Nomad
Command: operator snapshot save
The operator snapshot save
command retrieves an atomic, point-in-time
snapshot of the state of the Nomad servers, which includes jobs, nodes,
allocations, periodic jobs, and ACLs for outage recovery.
If you enabled ACLs, you must supply a management token in order to perform snapshot operations.
Warning
This command includes Nomad's keyring in the snapshot. If you are not using a
KMS provider to secure the keyring, you should use the -redact
flag to
remove key material before transmitting the snapshot to HashiCorp Support.
Snapshots made before Nomad 1.9.0 will not include the keyrings. If you use older snapshots to recover a cluster, you also need to restore the keyring onto at least one server. Refer to the Key Management's Restoring the Keyring from Backup section for instructions.
Run the nomad operator snapshot save
command to create a snapshot from the
leader server.
This example saves the backup to backup.snap
.
$ nomad operator snapshot save backup.snap
This example creates a potentially stale snapshot from any available server
and saves it to backup.snap
. The -stale
option is useful if no
leader is available.
$ nomad operator snapshot save -stale backup.snap
Usage
nomad operator snapshot save [options] <file>
General Options
-address=<addr>
: The address of the Nomad server. Overrides theNOMAD_ADDR
environment variable if set. Defaults tohttp://127.0.0.1:4646
.-region=<region>
: The region of the Nomad server to forward commands to. Overrides theNOMAD_REGION
environment variable if set. Defaults to the Agent's local region.-no-color
: Disables colored command output. Alternatively,NOMAD_CLI_NO_COLOR
may be set. This option takes precedence over-force-color
.-force-color
: Forces colored command output. This can be used in cases where the usual terminal detection fails. Alternatively,NOMAD_CLI_FORCE_COLOR
may be set. This option has no effect if-no-color
is also used.-ca-cert=<path>
: Path to a PEM encoded CA cert file to use to verify the Nomad server SSL certificate. Overrides theNOMAD_CACERT
environment variable if set.-ca-path=<path>
: Path to a directory of PEM encoded CA cert files to verify the Nomad server SSL certificate. If both-ca-cert
and-ca-path
are specified,-ca-cert
is used. Overrides theNOMAD_CAPATH
environment variable if set.-client-cert=<path>
: Path to a PEM encoded client certificate for TLS authentication to the Nomad server. Must also specify-client-key
. Overrides theNOMAD_CLIENT_CERT
environment variable if set.-client-key=<path>
: Path to an unencrypted PEM encoded private key matching the client certificate from-client-cert
. Overrides theNOMAD_CLIENT_KEY
environment variable if set.-tls-server-name=<value>
: The server name to use as the SNI host when connecting via TLS. Overrides theNOMAD_TLS_SERVER_NAME
environment variable if set.-tls-skip-verify
: Do not verify TLS certificate. This is highly not recommended. Verification will also be skipped ifNOMAD_SKIP_VERIFY
is set.-token
: The SecretID of an ACL token to use to authenticate API requests with. Overrides theNOMAD_TOKEN
environment variable if set.
Snapshot Save Options
-redact
: The redact option will locally edit the snapshot to remove any cleartext key material from the root keyring. Only the AEAD keyring provider has cleartext key material in Raft. Note that this operation requires loading the snapshot into memory locally.-stale
: The stale option defaults tofalse
, which means the leader provides the result. If the cluster is in an outage state without a leader, you may need to set-stale
totrue
to get the configuration from a non-leader server.