Backup & Recovery
Backup
BACKUP TENANT acme TO '/backups/acme-2026-04.bak';
Backups cover all 7 engines: documents, indexes, vectors, graph edges, KV tables, timeseries, and CRDT state. They are encrypted with AES-256-GCM using the tenant WAL key.
The backup envelope embeds catalog rows and the source tombstone set alongside segment data, so a restored snapshot reconstructs the catalog deterministically and refuses to resurrect collections tombstoned before the backup was taken. Each StoredCollection row carries a size_bytes_estimate field surfaced through _system.dropped_collections for sizing the L2 cleanup queue before PURGE.
Validate
RESTORE TENANT acme FROM '/backups/acme-2026-04.bak' DRY RUN;
Validates the backup without restoring.
Restore
RESTORE TENANT acme FROM '/backups/acme-2026-04.bak';
Crash Recovery
On startup, NodeDB:
- Scans WAL segments from the last checkpoint
- Validates CRC32C checksums
- Replays valid records to reconstruct state
- Discards partially written records
The Event Plane resumes from its LSN watermark — no events are lost.
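The startup sequence above, as an added Python example (not NodeDB code). The page does not give NodeDB's on-disk WAL format, so the record framing (CRC32C, LSN, payload length), the function names and the choice to stop scanning at the first record that fails validation are all assumptions.

```python
import struct

# CRC32C (Castagnoli) lookup table, reflected polynomial 0x82F63B78.
_TABLE = []
for _i in range(256):
    _c = _i
    for _ in range(8):
        _c = (_c >> 1) ^ 0x82F63B78 if _c & 1 else _c >> 1
    _TABLE.append(_c)

def crc32c(data: bytes) -> int:
    crc = 0xFFFFFFFF
    for b in data:
        crc = _TABLE[(crc ^ b) & 0xFF] ^ (crc >> 8)
    return crc ^ 0xFFFFFFFF

# Hypothetical framing (an assumption, not NodeDB's format):
# u32 crc | u64 lsn | u32 length | payload, little-endian; crc covers lsn..payload.
FRAME = struct.Struct("<IQI")

def encode(lsn: int, payload: bytes) -> bytes:
    covered = struct.pack("<QI", lsn, len(payload)) + payload
    return struct.pack("<I", crc32c(covered)) + covered

def replay(wal: bytes, checkpoint_lsn: int):
    """Return (records to apply after the checkpoint, why the scan stopped)."""
    applied, off = [], 0
    while off < len(wal):
        if len(wal) - off < FRAME.size:
            return applied, "torn header"          # partial write: discard tail
        crc, lsn, length = FRAME.unpack_from(wal, off)
        covered = wal[off + 4 : off + FRAME.size + length]
        if len(covered) < 12 + length:
            return applied, "torn payload"         # partial write: discard tail
        if crc32c(covered) != crc:
            return applied, "checksum mismatch"    # corrupt record: stop replay
        if lsn > checkpoint_lsn:                   # at or below checkpoint is already durable
            applied.append((lsn, covered[12:]))
        off += FRAME.size + length
    return applied, "end of log"

# Constructed sample: checkpoint at LSN 1, record 3 cut short by a crash mid-write.
SAMPLE_WAL = encode(1, b"put a=1") + encode(2, b"put b=2") + encode(3, b"put c=3")[:-3]

if __name__ == "__main__":
    print(replay(SAMPLE_WAL, checkpoint_lsn=1))
```

Because the checksum covers the LSN and length fields as well as the payload, a corrupted length is caught as a mismatch rather than misparsed as the next record boundary.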
WAL Archiving
WAL segments can be archived for point-in-time recovery. Old segments are eligible for cleanup once all records have been flushed to L1 segments.
Object storage for snapshots and quarantine
By default, snapshots and quarantined segment files are stored on local disk alongside the data directory. Both can be redirected to S3-compatible object storage.
[snapshot_storage]
endpoint = "https://s3.amazonaws.com"
bucket = "my-nodedb-snapshots"
region = "us-east-1"
prefix = "cluster-prod"
access_key = "AKIA..."
secret_key = "..."
[quarantine_storage]
endpoint = "https://s3.amazonaws.com"
bucket = "my-nodedb-quarantine"
region = "us-east-1"
prefix = "cluster-prod"
access_key = "AKIA..."
secret_key = "..."
Omit endpoint (or leave it empty) to use the local filesystem — this is the default. Both sections are independent: you can put snapshots on S3 and leave quarantine files local, or vice versa.
The cold data tier ([cold_storage]) is a separate config from these two — it covers Parquet archives and timeseries L2 data, not snapshots or quarantine files.