Backups and disaster recovery
Estimated reading time: 4 minutesWhen you decide to start using Docker Trusted Registry on a production setting, you should configure it for high availability.
The next step is creating a backup policy and disaster recovery plan.
DTR data persistency
Docker Trusted Registry persists:
- Configurations: the cluster configurations are stored on a key-value store that is replicated through all DTR replicas.
- Repository metadata: the information about the repositories and images deployed. This information is replicated through all DTR replicas.
- Certificates and keys: the certificates, public keys, and private keys that are used for mutual TLS communication.
This data is persisted on the host where DTR is running, using named volumes. Learn more about DTR named volumes.
DTR also persists Docker images on the filesystem of the host running DTR, or on a cloud provider, depending on the way DTR is configured.
Backup DTR data
To perform a backup of a DTR node, use the docker/dtr backup command. This
command creates a backup of DTR:
- Configurations,
- Repository metadata,
- Certificates and keys used by DTR.
These files are added to a tar archive, and the result is streamed to stdout.
The backup command does not create a backup of Docker images. You should implement a separate backup policy for the Docker images, taking in consideration whether your DTR installation is configured to store images on the filesystem or using a cloud provider.
The backup command also doesn’t create a backup of the users and organizations. That data is managed by UCP, so when you create a UCP backup you’re creating a backup of the users and organizations metadata.
When creating a backup, the resulting .tar file contains sensitive information like private keys. You should ensure the backups are stored securely.
You can check the reference documentation, for the backup command to learn about all the available flags.
As an example, to create a backup of a DTR node, you can use:
# Get the certificates used by UCP
$ curl https://<ucp-url>/ca > ucp-ca.pem
# Create the backup
$ docker run -i --rm docker/dtr backup \
--ucp-url <ucp-url> \
--ucp-ca "$(cat ucp-ca.pem)" \
--existing-replica-id <replica-id> \
--ucp-username <ucp-admin> \
--ucp-password <ucp-password> > /var/tmp/backup.tar
Where:
--ucp-urlis the address of UCP,--ucp-cais the UCP certificate authority,--existing-replica-idis the id of the replica to backup,--ucp-username, and--ucp-passwordare the credentials of a UCP administrator.
To validate that the backup was correctly performed, you can print the contents of the tar file created:
$ tar -tf /tmp/backup.tar
Restore DTR data
This command performs a fresh installation of DTR, and reconfigures it with
the configuration created during a backup.
When restoring, make sure you use the same version of the docker/dtr image that you’ve used to create the backup.
The command starts by installing DTR, restores the configurations stored on
etcd, and then restores the repository metadata stored on RethinkDB. You
can use the --config-only option, to only restore the configurations stored
on etcd.
This command does not restore Docker images. You should implement a separate restore procedure for the Docker images stored in your registry, taking in consideration whether your DTR installation is configured to store images on the filesystem or using a cloud provider.
You can check the reference documentation, for the restore command to learn about all the available flags.
As an example, to install DTR on the host and restore its state from an existing backup:
# Get the certificates used by UCP
$ curl https://<ucp-url>/ca > ucp-ca.pem
# Install and restore configurations from an existing backup
$ docker run -i --rm \
docker/dtr restore \
--ucp-url <ucp-url> \
--ucp-ca "$(cat ucp-ca.pem)" \
--ucp-username <ucp-admin> \
--ucp-password <ucp-password> \
--dtr-external-url <dtr-domain-name> < /var/tmp/backup.tar
Where:
--ucp-urlis the address of UCP,--ucp-cais the UCP certificate authority,--ucp-username, and--ucp-passwordare the credentials of a UCP administrator,--dtr-external-urlis the domain name or ip where DTR can be reached.