backupccl: prevent restoring a newer backup #61737
Conversation
|
This change is |
dt
force-pushed
the
restore-version-check
branch
from
1e051d5 to
d8e5802
Compare
|
I have a couple of questions (and want to make sure that my understanding of what we do in these scenarios is sane):
I think this is a good indication that we may actually need to store the cluster version to do this check? And I think it would be good to start persisting that in 21.1 before it sets sail. |
|
re:1) ah, yeah, good point, I should just be comparing Major. Done.
|
|
Thank you for updating your pull request. My owl senses detect your PR is good for review. Please keep an eye out for any test failures in CI. 🦉 Hoot! I am a Blathers, a bot for CockroachDB. My owner is otan. |
Agreed, and just to spell it out completely, I think that this means that we can't do this build version check in that case right? Since in the mixed-version situation I described a new node may take a backup with build tag 21.1, but that backup would not be restorable by the older nodes in the same cluster that would have build version 20.2. |
dt
force-pushed
the
restore-version-check
branch
from
0416a80 to
3e5d2d1
Compare
|
Thought about this a little more and opted to just do the cluster version one now instead. I'd initially held off on it, thinking we'd wait to use it instead of build info in a later version once it'd been being persisted for a release, but on reflection it doesn't matter: if only new nodes are doing the check, it is fine if they look for a field only written by nodes at least that new since they're specifically look for newer nodes anyway. Reworked to be all cluster-version. |
| sqlDB.ExpectErr(t, "backup from version 99.1 is newer than current version", `RESTORE DATABASE r1 FROM 'nodelocal://0/too_new'`) | ||
|
|
||
| // Bump the version down and write it back out to make it look older. | ||
| backupManifest.ClusterVersion = roachpb.Version{Major: 20, Minor: 2, Internal: 2} |
There was a problem hiding this comment.
Can we also add a test case where we nil out the cluster version to simulate earlier backups?
dt
force-pushed
the
restore-version-check
branch
from
3e5d2d1 to
a55f668
Compare
This adds a check during RESTORE that the backup(s) being restored were produced by a cluster with a cluster version no newer than the current version. The cluster version was not previously persisted in the backup so this new field is only set on new backups, but as this check is only in new versions, that is fine. Release note (ops change): RESTORE now refuses to restore BACKUPs made by newer versions.
dt
force-pushed
the
restore-version-check
branch
from
a55f668 to
2c4257d
Compare
|
TFTR! bors r+ |
|
Build succeeded: |
This adds a check during RESTORE that the backup(s) being restored were produced by a version
no newer than the current version. The build info for the version that produced a
backup is persisted in the manifest and is used for this check.
Note: this is checking the build version, not the cluster version. A follow-up
change should likely be added to persist cluster versions and check them as well
so that most-migration data cannot be restored to a pre-migration cluster even if
both are on the same binary version.
Release note (ops change): RESTORE now refuses to restore BACKUPs made by newer versions.