Merge lp:~hrvojem/percona-xtrabackup/rn-2.1.0-alpha1 into lp:percona-xtrabackup/2.1
- rn-2.1.0-alpha1
- Merge into 2.1
Proposed by
Hrvoje Matijakovic
Status: | Merged |
---|---|
Approved by: | Alexey Kopytov |
Approved revision: | no longer in the source branch. |
Merged at revision: | 524 |
Proposed branch: | lp:~hrvojem/percona-xtrabackup/rn-2.1.0-alpha1 |
Merge into: | lp:percona-xtrabackup/2.1 |
Diff against target: |
343 lines (+203/-7) 12 files modified
doc/source/conf.py (+2/-2) doc/source/innobackupex/encrypted_backups_innobackupex.rst (+83/-0) doc/source/innobackupex/innobackupex_option_reference.rst (+24/-0) doc/source/innobackupex/innobackupex_script.rst (+1/-0) doc/source/installation/compiling_xtrabackup.rst (+1/-1) doc/source/intro.rst (+4/-0) doc/source/manual.rst (+6/-2) doc/source/release-notes.rst (+9/-0) doc/source/release-notes/2.1/2.1.0.rst (+27/-0) doc/source/xbcrypt/xbcrypt.rst (+42/-0) doc/source/xbstream/xbstream.rst (+2/-0) innobackupex (+2/-2) |
To merge this branch: | bzr merge lp:~hrvojem/percona-xtrabackup/rn-2.1.0-alpha1 |
Related bugs: | |
Related blueprints: |
Document encrypted backups
(Undefined)
|
Reviewer | Review Type | Date Requested | Status |
---|---|---|---|
Alexey Kopytov (community) | Approve | ||
George Ormond Lorch III (community) | g2 | Needs Fixing | |
Review via email: mp+155949@code.launchpad.net |
Commit message
Description of the change
To post a comment you must log in.
Revision history for this message
George Ormond Lorch III (gl-az) wrote : | # |
As Alexey pointed out, diff line 134 is incorrect, the chunk size specification is in bytes.
Missing is the --compress-
One thing not mentioned is that encryption can not be used on streaming tar backups.
Everything else looks pretty good.
review:
Needs Fixing
(g2)
Revision history for this message
Alexey Kopytov (akopytov) : | # |
review:
Approve
Preview Diff
[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1 | === modified file 'doc/source/conf.py' |
2 | --- doc/source/conf.py 2013-03-19 15:26:59 +0000 |
3 | +++ doc/source/conf.py 2013-03-29 10:35:27 +0000 |
4 | @@ -51,9 +51,9 @@ |
5 | # built documents. |
6 | # |
7 | # The short X.Y version. |
8 | -version = '2.1' |
9 | +version = '2.1.0' |
10 | # The full version, including alpha/beta/rc tags. |
11 | -release = '2.1' |
12 | +release = '2.1.0-alpha1' |
13 | |
14 | # The language for content autogenerated by Sphinx. Refer to documentation |
15 | # for a list of supported languages. |
16 | |
17 | === added file 'doc/source/innobackupex/encrypted_backups_innobackupex.rst' |
18 | --- doc/source/innobackupex/encrypted_backups_innobackupex.rst 1970-01-01 00:00:00 +0000 |
19 | +++ doc/source/innobackupex/encrypted_backups_innobackupex.rst 2013-03-29 10:35:27 +0000 |
20 | @@ -0,0 +1,83 @@ |
21 | +.. _encrypted_backups_ibk: |
22 | + |
23 | +=================== |
24 | + Encrypted Backups |
25 | +=================== |
26 | + |
27 | +|Percona XtraBackup| has implemented support for encrypted backups. This feature was introduced in |Percona XtraBackup| 2.1. It can be used to encrypt/decrypt local or streaming backup with |xbstream| option (streaming tar backups are not supported) in order to add another layer of protection to the backups. Encryption is done with the ``libgcrypt`` library. |
28 | + |
29 | +Creating Encrypted Backups |
30 | +=========================== |
31 | + |
32 | +To make an encrypted backup following options need to be specified (options :option:`--encrypt-key` and :option:`--encrypt-key-file` are mutually exclusive, i.e. just one of them needs to be provided): |
33 | + |
34 | + * :option:`--encryption=ALGORITHM` - currently supported algorithms are: ``AES128``, ``AES192`` and ``AES256`` |
35 | + |
36 | + * :option:`--encrypt-key=ENCRYPTION_KEY` - proper length encryption key to use. It is not recommended to use this option where there is uncontrolled access to the machine as the command line and thus the key can be viewed as part of the process info. |
37 | + |
38 | + * :option:`--encrypt-key-file=KEYFILE` - the name of a file where the raw key of the appropriate length can be read from. The file must be a simple binary (or text) file that contains exactly the key to be used. |
39 | + |
40 | +Both :option:`--encrypt-key` option and :option:`--encrypt-key-file` option can be used to specify the encryption key. |
41 | + |
42 | +Using the :option:`--encrypt-key` option |
43 | +----------------------------------------- |
44 | +Example of the innobackupex command using the :option:`--encrypt-key` should look like this :: |
45 | + |
46 | + $ innobackupex --encrypt=AES256 --encrypt-key="secret_key_with_the_length_of_32" /data/backups |
47 | + |
48 | + |
49 | +Using the :option:`--encrypt-key-file` option |
50 | +---------------------------------------------- |
51 | +Example of the innobackupex command using the :option:`--encrypt-key-file` should look like this :: |
52 | + |
53 | + $ innobackupex --encrypt=AES256 --encrypt-key-file=/data/backups/keyfile /data/backups |
54 | + |
55 | +.. note:: |
56 | + |
57 | + Depending on the text editor used for making the ``KEYFILE``, text file in some cases can contain the CRLF and this will cause the key size to grow and thus making it invalid. Suggested way to do this would be to create the file with: ``echo -n "secret_key_with_the_length_of_32" > /data/backups/keyfile`` |
58 | + |
59 | + |
60 | +Both of these examples will create a timestamped directory in :file:`/data/backups` containing the encrypted backup. |
61 | + |
62 | +.. note:: |
63 | + |
64 | + You can use the :option:`innobackupex --no-timestamp` option to override this behavior and the backup will be created in the given directory. |
65 | + |
66 | +Optimizing the encryption process |
67 | +================================= |
68 | + |
69 | +Two new options have been introduced with the encrypted backups that can be used to speed up the encryption process. These are :option:`--encrypt-threads` and :option:`--encrypt-chunk-size`. By using the :option:`--encrypt-threads` option multiple threads can be specified to be used for encryption in parallel. Option :option:`--encrypt-chunk-size` can be used to specify the size (in bytes) of the working encryption buffer for each encryption thread (default is 64K). |
70 | + |
71 | +Decrypting Encrypted Backups |
72 | +============================ |
73 | + |
74 | +Backups can be decrypted with :ref:`xbcrypt`. Following one-liner can be used to encrypt the whole folder: :: |
75 | + |
76 | + $ for i in `find . -iname "*\.xbcrypt"`; do xbcrypt -d --encrypt-key-file=/root/secret_key --encrypt-algo=AES256 < $i > $(dirname $i)/$(basename $i .xbcrypt) && rm $i; done |
77 | + |
78 | +When the files have been decrypted backup can be prepared. |
79 | + |
80 | +Preparing Encrypted Backups |
81 | +============================ |
82 | + |
83 | +After the backups have been decrypted, they can be prepared the same way as the standard full backups with the :option:`--apply-logs` option: :: |
84 | + |
85 | + $ innobackupex --apply-log /data/backups/2013-03-25_10-34-04 |
86 | + |
87 | +Restoring Encrypted Backups |
88 | +============================= |
89 | + |
90 | +|innobackupex| has a :option:`--copy-back` option, which performs the restoration of a backup to the server's :term:`datadir` :: |
91 | + |
92 | + $ innobackupex --copy-back /path/to/BACKUP-DIR |
93 | + |
94 | +It will copy all the data-related files back to the server's :term:`datadir`, determined by the server's :file:`my.cnf` configuration file. You should check the last line of the output for a success message:: |
95 | + |
96 | + innobackupex: Finished copying back files. |
97 | + 130201 11:08:13 innobackupex: completed OK! |
98 | + |
99 | +Other Reading |
100 | +============= |
101 | + |
102 | +* `The Libgcrypt Reference Manual <http://www.gnupg.org/documentation/manuals/gcrypt/>`_ |
103 | + |
104 | |
105 | === modified file 'doc/source/innobackupex/innobackupex_option_reference.rst' |
106 | --- doc/source/innobackupex/innobackupex_option_reference.rst 2013-01-17 15:11:02 +0000 |
107 | +++ doc/source/innobackupex/innobackupex_option_reference.rst 2013-03-29 10:35:27 +0000 |
108 | @@ -26,6 +26,10 @@ |
109 | |
110 | This option specifies the number of worker threads that will be used for parallel compression. It is passed directly to the xtrabackup child process. See the :program:`xtrabackup` :doc:`documentation <../xtrabackup_bin/xtrabackup_binary>` for details. |
111 | |
112 | +.. option:: --compress-chunk-size |
113 | + |
114 | + This option specifies the size of the internal working buffer for each compression thread, measured in bytes. It is passed directly to the xtrabackup child process. See the :program:`xtrabackup` :doc:`documentation <../xtrabackup_bin/xtrabackup_binary>` for details. |
115 | + |
116 | .. option:: --copy-back |
117 | |
118 | Copy all the files in a previously made backup from the backup directory to their original locations. |
119 | @@ -46,6 +50,26 @@ |
120 | |
121 | This option accepts a string argument that specifies the group which should be read from the configuration file. This is needed if you use mysqld_multi. |
122 | |
123 | +.. option:: --encrypt=ENCRYPTION_ALGORITHM |
124 | + |
125 | + This option instructs xtrabackup to encrypt backup copies of InnoDB data files using the algorithm specified in the ENCRYPTION_ALGORITHM. It is passed directly to the xtrabackup child process. See the :program:`xtrabackup` :doc:`documentation <../xtrabackup_bin/xtrabackup_binary>` for more details. |
126 | + |
127 | +.. option:: --encrypt-key=ENCRYPTION_KEY |
128 | + |
129 | + This option instructs xtrabackup to use the given ENCRYPTION_KEY when using the --encrypt option. It is passed directly to the xtrabackup child process. See the :program:`xtrabackup` :doc:`documentation <../xtrabackup_bin/xtrabackup_binary>` for more details. |
130 | + |
131 | +.. option:: --encrypt-key-file=ENCRYPTION_KEY_FILE |
132 | + |
133 | + This option instructs xtrabackup to use the encryption key stored in the given ENCRYPTION_KEY_FILE when using the --encrypt option. It is passed directly to the xtrabackup child process. See the :program:`xtrabackup` :doc:`documentation <../xtrabackup_bin/xtrabackup_binary>` for more details. |
134 | + |
135 | +.. option:: --encrypt-threads |
136 | + |
137 | + This option specifies the number of worker threads that will be used for parallel encryption. It is passed directly to the xtrabackup child process. See the :program:`xtrabackup` :doc:`documentation <../xtrabackup_bin/xtrabackup_binary>` for more details. |
138 | + |
139 | +.. option:: --encrypt-chunk-size |
140 | + |
141 | + This option specifies the size of the internal working buffer for each encryption thread, measured in bytes. It is passed directly to the xtrabackup child process. See the :program:`xtrabackup` :doc:`documentation <../xtrabackup_bin/xtrabackup_binary>` for more details. |
142 | + |
143 | .. option:: --export |
144 | |
145 | This option is passed directly to :option:`xtrabackup --export` option. It enables exporting individual tables for import into another server. See the |xtrabackup| documentation for details. |
146 | |
147 | === modified file 'doc/source/innobackupex/innobackupex_script.rst' |
148 | --- doc/source/innobackupex/innobackupex_script.rst 2013-02-04 14:09:53 +0000 |
149 | +++ doc/source/innobackupex/innobackupex_script.rst 2013-03-29 10:35:27 +0000 |
150 | @@ -36,6 +36,7 @@ |
151 | incremental_backups_innobackupex |
152 | partial_backups_innobackupex |
153 | compact_backups_innobackupex |
154 | + encrypted_backups_innobackupex |
155 | |
156 | Proficiency |
157 | =========== |
158 | |
159 | === modified file 'doc/source/installation/compiling_xtrabackup.rst' |
160 | --- doc/source/installation/compiling_xtrabackup.rst 2013-01-17 15:11:02 +0000 |
161 | +++ doc/source/installation/compiling_xtrabackup.rst 2013-03-29 10:35:27 +0000 |
162 | @@ -20,7 +20,7 @@ |
163 | In Debian-based distributions, you need to: :: |
164 | |
165 | $ apt-get install debhelper autotools-dev libaio-dev wget automake \ |
166 | - libtool bison libncurses-dev libz-dev cmake bzr |
167 | + libtool bison libncurses-dev libz-dev cmake bzr libgcrypt11-dev |
168 | |
169 | In ``RPM``-based distributions, you need to: :: |
170 | |
171 | |
172 | === modified file 'doc/source/intro.rst' |
173 | --- doc/source/intro.rst 2012-11-19 02:09:59 +0000 |
174 | +++ doc/source/intro.rst 2013-03-29 10:35:27 +0000 |
175 | @@ -54,6 +54,10 @@ |
176 | +---------------------------------------+----------------------+-----------------------+ |
177 | |Streaming backups | Yes | | |
178 | +---------------------------------------+----------------------+-----------------------+ |
179 | +|Compact backups | Yes | | |
180 | ++---------------------------------------+----------------------+-----------------------+ |
181 | +|Encrypted backups | Yes | | |
182 | ++---------------------------------------+----------------------+-----------------------+ |
183 | |Parallel compression | Yes | | |
184 | +---------------------------------------+----------------------+-----------------------+ |
185 | |LRU backups | Yes | | |
186 | |
187 | === modified file 'doc/source/manual.rst' |
188 | --- doc/source/manual.rst 2012-11-19 02:09:59 +0000 |
189 | +++ doc/source/manual.rst 2013-03-29 10:35:27 +0000 |
190 | @@ -11,9 +11,10 @@ |
191 | innobackupex/innobackupex_script |
192 | xtrabackup_bin/xtrabackup_binary |
193 | xbstream/xbstream |
194 | + xbcrypt/xbcrypt |
195 | how_xtrabackup_works |
196 | |
197 | -|XtraBackup| is really a set of three tools: |
198 | +|XtraBackup| is a set of following tools: |
199 | |
200 | :doc:`innobackupex <innobackupex/innobackupex_script>` |
201 | a wrapper script that provides functionality to backup a whole |MySQL| database instance with :term:`MyISAM`, :term:`InnoDB`, and :term:`XtraDB` tables. |
202 | @@ -21,7 +22,10 @@ |
203 | :doc:`xtrabackup <xtrabackup_bin/xtrabackup_binary>` |
204 | a compiled *C* binary, which copies only :term:`InnoDB` and :term:`XtraDB` data |
205 | |
206 | +:doc:`xbcrypt <xbcrypt/xbcrypt>` |
207 | + utility used for encrypting and decrypting backup files. |
208 | + |
209 | :doc:`xbstream <xbstream/xbstream>` |
210 | - new utility that allows streaming and extracting files to/from the :term:`xbstream` format. |
211 | + utility that allows streaming and extracting files to/from the :term:`xbstream` format. |
212 | |
213 | It is possible to use the |xtrabackup| binary alone, however, the recommend way is using it through the |innobackupex| wrapper script and let it execute |xtrabackup| for you. It might be helpful to first learn :doc:`how to use innobackupex <innobackupex/innobackupex_script>`, and then learn :doc:`how to use xtrabackup <xtrabackup_bin/xtrabackup_binary>` for having a better low-level understanding or control of the tool if needed. |
214 | |
215 | === modified file 'doc/source/release-notes.rst' |
216 | --- doc/source/release-notes.rst 2012-11-19 02:09:59 +0000 |
217 | +++ doc/source/release-notes.rst 2013-03-29 10:35:27 +0000 |
218 | @@ -31,3 +31,12 @@ |
219 | |
220 | release-notes/2.0/* |
221 | |
222 | +Percona |XtraBackup| 2.1 |
223 | +========================= |
224 | + |
225 | +.. toctree:: |
226 | + :maxdepth: 1 |
227 | + :glob: |
228 | + |
229 | + release-notes/2.1/* |
230 | + |
231 | |
232 | === added directory 'doc/source/release-notes/2.1' |
233 | === added file 'doc/source/release-notes/2.1/2.1.0.rst' |
234 | --- doc/source/release-notes/2.1/2.1.0.rst 1970-01-01 00:00:00 +0000 |
235 | +++ doc/source/release-notes/2.1/2.1.0.rst 2013-03-29 10:35:27 +0000 |
236 | @@ -0,0 +1,27 @@ |
237 | +======================================= |
238 | +|Percona XtraBackup| 2.1.0-alpha1 |
239 | +======================================= |
240 | + |
241 | +Percona is glad to announce the release of |Percona XtraBackup| 2.1.0-alpha1 on April 2nd 2013. Downloads are available from our download site `here <http://www.percona.com/downloads/XtraBackup/2.1.0/>`_. For this ALPHA release, we will not be making APT and YUM repositories available, just base deb and RPM packages |
242 | + |
243 | +This is an *ALPHA* quality release and is not intended for production. If you want a high quality, Generally Available release, the current Stable version should be used (currently 2.0.6 in the 2.0 series at the time of writing). |
244 | + |
245 | +This release contains all of the features and bug fixes in :doc:`Percona XtraBackup 2.0.6 </release-notes/2.0/2.0.6>`, plus the following: |
246 | + |
247 | +New features |
248 | +------------ |
249 | + |
250 | + |Percona Xtrabackup| now has support for :ref:`compact_backups_ibk`. This feature can be used for taking the backups that will take less amount of disk space. |
251 | + |
252 | + |Percona XtraBackup| has implemented :ref:`encrypted_backups_ibk`. This feature can be used to encrypt/decrypt both local and streamed backups in order to add another layer of protection to the backups. |
253 | + |
254 | + |innobackupex| now uses Perl's ``DBD::MySQL`` package for server communication instead of spawning the mysql command line client. |
255 | + |
256 | + Support for |InnoDB| 5.0 and |InnoDB| 5.1 builtin has been removed from |Percona XtraBackup|. |
257 | + |
258 | + After being deprecated in previous version, option :option:`--remote-host` has been completely removed in |Percona XtraBackup| 2.1. |
259 | + |
260 | +Bugs Fixed |
261 | +---------- |
262 | + |
263 | + |innobackupex| now supports empty arguments in the :option:`--password` option. Bug fixed :bug:`1032667` (*Andrew Gaul*). |
264 | |
265 | === added directory 'doc/source/xbcrypt' |
266 | === added file 'doc/source/xbcrypt/xbcrypt.rst' |
267 | --- doc/source/xbcrypt/xbcrypt.rst 1970-01-01 00:00:00 +0000 |
268 | +++ doc/source/xbcrypt/xbcrypt.rst 2013-03-29 10:35:27 +0000 |
269 | @@ -0,0 +1,42 @@ |
270 | +.. _xbcrypt: |
271 | + |
272 | +====================== |
273 | + The xbcrypt binary |
274 | +====================== |
275 | + |
276 | +To support encryption and decryption of the backups, a new tool ``xbcrypt`` was introduced to XtraBackup. |
277 | + |
278 | +This utility has been modeled after :ref:`xbstream_binary` to perform encryption and decryption outside of |XtraBackup|. Xbcrypt has following command line options: |
279 | + |
280 | +.. option:: -d, --decrypt |
281 | + |
282 | + Decrypt data input to output. |
283 | + |
284 | +.. option:: -i, --input=name |
285 | + |
286 | + Optional input file. If not specified, input will be read from standard input. |
287 | + |
288 | +.. option:: -o, --output=name |
289 | + |
290 | + Optional output file. If not specified, output will be written to standard output. |
291 | + |
292 | +.. option:: -a, --encrypt-algo=name |
293 | + |
294 | + Encryption algorithm. |
295 | + |
296 | +.. option:: -k, --encrypt-key=name |
297 | + |
298 | + Encryption key. |
299 | + |
300 | +.. option:: -f, --encrypt-key-file=name |
301 | + |
302 | + File which contains encryption key. |
303 | + |
304 | +.. option:: -s, --encrypt-chunk-size=# |
305 | + |
306 | + Size of working buffer for encryption in bytes. The default value is 64K. |
307 | + |
308 | +.. option:: -v, --verbose |
309 | + |
310 | + Display verbose status output. |
311 | + |
312 | |
313 | === modified file 'doc/source/xbstream/xbstream.rst' |
314 | --- doc/source/xbstream/xbstream.rst 2012-04-21 07:12:28 +0000 |
315 | +++ doc/source/xbstream/xbstream.rst 2013-03-29 10:35:27 +0000 |
316 | @@ -1,3 +1,5 @@ |
317 | +.. _xbstream_binary: |
318 | + |
319 | ====================== |
320 | The xbstream Binary |
321 | ====================== |
322 | |
323 | === modified file 'innobackupex' |
324 | --- innobackupex 2013-03-19 15:06:52 +0000 |
325 | +++ innobackupex 2013-03-29 10:35:27 +0000 |
326 | @@ -2823,7 +2823,7 @@ |
327 | =item --compress-chunk-size |
328 | |
329 | This option specifies the size of the internal working buffer for each |
330 | -compression thread, measured in kilobytes. It is passed directly to the |
331 | +compression thread, measured in bytes. It is passed directly to the |
332 | xtrabackup child process. Try 'xtrabackup --help' for more details. |
333 | |
334 | =item --copy-back |
335 | @@ -2870,7 +2870,7 @@ |
336 | =item --encrypt-chunk-size |
337 | |
338 | This option specifies the size of the internal working buffer for each |
339 | -encryption thread, measured in kilobytes. It is passed directly to the |
340 | +encryption thread, measured in bytes. It is passed directly to the |
341 | xtrabackup child process. Try 'xtrabackup --help' for more details. |
342 | |
343 | =item --export |
A couple of comments:
- the note about possible CRLF is present twice. Is that intentional? chunk-size is not measured in kilobytes
- the argument to --encrypt-
(as originally implemented). It must be specified in bytes now, but
accepts unit suffixes (i.e. 'K', 'M' or 'G' to indicate kilobytes,
megabytes and gigabytes, respectively)
I'd also like George to review the encryption docs (technical content and possible grammar?). Adding him to reviewers.