Learn about configuring Trilio for OpenStack
The configuration process used by Trilio for OpenStack relies heavily on Ansible scripts. Ansible has emerged in recent years as a leading tool for configuration management, and Trilio makes extensive use of Ansible playbooks to configure the Trilio cluster. To troubleshoot Trilio configuration issues, users need a fundamental understanding of Ansible playbook output.
Given the inherent repeatability of Ansible modules, the Trilio configuration can be run as many times as needed to alter or reconfigure the Trilio cluster.
Upon booting the VM, direct your browser (preferably Chrome or Firefox) to the Trilio node's IP address. This will take you to the Trilio Dashboard, which houses the Trilio configurator.
The user is: admin
The default password is: password
After the first login, you will be prompted to change the admin password.
Unlike previous versions of Trilio, the current version only requires you to configure the cluster once and the Trilio dashboard provides cluster-wide management capability.
OpenStack endpoints can be configured to use TLS. In such a configuration the Trilio appliance needs to trust the certificates provided by the OpenStack endpoints.
To achieve this trust it is required to upload the OpenStack certificate bundle through the OS API certificate tab of the Trilio appliance Dashboard.
The certificate bundle is located on the controller nodes of the OpenStack installation.
The default paths for each distribution are as follows:
The uploaded certificates can be verified on the Trilio appliance at the following location.
Once you log in to an unconfigured Trilio Appliance, the first page you encounter is the configurator. This tool needs specific details about the Trilio Appliance, OpenStack, and Backup Storage to proceed.
The Trilio Cluster must be integrated into an existing OpenStack environment. The following fields ask for the details of your Trilio Cluster.
Controller Nodes
This is the list of Trilio virtual appliance IP addresses along with their hostnames.
Format: comma-separated list with pairs combined through '='
Example: 172.20.4.151=tvault-104-1,172.20.4.152=tvault-104-2,172.20.4.153=tvault-104-3
The Trilio Cluster supports only 1 node and 3 node clusters.
Virtual IP Address
This is the Trilio cluster IP address, which is mandatory.
Format: IP/Subnet
Example: 172.20.4.150/24
The Virtual IP is mandatory even for single-node clusters and has to be different from any IP assigned to a Trilio Controller Node.
Name Server
List of nameservers, primarily used to resolve OpenStack service endpoints.
Format: comma-separated list
example: 10.10.10.1,172.20.4.1
If defining OpenStack endpoint hostnames in the /etc/hosts file on the Trilio Appliance VM is preferred over a DNS solution, you may set the nameserver to 0.0.0.0, the default gateway.
Domain Search Order
The domain the Trilio Cluster will use.
Format: comma-separated list
example: trilio.io,trilio.demo
NTP Servers
NTP servers the Trilio Cluster will use
format: comma-separated list
example: 0.pool.ntp.org,10.10.10.10
Timezone
Timezone the Trilio Cluster will use internally
format: pre-populated list
example: UTC
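The cluster fields above can be checked before they are typed into the configurator. The following is an added example, not part of Trilio or of the original page: a pre-flight check for the Controller Nodes, Virtual IP Address and Name Server formats and rules stated above. The function names are hypothetical, and the duplicate check and the requirement that name servers are IP addresses are assumptions based on the examples shown.

```python
import ipaddress

ALLOWED_CLUSTER_SIZES = {1, 3}  # the page: only 1-node and 3-node clusters

def parse_controller_nodes(value):
    """Parse 'ip=hostname,ip=hostname' into a list of (ip_address, hostname)."""
    nodes = []
    for pair in value.split(","):
        ip_text, sep, hostname = pair.strip().partition("=")
        if not sep or not hostname.strip():
            raise ValueError(f"expected ip=hostname, got {pair!r}")
        nodes.append((ipaddress.ip_address(ip_text.strip()), hostname.strip()))
    return nodes

def validate_cluster_fields(controller_nodes, virtual_ip, name_servers):
    """Return a list of problems; an empty list means the fields are consistent."""
    problems = []
    try:
        nodes = parse_controller_nodes(controller_nodes)
    except ValueError as exc:
        return [f"Controller Nodes: {exc}"]
    ips = [ip for ip, _ in nodes]
    names = [name for _, name in nodes]
    if len(nodes) not in ALLOWED_CLUSTER_SIZES:
        problems.append(f"Controller Nodes: {len(nodes)} nodes given, only 1 or 3 supported")
    # Assumption (not stated on the page): a repeated IP or hostname is a typo.
    if len(set(ips)) != len(ips) or len(set(names)) != len(names):
        problems.append("Controller Nodes: duplicate IP address or hostname")
    try:
        if "/" not in virtual_ip:
            raise ValueError("missing /Subnet part")
        vip = ipaddress.ip_interface(virtual_ip.strip())
        if vip.ip in ips:  # the VIP must not be a controller node address
            problems.append("Virtual IP Address: must differ from every controller node IP")
    except ValueError as exc:
        problems.append(f"Virtual IP Address: {exc}")
    # Assumption: name servers are given as IP addresses, as in the page's example.
    for server in name_servers.split(","):
        try:
            ipaddress.ip_address(server.strip())
        except ValueError:
            problems.append(f"Name Server: {server.strip()!r} is not an IP address")
    return problems

if __name__ == "__main__":
    # Values taken from the examples on this page; prints [] when all checks pass.
    print(validate_cluster_fields(
        "172.20.4.151=tvault-104-1,172.20.4.152=tvault-104-2,172.20.4.153=tvault-104-3",
        "172.20.4.150/24", "10.10.10.1,172.20.4.1"))
```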
The Trilio Appliance integrates with one OpenStack environment. The following fields ask for the information required to access and connect with the OpenStack Cluster.
Keystone URL
The Keystone endpoint used to fetch authentication for configuration
format: URL
example: https://keystone.trilio.io:5000/v3
Endpoint Type
Defines which endpoint type will be used to communicate with the OpenStack endpoints
format: predefined list of radio buttons
example: Public
When FQDNs are used for the Keystone endpoints it is necessary to configure at least one DNS server before the configuration.
Absent a DNS server, the IPs should be defined in the /etc/hosts file on the Trilio Appliance, and the nameserver should be set to 0.0.0.0.
Otherwise, the validation of the OpenStack Credentials will fail.
Domain ID
Domain the provided user and tenant are located in
format: ID
example: default
Administrator
Username of an account with the domain admin role
format: String
example: admin
Password
Password for the previously provided user
format: String
example: password
Trilio requires domain admin role access. To provide domain admin role to a user, the following command can be used:
openstack role add --domain <domain id> --user <username> admin
After every entry, the Trilio configurator verifies whether it is possible to log in to OpenStack using the provided credentials.
This verification will fail until all entries are set and correct.
When the verification is successful it is possible to choose the Admin tenant, the Region, and the Trustee role without error.
Admin Tenant
The tenant to be used together with the provided user
format: a pre-populated list
example: admin
Region
OpenStack Region the user and tenant are located in
format: a pre-populated list
example: RegionOne
Trustee Role
The OpenStack role required to be able to use Trilio functionalities
format: a pre-populated list
example: _member_
When leveraging OpenStack Barbican for protecting encrypted volumes and offering encrypted backups, it's essential that the Trustee Role is assigned as 'Creator' or a role that possesses equivalent permissions to the Creator role.
This is crucial because only the Creator role has the authority to create, read, and delete secrets within Barbican. The generation of encryption-enabled workloads would be unsuccessful if the Trustee Role does not possess the permissions associated with the 'Creator' role.
These fields request information about the backup target that the Trilio installation will use to store your backups.
OpenStack Distribution
Select the Distribution of OpenStack for Trilio integration
format: predefined list
example: RHOSP
Some distributions of OpenStack require a special mount point to be used, so make the OpenStack Distribution selection carefully.
Backup Storage
Defines the Backup Storage protocol to use
format: predefined list of radio buttons
example: NFS
NFS Export
The path under which the NFS Volumes to be used can be found
format: comma-separated list of NFS Volumes paths
example: 10.10.2.20:/upstream,10.10.5.100:/nfs2
NFS Options
NFS options used by the Trilio Cluster when mounting the NFS Exports
format: NFS options
example: nolock,soft,timeo=180,intr,lookupcache=none
NFS options for Cohesity NFS: nolock,soft,timeo=600,intr,lookupcache=none,nfsvers=3,retrans=10
If Input/Output errors are observed on Cohesity NFS, try increasing the timeout and retrans parameter values in the NFS options.
Please use the predefined NFS Options and only change them when it is known that changes are necessary.
Trilio is testing against the predefined NFS options.
S3 Compatible
Switch between Amazon and other S3 compatible storage solutions
format: predefined list
example: Amazon S3
(S3 compatible) Endpoint URL
URL to be used to reach and access the provided S3 compatible storage
format: URL
example: objects.trilio.io
Access Key
Access Key necessary to log in to the S3 storage
format: access key
example: SFHSAFHPFFSVVBSVBSZRF
Secret Key
Secret Key necessary to log in to the S3 storage
format: secret key
example: bfAEURFGHsnvd3435BdfeF
Region
Configured Region for the S3 Bucket (keep the default for S3 compatible without Region)
format: String
example: us-east-1
Signature Version
S3 signature version to use for signing into the S3 storage
format: string
example: default
Bucket Name
Name of the bucket to be used as Backup target
format: string
example: Trilio-backup
When using a secure HTTPS endpoint for non-AWS S3 storage (for example Ceph), you should validate the Certificate Authority (CA) by uploading the corresponding CA certificate. The certificate can be uploaded in the "OS API Certificate" section, under the "Upload Client Certificate" subsection, as explained in Uploading the OpenStack Certificate Bundle.
At the end of the configurator is the option to activate advanced settings.
Activating this option provides the ability to configure the Keystone endpoints used for the Datamover API and Trilio.
Trilio generates Keystone endpoints for 2 services: the Trilio Datamover API and the Trilio Workloadmanager.
OpenStack installations typically distribute endpoint types across various networks.
The advanced settings for both the Datamover API endpoints and TrilioWorkloadManager endpoints enable Trilio configuration options which allow the user to accommodate such an environment.
IP addresses supplied in these fields are added as additional VIPs to the Trilio cluster.
Should a Fully Qualified Domain Name (FQDN) be used for those endpoints, the Trilio configurator will resolve the FQDN, subsequently identifying the associated IP addresses, which are then added as additional Virtual IP addresses (VIPs).
It is recommended to verify the Datamover API settings against the ones configured during the installation of the Trilio components.
Should these endpoints already exist in Keystone, their values will be prefilled and immutable. If changes are necessary, you must first remove the old Keystone endpoints.
Providing a URL with https activates the TLS enabled configuration, which requires the upload of certificates and the connected private key.
Trilio allows the use of an external MySQL or MariaDB database.
This database needs to be prepared by creating the empty workloadmgr database, creating the workloadmgr user and setting the right permissions.
An example command to create this database would be:
Provide the connection string to the Trilio configurator.
The database value can only be set upon an initial configuration of the Trilio solution.
When the Cluster has been configured to use the internal database, then the connection string will not be shown in the next configuration attempt.
In the case of an external database, the connection string will be shown but is immutable.
Trilio is using a service user that is located in the OpenStack service project.
The password for this service user will be generated randomly or can be defined in the advanced settings.
Once all entries have been set and all validations are error-free the configurator can be started.
Click Finish
Reconfirm in the pop-up that you want to start the configuration
Wait for the configurator to finish
Some elements of the configuration take longer than others. Even when it looks like the configurator is stuck, please wait till the configurator finishes. Should the configurator not be finished after 6 hours have elapsed, please contact Trilio Support for assistance.
The configurator utilizes Ansible and Trilio internal API calls during the configuration process.
Following each configuration block or upon completion of the entire configurator process, you have the opportunity to examine the output generated by Ansible.
At the end of a successful configuration, the page will be forwarded to the configured VIP for the Trilio Appliance.