Operator reference for backup targets, PITR, and cloud backup configuration.
Backups & Disaster Recovery
CortexDB supports an operational backup path for disaster recovery based on:
- RocksDB checkpoint backups
- object-store upload targets: local, s3, gcs, azure
- WAL archival for point-in-time recovery (PITR)
- restore-time rebuilding of vector, graph, fulltext, content, and memory-state projections
Minimal backup configuration
[security.backup]
enabled = true
interval_secs = 86400
backup_dir = "/var/lib/cortexdb/backups"
retention_count = 7
target = "s3"
cloud_bucket = "cortex-backups"
cloud_prefix = "prod/cluster-a"
compression = true
wal_archival = true
wal_archive_dir = "/var/lib/cortexdb/wal-archive"
cloud_region = "us-east-1"
cloud_sse_mode = "aws:kms"
cloud_kms_key_id = "arn:aws:kms:us-east-1:123456789012:key/your-key"
For local validation, the repository also includes:
python tests/live/run_docker_live_suite.py
That live Docker matrix exercises backup creation/listing plus the repository's cloud backup smoke coverage for S3-compatible and Azure-emulated targets.
General [backup] fields
| Field | Purpose |
|---|---|
| enabled | Enable scheduled backups |
| interval_secs | Backup interval in seconds |
| backup_dir | Local staging directory for snapshots and restores |
| retention_count | Number of completed backups to retain |
| target | local, s3, gcs, or azure |
| cloud_bucket | Bucket or container name for remote targets |
| cloud_prefix | Object-store prefix under the bucket/container |
| compression | Enable compressed backup artifacts |
| wal_archival | Enable WAL archival for PITR |
| wal_archive_dir | Local WAL archive directory |
S3-compatible fields
| Field | Purpose |
|---|---|
| cloud_endpoint | Override endpoint for MinIO or other S3-compatible stores |
| cloud_region | AWS region |
| cloud_access_key_id | Explicit access key |
| cloud_secret_access_key | Explicit secret key |
| cloud_session_token | Temporary session token |
| cloud_allow_http | Allow non-TLS endpoints for dev/test |
| cloud_virtual_hosted_style_request | Force virtual-hosted-style requests |
| cloud_metadata_endpoint | Override AWS metadata endpoint |
| cloud_sse_mode | AES256, aws:kms, aws:kms:dsse, or sse-c |
| cloud_kms_key_id | KMS key id for SSE-KMS modes |
| cloud_bucket_key_enabled | Enable S3 bucket keys for SSE-KMS |
| cloud_customer_encryption_key_base64 | Base64 SSE-C customer key |
Standard env fallback also works: AWS_ENDPOINT_URL, AWS_REGION, AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN, AWS_SERVER_SIDE_ENCRYPTION, and related AWS_* encryption variables.
GCS fields
| Field | Purpose |
|---|---|
| cloud_gcs_service_account_key | Service account JSON path or inline JSON |
| cloud_gcs_application_credentials | ADC credentials path |
| cloud_allow_http | Allow HTTP for emulator/test setups |
Standard env fallback also works: GOOGLE_SERVICE_ACCOUNT_KEY and GOOGLE_APPLICATION_CREDENTIALS.
Azure fields
| Field | Purpose |
|---|---|
| cloud_azure_account | Storage account name |
| cloud_azure_access_key | Storage account access key |
| cloud_endpoint | Blob endpoint override |
| cloud_azure_client_id | Azure AD client id |
| cloud_azure_client_secret | Azure AD client secret |
| cloud_azure_tenant_id | Azure tenant id |
| cloud_azure_authority_host | Authority host override |
| cloud_azure_bearer_token | Direct bearer token override |
| cloud_use_emulator | Enable Azurite/emulator semantics |
Standard env fallback also works: AZURE_STORAGE_ACCOUNT, AZURE_STORAGE_ACCESS_KEY, AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, AZURE_TENANT_ID, AZURE_STORAGE_BLOB_ENDPOINT, and AZURE_USE_EMULATOR.
Restore and PITR notes
When PITR is used, CortexDB restores the base backup and then replays archived WAL data into recovered state. The restore target also rebuilds derived stores such as:
- pitr_vector_index
- pitr_graph_index
- pitr_fulltext_index
- pitr_content_db
- pitr_memory_state
Operators should review pitr_replay_manifest.json after restore to verify replay counts and derived-store paths.