

    • Single – used for storing the file system state in a certain time.
    • Pre – used for storing the file system state *before* the changes are made with YaST or zypper
    • Post – used for storing the file system state *after* the changes are made with YaST or zypper

    In our picture, notice the snapshot with ID “1” marked with the description “timeline”. This is a snapshot of type “single” which help us to introduce another great feature about Snapper, the hourly snapshot. Apart from the YaST and zypper snapshots, Snapper by default creates hourly snapshots of the system partition (/). You can use these backup snapshots to restore files that have accidentally been deleted or modified beyond recovery. Even more interesting, using the Snapper’s diff feature you can also find out which modifications have been made at a certain point of time.

    Back to our example, notice the two snapshots with ID “2” and “3” being on the same line and marked with the description “yast users”. These are basically the Pre and Post snapshots which are coupled together to define the changes done by special operation, in our case the creation of the new user made via YaST.

  3. Let’s select the pair of Pre and Post snapshots from the list referring to the changes we have applied via YaST when creating the new user. In our example the pair with ID “2-3”. Click on “Show Changes” and following appears:

    The tree on the left shows all the files that were modified between creating the Pre and the Post snapshots. On the right side, it is shown the description generated when the first snapshot was created and the time of creation of both snapshots.

    When a file is selected in the tree, you see the changes done to it: for a file which is changed it is possible to display a “diff” of it, for a file which has been created or removed it is simply indicated with a message “New file was created” or “New file was removed” respectively.

  4. Now let’s select the file /etc/passwd from the tree and see the changes for it after having added the new user:
  5. Let’s then simulate a situation where the administrator of the server accidentally deletes the user just created and relative home directory from YaST (deleting the user from command line is not the same. Remember that by default snapshots are automatically taken when running YaST or zypper and on hourly basis)
  6. As before, let’s see what Snapper now shows:
  7. A new pair of Pre and Post snapshots is listed referring to the latest changes we have applied via YaST when deleting the user “Snappy”. Let’s now select it and see the new changes for the file /etc/passwd
  8. Now let’s finally taste the goodness of Snapper and BtrFS simulating the “undo” of the user delete. Let’s select the files to be restored, in this case all the files under /etc and /home, and click on “Restore Selected”. A dialog listing all the files appears.
  9. At this point click “Yes” to proceed with the restore of the user and.. that’s it, if we now take a look at the list of existing users (yast2 users from command line) we can see the user back where he was before:

The same operations (and even more) we have done so far with YaST are also available via command line, of course. The following are some examples:

Get a list of yast and zypper snapshots:

# snapper list -t pre-post

Get a list of changed files for a snapshot pair with ID 2 and 3:

# snapper status 2..3

To display the diff for a certain file:

# snapper diff 2..3 /etc/passwd

To restore all the changes:

# snapper -v undochange 2..3

To restore changes of one specific file:

# snapper -v undochange 2..3 /etc/passwd

…and many others..

Of course, this is intended to be only a simple example of the use of Snapper, however it is easy to think of many other scenarios where it can be used to get tremendous benefits not only in terms of fast system backup and restore but also as tool for tracking the activity on the system.

Many other examples and information about Snapper are available with the “SUSE Linux Enterprise Server 11 SP2 Administration Guide” available at the following link:

A very interesting and funny video about Snapshot and Rollback from the Kernel Hacker Greg Kroah-Hartman and SUSE Product Manager Matthias Eckermann is available at the following link:

(Visited 1 times, 1 visits today)


  • txrjohnson says:

    That is exactly what I have been looking for. I nice article on how all this works!

  • darrenjthompson says:

    @ jkalcic
    I agree with the poster above (txrjohnson) very helpful article…

    well done for sharing this information with us.

    One question though, do the snapshots accumulate forever or are the “pruned” after a certain time interval?

    If the are

  • Leave a Reply

    Your email address will not be published. Required fields are marked *