TiDB Log Backup and PITR Command Manual

This document describes the commands used in TiDB log backup and point-in-time recovery (PITR).

For more information about log backup and PITR, refer to:

Perform log backup

You can start and manage log backup using the tiup br log command.

tiup br log --help backup stream log from TiDB/TiKV cluster Usage: br log [command] Available Commands: metadata get the metadata of log dir pause pause a log backup task resume resume a log backup task start start a log backup task status get status for the log backup task stop stop a log backup task truncate truncate the log data until sometime

Each subcommand is described as follows:

  • tiup br log start: start a log backup task.
  • tiup br log status: query the status of the log backup task.
  • tiup br log pause: pause a log backup task.
  • tiup br log resume: resume a paused log backup task.
  • tiup br log stop: stop a log backup task and delete the task metadata.
  • tiup br log truncate: clean up the log backup data from the backup storage.
  • tiup br log metadata: query the metadata of the log backup data.

Start a log backup task

You can run the tiup br log start command to start a log backup task. This task runs in the background of your TiDB cluster and automatically backs up the change log of KV storage to the backup storage.

Run tiup br log start --help to see the help information:

tiup br log start --help start a log backup task Usage: br log start [flags] Flags: -h, --help help for start --start-ts string usually equals last full backupTS, used for backup log. Default value is current ts. support TSO or datetime, e.g. '400036290571534337' or '2018-05-11 01:42:23+0800'. --task-name string The task name for the backup log task. Global Flags: --ca string CA certificate path for TLS connection --cert string Certificate path for TLS connection --key string Private key path for TLS connection -u, --pd strings PD address (default [127.0.0.1:2379]) -s, --storage string specify the url where backup storage, eg, "s3://bucket/path/prefix"

The example output only shows the common parameters. These parameters are described as follows:

  • --start-ts: specifies the start timestamp for the log backup. If this parameter is not specified, the backup program uses the current time as start-ts.
  • task-name: specifies the task name for the log backup. This name is also used to query, pause, and resume the backup task.
  • --ca, --cert, --key: specifies the mTLS encryption method to communicate with TiKV and PD.
  • --pd: specifies the PD address for the backup cluster. BR needs to access PD to start the log backup task.
  • --storage: specifies the backup storage address. Currently, BR supports Amazon S3, Google Cloud Storage (GCS), or Azure Blob Storage as the storage for log backup. The preceding command uses Amazon S3 as an example. For details, see URI Formats of External Storage Services.

Usage example:

tiup br log start \ --task-name=pitr \ --pd="${PD_IP}:2379" \ --storage='s3://backup-101/logbackup?access-key=${access-key}&secret-access-key=${secret-access-key}'

Encrypt the log backup data

BR enables you to encrypt log backup data before uploading it to your backup storage.

Starting from TiDB v8.4.0, you can encrypt log backup data by passing the following parameters in the log backup command, which is similar to snapshot backup encryption:

  • --log.crypter.method: Encryption algorithm, which can be aes128-ctr, aes192-ctr, or aes256-ctr. The default value is plaintext, indicating that data is not encrypted.
  • --log.crypter.key: Encryption key in hexadecimal string format. It is a 128-bit (16 bytes) key for the algorithm aes128-ctr, a 24-byte key for the algorithm aes192-ctr, and a 32-byte key for the algorithm aes256-ctr.
  • --log.crypter.key-file: The key file. You can directly pass in the file path where the key is stored as a parameter without passing in the crypter.key.

The following is an example:

tiup br log start \ --task-name=pitr-with-encryption --pd ${PD_IP}:2379 \ --storage "s3://${BACKUP_COLLECTION_ADDR}/snapshot-${DATE}?access-key=${AWS_ACCESS_KEY}&secret-access-key=${AWS_SECRET_ACCESS_KEY}" \ --log.crypter.method aes128-ctr \ --log.crypter.key 0123456789abcdef0123456789abcdef

However, in scenarios with higher security requirements, you might not want to pass a fixed encryption key directly in the command line. To further enhance security, you can use a master key based encryption system to manage encryption keys. This system generates different data keys to encrypt different log backup files and supports master key rotation. You can configure it using the following parameters:

  • --master-key-crypter-method: Encryption algorithm based on the master key, which can be aes128-ctr, aes192-ctr, or aes256-ctr. The default value is plaintext, indicating that data is not encrypted.
  • --master-key: Master key configuration. It can be a master key stored on a local disk or a master key managed by a cloud Key Management Service (KMS).

Encrypt using a master key stored on a local disk:

tiup br log start \ --task-name=pitr-with-encryption \ --pd ${PD_IP}:2379 \ --storage "s3://${BACKUP_COLLECTION_ADDR}/snapshot-${DATE}?access-key=${AWS_ACCESS_KEY}&secret-access-key=${AWS_SECRET_ACCESS_KEY}" \ --master-key-crypter-method aes128-ctr \ --master-key "local:///path/to/master.key"

Encrypt using a master key managed by AWS KMS:

tiup br log start \ --task-name=pitr-with-encryption \ --pd ${PD_IP}:2379 \ --storage "s3://${BACKUP_COLLECTION_ADDR}/snapshot-${DATE}?access-key=${AWS_ACCESS_KEY}&secret-access-key=${AWS_SECRET_ACCESS_KEY}" \ --master-key-crypter-method aes128-ctr \ --master-key "aws-kms:///${AWS_KMS_KEY_ID}?AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY}&AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY}&REGION=${AWS_REGION}"

Encrypt using a master key managed by Google Cloud KMS:

tiup br log start \ --task-name=pitr-with-encryption \ --pd ${PD_IP}:2379 \ --storage "s3://${BACKUP_COLLECTION_ADDR}/snapshot-${DATE}?access-key=${AWS_ACCESS_KEY}&secret-access-key=${AWS_SECRET_ACCESS_KEY}" \ --master-key-crypter-method aes128-ctr \ --master-key "gcp-kms:///projects/$GCP_PROJECT_ID/locations/$GCP_LOCATION/keyRings/$GCP_KEY_RING/cryptoKeys/$GCP_KEY_NAME?AUTH=specified&CREDENTIALS=$GCP_CREDENTIALS_PATH"

Query the log backup status

You can run the tiup br log status command to query the log backup status.

Run tiup br log status --help to see the help information:

tiup br log status --help get status for the log backup task Usage: br log status [flags] Flags: -h, --help help for status --json Print JSON as the output. --task-name string The task name for backup stream log. If default, get status of all of tasks (default "*") Global Flags: --ca string CA certificate path for TLS connection --cert string Certificate path for TLS connection --key string Private key path for TLS connection -u, --pd strings PD address (default [127.0.0.1:2379])

In the example output, task-name is used to specify the name of the backup task. The default value is *, which means querying the status of all tasks.

Usage example:

tiup br log status --task-name=pitr --pd="${PD_IP}:2379"

Expected output:

● Total 1 Tasks. > #1 < name: pitr status: ● NORMAL start: 2022-07-14 20:08:03.268 +0800 end: 2090-11-18 22:07:45.624 +0800 storage: s3://backup-101/logbackup speed(est.): 0.82 ops/s checkpoint[global]: 2022-07-25 22:52:15.518 +0800; gap=2m52s

The output fields are described as follows:

  • status: the status of the backup task, which can be NORMAL, ERROR, or PAUSE.
  • start: the start time of the backup task. It is the start-ts value specified when the backup task is started.
  • storage: the backup storage address.
  • speed: the total QPS of the backup task. QPS means the number of logs backed per second.
  • checkpoint [global]: all data before this checkpoint is backed up to the backup storage. This is the latest timestamp available for restoring the backup data.
  • error [store]: the error the log backup program encounters on the storage node.

Pause and resume a log backup task

You can run the tiup br log pause command to pause a running log backup task.

Run tiup br log pause --help to see the help information:

tiup br log pause --help pause a log backup task Usage: br log pause [flags] Flags: --gc-ttl int the TTL (in seconds) that PD holds for BR's GC safepoint (default 86400) -h, --help help for status --task-name string The task name for backup stream log. Global Flags: --ca string CA certificate path for TLS connection --cert string Certificate path for TLS connection --key string Private key path for TLS connection -u, --pd strings PD address (default [127.0.0.1:2379])

Usage example:

tiup br log pause --task-name=pitr --pd="${PD_IP}:2379"

You can run the tiup br log resume command to resume a paused backup task.

Run tiup br log resume --help to see the help information:

tiup br log resume --help resume a log backup task Usage: br log resume [flags] Flags: -h, --help help for status --task-name string The task name for backup stream log. Global Flags: --ca string CA certificate path for TLS connection --cert string Certificate path for TLS connection --key string Private key path for TLS connection -u, --pd strings PD address (default [127.0.0.1:2379])

After the backup task is paused for more than 24 hours, running tiup br log resume reports an error, and BR prompts that backup data is lost. To handle this error, refer to Backup & Restore FAQs.

Usage example:

tiup br log resume --task-name=pitr --pd="${PD_IP}:2379"

Stop and restart a log backup task

You can stop a log backup task by running the tiup br log stop command and restart a log backup task that is stopped by using the original --storage directory.

Stop a log backup task

You can run the tiup br log stop command to stop a log backup task. This command cleans up the task metadata in the backup cluster.

Run tiup br log stop --help to see the help information:

tiup br log stop --help stop a log backup task Usage: br log stop [flags] Flags: -h, --help help for status --task-name string The task name for the backup log task. Global Flags: --ca string CA certificate path for TLS connection --cert string Certificate path for TLS connection --key string Private key path for TLS connection -u, --pd strings PD address (default [127.0.0.1:2379])

Usage example:

tiup br log stop --task-name=pitr --pd="${PD_IP}:2379"

Restart a log backup task

After running the tiup br log stop command to stop a log backup task, you can create a new log backup task in another --storage directory or restart the log backup task in the original --storage directory by running the tiup br log start command. If you restart the task in the original --storage directory, pay attention to the following points:

  • Parameters of the --storage directory for restarting a task must be the same as the task that is stopped.
  • The --start-ts does not need to be specified. BR automatically starts the backup from the last backup checkpoint.
  • If the task is stopped for a long time and multiple versions of the data have been garbage collected, the error BR:Backup:ErrBackupGCSafepointExceeded is reported when you attempt to restart the task. In this case, you have to create a new log backup task in another --storage directory.

Clean up log backup data

You can run the tiup br log truncate command to clean up the outdated or no longer needed log backup data.

Run tiup br log truncate --help to see the help information:

tiup br log truncate --help truncate the incremental log until sometime. Usage: br log truncate [flags] Flags: --dry-run Run the command but don't really delete the files. -h, --help help for truncate --until string Remove all backup data until this TS.(support TSO or datetime, e.g. '400036290571534337' or '2018-05-11 01:42:23+0800'.) -y, --yes Skip all prompts and always execute the command. Global Flags: -s, --storage string specify the url where backup storage, eg, "s3://bucket/path/prefix"

This command only accesses the backup storage and does not access the TiDB cluster. Some parameters are described as follows:

  • --dry-run: run the command but do not really delete the files.
  • --until: delete all log backup data before the specified timestamp.
  • --storage: the backup storage address. Currently, BR supports Amazon S3, GCS, or Azure Blob Storage as the storage for log backup. For details, see URI Formats of External Storage Services.

Usage example:

tiup br log truncate --until='2022-07-26 21:20:00+0800' \ --storage='s3://backup-101/logbackup?access-key=${access-key}&secret-access-key=${secret-access-key}'

Expected output:

Reading Metadata... DONE; take = 277.911599ms We are going to remove 9 files, until 2022-07-26 21:20:00.0000. Sure? (y/N) y Clearing data files... DONE; take = 43.504161ms, kv-count = 53, kv-size = 4573(4.573kB) Removing metadata... DONE; take = 24.038962ms

View the log backup metadata

You can run the tiup br log metadata command to view the log backup metadata in the storage system, such as the earliest and latest timestamp that can be restored.

Run tiup br log metadata --help to see the help information:

tiup br log metadata --help get the metadata of log backup storage Usage: br log metadata [flags] Flags: -h, --help help for metadata Global Flags: -s, --storage string specify the url where backup storage, eg, "s3://bucket/path/prefix"

This command only accesses the backup storage and does not access the TiDB cluster.

The --storage parameter is used to specify the backup storage address. Currently, BR supports Amazon S3, GCS, or Azure Blob Storage as the storage for log backup. For details, see URI Formats of External Storage Services.

Usage example:

tiup br log metadata --storage='s3://backup-101/logbackup?access-key=${access-key}&secret-access-key=${secret-access-key}'

Expected output:

[2022/07/25 23:02:57.236 +08:00] [INFO] [collector.go:69] ["log metadata"] [log-min-ts=434582449885806593] [log-min-date="2022-07-14 20:08:03.268 +0800"] [log-max-ts=434834300106964993] [log-max-date="2022-07-25 23:00:15.618 +0800"]

Restore to a specified point in time (PITR)

You can run the tiup br restore point command to perform a PITR on a new cluster or just restore the log backup data.

Run tiup br restore point --help to see the help information:

tiup br restore point --help restore data from log until specify commit timestamp Usage: br restore point [flags] Flags: --full-backup-storage string specify the backup full storage. fill it if want restore full backup before restore log. -h, --help help for point --restored-ts string the point of restore, used for log restore. support TSO or datetime, e.g. '400036290571534337' or '2018-05-11 01:42:23+0800' --start-ts string the start timestamp which log restore from. support TSO or datetime, e.g. '400036290571534337' or '2018-05-11 01:42:23+0800' Global Flags: --ca string CA certificate path for TLS connection --cert string Certificate path for TLS connection --key string Private key path for TLS connection -u, --pd strings PD address (default [127.0.0.1:2379]) -s, --storage string specify the url where backup storage, eg, "s3://bucket/path/prefix"

The example output only shows the common parameters. These parameters are described as follows:

  • --full-backup-storage: the storage address for the snapshot (full) backup. To use PITR, specify this parameter and choose the latest snapshot backup before the restore timestamp. To restore only log backup data, you can omit this parameter. Note that when initializing the recovery cluster for the first time, you must specify a snapshot backup. Currently, BR supports Amazon S3, GCS, and Azure Blob Storage as the storage for log backup. For details, see URI Formats of External Storage Services.
  • --restored-ts: the timestamp that you want to restore data to. If this parameter is not specified, BR restores data to the latest timestamp available in the log backup, that is, the checkpoint of the backup data.
  • --start-ts: the start timestamp that you want to restore log backup data from. If you only need to restore log backup data, you must specify this parameter.
  • --pd: the PD address of the restore cluster.
  • --ca, --cert, --key: specify the mTLS encryption method to communicate with TiKV and PD.
  • --storage: the storage address for the log backup. Currently, BR supports Amazon S3, GCS, or Azure Blob Storage as the storage for log backup. For details, see URI Formats of External Storage Services.

Usage example:

tiup br restore point --pd="${PD_IP}:2379" --storage='s3://backup-101/logbackup?access-key=${access-key}&secret-access-key=${secret-access-key}' --full-backup-storage='s3://backup-101/snapshot-202205120000?access-key=${access-key}&secret-access-key=${secret-access-key}' Full Restore <--------------------------------------------------------------------------------------------------------------------------------------------------------> 100.00% *** ***["Full Restore success summary"] ****** [total-take=3.112928252s] [restore-data-size(after-compressed)=5.056kB] [Size=5056] [BackupTS=434693927394607136] [total-kv=4] [total-kv-size=290B] [average-speed=93.16B/s] Restore Meta Files <--------------------------------------------------------------------------------------------------------------------------------------------------> 100.00% Restore KV Files <----------------------------------------------------------------------------------------------------------------------------------------------------> 100.00% "restore log success summary"] [total-take=192.955533ms] [restore-from=434693681289625602] [restore-to=434693753549881345] [total-kv-count=33] [total-size=21551]

Restore encrypted log backup data

To restore encrypted log backup data, you need to pass the corresponding decryption parameters in the restore command. Make sure that the decryption parameters are the same as those used for encryption. If the decryption algorithm or key is incorrect, the data cannot be restored.

The following is an example:

tiup br restore point --pd="${PD_IP}:2379" --storage='s3://backup-101/logbackup?access-key=${ACCESS-KEY}&secret-access-key=${SECRET-ACCESS-KEY}' --full-backup-storage='s3://backup-101/snapshot-202205120000?access-key=${ACCESS-KEY}&secret-access-key=${SECRET-ACCESS-KEY}' --crypter.method aes128-ctr --crypter.key 0123456789abcdef0123456789abcdef --log.crypter.method aes128-ctr --log.crypter.key 0123456789abcdef0123456789abcdef

If a log backup is encrypted using a master key, you can decrypt and restore the backup data using the following command:

tiup br restore point --pd="${PD_IP}:2379" --storage='s3://backup-101/logbackup?access-key=${ACCESS-KEY}&secret-access-key=${SECRET-ACCESS-KEY}' --full-backup-storage='s3://backup-101/snapshot-202205120000?access-key=${ACCESS-KEY}&secret-access-key=${SECRET-ACCESS-KEY}' --crypter.method aes128-ctr --crypter.key 0123456789abcdef0123456789abcdef --master-key-crypter-method aes128-ctr --master-key "local:///path/to/master.key"

Was this page helpful?