Potential for total data loss?

I have identified this issue with the DroboFS, but it may exist in the Drobo family as a whole.

The 5 disk array consists of 3 x 2Tb drives, and 2 x 3Tb drives. There is 2.34Tb of data on the Drobo.

If I eject (‘fail’) one of the 3Tb drives then after a few seconds of yellow/green flashing, the 4 bays revert to green, and the empty slot to solid red.

This leads me to think that my data is safe, but that I should add another drive to increase storage.

However, if I eject the other 3Tb drive, everything goes red, restarts, and stays red with no access to data.

Looking at the Drobo Calculator, 3 x 2Tb drives should yield storage of 3.63Tb - and I only have 2.34Tb on there.

Is it - and I am just guessing here - that Drobo ‘scales up’ when larger drives are added, but fails to ‘scale down’ when drives are removed?

If so, this does not seem the best way of doing things. It would mean that potentially a drive could fail, as I simulated above, and I would be told by the Drobo that all my other drives were fine and my data was protected, but should another drive fail, I would be left with no access to my data unless I went out and bought another hard drive.

Dual disk redundancy is OFF - am I misunderstanding its concept? I thought it was to protect against two SIMULTANEOUS failures, not a later failure when all lights are green on drives.

I would just emphasise again - there is only 2.34Tb of data in there - well below the max storage capacity of the 3 x 2Tb drives remaining.

hi tony,
just a quick check… if DDR is off, then as far as i understand it, the drobo is in SDR mode, which means only 1 drive can fail.

(there might be a cascading effect/feature for sdr if there is enough space) but generally speaking, if SDR is the mode being used, then that is for single drive redundancy protection.

From the sounds of it, the Drobo did not complete its data protection.

The data protection could take some time and it will likely take more than a few seconds.

It sounds like the data protection was not complete when the second drive was removed.

I agree. The data protection didn’t complete for some reason and the four green lights plus a single solid red was an erroneous indication. Two things I’d be interested to know: did the Dashboard agree with the lights? How long did you leave it in the apparently safe state before removing the second drive? If it was only a short amount of time it’s possible that it would have entered data protection mode again if you’d left it, though however you look at it the indicator lights were wrong. The fact that data protection appeared to be complete in only a few seconds ought to have been a warning that something wasn’t right. Perhaps you’ve found an obscure bug.

Your 2.34 TB of data is capable of being stored and protected on three 2 TB drives, or stored but unprotected on two. However to get there from your original state would need data protection to run to completion before the failure or removal of each successive drive - something that didn’t happen in your case.

While data protection is in progress your data is unprotected if you have single disk redundancy selected. Drobo data protection is notoriously slow, so dual disk redundancy is used to provide protection against further failure during that process. So it isn’t two literally simultaneous failures that it protects against, but the much more likely case of two failures occurring within several hours (days, even) of each other.

Actually - semi-false alarm.

I went out for the afternoon after posting, and when I came back I was getting the yellow/green flashing, so in fact the Drobo is ‘scaling down’ - seems it just needed a bit of time to decide that it was.

I say ‘semi’ false alarm as dear old Drobo did do its couple of mins of reconfiguration and then lit all the other drives as green, i.e. ok, and data protected. But that wasn’t true.

Now for people who leave their Drobos on all the time, that’s fine. Give it a while and it’ll go into its scale down/data protection mode. But what if you fire up your Drobo manually as and when? You might think all is well, power down, leave it a week (in which time another drive fails for no reason) and you’ve lost all your data, because it hasn’t had the chance to go through data protection, and falsely reports all is well. I realise this scenario is not most Drobo owners, but best to cover all bases thoroughly where data storage is concerned!

What do you mean by “another drive fails for no reason”? Things don’t happen for no reason - effects always have a cause, even if it’s not expected. The Drobo is meant to be powered on all the time so that it can do its background maintenance tasks. Sure, if you plan to go away for two weeks then shut it down before you go, but shut it down cleanly. It won’t shut down until it’s happy and it won’t start up again until it’s happy. Thing is, they take so long to start up and use so little power when the drives are spun down there’s really no reason to power down, say, every night. I’m a strong advocate of dual disk redundancy - it would help in this somewhat contrived scenario. Otherwise you would have to restore from your most recent backup.