Configuring Trilio

Learn about configuring Trilio for OpenStack

The configuration process used by Trilio for OpenStack heavily utilizes Ansible scripts. In recent years, Ansible has emerged as a leading tool for configuration management, due to which Trilio makes extensive use of Ansible playbooks to effectively configure the Trilio cluster. To address any potential Trilio configuration issues, it's crucial for users to have a fundamental understanding of Ansible playbook output.

Given the inherent repeatability of Ansible modules, the Trilio configuration can be run as many times as needed to alter or reconfigure the Trilio cluster.

Upon booting the VM, direct your browser (preferably Chrome or Firefox) to the Trilio node's IP address. This will take you to the Trilio Dashboard, which houses the Trilio configurator.

The user is: admin The default password is: password

After the first login, you will be prompted to change the admin password.

Unlike previous versions of Trilio, the current version only requires you to configure the cluster once and the Trilio dashboard provides cluster-wide management capability.

Uploading the OpenStack certificate bundle

OpenStack endpoints can be configured to use TLS. In such a configuration the Trilio appliance needs to trust the certificates provided by the OpenStack endpoints.

To achieve this trust it is required to upload the OpenStack certificate bundle through the OS API certificate tab of the Trilio appliance Dashboard.

The certificate bundle is located on the controller nodes of the OpenStack installation.

The default paths for each distribution are as follows:

RHOSP/TripleO: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
Kolla Ansible with CentOS: /etc/pki/tls/certs/ca-bundle.crt
Kolla Ansible with Ubuntu:  /usr/local/share/ca-certificates/
OpenStack Ansible (OSA) with Ubuntu in our lab: /etc/openstack_deploy/ssl/
OpenStack Asnible (OSA) with CentOS: /etc/openstack_deploy/ssl

The uploaded certificates can be verified on the Trilio appliance at the following location.

/etc/workloadmgr/ca-chain.pem

Details needed for the Trilio Appliance

Once you log in to an unconfigured Trilio Appliance, the first page you encounter is the configurator. This tool needs specific details about the Trilio Appliance, OpenStack, and Backup Storage to proceed.

Trilio Cluster information

The Trilio Cluster must integrated into an existing OpenStack environment. The following fields ask for the details of your Trilio Cluster.

Controller Nodes
- This is the list of Trilio virtual appliance IP addresses along with their hostnames.
- Format: comma-separated list with pairs combined through '='
- Example: 172.20.4.151=tvault-104-1,172.20.4.152=tvault-104-2,172.20.4.153=tvault-104-3’

The Trilio Cluster supports only 1 node and 3 node clusters.

Virtual IP Address
- This is the Trilio cluster IP address which is mandatory
- Format: IP/Subnet
- Example: 172.20.4.150/24

The Virtual IP is mandatory even for single-node clusters and has to be different from any IP assigned to a Trilio Controller Node.

Name Server
- List of nameservers, primarily used to resolve OpenStack service endpoints.
- Format: comma-separated list
- example: 10.10.10.1,172.20.4.1

If defining OpenStack endpoint hostnames in the /etc/hosts file on the Trilio Applicance VM is preferred over a DNS solution you may set the nameserver to 0.0.0.0, the default gateway.

Domain Search Order
- The domain the Trilio Cluster will use.
- Format: comma-separated list
- example: trilio.io,trilio.demo
NTP Servers
- NTP servers the Trilio Cluster will use
- format: comma-separated list
- example: 0.pool.ntp.org,10.10.10.10
Timezone
- Timezone the Trilio Cluster will use internally
- format: pre-populated list
- example: UTC

OpenStack Credentials information

The Trilio Appliance integrates with one OpenStack environment. The following fields ask for the information required to access and connect with the OpenStack Cluster.

Keystone URL
- The Keystone endpoint used to fetch authentication for configuration
- format: URL
- example: https://keystone.trilio.io:5000/v3
Endpoint Type
- Defines which endpoint type will be used to communicate with the Openstack endpoints
- format: predefined list of radio buttons
- example: Public

When FQDNs are used for the Keystone endpoints it is necessary to configure at least one DNS server before the configuration.

Absent a DNS server, the IPs should be defined in the /etc/hosts file on the Trilio Appliance, and the nameserver should be set to 0.0.0.0.

Otherwise, the validation of the Openstack Credentials will fail.

Domain ID
- domain the provided user and tenant are located in
- format: ID
- example: default
Administrator
- Username of an account with the domain admin role
- format: String
- example: admin
Password
- password for the prior provided user
- format: String
- example: password

Trilio requires domain admin role access. To provide domain admin role to a user, the following command can be used:

openstack role add --domain <domain id> --user <username> admin

The Trilio configurator verifies after every entry if it is possible to login into Openstack using the provided credentials.

This verification will fail until all entries are set and correct.

When the verification is successful it is possible to choose the Admin tenant, the Region, and the Trustee role without error.

Admin Tenant
- The tenant to be used together with the provided user
- format: a pre-populated list
- example: admin
Region
- Openstack Region the user and tenant are located in
- format: a pre-populated list
- example: RegionOne
Trustee Role
- The Openstack role required to be able to use Trilio functionalities
- format: a pre-populated list
- example: _member_

When leveraging OpenStack Barbican for protecting encrypted volumes and offering encrypted backups, it's essential that the Trustee Role is assigned as 'Creator' or a role that possesses equivalent permissions to the Creator role.

This is crucial because only the Creator role has the authority to create, read, and delete secrets within Barbican. The generation of encryption-enabled workloads would be unsuccessful if the Trustee Role does not possess the permissions associated with the 'Creator' role.

Backup Storage Configuration information

These fields request information about the backup target that the Trilio installation will use to store your backups.

OpenStack Distribution
- Select the Distribution of OpenStack for Trilio integration
- format: predefined list
- example: RHOSP

Some distributions of OpenStack require a special mount point to be used, so make the OpenStack Distribution selection carefully.

Backup Storage
- Defines the Backup Storage protocol to use
- format: predefined list of radio buttons
- example: NFS

Using the NFS protocol

NFS Export
- The path under which the NFS Volumes to be used can be found
- format: comma-separated list of NFS Volumes paths
- example: 10.10.2.20:/upstream,10.10.5.100:/nfs2
NFS Options
- NFS options used by the Trilio Cluster when mounting the NFS Exports
- format: NFS options
- example: nolock,soft,timeo=180,intr,lookupcache=none
- NFS options for Cohesity NFS : nolock,soft,timeo=600,intr,lookupcache=none,nfsvers=3,retrans=10

On Cohesity NFS if Input/Output errors are observed then try increasing timeout and retrans parameter value in NFS options

Please use the predefined NFS Options and only change them when it is know that changes are necessary.

Trilio is testing against the predefined NFS options.

Using the S3 protocol

S3 Compatible
- Switch between Amazon and other S3 compatible storage solutions
- format: predefined list
- example: Amazon S3
(S3 compatible) Endpoint URL
- URL to be used to reach and access the provided S3 compatible storage
- format: URL
- example: objects.trilio.io
Access Key
- Access Key necessary to login into the S3 storage
- format: access key
- example: SFHSAFHPFFSVVBSVBSZRF
Secret Key
- Secret Key necessary to login into the S3 storage
- format: secret key
- example: bfAEURFGHsnvd3435BdfeF
Region
- Configured Region for the S3 Bucket (keep the default for S3 compatible without Region)
- format: String
- example: us-east-1
Signature Version
- S3 signature version to use for signing into the S3 storage
- format: string
- example: default
Bucket Name
- Name of the bucket to be used as Backup target
- format: string
- example: Trilio-backup

Using a Secured HTTPS Endpoint for Non-AWS S3 Storage

When using a secure HTTPS endpoint for non-AWS S3 storage (for example Ceph), you should validate the Certificate Authority (CA) by uploading the corresponding CA certificate. The certificate can be uploaded in the "OS API Certificate" section, under the "Upload Client Certificate" subsection, as explained in Uploading the OpenStack Certificate Bundle.

Advanced settings

At the end of the configurator is the option to activate advanced settings.

Activating this option provides the ability to configure the Keystone endpoints used for the Datamover API and Trilio.

Setup Trilio and Datamover API endpoints.

Trilio generates Keystone endpoints for 2 services. The Trilio Datamover API and the Trilio Workloadmanager.

OpenStack installations typically distribute endpoint types across various networks.

The advanced settings for both the Datamover API endpoints and TrilioWorkloadManager endpoints enable Trilio configuration options which allow the user to accommodate for such an environment.

IP addresses supplied in these fields are added as additional VIPs to the Trilio cluster.

Should a Fully Qualified Domain Name (FQDN) be used for those endpoints, the Trilio configurator will resolve the FQDN, subsequently identifying the associated IP addresses, which are then added as additional Virtual IP addresses (VIPs).

It is recommended to verify the Datamover API settings against the ones configured during the installation of the Trilio components.

Should these endpoints already exist in Keystone, their values will be prefilled and immutable. If changes are necessary, you must first remove the old Keystone endpoints.

Providing a URL with https activates the TLS enabled configuration, which requires the upload of certificates and the connected private key.

Set up an external database

Trilio allows the use of an external MySQL or MariaDB database.

This database needs to be prepared by creating the empty workloadmgr database, creating the workloadmgr user and setting the right permissions.

An example command to create this database would be:

create database workloadmgr_auto;
CREATE USER 'trilio'@'localhost' IDENTIFIED BY 'password';
GRANT ALL PRIVILEGES ON workloadmgr_auto.* TO 'trilio'@'10.10.10.67' IDENTIFIED BY 'password';

Provide the connection string to the Trilio configurator.

mysql://trilio:password@10.10.10.67/workloadmgr_auto?charset=utf8

The database value can only be set upon an initial configuration of the Trilio solution.

When the Cluster has been configured to use the internal database, then the connection string will not be shown in the next configuration attempt.

In the case of an external database, the connection string will be shown but is immutable.

Define the Trilio service user password

Trilio is using a service user that is located in the OpenStack service project.

The password for this service user will be generated randomly or can be defined in the advanced settings.

Starting the configurator

Once all entries have been set and all validations are error-free the configurator can be started.

Click Finish
Reconfirm in the pop-up that you want to start the configuration
Wait for the configurator to finish

Some elements of the configuration take longer than others. Even when it looks like the configurator is stuck, please wait till the configurator finishes. Should the configurator not be finished after 6 hours have elapsed, please contact Trilio Support for assistance.

The configurator utilizes Ansible and Trilio internal API calls during the configuration process

Following each configuration block or upon completion of the entire configurator process, you have the opportunity to examine the output generated by Ansible.

At the end of a successful configuration, the page will be forwarded to the configured VIP for the Trilio Appliance.

PreviousInstalling on TripleO Train NextApply the Trilio license

Last updated 1 year ago