Version 1.14. This version is no longer supported. For information about how to upgrade to version 1.15, see Upgrading Anthos on bare metal in the 1.15 documentation. For more information about supported and unsupported versions, see the Version history page in the latest documentation.
This page describes how to use bmctl to back up and restore clusters created
with Google Distributed Cloud. These instructions apply to all cluster types supported
by Google Distributed Cloud.
The bmctl backup and restore process does not include persistent
volumes. Any volumes created by the local volume provisioner (LVP) are left
unaltered.
Back up a cluster
The bmctl backup cluster command adds the cluster information from the etcd
store and the PKI certificates for the specified cluster the cluster to a tar
file. The etcd store is the Kubernetes backing store for all cluster data and
contains all the Kubernetes objects and custom objects required to manage
cluster state. The PKI certificates are used for authentication over TLS. This
data is backed up from the cluster's control plane or from one of the control
planes for a
high-availability (HA)
deployment.
The backup tar file contains sensitive credentials, including your service
account keys and the SSH key. Store backup files in a secure location. To
prevent unintended file exposure, the Google Distributed Cloud backup process uses
in-memory files only.
Back up your clusters regularly to ensure your snapshot data is relatively
current. Adjust the rate of backups to reflect the frequency of significant
changes to your clusters.
The bmctl version you use to back up a cluster must match the version of
the managing cluster.
To back up a cluster:
Ensure your cluster is operating properly, with working credentials and SSH
connectivity to all nodes.
The intent of the backup process is to capture your cluster in a known good
state, so that you can restore operation if a catastrophic failure occurs.
CLUSTER_NAMESPACE: the namespace for the
cluster. By default, the cluster namespaces for Google Distributed Cloud
are the name of the cluster prefaced with cluster-. For example, if
you name your cluster test, the namespace has a name like
cluster-test.
ADMIN_KUBECONFIG: the path of the kubeconfig file for
the admin cluster.
Check the Status section in the command output for Conditions of type
Reconciling.
As shown in the following example, a status of False for these
Conditions means the cluster is stable and ready to be backed up.
...
Status:
...
Cluster State: Running
...
Control Plane Node Pool Status:
...
Conditions:
Last Transition Time: 2023-11-03T16:37:15Z
Observed Generation: 1
Reason: ReconciliationCompleted
Status: False
Type: Reconciling
...
ADMIN_KUBECONFIG: the path to the admin cluster
kubeconfig file.
By default, the backup tar file saved to the workspace directory
(bmctl-workspace, by default) on your admin workstation. The tar file is named
CLUSTER_NAME_backup_TIMESTAMP.tar.gz,
where CLUSTER_NAME is the name of the cluster being
backed up and TIMESTAMP is the date and time the backup
was made. For example, if the cluster name is testuser, the backup file
has a name like testuser_backup_2006-01-02T150405Z0700.tar.gz.
To specify a different name and location for your backup file, use the
--backup-file flag.
The backup file expires after a year and the cluster restore process doesn't
work with expired backup files.
Restore a cluster
Restoring a cluster from a backup is a last resort and should be used when a
cluster has failed catastrophically and cannot be returned to service any other
way. For example, the etcd data is corrupted or the etcd Pod is in a crash
loop.
The backup tar file contains sensitive credentials, including your service
account keys and the SSH key. To prevent unintended file exposure, the
Google Distributed Cloud restore process uses in-memory files only.
The bmctl version you use to restore a cluster must match the version of
the managing cluster.
To restore a cluster:
Ensure all node machines that were available for the cluster at the time of
the backup are operating properly and reachable.
Ensure that SSH connectivity between nodes works with the SSH keys that were
used at the time of the backup.
These SSH keys are reinstated as part of the restore process.
Ensure that the service account keys that were used at the time of the
backup are still active.
These service account keys are reinstated for the restored cluster.
To restore an admin, hybrid, or standalone cluster, run the following
command:
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-04 UTC."],[[["\u003cp\u003e\u003ccode\u003ebmctl\u003c/code\u003e is used to back up and restore Google Distributed Cloud clusters, applicable to all cluster types, but restoring from a backup should be a last resort due to the overwriting nature of the process.\u003c/p\u003e\n"],["\u003cp\u003eThe \u003ccode\u003ebmctl backup cluster\u003c/code\u003e command creates a tar file containing cluster data from the etcd store and PKI certificates, which are essential for managing cluster state and TLS authentication.\u003c/p\u003e\n"],["\u003cp\u003eBefore backing up, ensure the cluster is stable by running a cluster check and confirming it is not in a reconciliation state, and backups should be done regularly.\u003c/p\u003e\n"],["\u003cp\u003eThe \u003ccode\u003ebmctl restore cluster\u003c/code\u003e command is used for restoring clusters, requiring all node machines, SSH keys, and service account keys to be available as they were during the backup.\u003c/p\u003e\n"],["\u003cp\u003eBackup files expire after one year and the \u003ccode\u003ebmctl\u003c/code\u003e version used for backup and restore must be the same as the managing cluster's version.\u003c/p\u003e\n"]]],[],null,["# Back up and restore clusters with bmctl\n\n\u003cbr /\u003e\n\nThis page describes how to use `bmctl` to back up and restore clusters created\nwith Google Distributed Cloud. These instructions apply to all cluster types supported\nby Google Distributed Cloud.\n| **Warning:** Using a backup file to restore your cluster is a last resort. The restore process resets the existing cluster and overwrites the cluster information. We don't recommend restoring from a backup file unless the cluster has failed catastrophically. Contact Cloud Customer Care for help in deciding the best course of action.\n\nThe `bmctl` backup and restore process does not include persistent\nvolumes. Any volumes created by the local volume provisioner (LVP) are left\nunaltered.\n\nBack up a cluster\n-----------------\n\nThe `bmctl backup cluster` command adds the cluster information from the etcd\nstore and the PKI certificates for the specified cluster the cluster to a tar\nfile. The etcd store is the Kubernetes backing store for all cluster data and\ncontains all the Kubernetes objects and custom objects required to manage\ncluster state. The PKI certificates are used for authentication over TLS. This\ndata is backed up from the cluster's control plane or from one of the control\nplanes for a\n[high-availability](/anthos/clusters/docs/bare-metal/1.14/installing/install-prep#high_availability) (HA)\ndeployment.\n\nThe backup tar file contains sensitive credentials, including your service\naccount keys and the SSH key. Store backup files in a secure location. To\nprevent unintended file exposure, the Google Distributed Cloud backup process uses\nin-memory files only.\n\nBack up your clusters regularly to ensure your snapshot data is relatively\ncurrent. Adjust the rate of backups to reflect the frequency of significant\nchanges to your clusters.\n\nThe `bmctl` version you use to back up a cluster must match the version of\nthe managing cluster.\n\nTo back up a cluster:\n\n1. Ensure your cluster is operating properly, with working credentials and SSH\n connectivity to all nodes.\n\n The intent of the backup process is to capture your cluster in a known good\n state, so that you can restore operation if a catastrophic failure occurs.\n\n Use the following command to check your cluster: \n\n bmctl check cluster -c \u003cvar translate=\"no\"\u003eCLUSTER_NAME\u003c/var\u003e --kubeconfig \u003cvar label=\"path of the kubeconfig file for the admin cluster\" translate=\"no\"\u003eADMIN_KUBECONFIG\u003c/var\u003e\n\n Replace the following:\n - \u003cvar translate=\"no\"\u003eCLUSTER_NAME\u003c/var\u003e: the name of the cluster you plan to back up.\n - \u003cvar translate=\"no\"\u003eADMIN_KUBECONFIG\u003c/var\u003e: the path of the kubeconfig file for the admin cluster.\n2. Run the following command to ensure the target cluster is not in\n a reconciliation state:\n\n kubectl describe cluster \u003cvar translate=\"no\"\u003eCLUSTER_NAME\u003c/var\u003e -n \u003cvar translate=\"no\"\u003eCLUSTER_NAMESPACE\u003c/var\u003e --kubeconfig \u003cvar label=\"path of the kubeconfig file for the admin cluster\" translate=\"no\"\u003eADMIN_KUBECONFIG\u003c/var\u003e\n\n Replace the following:\n - \u003cvar translate=\"no\"\u003eCLUSTER_NAME\u003c/var\u003e: the name of the cluster to back up.\n - \u003cvar translate=\"no\"\u003eCLUSTER_NAMESPACE\u003c/var\u003e: the namespace for the cluster. By default, the cluster namespaces for Google Distributed Cloud are the name of the cluster prefaced with `cluster-`. For example, if you name your cluster `test`, the namespace has a name like `cluster-test`.\n - \u003cvar translate=\"no\"\u003eADMIN_KUBECONFIG\u003c/var\u003e: the path of the kubeconfig file for the admin cluster.\n3. Check the `Status` section in the command output for `Conditions` of type\n `Reconciling`.\n\n As shown in the following example, a status of `False` for these\n `Conditions` means the cluster is stable and ready to be backed up. \n\n ...\n Status:\n ...\n Cluster State: Running\n ...\n Control Plane Node Pool Status:\n ...\n Conditions:\n Last Transition Time: 2023-11-03T16:37:15Z\n Observed Generation: 1\n Reason: ReconciliationCompletedStatus: False\n Type: Reconciling\n ...\n\n4. Run the following command to back up the cluster:\n\n bmctl backup cluster -c \u003cvar translate=\"no\"\u003eCLUSTER_NAME\u003c/var\u003e --kubeconfig \u003cvar label=\"path of the kubeconfig file for the admin cluster\" translate=\"no\"\u003eADMIN_KUBECONFIG\u003c/var\u003e\n\n Replace the following:\n - \u003cvar translate=\"no\"\u003eCLUSTER_NAME\u003c/var\u003e: the name of the cluster to back up.\n - \u003cvar translate=\"no\"\u003eADMIN_KUBECONFIG\u003c/var\u003e: the path to the admin cluster kubeconfig file.\n\n By default, the backup tar file saved to the workspace directory\n (`bmctl-workspace`, by default) on your admin workstation. The tar file is named\n \u003cvar translate=\"no\"\u003eCLUSTER_NAME\u003c/var\u003e`_backup_`\u003cvar translate=\"no\"\u003eTIMESTAMP\u003c/var\u003e`.tar.gz`,\n where \u003cvar translate=\"no\"\u003eCLUSTER_NAME\u003c/var\u003e is the name of the cluster being\n backed up and \u003cvar translate=\"no\"\u003eTIMESTAMP\u003c/var\u003e is the date and time the backup\n was made. For example, if the cluster name is `testuser`, the backup file\n has a name like `testuser_backup_2006-01-02T150405Z0700.tar.gz`.\n\n To specify a different name and location for your backup file, use the\n `--backup-file` flag.\n\nThe backup file expires after a year and the cluster restore process doesn't\nwork with expired backup files.\n\nRestore a cluster\n-----------------\n\nRestoring a cluster from a backup is a last resort and should be used when a\ncluster has failed catastrophically and cannot be returned to service any other\nway. For example, the etcd data is corrupted or the `etcd` Pod is in a crash\nloop.\n\nThe backup tar file contains sensitive credentials, including your service\naccount keys and the SSH key. To prevent unintended file exposure, the\nGoogle Distributed Cloud restore process uses in-memory files only.\n\nThe `bmctl` version you use to restore a cluster must match the version of\nthe managing cluster.\n\nTo restore a cluster:\n\n1. Ensure all node machines that were available for the cluster at the time of\n the backup are operating properly and reachable.\n\n2. Ensure that SSH connectivity between nodes works with the SSH keys that were\n used at the time of the backup.\n\n These SSH keys are reinstated as part of the restore process.\n3. Ensure that the service account keys that were used at the time of the\n backup are still active.\n\n These service account keys are reinstated for the restored cluster.\n4. To restore an admin, hybrid, or standalone cluster, run the following\n command:\n\n bmctl restore cluster -c \u003cvar translate=\"no\"\u003eCLUSTER_NAME\u003c/var\u003e --backup-file \u003cvar translate=\"no\"\u003eBACKUP_FILE\u003c/var\u003e\n\n Replace the following:\n - \u003cvar translate=\"no\"\u003eCLUSTER_NAME\u003c/var\u003e: the name of the cluster you are restoring.\n - \u003cvar translate=\"no\"\u003eBACKUP_FILE\u003c/var\u003e: the path and name of the backup file you are using.\n5. To restore a user cluster, run the following command:\n\n bmctl restore cluster -c \u003cvar translate=\"no\"\u003eCLUSTER_NAME\u003c/var\u003e --backup-file \u003cvar translate=\"no\"\u003eBACKUP_FILE\u003c/var\u003e \\\n --kubeconfig \u003cvar label=\"path of the kubeconfig file for the admin cluster\" translate=\"no\"\u003eADMIN_KUBECONFIG\u003c/var\u003e\n\n Replace the following:\n - \u003cvar translate=\"no\"\u003eCLUSTER_NAME\u003c/var\u003e: the name of the cluster you are restoring.\n - \u003cvar translate=\"no\"\u003eBACKUP_FILE\u003c/var\u003e: the path and name of the backup file you are using.\n - \u003cvar translate=\"no\"\u003eADMIN_KUBECONFIG\u003c/var\u003e: the path to the admin cluster kubeconfig file.\n\nAt the end of the restore process, a new kubeconfig file is generated for the\nrestored cluster."]]