Skip to main content

asrestore command-line options

The asrestore utility restores backups created with asbackup. If the namespace on the cluster already contains existing records, a configurable write policy determines, which records take precedence - records in the namespace or records from the backup. The Write Policy section on the overview page has more details on this.

If the initial insertion of a record fails asrestore will retry inserting the record 10 times. Between tries there is a 1 second pause and the error is written to the logs at the debug severity level. If a record is not written after 10 tries, the restore is aborted with the error message "Too many errors, giving up". The specific errors in which a retry is not effected are "record exists" (when the --unique option is used), "generation mismatch" (unless if the --no-generation option is used) and "invalid username or password".

When run with the --directory option, asrestore expects multiple .asb backup files in the given directory. Alternatively, --input-file makes asrestore read the complete backup from the given single file. If - is specified as the file, asrestore reads the backup from stdin. This allows for pipelines:

cat backup.asb.gz | gunzip | asrestore --input-file - [...]


The -Z or --help option of asrestore gives an overview of all supported command line options.

$ asrestore --help

The most basic form of running asrestore is to just specify the cluster to restore (--host) and the local directory containing the backup files (--directory). Suppose that we have a cluster that contains a node with IP address To restore a backup from directory backup_2015_08_24, we would issue the following command.

$ asrestore --host --directory backup_2015_08_24

By default, the backup is restored to the namespace that it was taken from. The --namespace option can be used to restore to a different namespace. Suppose that the above backup was taken from namespace test and we would like to restore it to namespace prod. We would then issue the following command.

$ asrestore --host --directory backup_2015_08_24 --namespace test,prod

Connection Options

-h <host> or --host <host> host that acts as the entry point to the cluster. Any of the cluster nodes can be specified. The remaining cluster nodes will be automatically discovered.
-p <port> or --port <port>3000Port to connect to.
-U <user> or --user <user>-User name with write permission. Mandatory if the server has security enabled.
-P<password> or --password-Password to authenticate the given user. The first form passes the password on the command line. The second form prompts for the password.
-A or --authINTERNALSet authentication mode when user and password are defined. Modes are (INTERNAL, EXTERNAL, EXTERNAL_INSECURE, PKI) and the default is INTERNAL. This mode must be set EXTERNAL when using LDAP.
-t <threads> or --parallel <threads>20The number of client threads to spawn for writing to the cluster. Higher numbers mean faster restores, which may, however, have a negative impact on server performance.
--tls-enabledisabledIndicates a TLS connection should be used.
-T <timeout> or --timeout <timeout>10000Timeout (ms) for Aerospike commands to write records, create indexes and create UDFs.
-S or --services-alternatefalseUse to connect to alternate-access-address when the cluster nodes publish IP addresses through access-address which are not accessible over WAN and alternate IP addresses accessible over WAN through alternate-access-address.
--socket-timeout <ms>10000Socket timeout for write transactions in milliseconds. If this value is 0, it is set to total-timeout. If both are 0, there is no socket idle time limit.
--total-timeout <ms>0Total socket timeout in milliseconds. If this value is 0 and --timeout is set, then the --timeout value is used as the write transaction timeout. Default is 0, i.e. no timeout.
--max-retries <n>0Maximum number of retries before aborting the current write transaction.
--retry-delay <ms>0The amount of time to sleep between retries of write transactions.

TLS Options

--tls-cafile=TLS_CAFILEPath to a trusted CA certificate file.
--tls-capath=TLS_CAPATHPath to a directory of trusted CA certificates.
--tls-name=TLS_NAMEThe default TLS name used to authenticate each TLS socket connection. Note: this must also match the cluster name.
--tls-protocols=TLS_PROTOCOLSSet the TLS protocol selection criteria. This format is the same as Apache's SSLProtocol documented at . If not specified the asrestore will use '-all +TLSv1.2' if has support for TLSv1.2, otherwise it will be '-all +TLSv1'.
--tls-cipher-suite=TLS_CIPHER_SUITESet the TLS cipher selection criteria. The format is the same as Open_sSL's Cipher List Format documented at .
--tls-keyfile=TLS_KEYFILEPath to the key for mutual authentication (if Aerospike Cluster is supporting it).
--tls-keyfile-password=TLS_KEYFILE_PASSWORDPassword to load protected tls-keyfile. It can be one of the following:
1) Environment varaible: 'env:<VAR>'
2) File: 'file:<PATH>'
3) String: 'PASSWORD'
User will be prompted on command line if --tls-keyfile-password specified and no password is given.
--tls-certfile=TLS_CERTFILE <path>Path to the chain file for mutual authentication (if Aerospike Cluster is supporting it).
--tls-cert-blacklist <path>Path to a certificate blacklist file. The file should contain one line for each blacklisted certificate. Each line starts with the certificate serial number expressed in hex. Each entry may optionally specify the issuer name of the certificate (serial numbers are only required to be unique per issuer). Example: 867EC87482B2 /C=US/ST=CA/O=Acme/OU=Engineering/CN=TestChainCA
--tls-crl-checkEnable CRL checking for leaf certificate. An error occurs if a valid CRL files cannot be found in tls_capath.
--tls-crl-checkallEnable CRL checking for entire certificate chain. An error occurs if a valid CRL files cannot be found in tls_capath.
--tls-log-session-infoEnable logging session information for each TLS connection.

The tlsname is only used when connecting with a secure TLS enabled server. The following example restores a cluster backup to node using the default Aerospike port of 3000 with tls configured.

HOST is "<host>[:<tlsname>][:`<port>`],...".

asrestore --host --directory backup_2015_08_24 --namespace test --tls-enable --tls-cafile /cluster_name.pem --tls-protocols TLSv1.2 --tls-keyfile /cluster_name.key --tls-certfile /cluster_name.pem

Input Options

-d <path> or --directory <path>-Directory from which to read the .asb backup files. Mandatory, unless --input-file is given.
-i <path> or --input-file <path>-The single file from which to read the backup. - means stdin. Mandatory, unless --directory is given.
-N <bandwidth>,<TPS> or --nice <bandwidth>,<TPS>-Throttles asrestore's read operations from the backup file(s) to not exceed the given I/O bandwidth in MiB/s and its database write operations to not exceed the given number of transactions per second. Useful to limit the impact of asrestore on server performance.
-y <compression_alg> or --compress <compression_alg>noneThe decompression algorithm to be used on backup files as they are read. This option must match that used when taking the backup. The options available are zstd. See compression and encryption
-z <encryption_alg> or --encrypt <encryption_alg>noneThe decryption algorithm to be used on backup files as they are read. This option must match that used when taking the backup. The options available are aes128 and aes256. This option must be accompanied by either --encryption-key-file or encryption-key-env. See compression and encryption

Data Selection Options

-n <original-ns>[,<new-ns>] or --namespace <original-ns>[,<new-ns>]Original namespaceNamespace to be restored. By default, asrestore restores a backup to the namespace from which it was taken. If this option is specified and the namespace from which the backup was taken does not match <original-ns>, asrestore aborts with an error. This ensures that we restore the data that we intend to restore. If <new-ns> is specified, the backup will be restored to <new-ns> instead of the namespace from which it was taken.
-s <set1>[,<set2>[,...]] or --set-list <set1>[,<set2>[,...]]All setsThe sets to restore.
-B <bin1>[,<bin2>[,...]] or --bin-list <bin1>[,<bin2>[,...]]All binsThe bins to restore.
-R or --no-records-Do not restore any record data (metadata or bin data). By default, asrestore restores record data, secondary index definitions, and UDF modules.
-I or --no-indexes-Do not restore any secondary index definitions. See above.
-F or --no-udfs-Do not restore any UDF modules. See above.
-K or --ignore-record-errorfalseIgnore permanent record specific error. e.g AEROSPIKE_RECORD_TOO_BIG. By default such errors are not ignored and asrestore terminates. Optional: Use verbose mode to see errors in detail.

Write Policy Options

-u or --unique-Existing records take precedence. With this option, only records that do not exist in the namespace are restored, regardless of generation numbers. If a record exists in the namespace, the record from the backup is ignored. Note: this option is mutually exclusive to --replace and --no-generation.
-g or --no-generation-Records from backups take precedence. This option disables the generation check. With this option, records from the backup always overwrite records that already exist in the namespace, regardless of generation numbers. Note: this option is mutually exclusive to --unique. {{#warn}}By using this option you may lose a more recent version of your data by overwriting it with an older version.{{/warn}}
-r or --replace-Replace records. This controls how records from the backup overwrite existing records in the namespace. By default, restoring a record from a backup only replaces the bins contained in the backup; all other bins of an existing record remain untouched. With this option, the existing record is completely replaced; i.e., any bins that are not contained in the backup are discarded. This option still does a generation check by default and would need to be combined with the -g option if no generation check is desired. Note: this option is mutually exclusive to --unique.
-l or --extra-ttl <N>-For records with expirable void-times, add N seconds of extra-ttl to the recorded void-time.

Restore from S3

To restore files from Amazon S3, prefix file/directory names with "s3://<bucket>/<key>", where <bucket> is the name of the S3 bucket to download from, and <key> is the key of the object to download/prefix of files in the S3 "directory". If using the default S3 endpoint, --s3-region <region> must be set to the region that the bucket you're uploading to is in. If using another endpoint, specify that endpoint with --s3-endpoint-override <url>.

Files are downloaded in chunks of 5MB, and the maximum number of simultaneous downloads across all threads is controlled with --s3-max-async-downloads.

--s3-region <region>-Sets the S3 region of the bucket being uploaded to/downloaded from. Must be set if using the default S3 endpoint.
--s3-endpoint-override <url>-Sets the S3 endpoint to use. Must point to an S3-compatible storage system.
--s3-profile <profile_name>defaultSets the S3 profile to use for credentials.
--s3-max-async-downloads <n>32The maximum number of simultaneous download requests from S3.


To restore all records to an S3 bucket "test-bucket" in region "us-west-1" under directory "test-dir", run

asrestore -d s3://test-bucket/test-dir --s3-region us-west-1

Configuration File Options

asrestore can be configured by using tools configuration files. Please see Aerospike Tools Configuration for more details. The following options effect configuration file behavior.

--no-config-file disabledDo not read any configuration file. Mutually exclusive to --only-config-file.
--instance <name>-Section with these instance is read. e.g in case instance a is specified sections cluster_a, asrestore_a is read.
--config-file <path>-Read this file after default configuration file.
--only-config-file <path>-Read only this configuration file. Mutually exclusive to --no-config-file.

Other Options

-v or --verbosedisabledOutput considerably more information about the running restore.
-L or --indexes-last-Create indexes after restoring everything else. By default, indexes are restored before everything else, which can prevent costly SSD reads required to build the indexes.
-w or --wait-Wait for secondary indexes to finish building before proceeding. Wait for restored UDFs to be distributed across the cluster.
-m or --machine <path>-Output machine-readable status updates to the given path, typically a FIFO.

If you would like to change the target set to which to restore data, please contact Aerospike Support for assistance.