nomad/website/content/docs/commands/operator/snapshot/save.mdx
Tim Gross a7f2cb879e command line tools for redacting keyring from snapshots (#24023)
In #23977 we moved the keyring into Raft, which can expose key material in Raft
snapshots when using the less-secure AEAD keyring instead of KMS. This changeset
adds tools for redacting this material from snapshots:

* The `operator snapshot state` command gains the ability to display key
  metadata (only), which respects the `-filter` option.
* The `operator snapshot save` command gains a `-redact` option that removes key
  material from the snapshot after it's downloaded.
* A new `operator snapshot redact` command allows removing key material from an
  existing snapshot.
2024-09-20 15:30:14 -04:00


---
layout: docs
page_title: 'Commands: operator snapshot save'
description: |
  Saves a snapshot of Nomad server state
---
# Command: operator snapshot save

The `operator snapshot save` command retrieves an atomic, point-in-time
snapshot of the state of the Nomad servers, which includes jobs, nodes,
allocations, periodic jobs, and ACLs for [outage recovery].

If you enabled ACLs, you must supply a management token in order to perform
snapshot operations.

<Warning>

This command includes Nomad's keyring in the snapshot. If you are not using a
[KMS provider][] to secure the keyring, you should use the `-redact` flag to
remove key material before transmitting the snapshot to HashiCorp Support.

Snapshots made before Nomad 1.9.0 will not include the keyrings. If you use
older snapshots to recover a cluster, you also need to restore the keyring onto
at least one server. Refer to the [Restoring the Keyring from
Backup][restore the keyring] section of the Key Management documentation for
instructions.

</Warning>

Run the `nomad operator snapshot save` command to create a snapshot from the
leader server.

This example saves the backup to `backup.snap`.

```shell-session
$ nomad operator snapshot save backup.snap
```
This example creates a potentially stale snapshot from any available server
and saves it to `backup.snap`. The `-stale` option is useful if no
leader is available.
```shell-session
$ nomad operator snapshot save -stale backup.snap
```
## Usage
```plaintext
nomad operator snapshot save [options] <file>
```
## General Options
@include 'general_options_no_namespace.mdx'
## Snapshot Save Options
- `-redact`: The redact option will locally edit the snapshot to remove any
  cleartext key material from the root keyring. Only the AEAD keyring provider
  has cleartext key material in Raft. Note that this operation requires loading
  the snapshot into memory locally.

- `-stale`: The stale option defaults to `false`, which means the leader
  provides the result. If the cluster is in an outage state without a leader,
  you may need to set `-stale` to `true` to get the configuration from a
  non-leader server.

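
The following is an added example, not part of the Nomad documentation: a POSIX shell wrapper for the support hand-off described in the warning and in the `-redact` option above. The function name `save_redacted_snapshot` and its optional `stale` argument are hypothetical; since redaction is a local edit made after the download, the wrapper keeps the file owner-only and removes it if the save fails.

```shell
# Added example, not part of the Nomad docs. Uses only the flags documented
# on this page (-redact, -stale). The function name and its optional "stale"
# argument are hypothetical. Usage: save_redacted_snapshot backup.snap [stale]
save_redacted_snapshot() {
    out=${1:-}
    mode=${2:-}
    if [ -z "$out" ]; then
        echo "usage: save_redacted_snapshot <file> [stale]" >&2
        return 2
    fi
    # Refuse to overwrite: if the save failed, an older unredacted snapshot
    # left at this path could be mistaken for the redacted one.
    if [ -e "$out" ]; then
        echo "refusing to overwrite existing file: $out" >&2
        return 1
    fi
    # Redaction happens locally after the download, so create files with
    # owner-only permissions. The subshell keeps the umask from leaking.
    (
        umask 077
        if [ "$mode" = "stale" ]; then
            nomad operator snapshot save -redact -stale "$out"
        else
            nomad operator snapshot save -redact "$out"
        fi
    ) || {
        rm -f "$out"   # do not leave a partial, possibly unredacted file
        echo "snapshot save failed" >&2
        return 1
    }
    # A missing or empty file means nothing usable was written.
    if [ ! -s "$out" ]; then
        rm -f "$out"
        echo "snapshot file missing or empty: $out" >&2
        return 1
    fi
    chmod 600 "$out"
}
```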
[outage recovery]: /nomad/tutorials/manage-clusters/outage-recovery
[restore the keyring]: /nomad/docs/operations/key-management#restoring-the-keyring-from-backup
[KMS provider]: /nomad/docs/configuration/keyring