DSM 7.2 Immutable Snapshots - do they work for existing replication series?

DS1517+, DS1515+, RS815+, RS1221+
I've upgraded two of our NAS (RS1221+) to DSM 7.2-64570 because we're keen on the immutable snapshots feature. Anyone else played with this? Doesn't seem to work as expected....read on.

We already daily replicate a folder from one NAS to the other (i.e., remote snapshots). Once I upgraded to 7.2, and I edited the Replication Task (existing), I saw a checkmark for Immutable snapshots! Joy! Couldn't be easier! Checked it, and let the next replication run.

Next day (today), I checked the Snapshot list, and the snapshot that was taken after I selected Immutable snapshots is not marked immutable. I can edit the snapshot and mark it immutable, but obviously I don't want to be doing that manually every day!

Am I missing something? Do we have to wipe out and re-create the replication task for immutability to take effect? If so, the fact that the checkmark is there when editing an existing snapshot is misleading.

Thanks in advance for any insight here.
I still haven't upgraded all of my units, so can't say, but I think this will be for new, fresh, backups only. Editing the existing ones would mean that no change can be done on the replica side, and if there is some sort of versioning going on, it will clash in logic.

Make a small new sample and test it out.
Thanks for the quick reply, much appreciated!

"Make a small new sample and test it out"...good suggestion, thanks. I should have thought of that. I'll try to do that and report back.

Your reasoning that it would only be applicable to new, fresh replications seems sound, but DSM 7.2 provides a facility to make any existing snapshot immutable by editing the snapshot.


After checking "Immutable Snapshots" and OK, the snapshot is indicated immutable.

So it would follow that immutability could be selected on existing replication tasks, not just new ones.

The mystery continues....
Update... as suggested by @Rusty, I created a completely new BTRFS share on the same NAS and then created a new snapshot replication task, and clicked the checkbox for Immutable snapshots. The first snapshot does not show as immutable.

Exactly the same behaviour as I reported in my initial post.

And I've raised a support ticket with Synology on this...one reply asking for clarification (at least the first response relatively quick!) but no answers yet.
Ok, here's the scoop after dealing with Synology support (refreshingly attentive support, by the way):

For immutability to work, in Snapshot Replication, immutability must be enabled on the Replication task (as per Syno documentation). ADDITIONALLY, on the corresponding snapshot under the Snapshots tab, "Enable snapshot schedule" must be checked and Immutable snapshots must be enabled there. Set the schedule under snapshots the same as the replication task. The documentation doesn't mention that requirement, but once that's done, immutability seems to work. Immutability can be applied to existing replication tasks; they don't have to be newly created.

Unfortunatly, this doesn't work for us. Out issue is that we do replications on the same folder to 3 different NAS, on three different schedules. If I enable ANOTHER schedule under the Snapshots tab, how does that work? Which one of the 4 schedules takes precedence? Big hmmmmmmm....

The Synology support rep concedes this is an issue to be pushed higher in their organization.
A bit of good news...

1. I tried to delete an immutable snapshot. Not allowed.
2. I tried to delete the replicated folders with immutable snapshots, and I could not..."Unable to perform this operation because some shared folders have immutable snapshots".

So, looks like Synology did their homework here - at least it at the simple DSM interface level.

Note that I didn't go real deep...I didn't attempt to circumvent the protections via any lower-level linux commands. And I didn't attempt to reformat the volume. Both of these could be potential attacks by a sophisticated hacker to try to blow away your backups and force you to cough up some Bitcoin.
Update, in case anyone is interested...

Immutability works correctly in 7.2. My issue was interpreting the results.

When I checked "Immutable snapshots", I then looked at the snapshot list on the source server and they aren't marked immutable. But if one looks at the snapshot list on the remote server, they are marked immutable.

I confirm that this feature works on existing replication tasks, not just new tasks. However, if only the most recent snapshots are immutable, and those snapshots only contain the latest incremental changes, protection against cyberattack may be partial only.
