Percona XtraBackup moved to https://jira.percona.com/projects/PXB

Merge lp:~hrvojem/percona-xtrabackup/rn-2.1.0-alpha1 into lp:percona-xtrabackup/2.1

  1. rn-2.1.0-alpha1
  2. Merge into 2.1
Proposed by Hrvoje Matijakovic
Status: Merged
Approved by: Alexey Kopytov
Approved revision: no longer in the source branch.
Merged at revision: 524
Proposed branch: lp:~hrvojem/percona-xtrabackup/rn-2.1.0-alpha1
Merge into: lp:percona-xtrabackup/2.1
Diff against target: 343 lines (+203/-7)
12 files modified
doc/source/conf.py (+2/-2)
doc/source/innobackupex/encrypted_backups_innobackupex.rst (+83/-0)
doc/source/innobackupex/innobackupex_option_reference.rst (+24/-0)
doc/source/innobackupex/innobackupex_script.rst (+1/-0)
doc/source/installation/compiling_xtrabackup.rst (+1/-1)
doc/source/intro.rst (+4/-0)
doc/source/manual.rst (+6/-2)
doc/source/release-notes.rst (+9/-0)
doc/source/release-notes/2.1/2.1.0.rst (+27/-0)
doc/source/xbcrypt/xbcrypt.rst (+42/-0)
doc/source/xbstream/xbstream.rst (+2/-0)
innobackupex (+2/-2)
To merge this branch: bzr merge lp:~hrvojem/percona-xtrabackup/rn-2.1.0-alpha1
Reviewer Review Type Date Requested Status
Alexey Kopytov (community) Approve
George Ormond Lorch III (community) g2 Needs Fixing
Review via email: mp+155949@code.launchpad.net
To post a comment you must log in.
Revision history for this message
Alexey Kopytov (akopytov) wrote :

A couple of comments:

   - the note about possible CRLF is present twice. Is that intentional?
   - the argument to --encrypt-chunk-size is not measured in kilobytes
     (as originally implemented). It must be specified in bytes now, but
     accepts unit suffixes (i.e. 'K', 'M' or 'G' to indicate kilobytes,
     megabytes and gigabytes, respectively)

I'd also like George to review the encryption docs (technical content and possible grammar?). Adding him to reviewers.

review: Needs Fixing
Revision history for this message
George Ormond Lorch III (gl-az) wrote :

As Alexey pointed out, diff line 134 is incorrect, the chunk size specification is in bytes.

Missing is the --compress-chunk-size option that was added as well which performs exactly like --encrypt-chunk-size but for the compression stage.

One thing not mentioned is that encryption can not be used on streaming tar backups.

Everything else looks pretty good.

review: Needs Fixing (g2)
Revision history for this message
Alexey Kopytov (akopytov) :
review: Approve

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1=== modified file 'doc/source/conf.py'
2--- doc/source/conf.py 2013-03-19 15:26:59 +0000
3+++ doc/source/conf.py 2013-03-29 10:35:27 +0000
4@@ -51,9 +51,9 @@
5 # built documents.
6 #
7 # The short X.Y version.
8-version = '2.1'
9+version = '2.1.0'
10 # The full version, including alpha/beta/rc tags.
11-release = '2.1'
12+release = '2.1.0-alpha1'
13
14 # The language for content autogenerated by Sphinx. Refer to documentation
15 # for a list of supported languages.
16
17=== added file 'doc/source/innobackupex/encrypted_backups_innobackupex.rst'
18--- doc/source/innobackupex/encrypted_backups_innobackupex.rst 1970-01-01 00:00:00 +0000
19+++ doc/source/innobackupex/encrypted_backups_innobackupex.rst 2013-03-29 10:35:27 +0000
20@@ -0,0 +1,83 @@
21+.. _encrypted_backups_ibk:
22+
23+===================
24+ Encrypted Backups
25+===================
26+
27+|Percona XtraBackup| has implemented support for encrypted backups. This feature was introduced in |Percona XtraBackup| 2.1. It can be used to encrypt/decrypt local or streaming backup with |xbstream| option (streaming tar backups are not supported) in order to add another layer of protection to the backups. Encryption is done with the ``libgcrypt`` library.
28+
29+Creating Encrypted Backups
30+===========================
31+
32+To make an encrypted backup following options need to be specified (options :option:`--encrypt-key` and :option:`--encrypt-key-file` are mutually exclusive, i.e. just one of them needs to be provided):
33+
34+ * :option:`--encryption=ALGORITHM` - currently supported algorithms are: ``AES128``, ``AES192`` and ``AES256``
35+
36+ * :option:`--encrypt-key=ENCRYPTION_KEY` - proper length encryption key to use. It is not recommended to use this option where there is uncontrolled access to the machine as the command line and thus the key can be viewed as part of the process info.
37+
38+ * :option:`--encrypt-key-file=KEYFILE` - the name of a file where the raw key of the appropriate length can be read from. The file must be a simple binary (or text) file that contains exactly the key to be used.
39+
40+Both :option:`--encrypt-key` option and :option:`--encrypt-key-file` option can be used to specify the encryption key.
41+
42+Using the :option:`--encrypt-key` option
43+-----------------------------------------
44+Example of the innobackupex command using the :option:`--encrypt-key` should look like this ::
45+
46+ $ innobackupex --encrypt=AES256 --encrypt-key="secret_key_with_the_length_of_32" /data/backups
47+
48+
49+Using the :option:`--encrypt-key-file` option
50+----------------------------------------------
51+Example of the innobackupex command using the :option:`--encrypt-key-file` should look like this ::
52+
53+ $ innobackupex --encrypt=AES256 --encrypt-key-file=/data/backups/keyfile /data/backups
54+
55+.. note::
56+
57+ Depending on the text editor used for making the ``KEYFILE``, text file in some cases can contain the CRLF and this will cause the key size to grow and thus making it invalid. Suggested way to do this would be to create the file with: ``echo -n "secret_key_with_the_length_of_32" > /data/backups/keyfile``
58+
59+
60+Both of these examples will create a timestamped directory in :file:`/data/backups` containing the encrypted backup.
61+
62+.. note::
63+
64+ You can use the :option:`innobackupex --no-timestamp` option to override this behavior and the backup will be created in the given directory.
65+
66+Optimizing the encryption process
67+=================================
68+
69+Two new options have been introduced with the encrypted backups that can be used to speed up the encryption process. These are :option:`--encrypt-threads` and :option:`--encrypt-chunk-size`. By using the :option:`--encrypt-threads` option multiple threads can be specified to be used for encryption in parallel. Option :option:`--encrypt-chunk-size` can be used to specify the size (in bytes) of the working encryption buffer for each encryption thread (default is 64K).
70+
71+Decrypting Encrypted Backups
72+============================
73+
74+Backups can be decrypted with :ref:`xbcrypt`. Following one-liner can be used to encrypt the whole folder: ::
75+
76+ $ for i in `find . -iname "*\.xbcrypt"`; do xbcrypt -d --encrypt-key-file=/root/secret_key --encrypt-algo=AES256 < $i > $(dirname $i)/$(basename $i .xbcrypt) && rm $i; done
77+
78+When the files have been decrypted backup can be prepared.
79+
80+Preparing Encrypted Backups
81+============================
82+
83+After the backups have been decrypted, they can be prepared the same way as the standard full backups with the :option:`--apply-logs` option: ::
84+
85+ $ innobackupex --apply-log /data/backups/2013-03-25_10-34-04
86+
87+Restoring Encrypted Backups
88+=============================
89+
90+|innobackupex| has a :option:`--copy-back` option, which performs the restoration of a backup to the server's :term:`datadir` ::
91+
92+ $ innobackupex --copy-back /path/to/BACKUP-DIR
93+
94+It will copy all the data-related files back to the server's :term:`datadir`, determined by the server's :file:`my.cnf` configuration file. You should check the last line of the output for a success message::
95+
96+ innobackupex: Finished copying back files.
97+ 130201 11:08:13 innobackupex: completed OK!
98+
99+Other Reading
100+=============
101+
102+* `The Libgcrypt Reference Manual <http://www.gnupg.org/documentation/manuals/gcrypt/>`_
103+
104
105=== modified file 'doc/source/innobackupex/innobackupex_option_reference.rst'
106--- doc/source/innobackupex/innobackupex_option_reference.rst 2013-01-17 15:11:02 +0000
107+++ doc/source/innobackupex/innobackupex_option_reference.rst 2013-03-29 10:35:27 +0000
108@@ -26,6 +26,10 @@
109
110 This option specifies the number of worker threads that will be used for parallel compression. It is passed directly to the xtrabackup child process. See the :program:`xtrabackup` :doc:`documentation <../xtrabackup_bin/xtrabackup_binary>` for details.
111
112+.. option:: --compress-chunk-size
113+
114+ This option specifies the size of the internal working buffer for each compression thread, measured in bytes. It is passed directly to the xtrabackup child process. See the :program:`xtrabackup` :doc:`documentation <../xtrabackup_bin/xtrabackup_binary>` for details.
115+
116 .. option:: --copy-back
117
118 Copy all the files in a previously made backup from the backup directory to their original locations.
119@@ -46,6 +50,26 @@
120
121 This option accepts a string argument that specifies the group which should be read from the configuration file. This is needed if you use mysqld_multi.
122
123+.. option:: --encrypt=ENCRYPTION_ALGORITHM
124+
125+ This option instructs xtrabackup to encrypt backup copies of InnoDB data files using the algorithm specified in the ENCRYPTION_ALGORITHM. It is passed directly to the xtrabackup child process. See the :program:`xtrabackup` :doc:`documentation <../xtrabackup_bin/xtrabackup_binary>` for more details.
126+
127+.. option:: --encrypt-key=ENCRYPTION_KEY
128+
129+ This option instructs xtrabackup to use the given ENCRYPTION_KEY when using the --encrypt option. It is passed directly to the xtrabackup child process. See the :program:`xtrabackup` :doc:`documentation <../xtrabackup_bin/xtrabackup_binary>` for more details.
130+
131+.. option:: --encrypt-key-file=ENCRYPTION_KEY_FILE
132+
133+ This option instructs xtrabackup to use the encryption key stored in the given ENCRYPTION_KEY_FILE when using the --encrypt option. It is passed directly to the xtrabackup child process. See the :program:`xtrabackup` :doc:`documentation <../xtrabackup_bin/xtrabackup_binary>` for more details.
134+
135+.. option:: --encrypt-threads
136+
137+ This option specifies the number of worker threads that will be used for parallel encryption. It is passed directly to the xtrabackup child process. See the :program:`xtrabackup` :doc:`documentation <../xtrabackup_bin/xtrabackup_binary>` for more details.
138+
139+.. option:: --encrypt-chunk-size
140+
141+ This option specifies the size of the internal working buffer for each encryption thread, measured in bytes. It is passed directly to the xtrabackup child process. See the :program:`xtrabackup` :doc:`documentation <../xtrabackup_bin/xtrabackup_binary>` for more details.
142+
143 .. option:: --export
144
145 This option is passed directly to :option:`xtrabackup --export` option. It enables exporting individual tables for import into another server. See the |xtrabackup| documentation for details.
146
147=== modified file 'doc/source/innobackupex/innobackupex_script.rst'
148--- doc/source/innobackupex/innobackupex_script.rst 2013-02-04 14:09:53 +0000
149+++ doc/source/innobackupex/innobackupex_script.rst 2013-03-29 10:35:27 +0000
150@@ -36,6 +36,7 @@
151 incremental_backups_innobackupex
152 partial_backups_innobackupex
153 compact_backups_innobackupex
154+ encrypted_backups_innobackupex
155
156 Proficiency
157 ===========
158
159=== modified file 'doc/source/installation/compiling_xtrabackup.rst'
160--- doc/source/installation/compiling_xtrabackup.rst 2013-01-17 15:11:02 +0000
161+++ doc/source/installation/compiling_xtrabackup.rst 2013-03-29 10:35:27 +0000
162@@ -20,7 +20,7 @@
163 In Debian-based distributions, you need to: ::
164
165 $ apt-get install debhelper autotools-dev libaio-dev wget automake \
166- libtool bison libncurses-dev libz-dev cmake bzr
167+ libtool bison libncurses-dev libz-dev cmake bzr libgcrypt11-dev
168
169 In ``RPM``-based distributions, you need to: ::
170
171
172=== modified file 'doc/source/intro.rst'
173--- doc/source/intro.rst 2012-11-19 02:09:59 +0000
174+++ doc/source/intro.rst 2013-03-29 10:35:27 +0000
175@@ -54,6 +54,10 @@
176 +---------------------------------------+----------------------+-----------------------+
177 |Streaming backups | Yes | |
178 +---------------------------------------+----------------------+-----------------------+
179+|Compact backups | Yes | |
180++---------------------------------------+----------------------+-----------------------+
181+|Encrypted backups | Yes | |
182++---------------------------------------+----------------------+-----------------------+
183 |Parallel compression | Yes | |
184 +---------------------------------------+----------------------+-----------------------+
185 |LRU backups | Yes | |
186
187=== modified file 'doc/source/manual.rst'
188--- doc/source/manual.rst 2012-11-19 02:09:59 +0000
189+++ doc/source/manual.rst 2013-03-29 10:35:27 +0000
190@@ -11,9 +11,10 @@
191 innobackupex/innobackupex_script
192 xtrabackup_bin/xtrabackup_binary
193 xbstream/xbstream
194+ xbcrypt/xbcrypt
195 how_xtrabackup_works
196
197-|XtraBackup| is really a set of three tools:
198+|XtraBackup| is a set of following tools:
199
200 :doc:`innobackupex <innobackupex/innobackupex_script>`
201 a wrapper script that provides functionality to backup a whole |MySQL| database instance with :term:`MyISAM`, :term:`InnoDB`, and :term:`XtraDB` tables.
202@@ -21,7 +22,10 @@
203 :doc:`xtrabackup <xtrabackup_bin/xtrabackup_binary>`
204 a compiled *C* binary, which copies only :term:`InnoDB` and :term:`XtraDB` data
205
206+:doc:`xbcrypt <xbcrypt/xbcrypt>`
207+ utility used for encrypting and decrypting backup files.
208+
209 :doc:`xbstream <xbstream/xbstream>`
210- new utility that allows streaming and extracting files to/from the :term:`xbstream` format.
211+ utility that allows streaming and extracting files to/from the :term:`xbstream` format.
212
213 It is possible to use the |xtrabackup| binary alone, however, the recommend way is using it through the |innobackupex| wrapper script and let it execute |xtrabackup| for you. It might be helpful to first learn :doc:`how to use innobackupex <innobackupex/innobackupex_script>`, and then learn :doc:`how to use xtrabackup <xtrabackup_bin/xtrabackup_binary>` for having a better low-level understanding or control of the tool if needed.
214
215=== modified file 'doc/source/release-notes.rst'
216--- doc/source/release-notes.rst 2012-11-19 02:09:59 +0000
217+++ doc/source/release-notes.rst 2013-03-29 10:35:27 +0000
218@@ -31,3 +31,12 @@
219
220 release-notes/2.0/*
221
222+Percona |XtraBackup| 2.1
223+=========================
224+
225+.. toctree::
226+ :maxdepth: 1
227+ :glob:
228+
229+ release-notes/2.1/*
230+
231
232=== added directory 'doc/source/release-notes/2.1'
233=== added file 'doc/source/release-notes/2.1/2.1.0.rst'
234--- doc/source/release-notes/2.1/2.1.0.rst 1970-01-01 00:00:00 +0000
235+++ doc/source/release-notes/2.1/2.1.0.rst 2013-03-29 10:35:27 +0000
236@@ -0,0 +1,27 @@
237+=======================================
238+|Percona XtraBackup| 2.1.0-alpha1
239+=======================================
240+
241+Percona is glad to announce the release of |Percona XtraBackup| 2.1.0-alpha1 on April 2nd 2013. Downloads are available from our download site `here <http://www.percona.com/downloads/XtraBackup/2.1.0/>`_. For this ALPHA release, we will not be making APT and YUM repositories available, just base deb and RPM packages
242+
243+This is an *ALPHA* quality release and is not intended for production. If you want a high quality, Generally Available release, the current Stable version should be used (currently 2.0.6 in the 2.0 series at the time of writing).
244+
245+This release contains all of the features and bug fixes in :doc:`Percona XtraBackup 2.0.6 </release-notes/2.0/2.0.6>`, plus the following:
246+
247+New features
248+------------
249+
250+ |Percona Xtrabackup| now has support for :ref:`compact_backups_ibk`. This feature can be used for taking the backups that will take less amount of disk space.
251+
252+ |Percona XtraBackup| has implemented :ref:`encrypted_backups_ibk`. This feature can be used to encrypt/decrypt both local and streamed backups in order to add another layer of protection to the backups.
253+
254+ |innobackupex| now uses Perl's ``DBD::MySQL`` package for server communication instead of spawning the mysql command line client.
255+
256+ Support for |InnoDB| 5.0 and |InnoDB| 5.1 builtin has been removed from |Percona XtraBackup|.
257+
258+ After being deprecated in previous version, option :option:`--remote-host` has been completely removed in |Percona XtraBackup| 2.1.
259+
260+Bugs Fixed
261+----------
262+
263+ |innobackupex| now supports empty arguments in the :option:`--password` option. Bug fixed :bug:`1032667` (*Andrew Gaul*).
264
265=== added directory 'doc/source/xbcrypt'
266=== added file 'doc/source/xbcrypt/xbcrypt.rst'
267--- doc/source/xbcrypt/xbcrypt.rst 1970-01-01 00:00:00 +0000
268+++ doc/source/xbcrypt/xbcrypt.rst 2013-03-29 10:35:27 +0000
269@@ -0,0 +1,42 @@
270+.. _xbcrypt:
271+
272+======================
273+ The xbcrypt binary
274+======================
275+
276+To support encryption and decryption of the backups, a new tool ``xbcrypt`` was introduced to XtraBackup.
277+
278+This utility has been modeled after :ref:`xbstream_binary` to perform encryption and decryption outside of |XtraBackup|. Xbcrypt has following command line options:
279+
280+.. option:: -d, --decrypt
281+
282+ Decrypt data input to output.
283+
284+.. option:: -i, --input=name
285+
286+ Optional input file. If not specified, input will be read from standard input.
287+
288+.. option:: -o, --output=name
289+
290+ Optional output file. If not specified, output will be written to standard output.
291+
292+.. option:: -a, --encrypt-algo=name
293+
294+ Encryption algorithm.
295+
296+.. option:: -k, --encrypt-key=name
297+
298+ Encryption key.
299+
300+.. option:: -f, --encrypt-key-file=name
301+
302+ File which contains encryption key.
303+
304+.. option:: -s, --encrypt-chunk-size=#
305+
306+ Size of working buffer for encryption in bytes. The default value is 64K.
307+
308+.. option:: -v, --verbose
309+
310+ Display verbose status output.
311+
312
313=== modified file 'doc/source/xbstream/xbstream.rst'
314--- doc/source/xbstream/xbstream.rst 2012-04-21 07:12:28 +0000
315+++ doc/source/xbstream/xbstream.rst 2013-03-29 10:35:27 +0000
316@@ -1,3 +1,5 @@
317+.. _xbstream_binary:
318+
319 ======================
320 The xbstream Binary
321 ======================
322
323=== modified file 'innobackupex'
324--- innobackupex 2013-03-19 15:06:52 +0000
325+++ innobackupex 2013-03-29 10:35:27 +0000
326@@ -2823,7 +2823,7 @@
327 =item --compress-chunk-size
328
329 This option specifies the size of the internal working buffer for each
330-compression thread, measured in kilobytes. It is passed directly to the
331+compression thread, measured in bytes. It is passed directly to the
332 xtrabackup child process. Try 'xtrabackup --help' for more details.
333
334 =item --copy-back
335@@ -2870,7 +2870,7 @@
336 =item --encrypt-chunk-size
337
338 This option specifies the size of the internal working buffer for each
339-encryption thread, measured in kilobytes. It is passed directly to the
340+encryption thread, measured in bytes. It is passed directly to the
341 xtrabackup child process. Try 'xtrabackup --help' for more details.
342
343 =item --export

Subscribers

People subscribed via source and target branches