Dear Proxmox Support / Development Team,
I am writing with a design suggestion arising from a recent real-world incident, offered in the spirit of constructive feedback rather than criticism.
During a restore operation from snapshot rollback, the system correctly warned that the action would overwrite the current state and that there would be no way back. Under fatigue and operational pressure (at 4am working all night), I proceeded — and only later realised that I had restored from a much older backup than intended, with no snapshot having been taken beforehand. I lost everyone's email from the server with no backup as this was the backup; which system was faulty (my fault).
What struck me afterwards is that the warning was *informational* but not *protective*. At the exact moment when human judgement is most fallible (stress, tiredness, urgency), the system relies entirely on the operator having already taken the correct precaution.
I would like to suggest a very minimal and human-factors-oriented enhancement:
**A short-lived “undo horizon” snapshot, created automatically immediately before any destructive restore or overwrite operation**, or indeed just rollbacks, maybe when there are no recent snapshots.
Key characteristics of this idea:
- Snapshot creation is **automatic**, not dependent on operator action
- The snapshot exists **in spite of the operator**, not because of them
- It is not necessarily prominent in the usual snapshot list (implementation detail)
- **No automatic deletion** — deletion of it should be an explicit, conscious user action taken later, when the situation has stabilised
- Disk usage can be surfaced calmly after the fact (“Undo snapshot exists, consumes X GB”)
- A global setting could allow this feature to be disabled for environments with exceptional privacy or sensitivity requirements, but enabled by default
The intent is not to add warnings, buttons, or friction, but to ensure that at the moment of maximum risk (I was "out of it" with stress and fatigue at 4am), the system quietly guarantees reversibility. Decision-making about retention is deferred to a time when the operator is no longer under pressure.
In hindsight, such a mechanism would almost certainly have prevented a serious but avoidable no-recovery incident. More broadly, it seems aligned with the philosophy of designing systems that assume capable, but tired humans.
I hope this suggestion is useful. Thank you for the work you do — Proxmox has enabled me to run robust infrastructure for many months, and this idea comes from that same place of respect.
Kind regards,
Anthony - approaching 70 years of age; tech involved for 50 years.
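The "undo horizon" described in the post, as an added example that is not part of the original post and is not Proxmox code: a POSIX shell wrapper around `qm rollback` that refuses to perform the destructive step unless a safety copy was created first, and that never deletes that copy itself. It assumes the Proxmox VE command-line tools `qm` (`qm snapshot`, `qm rollback`, `qm delsnapshot`) and `vzdump` are on PATH; the function and variable names (`safe_rollback`, `SAFETY`, `BACKUP_STORAGE`, `DRY_RUN`) are the example's own. `DRY_RUN=1` prints the commands instead of running them so the control flow can be checked without a Proxmox host.

```shell
#!/bin/sh
# safe_rollback: an "undo horizon" wrapper around `qm rollback`.
# Added example, not Proxmox code. Assumes the Proxmox VE CLI tools `qm` and
# `vzdump` are on PATH. Set DRY_RUN=1 to print the commands instead of
# executing them.

# run CMD...: execute CMD, or just echo it when DRY_RUN=1; returns CMD's status
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "would run: $*"
    else
        "$@"
    fi
}

# safe_rollback VMID TARGET_SNAPSHOT [UNDO_NAME]
#   1. create the safety copy (a snapshot, or a vzdump backup when SAFETY=backup)
#   2. only if that succeeded, perform the destructive rollback
#   3. report the safety copy; it is never deleted here
safe_rollback() {
    vmid=$1
    target=$2
    undo=${3:-"undo-horizon-$(date -u +%Y%m%d-%H%M%S)"}
    if [ -z "$vmid" ] || [ -z "$target" ]; then
        echo "usage: safe_rollback VMID TARGET_SNAPSHOT [UNDO_NAME]" >&2
        return 2
    fi

    case "${SAFETY:-snapshot}" in
        snapshot)
            run qm snapshot "$vmid" "$undo" \
                --description "automatic undo horizon taken before rollback to '$target'" \
                || { echo "refusing to roll back: safety snapshot failed" >&2; return 1; }
            ;;
        backup)
            # Fallback for storage where only the newest snapshot can be rolled back
            # to: keep a full vzdump backup on BACKUP_STORAGE instead of a snapshot.
            [ -n "$BACKUP_STORAGE" ] || { echo "SAFETY=backup needs BACKUP_STORAGE" >&2; return 2; }
            run vzdump "$vmid" --mode snapshot --storage "$BACKUP_STORAGE" \
                || { echo "refusing to roll back: safety backup failed" >&2; return 1; }
            ;;
        *)
            echo "SAFETY must be 'snapshot' or 'backup'" >&2
            return 2
            ;;
    esac

    # The destructive step happens only after the safety copy exists.
    run qm rollback "$vmid" "$target" || return 1

    # Surface the safety copy calmly; deleting it is a deliberate later step.
    if [ "${SAFETY:-snapshot}" = "snapshot" ]; then
        echo "Undo snapshot '$undo' kept on VM $vmid. Remove it deliberately later with:"
        echo "  qm delsnapshot $vmid $undo"
    else
        echo "Undo backup of VM $vmid kept on storage '$BACKUP_STORAGE'; prune it deliberately later."
    fi
}

# Usage when run as a script: ./safe_rollback.sh 100 pre-upgrade
if [ "$#" -ge 2 ]; then
    safe_rollback "$@"
fi
```

Two practical caveats for anyone adopting this pattern. On storage types where Proxmox only permits rolling back to the most recent snapshot (ZFS and LVM-thin volumes behave this way), a freshly taken safety snapshot would itself block a rollback to an older one; `SAFETY=backup` covers that case by taking a `vzdump` backup instead. And a backup restore over an existing VM replaces its disks, so for the restore scenario in the post the same wrapper shape applies with the restore command swapped in, but only a `vzdump` copy, not a snapshot, survives as the undo horizon.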