使用 BR 备份 TiDB 集群数据到兼容 S3 的存储

本文详细描述了如何将运行在 AWS Kubernetes 环境中的 TiDB 集群数据备份到 AWS 的存储上。BR 会在底层获取集群的逻辑备份,然后再将备份数据上传到 AWS 的存储上。

本文使用的备份方式基于 TiDB Operator v1.1 及以上版本的 Custom Resource Definition(CRD) 实现。

Ad-hoc 备份

Ad-hoc 备份支持全量备份与增量备份。Ad-hoc 备份通过创建一个自定义的 Backup Custom Resource (CR) 对象来描述一次备份。TiDB Operator 根据这个 Backup 对象来完成具体的备份过程。如果备份过程中出现错误,程序不会自动重试,此时需要手动处理。

为了更好地描述备份的使用方式,本文档提供如下备份示例。示例假设对部署在 Kubernetes test1 这个 namespace 中的 TiDB 集群 demo1 进行数据备份,下面是具体操作过程。

Ad-hoc 备份环境准备

  1. 下载文件 backup-rbac.yaml,并执行以下命令在 test1 这个 namespace 中创建备份需要的 RBAC 相关资源:

    kubectl apply -f backup-rbac.yaml -n test1
  2. 远程存储访问授权。

    如果使用 Amazon S3 来备份集群,可以使用三种权限授予方式授予权限,参考 AWS 账号授权授权访问兼容 S3 的远程存储;使用 Ceph 作为后端存储测试备份时,是通过 AccessKey 和 SecretKey 模式授权,设置方式可参考通过 AccessKey 和 SecretKey 授权

  3. 创建 backup-demo1-tidb-secret secret。该 secret 存放用于访问 TiDB 集群的用户所对应的密码。

    kubectl create secret generic backup-demo1-tidb-secret --from-literal=password=${password} --namespace=test1

数据库账户权限

  • mysql.tidb 表的 SELECTUPDATE 权限:备份前后,Backup CR 需要一个拥有该权限的数据库账户,用于调整 GC 时间

使用 BR 备份数据到 Amazon S3 的存储

  • 创建 Backup CR,通过 accessKey 和 secretKey 授权的方式备份集群:

    kubectl apply -f backup-aws-s3.yaml

    backup-aws-s3.yaml 文件内容如下:

    --- apiVersion: pingcap.com/v1alpha1 kind: Backup metadata: name: demo1-backup-s3 namespace: test1 spec: backupType: full br: cluster: demo1 clusterNamespace: test1 # logLevel: info # statusAddr: ${status_addr} # concurrency: 4 # rateLimit: 0 # timeAgo: ${time} # checksum: true # sendCredToTikv: true # options: # - --lastbackupts=420134118382108673 # Only needed for TiDB Operator < v1.1.10 or TiDB < v4.0.8 from: host: ${tidb_host} port: ${tidb_port} user: ${tidb_user} secretName: backup-demo1-tidb-secret s3: provider: aws secretName: s3-secret region: us-west-1 bucket: my-bucket prefix: my-folder
  • 创建 Backup CR,通过 IAM 绑定 Pod 授权的方式备份集群:

    kubectl apply -f backup-aws-s3.yaml

    backup-aws-s3.yaml 文件内容如下:

    --- apiVersion: pingcap.com/v1alpha1 kind: Backup metadata: name: demo1-backup-s3 namespace: test1 annotations: iam.amazonaws.com/role: arn:aws:iam::123456789012:role/user spec: backupType: full br: cluster: demo1 sendCredToTikv: false clusterNamespace: test1 # logLevel: info # statusAddr: ${status_addr} # concurrency: 4 # rateLimit: 0 # timeAgo: ${time} # checksum: true # options: # - --lastbackupts=420134118382108673 # Only needed for TiDB Operator < v1.1.10 or TiDB < v4.0.8 from: host: ${tidb_host} port: ${tidb_port} user: ${tidb_user} secretName: backup-demo1-tidb-secret s3: provider: aws region: us-west-1 bucket: my-bucket prefix: my-folder
  • 创建 Backup CR,通过 IAM 绑定 ServiceAccount 授权的方式备份集群:

    kubectl apply -f backup-aws-s3.yaml

    backup-aws-s3.yaml 文件内容如下:

    --- apiVersion: pingcap.com/v1alpha1 kind: Backup metadata: name: demo1-backup-s3 namespace: test1 spec: backupType: full serviceAccount: tidb-backup-manager br: cluster: demo1 sendCredToTikv: false clusterNamespace: test1 # logLevel: info # statusAddr: ${status_addr} # concurrency: 4 # rateLimit: 0 # timeAgo: ${time} # checksum: true # options: # - --lastbackupts=420134118382108673 # Only needed for TiDB Operator < v1.1.10 or TiDB < v4.0.8 from: host: ${tidb_host} port: ${tidb_port} user: ${tidb_user} secretName: backup-demo1-tidb-secret s3: provider: aws region: us-west-1 bucket: my-bucket prefix: my-folder

以上三个示例分别使用三种授权模式将数据导出到 Amazon S3 存储上。Amazon S3 的 aclendpointstorageClass 配置项均可以省略。兼容 S3 的存储相关配置参考 S3 存储字段介绍

以上示例中,.spec.br 中的一些参数项均可省略,如 logLevelstatusAddrconcurrencyrateLimitchecksumtimeAgosendCredToTikv。更多 .spec.br 字段的详细解释参考 BR 字段介绍

自 v1.1.6 版本起,如果需要增量备份,只需要在 spec.br.options 中指定上一次的备份时间戳 --lastbackupts 即可。有关增量备份的限制,可参考使用 BR 进行备份与恢复

更多 Backup CR 字段的详细解释参考 Backup CR 字段介绍

创建好 Backup CR 后,可通过如下命令查看备份状态:

kubectl get bk -n test1 -o wide

备份示例

备份全部集群数据
--- apiVersion: pingcap.com/v1alpha1 kind: Backup metadata: name: demo1-backup-s3 namespace: test1 spec: backupType: full serviceAccount: tidb-backup-manager br: cluster: demo1 sendCredToTikv: false clusterNamespace: test1 # Only needed for TiDB Operator < v1.1.10 or TiDB < v4.0.8 from: host: ${tidb_host} port: ${tidb_port} user: ${tidb_user} secretName: backup-demo1-tidb-secret s3: provider: aws region: us-west-1 bucket: my-bucket prefix: my-folder
备份单个数据库的数据

以下示例中,备份 db1 数据库的数据。

--- apiVersion: pingcap.com/v1alpha1 kind: Backup metadata: name: demo1-backup-s3 namespace: test1 spec: backupType: full serviceAccount: tidb-backup-manager tableFilter: - "db1.*" br: cluster: demo1 sendCredToTikv: false clusterNamespace: test1 # Only needed for TiDB Operator < v1.1.10 or TiDB < v4.0.8 from: host: ${tidb_host} port: ${tidb_port} user: ${tidb_user} secretName: backup-demo1-tidb-secret s3: provider: aws region: us-west-1 bucket: my-bucket prefix: my-folder
备份单张表的数据

以下示例中,备份 db1.table1 表的数据。

--- apiVersion: pingcap.com/v1alpha1 kind: Backup metadata: name: demo1-backup-s3 namespace: test1 spec: backupType: full serviceAccount: tidb-backup-manager tableFilter: - "db1.table1" br: cluster: demo1 sendCredToTikv: false clusterNamespace: test1 # Only needed for TiDB Operator < v1.1.10 or TiDB < v4.0.8 from: host: ${tidb_host} port: ${tidb_port} user: ${tidb_user} secretName: backup-demo1-tidb-secret s3: provider: aws region: us-west-1 bucket: my-bucket prefix: my-folder
使用表库过滤功能备份多张表的数据

以下示例中,备份 db1.table1 表 和 db1.table2 表的数据。

--- apiVersion: pingcap.com/v1alpha1 kind: Backup metadata: name: demo1-backup-s3 namespace: test1 spec: backupType: full serviceAccount: tidb-backup-manager tableFilter: - "db1.table1" - "db1.table2" # ... br: cluster: demo1 sendCredToTikv: false clusterNamespace: test1 # Only needed for TiDB Operator < v1.1.10 or TiDB < v4.0.8 from: host: ${tidb_host} port: ${tidb_port} user: ${tidb_user} secretName: backup-demo1-tidb-secret s3: provider: aws region: us-west-1 bucket: my-bucket prefix: my-folder

定时全量备份

用户通过设置备份策略来对 TiDB 集群进行定时备份,同时设置备份的保留策略以避免产生过多的备份。定时全量备份通过自定义的 BackupSchedule CR 对象来描述。每到备份时间点会触发一次全量备份,定时全量备份底层通过 Ad-hoc 全量备份来实现。下面是创建定时全量备份的具体步骤:

定时全量备份环境准备

Ad-hoc 备份环境准备

使用 BR 定时备份数据到 Amazon S3 的存储

  • 创建 BackupSchedule CR,开启 TiDB 集群定时全量备份,通过 accessKey 和 secretKey 授权的方式备份集群:

    kubectl apply -f backup-scheduler-aws-s3.yaml

    backup-scheduler-aws-s3.yaml 文件内容如下:

    --- apiVersion: pingcap.com/v1alpha1 kind: BackupSchedule metadata: name: demo1-backup-schedule-s3 namespace: test1 spec: #maxBackups: 5 #pause: true maxReservedTime: "3h" schedule: "*/2 * * * *" backupTemplate: backupType: full # Clean outdated backup data based on maxBackups or maxReservedTime. If not configured, the default policy is Retain # cleanPolicy: Delete br: cluster: demo1 clusterNamespace: test1 # logLevel: info # statusAddr: ${status_addr} # concurrency: 4 # rateLimit: 0 # timeAgo: ${time} # checksum: true # sendCredToTikv: true # Only needed for TiDB Operator < v1.1.10 or TiDB < v4.0.8 from: host: ${tidb_host} port: ${tidb_port} user: ${tidb_user} secretName: backup-demo1-tidb-secret s3: provider: aws secretName: s3-secret region: us-west-1 bucket: my-bucket prefix: my-folder
  • 创建 BackupSchedule CR,开启 TiDB 集群定时全量备份,通过 IAM 绑定 Pod 授权的方式备份集群:

    kubectl apply -f backup-scheduler-aws-s3.yaml

    backup-scheduler-aws-s3.yaml 文件内容如下:

    --- apiVersion: pingcap.com/v1alpha1 kind: BackupSchedule metadata: name: demo1-backup-schedule-s3 namespace: test1 annotations: iam.amazonaws.com/role: arn:aws:iam::123456789012:role/user spec: #maxBackups: 5 #pause: true maxReservedTime: "3h" schedule: "*/2 * * * *" backupTemplate: backupType: full # Clean outdated backup data based on maxBackups or maxReservedTime. If not configured, the default policy is Retain # cleanPolicy: Delete br: cluster: demo1 sendCredToTikv: false clusterNamespace: test1 # logLevel: info # statusAddr: ${status_addr} # concurrency: 4 # rateLimit: 0 # timeAgo: ${time} # checksum: true # Only needed for TiDB Operator < v1.1.10 or TiDB < v4.0.8 from: host: ${tidb_host} port: ${tidb_port} user: ${tidb_user} secretName: backup-demo1-tidb-secret s3: provider: aws region: us-west-1 bucket: my-bucket prefix: my-folder
  • 创建 BackupSchedule CR,开启 TiDB 集群定时全量备份, 通过 IAM 绑定 ServiceAccount 授权的方式备份集群:

    kubectl apply -f backup-scheduler-aws-s3.yaml

    backup-scheduler-aws-s3.yaml 文件内容如下:

    --- apiVersion: pingcap.com/v1alpha1 kind: BackupSchedule metadata: name: demo1-backup-schedule-s3 namespace: test1 spec: #maxBackups: 5 #pause: true maxReservedTime: "3h" schedule: "*/2 * * * *" backupTemplate: backupType: full serviceAccount: tidb-backup-manager # Clean outdated backup data based on maxBackups or maxReservedTime. If not configured, the default policy is Retain # cleanPolicy: Delete br: cluster: demo1 sendCredToTikv: false clusterNamespace: test1 # logLevel: info # statusAddr: ${status_addr} # concurrency: 4 # rateLimit: 0 # timeAgo: ${time} # checksum: true # Only needed for TiDB Operator < v1.1.10 or TiDB < v4.0.8 from: host: ${tidb_host} port: ${tidb_port} user: ${tidb_user} secretName: backup-demo1-tidb-secret s3: provider: aws region: us-west-1 bucket: my-bucket prefix: my-folder

定时全量备份创建完成后,可以通过以下命令查看定时全量备份的状态:

kubectl get bks -n test1 -o wide

在进行集群恢复时,需要指定备份的路径,可以通过如下命令查看定时快照备份下面所有的备份条目,这些备份的名称以定时快照备份名称为前缀:

kubectl get bk -l tidb.pingcap.com/backup-schedule=demo1-backup-schedule-s3 -n test1

从以上示例可知,backupSchedule 的配置由两部分组成。一部分是 backupSchedule 独有的配置,另一部分是 backupTemplatebackupTemplate 指定集群及远程存储相关的配置,字段和 Backup CR 中的 spec 一样,详细介绍可参考 Backup CR 字段介绍backupSchedule 独有的配置项具体介绍可参考 BackupSchedule CR 字段介绍

删除备份的 Backup CR

删除备份的 Backup CR 可参考删除备份的 Backup CR

故障诊断

在使用过程中如果遇到问题,可以参考故障诊断

下载 PDF
产品
TiDB
TiDB Cloud
© 2024 PingCAP. All Rights Reserved.
Privacy Policy.