feat(backup): incremental NAS backup support for KVM#13074
Conversation
Adds the design document for incremental NAS backups using QEMU dirty bitmaps and libvirt's backup-begin API. Reduces daily backup storage 80-95% for large VMs. Refs: apache#12899
NASBackupChainKeys defines the keys this provider stores under the existing backup_details kv table (parent_backup_id, bitmap_name, chain_id, chain_position, type). This keeps the backups table provider-agnostic per the RFC review. nas.backup.full.every is a zone-scoped ConfigKey that controls how often a full backup is taken; the remaining backups in the cycle are incremental. Counts backups (not days), so it works for hourly, daily, and ad-hoc schedules. Default 10. Set to 1 to disable incrementals (every backup is full). Refs: apache#12899
Adds three new optional CLI flags to nasbackup.sh:
-M|--mode <full|incremental>
--bitmap-new <name> (checkpoint to create with this backup)
--bitmap-parent <name> (incremental: parent bitmap to read changes since)
--parent-path <path> (incremental: parent backup file for rebase)
Behavior:
- When -M is omitted, behavior is unchanged (legacy full-only, no checkpoint
created), so existing callers are not affected.
- With -M full + --bitmap-new, a full backup is taken AND a libvirt
checkpoint of that name is registered atomically (via backup-begin's
--checkpointxml), giving the next incremental its starting bitmap.
- With -M incremental, libvirt's <incremental> element references the
parent bitmap; only changed blocks are written. After completion,
qemu-img rebase wires the new file to its parent so the chain on the
NAS is self-describing for restore.
- Stopped VMs cannot use backup-begin; if -M incremental is requested
while VM is stopped, the script falls back to a full and emits
INCREMENTAL_FALLBACK= on stderr so the orchestrator can record it
correctly in the chain.
- The script echoes BITMAP_CREATED=<name> on success so the Java caller
can store it under backup_details (NASBackupChainKeys.BITMAP_NAME).
Works across local file, NFS-file, and LINSTOR primary storage. Ceph RBD
running-VM support is a pre-existing limitation of this script, not
affected by this change.
Refs: apache#12899
Adds the Java side of the incremental NAS backup feature:
TakeBackupCommand
+ mode, bitmapNew, bitmapParent, parentPath fields (null for legacy
callers — script preserves its existing behaviour when these are
omitted).
BackupAnswer
+ bitmapCreated (echoed by the agent on success)
+ incrementalFallback (true when an incremental was requested but the
agent had to fall back to full because the VM was stopped).
LibvirtTakeBackupCommandWrapper
- Forwards the new fields to nasbackup.sh.
- Strips the new BITMAP_CREATED= / INCREMENTAL_FALLBACK= marker lines
out of stdout before the existing numeric-suffix size parser runs,
so the script can keep the same "size as last line(s)" contract.
- Surfaces both markers on the BackupAnswer.
NASBackupProvider
- decideChain(vm) walks backup_details (chain_id, chain_position,
bitmap_name) for the latest BackedUp backup of the VM and decides:
* Stopped VM -> full (libvirt backup-begin needs running QEMU)
* No prior chain -> full (chain_position=0)
* chain_position+1 >= nas.backup.full.every -> new full
* otherwise -> incremental, parent=last bitmap
- Generates timestamp-based bitmap names ("backup-<epoch>") matching
what the script then registers as the libvirt checkpoint name.
- persistChainMetadata() writes parent_backup_id, bitmap_name,
chain_id, chain_position, type into the existing backup_details
key/value table (per the RFC review — no new columns on backups).
- Honours the agent's INCREMENTAL_FALLBACK= signal: re-records the
backup as a full and starts a fresh chain.
- createBackupObject() now takes a type argument so the BackupVO
reflects the actual decision instead of always being "FULL".
Refs: apache#12899
CloudStack rebuilds the libvirt domain XML on every VM start, which means
persistent QEMU dirty bitmaps don't survive a stop/start cycle. Rather
than hooking into the VM start lifecycle (intrusive across the
orchestration layer), this commit handles the missing bitmap *lazily* at
the next backup attempt:
nasbackup.sh
- When -M incremental is requested, the script first checks
`virsh checkpoint-list` for the parent bitmap. If absent, it
recreates the checkpoint on the running domain so libvirt accepts
the <incremental> reference. The next incremental will be larger
than usual (it captures all writes since recreate, not since the
previous incremental) but is correct; subsequent ones return to
normal size.
- On recreation, emits BITMAP_RECREATED=<name> on stdout for the
orchestrator to record.
BackupAnswer
+ bitmapRecreated field surfaced from the agent.
LibvirtTakeBackupCommandWrapper
- Strips BITMAP_RECREATED= line from stdout before size parsing.
- Sets answer.setBitmapRecreated(...).
NASBackupChainKeys
+ BITMAP_RECREATED key for backup_details.
NASBackupProvider
- When the agent reports a recreated bitmap, persists it under
backup_details and logs an info-level message so operators can
correlate larger-than-usual incrementals with VM restarts.
This satisfies the bitmap-loss-on-VM-restart concern from the RFC review
without touching VirtualMachineManager / StartCommand / agent lifecycle.
Refs: apache#12899
Two changes that together let an incremental NAS backup be restored
without manual chain assembly:
scripts/vm/hypervisor/kvm/nasbackup.sh
- qemu-img rebase now writes a backing-file path that is RELATIVE to
the new qcow2's directory (e.g. ../<parent-ts>/root.<uuid>.qcow2)
rather than the absolute path on the current mount point. NAS mount
points are ephemeral (mktemp -d), so an absolute reference would
not resolve when the backup is re-mounted at restore time. Relative
references are resolved by qemu-img against the file's own
directory, so the chain stays valid no matter where the NAS is
mounted next.
- Verifies the parent file exists on the NAS before rebasing.
LibvirtRestoreBackupCommandWrapper
- For file-based primary storage (local, NFS-file), the existing
code rsync'd the source qcow2 to the volume. That copies only the
differential blocks of an incremental, leaving a volume whose
backing-file reference points at a path the primary storage host
doesn't have. Now: detect a backing-chain via qemu-img info JSON
and flatten via 'qemu-img convert -O qcow2', which follows the
chain and produces a self-contained qcow2. Full backups continue
to use rsync (faster, no chain to flatten).
- The block-storage path (RBD/Linstor) already used qemu-img convert
via the QemuImg helper, which auto-flattens chains, so that path
needed no change.
Refs: apache#12899
Adds the delete-with-chain-repair semantics agreed in the RFC review:
scripts/vm/hypervisor/kvm/nasbackup.sh
- New '-o rebase' operation: rebases an existing on-NAS qcow2 onto
a new backing parent. Uses a SAFE rebase (no -u) so the target
absorbs blocks of the about-to-be-deleted parent before the
backing pointer is moved up to the grandparent. Writes the new
backing reference relative to the target's directory so it
survives mount-point changes.
- New CLI flags --rebase-target, --rebase-new-backing (both passed
mount-relative).
RebaseBackupCommand + LibvirtRebaseBackupCommandWrapper
- New agent command that wraps the script's rebase operation. The
provider sends one of these per child that needs re-pointing.
NASBackupProvider.deleteBackup
- Now plans the chain repair before touching files via
computeChainRepair():
* No chain metadata -> single-file delete (legacy behaviour)
* Tail incremental -> single delete, no rebase
* Middle incremental -> rebase immediate child onto our
parent, then delete; shift
chain_position of all later
descendants by -1
* Full with descendants -> refuse unless forced=true; with
forced=true delete full + every
descendant newest-first
- Updates parent_backup_id, chain_position metadata in
backup_details after each rebase so the model in the DB matches
the on-disk chain.
This implements the cascade-delete behaviour requested in @abh1sar's
review point apache#7.
Refs: apache#12899
Adds five new test cases to test_backup_recovery_nas.py covering the
end-to-end behaviour of the incremental NAS backup feature:
* test_incremental_chain_cadence
- Sets nas.backup.full.every=3, takes 5 backups, verifies the
type pattern is FULL, INC, INC, FULL, INC.
* test_restore_from_incremental
- FULL + 2 INCs, each with a marker file. Restores from the
latest INC and verifies all three markers are present
(i.e. qemu-img convert flattened the chain correctly).
* test_delete_middle_incremental_repairs_chain
- Builds FULL, INC1, INC2; deletes INC1 (no force needed);
restores from the surviving INC2 and verifies that markers
from FULL, INC1 (which was deleted), and INC2 are all present
— proving the rebase merged INC1's blocks into INC2.
* test_refuse_delete_full_with_children
- Verifies plain delete of a FULL that has children fails, and
delete with forced=true succeeds and removes the whole chain.
* test_stopped_vm_falls_back_to_full
- Sets cadence to 2, takes one backup (FULL), stops the VM,
triggers another (cadence would say INC). Verifies the second
backup is recorded as FULL because the agent fell back when
backup-begin couldn't run on a stopped VM.
All tests restore nas.backup.full.every to 10 in finally blocks.
Refs: apache#12899
Codecov Report❌ Patch coverage is Additional details and impacted files@@ Coverage Diff @@
## main #13074 +/- ##
============================================
+ Coverage 18.02% 18.92% +0.90%
- Complexity 16621 18261 +1640
============================================
Files 6029 6175 +146
Lines 542184 555617 +13433
Branches 66451 67853 +1402
============================================
+ Hits 97740 105177 +7437
- Misses 433428 438875 +5447
- Partials 11016 11565 +549
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Harness. 🚀 New features to boost your workflow:
|
|
@jmsperu can you check the build failure. thanks. |
|
@jmsperu |
Phase 6 added a hasBackingChain() check before rsync that uses qemu-img info to detect chained incrementals. The existing testExecuteWithRsyncFailure test mocks Script.runSimpleBashScriptForExitValue to return 0 for any command, so the new qemu-img info check incorrectly evaluates as "has backing chain" and routes the test through the chain-flatten path instead of rsync — the test then asserts a failure that never occurs. Add a clause to the mock that returns 1 (no backing chain) for the qemu-img info backing-filename probe, so the test continues to exercise the rsync path it was designed for.
|
@weizhouapache yes — ready for review. @sureshanaparti — apologies, I missed your earlier ping. The build failure was a unit test in Fixed in d80ed16: the test's CI should be green on the next run. Cc @abh1sar @JoaoJandre @harikrishna-patnala in case you also want to take a look. |
There was a problem hiding this comment.
Pull request overview
Adds incremental backup-chain support to the NAS backup provider for KVM by leveraging libvirt backup-begin with checkpoints/dirty-bitmaps, plus restore/flatten and chain-aware delete/repair semantics.
Changes:
- Introduces backup-chain metadata keys (
NASBackupChainKeys) and zone-scoped cadence confignas.backup.full.every, with orchestration logic to choose full vs incremental and persist chain details inbackup_details. - Extends the KVM agent +
nasbackup.shto support full-with-checkpoint and incremental-with-rebase, plus a new “rebase” operation used for chain repair during delete. - Updates restore logic to detect qcow2 backing chains and flatten via
qemu-img convert, and adds new integration smoke tests for incremental-chain behavior.
Reviewed changes
Copilot reviewed 12 out of 12 changed files in this pull request and generated 9 comments.
Show a summary per file
| File | Description |
|---|---|
| test/integration/smoke/test_backup_recovery_nas.py | Adds incremental-chain smoke tests (cadence, restore, delete-middle repair, forced delete behavior, stopped-VM fallback). |
| scripts/vm/hypervisor/kvm/nasbackup.sh | Adds mode-aware backup (full/incremental), checkpoint creation, incremental rebase, and a new rebase operation for delete-middle chain repair. |
| plugins/hypervisors/kvm/src/test/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtRestoreBackupCommandWrapperTest.java | Extends restore wrapper tests to exercise the “no backing chain => rsync” path. |
| plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtTakeBackupCommandWrapper.java | Passes incremental args to nasbackup.sh and parses bitmap/fallback markers from script output. |
| plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtRestoreBackupCommandWrapper.java | Detects qcow2 backing chains and flattens incrementals during restore using qemu-img convert. |
| plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtRebaseBackupCommandWrapper.java | New wrapper to run nasbackup.sh -o rebase for chain repair. |
| plugins/backup/nas/src/main/java/org/apache/cloudstack/backup/NASBackupProvider.java | Implements full-vs-incremental decisions, stores chain metadata in backup_details, and adds chain-aware delete/repair logic. |
| plugins/backup/nas/src/main/java/org/apache/cloudstack/backup/NASBackupChainKeys.java | Defines backup_details keys for chain id/position/type/bitmap/parent linkage. |
| docs/rfcs/incremental-nas-backup.md | Adds an RFC document describing incremental NAS backup approach (needs alignment with final implementation). |
| core/src/main/java/org/apache/cloudstack/backup/TakeBackupCommand.java | Adds optional incremental-mode fields (mode/bitmap names/parent path). |
| core/src/main/java/org/apache/cloudstack/backup/RebaseBackupCommand.java | New agent command to rebase a backup qcow2 onto a new backing file for chain repair. |
| core/src/main/java/org/apache/cloudstack/backup/BackupAnswer.java | Adds fields to return bitmap creation/recreation and incremental-fallback markers back to orchestration. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| # All tests set nas.backup.full.every to a small value (3) so a chain | ||
| # forms quickly without needing many backup iterations. They restore | ||
| # the original value at teardown. | ||
|
|
||
| def _set_full_every(self, value): | ||
| Configurations.update(self.apiclient, name='nas.backup.full.every', | ||
| value=str(value), zoneid=self.zone.id) | ||
|
|
There was a problem hiding this comment.
The incremental tests always reset nas.backup.full.every to 10 in finally, but they never read/preserve the original zone value. If a test environment has a non-default value configured, these tests will leave the zone config changed. Consider capturing the current value once (e.g., via Configurations.list(...) in setup) and restoring that exact value in each finally (or in tearDown).
| command.setBitmapParent(decision.bitmapParent); | ||
| command.setParentPath(decision.parentPath); | ||
|
|
||
| if (VirtualMachine.State.Stopped.equals(vm.getState())) { |
There was a problem hiding this comment.
For stopped VMs decideChain returns fullStart(newBitmap) and takeBackup always sets command.mode="full" / bitmapNew. But nasbackup.sh's stopped-VM path doesn’t create a checkpoint/bitmap (no BITMAP_CREATED=), so persisting nas.bitmap_name from the requested bitmap can cause the next backup to attempt an incremental against a bitmap that was never created. Consider clearing mode/bitmapNew (legacy full) for stopped VMs and/or only persisting nas.bitmap_name when the agent confirms it via BITMAP_CREATED=.
| if (VirtualMachine.State.Stopped.equals(vm.getState())) { | |
| if (VirtualMachine.State.Stopped.equals(vm.getState())) { | |
| // Stopped-VM backups use the offline path and do not create checkpoints/bitmaps. | |
| // Clear chain metadata so a full backup does not imply a bitmap was created. | |
| command.setMode(null); | |
| command.setBitmapNew(null); | |
| command.setBitmapParent(null); | |
| command.setParentPath(null); |
| if [[ "$effective_mode" == "incremental" ]]; then | ||
| volUuid="${fullpath##*/}" | ||
| if [[ "$fullpath" == /dev/drbd/by-res/* ]]; then | ||
| volUuid=$(get_linstor_uuid_from_path "$fullpath") | ||
| fi | ||
| # PARENT_PATH from the orchestrator is the parent backup's path relative to the | ||
| # NAS mount root (e.g. "i-2-X/2026.04.27.12.00.00/root.UUID.qcow2"). Convert it to | ||
| # a path relative to THIS new qcow2's directory so the backing reference resolves | ||
| # correctly the next time the NAS is mounted (mount points are ephemeral). | ||
| local parent_abs="$mount_point/$PARENT_PATH" | ||
| if [[ ! -f "$parent_abs" ]]; then | ||
| echo "Parent backup file does not exist on NAS: $parent_abs" | ||
| cleanup | ||
| exit 1 | ||
| fi | ||
| local parent_rel | ||
| parent_rel=$(realpath --relative-to="$dest" "$parent_abs") | ||
| if ! qemu-img rebase -u -b "$parent_rel" -F qcow2 "$dest/$name.$volUuid.qcow2" >> "$logFile" 2> >(cat >&2); then | ||
| echo "qemu-img rebase failed for $dest/$name.$volUuid.qcow2 onto $parent_rel" |
There was a problem hiding this comment.
In incremental mode, each exported qcow2 (root.* and datadisk.*) is rebased onto the same PARENT_PATH. For VMs with multiple volumes this will rebase data-disk incrementals onto the root-disk parent file, corrupting the chain for non-root volumes. PARENT_PATH needs to be per-disk (or pass the parent backup directory and derive the correct parent filename for each volUuid/disk role).
| echo "Incremental backup options (running VMs only; requires QEMU >= 4.2 and libvirt >= 7.2):" | ||
| echo " -M|--mode full Take a full backup AND create a checkpoint (--bitmap-new required) for future incrementals." | ||
| echo " -M|--mode incremental Take an incremental backup since --bitmap-parent and create new checkpoint --bitmap-new." | ||
| echo " Requires --bitmap-parent, --bitmap-new, and --parent-path (parent backup file for rebase)." | ||
| echo " Without -M, behaves as legacy full-only backup with no checkpoint creation." |
There was a problem hiding this comment.
The usage text says “Without -M, behaves as legacy full-only backup with no checkpoint creation”, but the script still runs sanity_checks unconditionally (QEMU>=4.2/libvirt>=7.2) even for legacy callers and non-backup ops (delete/stats/rebase). To preserve the documented legacy behavior/backward compatibility, gate the version checks to only the code paths that actually require backup-begin/incremental features (or only when MODE is set).
@bernardodemarco pointed out that design docs / RFCs go in the project wiki or as a separate issue rather than into the source tree. The RFC content has been posted as a comment on the existing tracking issue apache#12899 (which is where the design discussion already lives), and the docs/rfcs/ directory is removed from this PR.
|
@bernardodemarco thanks — good point. Done in 9764025:
PR is now purely the implementation. Updated PR description to drop the doc reference. |
|
@abh1sar a [SL] Jenkins job has been kicked to build packages. It will be bundled with no SystemVM templates. I'll keep you posted as I make progress. |
|
Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ el10 ✔️ debian ✔️ suse15. SL-JID 18250 |
|
@blueorangutan test |
|
@abh1sar a [SL] Trillian-Jenkins test job (ol8 mgmt + kvm-ol8) has been kicked to run smoke tests |
…ancestors Address abh1sar review on PR apache#13074 (NASBackupProvider.java:995). The previous sweep/cascade path called findChainParent in a loop, each one issuing a fresh listByVmId — O(N) DB calls per chain walk. Add getChainOrderedLeafToRoot(member) which materialises the full chain (every backup row sharing CHAIN_ID) via a single listByVmId, sorted leaf-first by CHAIN_POSITION. Rewrite deleteLeafBackupAndSweepPendingAncestors to snapshot that chain BEFORE the leaf delete (so the in-memory list stays resolvable after the row is gone), then iterate ancestors from the snapshot. Rewrite cascadeDeleteSubtree as a plain leaf-first walk of the ordered chain — NAS backups are a linear chain, no tree-walking needed. findChainParent is kept (the parent-row lookup is still a useful primitive) with a Javadoc note recommending the new method when iterating.
…wrapper Address abh1sar review on PR apache#13074 (nasbackup.sh:155, :193, :358; LibvirtTake BackupCommandWrapper.java:124). The script was carrying caller-side policy: arg validation, fallback decisions, and stdout markers that the wrapper had to parse out before the size-parsing logic could run. Move that policy into Java and use dedicated exit codes for the signals the wrapper needs. Script (scripts/vm/hypervisor/kvm/nasbackup.sh): * Drop the per-mode required-args checks (the wrapper now pre-validates). * Replace the INCREMENTAL_FALLBACK stdout marker with exit code 21 (EXIT_INCREMENTAL_UNSUPPORTED): emitted when the running-VM path can't re-register the parent checkpoint, and when the stopped-VM path was asked for incremental. The wrapper retries the script as a full backup and sets incrementalFallback on the BackupAnswer. * Replace the BITMAP_CREATED stdout marker with exit code 22 (EXIT_BITMAP_NOT_SEEDED), emitted only by the stopped-VM path when qemu-img bitmap --add failed for every source disk. Backup file is valid but no usable bitmap exists on the host; wrapper records bitmapCreated=null so NASBackupProvider clears active_checkpoint_id and the next backup starts a fresh full chain. Running-VM success path no longer needs a marker — libvirt's backup-begin atomically creates the checkpoint. LibvirtTakeBackupCommandWrapper.java: * Pre-validate incremental args (mode-vs-bitmapNew/Parent/parentPaths) before invoking the script. Returns a failed BackupAnswer on missing args, keeping the script agnostic to caller policy. * Extract runBackupScript() so the same code can fire the retry-as-full after EXIT_INCREMENTAL_UNSUPPORTED without duplicating arg assembly. * On EXIT_INCREMENTAL_UNSUPPORTED + requestedMode==incremental, re-invoke with mode=full and only --bitmap-new (drop --bitmap-parent/--parent-paths); set incrementalFallback=true on the eventual answer. * On EXIT_BITMAP_NOT_SEEDED, treat as success but set bitmapCreated=null. * Drop the stdout-marker stripping loop (markers no longer emitted), and the separate BITMAP_CREATED parsing — bitmapCreated mirrors command.getBitmapNew() unless the not-seeded exit code says otherwise. NASBackupProvider.java: * Refresh the two comment blocks that referenced the old BITMAP_CREATED= stdout signal to describe the new exit-code path. No behaviour change in this file.
|
@abh1sar — I picked up the 2026-06-13 review batch in one author for style consistency with the earlier rounds. Two commits pushed: 1. 2. The script was carrying caller-side policy (arg validation, fallback decisions) and emitting stdout markers the wrapper had to parse around. Both have moved into Java; the script now uses dedicated exit codes for the signals the wrapper actually needs:
Note on the parent-checkpoint redefine itself: I kept the actual Tested: chain N+1 fix is straightforward refactor against the existing unit tests; for the script + exit codes I'd appreciate a fresh |
…ures deletingLeafSweepsUpDeletePendingParent previously omitted CHAIN_POSITION because the old PARENT_BACKUP_ID-walking sweep didn't depend on it. The new getChainOrderedLeafToRoot helper (096bef1) sorts the chain by CHAIN_POSITION desc; without those mocks both backups returned MAX_VALUE, the stable sort left the leaf at index 0 and the parent never got swept. Real backups always carry CHAIN_POSITION (set in persistChainMetadata), so this aligns the fixtures with production data rather than papering over the new sort assumption.
|
[SF] Trillian test result (tid-16304)
|
|
@jmsperu can you please fix the failing test |
…-parent test
deletingLeafSweepsUpDeletePendingParent stubbed the leaf's PARENT_BACKUP_ID
but production never reads it on this path:
- findLiveChildren(leaf) iterates the sibling list and reads each *other*
backup's PARENT_BACKUP_ID against leaf.getUuid() — never the leaf's own.
- getChainOrderedLeafToRoot (introduced in 096bef1) walks the chain by
CHAIN_ID + CHAIN_POSITION; the legacy findChainParent → PARENT_BACKUP_ID
walk is bypassed for the sweep.
Same UnnecessaryStubbingException pattern as 9f4d61f; the parent's
PARENT_BACKUP_ID stub IS still used (findLiveChildren reads it) so it stays.
Unblocks CI for apache#13074.
|
@harikrishna-patnala Done — fixed in The only remaining red is the smoke batch ( |
|
@blueorangutan package |
|
@DaanHoogland a [SL] Jenkins job has been kicked to build packages. It will be bundled with no SystemVM templates. I'll keep you posted as I make progress. |
|
Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ el10 ✔️ debian ✔️ suse15. SL-JID 18327 |
There was a problem hiding this comment.
Re-register the parent with
checkpoint-create --redefineusing the fullcheckpoint-dumpxmloutput (a minimal/synthesized XML is rejected by libvirt's checkpoint RNG schema). So: persist<bitmap>.checkpoint.xmlnext to each backup on the NAS, and on recreate--redefinefrom the parent backup's saved XML
@jmsperu In my testing, I found that a full checkpoint xml was not required. Just the checkpoint name and the created tag is enough for redefine. We don't have to store created as it doesn't have to be accurate. Checkpoints are ephemeral anyway.
Can you please check https://github.com/shapeblue/cloudstack/blob/integration-veeam-kvm/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtStartBackupCommandWrapper.java#L127?
This way we don't have to persist the full checkpoint xml.
On the larger "move the checks into Java" suggestion: I started it, but testing showed the recreate needs checkpoint-dumpxml + --redefine against NAS-side XML, which is cohesive in the script — I've kept it there for now and can revisit the Java move as a follow-up.
With the above change the Virsh checkpoint redefine logic can be moved to Java as we don't need to read the checkpoint.xml file. If checkpoint redefine fails, the Java code can fallback to full and call nasbackup.sh without the -M flag.
It is possible that the checkpoint we have stored in DB as the VM active checkpoint is not present in the qcow2 file (after migration etc.). In that case backup currently fails with error. We should try to fallback to full backup is such cases. I handled a similar thing recently here https://github.com/shapeblue/cloudstack/blob/integration-veeam-kvm/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtStartBackupCommandWrapper.java#L127.
You can take some ideas from that.
restoreBackedUpVolume() restores a single volume, we should refer vm's active checkpoint to null in this case also. - Disregard this as restore and attach volume to an instance which is assigned a backup offering is not allowed
We need to fix the backup delete logic. Specially around hidden deletes, cascade deletes and how resource limit and usage is decremented in BackupManagerImpl(). Can you explore that?
Currently BackupManagerImpl again tries deleting the backup from the DB which Nas provider has already deleted. Also Nas provider might have deleted the full chain but resource limits and usage is not updated.
Can you check how snapshot delete does that? We need to look for a simple fix with a rigid expectations and rules.
I have started testing the PR. But these comments need to be addressed as well.
abh1sar
left a comment
There was a problem hiding this comment.
During testing I observed that backup_details and vm_instance_details tables were having chain and checkpoint related fields persisted one though the incremental feature was not enabled.
We should make sure that no changes are done to the existing functionality if the feature is not enabled.
| rebase_backup() { | ||
| mount_operation | ||
|
|
||
| if [[ -z "$REBASE_TARGET" || -z "$REBASE_NEW_BACKING" ]]; then | ||
| echo "rebase requires --rebase-target and --rebase-new-backing" | ||
| cleanup | ||
| exit 1 | ||
| fi | ||
|
|
||
| local target_abs="$mount_point/$REBASE_TARGET" | ||
| local backing_abs="$mount_point/$REBASE_NEW_BACKING" | ||
| if [[ ! -f "$target_abs" ]]; then | ||
| echo "Rebase target file does not exist: $target_abs" | ||
| cleanup | ||
| exit 1 | ||
| fi | ||
| if [[ ! -f "$backing_abs" ]]; then | ||
| echo "New backing file does not exist: $backing_abs" | ||
| cleanup | ||
| exit 1 | ||
| fi | ||
| local target_dir | ||
| target_dir=$(dirname "$target_abs") | ||
| local backing_rel | ||
| backing_rel=$(realpath --relative-to="$target_dir" "$backing_abs") | ||
|
|
||
| # SAFE rebase (no -u): qemu-img reads blocks from the old chain and writes them into | ||
| # the target where the new chain doesn't cover them. This is the "merge into" semantic | ||
| # required when we're about to delete the old immediate parent — the target needs to | ||
| # absorb the to-be-deleted parent's blocks so the chain remains consistent against the | ||
| # new (further-back) backing. | ||
| if ! qemu-img rebase -b "$backing_rel" -F qcow2 "$target_abs" >> "$logFile" 2> >(cat >&2); then | ||
| echo "qemu-img rebase failed for $target_abs onto $backing_rel" | ||
| cleanup | ||
| exit 1 | ||
| fi | ||
| sync | ||
| umount $mount_point | ||
| rmdir $mount_point |
There was a problem hiding this comment.
rebase_backup() is not being called now. Remove all occurrences from script.
| # QEMU >= 4.2 and libvirt >= 7.2 are only required for backup-begin (incremental | ||
| # checkpoints and per-bitmap exports). Legacy full-only backups, plus delete / | ||
| # stats / rebase operations, run on older versions just fine. Gate the version | ||
| # check to the paths that actually need it to preserve backward compatibility. | ||
| if [ "$OP" = "backup" ] && [ -n "$MODE" ]; then | ||
| sanity_checks | ||
| fi |
There was a problem hiding this comment.
This doesn't look right.
sanity_checks was being called unconditionally before. It has nothing to do with incremental backups.
This change should be removed.
| --rebase-target) | ||
| REBASE_TARGET="$2" | ||
| shift | ||
| shift | ||
| ;; | ||
| --rebase-new-backing) | ||
| REBASE_NEW_BACKING="$2" | ||
| shift | ||
| shift | ||
| ;; |
| # No saved checkpoint XML (e.g. a backup taken before this fix) or redefine failed. | ||
| # Signal the Java wrapper to retry as a full backup so the chain restarts cleanly | ||
| # instead of failing the backup. The wrapper is responsible for the retry and for | ||
| # recording incrementalFallback=true on the resulting BackupAnswer. | ||
| log -e "incremental: parent checkpoint $BITMAP_PARENT could not be re-registered — exiting $EXIT_INCREMENTAL_UNSUPPORTED for caller-driven fallback" | ||
| cleanup | ||
| exit $EXIT_INCREMENTAL_UNSUPPORTED | ||
| fi |
There was a problem hiding this comment.
Can't we just set $effective_mode="full" here instead of returning? I think that will make the code much simpler.
We can remove the below check as well since backup of stopped VM should not be sent using incremental mode anyway.
backup_stopped_vm() {
# Stopped VMs cannot use libvirt's backup-begin (no QEMU process). Take a full
# backup via qemu-img convert. If the caller asked for incremental, signal the
# Java wrapper to retry as full and record the fallback on the BackupAnswer.
if [[ "$MODE" == "incremental" ]]; then
log -e "incremental: VM stopped — exiting $EXIT_INCREMENTAL_UNSUPPORTED for caller-driven fallback to full"
exit $EXIT_INCREMENTAL_UNSUPPORTED
fi
With these two changes we can remove EXIT_INCREMENTAL_UNSUPPORTED completely from the script and the wrapper
| // bitmapCreated mirrors what we asked the script to create — except when the | ||
| // script exited EXIT_BITMAP_NOT_SEEDED, in which case the host has no bitmap | ||
| // and the orchestrator must clear active_checkpoint_id. | ||
| answer.setBitmapCreated(bitmapSeeded ? command.getBitmapNew() : null); |
There was a problem hiding this comment.
bitmapSeeded is by default true. Event if incremental backup feature is not enabled and bitmaps are not actually created.
This causes nas.active_checkpoint_id to be set in vm_details without the feature being enabled.
I suggest returning an error if bitmaps cannot be created instead of EXIT_BITMAP_NOT_SEEDED.
It is only being used in case of stopped VMs. bitmap --add operation should not fail ideally and it should be ok to fail the backup if bitmap --add fails for any disk, so that the underlying problem is dealt with instead of forcing full backups.
And for the cases where the incremental feature is not enabled, we should not be sending bitmap_new in the TakeBackupCommand
| // of the live config). The next backup with this flag back on starts a new chain. | ||
| Boolean incrementalEnabled = NASBackupIncrementalEnabled.valueIn(vm.getDataCenterId()); | ||
| if (incrementalEnabled == null || !incrementalEnabled) { | ||
| return ChainDecision.fullStart(newBitmap); |
There was a problem hiding this comment.
Don't set newBitmap if incremental backups are not enabled.
Otherwise it causes the bitmap information being persisted in backup_details and vm_instance_details even though the bitmap didn't actually get persisted on disk.
There was a problem hiding this comment.
Also return mode as legacy-full as suggested in the other comment
| command.setBitmapNew(decision.bitmapNew); | ||
| command.setBitmapParent(decision.bitmapParent); | ||
| command.setParentPaths(decision.parentPaths); |
There was a problem hiding this comment.
Let's have 3 modes here as well: incremental | full and | legacy_full
And not set any bitmap fields or parent path if the mode is legacy_full.
…che#13074) restoreBackedUpVolume() attaches a restored volume whose image carries no QEMU bitmap, so the target VM's nas.active_checkpoint_id becomes stale. Clear it (mirroring the full-restore paths restoreVMFromBackup/restoreBackupToVM) so the next backup of that VM is a fresh full. Adds NASBackupProviderTest.restoreBackedUpVolumeClearsTargetVmActiveCheckpoint, which fails against the pre-fix code (removeDetail never invoked).
…bled (apache#13074) Addresses abh1sar review: with the incremental feature off, chain/checkpoint metadata was still written to backup_details/vm_instance_details. Introduce a distinct legacy-full mode so the feature-off path stays byte-for-byte legacy: - decideChain returns legacyFull() when nas.backup.incremental.enabled is off: no bitmap generated, no chain id, no parent paths. - takeBackup persists no chain metadata and does not touch active_checkpoint_id for legacy-full backups. - TakeBackupCommand mode carries "legacy-full"; the KVM wrapper accepts it (no bitmap/chain args) and forwards -M legacy-full to nasbackup.sh, which already maps it to make_checkpoint=0. Updates the disabled-switch unit test to assert legacy-full + null bitmap/chain.
…cks (apache#13074) Per abh1sar review: - Remove the unused rebase_backup() operation (-o rebase), its --rebase-target/ --rebase-new-backing arguments and REBASE_* variables — no longer called from the orchestrator. - Restore unconditional sanity_checks(): the QEMU/libvirt version check ran for every operation before; gating it to backup+MODE was incorrect and unrelated to incremental backups.
…ted dump (apache#13074) Per abh1sar review: libvirt's --redefine only needs the checkpoint name and a creationTime (the value need not be accurate — checkpoints are ephemeral), so synthesize a minimal <domaincheckpoint> on the fly instead of persisting the full checkpoint-dumpxml next to each backup. Removes the per-backup <bitmap>.checkpoint.xml file. Verified on libvirt 10: create checkpoint -> delete its metadata (simulating a VM restart that wipes the registry while the bitmap persists on the qcow2) -> redefine from the minimal XML succeeds and re-registers the checkpoint. (The EXIT_INCREMENTAL_UNSUPPORTED removal / inline-fallback simplification is a separate follow-up pending the fallback-signal design.)
…lling (apache#13074) Per abh1sar round-2 review: - When the parent checkpoint can't be re-registered, fall back to a full backup in place (effective_mode=full) and emit an INCREMENTAL_FALLBACK marker on stdout, instead of exiting EXIT_INCREMENTAL_UNSUPPORTED for a caller-driven retry. - Remove the stopped-VM incremental guard — the orchestrator never sends incremental mode for a stopped VM. - bitmap --add failure now fails the backup (instead of EXIT_BITMAP_NOT_SEEDED silently degrading future backups to full), surfacing the underlying problem. - Drop EXIT_INCREMENTAL_UNSUPPORTED / EXIT_BITMAP_NOT_SEEDED from the script. LibvirtTakeBackupCommandWrapper: remove the re-invoke-as-full retry and the two exit-code constants; detect the INCREMENTAL_FALLBACK stdout marker (recording incrementalFallback) and strip it before parsing the backup size.
… the qcow2 (apache#13074) Per abh1sar review (item 3): the VM's active checkpoint/bitmap can be absent from the qcow2 after a migration even though the orchestrator says it should be there, which previously made the incremental backup-begin fail hard. Before building the incremental, probe the running disk via QMP query-block; if the parent bitmap is not present, fall back to a full backup in place (emit INCREMENTAL_FALLBACK so the wrapper records it as full) instead of failing. Verified on a real CirrOS VM (libvirt 10): bitmap present -> true incremental (marker=0); bitmap absent -> full backup (marker=1, full-size output, rc=0).
|
@abh1sar — on the delete-logic / resource-accounting point: I dug into how
Comparing with Proposed rule (rigid, exactly-once): a backup's One open question before I implement — the manager currently decrements for all providers (Veeam/Networker too). To keep their accounting intact while the NAS provider owns chain accounting, do you prefer: I'm leaning (a) as the smaller, more rigid change — happy to implement whichever you prefer. |
…al (apache#13074) Per abh1sar review (delete-logic / resource accounting): deleteCheckedBackup decremented backup count / backup_storage and removed the DB row for ONE backup, but the NAS provider deletes whole chains per call (leaf + swept delete-pending ancestors) and removes those rows itself — double-handling the row (destroying delete-pending tombstones) and under-counting resources for swept ancestors. Fix (exactly-once, owned by the chain provider): - BackupProvider.handlesChainDeleteResourceAccounting() (default false). - NASBackupProvider overrides it true and decrements backup + backup_storage at the single physical-removal choke-point (deleteBackupFileAndRow), which runs for the leaf and every swept ancestor — once per actually-removed backup. A tombstoned (delete-pending) backup is not decremented until it is swept. - deleteCheckedBackup skips its own decrement + row removal for such providers. NASBackupProviderTest: leaf+sweep decrements both removed backups; live-children (tombstone) path decrements none.
|
Implemented Option A in
Unit tests ( This also fixes the two concrete bugs noted above — the manager no longer destroys the |
Summary
Implements incremental backup support for the NAS backup provider on KVM, using QEMU dirty bitmaps and libvirt's
backup-beginAPI. RFC: #12899.For large VMs this reduces daily backup storage 80–95% and shortens backup windows from hours to minutes (e.g. a 500 GB VM with moderate writes goes from ~500 GB/day to ~5–15 GB/day after the initial full backup).
What's in the PR
f2a9202d741981469099NASBackupChainKeysconstants + zone-scopednas.backup.full.everyConfigKey (default 10)fbb916b254nasbackup.shmode-aware: full+checkpoint or incremental+rebase viabackup-begin1f2aebca36backup_details43e2f7504a39303fbf88qemu-img convertflatten for file-based primaryb8d069e127RebaseBackupCommand, chain repair for delete-middle, refuse-delete-full-with-children49edc7f22ctest/integration/smoke/test_backup_recovery_nas.pyFull diff: 11 files, +1617 / −30.
Review feedback addressed (all from #12899 thread)
backupsbackup_detailskv table viaNASBackupChainKeysnas.backup.full.interval(days) doesn't fit hourly/ad-hocnas.backup.full.every(default 10)backup-beginfor full backups toobackup-begin; full omits<incremental>backup-<epoch>(System.currentTimeMillis()/1000)block-dirty-bitmap-add--checkpointxml; manual bitmap commands removedqemu-img rebaseafter each incrementalnasbackup.sh, with relative backing path so chain survives mount-point churnINCREMENTAL_FALLBACK=if cadence asked for incforced=truevirsh checkpoint-list, recreates if missing, emitsBITMAP_RECREATED=test_backup_recovery_nas.pyBackwards compatibility
-M/--bitmap-*flags onnasbackup.share optional. Without them, the script preserves the legacy full-only behaviour exactly (no checkpoint creation, same XML).TakeBackupCommandnew fields default to null;LibvirtTakeBackupCommandWrapperonly emits the new flags when set, so a 4.22 management server talking to a 4.23 agent still works.chain_idinbackup_details) are treated as standalone fulls by the cascade-delete logic — no migration needed.Test plan
Environment
feature/nas-backup-incrementalagainstmain(4.23-SNAPSHOT)ol8 mgmt + kvm-ol8profile)backup-begin --checkpointxml)Automated coverage
NASBackupProviderTestLibvirtRestoreBackupCommandWrapperTesttest/integration/smoke/test_backup_recovery_nas.pyrequired_hardware="true"Smoke scenarios
test_incremental_chain_cadencenas.backup.full.every=3and 5 backups, observed type sequence is['FULL','INCREMENTAL','INCREMENTAL','FULL','INCREMENTAL']test_restore_from_incrementaltest_delete_middle_incremental_repairs_chainparent_idis repointed to the surviving ancestor, backing file is rebased, downstream restore still correcttest_refuse_delete_full_with_childrenCloudRuntimeException;forced=truecascadestest_stopped_vm_falls_back_to_fullManual scenarios (outside smoke scope)
full.every=10; take 25 backups across 5 daysbackup_detailscarries no chain keysnas.backup.incremental.enabled=falsezone-scopedvirsh checkpoint-create; INC succeeds; restore from this INC is correctnasbackup.shlegacy invocation-M/--bitmap-*Backwards-compat checks
TakeBackupCommandnew fields default null → 4.22 agents ignore them (covered by Scenario B).chain_idinbackup_detailsare treated as standalone FULLs; cascade-delete short-circuits without touching them.RebaseBackupCommandis only sent when chain metadata is present, so a downgraded agent never receives it.Results
Test results from running this plan will be posted as a follow-up comment after execution.
Refs