使用 BR 备份 TiDB 集群数据到兼容 S3 的存储
本文详细描述了如何将运行在 AWS Kubernetes 环境中的 TiDB 集群数据备份到 AWS 的存储上。BR 会在底层获取集群的逻辑备份,然后再将备份数据上传到 AWS 的存储上。
本文使用的备份方式基于 TiDB Operator v1.1 及以上版本的 Custom Resource Definition(CRD) 实现。
Ad-hoc 备份
Ad-hoc 备份支持全量备份与增量备份。Ad-hoc 备份通过创建一个自定义的 Backup Custom Resource (CR) 对象来描述一次备份。TiDB Operator 根据这个 Backup 对象来完成具体的备份过程。如果备份过程中出现错误,程序不会自动重试,此时需要手动处理。
为了更好地描述备份的使用方式,本文档提供如下备份示例。示例假设对部署在 Kubernetes test1 这个 namespace 中的 TiDB 集群 demo1 进行数据备份,下面是具体操作过程。
Ad-hoc 备份环境准备
下载文件 backup-rbac.yaml,并执行以下命令在
test1这个 namespace 中创建备份需要的 RBAC 相关资源:kubectl apply -f backup-rbac.yaml -n test1远程存储访问授权。
如果使用 Amazon S3 来备份集群,可以使用三种权限授予方式授予权限,参考 AWS 账号授权授权访问兼容 S3 的远程存储;使用 Ceph 作为后端存储测试备份时,是通过 AccessKey 和 SecretKey 模式授权,设置方式可参考通过 AccessKey 和 SecretKey 授权。
创建
backup-demo1-tidb-secretsecret。该 secret 存放用于访问 TiDB 集群的用户所对应的密码。kubectl create secret generic backup-demo1-tidb-secret --from-literal=password=${password} --namespace=test1
数据库账户权限
mysql.tidb表的SELECT和UPDATE权限:备份前后,Backup CR 需要一个拥有该权限的数据库账户,用于调整 GC 时间
使用 BR 备份数据到 Amazon S3 的存储
创建
BackupCR,通过 accessKey 和 secretKey 授权的方式备份集群:kubectl apply -f backup-aws-s3.yamlbackup-aws-s3.yaml文件内容如下:--- apiVersion: pingcap.com/v1alpha1 kind: Backup metadata: name: demo1-backup-s3 namespace: test1 spec: backupType: full br: cluster: demo1 clusterNamespace: test1 # logLevel: info # statusAddr: ${status_addr} # concurrency: 4 # rateLimit: 0 # timeAgo: ${time} # checksum: true # sendCredToTikv: true # options: # - --lastbackupts=420134118382108673 # Only needed for TiDB Operator < v1.1.10 or TiDB < v4.0.8 from: host: ${tidb_host} port: ${tidb_port} user: ${tidb_user} secretName: backup-demo1-tidb-secret s3: provider: aws secretName: s3-secret region: us-west-1 bucket: my-bucket prefix: my-folder创建
BackupCR,通过 IAM 绑定 Pod 授权的方式备份集群:kubectl apply -f backup-aws-s3.yamlbackup-aws-s3.yaml文件内容如下:--- apiVersion: pingcap.com/v1alpha1 kind: Backup metadata: name: demo1-backup-s3 namespace: test1 annotations: iam.amazonaws.com/role: arn:aws:iam::123456789012:role/user spec: backupType: full br: cluster: demo1 sendCredToTikv: false clusterNamespace: test1 # logLevel: info # statusAddr: ${status_addr} # concurrency: 4 # rateLimit: 0 # timeAgo: ${time} # checksum: true # options: # - --lastbackupts=420134118382108673 # Only needed for TiDB Operator < v1.1.10 or TiDB < v4.0.8 from: host: ${tidb_host} port: ${tidb_port} user: ${tidb_user} secretName: backup-demo1-tidb-secret s3: provider: aws region: us-west-1 bucket: my-bucket prefix: my-folder创建
BackupCR,通过 IAM 绑定 ServiceAccount 授权的方式备份集群:kubectl apply -f backup-aws-s3.yamlbackup-aws-s3.yaml文件内容如下:--- apiVersion: pingcap.com/v1alpha1 kind: Backup metadata: name: demo1-backup-s3 namespace: test1 spec: backupType: full serviceAccount: tidb-backup-manager br: cluster: demo1 sendCredToTikv: false clusterNamespace: test1 # logLevel: info # statusAddr: ${status_addr} # concurrency: 4 # rateLimit: 0 # timeAgo: ${time} # checksum: true # options: # - --lastbackupts=420134118382108673 # Only needed for TiDB Operator < v1.1.10 or TiDB < v4.0.8 from: host: ${tidb_host} port: ${tidb_port} user: ${tidb_user} secretName: backup-demo1-tidb-secret s3: provider: aws region: us-west-1 bucket: my-bucket prefix: my-folder
以上三个示例分别使用三种授权模式将数据导出到 Amazon S3 存储上。Amazon S3 的 acl、endpoint、storageClass 配置项均可以省略。兼容 S3 的存储相关配置参考 S3 存储字段介绍。
以上示例中,.spec.br 中的一些参数项均可省略,如 logLevel、statusAddr、concurrency、rateLimit、checksum、timeAgo、sendCredToTikv。更多 .spec.br 字段的详细解释参考 BR 字段介绍。
自 v1.1.6 版本起,如果需要增量备份,只需要在 spec.br.options 中指定上一次的备份时间戳 --lastbackupts 即可。有关增量备份的限制,可参考使用 BR 进行备份与恢复。
更多 Backup CR 字段的详细解释参考 Backup CR 字段介绍。
创建好 Backup CR 后,可通过如下命令查看备份状态:
kubectl get bk -n test1 -o wide
备份示例
备份全部集群数据
---
apiVersion: pingcap.com/v1alpha1
kind: Backup
metadata:
name: demo1-backup-s3
namespace: test1
spec:
backupType: full
serviceAccount: tidb-backup-manager
br:
cluster: demo1
sendCredToTikv: false
clusterNamespace: test1
# Only needed for TiDB Operator < v1.1.10 or TiDB < v4.0.8
from:
host: ${tidb_host}
port: ${tidb_port}
user: ${tidb_user}
secretName: backup-demo1-tidb-secret
s3:
provider: aws
region: us-west-1
bucket: my-bucket
prefix: my-folder
备份单个数据库的数据
以下示例中,备份 db1 数据库的数据。
---
apiVersion: pingcap.com/v1alpha1
kind: Backup
metadata:
name: demo1-backup-s3
namespace: test1
spec:
backupType: full
serviceAccount: tidb-backup-manager
tableFilter:
- "db1.*"
br:
cluster: demo1
sendCredToTikv: false
clusterNamespace: test1
# Only needed for TiDB Operator < v1.1.10 or TiDB < v4.0.8
from:
host: ${tidb_host}
port: ${tidb_port}
user: ${tidb_user}
secretName: backup-demo1-tidb-secret
s3:
provider: aws
region: us-west-1
bucket: my-bucket
prefix: my-folder
备份单张表的数据
以下示例中,备份 db1.table1 表的数据。
---
apiVersion: pingcap.com/v1alpha1
kind: Backup
metadata:
name: demo1-backup-s3
namespace: test1
spec:
backupType: full
serviceAccount: tidb-backup-manager
tableFilter:
- "db1.table1"
br:
cluster: demo1
sendCredToTikv: false
clusterNamespace: test1
# Only needed for TiDB Operator < v1.1.10 or TiDB < v4.0.8
from:
host: ${tidb_host}
port: ${tidb_port}
user: ${tidb_user}
secretName: backup-demo1-tidb-secret
s3:
provider: aws
region: us-west-1
bucket: my-bucket
prefix: my-folder
使用表库过滤功能备份多张表的数据
以下示例中,备份 db1.table1 表 和 db1.table2 表的数据。
---
apiVersion: pingcap.com/v1alpha1
kind: Backup
metadata:
name: demo1-backup-s3
namespace: test1
spec:
backupType: full
serviceAccount: tidb-backup-manager
tableFilter:
- "db1.table1"
- "db1.table2"
# ...
br:
cluster: demo1
sendCredToTikv: false
clusterNamespace: test1
# Only needed for TiDB Operator < v1.1.10 or TiDB < v4.0.8
from:
host: ${tidb_host}
port: ${tidb_port}
user: ${tidb_user}
secretName: backup-demo1-tidb-secret
s3:
provider: aws
region: us-west-1
bucket: my-bucket
prefix: my-folder
定时全量备份
用户通过设置备份策略来对 TiDB 集群进行定时备份,同时设置备份的保留策略以避免产生过多的备份。定时全量备份通过自定义的 BackupSchedule CR 对象来描述。每到备份时间点会触发一次全量备份,定时全量备份底层通过 Ad-hoc 全量备份来实现。下面是创建定时全量备份的具体步骤:
定时全量备份环境准备
使用 BR 定时备份数据到 Amazon S3 的存储
创建
BackupScheduleCR,开启 TiDB 集群定时全量备份,通过 accessKey 和 secretKey 授权的方式备份集群:kubectl apply -f backup-scheduler-aws-s3.yamlbackup-scheduler-aws-s3.yaml文件内容如下:--- apiVersion: pingcap.com/v1alpha1 kind: BackupSchedule metadata: name: demo1-backup-schedule-s3 namespace: test1 spec: #maxBackups: 5 #pause: true maxReservedTime: "3h" schedule: "*/2 * * * *" backupTemplate: backupType: full # Clean outdated backup data based on maxBackups or maxReservedTime. If not configured, the default policy is Retain # cleanPolicy: Delete br: cluster: demo1 clusterNamespace: test1 # logLevel: info # statusAddr: ${status_addr} # concurrency: 4 # rateLimit: 0 # timeAgo: ${time} # checksum: true # sendCredToTikv: true # Only needed for TiDB Operator < v1.1.10 or TiDB < v4.0.8 from: host: ${tidb_host} port: ${tidb_port} user: ${tidb_user} secretName: backup-demo1-tidb-secret s3: provider: aws secretName: s3-secret region: us-west-1 bucket: my-bucket prefix: my-folder创建
BackupScheduleCR,开启 TiDB 集群定时全量备份,通过 IAM 绑定 Pod 授权的方式备份集群:kubectl apply -f backup-scheduler-aws-s3.yamlbackup-scheduler-aws-s3.yaml文件内容如下:--- apiVersion: pingcap.com/v1alpha1 kind: BackupSchedule metadata: name: demo1-backup-schedule-s3 namespace: test1 annotations: iam.amazonaws.com/role: arn:aws:iam::123456789012:role/user spec: #maxBackups: 5 #pause: true maxReservedTime: "3h" schedule: "*/2 * * * *" backupTemplate: backupType: full # Clean outdated backup data based on maxBackups or maxReservedTime. If not configured, the default policy is Retain # cleanPolicy: Delete br: cluster: demo1 sendCredToTikv: false clusterNamespace: test1 # logLevel: info # statusAddr: ${status_addr} # concurrency: 4 # rateLimit: 0 # timeAgo: ${time} # checksum: true # Only needed for TiDB Operator < v1.1.10 or TiDB < v4.0.8 from: host: ${tidb_host} port: ${tidb_port} user: ${tidb_user} secretName: backup-demo1-tidb-secret s3: provider: aws region: us-west-1 bucket: my-bucket prefix: my-folder创建
BackupScheduleCR,开启 TiDB 集群定时全量备份, 通过 IAM 绑定 ServiceAccount 授权的方式备份集群:kubectl apply -f backup-scheduler-aws-s3.yamlbackup-scheduler-aws-s3.yaml文件内容如下:--- apiVersion: pingcap.com/v1alpha1 kind: BackupSchedule metadata: name: demo1-backup-schedule-s3 namespace: test1 spec: #maxBackups: 5 #pause: true maxReservedTime: "3h" schedule: "*/2 * * * *" backupTemplate: backupType: full serviceAccount: tidb-backup-manager # Clean outdated backup data based on maxBackups or maxReservedTime. If not configured, the default policy is Retain # cleanPolicy: Delete br: cluster: demo1 sendCredToTikv: false clusterNamespace: test1 # logLevel: info # statusAddr: ${status_addr} # concurrency: 4 # rateLimit: 0 # timeAgo: ${time} # checksum: true # Only needed for TiDB Operator < v1.1.10 or TiDB < v4.0.8 from: host: ${tidb_host} port: ${tidb_port} user: ${tidb_user} secretName: backup-demo1-tidb-secret s3: provider: aws region: us-west-1 bucket: my-bucket prefix: my-folder
定时全量备份创建完成后,可以通过以下命令查看定时全量备份的状态:
kubectl get bks -n test1 -o wide
在进行集群恢复时,需要指定备份的路径,可以通过如下命令查看定时快照备份下面所有的备份条目,这些备份的名称以定时快照备份名称为前缀:
kubectl get bk -l tidb.pingcap.com/backup-schedule=demo1-backup-schedule-s3 -n test1
从以上示例可知,backupSchedule 的配置由两部分组成。一部分是 backupSchedule 独有的配置,另一部分是 backupTemplate。backupTemplate 指定集群及远程存储相关的配置,字段和 Backup CR 中的 spec 一样,详细介绍可参考 Backup CR 字段介绍。backupSchedule 独有的配置项具体介绍可参考 BackupSchedule CR 字段介绍。
删除备份的 Backup CR
删除备份的 Backup CR 可参考删除备份的 Backup CR。
故障诊断
在使用过程中如果遇到问题,可以参考故障诊断。