Configuring Trilio

Added external database-support Added the Openstack distribution for storage (mount path)
Trilio configuration process is using Ansible scripts. Ansible, in the last few years, has grown in popularity as a preferred configuration management tool and Trilio uses ansible playbooks extensively to configure the Trilio cluster. To troubleshoot Trilio configuration issues, the user should have a basic understanding of Ansible playbook output.
Ansible modules are inherently idempotent and hence Trilio configuration can run any number of times to change or reconfigure Trilio cluster.
Once the VM is booted, point your browser (Chrome or Firefox) to Trilio node IP address.
This will bring you to the Trilio Dashboard, which contains the Trilio configurator.
The user is: admin The default password is: password
After the very first login, you are requested to change the admin password.
Unlike previous versions of Trilio, the current version only requires you to configure the cluster once and the Trilio dashboard provides cluster-wide management capability.

Uploading the OpenStack certificate bundle

OpenStack endpoints can be configured to use TLS. In such a configuration the Trilio appliance needs to trust the certificates provided by the OpenStack endpoints.
To achieve this trust it is required to upload the OpenStack certificate bundle through the OS API certificate tab of the Trilio appliance Dashboard.
The certificate bundle is located on the controller nodes of the OpenStack installation.
The default paths for each distribution are as follows:
RHOSP/TripleO: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
Kolla Ansible with CentOS: /etc/pki/tls/certs/ca-bundle.crt
Kolla Ansible with Ubuntu: /usr/local/share/ca-certificates/
OpenStack Ansible (OSA) with Ubuntu in our lab: /etc/openstack_deploy/ssl/
OpenStack Asnible (OSA) with CentOS: /etc/openstack_deploy/ssl
The uploaded certificates can be verified on the Trilio appliance at the following location.

Details needed for the Trilio Appliance

Upon login into an unconfigured Trilio Appliance, the shown page is the configurator. The configurator requires some information about the Trilio Appliance, Openstack, and Backup Storage.

Trilio Cluster information

The Trilio Cluster needs to be integrated into an existing environment to be able to operate correctly. This block asks for information about the Trilio Cluster operating details.
  • Controller Nodes
    • This is the list of Trilio virtual appliance IP addresses along with their hostnames.
    • Format: comma-separated list with pairs combined through '='
    • Example:,,’
The Trilio Cluster supports only 1 node and 3 node clusters.
  • Virtual IP Address
    • This is the Trilio cluster IP address which is mandatory
    • Format: IP/Subnet
    • Example:
The Virtual IP is mandatory even for single-node clusters and has to be different from any IP given at the Controller Nodes.
  • Name Server
    • List of nameservers, primarily used to resolve OpenStack service endpoints.
    • Format: comma-separated list
    • example:,
If defining OpenStack endpoint hostnames in the /etc/hosts file on the VM is preferred over a DNS solution you may set the nameserver to, the default gateway.
  • Domain Search Order
    • The domain the Trilio Cluster will use.
    • Format: comma-separated list
    • example:,trilio.demo
  • NTP Servers
    • NTP servers the Trilio Cluster will use
    • format: comma-separated list
    • example:,
  • Timezone
    • Timezone the Trilio Cluster will use internally
    • format: pre-populated list
    • example: UTC

Openstack Credentials information

The Trilio appliance integrates with one RHV environment. This block asks for the information required to access and connect with the RHV Cluster.
  • Keystone URL
    • The Keystone endpoint used to fetch authentication for configuration
    • format: URL
    • example:
  • Endpoint Type
    • Defines which endpoint type will be used to communicate with the Openstack endpoints
    • format: predefined list of radio buttons
    • example: Public
When FQDNs are used for the Keystone endpoints it is necessary to configure at least one DNS server before the configuration.
Otherwise, the validation of the Openstack Credentials will fail.
  • Domain ID
    • domain the provided user and tenant are located in
    • format: ID
    • example: default
  • Administrator
    • Username of an account with the domain admin role
    • format: String
    • example: admin
  • Password
    • password for the prior provided user
    • format: String
    • example: password
Trilio requires domain admin role access. To provide domain admin role to a user, the following command can be used:
openstack role add --domain <domain id> --user <username> admin
The Trilio configurator verifies after every entry if it is possible to login into Openstack using the provided credentials.
This verification will fail until all entries are set and correct.
When the verification is successful it is possible to choose the Admin tenant, the Region, and the Trustee role without any error message shown.
  • Admin Tenant
    • The tenant to be used together with the provided user
    • format: a pre-populated list
    • example: admin
  • Region
    • Openstack Region the user and tenant are located in
    • format: a pre-populated list
    • example: RegionOne
  • Trustee Role
    • The Openstack role required to be able to use Trilio functionalities
    • format: a pre-populated list
    • example: _member_
In the case of utilizing OpenStack Barbican to protect encrypted Volumes and to provide encrypted Backups, the Trustee Role has to be Creator or a role, that contains the same permissions as the Creator role.
This is required as only the Creator role is able to create, read and delete secrets inside Barbican. The creation of encryption-enabled Workloads will fail when the Trustee Role is not having Creator role permissions.

Backup Storage Configuration information

This block is requesting the necessary information about the backup target that the Trilio installation will be used to store and read backups.
  • Openstack Dist
    • RHOSP and Kolla Ansible require a special mount point to be used
    • format: predefined list
    • example: RHOSP
  • Backup Storage
    • Defines the Backup Storage protocol to use
    • format: predefined list of radio buttons
    • example: NFS

Using the NFS protocol

  • NFS Export
    • The path under which the NFS Volumes to be used can be found
    • format: comma-separated list of NFS Volumes paths
    • example:,
  • NFS Options
    • NFS options used by the Trilio Cluster when mounting the NFS Exports
    • format: NFS options
    • example: nolock,soft,timeo=180,intr,lookupcache=none
    • NFS options for Cohesity NFS : nolock,soft,timeo=600,intr,lookupcache=none,nfsvers=3,retrans=10
On Cohesity NFS if Input/Output errors are observed then try increasing timeout and retranse parameter value in NFS options
Please use the predefined NFS Options and only change them when it is know that changes are necessary.
Trilio is testing against the predefined NFS options.

Using the S3 protocol

  • S3 Compatible
    • Switch between Amazon and other S3 compatible storage solutions
    • format: predefined list
    • example: Amazon S3
  • (S3 compatible) Endpoint URL
    • URL to be used to reach and access the provided S3 compatible storage
    • format: URL
    • example:
  • Access Key
    • Access Key necessary to login into the S3 storage
    • format: access key
  • Secret Key
    • Secret Key necessary to login into the S3 storage
    • format: secret key
    • example: bfAEURFGHsnvd3435BdfeF
  • Region
    • Configured Region for the S3 Bucket (keep the default for S3 compatible without Region)
    • format: String
    • example: us-east-1
  • Signature Version
    • S3 signature version to use for signing into the S3 storage
    • format: string
    • example: default
  • Bucket Name
    • Name of the bucket to be used as Backup target
    • format: string
    • example: Trilio-backup

Using secured non-aws S3 storage

When using secured connection with a non-aws S3 storage like CEPH you have to provide the certificate used for the connection.
To enter this certificate type the https:// based endpoint into the field Endpoint URL.
Once you tab out of the field will the upload certificate button be shown. See picture below.
Accessing the upload certificate for secured connection

Workload Import

Check this box in case of reinitialization or reinstallation of the Trilio Appliance to import all matching Workloads located on the Backup Target.
Workloads that are not assigned to an existing tenant will fail to import and need to be reassigned manually once the configuration is done.

Advanced settings

At the end of the configurator is the option to activate the advanced settings.
Activating this option does provide the possibility to configure the Keystone endpoints used for the Datamover API and Trilio.

Setup Trilio and Datamover API endpoints.

Trilio generates Keystone endpoints for 2 services. The Trilio Datamover API and the Trilio Workloadmanager.
Modern Openstack installation have the endpoint types split over multiple networks. The advanced settings for the Datamover API endpoints and Trilio Workloadmanager endpoints allow configuring Trilio accordingly.
Used IP addresses are added as additional VIPs to the Trilio cluster.
In the case of FQDN used for those endpoints will the Trilio configurator resolve the FQDN to learn of the IPs that are then set as VIPs.
It is recommended to verify the datamover api settings against the ones configured during installation of the Trilio components.
If these endpoints do already exist in Keystone are the values prefilled and can not be changed. In case of a change required, delete the old Keystone endpoints first.
Providing an URL with https activates the TLS enabled configuration, which requires the upload of certificates and the connected private key.

Set up an external database

Trilio allows the use of an external MySQL or MariaDB database.
This database needs to be prepared by creating the empty workloadmgr database, creating the workloadmgr user and setting the right permissions. An example command to create this database would be:
create database workloadmgr_auto;
CREATE USER 'trilio'@'localhost' IDENTIFIED BY 'password';
GRANT ALL PRIVILEGES ON workloadmgr_auto.* TO 'trilio'@'' IDENTIFIED BY 'password';
Provide the connection string to the Trilio configurator.
mysql://trilio:[email protected]/workloadmgr_auto?charset=utf8
This value can only be set upon an initial configuration of the Trilio solution.
When the Cluster has been configured to use the internal database, then the connection string will not be shown in the next configuration attempt.
In case of an external database, will the connection string be shown, but is uneditable.

Define the Trilio service user password

Trilio is using a service user that is located in the Openstack service project.
The password for this service user will be generated randomly or can be defined in the advanced settings.

Starting the configurator

Once all entries have been set and all validations are error-free the configurator can be started.
  • Click Finish
  • Reconfirm in the pop-up that you want to start the configuration
  • Wait for the configurator to finish
Some elements of the configurator take time. Even when it looks like the configurator is stuck, please wait till the configurator finishes. Should the configurator have not finished after 6h, please contact Trilio Support for help.
The configurator is using Ansible and a few Trilio internal API calls. After each configuration block or after the configurator finished it is possible to visit the Ansible output.
At the end of a successful configuration does the configurator forward to the set VIP.