An occasional public admission of stupidity can be good for the soul, a bit of psychic self-flagellation. I’m sure you all know by now how obsessive I am about backups, so I’m sure you’ll enjoy a bit of schadenfreude related to this story of how I’ve been losing data for two months without even noticing, thanks to my backups. That’s right, my backups ate my data.
Down the Rabbit Hole of Data Loss -- It all started when I received email from a PR person asking if I’d had a chance to check out Boinx Software’s You Gotta See This iOS app, which makes it easy to create a panorama with an iPhone or camera-equipped iPod touch. The app worked fine, but because of the extremely wide aspect ratio of the panoramas, the results didn’t ring my bells. In an effort to explain this to the PR person, I launched iPhoto to snag a recent panorama I’d made, along with a single image of roughly the same scene that I wanted to show her for comparison. But when iPhoto launched, the photos I wanted weren’t there. And when I looked more closely, the last event showing was from two months ago. Uh oh.
Data loss always gives me the horrible sinking feeling in my stomach that I get when I know I’ve done something stupid and There Will Be Consequences. I realized quickly that the problem was that I had somehow been using an iPhoto Library package on a backup disk. In my panic, I initially blamed Time Machine because, well, I don’t trust it. But after my pulse settled down, I realized that Time Machine was not at fault, and that the blame instead lay with my backup strategy, aided and abetted by iPhoto (this was iPhoto ’09, but I suspect that iPhoto ’11 would also be vulnerable) and another nemesis, Spotlight.
My backup strategy, which I’ve previously been quite proud of, is threefold. First, I use Time Machine, sending archival backups to a partition on a second internal drive in my Mac Pro. Second, to provide offsite backups and as a secondary archival backup, I use CrashPlan+ to back up my entire home folder over the Internet to a hard drive attached to a friend’s Mac. Third, for quick recoveries and in case my main hard drive (named Zeus) dies a sudden death, Carbon Copy Cloner clones my startup drive to another partition (named DoppleZeus) on the second internal hard disk. That clone runs every night before my Mac goes to sleep.
Normally having DoppleZeus mounted isn’t a problem; the way applications generally default either to previous locations or default locations (like
~/Documents) ensures that there’s no confusion between my main drive (Zeus) and the clone (DoppleZeus) when opening or saving files. Since I got the Mac Pro in early 2008, this approach has worked fine.
But I hadn’t counted on iPhoto. When you Option-launch iPhoto ’09 to switch between iPhoto libraries, iPhoto doesn’t give you a standard Open dialog like iTunes does. Instead, it displays a custom dialog that lists all the iPhoto Library packages it can find via Spotlight. Since DoppleZeus is an exact clone of Zeus, iPhoto displays the same libraries on both, differentiating only by a path that’s displayed at the bottom of the dialog. Apparently, at some point in August, I had switched iPhoto libraries to test something, and when I switched back, I accidentally chose the backup version on DoppleZeus. (Although iPhoto won’t see iPhoto libraries on a disk that’s in the Privacy list in the Spotlight preference pane, if you’ve
ever chosen a library on that disk before adding the disk to Spotlight’s Privacy list, iPhoto remembers the library’s location from then on in the com.apple.iPhoto.plist file in
~/Library/Preferences, regardless of any Spotlight settings.)
I’m sure you can imagine what this means. Every time I imported photos, they were imported into the iPhoto Library on my DoppleZeus backup disk, and the following evening Carbon Copy Cloner deleted them as it followed my commands to keep DoppleZeus looking exactly like Zeus.
I hadn’t been doing much with iPhoto, so it took me two months to notice, meaning that I’d lost every imported photo since mid-August. And they were totally gone, with no chance of recovery. Since both Time Machine and CrashPlan back up Zeus and not DoppleZeus, there was no backup of those photos—they never existed on a drive that was itself backed up.
Before I explain how to avoid this problem, there is a happy ending. I take photos with two cameras: my iPhone 4 and a Canon PowerShot SD870. I use the iPhone when I haven’t anticipated a photo opportunity and failed to pocket the PowerShot SD870. Any time I think of it, I use the PowerShot, since it takes better photos. But since I’ve been busy this summer, it turns out that the only photos I’ve imported into iPhoto were those taken with the iPhone. All my “good” photos are still sitting on the PowerShot’s SD card. I feel a bit like my parents back in the 1980s, who would often forget to develop rolls of film for months. So, while I’m not happy that I lost all my iPhone photos since mid-August, it’s not that big of a deal.
This problem is pretty specific, and I doubt most people switch iPhoto libraries as often as I do for testing, but be warned if you do use iPhoto’s Option-launch approach to switching. Or use Fat Cat Software’s iPhoto Library Manager, which requires that you specify the iPhoto libraries you want to switch among manually, rather than relying on Spotlight to find every last one.
An Ounce of Prevention -- So how could I prevent this from happening again in the future, and, what’s the solution for those who also use Carbon Copy Cloner or Shirt Pocket’s SuperDuper to clone to another hard disk? My buddy Andrew Laurence gave me the hint I needed when he commented on Twitter that backups should be out of sight, out of mind, read-only, and far away.
Looking at my three-pronged backup strategy, CrashPlan’s backups meet all four criteria. Apart from the partition’s icon on my Desktop, my Time Machine backups are out of sight, and they’re essentially read-only because Time Machine manages the permissions on the folder containing the backups to prevent you from writing to it. (Time Machine fails the out-of-mind test because it’s disconcerting when it’s running, and it isn’t designed to meet the far-away test by allowing backups over the Internet.) My Carbon Copy Cloner setup is out of mind, since it runs only at night when I’m not at the Mac, but there’s no easy way to make it read-only (since Carbon Copy Cloner has to write to the disk), and I don’t want it to be far away.
The trick is in the remaining goal—putting the Carbon Copy Cloner backup destination out of sight while I’m using my Mac. To achieve that, I can mount the DoppleZeus volume right before Carbon Copy Cloner’s backup runs, and unmount it afterward. Were it on its own disk, rather than sharing the disk with the Time Machine partition, a nice side-effect of this approach would be that the drive wouldn’t be spun up so much, and it might save a tiny bit of power.
In fact, Carbon Copy Cloner’s documentation gives a script for unmounting a volume after backup with a post-flight script, but it notes that a pre-flight script can’t mount a volume because Carbon Copy Cloner performs sanity checks for the existence of the destination volume. Instead, the documentation suggests mounting the drive in some other way and having Carbon Copy Cloner start the backup when it sees the drive appear.
There are undoubtedly a bazillion ways of mounting a disk at a particular time, but I chose to have Stairways Software’s Keyboard Maestro execute a short shell script at the appropriate time. The script is simply
diskutil mount disk0s2 (you can find the disk identifier—the
disk0s2 bit—with the command
For the unmount script, I simply copied the script from the Carbon Copy Cloner documentation to a text file, saved it as UnmountDoppleZeus-CCC.sh in
~/Library/Scripts, specified it in Carbon Copy Cloner’s Advanced Settings dialog, and then saved the task, setting Carbon Copy Cloner to execute the entire task whenever the disk appears.
It works perfectly, with Keyboard Maestro mounting the disk, Carbon Copy Cloner noticing and performing the clone action, and the post-flight script unmounting the disk.
Actually, there is one additional problem to solve. Whenever I reboot, the DoppleZeus volume mounts automatically. Luckily, this is solved easily with another Keyboard Maestro macro that executes at login; it simply unmounts DoppleZeus right away. (If you were doing this, you’d want to replace “DoppleZeus” with the name of your disk.)
Although I don’t currently use SuperDuper in my backup strategy, it’s an extremely popular, useful program for making duplicates as well. But it requires a slightly different approach. Nothing needs to be done to mount the disk before backup, because SuperDuper does that automatically as needed. And if you’re using an external hard disk or a removable disk, you can make it unmount after SuperDuper runs by choosing Eject from the On Successful Completion pop-up menu in the General view of SuperDuper’s options for the backup. So if you’re not using an internal disk, you’re done.
However, I am using a partition on an internal hard disk in my Mac Pro as the backup destination. Because the Finder doesn’t give an internal disk an Eject button in the sidebar, the current version of SuperDuper doesn’t see it as ejectable. The next minor revision will do this, according to SuperDuper author Dave Nanian (I suspect he named the program SuperDuper just so it would sound like an adjective when used in front of his name—clearly I need to write a book called “BestSelling”).
In the meantime, Dave gave me a script that does what’s necessary, forking off an independent process that unmounts the disk that was just backed up to.
nohup /bin/bash -c "sleep 30; diskutil unmount \"$4\"" &
To use this script, I simply put the above two lines in a text file called UnmountDoppleZeus-SD.sh in
~/Library/Scripts and marked it as executable with the Terminal command below.
chmod u+x /Users/adam/Library/Scripts/UnmountDoppleZeus-SD.sh
Then I specified it in SuperDuper’s Advanced options, scheduled SuperDuper to execute at the appropriate time, and all was golden.
Out of Sight -- So, regardless of whether you use Carbon Copy Cloner or SuperDuper to create a bootable duplicate of your hard disk, you can ensure that the clone is mounted only when necessary, and is properly unmounted and out of sight the rest of the time. And hopefully, that will prevent you from making the kind of mistake I made with my iPhoto Library.