Configuring TrilioVault

Added external database support. Added the OpenStack distribution for storage (mount path).
The TrilioVault configuration process uses Ansible scripts. Ansible has grown in popularity over the last few years as a preferred configuration management tool, and TrilioVault uses Ansible playbooks extensively to configure the TrilioVault cluster. To troubleshoot TrilioVault configuration issues, the user should have a basic understanding of Ansible playbook output.
Ansible modules are inherently idempotent, so the TrilioVault configuration can be run any number of times to change or reconfigure the TrilioVault cluster.
Once the VM is booted, point your browser (Chrome or Firefox) to the TrilioVault node IP address.
This will bring you to the TrilioVault Dashboard, which contains the TrilioVault configurator.
The user is: admin
The default password is: password
After the very first login, you are requested to change the admin password.
Unlike previous versions of TrilioVault, the current version only requires you to configure the cluster once and the TrilioVault dashboard provides cluster-wide management capability.

Uploading the OpenStack certificate bundle

OpenStack endpoints can be configured to use TLS. In such a configuration the TrilioVault appliance needs to trust the certificates provided by the OpenStack endpoints.
To achieve this trust it is required to upload the OpenStack certificate bundle through the OS API certificate tab of the TrilioVault appliance Dashboard.
The certificate bundle is located on the controller nodes of the OpenStack installation.
The default paths for each distribution are as follows:
  • RHOSP/TripleO: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
  • Kolla Ansible with CentOS: /etc/pki/tls/certs/ca-bundle.crt
  • Kolla Ansible with Ubuntu: /usr/local/share/ca-certificates/
  • OpenStack Ansible (OSA) with Ubuntu in our lab: /etc/openstack_deploy/ssl/
  • OpenStack Ansible (OSA) with CentOS: /etc/openstack_deploy/ssl
The uploaded certificates can be verified on the TrilioVault appliance at the following location.

Details needed for the TrilioVault Appliance

Upon logging in to an unconfigured TrilioVault Appliance, the page shown is the configurator. The configurator requires some information about the TrilioVault Appliance, OpenStack, and Backup Storage.

TrilioVault Cluster information

The TrilioVault Cluster needs to be integrated into an existing environment to be able to operate correctly. This block asks for information about the TrilioVault Cluster operating details.
  • Controller Nodes
    • This is the list of TrilioVault virtual appliance IP addresses along with their hostnames.
    • Format: comma-separated list with pairs combined through '='
    • Example:,,’
The TrilioVault Cluster supports only 1 node and 3 node clusters.
  • Virtual IP Address
    • This is the TrilioVault cluster IP address which is mandatory
    • Format: IP/Subnet
    • Example:
The Virtual IP is mandatory even for single-node clusters and has to be different from any IP given at the Controller Nodes.
  • Name Server
    • List of nameservers, primarily used to resolve OpenStack service endpoints.
    • Format: comma-separated list
    • example:,
  • Domain Search Order
    • The domain the TrilioVault Cluster will use.
    • Format: comma-separated list
    • example:,trilio.demo
  • NTP Servers
    • NTP servers the TrilioVault Cluster will use
    • format: comma-separated list
    • example:,
  • Timezone
    • Timezone the TrilioVault Cluster will use internally
    • format: pre-populated list
    • example: UTC

Openstack Credentials information

The TrilioVault appliance integrates with one RHV environment. This block asks for the information required to access and connect with the RHV Cluster.
  • Keystone URL
    • The Keystone endpoint used to fetch authentication for configuration
    • format: URL
    • example:
  • Endpoint Type
    • Defines which endpoint type will be used to communicate with the Openstack endpoints
    • format: predefined list of radio buttons
    • example: Public
When FQDNs are used for the Keystone endpoints it is necessary to configure at least one DNS server before the configuration.
Otherwise, the validation of the Openstack Credentials will fail.
  • Domain ID
    • domain the provided user and tenant are located in
    • format: ID
    • example: default
  • Administrator
    • Username of an account with the domain admin role
    • format: String
    • example: admin
  • Password
    • password for the prior provided user
    • format: String
    • example: password
TrilioVault requires domain admin role access. To provide domain admin role to a user, the following command can be used:
openstack role add --domain <domain id> --user <username> admin
The TrilioVault configurator verifies after every entry whether it is possible to log in to OpenStack using the provided credentials.
This verification will fail until all entries are set and correct.
When the verification is successful it is possible to choose the Admin tenant, the Region, and the Trustee role without any error message shown.
  • Admin Tenant
    • The tenant to be used together with the provided user
    • format: a pre-populated list
    • example: admin
  • Region
    • Openstack Region the user and tenant are located in
    • format: a pre-populated list
    • example: RegionOne
  • Trustee Role
    • The Openstack role required to be able to use TrilioVault functionalities
    • format: a pre-populated list
    • example: _member_
When OpenStack Barbican is used to protect encrypted Volumes and to provide encrypted Backups, the Trustee Role has to be Creator or a role that contains the same permissions as the Creator role.
This is required because only the Creator role is able to create, read and delete secrets inside Barbican. The creation of encryption-enabled Workloads will fail when the Trustee Role does not have Creator role permissions.
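A pre-flight check for the cluster and Keystone values described in the two blocks above, as an added example that is not part of TrilioVault or its documentation. It covers the controller node list format, the 1-or-3 node rule, the Virtual IP rules, and the need for a name server when the Keystone URL uses an FQDN. The IP-first ordering of each pair, the function names and the sample values are assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

def parse_controller_nodes(value):
    """Split 'IP=hostname,IP=hostname' into (ip, hostname) pairs.
    The IP-first ordering of each pair is an assumption."""
    nodes = []
    for pair in (p.strip() for p in value.split(",") if p.strip()):
        ip_text, sep, hostname = pair.partition("=")
        if not sep or not hostname.strip():
            raise ValueError(f"controller node {pair!r} is not an IP=hostname pair")
        nodes.append((ipaddress.ip_address(ip_text.strip()), hostname.strip()))
    return nodes

def check_inputs(controller_nodes, virtual_ip, name_servers, keystone_url):
    """Return a list of problems; an empty list means the values are consistent."""
    try:
        nodes = parse_controller_nodes(controller_nodes)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if len(nodes) not in (1, 3):
        problems.append(f"{len(nodes)} controller nodes given, only 1 or 3 are supported")
    try:
        vip = ipaddress.ip_interface(virtual_ip.strip())
        if "/" not in virtual_ip:
            problems.append("Virtual IP must be given as IP/Subnet")
        elif vip.ip in {ip for ip, _ in nodes}:
            problems.append("Virtual IP must differ from every controller node IP")
    except ValueError:
        problems.append(f"Virtual IP {virtual_ip!r} is not a valid IP/Subnet")
    # An FQDN in the Keystone URL can only be validated once a name server is set.
    host = urlsplit(keystone_url).hostname
    if not host:
        problems.append("Keystone URL has no host part")
    else:
        try:
            ipaddress.ip_address(host)
        except ValueError:
            if not [s for s in name_servers.split(",") if s.strip()]:
                problems.append("Keystone URL uses an FQDN but no name server is set")
    return problems

if __name__ == "__main__":
    # Constructed sample values (documentation address range, hypothetical hostnames).
    print(check_inputs("192.0.2.11=tvault-1,192.0.2.12=tvault-2", "192.0.2.11/24",
                       "", "https://keystone.example.test:5000/v3"))
```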

Backup Storage Configuration information

This block requests the necessary information about the backup target that the TrilioVault installation will use to store and read backups.
  • Openstack Dist
    • RHOSP and Kolla Ansible require a special mount point to be used
    • format: predefined list
    • example: RHOSP
  • Backup Storage
    • Defines the Backup Storage protocol to use
    • format: predefined list of radio buttons
    • example: NFS

Using the NFS protocol

  • NFS Export
    • The path under which the NFS Volumes to be used can be found
    • format: comma-separated list of NFS Volumes paths
    • example:,
  • NFS Options
    • NFS options used by the TrilioVault Cluster when mounting the NFS Exports
    • format: NFS options
    • example: nolock,soft,timeo=180,intr,lookupcache=none
Please use the predefined NFS Options and only change them when it is known that changes are necessary.
Trilio is testing against the predefined NFS options.

Using the S3 protocol

  • S3 Compatible
    • Switch between Amazon and other S3 compatible storage solutions
    • format: predefined list
    • example: Amazon S3
  • (S3 compatible) Endpoint URL
    • URL to be used to reach and access the provided S3 compatible storage
    • format: URL
    • example:
  • Access Key
    • Access Key necessary to login into the S3 storage
    • format: access key
  • Secret Key
    • Secret Key necessary to login into the S3 storage
    • format: secret key
    • example: bfAEURFGHsnvd3435BdfeF
  • Region
    • Configured Region for the S3 Bucket (keep the default for S3 compatible without Region)
    • format: String
    • example: us-east-1
  • Signature Version
    • S3 signature version to use for signing into the S3 storage
    • format: string
    • example: default
  • Bucket Name
    • Name of the bucket to be used as Backup target
    • format: string
    • example: Trilio-backup

Using secured non-aws S3 storage

When using a secured connection with a non-AWS S3 storage such as CEPH, you have to provide the certificate used for the connection.
To enter this certificate, type the https://-based endpoint into the Endpoint URL field.
Once you tab out of the field, the upload certificate button is shown. See picture below.
Accessing the upload certificate for secured connection

Workload Import

Check this box in case of reinitialization or reinstallation of the TrilioVault Appliance to import all matching Workloads located on the Backup Target.
Workloads that are not assigned to an existing tenant will fail to import and need to be reassigned manually once the configuration is done.

Advanced settings

At the end of the configurator is the option to activate the advanced settings.
Activating this option makes it possible to configure the Keystone endpoints used for the Datamover API and TrilioVault.

Setup TrilioVault and Datamover API endpoints.

TrilioVault generates Keystone endpoints for 2 services. The TrilioVault Datamover API and the TrilioVault Workloadmanager.
Modern OpenStack installations have the endpoint types split over multiple networks. The advanced settings for the Datamover API endpoints and TrilioVault Workloadmanager endpoints allow configuring TrilioVault accordingly.
The IP addresses used are added as additional VIPs to the TrilioVault cluster.
When FQDNs are used for those endpoints, the TrilioVault configurator resolves each FQDN to learn the IPs, which are then set as VIPs.
It is recommended to verify the Datamover API settings against the ones configured during installation of the TrilioVault components.
If these endpoints already exist in Keystone, the values are prefilled and cannot be changed. If a change is required, delete the old Keystone endpoints first.
Providing a URL with https activates the TLS-enabled configuration, which requires the upload of certificates and the connected private key.

Set up an external database

TrilioVault allows the use of an external MySQL or MariaDB database.
This database needs to be prepared by creating the empty workloadmgr database, creating the workloadmgr user and setting the right permissions. An example command to create this database would be:
create database workloadmgr_auto;
CREATE USER 'trilio'@'localhost' IDENTIFIED BY 'password';
GRANT ALL PRIVILEGES ON workloadmgr_auto.* TO 'trilio'@'' IDENTIFIED BY 'password';
Provide the connection string to the TrilioVault configurator.
mysql://trilio:<password>@<database-host>/workloadmgr_auto?charset=utf8
This value can only be set upon an initial configuration of the TrilioVault solution.
When the Cluster has been configured to use the internal database, then the connection string will not be shown in the next configuration attempt.
In the case of an external database, the connection string will be shown but cannot be edited.

Define the TrilioVault service user password

TrilioVault uses a service user that is located in the OpenStack service project.
The password for this service user will be generated randomly or can be defined in the advanced settings.

Starting the configurator

Once all entries have been set and all validations are error-free the configurator can be started.
  • Click Finish
  • Reconfirm in the pop-up that you want to start the configuration
  • Wait for the configurator to finish
Some elements of the configurator take time. Even when it looks like the configurator is stuck, please wait until the configurator finishes. Should the configurator not have finished after 6h, please contact Trilio Support for help.
The configurator uses Ansible and a few TrilioVault internal API calls. After each configuration block, or after the configurator has finished, it is possible to view the Ansible output.
At the end of a successful configuration, the configurator forwards to the set VIP.