1 of 93

T4O-4.3

About Trilio for OpenStack

Trilio, by TrilioData, is a native OpenStack service that provides policy-based comprehensive backup and recovery for OpenStack workloads. The solution captures point-in-time workloads (Application, OS, Compute, Network, Configurations, Data and Metadata of an environment) as full or incremental snapshots. These snapshots can be held in a variety of storage environments including NFS AWS S3 compatible storage. With Trilio and its single click recovery, organizations can improve Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO). With Trilio, IT departments are enabled to fully deploy OpenStack solutions and provide business assurance through enhanced data retention, protection and integrity.

With the use of Trilio’s VAST (Virtual Snapshot Technology), Enterprise IT and Cloud Service Providers can now deploy backup and disaster recovery as a service to prevent data loss or data corruption through point-in-time snapshots and seamless one-click recovery. Trilio takes point-in-time backup of the entire workload consisting of compute resources, network configurations and storage data as one unit. It also takes incremental backups that only captures the changes that were made since last backup. Incremental snapshots save time and storage space as the backup only includes changes since the last backup. The benefits of using VAST for backup and restore could be summarized as below:

Trilio for OpenStack Architecture

Backup-as-a-Service

Trilio is an add on service to OpenStack cloud infrastructure and provides backup and disaster recovery functions for tenant workloads. Trilio is very similar to other OpenStack services including nova, cinder, glance, etc and adheres to all tenets of OpenStack. It is a stateless service that scales with your cloud.

Main Components

Trilio has four main software components:

Trilio ships as a QCOW2 image. User can instantiate one or more VMs from the QCOW2 image on a standalone KVM boxes.
Trilio API is a python module that is installed on all OpenStack controller nodes where the nova-api service is running.
Trilio Datamover is a python module that is installed on every OpenStack compute nodes

Service Endpoints

Trilio is both a provider and consumer into OpenStack ecosystem. It uses other OpenStack services such as nova, cinder, glance, neutron, and keystone and provides its own service to OpenStack tenants. To accomodate all possible OpenStack deployments, Trilio can be configured to use either public or internal URLs of services. Likewise Trilio provides its own public, internal and admin URLs.

Network Topology

This figure represents a typical network topology. Trilio exposes its public URL endpoint on public network and Trilio virtual appliances and data movers typically use either internal network or dedicated backup network for storing and retrieving backup images from backup store.

Trilio 4.3 Release Notes

Deployment Guide

Requirements

Trilio has four main software components:

Trilio ships as a QCOW2 image. User can instantiate one or more VMs from the QCOW2 image on a standalone KVM boxes.
Trilio API is a python module that is an extension to nova api service. This module is installed on all OpenStack controller nodes

Preparing the installation

It is recommended to think about the following elements prior to the installation of Trilio for Openstack.

Tenant Quotas

Trilio uses Cinder snapshots for calculating full and incremental backups. For full backups, Trilio creates Cinder snapshots for all the volumes in the backup job. It then leaves these Cinder snapshots behind for calculating the incremental backup image during next backup. During an incremental backup operation it creates new Cinder snapshots, calculates the changed blocks between the new snapshots and the old snapshots that were left behind during full/previous backups. It then deletes the old snapshots but leaves the newly created snapshots behind. So, it is important that each tenant who is availing Trilio backup functionality has sufficient Cinder snapshot quotas to accommodate these additional snapshots. The guideline is to add 2 snapshots for every volume that is added to backups to volume snapshot quotas for that tenant. You may also increase the volume quotas for the tenant by the same amount because Trilio briefly creates a volume from snapshot to read data from the snapshot for backup purposes. During a restore process, Trilio creates additional instances and Cinder volumes. To accommodate restore operations, a tenant should have sufficient quota for Nova instances and Cinder volumes. Otherwise restore operations will result in failures.

Installing Trilio Components

Once the Trilio VM or the Cluster of Trilio VMs has been spun, the actual installation process can begin. This process contains of the following steps:

Install the Trilio dm-api service on the control plane
Install the Trilio datamover service on the compute plane

Apply the Trilio license

After the Trilio VM has been configured and all components are installed can the license be applied.

The license can be applied either through the admin-tab in Horizon or the CLI

Apply license through Horizon

To apply the license through Horizon follow these steps:

Advanced Ceph configurations

Ceph is the most common OpenSource solution to provide block storage through OpenStack Cinder.

Ceph is a very flexible solution. The possibilities of Ceph require additional steps to the Trilio solution.

Additions for multiple CEPH configurations

It is possible to configure Cinder to have multiple configurations and keyrings for CEPH.

In this case, the Trilio Datamover file needs to be extended with the CEPH information.

For Trilio to be able to work in such an environment it is required to put copies of each of these configurations and keyrings into a separate directory, which is then made known to the Trilio Datamover inside a [ceph] block in the tvault-contego.conf.

A tvault-contego.conf file with the extended [ceph] block would look like this.

[DEFAULT]

vault_storage_type = nfs
vault_storage_nfs_export = 192.168.1.34:/mnt/tvault/tvm5
vault_storage_nfs_options = nolock,soft,timeo=180,intr,lookupcache=none


vault_data_directory_old = /var/triliovault
vault_data_directory = /var/trilio/triliovault-mounts
log_file = /var/log/kolla/triliovault-datamover/tvault-contego.log
debug = False
verbose = True
max_uploads_pending = 3
max_commit_pending = 3

dmapi_transport_url = rabbit://openstack:[email protected]:5672,openstack:[email protected]:5672,openstack:[email protected]:5672//

[dmapi_database]
connection = mysql+pymysql://dmapi:x5nvYXnAn4rXmCHfWTK8h3wwShA4vxMq3gE2jH57@kolla-victoriaR-internal.triliodata.demo:3306/dmapi


[libvirt]
images_rbd_ceph_conf = /etc/ceph/ceph.conf
rbd_user = volumes

[ceph]
keyring_ext = .volumes.keyring
ceph_dir = /etc/ceph/directory1/,/etc/ceph/directory2/

[contego_sys_admin]
helper_command = sudo /usr/bin/privsep-helper


[conductor]
use_local = True

[oslo_messaging_rabbit]
ssl = false

[cinder]
http_retries = 10

Additions for multiple Ceph users

It is possible to configure Cinder and Ceph to use different Ceph users for different Ceph pools and Cinder volume types. Or to have the nova boot volumes and cinder block volumes controlled by different users.

In the case of multiple Ceph users, it is required to adopt the keyring extension in the tvault-contego.conf inside the Ceph block.

The following example will try all files with the extension keyring that are located inside /etc/ceph to access the Ceph cluster for a Trilio related task.

Uninstall Trilio

The uninstallation of Trilio is depending on the Openstack Distribution it is installed in. The high-level process is the same for all Distributions.

Uninstall the Horizon Plugin or the Trilio Horizon container
Uninstall the datamover-api container

Uninstalling from Canonical OpenStack

Trilio is not providing the JuJu Charms to deploy Trilio 4.1 in Canonical Openstack. At the time of release are the JuJu Charms not yet updated to Trilio 4.1. We will update this page once the Charms are available.

Upgrade Trilio

Starting Trilio for Openstack 4.0 does Trilio for Openstack allow in-place upgrades.

The following versions can be upgraded to each other:

Old

New

Upgrade OpenStack

TrilioVault Upgrade Upon RHOSP cloud Upgrade

For example: RHOSP16.1 to RHOSP16.2 upgrade

1] Finish upgrade process for RHOSP cloud

Without any changes in TrilioVault, customer needs to complete RHOSP upgrade process first.

2] Now we need to upgrade TrilioVault to match with new RHOSP release

2.1] Identify correct TrilioVault release for new RHOSP release

Check if current TrilioVault release which is deployed on the RHOSP cloud supports new RHOSP release If it does not support new RHOSP release, identify the next TrilioVault release which supports this new RHOSP release.

2.2] Install TrilioVault using devops code compatible with new RHOSP release

Install TrilioVault release identified in step 2.1, Refer TrilioVault install for RHOSP Get the correct deployment document as per Triliovault release from Trilio support team.

Follow all the steps.

2.3] Done

Switch NFS Backing file

Trilio is using a base64 hash for the mount point of NFS Backup targets. This hash makes sure, that multiple NFS Shares can be used with the same Trilio installation.

This base64 hash is part of the Trilio incremental backups as an absolute path of the backing files. This requires the usage of mount bind during a DR scenario or quick migration scenario.

In the case that there is time for a thorough migration there is another option to change the backing file and make the Trilio backups available on a different NFS Share. This option is updating the backing file to the new NFS Share mount point.

Trilio Appliance Administration Guide

Set Trilio GUI login banner

To configure the banner shown upon accessing the Trilio Appliance GUI do the following.

Login into Trilio Appliance console
edit the banner.yaml at /etc/tvault-config/banner.yaml
restart tvault-config service

The content of the banner.yaml looks as follows and can be edited as required:

Trilio Appliance Dashboard

The Trilio Appliance Dashboard gives an overview of the running services and their Status inside the Cluster. The dashboard can be accessed using the virtual IP.

If service status panels on the dashboard page are not visible then access the virtual IP on port 3001 (https://<T4O-VIP>:3001/) and accept the SSL exception, and then refresh the dashboard page.

The Trilio Appliance Dashboard gives an overview of the running services and their Status inside the Cluster. This dashboard is accessible through the virtual IP.

Set network accessibility of Trilio GUI

By default is the Trilio GUI available on all NICs on port 443.

To limit this to only one IP the following steps need to be applied.

Network Setup

The Trilio Appliance provides by default the possibility of 4 VIPs.

A general VIP which can be used for everything
A public VIP for the public endpoint
An internal VIP for the internal endpoint
An admin VIP for the admin endpoint

Should an additional VIP be required to restrict the access of the Trilio Dashboard to this VIP the new VIP needs to be created as a new resource inside the PCS cluster.

Nginx setup

When the new dashboard_ip has been created or decided, then the next step is to set up the proxy forwarding inside Nginx, which will make the Trilio GUI available through port 8000.

All of the following steps need to be done all Trilio appliances of the cluster.

Create new conf file at /etc/nginx/conf.d/tvault-dashboard.conf. Replace variables dashboard_ip and virtual_ip as configured or decided.
edit /etc/nginx/nginx.conf and uncomment line #include /etc/nginx/conf.d/*.conf;

Limit the access of the Dashboard

The configured dashboard_ip will always end on the nginx service on port 8000 and will then be forwarded to the local dashboard service on port 443.

This configuration limits the required access to the local dashboard service to the Trilio appliance cluster itself. All other connections on port 443 can be dropped.

The following commands will set the required iptable rules.

Verify the accessibility as required

At this point is the Trilio GUI only reachable on the dashboard_ip on port 8000. Accessing the Trilio GUI through any other IP or on port 443 is not allowed.

Reconfigure the Trilio Cluster

The Trilio appliance can be reconfigured at any time to adjust the Trilio cluster to any changes in the Openstack environment or the general backup solution.

To reconfigure the Trilio Cluster go to the "Configure". The configure page shows the current configuration of the TriloVault cluster.

The configuration page also gives access to the ansible playbooks of the last successful configuration.

To start the reconfiguration of the Trilio Cluster click "Reconfigure" at the end of the table.

Follow the Configuring Trilio guide afterwards.

Once the Trilio configurator has started, it needs to run through successfully to continue to use Trilio.

The cluster will not roll back to its last working state in case of any errors.

When the reconfiguration is required to switch to an external database it is necessary to and configure it from scratch.

Change the Trilio GUI password

Change Trilio Dashboard password

To change the Trilio GUI password do:

Login into the Trilio Dashboard
Click on "admin" in the upper right corner to open the submenu
Choose "Reset Password"
Set the new Trilio password

Reset the Trilio GUI password

In case of the Trilio Dashboard being lost it can be resetted as long as SSH access to the appliance is available.

To reset the password to its default do the following:

[root@TVM1 ~]# source /home/stack/myansible/bin/activate
(myansible) [root@TVM1 ~]# cd /home/stack/myansible/lib/python3.6/site-packages/tvault_configurator
(myansible) [root@TVM1 tvault_configurator]# python recreate_conf.py
(myansible) [root@TVM1 tvault_configurator]# systemctl restart tvault-config

The dashboard login will be reset to:

Username: admin
Password: password

Reinitialize Trilio

The Trilio Appliance can be reinitialized, which will delete all workload related values from the Trilio database.

To reinitialize the Trilio Appliance do:

Login into the Trilio Dashboard
Click on "admin" in the upper right corner to open the submenu
Choose "Reinitialize"
Verify that you want to reinitialize the Trilio

Download Trilio logs

It is possible to download the Trilio logs directly through the Trilio web gui.

To download logs throught the Trilio web gui:

Clean up Trilio database

The Trilio database is following an older OpenStack database schema. This schema is not forgetting anything and is instead setting the deleted flag for any data that is no longer valid/deleted.

This leads to ever-growing databases, which can lead to performance degradation.

To counter this a database clean-up and optimization tool has been made available.

User Guide

Schedulers

Definition

Every Workload has its own schedule. Those schedules can be activated, deactivated and modified.

A schedule is defined by:

E-Mail Notifications

Definition

Trilio can notify users via E-Mail upon the completion of backup and restore jobs.

The E-Mail will be sent to the owner of the Workload.

Requirements to activate E-Mail Notifications

To use the E-mail notifications, two requirements need to be met.

Both requirements need to be set or configured by the Openstack Administrator. Please contact your Openstack Administrator to verify the requirements.

User E-Mail assigned

As the E-Mail will be sent to the owner of the Workload does the Openstack User, who created the workload, require to have an E-Mail address associated.

Trilio E-Mail Server configured

Trilio needs to know which E-Mail server to use, to send the E-mail notifications. Backup Administrators can do this in the "Backup Admin" area.

Activate/Deactivate the E-Mail Notifications

E-Mail notifications are activated tenant wide. To activate the E-Mail notification feature for a tenant follow these steps:

Login to Horizon
Navigate to the Backups
Navigate to Settings

Example E-Mails

The following screenshots show example E-mails send by Trilio.

Admin Guide

Managing Trusts

Trilio is using the which enables the Trilio service user to act in the name of another Openstack user.

This system is used during all backup and restore features.

Openstack Administrators should never have the need to directly work with the trusts created.

Disaster Recovery

Trilio Workloads are designed to allow a Desaster Recovery without the need to backup the Trilio database.

As long as the Trilio Workloads are existing on the Backup Target Storage and a Trilio installation has access to them, it is possible to restore the Workloads.

Disaster Recovery Process

Migrating encrypted Workloads

Same cloud - different owner

Migration within the same cloud to a different owner Cloud A — Domain A — Project A — User A => Cloud A — Domain A — Project A — User B Cloud A — Domain A — Project A — User A => Cloud A — Domain A — Project B — User B Cloud A — Domain A — Project A — User A =>Cloud A — Domain B — Project B — User B

Steps used:

Create a secret for Project A in Domain A via User A.
Create encrypted workload in Project A in Domain A via User A. Take snapshot.
Reassign workload to new owner
Load rc file of User A & provide read only rights through acl to the new owner
openstack acl user add --user <userB_id> <secret_href> --insecure

Different cloud

Migration between clouds Cloud A — Domain A — Project A — User A => Cloud B — Domain B — Project B — User B

Steps used:

Create a secret for Project A in Domain A via User A.
Create an encrypted workload in Project A in Domain A via User A. Trigger snapshot.
Reassign workload to Cloud B - Domain B — Project B — User B

Rebasing existing workloads

The Trilio solution is using the qcow2 backing file to provide full synthetic backups.

Especially when the NFS backup target is used, there are scenarios at which this backing file needs to be updated to a new mount path.

To make this process easier and streamlined Trilio is providing the following rebase tool.

Troubleshooting

Frequently Asked Questions

Frequently Asked Questions about Trilio for OpenStack

1. Can Trilio for OpenStack restore instance UUIDs?

Answer: NO

Trilio for OpenStack does not restore Instance UUIDs (also known as Instance IDs). The only scenario where we do not modify the Instance UUID is during an Inplace Restore, where we only recover the data without creating new instances.

When Trilio for OpenStack restores virtual machines (VMs), it effectively creates new instances. This means that new Virtual Machine Instance UUIDs are generated for the restored VMs. We achieve this by orchestrating a call to Nova, which creates new VMs with new UUIDs.

General Troubleshooting Tips

Troubleshooting inside a complex environment like Openstack can be very time-consuming. The following tipps will help to speed up the troubleshooting process to identify root causes.

What is happening where

Openstack and Trilio are divided into multiple services. Each service has a very specific purpose that is called during a backup or recovery procedure. Knowing which service is doing what helps to understand where the error is happening, allowing more focused troubleshooting.

Using the workloadmgr CLI tool on the Trilio Appliance

To use the workloadmgr CLI tool on the Trilio appliance it is only necessary to activate the virtual environment of the workloadmgr

An rc-file to authenticate against Openstack is required.

API GUIDE

Enabling T4O 4.1 or older backups when using NFS backup target

Trilio for OpenStack is generating a base64 hash value for every NFS backup target connected to the T4O solution. This enables T4O to mount multiple NFS backup targets to the same T4O installation.

The mountpoints are generated utilizing a hash value inside the mountpoint, providing a unique mount for every NFS backup target.

This mountpoint is then used inside the incremental backups to point to the qcow2 backing files. The backing file path is required as a full path and can not be set as a relative path. This is a limitation of the qcow2 format.

T4O 4.2 has changed how the hash value gets calculated. T4O 4.1 and prior calculated the hash value out of the complete NFS path provided as shown in the example below.

T4O 4.2 is now only considering the NFS directory part for the hash value as shown below.

It is therefore necessary to make older backups taken by T4O 4.1 or prior available for TVO4.2 to restore.

This can be done by one of two methods:

Rebase all backups and change the backing file path
Make the old mount point available again and point it to the new one using mount bind

Rebase all backups

This method is taking a significant amount of time depending on the number of backups, that need to be rebased. It is therefore recommended to determine the required time through a test workload.

Trilio is providing a script, that is taking care of the rebase procedure. This script can be downloaded from the following location.

Copy and use the script from the Trilio appliance as the nova user.

The nova user is required, as this user owns the backup files, and using any other user will change the ownership and lead to unrestorable backups.

The script is requiring the complete path to the workload directory on the backup target.

This needs to be repeated until all workloads have been rebased.

Use mount bind with the old mount point

This method is a temporary solution, which is to be kept in place until all workloads have gone through a complete retention cycle.

Once all Workloads only contain backups created by T4O 4.2 it is no longer required to keep the mount bind active.

This method is generating a second mount point based on the old hash value calculation and then mounting the new mount point to the old one. By doing this mount bind both mount points will be available and point to the same backup target.

To use this method the following information needs to be available:

old mount path
new mount path

Examples of how to calculate the base64 hash value are shown below.

Old mountpoint hash value:

New mountpoint hash value:

The mount bind needs to be done for all Trilio appliances and Datamover services.

Trilio Appliance

To enable the mount bind on the Trilio appliance follow these steps:

Create the old mountpoint directory mkdir -p old_mount_path
run mount --bind command mount --bind <new_mount_path> <old_mount_path>
set permissions for mountpoint chmod 777 <old_mount_path>

It is recommended to use df -h to identify the current mountpoint as RHOSP, TripleO and Kolla Ansible OpenStack are using a different path than Ansible OpenStack or Canonical OpenStack.

An example is given below.

RHOSP/TripleO Datamover

The following steps need to be done on the overcloud compute node. They don't need to be done inside any container.

To enable the mount bind on the Trilio appliance follow these steps:

Create the old mountpoint directory mkdir -p old_mount_path
run mount --bind command mount --bind <new_mount_path> <old_mount_path>
set permissions for mountpoint chmod 777 <old_mount_path>

Kolla Ansible OpenStack Datamover

The following steps need to be done on the overcloud compute node. They don't need to be done inside any container.

To enable the mount bind on the Trilio appliance follow these steps:

Create the old mountpoint directory mkdir -p old_mount_path
run mount --bind command mount --bind <new_mount_path> <old_mount_path>
set permissions for mountpoint chmod 777 <old_mount_path>

Ansible OpenStack Datamover

The following steps need to be done on the overcloud compute node. They don't need to be done inside any container.

To enable the mount bind on the Trilio appliance follow these steps:

Create the old mountpoint directory mkdir -p old_mount_path
run mount --bind command mount --bind <new_mount_path> <old_mount_path>
set permissions for mountpoint chmod 777 <old_mount_path>

Canonical Openstack WLM & Datamover containers

Canonical OpenStack does the creation of the mountpoint and the mount bind through JuJu using the following commands.

To create the mountpoint, if it doesn't already exist:

To create the mount bind

Trilio network considerations

Trilio integrates natively with Openstack. This includes that Trilio communicates completely through APIs using the Openstack Endpoints. Trilio is also generating its own Openstack endpoints. In addition, is the Trilio appliance and the compute nodes writing to and reading from the backup target. These points affect the network planning for the Trilio installation.

Existing endpoints in Openstack

Openstack knows 3 types of endpoints:

Public Endpoints
Internal Endpoints
Admin Endpoints

Each of these endpoint types is designed for a specific purpose. Public endpoints are meant to be used by the Openstack end-users to work with Openstack. Internal endpoints are meant to be used by the Openstack services to communicate with each other. Admin endpoints are meant to be used by Openstack administrators.

Out of those 3 endpoint types does only the admin endpoint sometimes contain APIs which are not available on any other endpoint type.

To learn more about Openstack endpoints please visit the official Openstack documentation.

Openstack endpoints required by Trilio

Trilio is communicating with all services of Openstack on a defined endpoint type. Which endpoint type Trilio is using to communicate with Openstack is decided during the configuration of the Trilio appliance.

There is one exception: The Trilio Appliance always requires access to the Keystone admin endpoint.

The following network requirement can be identified this way:

Trilio appliance needs access to the Keystone admin endpoint on the admin endpoint network
Trilio appliance needs access to all endpoints of one type

Recommendation: Provide access to all Openstack Endpoint types

Trilio is recommending providing full access to all Openstack endpoints to the Trilio appliance to follow the Openstack standards and best practices.

Trilio is generating its own endpoints as well. These endpoints are pointing towards the Trilio Appliance directly. This means that using those endpoints will not send the API calls towards the Openstack Controller nodes first, but directly to the Trilio VM.

Following the Openstack standards and best practices, it is therefore recommended to put the Trilio endpoints on the same networks as the already existing Openstack endpoints. This allows to extend the purpose of each endpoint type to the Trilio service:

The public endpoint to be used by Openstack users when using Trilio CLI or API
The internal endpoint to communicate with the Openstack services
The admin endpoint to use the required admin only APIs of Keystone

Backup target access required by Trilio

The Trilio solution is using backup target storage to securely place the backup data. Trilio is dividing its backup data into two parts:

Metadata
Volume Disk Data

The first type of data is generated by the Trilio appliance through communicating with the Openstack Endpoints. All metadata that is stored together with a backup is written by the Trilio Appliance to the backup target in the json format.

The second type of data is generated by the Trilio Datamover service running on the compute nodes. The Datamover service is reading the Volume Data from the Cinder or Nova storage and transferring this data as qcow2 image to the backup target. Each Datamover service is hereby responsible for the VMs running on its compute node.

The network requirements are therefor:

The Trilio appliance needs access to the backup target
Every compute node needs access to the backup target

Example of a typical Trilio network integration

Most Trilio customers are following the Openstack standards and best practices to have the public, internal, and admin endpoints on separate networks. They also typically don't have any network yet, which can access the desired backup target.

The starting network configuration typically looks like this:

Following the Openstack standards and Trilio's recommendation will the Trilio Appliance be placed on all those 3 networks. Further is the access to the backup target required by Trilio Appliance and Compute nodes. Here done by adding a 4th network.

The resulting network configuration would look like this:

It is of course possible to combine networks as necessary. As long as the required network access is available will Trilio work.

Other examples of Trilio network integrations

Each Openstack installation is different and so is the network configuration. There are endless possibilities of how to configure the Openstack network and how to implement the Trilio appliance into this network. The following three examples have been seen in production:

The first example is from a manufacturing company, which wanted to split the networks by function and decided to put the Trilio backup target on the internal network as the backup and recovery function was identified as an Openstack internal solution. This example looks complex but integrates Trilio just as recommended.

The second example is from a financial institute that wanted to be sure that the Openstack Users have no direct uncontrolled network access to the Openstack infrastructure. Following this example requires additional work as the internal HA-Proxy needs to be configured to correctly translates the API calls towards the Trilio

The third example is from a service company that was forced to treat Trilio as an external 3rd party solution, as we require a virtual machine running outside of Openstack. This kind of network configuration requires good planning on the Trilio endpoints and firewall rules.

Workload Encryption with Barbican

Learn about encrypting Trilio workloads with Barbican

Introduction

Integrating Trilio for OpenStack 4.2 with Barbican facilitates encryption support for the qcow2-data segment of Trilio backups. However, the JSON files housing the backed-up OpenStack metadata remain unencrypted.

This capability necessitates the presence of the OpenStack Barbican service. Absence of the Barbican service will result in the omission of encryption options for Workloads within the Horizon interface.

Trilio for OpenStack (T4O) 4.2 exclusively retrieves secrets from Barbican, without generating, modifying, or deleting any secrets within the Barbican platform.

Barbican secrets are indispensable for executing backups or restorations in encryption-enabled Workloads. The onus lies on the OpenStack project user to supply these secrets and guarantee their accurate availability.

In order to employ encrypted Workloads, the Trilio trustee role must be capable of interacting with the Barbican service to access and retrieve secrets from Barbican. By default, only the 'admin' and 'creator' roles are endowed with these permissions.

Encryption availability for a Workload is confined to the Workload creation stage. Post-creation, the encryption status of a Workload is irreversible; it cannot be altered or toggled.

Note : When leveraging OpenStack Barbican for protecting encrypted volumes and offering encrypted backups, it's essential that the Trustee Role is assigned as 'Creator' or a role that possesses equivalent permissions to the Creator role.

This is crucial because only the Creator role has the authority to create, read, and delete secrets within Barbican. The generation of encryption-enabled workloads would be unsuccessful if the Trustee Role does not possess the permissions associated with the 'Creator' role.

The following secret configurations are supported for AES-256

Mode(s)

Content Types

Payload Content Encoding

Secret Type

Payload/Secret File

By default Barbican will generate secrets of the following type:

Alghorithm: AES-256 (All supported types utilize this algorithm)
Mode: cbc
content type: application/octet-stream

Prerequisite

For encrypted workload Barbican should enabled on Openstack, then while configuring TVO-4.2, trustee role should be kept as creator .

Additionally every user who’ll be interacting with TrilioVault for any operator, should also have creator role assigned.

1. Secret creation

Secret can be created via OpenStack cli with following the below steps

Source the rc file of the user who is going to create the encrypted workload.
Create any supported type of secret and fetch the secret UUID using OpenStack secret cli.
1. Refer to this guide for more information about

b. View the details of the order to identify the location of the generated key, shown here as the Secret href value: ()[root@overcloudtrain1-controller-0 /]# openstack secret order get https://overcloudtrain1.trilio.local:13311/v1/orders/641bac2c-b5b2-4a7a-9172-8fe0cf55425d +----------------+--------------------------------------------------------------------------------------------+ | Field | Value | +----------------+--------------------------------------------------------------------------------------------+ | Order href | https://overcloudtrain1.trilio.local:13311/v1/orders/641bac2c-b5b2-4a7a-9172-8fe0cf55425d | | Type | Key | | Container href | N/A | | Secret href | https://overcloudtrain1.trilio.local:13311/v1/secrets/f2c96fe2-6ae7-4985-b98c-e571ba05403c | | Created | 2023-07-12T11:38:17+00:00 |

c. Fetch the secret UUID via below command (use Secret href)

()[root@overcloudtrain1-controller-0 /]# openstack secret get https://overcloudtrain1.trilio.local:13311/v1/secrets/f2c96fe2-6ae7-4985-b98c-e571ba05403c +---------------+--------------------------------------------------------------------------------------------+ | Field | Value | +---------------+--------------------------------------------------------------------------------------------+ | Secret href | https://overcloudtrain1.trilio.local:13311/v1/secrets/f2c96fe2-6ae7-4985-b98c-e571ba05403c | | Name | secret2 | | Created | 2023-07-12T11:38:17+00:00 | | Status | ACTIVE | | Content types | {'default': 'application/octet-stream'} | | Algorithm | aes | | Bit length | 256 |

Note down the last value from Secret href URL which is UUID (8-4-4-4-12 format).

For example secret UUID for the Secret href URL https://overcloudtrain1.trilio.local:13311/v1/secrets/f2c96fe2-6ae7-4985-b98c-e571ba05403c will be f2c96fe2-6ae7-4985-b98c-e571ba05403c

This UUID will be used further for creating the encrypted workload.

2. Workload creation

Login to openstack horizon dashboard with user who has created the secret & go to Project->Backup->workloads
click on create workload.
select the checkbox for Enable Encryption

Follow the usual procedure for further tabs (Workload member, Schedule, policy & Option) & click on create.
Workload will be created and value for Encryption field will be True.

Encrypted workload migration

For migration of encrypted workload please follow:

Upgrade from older release to 4.2

For upgrade from older release to 4.2 please follow:

For Trilio configuration please follow:

Snapshots

Definition

A Snapshot is a single Trilio backup of a workload including all data and metadata. It contains the information of all VM's that are protected by the workload.

List of Snapshots

Using Horizon

Login to Horizon
Navigate to the Backups
Navigate to Workloads

The List of Snapshots for the chosen Workload contains the following additional information:

Creation Time
Name of the Snapshot
Description of the Snapshot

Using CLI

--workload_id <workload_id> ➡️ Filter results by workload_id
--tvault_node <host> ➡️ List all the snapshot operations scheduled on a tvault node(Default=None)

Creating a Snapshot

Snapshots are automatically created by the Trilio scheduler. If necessary or in case of deactivated scheduler is it possible to create a Snapshot on demand.

Using Horizon

There are 2 possibilities to create a snapshot on demand.

Possibility 1: From the Workloads overview

Login to Horizon
Navigate to Backups
Navigate to Workloads

Possibility 2: From the Workload Snapshot list

Login to Horizon
Navigate to Backups
Navigate to Workloads

Using CLI

<workload_id>➡️ID of the workload to snapshot.
--full➡️ Specify if a full snapshot is required.

Snapshot overview

Each Snapshot contains a lot of information about the backup. These information can be seen in the Snapshot overview.

Using Horizon

To reach the Snapshot Overview follow these steps:

Login to Horizon
Navigate to Backups
Navigate to Workloads

Details Tab

The Snapshot Details Tab shows the most important information about the Snapshot.

Snapshot Name / Description
Snapshot Type
Time Taken

Restores Tab

The Snapshot Restores Tab shows the list of Restores that have been started from the chosen Snapshot. It is possible to start Restores from here.

Please refer to the User Guide to learn more about Restores.

Misc. Tab

The Snapshot Miscellaneous Tab provides the remaining metadata information about the Snapshot.

Creation Time
Last Update time
Snapshot ID

Using CLI

<snapshot_id>➡️ID of the snapshot to be shown
--output <output>➡️Option to get additional snapshot details, Specify --output metadata for snapshot metadata, Specify --output networks for snapshot vms networks, Specify --output disks for snapshot vms disks

Delete Snapshots

Once a Snapshot is no longer needed, it can be safely deleted from a Workload.

The retention policy will automatically delete the oldest Snapshots according to the configure policy.

You have to delete all Snapshots to be able to delete a Workload.

Deleting a Trilio Snapshot will not delete any Openstack Cinder Snapshots. Those need to be deleted separately if desired.

Using Horizon

There are 2 possibilities to delete a Snapshot.

Possibility 1: Single Snapshot deletion through the submenu

To delete a single Snapshot through the submenu follow these steps:

Login to Horizon
Navigate to Backups
Navigate to Workloads

Possibility 2: Multiple Snapshot deletion through checkbox in Snapshot overview

To delete one or more Snapshots through the Snapshot overview do the following:

Login to Horizon
Navigate to Backups
Navigate to Workloads

Using CLI

<snapshot_id>➡️ID of the snapshot to be deleted

Snapshot Cancel

Ongoing Snapshots can be canceled.

Canceled Snapshots will be treated like errored Snapshots

Using Horizon

Login to Horizon
Navigate to Backups
Navigate to Workloads

Using CLI

<snapshot_id>➡️ID of the snapshot to be canceled

Upgrading on Canonical OpenStack

Learn about upgrading Trilio on Canonical OpenStack

Trilio supports the upgrade of charms and Trilio components from older releases (4.0 onwards) to the latest release. More information about the latest 4.2 Trilio charms for the Trilio-4.2 release can be found here.

The following charms exist:

trilio-wlm ➡️ Installs and manages Trilio Controller services.
➡️Installs and manages the Trilio Datamover API service.
➡️ Installs and manages the Trilio Datamover service.
➡️ Installs and manages the Trilio Horizon Plugin.

The documentation of the charms can be found here:

The following steps have been tested and verified within Trilio environments. There have been cases where these steps updated all packages inside the LXC containers, leading to failures in basic OpenStack services.

It is recommended to run each of these steps in dry-run first.

When any other packages but Trilio packages are getting updated, stop the upgrade procedure and contact your Trilio customer success manager.

Upgrading the Trilio Charms

More detailed information about the latest 4.2 Trilio charms for the Trilio-4.2 release can be found .

Upgrading the Trilio Charms up to OpenStack Wallaby release

Follow the steps mentioned in this to upgrade the charms to the latest 4.2 charms before upgrading the Trilio packages.

Upgrading the Trilio Charms to OpenStack Yoga release onwards

Follow the steps mentioned below to upgrade the charms to the latest 4.2 charms before upgrading the Trilio packages.

General Prerequisites

No snapshot OR restore are to be running during this process.
Global job scheduler should be disabled

1. Upgrade juju charms

juju [-m <model>] upgrade-charm trilio-wlm --switch trilio-charmers-trilio-wlm-focal --channel latest/edge

juju [-m <model>] upgrade-charm trilio-horizon-plugin --switch trilio-charmers-trilio-horizon-plugin-focal --channel latest/edge

juju [-m <model>] upgrade-charm trilio-dm-api --switch trilio-charmers-trilio-dm-api-focal --channel latest/edge

juju [-m <model>] upgrade-charm trilio-data-mover --switch trilio-charmers-trilio-data-mover-focal --channel latest/edge

2. Wait till all trilio units are active/idle then Restart all the trilio services

juju [-m <model>] exec --application trilio-dm-api "sudo systemctl restart tvault-datamover-api"

juju [-m <model>] exec --application trilio-data-mover "sudo systemctl restart tvault-contego"

juju [-m <model>] exec --application trilio-horizon-plugin "sudo systemctl restart apache2"

3. Select Single Node or HA steps as appropriate to restart services

For setup with single node wlm unit

juju [-m <model>] exec --application trilio-wlm "sudo systemctl restart wlm-api wlm-scheduler wlm-workloads wlm-cron"

For setups with 3 node HA enabled wlm

juju [-m <model>] exec --application trilio-wlm "systemctl restart wlm-api wlm-scheduler wlm-workloads"

juju [-m <model>] exec --unit trilio-wlm/leader "sudo crm resource restart res_trilio_wlm_wlm_cron"

4. Ensure that wlm-cron is only running on a single Unit in the output of this command

juju [-m <model>] exec --application trilio-wlm "sudo systemctl status wlm-cron"

If wlm-cron is running in more than one unit, or nowhere at all, this can be fixed by following the below steps:

juju [-m <model>] exec --unit trilio-wlm/leader "sudo crm resource stop res_trilio_wlm_wlm_cron" juju [-m <model>] exec --application trilio-wlm "sudo systemctl stop wlm-cron" juju [-m <model>] exec --application trilio-wlm "sudo ps -ef | grep workloadmgr-cron | grep -v grep"

juju [-m <model>] exec --unit trilio-wlm/leader "sudo crm resource start res_trilio_wlm_wlm_cron" juju [-m <model>] exec --application trilio-wlm "sudo systemctl status wlm-cron"

wlm-cron service should only be running in a single Juju Unit and not running in the other two.

5. Check upgraded juju charm & trilio services

Check the trilio unit's status in juju status [-m <model>] | grep trilio output.

All the trilio units will be reporting the new juju charm version.

trilio-data-mover 4.2.64.26 active 3 trilio-charmers-trilio-data-mover-jammy latest/edge 4 no Unit is ready trilio-dm-api 4.2.64.2 active 1 trilio-charmers-trilio-dm-api-jammy latest/edge 2 no Unit is ready trilio-horizon-plugin 4.2.64.5 active 1 trilio-charmers-trilio-horizon-plugin-jammy latest/edge 4 no Unit is ready trilio-wlm 4.2.64.20 active 1 trilio-charmers-trilio-wlm-jammy latest/edge 3 no Unit is ready

6. Check that all Trilio services are running

juju [-m <model>] exec --application trilio-dm-api "sudo systemctl status tvault-datamover-api"

juju [-m <model>] exec --application trilio-data-mover "sudo systemctl status tvault-contego"

juju [-m <model>] exec --application trilio-horizon-plugin "sudo systemctl status apache2"

juju [-m <model>] exec --application trilio-wlm "sudo systemctl status wlm-api wlm-scheduler wlm-workloads wlm-cron"

Next move on the Updating the Trilio packages.

Upgrading the Trilio packages

Trilio is releasing hotfixes, which require updating the packages inside the containers. These hotfixes can not be installed using the Juju charms as they don't require an update to the charms.

Generic Prerequisites

Trilio packages can be upgraded after deployment. Trilio supports upgrade to the latest 4.2 releases from as old as the Trilio 4.0 release.
No snapshot OR restore are to be running during this process.
Global job scheduler should be disabled.

Stop the wlm-cron service

Ensure that no stale wlm-cron processes exist

If any stale process are found, they should be stopped manually.

Upgrade package on trilio units

The deployed Trilio version is controlled by the triliovault-pkg-source charm configuration option.

The gemfury repository should be accessible from all Trilio units. For each trilio charm, it should be pointing to the following Gemfury repository:

This can be checked via juju [-m ] config trilio-wlm triliovault-pkg-source command output.

The preferred, recommended, and tested method to update the packages is through the Juju command line.

Run the below commands from MAAS node

On Ubuntu Bionic environments

On other (not Ubuntu Bionic) environments

Check the trilio unit's status in `juju status [-m ] | grep trilio` output. All the trilio units will be with the new packages.

Update the DB schema

Run the below command to update the schema

Check the schema head with below command. It should point to latest schema head.

Enable mount-bind for NFS

T4O 4.2 is changing how the mount point is calculated. It is required to setup a mount bind to make T4O 4.1 or older backups available.

Please referfor detailed steps to set up the mount bind.

Post-Upgrade steps

If the trilio-wlm nodes are HA enabled:
1. Make sure the wlm-cron services are down after the pkg upgrade. Run the following command for the same:

Unset the cluster maintenance mode

Make sure the wlm-cron service up and running on any one node.

Set the Global Job Scheduler to the original state.

Troubleshooting

If any trilio unit gets into an error state with the message :

hook failed: "update-status"

One of the reasons could be the package installation did not finish correctly. One way to verify that is by logging into that unit and following the below steps;

Restart Trilio Services

In complex environments it is sometimes necessary to restart a single service or the complete solution. Rarely is restarting the complete node, where a service is running possible or even the ideal solution.

This page describes the services running by Trilio and how to restart those.

Trilio Appliance Services

The Trilio Appliance is the controller of Trilio. Most services on the Appliance are running in a High Availability mode on a 3-node cluster.

wlm-api

The wlm-api service takes the API calls against the Trilio Appliance. It is running in active-active mode on all nodes of the Trilio cluster.

To restart the wlm-api service run on each Trilio node:

wlm-scheduler

The wlm-scheduler service is taking job requests and identifies which Trilio node should take the request. It is running in active-active mode on all nodes of the Trilio cluster.

To restart the wlm-scheduler service run on each Trilio node:

wlm-workloads

The wlm-workloads service is the task worker of Trilio executing all jobs given to the Trilio node. It is running in active-active mode on all nodes of the Trilio cluster.

To restart the wlm-workloads service run on each Trilio node:

wlm-cron

The wlm-cron service is responsible for starting scheduled Backups according to the configurtation of Tenant Workloads. It is running in active-passive mode and controlled by the pacemaker cluster.

To restart the wlm-workloads service run on the Trilio node with VIP assigned:

VIP resources

The Trilio appliance is running 1 to 4 virtual IPs on the Trilio cluster. These are controlled by the pacemaker cluster and provided through NGINX.

To restart these resources the pacemaker NGINX resource is getting restarted:

RabbitMQ

The Trilio cluster is using RabbitMQ as messaging service. It is running in active-active mode on all nodes of the Trilio cluster.

RabbitMQ is a complex system in itself. This guide will only provide the basic commands to do a restart of a node and check the health of the cluster afterward. For complete documentation of how to restart RabbitMQ, please follow the .

To restart a RabbitMQ node run on each Trilio node:

It is recommended to wait for the node to rejoin and sync with the cluster before restarting another RabbitMQ node.

When the complete cluster is getting stopped and restarted it is important to keep the order of nodes in mind. The last node to be stopped needs to be the first node to be started.

Galera Cluster (MariaDB)

The Galera Cluster is managing the Trilio MariaDB database. It is running in active-active mode on all nodes of the Trilio cluster.

Galera Cluster is a complex system in itself. This guide will only provide the basic commands to do a restart of a node and check the health of the cluster afterward. For complete documentation of how to restart Galera clusters, please follow the .

When restarting Galera two different use-cases need to be considered:

Restarting a single node
Restarting the whole cluster

Restarting a single node

A single node can be restarted without any issues. It will automatically rejoin the cluster and sync against the remaining nodes.

The following commands will gracefully stop and restart the mysqld service.

After a restart will the cluster start the syncing process. Don't restart node after node to reach a complete cluster restart.

Check the cluster health after the restart.

Restarting the complete cluster

Restarting a complete cluster requires some additional steps as the Galera cluster is basically destroyed once all nodes have been shut down. It needs to be rebuild afterwards.

First gracefully shutdown the Galera cluster on all nodes:

The second step is to identify the Galera node with the latest dataset. This can be achieved by reading the grastate.dat file on the Trilio nodes.

When this documentation is followed the last mysqld service that got shut down will be the one with the latest dataset.

The value to check for are the seqno.

The node with the highest seqno is the node that contains the latest data. This node will also contain safe_to_bootstrap: 1 to indicate that the Galera cluster can be rebuild from this node.

On the identified node the new cluster is getting generated with the following command:

Running galera_new_cluster on the wrong node will lead to data loss as this command will set the node the command is issued on as the first node of the cluster. All nodes which join afterward will sync against the data of this first node.

After the command has been issued is the mysqld service running on this node. Now the other nodes can be restarted one by one. The started nodes will automatically rejoin the cluster and sync against the master node. Once a synced status has been reached is each node a primary node in the cluster.

Check the Cluster health after all services are up again.

Verify Health of the Galera Cluster

Verify the cluster health by running the following commands inside each Trilio MariaDB. The values returned from these statements have to be the same for each node.

Canonical workloadmgr container services

Canonical Openstack is not using the Trilio Appliance. In Canonical environments is the Trilio controller unit part of the JuJu deployment as workloadmgr container.

To restart the services inside this container the following commands are to be issued.

Single Node deployment

HA deployment

On all nodes:

On a single node:

Trilio dmapi service

The Trilio dmapi service is running on the Openstack controller nodes. Depending on the Openstack Distribution Trilio is installed on different commands are issued to restart the dmapi service.

RHOSP13

RHOSP13 is running the Trilio services as docker containers. The dmapi service can be restarted by issuing the following command on the host running the dmapi service.

RHOSP16

RHOSP16 is running the Trilio services as docker containers. The dmapi service can be restarted by issuing the following command on the host running the dmapi service.

Canonical

Canonical is running the Trilio services in JuJu controlled LXD containers. The dmapi service can be restarted by issuing the following command from the MASS node.

Kolla-Ansible Openstack

Kolla-Ansible Openstack is running the Trilio services as docker containers. The dmapi service can be restarted by issuing the following command on the host running the dmapi service.

Ansible Openstack

Ansible Openstack is running the Trilio services as LXD containers. The dmapi service can be restarted by issuing the following command on the host running the dmapi service.

Trilio datamover service (tvault-contego)

The Trilio datamover service is running on the Openstack compute nodes. Depending on the Openstack Distribution Trilio is installed on different commands are issued to restart the datamover service.

RHOSP13

RHOSP13 is running the Trilio services as docker containers. The datamover service can be restarted by issuing the following command on the compute node.

RHOSP16

RHOSP16 is running the Trilio services as docker containers. The datamover service can be restarted by issuing the following command on the compute node.

Canonical

Canonical is running the Trilio services in JuJu controlled LXD containers. The datamover service can be restarted by issuing the following command from the MASS node.

Kolla-Ansible Openstack

Kolla-Ansible Openstack is running the Trilio services as docker containers. The dmapi service can be restarted by issuing the following command on the host running the dmapi service.

Ansible Openstack

Ansible Openstack is running the Trilio datamover service directly on the compute node. The datamover service can be restarted by issuing the following command on.

Install workloadmgr CLI client

About the workloadmgr CLI client

The workloadmgr CLI client is provided as rpm and deb packages.

It got tested against the following operating systems:

CentOS7, CentOS8
Ubuntu 18.04, Ubuntu 20.04

Installing the workloadmgr client will automatically install all required Openstack clients as well.

Further will the installation of the workloadmgr client integrate the client into the global openstack python client, if available.

The required connection strings and package names can be found on the Trilio Dashboard under the Downloads tab.

Install workloadmgr client rpm package on CentOS7/8

The Trilio workload manager CLI client has several requirements that need to be met before the client can be installed without dependency issues.

Preparing the workloadmgr client installation

The following steps need to be done to prepare the installation the workloadmgr client:

Add required repositories
1. epel-release
2. for CentOS7: centos-release-openstack-stein

These repositories are required to fulfill the following dependencies:

On CentOS7 Python2: python-pbr,python-prettytable,python2-requests,python2-simplejson,python2-six,pytz,PyYAML,python2-openstackclient

On CentOS8 Python3: python3-pbr,python3-prettytable,python3-requests,python3-simplejson,python3-six,python3-pyyaml,python3-pytz,python3-openstackclient

Installing the workloadmgr client

There are 2 possibilities for how the workloadmgr client packages can be installed.

Download from the Trilio Appliance and install directly

The Trilio appliance is shipping the workloadmgr client version, that is matching the Trilio version of the Trilio appliance. These clients will always work with their respective Trilio versions.

The workloadmgr client can be directly downloaded using the following command:

For CentOS7: wget http://<TVM-IP>:8085/yum-repo/queens/workloadmgrclient-<Trilio-Version>-<Trilio-Release>.noarch.rpm

For CentOS8: http://<TVM-IP>:8085/yum-repo/queens/python3-workloadmgrclient-<Trilio-Version>-<TVault-Release>.noarch.rpm

To identify the Trilio Version and Trilio release login into the Trilio Dashboard and check the upper left corner.

The yum package manager is used to install the workloadmgr client package:

yum install workloadmgrclient-<Trilio-Version>-<Trilio-Release>.noarch.rpm

An example installation can be found below:

Installing from the Trilio online repository

To install the latest available workloadmgr package for a Trilio release from the Trilio repository the following steps need to be done:

Create the Trilio yum repository file /etc/yum.repos.d/trilio.repo Enter the following details into the repository file:

Install the workloadmgr client issuing the following command:

For CentOS7: yum install workloadmgrclient For CentOS8: yum install python-3-workloadmgrclient-el8

An example installation can be found below:

Install workloadmgr client deb packages on Ubuntu

The Trilio workloadmgr client packages for Ubuntu are only available from the online repository.

Preparing the workloadmgr client installation

There is no preparation required. All dependencies are automatically resolved by the standard repositories provided by Ubuntu.

Installing the Workloadmgr client

There are 2 possibilities for how the workloadmgr client packages can be installed.

Download from the Trilio Appliance and install directly

The Trilio appliance is shipping the workloadmgr client version, that is matching the Trilio version of the Trilio appliance. These clients will always work with their respective Trilio versions.

The workloadmgr client can be directly downloaded using the following command:

For Python2: curl -Og6 http://<TVM-IP>:8085/deb-repo/deb-repo/python-workloadmgrclient_<Trilio-Version>_all.deb

For Python3:curl -Og6 http://<TVM-IP>:8085/deb-repo/deb-repo/python3-workloadmgrclient_<Trilio-Version>_all.deb

o identify the Trilio Version and Trilio release login into the Trilio Dashboard and check the upper left corner.

The apt package manager is used to install the workloadmgr client package:

For Python2:apt-get install ./python-workloadmgrclient_<Trilio-Version>_all.deb -y For Python3:apt-get install ./python3-workloadmgrclient_<Trilio-Version>_all.deb -y

An example installation can be found below:

Installing from the Trilio online repository

To install the latest available workloadmgr package for a Trilio release from the Trilio repository the following steps need to be done:

Create the Trilio yum repository file /etc/apt/sources.list.d/fury.list Enter the following details into the repository file:

run apt update to make the new repository available.

The apt package manager is used to install the workloadmgr client package:

For Python2:apt-get install python-workloadmgrclient For Python3:apt-get install python3-workloadmgrclient

An example installation can be seen below:

Upgrading on Ansible OpenStack

Upgrading from Trilio 4.1 to a higher version

Trilio 4.1 can be upgraded without reinstallation to a higher version of T4O if available.

Pre-requisites

Please ensure the following points are met before starting the upgrade process:

No Snapshot or Restore is running
The Global-Job-Scheduler is disabled
wlm-cron is disabled on the Trilio Appliance

Deactivating the wlm-cron service

The following sets of commands will disable the wlm-cron service and verify that it has been completely shut down.

Update the repositories

Deb-based (Ubuntu)

Add the Gemfury repository on each of the DMAPI containers, Horizon containers & Compute nodes.

Create a file /etc/apt/sources.list.d/fury.list and add the below line to it.

The following commands can be used to verify the connection to the Gemfury repository and to check for available packages.

RPM-based (CentOS)

Add Trilio repo on each of the DMAPI containers, Horizon containers & Compute nodes.

Modify the file /etc/yum.repos.d/trilio.repo and add the below line in it.

The following commands can be used to verify the connection to the Gemfury repository and to check for available packages.

Upgrade tvault-datamover-api package

The following steps represent the best practice procedure to upgrade the DMAPI service.

Login to DMAPI container
Take a backup of the DMAPI configuration in /etc/dmapi/
use apt list --upgradeable to identify the package used for the dmapi service

These steps are done with the following commands. This example is assuming that the more common python3 packages are used.

Deb-based (Ubuntu)

RPM-based (CentOS)

Upgrade Horizon plugin

The following steps represent the best practice procedure to update the Horizon plugin.

Login to Horizon Container
use apt list --upgradeable to identify the package the Trilio packages for the workloadmgrclient, contegoclient and tvault-horizon-plugin

These steps are done with the following commands. This example is assuming that the more common python3 packages are used.

Deb-based (Ubuntu)

RPM-based (CentOS)

Upgrade the tvault-contego service

The following steps represent the best practice procedure to update the tvault-contego service on the compute nodes.

Login into the compute node
Take a backup of the config files at and /etc/tvault-contego/ and /etc/tvault-object-store (if S3)
Unmount storage mount path

These steps are done with the following commands. This example is assuming that the more common python3 packages are used.

NFS as Storage Backend

Take a backup of the config files

Check the mount path of the NFS storage using the command df -h and unmount the path using umount command. e.g.
Upgrade the Trilio packages:

Deb-based (Ubuntu):

RPM-based (CentOS):

Restore the config files, restart the service and verify the mount point

S3 as Storage Backend

Take a backup of the config files

Check the mount path of the S3 storage using the command df -h and unmount the path using umount command.

Upgrade the Trilio packages

Deb-based (Ubuntu):

RPM-based (CentOS):

Restore the config files, restart the service and verify the mount point

Advance settings/configuration

Customize HAproxy cfg parameters for Trilio datamover api service

Following are the haproxy cfg parameters recommended for optimal performance of dmapi service. File location on controller /etc/haproxy/haproxy.cfg

If values were already updated during any of the previous releases, further steps can be skipped.

Parameters timeout client, timeout server, and balance for DMAPI service

Remove the below content, if present in the file/etc/openstack_deploy/user_variables.ymlon the ansible host.

Add the below lines at end of the file /etc/openstack_deploy/user_variables.yml on the ansible host.

Update Haproxy configuration using the below command on the ansible host.

Enable mount-bind for NFS

T4O 4.2 has changed the calculation of the mount point. It is necessary to set up the mount-bind to make T4O 4.1 or older backups available for T4O 4.2

Please follow for detailed steps to set up mount bind.

Installing on TripleO Train

1. Prepare for deployment

1.1] Select 'backup target' type

Backup target storage is used to store backup images taken by Trilio and details needed for configuration:

The following backup target types are supported by Trilio

a) NFS

Need NFS share path

b) Amazon S3

- S3 Access Key - Secret Key - Region - Bucket name

c) Other S3 compatible storage (Like, Ceph based S3)

- S3 Access Key - Secret Key - Region - Endpoint URL (Valid for S3 other than Amazon S3) - Bucket name

1.2] Clone triliovault-cfg-scripts repository

The following steps are to be done on 'undercloud' node on an already installed RHOSP environment. The overcloud-deploy command has to be run successfully already and the overcloud should be available.

All commands need to be run as user 'stack' on undercloud node

TripleO CentOS8 is not supported anymore as CentOS Linux 8 has reached End of Life on December 31st,2021.

The following command clones the triliovault-cfg-scripts github repository.

Please note that the Trilio Appliance needs to get updated to the latest HF as well.

1.3] If the backup target type is 'Ceph based S3' with SSL:

If your backup target is ceph S3 with SSL and SSL certificates are self-signed or authorized by a private CA, then the user needs to provide a CA chain certificate to validate the SSL requests. For that, the user needs to rename his ca chain cert file to s3-cert.pem and copy it into the directory triliovault-cfg-scripts/redhat-director-scripts/redhat-director-scripts/<RHOSP_RELEASE_Directory/puppet/trilio/files

2] Upload Trilio puppet module

3] Update overcloud roles data file to include Trilio services

Trilio contains multiple services. Add these services to your roles_data.yaml.

In the case of uncustomized roles_data.yaml can the default file be found on the undercloud at:

/usr/share/openstack-tripleo-heat-templates/roles_data.yaml

Add the following services to the roles_data.yaml

All commands need to be run as user 'stack'

3.1] Add Trilio Datamover Api Service to role data file

This service needs to share the same role as the keystone and database service. In the case of the pre-defined roles will these services run on the role Controller. In the case of custom-defined roles, it is necessary to use the same role where OS::TripleO::Services::Keystone service is installed.

Add the following line to the identified role:

3.2] Add Trilio Datamover Service to role data file

This service needs to share the same role as the nova-compute service. In the case of the pre-defined roles will the nova-compute service run on the role Compute. In the case of custom-defined roles, it is necessary to use the role the nova-compute service is used.

Add the following line to the identified role:

3.3] Add Trilio Horizon Service role data file4] Prepare Trilio container images

This service needs to share the same role as the OpenStack Horizon server. In the case of the pre-defined roles, Horizon service runs on the role Controller. Add the following line to the identified role:

All commands need to be run as user 'stack'

Refer to the word <HOTFIX-TAG-VERSION> as 4.3.2 in the below sections

Trilio containers are pushed to 'Dockerhub'. Registry URL: 'docker.io'. Container pull URLs are given below.

CentOS7

There are two registry methods available in TripleO Openstack Platform.

Remote Registry
Local Registry

4.1] Remote Registry

Follow this section when 'Remote Registry' is used.

For this method, it is not necessary to pull the containers in advance. It is only necessary to populate the trilio_env.yaml file with the Trilio container URLs from the Dockerhub registry.

Populate the trilio_env.yaml with container URLs for:

Trilio Datamover container
Trilio Datamover api container
Trilio Horizon Plugin

trilio_env.yaml will be available in __triliovault-cfg-scripts/redhat-director-scripts/tripleo-train/environments

4.2] Local Registry

Follow this section when 'local registry' is used on the undercloud.

Run the following script. Script pulls the triliovault containers and updates the triliovault environment file with URLs.

The changes can be verified using the following commands.

5] Configure multi-IP NFS

This section is only required when the multi-IP feature for NFS is required.

This feature allows setting the IP to access the NFS Volume per datamover instead of globally.

On Undercloud node, change the directory

Edit file 'triliovault_nfs_map_input.yml' in the current directory and provide compute host and NFS share/IP map.

Get the compute hostnames from the following command. Check the 'Name' column. Use exact hostnames in 'triliovault_nfs_map_input.yml' file.

Run this command on undercloud by sourcing 'stackrc'.

Edit the input map file and fill in all the details. Refer to for details about the structure.

vi triliovault_nfs_map_input.yml

Update pyYAML on the undercloud node only

If pip isn't available please install pip on the undercloud.

Expand the map file to create a one-to-one mapping of the compute nodes and the NFS shares.

The result will be in file - 'triliovault_nfs_map_output.yml'

Validate output map file

Open file 'triliovault_nfs_map_output.yml

vi triliovault_nfs_map_output.yml

available in the current directory and validate that all compute nodes are covered with all the necessary NFS shares.

Append this output map file to 'triliovault-cfg-scripts/redhat-director-scripts/<RHOSP_RELEASE_DIRECTORY>/environments/trilio_nfs_map.yaml'

Validate the changes in file triliovault-cfg-scripts/redhat-director-scripts/<RHOSP_RELEASE_DIRECTORY>/environments/trilio_nfs_map.yaml

Include the environment file (trilio_nfs_map.yaml) in overcloud deploy command with '-e' option as shown below.

Ensure that MultiIPNfsEnabled is set to true in trilio_env.yaml file and that NFS is used as the backup target.

6] Fill in Trilio environment details

Fill Trilio details in the file /home/stack/triliovault-cfg-scripts/redhat-director-scripts/tripleo-train/environments/trilio_env.yaml, triliovault environment file is self-explanatory. Fill in details of the backup target, verify image URLs, and other details.

NFS options for Cohesity NFS : nolock,soft,timeo=600,intr,lookupcache=none,nfsvers=3,retrans=10

7] Install Trilio on Overcloud

Use the following heat environment file and roles data file in overcloud deploy command

trilio_env.yaml: This environment file contains Trilio backup target details and Trilio container image locations
roles_data.yaml: This file contains overcloud roles data with Trilio roles added.
Use the correct trilio endpoint map file as per your keystone endpoint configuration. - Instead of tls-endpoints-public-dns.yaml this file, use ‘environments/trilio_env_tls_endpoints_public_dns.yaml’ - Instead of tls-endpoints-public-ip.yaml

Deploy command with triliovault environment file looks like the following.

Post deployment for multipath enabled environment, log into respective datamover container and add uxsock_timeout with value as 60000 (i.e. 60 sec) in /etc/multipath.conf. Restart datamover container

8] Verify the deployment

If the containers are in restarting state or not listed by the following command then your deployment is not done correctly. Please recheck if you followed the complete documentation.

8.1] On the Controller node

Make sure Trilio dmapi and horizon containers are in a running state and no other Trilio container is deployed on controller nodes. When the role for these containers is not "controller" check on respective nodes according to configured roles_data.yaml.

Verify the haproxy configuration under:

8.2] On Compute node

Make sure Trilio datamover container is in running state and no other Trilio container is deployed on compute nodes.

8.3] On the node with Horizon service

Make sure horizon container is in running state. Please note that 'Horizon' container is replaced with Trilio Horizon container. This container will have the latest OpenStack horizon + Trilio's horizon plugin.

10] Troubleshooting for overcloud deployment failures

Trilio components will be deployed using puppet scripts.

In case of the overcloud deployment fails do the following command to provide the list of errors. The following document also provides valuable insights:

Upgrading on TripleO Train [CentOS7]

1. Generic Pre-requisites

Please ensure following points before starting the upgrade process:
1. Either 4.1 GA OR any hotfix patch against 4.1 should be already deployed for performing upgrades mentioned in the current document.
2. No snapshot OR restore to be running.
3. Global job scheduler should be disabled.
4. wlm-cron should be disabled (on primary T4O node).
  1. pcs resource disable wlm-cron
  2. Check : systemctl status wlm-cron OR pcs resource show wlm-cron

2. [On Undercloud node] Clone triliovault repo and upload trilio puppet module

Run all the commands with 'stack' user

2.1 Clone the latest configuration scripts

2.2 Backup target is “Ceph based S3” with SSL

If the backup target is Ceph S3 with SSL and SSL certificates are self-signed or authorized by private CA, then the user needs to provide a CA chain certificate to validate the SSL requests. For that, user needs to rename his CA chain cert file to 's3-cert.pem' and copy it into directory - 'triliovault-cfg-scripts/redhat-director-scripts/redhat-director-scripts/puppet/trilio/files'.

2.3 Upload triliovault puppet module

3. Prepare Trilio container images

In this step, we are going to pull triliovault container images to the user’s registry.

Trilio containers are pushed to ‘Dockerhub'. The registry URL is ‘docker.io’. Following are the triliovault container pull URLs.

Refer to the word <HOTFIX-TAG-VERSION> as 4.3.2 in the below sections

3.1 Trilio container URLs

Trilio container URLs for TripleO Train CentOS7:

There are two registry methods available in the TripleO Openstack Platform.

Remote Registry
Local Registry

Identify which method you are using. Below we have explained all three methods to pull and configure trilioVault's container images for overcloud deployment.

3.2 Remote Registry

If you are using the 'Remote Registry' method follow this section. You don't need to pull anything. You just need to populate the following container URLs in trilio env yaml.

Populate 'environments/trilio_env.yaml' file with triliovault container urls. Changes look like the following.

3.3 Registry on Undercloud

If you are using 'local registry' on undercloud, follow this section.

Run the following script. Script pulls the triliovault containers and updates the triliovault environment file with URLs.

## Above script pushes trilio container images to undercloud registry and sets correct trilio images URLs in ‘environments/trilio_env.yaml’. Verify the changes using the following command.

4. Configure multi-IP NFS

This section is only required when the multi-IP feature for NFS is required.

This feature allows to set the IP to access the NFS Volume per datamover instead of globally.

On Undercloud node, change directory

Edit file 'triliovault_nfs_map_input.yml' in the current directory and provide compute host and NFS share/ip map.

Get the compute hostnames from the following command. Check ‘Name' column. Use exact hostnames in 'triliovault_nfs_map_input.yml' file.

Run this command on undercloud by sourcing 'stackrc'.

Edit input map file and fill all the details. Refer to the for details about the structure.

vi triliovault_nfs_map_input.yml

Update pyyaml on the undercloud node only

If pip isn't available please install pip on the undercloud.

Expand the map file to create a one-to-one mapping of the compute nodes and the nfs shares.

The result will be in file - 'triliovault_nfs_map_output.yml'

Validate output map file

Open file 'triliovault_nfs_map_output.yml

vi triliovault_nfs_map_output.yml

available in the current directory and validate that all compute nodes are covered with all the necessary NFS shares.

Append this output map file to 'triliovault-cfg-scripts/redhat-director-scripts/<RHOSP_RELEASE_DIRECTORY>/environments/trilio_nfs_map.yaml'

Validate the changes in file 'triliovault-cfg-scripts/redhat-director-scripts/<RHOSP_RELEASE_DIRECTORY>/environments/trilio_nfs_map.yaml'

Include the environment file (trilio_nfs_map.yaml) in overcloud deploy command with '-e' option as shown below.

Ensure that MultiIPNfsEnabled is set to true in trilio_env.yaml file and that nfs is used as backup target.

5. Fill in triliovault environment details

Refer old 'trilio_env.yaml' - (/home/stack/triliovault-cfg-scripts-old/redhat-director-scripts/tripleo-train/environments/trilio_env.yaml) file and update new trilio_env.yaml file.
Fill triliovault details in file - '/home/stack/triliovault-cfg-scripts/redhat-director-scripts/tripleo-train/environments/trilio_env.yaml', triliovault environment file is self explanatory. Fill details of backup target, verify image urls and other details.

For Cohesity NFS format for NFS options : nolock,soft,timeo=600,intr,lookupcache=none,nfsvers=3,retrans=10

6. roles_data.yaml file changes

A new separate triliovault service is introduced in Trilio 4.3 release for Trilio Horizon plugin. User need to add following service to roles_data.yaml file and this service need to be co-located with openstack horizon service.

OS::TripleO::Services::TrilioHorizon

7. Install Trilio on Overcloud

Use the following heat environment file and roles data file in overcloud deploy command

trilio_env.yaml: This environment file contains Trilio backup target details and Trilio container image locations
roles_data.yaml: This file contains overcloud roles data with Trilio roles added. This file need not be changed, you can use the old role_data.yaml file
Use the correct trilio endpoint map file as per your keystone endpoint configuration. - Instead of tls-endpoints-public-dns.yaml this file, use ‘environments/trilio_env_tls_endpoints_public_dns.yaml’ - Instead of

Deploy command with triliovault environment file looks like following.

8. Steps to verify correct deployment

8.1 On overcloud controller node(s)

Make sure Trilio dmapi and horizon containers(shown below) are in a running state and no other Trilio container is deployed on controller nodes. If the containers are in restarting state or not listed by the following command then your deployment is not done correctly. You need to revisit the above steps

8.2 On overcloud compute node(s)

Make sure the Trilio datamover container (shown below) is in a running state and no other Trilio container is deployed on compute nodes. If the containers are in restarting state or not listed by the following command then your deployment is not done correctly. You need to revisit the above steps.

8.3 On OpenStack node where OpenStack Horizon Service is running

Make sure the horizon container is in a running state. Please note that the 'Horizon' container is replaced with the Trilio Horizon container. This container will have the latest OpenStack horizon + Trilio's horizon plugin

9. Troubleshooting if any failures

Trilio components will be deployed using puppet scripts.

In case of the overcloud deployment failing do the following command provide the list of errors. The following document also provides valuable insights:

10. Known Issues/Limitations

10.1 Overcloud deploy fails with the following error. Valid for Train CentOS7 only.

This is not a Trilio issue. It’s a TripleO issue that is not fixed in Train Centos7. This is fixed in higher versions of TripleO.

Undercloud jobs puppet task ertmonger_certificate[haproxy-external-cert] fails with Unrecognized parameter or wrong value type

Workaround:

APPLY the fix directly on the setup. It's not merged in train centos7. PR: Need fix in on controller and compute nodes /usr/share/openstack-puppet/modules/certmonger/lib/puppet/provider/certmonger_certificate/certmonger_certificate.rb

11. Enable mount-bind for NFS

Note : Below mentioned steps required only if target backend is NFS.

Please referfor detailed steps to setup mount bind.

Upgrading on RHOSP

0] Pre-requisites

Please ensure the following points are met before starting the upgrade process:

No Snapshot or Restore is running
Global job scheduler is disabled
wlm-cron is disabled on the Trilio Appliance

Deactivating the wlm-cron service

The following sets of commands will disable the wlm-cron service and verify that it is has been completely shut-down.

1] [On Undercloud node] Clone latest Trilio repository and upload Trilio puppet module

All commands need to be run as user 'stack' on undercloud node

1.1] Clone Trilio cfg scripts repository

Separate directories are created as per Redhat OpenStack release under 'triliovault-cfg-scripts/redhat-director-scripts/' directory. Use all scripts/templates from respective directory. For ex, if your RHOSP release is 13, then use scripts/templates from 'triliovault-cfg-scripts/redhat-director-scripts/rhosp13' directory only.

Available RHOSP_RELEASE___DIRECTORY values are:

rhosp13 rhosp16.1 rhosp16.2 rhosp17.0

1.2] If backup target type is 'Ceph based S3' with SSL:

If your backup target is ceph S3 with SSL and SSL certificates are self signed or authorized by private CA, then user needs to provide CA chain certificate to validate the SSL requests. For that, user needs to rename his ca chain cert file to 's3-cert.pem' and copy it into the puppet directory of the right release.

2] Upload Trilio puppet module

3] Update overcloud roles data file to include Trilio services

Trilio has two services as explained below. You need to add these two services to your roles_data.yaml. If you do not have customized roles_data file, you can find your default roles_data.yaml file at /usr/share/openstack-tripleo-heat-templates/roles_data.yaml on undercloud.

You need to find that role_data file and edit it to add the following Trilio services.

i) Trilio Datamover Api Service:

Service Entry in roles_data yaml: OS::TripleO::Services::TrilioDatamoverApi

This service needs to be co-located with database and keystone services. That said, you need to add this service on the same role as of keystone and database service.

Typically this service should be deployed on controller nodes where keystone and database runs. If you are using RHOSP's pre-defined roles, you need to addOS::TripleO::Services::TrilioDatamoverApiservice to Controller role.

ii) Trilio Datamover Service: Service Entry in roles_data yaml: OS::TripleO::Services::TrilioDatamover This service should be deployed on role where nova-compute service is running.

If you are using RHOSP's pre-defined roles, you need to add our OS::TripleO::Services::TrilioDatamover service to Compute role.

If you have defined your custom roles, then you need to identify the role name where in 'nova-compute' service is running and then you need to add 'OS::TripleO::Services::TrilioDatamover' service to that role.

iii) Trilio Horizon Service:

This service needs to share the same role as the OpenStack Horizon server. In the case of the pre-defined roles will the Horizon service run on the role Controller. Add the following to the identified role OS::TripleO::Services::TrilioHorizon

4] Prepare latest Trilio container images

All commands need to be run as user 'stack'

Trilio containers are pushed to 'RedHat Container Registry'. Registry URL is ''. The Trilio container URLs are as follows:

Refer to the word <HOTFIX-TAG-VERSION> as 4.3.2 in the below sections

4.1] available container images

RHOSP 13

RHOSP 16.1

RHOSP 16.2

RHOSP 17.0

There are three registry methods available in RedHat Openstack Platform.

Remote Registry
Local Registry
Satellite Server

4.2] Remote Registry

Please refer to the to see which containers are available.

Follow this section when 'Remote Registry' is used.

For this method it is not necessary to pull the containers in advance. It is only necessary to populate the trilio_env.yaml file with the Trilio container URLs from Redhat registry.

Populate the trilio_env.yaml with container URLs for:

Trilio Datamover container
Trilio Datamover api container
Trilio Horizon Plugin

trilio_env.yaml will be available in __triliovault-cfg-scripts/redhat-director-scripts/<RHOSP_RELEASE_DIRECTORY>/environments

Example

4.2] Local Registry

Please refer to the to see which containers are available.

Follow this section when 'local registry' is used on the undercloud.

In this case it is necessary to push the Trilio containers to the undercloud registry. Trilio provides shell scripts which will pull the containers from 'registry.connect.redhat.com' and push them to the undercloud and updates the trilio_env.yaml.

RHOSP13 example

RHOSP 16.1, RHOSP16.2 and RHOSP17.0 example

The changes can be verified using the following commands.

4.3] Red Hat Satellite Server

Please refer to the to see which containers are available.

Follow this section when a Satellite Server is used for the container registry.

Pull the Trilio containers on the Red Hat Satellite using the given

Populate the trilio_env.yaml with container urls.

RHOSP 13 example

RHOSP 16.1, RHOSP 16.2 and RHOSP 17.0

5. Verify Trilio environment details

It is recommended to re-populate the backup target details in the freshly downloaded trilio_env.yaml file. This will ensure that parameters that have been added since the last update/installation of Trilio are available and will be filled out too.

Locations of the trilio_env.yaml:

For more details about the trilio_env.yaml please check .

6] Configure multi-IP NFS

This section is only required when the multi-IP feature for NFS is required.

This feature allows to set the IP to access the NFS Volume per datamover instead of globally.

On Undercloud node, change directory

Edit file 'triliovault_nfs_map_input.yml' in the current directory and provide compute host and NFS share/ip map.

Get the compute hostnames from the following command. Check ‘Name' column. Use exact hostnames in 'triliovault_nfs_map_input.yml' file.

Run this command on undercloud by sourcing 'stackrc'.

Edit input map file and fill all the details. Refer to the for details about the structure.

vi triliovault_nfs_map_input.yml

Update pyyaml on the undercloud node only

If pip isn't available please install pip on the undercloud.

Expand the map file to create a one-to-one mapping of the compute nodes and the nfs shares.

The result will be in file - 'triliovault_nfs_map_output.yml'

Validate output map file

Open file 'triliovault_nfs_map_output.yml

vi triliovault_nfs_map_output.yml

available in the current directory and validate that all compute nodes are covered with all the necessary NFS shares.

Append this output map file to 'triliovault-cfg-scripts/redhat-director-scripts/<RHOSP_RELEASE_DIRECTORY>/environments/trilio_nfs_map.yaml'

Validate the changes in file 'triliovault-cfg-scripts/redhat-director-scripts/<RHOSP_RELEASE_DIRECTORY>/environments/trilio_nfs_map.yaml'

Include the environment file (trilio_nfs_map.yaml) in overcloud deploy command with '-e' option as shown below.

Ensure that MultiIPNfsEnabled is set to true in trilio_env.yaml file and that nfs is used as backup target.

7] Update Overcloud Trilio components

Use the following heat environment file and roles data file in overcloud deploy command:

trilio_env.yaml
roles_data.yaml
Use correct Trilio endpoint map file as per available Keystone endpoint configuration

To include new environment files use '-e' option and for roles data file use '-r' option. An example overcloud deploy command is shown below:

8] Verify deployment

If the containers are in restarting state or not listed by the following command then your deployment is not done correctly. Please recheck if you followed the complete documentation.

8.1] On Controller node

8.2] On Compute node

Make sure Trilio datamover container is in running state and no other Trilio container is deployed on compute nodes.

8.3] On the node with Horizon service

Make sure horizon container is in running state. Please note that 'Horizon' container is replaced with Trilio Horizon container. This container will have latest OpenStack horizon + Trilio's horizon plugin.

If Trilio Horizon container is in restarted state on RHOSP 16.1.8/RHSOP 16.2.4 then use below workaroud

9] Enable mount-bind for NFS

In T4O 4.2 and later releases, deriving of the mount point has been changed. It is necessary to set up the mount-bind to make T4O 4.1 or older backups available for T4O 4.2 and onwards releases.

Please follow to set up the mount bind for RHOSP.

Upgrading on Kolla OpenStack

Trilio supports the upgrade of Trilio-Openstack components from any of the older releases (4.1 onwards) to the latest 4.2 hotfix releases without ripping up the older deployments.

Refer to the below-mentioned acceptable values for the placeholders kolla_base_distro and triliovault_tag in this document as per the Openstack environment:

Openstack Version

triliovault_tag

kolla_base_distro

1] Pre-requisites

Please ensure the following points are met before starting the upgrade process:

Either 4.1 or 4.2 GA OR any hotfix patch against 4.1/4.2 should be already deployed
No Snapshot OR Restore is running
Global job scheduler should be disabled

1.1] Deactivating the wlm-cron service

The following sets of commands will disable the wlm-cron service and verify that it has been completly shut-down.

2] Clone latest configuration scripts

Before the latest configuration script is loaded it is recommended to take a backup of the existing config scripts' folder & Trilio ansible roles. The following command can be used for this purpose:

Clone the latest configuration scripts of the required branch and access the deployment script directory for Kolla Ansible Openstack.

Copy the downloaded Trilio ansible role into the Kolla-Ansible roles directory.

3] Append Trilio variables

3.1] Clean old Trilio variables and append new Trilio variables

This step is not always required. It is recommended to comparetriliovault_globals.ymlwith the Trilio entries in the/etc/kolla/globals.ymlfile.

In case of no changes, this step can be skipped.

This is required, in case of some variable names changed, some new variables have been added, or old variables removed in the latest triliovault_globals.yml they need to be updated in /etc/kolla/globals.yml file.

3.2] Clean old Trilio passwords and append new Trilio password variables

This step is not always required. It is recommended to comparetriliovault_passwords.ymlwith the Trilio entries in the/etc/kolla/passwords.ymlfile.

In case of no changes, this step can be skipped.

This step is required, when some password variable names have been added, changed, or removed in the latest triliovault_passwords.yml. In this case, the /etc/kolla/passwords.yml needs to be updated.

3.3] Append triliovault_site.yml content to kolla ansible's site.yml

This step is not always required. It is recommended to comparetriliovault_site.ymlwith the Trilio entries in the/usr/local/share/kolla-ansible/ansible/site.ymlfile.

In case of no changes, this step can be skipped.

This is required because, in case of some variable names changed, some new variables have been added, or old variables removed in the latest triliovault_site.yml they need to be updated in /usr/local/share/kolla-ansible/ansible/site.yml file.

3.4] Append triliovault_inventory.txt to the kolla-ansible inventory file

This step is not always required. It is recommended to comparetriliovault_inventory.yml ith the Trilio entries in the/root/multinodefile.

In case of no changes, this step can be skipped.

By default, the triliovault-datamover-api service gets installed on ‘control' hosts and the trilio-datamover service gets installed on 'compute’ hosts. You can edit the T4O groups in the inventory file as per your cloud architecture.

T4O group names are ‘triliovault-datamover-api’ and ‘triliovault-datamover’

4] Configure multi-IP NFS as Trilio backup target

This step is only required when the multi-IP NFS feature is used to connect different datamovers to the same NFS volume through multiple IPs

On kolla-ansible server node, change directory

Edit file 'triliovault_nfs_map_input.yml' in the current directory and provide compute host and NFS share/ip map.

If IP addresses are used in the kolla-ansible inventory file then you should use same IP addresses in 'triliovault_nfs_map_input.yml' file too. If you used hostnames there then you need to use same hostnames here in nfs map input file.

Compute host names or IP addresses that you are using in nfs map input file here should match with kolla-ansible inventory file entries.

vi triliovault_nfs_map_input.yml

The triliovault_nfs_map_input.yml is explained .

Update PyYAML on the kolla-ansible server node only

Expand the map file to create a one-to-one mapping of compute and NFS share.

The result will be in file - 'triliovault_nfs_map_output.yml'

Validate output map file

Open file 'triliovault_nfs_map_output.yml

vi triliovault_nfs_map_output.yml

available in the current directory and validate that all compute nodes are covered with all necessary NFS shares.

Append this output map file to triliovault_globals.yml File Path: /home/stack/triliovault-cfg-scripts/kolla-ansible/ansible/triliovault_globals.yml

Ensure to set multi_ip_nfs_enabled in _`_triliovault_globals.yml` file to yes

A new parameter is added to triliovault_globals.yml , set this parameter value to 'yes' if backup target NFS supports multiple endpoints/IPs. File Path: '/home/stack/triliovault-cfg-scripts/kolla-ansible/ansible/triliovault_globals.yml’ multi_ip_nfs_enabled: 'yes'
Later append triliovault_globals.yaml file to /etc/kolla/globals.yml

5] Edit globals.yml to set T4O parameters

Edit /etc/kolla/globals.yml file to fill triliovault backup target and build details. You will find the triliovault related parameters at the end of globals.yml. The user needs to fill in details like triliovault build version, backup target type, backup target details, etc.

Following is the list of parameters that the user needs to edit.

Parameter

Defaults/choices

comments

6] Enable T4O Snapshot mount feature

This step is already part of the 4.2 GA installation procedure and should only be verified.

To enable Trilio's Snapshot mount feature it is necessary to make the Trilio Backup target available to the nova-compute and nova-libvirt containers.

Edit /usr/local/share/kolla-ansible/ansible/roles/nova-cell/defaults/main.yml and find nova_libvirt_default_volumes variable. Append the Trilio mount bind /var/trilio:/var/trilio:shared to the list of already existing volumes.

For a default Kolla installation, will the variable look as follows afterward:

Next, find the variable nova_compute_default_volumes in the same file and append the mount bind /var/trilio:/var/trilio:shared to the list.

After the change will the variable look for a default Kolla installation as follows:

In the case of using Ironic compute nodes one more entry needs to be adjusted in the same file. Find the variable nova_compute_ironic_default_volumes and append trilio mount /var/trilio:/var/trilio:shared to the list.

After the changes the variable will look like the following:

7] Pull containers in case of private repository

In case, the user doesn’t want to use the docker hub registry for triliovault containers during cloud deployment, then the user can pull triliovault images before starting cloud deployment and push them to other preferred registries.

Following are the triliovault container image URLs for 4.3.2 releases. Replace kolla_base_distro and triliovault_tag variables with their values.

This {{ kolla_base_distro }} variable can be either 'centos' or 'ubuntu' depends on your base OpenStack distro This {{ triliovault_tag }} is mentioned at the start of this document.

Trilio supports the Source-based containers from the OpenStack Yoga release **** onwards.

Below are the Source-based OpenStack deployment images

Below are the Binary-based OpenStack deployment images

8] Pull T4O container images

Activate the login into dockerhub for Trilio tagged containers.

Please get the Dockerhub login credentials from Trilio Sales/Support team

Run the below command from the directory with the multinode file tull pull the required images.

9] Run Kolla-Ansible upgrade command

Run the below command from the directory with the multinode file to start the upgrade process.

10] Verify Trilio deployment

Verify on the controller and compute nodes that the Trilio containers are in UP state.

Following is a sample output of commands from controller and compute nodes. triliovault_tag will have value as per the openstack release where deployment being done.

11] Advance settings/configuration for Trilio services

11.1] Customize HAproxy configuration parameters for Trilio datamover api service

Following are the default haproxy conf parameters set against triliovault datamover api service.

These values work best for triliovault dmapi service. It’s not recommended to change these parameter values. However, in some exceptional cases, If needed to change any of the above parameter values then same can be done on kolla-ansible server in the following file.

After editing, run kolla-ansible deploy command again to push these changes to openstack cloud.

Post kolla-ansible deploy, to verify the changes, please check following file, available on all controller/haproxy nodes.

12] Enable mound-bind for NFS

In T4O 4.2 and later releases, deriving of the mount point has been changed. It is necessary to set up the mount-bind to make T4O 4.1 or older backups available for T4O 4.2 and onwards releases.

Please follow to ensure that Backups taken from T4O 4.1 or older can be used with T4O 4.2 and onwards releases.

HTTP/1.1 200 OK
Server: nginx/1.16.1
Date: Wed, 04 Nov 2020 14:07:18 GMT
Content-Type: application/json
Content-Length: 6609
Connection: keep-alive
X-Compute-Request-Id: req-f88fb28f-f4ce-4585-9c3c-ebe08a3f60cd

{
   "snapshot":{
      "id":"2e56d167-bad7-43c7-8ede-a613c3fe7844",
      "created_at":"2020-11-04T13:58:37.000000",
      "updated_at":"2020-11-04T14:06:03.000000",
      "finished_at":"2020-11-04T14:06:03.000000",
      "user_id":"ccddc7e7a015487fa02920f4d4979779",
      "project_id":"c76b3355a164498aa95ddbc960adc238",
      "status":"available",
      "snapshot_type":"full",
      "workload_id":"18b809de-d7c8-41e2-867d-4a306407fb11",
      "instances":[
         {
            "id":"67d6a100-fee6-4aa5-83a1-66b070d2eabe",
            "name":"cirros-2",
            "status":"available",
            "metadata":{
               "availability_zone":"nova",
               "config_drive":"",
               "data_transfer_time":"0",
               "object_store_transfer_time":"0",
               "root_partition_type":"Linux",
               "trilio_ordered_interfaces":"192.168.100.80",
               "vm_metadata":"{\"workload_name\": \"Workload_1\", \"workload_id\": \"18b809de-d7c8-41e2-867d-4a306407fb11\", \"trilio_ordered_interfaces\": \"192.168.100.80\", \"config_drive\": \"\"}",
               "workload_id":"18b809de-d7c8-41e2-867d-4a306407fb11",
               "workload_name":"Workload_1"
            },
            "flavor":{
               "vcpus":"1",
               "ram":"512",
               "disk":"1",
               "ephemeral":"0"
            },
            "security_group":[
               {
                  "name":"default",
                  "security_group_type":"neutron"
               }
            ],
            "nics":[
               {
                  "mac_address":"fa:16:3e:cf:10:91",
                  "ip_address":"192.168.100.80",
                  "network":{
                     "id":"5fb7027d-a2ac-4a21-9ee1-438c281d2b26",
                     "name":"robert_internal",
                     "cidr":null,
                     "network_type":"neutron",
                     "subnet":{
                        "id":"b7b54304-aa82-4d50-91e6-66445ab56db4",
                        "name":"robert_internal",
                        "cidr":"192.168.100.0/24",
                        "ip_version":4,
                        "gateway_ip":"192.168.100.1"
                     }
                  }
               }
            ],
            "vdisks":[
               {
                  "label":null,
                  "resource_id":"fa888089-5715-4228-9e5a-699f8f9d59ba",
                  "restore_size":1073741824,
                  "vm_id":"67d6a100-fee6-4aa5-83a1-66b070d2eabe",
                  "volume_id":"51491d30-9818-4332-b056-1f174e65d3e3",
                  "volume_name":"51491d30-9818-4332-b056-1f174e65d3e3",
                  "volume_size":"1",
                  "volume_type":"iscsi",
                  "volume_mountpoint":"/dev/vda",
                  "availability_zone":"nova",
                  "metadata":{
                     "readonly":"False",
                     "attached_mode":"rw"
                  }
               }
            ]
         },
         {
            "id":"e33c1eea-c533-4945-864d-0da1fc002070",
            "name":"cirros-1",
            "status":"available",
            "metadata":{
               "availability_zone":"nova",
               "config_drive":"",
               "data_transfer_time":"0",
               "object_store_transfer_time":"0",
               "root_partition_type":"Linux",
               "trilio_ordered_interfaces":"192.168.100.176",
               "vm_metadata":"{\"workload_name\": \"Workload_1\", \"workload_id\": \"18b809de-d7c8-41e2-867d-4a306407fb11\", \"trilio_ordered_interfaces\": \"192.168.100.176\", \"config_drive\": \"\"}",
               "workload_id":"18b809de-d7c8-41e2-867d-4a306407fb11",
               "workload_name":"Workload_1"
            },
            "flavor":{
               "vcpus":"1",
               "ram":"512",
               "disk":"1",
               "ephemeral":"0"
            },
            "security_group":[
               {
                  "name":"default",
                  "security_group_type":"neutron"
               }
            ],
            "nics":[
               {
                  "mac_address":"fa:16:3e:cf:4d:27",
                  "ip_address":"192.168.100.176",
                  "network":{
                     "id":"5fb7027d-a2ac-4a21-9ee1-438c281d2b26",
                     "name":"robert_internal",
                     "cidr":null,
                     "network_type":"neutron",
                     "subnet":{
                        "id":"b7b54304-aa82-4d50-91e6-66445ab56db4",
                        "name":"robert_internal",
                        "cidr":"192.168.100.0/24",
                        "ip_version":4,
                        "gateway_ip":"192.168.100.1"
                     }
                  }
               }
            ],
            "vdisks":[
               {
                  "label":null,
                  "resource_id":"c8293bb0-031a-4d33-92ee-188380211483",
                  "restore_size":1073741824,
                  "vm_id":"e33c1eea-c533-4945-864d-0da1fc002070",
                  "volume_id":"365ad75b-ca76-46cb-8eea-435535fd2e22",
                  "volume_name":"365ad75b-ca76-46cb-8eea-435535fd2e22",
                  "volume_size":"1",
                  "volume_type":"iscsi",
                  "volume_mountpoint":"/dev/vda",
                  "availability_zone":"nova",
                  "metadata":{
                     "readonly":"False",
                     "attached_mode":"rw"
                  }
               }
            ]
         }
      ],
      "name":"API taken 2",
      "description":"API taken description 2",
      "host":"TVM1",
      "size":44171264,
      "restore_size":2147483648,
      "uploaded_size":44171264,
      "progress_percent":100,
      "progress_msg":"Snapshot of workload is complete",
      "warning_msg":null,
      "error_msg":null,
      "time_taken":428,
      "pinned":false,
      "metadata":[
         {
            "created_at":"2020-11-04T14:05:57.000000",
            "updated_at":null,
            "deleted_at":null,
            "deleted":false,
            "version":"4.0.115",
            "id":"16fc1ce5-81b2-4c07-ac63-6c9232e0418f",
            "snapshot_id":"2e56d167-bad7-43c7-8ede-a613c3fe7844",
            "key":"backup_media_target",
            "value":"10.10.2.20:/upstream"
         },
         {
            "created_at":"2020-11-04T13:58:37.000000",
            "updated_at":null,
            "deleted_at":null,
            "deleted":false,
            "version":"4.0.115",
            "id":"5a56bbad-9957-4fb3-9bbc-469ec571b549",
            "snapshot_id":"2e56d167-bad7-43c7-8ede-a613c3fe7844",
            "key":"cancel_requested",
            "value":"0"
         },
         {
            "created_at":"2020-11-04T14:05:29.000000",
            "updated_at":"2020-11-04T14:05:45.000000",
            "deleted_at":null,
            "deleted":false,
            "version":"4.0.115",
            "id":"d36abef7-9663-4d88-8f2e-ef914f068fb4",
            "snapshot_id":"2e56d167-bad7-43c7-8ede-a613c3fe7844",
            "key":"data_transfer_time",
            "value":"0"
         },
         {
            "created_at":"2020-11-04T14:05:57.000000",
            "updated_at":null,
            "deleted_at":null,
            "deleted":false,
            "version":"4.0.115",
            "id":"c75f9151-ef87-4a74-acf1-42bd2588ee64",
            "snapshot_id":"2e56d167-bad7-43c7-8ede-a613c3fe7844",
            "key":"hostnames",
            "value":"[\"cirros-1\", \"cirros-2\"]"
         },
         {
            "created_at":"2020-11-04T14:05:29.000000",
            "updated_at":"2020-11-04T14:05:45.000000",
            "deleted_at":null,
            "deleted":false,
            "version":"4.0.115",
            "id":"02916cce-79a2-4ad9-a7f6-9d9f59aa8424",
            "snapshot_id":"2e56d167-bad7-43c7-8ede-a613c3fe7844",
            "key":"object_store_transfer_time",
            "value":"0"
         },
         {
            "created_at":"2020-11-04T14:05:57.000000",
            "updated_at":null,
            "deleted_at":null,
            "deleted":false,
            "version":"4.0.115",
            "id":"96efad2f-a24f-4cde-8e21-9cd78f78381b",
            "snapshot_id":"2e56d167-bad7-43c7-8ede-a613c3fe7844",
            "key":"pause_at_snapshot",
            "value":"0"
         },
         {
            "created_at":"2020-11-04T14:05:57.000000",
            "updated_at":null,
            "deleted_at":null,
            "deleted":false,
            "version":"4.0.115",
            "id":"572a0b21-a415-498f-b7fa-6144d850ef56",
            "snapshot_id":"2e56d167-bad7-43c7-8ede-a613c3fe7844",
            "key":"policy_id",
            "value":"b79aa5f3-405b-4da4-96e2-893abf7cb5fd"
         },
         {
            "created_at":"2020-11-04T14:05:57.000000",
            "updated_at":null,
            "deleted_at":null,
            "deleted":false,
            "version":"4.0.115",
            "id":"dfd7314d-8443-4a95-8e2a-7aad35ef97ea",
            "snapshot_id":"2e56d167-bad7-43c7-8ede-a613c3fe7844",
            "key":"preferredgroup",
            "value":"[]"
         },
         {
            "created_at":"2020-11-04T14:05:57.000000",
            "updated_at":null,
            "deleted_at":null,
            "deleted":false,
            "version":"4.0.115",
            "id":"2e17e1e4-4bb1-48a9-8f11-c4cd2cfca2a9",
            "snapshot_id":"2e56d167-bad7-43c7-8ede-a613c3fe7844",
            "key":"topology",
            "value":"\"\\\"\\\"\""
         },
         {
            "created_at":"2020-11-04T14:05:57.000000",
            "updated_at":null,
            "deleted_at":null,
            "deleted":false,
            "version":"4.0.115",
            "id":"33762790-8743-4e20-9f50-3505a00dbe76",
            "snapshot_id":"2e56d167-bad7-43c7-8ede-a613c3fe7844",
            "key":"workload_approx_backup_size",
            "value":"6"
         }
      ],
      "restores_info":""
   }
}

Example runbook for Disaster Recovery using NFS

This runbook will demonstrate how to set up Disaster Recovery with Trilio for a given scenario.

The chosen scenario is following an actively used Trilio customer environment.

Scenario

There are two Openstack clouds available "Openstack Cloud A" and Openstack Cloud B". "Openstack Cloud B" is the Disaster Recovery restore point of "Openstack Cloud A" and vice versa. Both clouds have an independent Trilio installation integrated. These Trilio installations are writing their Backups to NFS targets. "Trilio A" is writing to "NFS A1" and "Trilio B" is writing to "NFS B1". The NFS Volumes used are getting synced against another NFS Volume on the other side. "NFS A1" is syncing with "NFS B2" and "NFS B1" is syncing with "NFS A2". The syncing process is set up independently from Trilio and will always favor the newer dataset.

This scenario will cover the Disaster Recovery of a single Workload and a complete Cloud. All processes are done be the Openstack administrator.

Prerequisites for the Disaster Recovery process

This runbook will assume that the following is true:

"Openstack Cloud A" and "Openstack Cloud B" both have an active Trilio installation with a valid license
"Openstack Cloud A" and "Openstack Cloud B" have free resources to host additional VMs
"Openstack Cloud A" and "Openstack Cloud B" have Tenants/Projects available that are the designated restore points for Tenant/Projects of the other side

For ease of writing will this runbook assume from here on, that "Openstack Cloud A" is down and the Workloads are getting restored into "Openstack Cloud B".

In the case of the usage of shared Tenant networks, beyond the floating IP, the following additional requirement is needed: All Tenant Networks, Routers, Ports, Floating IPs, and DNS Zones are created

Disaster Recovery of a single Workload

A single Workload can do a Disaster Recovery in this Scenario, while both Clouds are still active. To do so the following high-level process needs to be followed:

Copy the Workload directories to the configured NFS Volume
Make the right Mount-Paths available
Reassign the Workload

Copy the Workload directories to the configured NFS Volume

This process only shows how to get a Workload from "Openstack Cloud A" to "Openstack Cloud B". The vice versa process is similar.

As only a single Workload is to be recovered it is more efficient to copy the data of that single Workload over to the "NFS B1" Volume, which is used by "Trilio B".

Mount "NFS B2" Volume to a Trilio VM

It is recommended to use the Trilio VM as a connector between both NFS Volumes, as the nova user is available on the Trilio VM.

Identify the Workload on the "NFS B2" Volume

Trilio Workloads are identified by their ID und which they are stored on the Backup Target. See below example:

In the case that the Workload ID is not known can available Metadata inside the Workload directories be used to identify the correct Workload.

Copy the Workload

The identified workload needs to be copied with all subdirectories and files. Afterward, it is necessary to adjust the ownership to nova:nova with the right permissions.

Make the Mount-Paths available

Trilio backups are using qcow2 backing files, which make every incremental backup a full synthetic backup. These backing files can be made visible using the qemu-img tool.

The MTAuMTAuMi4yMDovdXBzdHJlYW0= part of the backing file path is the base64 hash value, which will be calculated upon the configuration of a Trilio installation for each provided NFS-Share.

This hash value is calculated based on the provided NFS-Share path: <NFS_IP>/<path> If even one character in the NFS-Share path is different between the provided NFS-Share paths a completely different hash value is generated.

Workloads, that have been moved between NFS-Shares, require that their incremental backups can follow the same path as on their original Source Cloud. To achieve this it is necessary to create the mount path on all compute nodes of the Target Cloud.

Afterwards a mount bind is used to make the workloads data accessible over the old and the new mount path. The following example shows the process of how to successfully identify the necessary mount points and create the mount bind.

Identify the base64 hash values

The used hash values can be calculated using the base64 tool in any Linux distribution.

Create and bind the paths

Based on the identified base64 hash values the following paths are required on each Compute node.

/var/triliovault-mounts/MTAuMTAuMi4yMDovdXBzdHJlYW1fc291cmNl

and

/var/triliovault-mounts/MTAuMjAuMy4yMjovdXBzdHJlYW1fdGFyZ2V0

In the scenario of this runbook is the workload coming from the NFS_A1 NFS-Share, which means the mount path of that NFS-Share needs to be created and bound to the Target Cloud.

To keep the desired mount past a reboot it is recommended to edit the fstab of all compute nodes accordingly.

Reassign the workload

Trilio workloads have clear ownership. When a workload is moved to a different cloud it is necessary to change the ownership. The ownership can only be changed by Openstack administrators.

Add admin-user to required domains and projects

To fulfill the required tasks an admin role user is used. This user will be used until the workload has been restored. Therefore, it is necessary to provide this user access to the desired Target Project on the Target Cloud.

Discover orphaned Workloads from NFS-Storage of Target Cloud

Each Trilio installation maintains a database of workloads that are known to the Trilio installation. Workloads that are not maintained by a specific Trilio installation, are from the perspective of that installation, orphaned workloads. An orphaned workload is a workload accessible on the NFS-Share, that is not assigned to any existing project in the Cloud the Trilio installation is protecting.

List available projects on Target Cloud in the Target Domain

The identified orphaned workloads need to be assigned to their new projects. The following provides the list of all available projects viewable by the used admin-user in the target_domain.

List available users on the Target Cloud in the Target Project that have the right backup trustee role

To allow project owners to work with the workloads as well will they get assigned to a user with the backup trustee role that is existing in the target project.

Reassign the workload to the target project

Now that all informations have been gathered the workload can be reassigned to the target project.

Verify the workload is available at the desired target_project

After the workload has been assigned to the new project it is recommended to verify the workload is managed by the Target Trilio and is assigned to the right project and user.

Restore the workload

The reassigned workload can be restored using Horizon following the procedure described .

This runbook will continue on the CLI only path.

Prepare the selective restore by getting the snapshot information

To be able to do the necessary selective restore a few pieces of information about the snapshot to be restored are required. The following process will provide all necessary information.

List all Snapshots of the workload to restore to identify the snapshot to restore

Get Snapshot Details with network details for the desired snapshot

Get Snapshot Details with disk details for the desired Snapshot

Prepare the selective restore by creating the restore.json file

The selective restore is using a restore.json file for the CLI command. This restore.json file needs to be adjusted according to the desired restore.

Run the selective restore

To do the actual restore use the following command:

Verify the restore

To verify the success of the restore from a Trilio perspective the restore status is checked.

Clean up

After the Desaster Recovery Process has been successfully completed it is recommended to bring the TVM installation back into its original state to be ready for the next DR process.

Delete the workload

Delete the workload that got restored.

Remove the database entry

The Trilio database is following the Openstack standard of not deleting any database entries upon deletion of the cloud object. Any Workload, Snapshot or Restore, which gets deleted, is marked as deleted only.

To allow the Trilio installation to be ready for another disaster recovery it is necessary to completely delete the entries of the Workloads, which have been restored.

Trilio does provide and maintain a script to safely delete workload entries and all connected entities from the Trilio database.

This script can be found here:

Remove the admin user from the project

After all restores for the target project have been achieved it is recommended to remove the used admin user from the project again.

Disaster Recovery of a complete cloud

This Scenario will cover the Disaster Recovery of a full cloud. It is assumed that the source cloud is down or lost completly. To do the disaster recovery the following high-level process needs to be followed:

Reconfigure the Target Trilio installation
Make the right Mount-Paths available
Reassign the Workload

Reconfigure the Target Trilio installation

Before the Desaster Recovery Process can start is it necessary to make the backups to be restored available for the Trilio installation. The following steps need to be done to completely reconfigure the Trilio installation.

During the reconfiguration process will all backups of the Target Region be on hold and it is not recommended to create new Backup Jobs until the Desaster Recovery Process has finished and the original Trilio configuration has been restored.

Add NFS B2 to the Trilio Appliance Cluster

To add the NFS-Vol2 to the Trilio Appliance cluster the Trilio can either be to use both NFS Volumes or it is possible to edit the configuration file and then restart all services. This procedure describes how to edit the conf file and restart the services. This needs to be repeated on every Trilio Appliance.

Edit the workloadmgr.conf

Look for the line defining the NFS mounts

Add NFS B2 to that as comma-seperated list. Space is not necessary, but can be set.

Write and close the workloadmgr.conf

Restart the wlm-workloads service

Add NFS B2 to the Trilio Datamovers

Trilio is integrating natively into the Openstack deployment tools. When using the Red Hat director or JuJu charms it is recommended to adapt the environment files for these orchestrators and update the Datamovers through them.

To add the NFS B2 to the Trilio Datamovers manually the tvault-contego.conf file needs to be edited and the service restarted.

Edit the tvault-contego.conf

Look for the line defining the NFS mounts

Add NFS B2 to that as comma-seperated list. Space is not necessary, but can be set.

Write and close the tvault-contego.conf

Restart the tvault-contego service

Make the Mount-Paths available

Trilio backups are using qcow2 backing files, which make every incremental backup a full synthetic backup. These backing files can be made visible using the qemu-img tool.

The MTAuMTAuMi4yMDovdXBzdHJlYW0= part of the backing file path is the base64 hash value, which will be calculated upon the configuration of a Trilio installation for each provided NFS-Share.

Identify the base64 hash values

The used hash values can be calculated using the base64 tool in any Linux distribution.

Create and bind the paths

Based on the identified base64 hash values the following paths are required on each Compute node.

/var/triliovault-mounts/MTAuMTAuMi4yMDovdXBzdHJlYW1fc291cmNl

and

/var/triliovault-mounts/MTAuMjAuMy4yMjovdXBzdHJlYW1fdGFyZ2V0

In the scenario of this runbook is the workload coming from the NFS_A1 NFS-Share, which means the mount path of that NFS-Share needs to be created and bound to the Target Cloud.

To keep the desired mount past a reboot it is recommended to edit the fstab of all compute nodes accordingly.

Reassign the workload

Trilio workloads have clear ownership. When a workload is moved to a different cloud it is necessary to change the ownership. The ownership can only be changed by Openstack administrators.

Add admin-user to required domains and projects

Discover orphaned Workloads from NFS-Storage of Target Cloud

List available projects on Target Cloud in the Target Domain

The identified orphaned workloads need to be assigned to their new projects. The following provides the list of all available projects viewable by the used admin-user in the target_domain.

List available users on the Target Cloud in the Target Project that have the right backup trustee role

To allow project owners to work with the workloads as well will they get assigned to a user with the backup trustee role that is existing in the target project.

Reassign the workload to the target project

Now that all informations have been gathered the workload can be reassigned to the target project.

Verify the workload is available at the desired target_project

After the workload has been assigned to the new project it is recommended to verify the workload is managed by the Target Trilio and is assigned to the right project and user.

Restore the workload

The reassigned workload can be restored using Horizon following the procedure described .

This runbook will continue on the CLI only path.

Prepare the selective restore by getting the snapshot information

To be able to do the necessary selective restore a few pieces of information about the snapshot to be restored are required. The following process will provide all necessary information.

List all Snapshots of the workload to restore to identify the snapshot to restore

Get Snapshot Details with network details for the desired snapshot

Get Snapshot Details with disk details for the desired Snapshot

Prepare the selective restore by creating the restore.json file

The selective restore is using a restore.json file for the CLI command. This restore.json file needs to be adjusted according to the desired restore.

Run the selective restore

To do the actual restore use the following command:

Verify the restore

To verify the success of the restore from a Trilio perspective the restore status is checked.

Reconfigure the Target Trilio installation back to the original one

After the Desaster Recovery Process has finished it is necessary to return the Trilio installation to its original configuration. The following steps need to be done to completely reconfigure the Trilio installation.

Delete NFS B2 to the Trilio Appliance Cluster

Edit the workloadmgr.conf

Look for the line defining the NFS mounts

Delete NFS B2 from the comma-seperated list

Write and close the workloadmgr.conf

Restart the wlm-workloads service

Delete NFS B2 to the Trilio Datamovers

To add the NFS B2 to the Trilio Datamovers manually the tvault-contego.conf file needs to be edited and the service restarted.

Edit the tvault-contego.conf

Look for the line defining the NFS mounts

Add NFS B2 to that as comma-seperated list. Space is not necessary, but can be set.

Write and close the tvault-contego.conf

Restart the tvault-contego service

Clean up

After the Desaster Recovery Process has been successfully completed and the Trilio installation reconfigured to its original state, it is recommended to do the following additional steps to be ready for the next Disaster Recovery process.

Remove the database entry

To allow the Trilio installation to be ready for another disaster recovery it is necessary to completely delete the entries of the Workloads, which have been restored.

Trilio does provide and maintain a script to safely delete workload entries and all connected entities from the Trilio database.

This script can be found here:

Remove the admin user from the project

After all restores for the target project have been achieved it is recommended to remove the used admin user from the project again.

T4O-4.3

About Trilio for OpenStack

Trilio for OpenStack Architecture

hashtagBackup-as-a-Service

hashtagMain Components

hashtagService Endpoints

hashtagNetwork Topology

Trilio 4.3 Release Notes

Deployment Guide

Requirements

Preparing the installation

hashtagTenant Quotas

Installing Trilio Components

Apply the Trilio license

hashtagApply license through Horizon

Advanced Ceph configurations

Additions for multiple CEPH configurations

Additions for multiple Ceph users

Uninstall Trilio

Uninstalling from Canonical OpenStack

Upgrade Trilio

Upgrade OpenStack

TrilioVault Upgrade Upon RHOSP cloud Upgrade

hashtag1] Finish upgrade process for RHOSP cloud

hashtag2] Now we need to upgrade TrilioVault to match with new RHOSP release

hashtag2.1] Identify correct TrilioVault release for new RHOSP release

hashtag2.2] Install TrilioVault using devops code compatible with new RHOSP release

hashtag2.3] Done

Switch NFS Backing file

hashtag

Trilio Appliance Administration Guide

Set Trilio GUI login banner

Trilio Appliance Dashboard

Set network accessibility of Trilio GUI

hashtagNetwork Setup

hashtagNginx setup

hashtagLimit the access of the Dashboard

hashtagVerify the accessibility as required

Reconfigure the Trilio Cluster

Change the Trilio GUI password

hashtagChange Trilio Dashboard password

Reset the Trilio GUI password

Reinitialize Trilio

Download Trilio logs

hashtagDownload Trilio logs

Clean up Trilio database

User Guide

Schedulers

hashtagDefinition

E-Mail Notifications

hashtagDefinition

hashtagRequirements to activate E-Mail Notifications

hashtagUser E-Mail assigned

hashtagTrilio E-Mail Server configured

hashtagActivate/Deactivate the E-Mail Notifications

hashtagExample E-Mails

Admin Guide

Managing Trusts

Disaster Recovery

hashtagDisaster Recovery Process

Migrating encrypted Workloads

hashtagSame cloud - different owner

hashtagDifferent cloud

Rebasing existing workloads

Troubleshooting

Frequently Asked Questions

hashtag1. Can Trilio for OpenStack restore instance UUIDs?

General Troubleshooting Tips

hashtagWhat is happening where

Using the workloadmgr CLI tool on the Trilio Appliance

API GUIDE

Trilio 4.3 Release Notes

Trilio for OpenStack Architecture

hashtagBackup-as-a-Service

hashtagMain Components

hashtagService Endpoints

hashtagNetwork Topology

About Trilio for OpenStack

Uninstalling from Canonical OpenStack

Reinitialize Trilio

Backup-as-a-Service

Main Components

Service Endpoints

Network Topology

Tenant Quotas

Apply license through Horizon

1] Finish upgrade process for RHOSP cloud

2] Now we need to upgrade TrilioVault to match with new RHOSP release

2.1] Identify correct TrilioVault release for new RHOSP release

2.2] Install TrilioVault using devops code compatible with new RHOSP release

2.3] Done

Network Setup

Nginx setup

Limit the access of the Dashboard

Verify the accessibility as required

Change Trilio Dashboard password

Download Trilio logs

Definition

Definition

Requirements to activate E-Mail Notifications

User E-Mail assigned

Trilio E-Mail Server configured

Activate/Deactivate the E-Mail Notifications

Example E-Mails

Disaster Recovery Process

Same cloud - different owner

Different cloud

1. Can Trilio for OpenStack restore instance UUIDs?

What is happening where

Backup-as-a-Service

Main Components

Service Endpoints

Network Topology

Tenant Quotas

Download Trilio logs

AWS S3 eventual consistency¶

Trilio Cluster¶

Change Trilio Dashboard password

1] Finish upgrade process for RHOSP cloud

2] Now we need to upgrade TrilioVault to match with new RHOSP release

2.1] Identify correct TrilioVault release for new RHOSP release

2.2] Install TrilioVault using devops code compatible with new RHOSP release

2.3] Done

Definition

Requirements to activate E-Mail Notifications

User E-Mail assigned

Trilio E-Mail Server configured

Activate/Deactivate the E-Mail Notifications

Example E-Mails

Same cloud - different owner

Different cloud

1. Can Trilio for OpenStack restore instance UUIDs?

Apply license through Horizon

What is happening where

Disaster Recovery Process

System requirements Trilio Appliance

Software Requirements

OpenStack Barbican for encryption

During a backup process

During a restore process

dmapi

datamover

Everything on the Backup Target is happening as user nova

Input/Output Error with Cohesity NFS

Timeout receiving packet error in multipath iscsi environment

Trilio Trustee Role

Openstack Quotas

Trilio Configurator

Enable mount-bind for NFS

Apply license through CLI

Mount-paths

List all trusts

Show a trust