Chapter 4. Application backup and restore
4.1. OADP features and plugins
OpenShift API for Data Protection (OADP) features provide options for backing up and restoring applications.
The default plugins enable Velero to integrate with certain cloud providers and to back up and restore OpenShift Container Platform resources.
4.1.1. OADP features
OpenShift API for Data Protection (OADP) supports the following features:
- Backup
  You can back up all resources in your cluster or you can filter the resources by type, namespace, or label.
  OADP backs up Kubernetes objects and internal images by saving them as an archive file on object storage. OADP backs up persistent volumes (PVs) by creating snapshots with the native cloud snapshot API or with the Container Storage Interface (CSI). For cloud providers that do not support snapshots, OADP backs up resources and PV data with Restic.
- Restore
  You can restore resources and PVs from a backup. You can restore all objects in a backup or filter the restored objects by namespace, PV, or label.
- Schedule
  You can schedule backups at specified intervals.
- Hooks
  You can use hooks to run commands in a container on a pod, for example, `fsfreeze` to freeze a file system. You can configure a hook to run before or after a backup or restore. Restore hooks can run in an init container or in the application container.
4.1.2. OADP plugins
The OpenShift API for Data Protection (OADP) provides default Velero plugins that are integrated with storage providers to support backup and snapshot operations. You can create custom plugins based on the Velero plugins.
OADP also provides plugins for OpenShift Container Platform resource backups and Container Storage Interface (CSI) snapshots.
| OADP plugin | Function | Storage location |
|---|---|---|
| `aws` | Backs up and restores Kubernetes objects by using object store. | AWS S3 |
| | Backs up and restores volumes by using snapshots. | AWS EBS |
| `azure` | Backs up and restores Kubernetes objects by using object store. | Microsoft Azure Blob storage |
| | Backs up and restores volumes by using snapshots. | Microsoft Azure Managed Disks |
| `gcp` | Backs up and restores Kubernetes objects by using object store. | Google Cloud Storage |
| | Backs up and restores volumes by using snapshots. | Google Compute Engine Disks |
| `openshift` | Backs up and restores OpenShift Container Platform resources by using object store. [1] | Object store |
| `csi` | Backs up and restores volumes by using CSI snapshots. [2] | Cloud storage that supports CSI snapshots |

1. Mandatory.
2. The `csi` plugin uses the Velero CSI beta snapshot API.
4.1.3. About OADP Velero plugins
You can configure two types of plugins when you install Velero:
- Default cloud provider plugins
- Custom plugins
Both types of plugin are optional, but most users configure at least one cloud provider plugin.
4.1.3.1. Default Velero cloud provider plugins
You can install any of the following default Velero cloud provider plugins when you configure the `oadp_v1alpha1_dpa.yaml` file:
- `aws` (Amazon Web Services)
- `gcp` (Google Cloud Platform)
- `azure` (Microsoft Azure)
- `openshift` (OpenShift Velero plugin)
- `csi` (Container Storage Interface)
- `kubevirt` (KubeVirt)
You specify the desired default plugins in the `oadp_v1alpha1_dpa.yaml` file.
Example file
The following `.yaml` file installs the `openshift`, `aws`, `azure`, and `gcp` plugins:
```yaml
apiVersion: oadp.openshift.io/v1alpha1
kind: DataProtectionApplication
metadata:
  name: dpa-sample
spec:
  configuration:
    velero:
      defaultPlugins:
        - openshift
        - aws
        - azure
        - gcp
```
4.1.3.2. Custom Velero plugins
You can install a custom Velero plugin by specifying the plugin `image` and `name` in the `oadp_v1alpha1_dpa.yaml` file.
You specify the desired custom plugins in the `oadp_v1alpha1_dpa.yaml` file.
Example file
The following `.yaml` file installs the default `openshift`, `azure`, and `gcp` plugins and a custom plugin that has the name `custom-plugin-example` and the image `quay.io/example-repo/custom-velero-plugin`:
```yaml
apiVersion: oadp.openshift.io/v1alpha1
kind: DataProtectionApplication
metadata:
  name: dpa-sample
spec:
  configuration:
    velero:
      defaultPlugins:
        - openshift
        - azure
        - gcp
      customPlugins:
        - name: custom-plugin-example
          image: quay.io/example-repo/custom-velero-plugin
```
4.2. Installing and configuring OADP
4.2.1. About installing OADP
As a cluster administrator, you install the OpenShift API for Data Protection (OADP) by installing the OADP Operator. The OADP Operator installs Velero 1.7.
To back up Kubernetes resources and internal images, you must have object storage as a backup location, such as one of the following storage types:
- Amazon Web Services
- Microsoft Azure
- Google Cloud Platform
- Multicloud Object Gateway
- S3-compatible object storage, such as Noobaa or Minio
The
CloudStorage
For more information about the support scope of Red Hat Technology Preview features, see https://access.redhat.com/support/offerings/techpreview/.
You can back up persistent volumes (PVs) by using snapshots or Restic.
To back up PVs with snapshots, you must have a cloud provider that supports either a native snapshot API or Container Storage Interface (CSI) snapshots, such as one of the following cloud providers:
- Amazon Web Services
- Microsoft Azure
- Google Cloud Platform
- CSI snapshot-enabled cloud provider, such as OpenShift Container Storage
If your cloud provider does not support snapshots or if your storage is NFS, you can back up applications with Restic.
You create a
Secret
Additional resources
- Overview of backup locations and snapshot locations in the Velero documentation.
4.2.2. Installing and configuring the OpenShift API for Data Protection with Amazon Web Services
You install the OpenShift API for Data Protection (OADP) with Amazon Web Services (AWS) by installing the OADP Operator, configuring AWS for Velero, and then installing the Data Protection Application.
The
CloudStorage
For more information about the support scope of Red Hat Technology Preview features, see https://access.redhat.com/support/offerings/techpreview/.
To install the OADP Operator in a restricted network environment, you must first disable the default OperatorHub sources and mirror the Operator catalog. See Using Operator Lifecycle Manager on restricted networks for details.
4.2.2.1. Installing the OADP Operator
You install the OpenShift API for Data Protection (OADP) Operator on OpenShift Container Platform 4.8 by using Operator Lifecycle Manager (OLM).
The OADP Operator installs Velero 1.7.
Prerequisites
- You must be logged in as a user with `cluster-admin` privileges.
Procedure
- In the OpenShift Container Platform web console, click Operators → OperatorHub.
- Use the Filter by keyword field to find the OADP Operator.
- Select the OADP Operator and click Install.
- Click Install to install the Operator in the `openshift-adp` project.
- Click Operators → Installed Operators to verify the installation.
4.2.2.2. Configuring Amazon Web Services S3
You can configure an Amazon Web Services (AWS) S3 storage bucket as a replication repository for the Migration Toolkit for Containers (MTC).
Prerequisites
- The AWS S3 storage bucket must be accessible to the source and target clusters.
- You must have the AWS CLI installed.
If you are using the snapshot copy method:
- You must have access to EC2 Elastic Block Storage (EBS).
- The source and target clusters must be in the same region.
- The source and target clusters must have the same storage class.
- The storage class must be compatible with snapshots.
Procedure
- Create an AWS S3 bucket:
```
$ aws s3api create-bucket \
    --bucket <bucket> \
    --region <bucket_region>
```
- Create the IAM user `velero`:
```
$ aws iam create-user --user-name velero
```
- Create an EC2 EBS snapshot policy:
```
$ cat > velero-ec2-snapshot-policy.json <<EOF
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeVolumes",
                "ec2:DescribeSnapshots",
                "ec2:CreateTags",
                "ec2:CreateVolume",
                "ec2:CreateSnapshot",
                "ec2:DeleteSnapshot"
            ],
            "Resource": "*"
        }
    ]
}
EOF
```
- Create an AWS S3 access policy for one or for all S3 buckets:
```
$ cat > velero-s3-policy.json <<EOF
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:DeleteObject",
                "s3:PutObject",
                "s3:AbortMultipartUpload",
                "s3:ListMultipartUploadParts"
            ],
            "Resource": [
                "arn:aws:s3:::<bucket>/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketLocation",
                "s3:ListBucketMultipartUploads"
            ],
            "Resource": [
                "arn:aws:s3:::<bucket>"
            ]
        }
    ]
}
EOF
```
Example output
```
"Resource": [
    "arn:aws:s3:::*"
```
- Attach the EC2 EBS policy to `velero`:
```
$ aws iam put-user-policy \
    --user-name velero \
    --policy-name velero-ebs \
    --policy-document file://velero-ec2-snapshot-policy.json
```
- Attach the AWS S3 policy to `velero`:
```
$ aws iam put-user-policy \
    --user-name velero \
    --policy-name velero-s3 \
    --policy-document file://velero-s3-policy.json
```
- Create an access key for `velero`:
```
$ aws iam create-access-key --user-name velero
{
  "AccessKey": {
        "UserName": "velero",
        "Status": "Active",
        "CreateDate": "2017-07-31T22:24:41.576Z",
        "SecretAccessKey": <AWS_SECRET_ACCESS_KEY>,
        "AccessKeyId": <AWS_ACCESS_KEY_ID>
  }
}
```
- Create a `credentials-velero` file:
```
$ cat << EOF > ./credentials-velero
[default]
aws_access_key_id=<AWS_ACCESS_KEY_ID>
aws_secret_access_key=<AWS_SECRET_ACCESS_KEY>
EOF
```
You use the `credentials-velero` file to create a `Secret` object for AWS before you install the Data Protection Application.
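The S3 policy above can be scoped to one bucket or, with `arn:aws:s3:::*`, to every bucket in the account. The following added example (not part of the Red Hat documentation) checks a policy document before it is attached to the `velero` user: it flags actions outside the documented lists and S3 resources wider than the backup bucket. The function name, the bucket name and the sample policies are assumptions constructed for the illustration.

```python
import json

# Action sets copied from the two policy files in the procedure above.
EC2_ACTIONS = {
    "ec2:DescribeVolumes", "ec2:DescribeSnapshots", "ec2:CreateTags",
    "ec2:CreateVolume", "ec2:CreateSnapshot", "ec2:DeleteSnapshot",
}
S3_OBJECT_ACTIONS = {
    "s3:GetObject", "s3:DeleteObject", "s3:PutObject",
    "s3:AbortMultipartUpload", "s3:ListMultipartUploadParts",
}
S3_BUCKET_ACTIONS = {
    "s3:ListBucket", "s3:GetBucketLocation", "s3:ListBucketMultipartUploads",
}
DOCUMENTED = EC2_ACTIONS | S3_OBJECT_ACTIONS | S3_BUCKET_ACTIONS


def _as_list(value):
    """IAM accepts a bare string or object wherever a list is allowed."""
    return list(value) if isinstance(value, list) else [value]


def lint_velero_policy(policy, bucket):
    """Return findings for one IAM policy document (hypothetical helper)."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        for action in actions:
            if "*" in action:
                findings.append(f"statement {idx}: wildcard action {action}")
            elif action not in DOCUMENTED:
                findings.append(f"statement {idx}: undocumented action {action}")
        s3_actions = [a for a in actions if a.startswith("s3:")]
        if not s3_actions:
            continue  # the EC2 snapshot policy on the page uses Resource "*"
        # Object-level actions apply to <bucket>/*, bucket-level ones to <bucket>.
        expected = set()
        if any(a in S3_OBJECT_ACTIONS for a in s3_actions):
            expected.add(f"arn:aws:s3:::{bucket}/*")
        if any(a in S3_BUCKET_ACTIONS for a in s3_actions):
            expected.add(f"arn:aws:s3:::{bucket}")
        for resource in _as_list(stmt.get("Resource", [])):
            if resource not in expected:
                findings.append(
                    f"statement {idx}: resource {resource} is not limited "
                    f"to bucket {bucket}"
                )
    return findings


# Constructed sample input: the page's S3 policy with its <bucket> placeholder.
S3_TEMPLATE = """
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:GetObject", "s3:DeleteObject", "s3:PutObject",
                "s3:AbortMultipartUpload", "s3:ListMultipartUploadParts"],
     "Resource": ["arn:aws:s3:::<bucket>/*"]},
    {"Effect": "Allow",
     "Action": ["s3:ListBucket", "s3:GetBucketLocation",
                "s3:ListBucketMultipartUploads"],
     "Resource": ["arn:aws:s3:::<bucket>"]}
  ]
}
"""
BUCKET = "velero-backups-example"  # constructed bucket name
SCOPED = json.loads(S3_TEMPLATE.replace("<bucket>", BUCKET))
# The "all S3 buckets" variant: every resource becomes arn:aws:s3:::*
ALL_BUCKETS = json.loads(
    S3_TEMPLATE.replace("<bucket>/*", "*").replace("<bucket>", "*")
)
# Constructed over-broad policy with a single, non-list statement.
TOO_BROAD = {"Statement": {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}}

if __name__ == "__main__":
    for name, doc in (("scoped", SCOPED), ("all buckets", ALL_BUCKETS),
                      ("too broad", TOO_BROAD)):
        print(name, lint_velero_policy(doc, BUCKET) or "ok")
```

Run the same function over `velero-s3-policy.json` and `velero-ec2-snapshot-policy.json` after loading them with `json.load`.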
4.2.2.3. Creating a secret for backup and snapshot locations
You create a
Secret
The default name of the `Secret` is `cloud-credentials`.
Prerequisites
- Your object storage and cloud storage must use the same credentials.
- You must configure object storage for Velero.
- You must create a `credentials-velero` file for the object storage in the appropriate format.
Note
The `DataProtectionApplication` custom resource (CR) requires a `Secret` for installation. If no `spec.backupLocations.credential.name` value is specified, the default name is used.
If you do not want to specify the backup locations or the snapshot locations, you must create a `Secret` with the default name by using an empty `credentials-velero` file.
Procedure
- Create a `Secret` with the default name:
```
$ oc create secret generic cloud-credentials -n openshift-adp --from-file cloud=credentials-velero
```
The
Secret
spec.backupLocations.credential
DataProtectionApplication
4.2.2.3.1. Configuring secrets for different backup and snapshot location credentials
If your backup and snapshot locations use different credentials, you create separate profiles in the `credentials-velero` file.
Then, you create a `Secret` object and add the profiles to the `DataProtectionApplication` CR.
Procedure
- Create a `credentials-velero` file with separate profiles for the backup and snapshot locations, as in the following example:
```
[backupStorage]
aws_access_key_id=<AWS_ACCESS_KEY_ID>
aws_secret_access_key=<AWS_SECRET_ACCESS_KEY>

[volumeSnapshot]
aws_access_key_id=<AWS_ACCESS_KEY_ID>
aws_secret_access_key=<AWS_SECRET_ACCESS_KEY>
```
- Create a `Secret` object with the `credentials-velero` file:
```
$ oc create secret generic cloud-credentials -n openshift-adp --from-file cloud=credentials-velero
```
- Add the profiles to the `DataProtectionApplication` CR, as in the following example:
```yaml
apiVersion: oadp.openshift.io/v1alpha1
kind: DataProtectionApplication
metadata:
  name: <dpa_sample>
  namespace: openshift-adp
spec:
...
  backupLocations:
    - name: default
      velero:
        provider: aws
        default: true
        objectStorage:
          bucket: <bucket_name>
          prefix: <prefix>
        config:
          region: us-east-1
          profile: "backupStorage"
        credential:
          key: cloud
          name: cloud-credentials
  snapshotLocations:
    - name: default
      velero:
        provider: aws
        config:
          region: us-west-2
          profile: "volumeSnapshot"
```
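The profile names in `credentials-velero` and the `profile` values in the CR must match exactly. The following added example (not part of the Red Hat documentation) compares the two before the `Secret` is created and reports missing profiles, unfilled placeholders and profiles that share one key, without ever printing a credential value. The function name, location labels and sample key values are assumptions constructed for the illustration.

```python
import configparser

REQUIRED_KEYS = ("aws_access_key_id", "aws_secret_access_key")


def check_credentials(credentials_text, dpa_profiles):
    """Compare a credentials-velero file with the profiles a DPA CR references.

    dpa_profiles maps a location label to the value of its config.profile
    field. Returns a list of findings; an empty list means the two agree.
    """
    # interpolation=None: a '%' inside a secret must not be treated as syntax.
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(credentials_text)
    findings = []
    key_ids = []
    for location, profile in dpa_profiles.items():
        if not parser.has_section(profile):  # section names are case-sensitive
            findings.append(f"{location}: profile [{profile}] is missing")
            continue
        for key in REQUIRED_KEYS:
            value = parser.get(profile, key, fallback="").strip()
            if not value:
                findings.append(f"{location}: [{profile}] has no {key}")
            elif value.startswith("<") and value.endswith(">"):
                findings.append(f"{location}: [{profile}] {key} is a placeholder")
        key_id = parser.get(profile, "aws_access_key_id", fallback="").strip()
        if key_id:
            key_ids.append(key_id)
    # Separate profiles are only useful if they hold different credentials.
    if len(set(key_ids)) < len(key_ids):
        findings.append("profiles share one access key ID")
    for name in sorted(set(parser.sections()) - set(dpa_profiles.values())):
        findings.append(f"profile [{name}] is not referenced by the CR")
    return findings


# Profiles referenced by the DataProtectionApplication example above.
DPA_PROFILES = {
    "backupLocations/default": "backupStorage",
    "snapshotLocations/default": "volumeSnapshot",
}

# Constructed sample files; the key values are made up.
GOOD = """
[backupStorage]
aws_access_key_id=EXAMPLE-BACKUP-KEY-ID
aws_secret_access_key=example-backup-secret

[volumeSnapshot]
aws_access_key_id=EXAMPLE-SNAPSHOT-KEY-ID
aws_secret_access_key=example-snapshot-secret
"""

# Placeholders left in place and a profile name with the wrong case.
BAD = """
[backupStorage]
aws_access_key_id=<AWS_ACCESS_KEY_ID>
aws_secret_access_key=<AWS_SECRET_ACCESS_KEY>

[volumesnapshot]
aws_access_key_id=EXAMPLE-SNAPSHOT-KEY-ID
aws_secret_access_key=example-snapshot-secret
"""

# Both profiles carry the same key pair.
SHARED = GOOD.replace("SNAPSHOT", "BACKUP").replace("snapshot-secret", "backup-secret")

if __name__ == "__main__":
    for name, text in (("good", GOOD), ("bad", BAD), ("shared", SHARED)):
        print(name, check_credentials(text, DPA_PROFILES) or "ok")
```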
4.2.2.4. Configuring the Data Protection Application
You can configure Velero resource allocations and enable self-signed CA certificates.
4.2.2.4.1. Setting Velero CPU and memory resource allocations
You set the CPU and memory resource allocations for the `Velero` pod by editing the `DataProtectionApplication` CR manifest.
Prerequisites
- You must have the OpenShift API for Data Protection (OADP) Operator installed.
Procedure
- Edit the values in the `spec.configuration.velero.podConfig.resourceAllocations` block of the `DataProtectionApplication` CR manifest, as in the following example:
```yaml
apiVersion: oadp.openshift.io/v1alpha1
kind: DataProtectionApplication
metadata:
  name: <dpa_sample>
spec:
...
  configuration:
    velero:
      podConfig:
        resourceAllocations:
          limits:
            cpu: "1"
            memory: 512Mi
          requests:
            cpu: 500m
            memory: 256Mi
```
4.2.2.4.2. Enabling self-signed CA certificates
You must enable a self-signed CA certificate for object storage by editing the `DataProtectionApplication` CR manifest to prevent a `certificate signed by unknown authority` error.
Prerequisites
- You must have the OpenShift API for Data Protection (OADP) Operator installed.
Procedure
- Edit the `spec.backupLocations.velero.objectStorage.caCert` parameter and `spec.backupLocations.velero.config` parameters of the `DataProtectionApplication` CR manifest:
```yaml
apiVersion: oadp.openshift.io/v1alpha1
kind: DataProtectionApplication
metadata:
  name: <dpa_sample>
spec:
...
  backupLocations:
    - name: default
      velero:
        provider: aws
        default: true
        objectStorage:
          bucket: <bucket>
          prefix: <prefix>
          caCert: <base64_encoded_cert_string>
        config:
          insecureSkipTLSVerify: "false"
...
```
4.2.2.5. Installing the Data Protection Application
You install the Data Protection Application (DPA) by creating an instance of the `DataProtectionApplication` API.
Prerequisites
- You must install the OADP Operator.
- You must configure object storage as a backup location.
- If you use snapshots to back up PVs, your cloud provider must support either a native snapshot API or Container Storage Interface (CSI) snapshots.
- If the backup and snapshot locations use the same credentials, you must create a `Secret` with the default name, `cloud-credentials`.
- If the backup and snapshot locations use different credentials, you must create a `Secret` with the default name, `cloud-credentials`, which contains separate profiles for the backup and snapshot location credentials.
Note
If you do not want to specify backup or snapshot locations during the installation, you can create a default `Secret` with an empty `credentials-velero` file. If there is no default `Secret`, the installation will fail.
Procedure
- Click Operators → Installed Operators and select the OADP Operator.
- Under Provided APIs, click Create instance in the DataProtectionApplication box.
- Click YAML View and update the parameters of the `DataProtectionApplication` manifest:
```yaml
apiVersion: oadp.openshift.io/v1alpha1
kind: DataProtectionApplication
metadata:
  name: <dpa_sample>
  namespace: openshift-adp
spec:
  configuration:
    velero:
      defaultPlugins:
        - openshift # 1
        - aws
    restic:
      enable: true # 2
  backupLocations:
    - name: default
      velero:
        provider: aws
        default: true
        objectStorage:
          bucket: <bucket_name> # 3
          prefix: <prefix> # 4
        config:
          region: <region>
          profile: "default"
        credential:
          key: cloud
          name: cloud-credentials # 5
  snapshotLocations: # 6
    - name: default
      velero:
        provider: aws
        config:
          region: <region> # 7
          profile: "default"
```
  1. The `openshift` plugin is mandatory in order to back up and restore namespaces on an OpenShift Container Platform cluster.
  2. Set to `false` if you want to disable the Restic installation. Restic deploys a daemon set, which means that each worker node has `Restic` pods running. You configure Restic for backups by adding `spec.defaultVolumesToRestic: true` to the `Backup` CR.
  3. Specify a bucket as the backup storage location. If the bucket is not a dedicated bucket for Velero backups, you must specify a prefix.
  4. Specify a prefix for Velero backups, for example, `velero`, if the bucket is used for multiple purposes.
  5. Specify the name of the `Secret` object that you created. If you do not specify this value, the default name, `cloud-credentials`, is used. If you specify a custom name, the custom name is used for the backup location.
  6. You do not need to specify a snapshot location if you use CSI snapshots or Restic to back up PVs.
  7. The snapshot location must be in the same region as the PVs.
- Click Create.
- Verify the installation by viewing the OADP resources:
```
$ oc get all -n openshift-adp
```
Example output
```
NAME                                                     READY   STATUS    RESTARTS   AGE
pod/oadp-operator-controller-manager-67d9494d47-6l8z8    2/2     Running   0          2m8s
pod/oadp-velero-sample-1-aws-registry-5d6968cbdd-d5w9k   1/1     Running   0          95s
pod/restic-9cq4q                                         1/1     Running   0          94s
pod/restic-m4lts                                         1/1     Running   0          94s
pod/restic-pv4kr                                         1/1     Running   0          95s
pod/velero-588db7f655-n842v                              1/1     Running   0          95s

NAME                                                       TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)    AGE
service/oadp-operator-controller-manager-metrics-service   ClusterIP   172.30.70.140    <none>        8443/TCP   2m8s
service/oadp-velero-sample-1-aws-registry-svc              ClusterIP   172.30.130.230   <none>        5000/TCP   95s

NAME                    DESIRED   CURRENT   READY   UP-TO-DATE   AVAILABLE   NODE SELECTOR   AGE
daemonset.apps/restic   3         3         3       3            3           <none>          96s

NAME                                                READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/oadp-operator-controller-manager    1/1     1            1           2m9s
deployment.apps/oadp-velero-sample-1-aws-registry   1/1     1            1           96s
deployment.apps/velero                              1/1     1            1           96s

NAME                                                           DESIRED   CURRENT   READY   AGE
replicaset.apps/oadp-operator-controller-manager-67d9494d47    1         1         1       2m9s
replicaset.apps/oadp-velero-sample-1-aws-registry-5d6968cbdd   1         1         1       96s
replicaset.apps/velero-588db7f655                              1         1         1       96s
```
4.2.2.5.1. Enabling CSI in the DataProtectionApplication CR
You enable the Container Storage Interface (CSI) in the `DataProtectionApplication` CR.
Prerequisites
- The cloud provider must support CSI snapshots.
Procedure
- Edit the `DataProtectionApplication` CR, as in the following example:
```yaml
apiVersion: oadp.openshift.io/v1alpha1
kind: DataProtectionApplication
...
spec:
  configuration:
    velero:
      defaultPlugins:
        - openshift
        - csi
      featureFlags:
        - EnableCSI
```
4.2.3. Installing and configuring the OpenShift API for Data Protection with Microsoft Azure
You install the OpenShift API for Data Protection (OADP) with Microsoft Azure by installing the OADP Operator, configuring Azure for Velero, and then installing the Data Protection Application.
The
CloudStorage
For more information about the support scope of Red Hat Technology Preview features, see https://access.redhat.com/support/offerings/techpreview/.
To install the OADP Operator in a restricted network environment, you must first disable the default OperatorHub sources and mirror the Operator catalog. See Using Operator Lifecycle Manager on restricted networks for details.
4.2.3.1. Installing the OADP Operator
You install the OpenShift API for Data Protection (OADP) Operator on OpenShift Container Platform 4.8 by using Operator Lifecycle Manager (OLM).
The OADP Operator installs Velero 1.7.
Prerequisites
- You must be logged in as a user with `cluster-admin` privileges.
Procedure
- In the OpenShift Container Platform web console, click Operators → OperatorHub.
- Use the Filter by keyword field to find the OADP Operator.
- Select the OADP Operator and click Install.
- Click Install to install the Operator in the `openshift-adp` project.
- Click Operators → Installed Operators to verify the installation.
4.2.3.2. Configuring Microsoft Azure Blob
You can configure a Microsoft Azure Blob storage container as a replication repository for the Migration Toolkit for Containers (MTC).
Prerequisites
- You must have an Azure storage account.
- You must have the Azure CLI installed.
- The Azure Blob storage container must be accessible to the source and target clusters.
If you are using the snapshot copy method:
- The source and target clusters must be in the same region.
- The source and target clusters must have the same storage class.
- The storage class must be compatible with snapshots.
Procedure
- Set the `AZURE_RESOURCE_GROUP` variable:
```
$ AZURE_RESOURCE_GROUP=Velero_Backups
```
- Create an Azure resource group:
```
$ az group create -n $AZURE_RESOURCE_GROUP --location <CentralUS> # 1
```
  1. Specify your location.
- Set the `AZURE_STORAGE_ACCOUNT_ID` variable:
```
$ AZURE_STORAGE_ACCOUNT_ID=velerobackups
```
- Create an Azure storage account:
```
$ az storage account create \
    --name $AZURE_STORAGE_ACCOUNT_ID \
    --resource-group $AZURE_RESOURCE_GROUP \
    --sku Standard_GRS \
    --encryption-services blob \
    --https-only true \
    --kind BlobStorage \
    --access-tier Hot
```
- Set the `BLOB_CONTAINER` variable:
```
$ BLOB_CONTAINER=velero
```
- Create an Azure Blob storage container:
```
$ az storage container create \
    -n $BLOB_CONTAINER \
    --public-access off \
    --account-name $AZURE_STORAGE_ACCOUNT_ID
```
- Obtain the storage account access key:
```
$ AZURE_STORAGE_ACCOUNT_ACCESS_KEY=`az storage account keys list \
    --account-name $AZURE_STORAGE_ACCOUNT_ID \
    --query "[?keyName == 'key1'].value" -o tsv`
```
- Create a `credentials-velero` file:
```
$ cat << EOF > ./credentials-velero
AZURE_SUBSCRIPTION_ID=${AZURE_SUBSCRIPTION_ID}
AZURE_TENANT_ID=${AZURE_TENANT_ID}
AZURE_CLIENT_ID=${AZURE_CLIENT_ID}
AZURE_CLIENT_SECRET=${AZURE_CLIENT_SECRET}
AZURE_RESOURCE_GROUP=${AZURE_RESOURCE_GROUP}
AZURE_STORAGE_ACCOUNT_ACCESS_KEY=${AZURE_STORAGE_ACCOUNT_ACCESS_KEY}
AZURE_CLOUD_NAME=AzurePublicCloud
EOF
```
  `AZURE_STORAGE_ACCOUNT_ACCESS_KEY`: Mandatory. You cannot back up internal images if the `credentials-velero` file contains only the service principal credentials.
You use the `credentials-velero` file to create a `Secret` object for Azure before you install the Data Protection Application.
4.2.3.3. Creating a secret for backup and snapshot locations
You create a
Secret
The default name of the `Secret` is `cloud-credentials-azure`.
Prerequisites
- Your object storage and cloud storage must use the same credentials.
- You must configure object storage for Velero.
- You must create a `credentials-velero` file for the object storage in the appropriate format.
Note
The `DataProtectionApplication` custom resource (CR) requires a `Secret` for installation. If no `spec.backupLocations.credential.name` value is specified, the default name is used.
If you do not want to specify the backup locations or the snapshot locations, you must create a `Secret` with the default name by using an empty `credentials-velero` file.
Procedure
- Create a `Secret` with the default name:
```
$ oc create secret generic cloud-credentials-azure -n openshift-adp --from-file cloud=credentials-velero
```
The
Secret
spec.backupLocations.credential
DataProtectionApplication
4.2.3.3.1. Configuring secrets for different backup and snapshot location credentials
If your backup and snapshot locations use different credentials, you create two `Secret` objects:
- Backup location `Secret` with a custom name. The custom name is specified in the `spec.backupLocations` block of the `DataProtectionApplication` custom resource (CR).
- Snapshot location `Secret` with the default name, `cloud-credentials-azure`. This `Secret` is not specified in the `DataProtectionApplication` CR.
Procedure
- Create a `credentials-velero` file for the snapshot location in the appropriate format for your cloud provider.
- Create a `Secret` for the snapshot location with the default name:
```
$ oc create secret generic cloud-credentials-azure -n openshift-adp --from-file cloud=credentials-velero
```
- Create a `credentials-velero` file for the backup location in the appropriate format for your object storage.
- Create a `Secret` for the backup location with a custom name:
```
$ oc create secret generic <custom_secret> -n openshift-adp --from-file cloud=credentials-velero
```
- Add the `Secret` with the custom name to the `DataProtectionApplication` CR, as in the following example:
```yaml
apiVersion: oadp.openshift.io/v1alpha1
kind: DataProtectionApplication
metadata:
  name: <dpa_sample>
  namespace: openshift-adp
spec:
...
  backupLocations:
    - velero:
        config:
          resourceGroup: <azure_resource_group>
          storageAccount: <azure_storage_account_id>
          subscriptionId: <azure_subscription_id>
          storageAccountKeyEnvVar: AZURE_STORAGE_ACCOUNT_ACCESS_KEY
        credential:
          key: cloud
          name: <custom_secret> # 1
        provider: azure
        default: true
        objectStorage:
          bucket: <bucket_name>
          prefix: <prefix>
  snapshotLocations:
    - velero:
        config:
          resourceGroup: <azure_resource_group>
          subscriptionId: <azure_subscription_id>
          incremental: "true"
        name: default
        provider: azure
```
  1. Backup location `Secret` with custom name.
4.2.3.4. Configuring the Data Protection Application
You can configure Velero resource allocations and enable self-signed CA certificates.
4.2.3.4.1. Setting Velero CPU and memory resource allocations
You set the CPU and memory resource allocations for the `Velero` pod by editing the `DataProtectionApplication` CR manifest.
Prerequisites
- You must have the OpenShift API for Data Protection (OADP) Operator installed.
Procedure
- Edit the values in the `spec.configuration.velero.podConfig.resourceAllocations` block of the `DataProtectionApplication` CR manifest, as in the following example:
```yaml
apiVersion: oadp.openshift.io/v1alpha1
kind: DataProtectionApplication
metadata:
  name: <dpa_sample>
spec:
...
  configuration:
    velero:
      podConfig:
        resourceAllocations:
          limits:
            cpu: "1"
            memory: 512Mi
          requests:
            cpu: 500m
            memory: 256Mi
```
4.2.3.4.2. Enabling self-signed CA certificates
You must enable a self-signed CA certificate for object storage by editing the `DataProtectionApplication` CR manifest to prevent a `certificate signed by unknown authority` error.
Prerequisites
- You must have the OpenShift API for Data Protection (OADP) Operator installed.
Procedure
- Edit the `spec.backupLocations.velero.objectStorage.caCert` parameter and `spec.backupLocations.velero.config` parameters of the `DataProtectionApplication` CR manifest:
```yaml
apiVersion: oadp.openshift.io/v1alpha1
kind: DataProtectionApplication
metadata:
  name: <dpa_sample>
spec:
...
  backupLocations:
    - name: default
      velero:
        provider: aws
        default: true
        objectStorage:
          bucket: <bucket>
          prefix: <prefix>
          caCert: <base64_encoded_cert_string>
        config:
          insecureSkipTLSVerify: "false"
...
```
4.2.3.5. Installing the Data Protection Application
You install the Data Protection Application (DPA) by creating an instance of the `DataProtectionApplication` API.
Prerequisites
- You must install the OADP Operator.
- You must configure object storage as a backup location.
- If you use snapshots to back up PVs, your cloud provider must support either a native snapshot API or Container Storage Interface (CSI) snapshots.
- If the backup and snapshot locations use the same credentials, you must create a `Secret` with the default name, `cloud-credentials-azure`.
- If the backup and snapshot locations use different credentials, you must create two `Secrets`:
  - `Secret` with a custom name for the backup location. You add this `Secret` to the `DataProtectionApplication` CR.
  - `Secret` with the default name, `cloud-credentials-azure`, for the snapshot location. This `Secret` is not referenced in the `DataProtectionApplication` CR.
Note
If you do not want to specify backup or snapshot locations during the installation, you can create a default `Secret` with an empty `credentials-velero` file. If there is no default `Secret`, the installation will fail.
Procedure
- Click Operators → Installed Operators and select the OADP Operator.
- Under Provided APIs, click Create instance in the DataProtectionApplication box.
- Click YAML View and update the parameters of the `DataProtectionApplication` manifest:
```yaml
apiVersion: oadp.openshift.io/v1alpha1
kind: DataProtectionApplication
metadata:
  name: <dpa_sample>
  namespace: openshift-adp
spec:
  configuration:
    velero:
      defaultPlugins:
        - azure
        - openshift # 1
    restic:
      enable: true # 2
  backupLocations:
    - velero:
        config:
          resourceGroup: <azure_resource_group> # 3
          storageAccount: <azure_storage_account_id> # 4
          subscriptionId: <azure_subscription_id> # 5
          storageAccountKeyEnvVar: AZURE_STORAGE_ACCOUNT_ACCESS_KEY
        credential:
          key: cloud
          name: cloud-credentials-azure # 6
        provider: azure
        default: true
        objectStorage:
          bucket: <bucket_name> # 7
          prefix: <prefix> # 8
  snapshotLocations: # 9
    - velero:
        config:
          resourceGroup: <azure_resource_group>
          subscriptionId: <azure_subscription_id>
          incremental: "true"
        name: default
        provider: azure
```
  1. The `openshift` plugin is mandatory in order to back up and restore namespaces on an OpenShift Container Platform cluster.
  2. Set to `false` if you want to disable the Restic installation. Restic deploys a daemon set, which means that each worker node has `Restic` pods running. You configure Restic for backups by adding `spec.defaultVolumesToRestic: true` to the `Backup` CR.
  3. Specify the Azure resource group.
  4. Specify the Azure storage account ID.
  5. Specify the Azure subscription ID.
  6. If you do not specify this value, the default name, `cloud-credentials-azure`, is used. If you specify a custom name, the custom name is used for the backup location.
  7. Specify a bucket as the backup storage location. If the bucket is not a dedicated bucket for Velero backups, you must specify a prefix.
  8. Specify a prefix for Velero backups, for example, `velero`, if the bucket is used for multiple purposes.
  9. You do not need to specify a snapshot location if you use CSI snapshots or Restic to back up PVs.
- Click Create.
- Verify the installation by viewing the OADP resources:
```
$ oc get all -n openshift-adp
```
Example output
```
NAME                                                     READY   STATUS    RESTARTS   AGE
pod/oadp-operator-controller-manager-67d9494d47-6l8z8    2/2     Running   0          2m8s
pod/oadp-velero-sample-1-aws-registry-5d6968cbdd-d5w9k   1/1     Running   0          95s
pod/restic-9cq4q                                         1/1     Running   0          94s
pod/restic-m4lts                                         1/1     Running   0          94s
pod/restic-pv4kr                                         1/1     Running   0          95s
pod/velero-588db7f655-n842v                              1/1     Running   0          95s

NAME                                                       TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)    AGE
service/oadp-operator-controller-manager-metrics-service   ClusterIP   172.30.70.140    <none>        8443/TCP   2m8s
service/oadp-velero-sample-1-aws-registry-svc              ClusterIP   172.30.130.230   <none>        5000/TCP   95s

NAME                    DESIRED   CURRENT   READY   UP-TO-DATE   AVAILABLE   NODE SELECTOR   AGE
daemonset.apps/restic   3         3         3       3            3           <none>          96s

NAME                                                READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/oadp-operator-controller-manager    1/1     1            1           2m9s
deployment.apps/oadp-velero-sample-1-aws-registry   1/1     1            1           96s
deployment.apps/velero                              1/1     1            1           96s

NAME                                                           DESIRED   CURRENT   READY   AGE
replicaset.apps/oadp-operator-controller-manager-67d9494d47    1         1         1       2m9s
replicaset.apps/oadp-velero-sample-1-aws-registry-5d6968cbdd   1         1         1       96s
replicaset.apps/velero-588db7f655                              1         1         1       96s
```
4.2.3.5.1. Enabling CSI in the DataProtectionApplication CR
You enable the Container Storage Interface (CSI) in the `DataProtectionApplication` CR.
Prerequisites
- The cloud provider must support CSI snapshots.
Procedure
- Edit the `DataProtectionApplication` CR, as in the following example:
```yaml
apiVersion: oadp.openshift.io/v1alpha1
kind: DataProtectionApplication
...
spec:
  configuration:
    velero:
      defaultPlugins:
        - openshift
        - csi
      featureFlags:
        - EnableCSI
```
4.2.4. Installing and configuring the OpenShift API for Data Protection with Google Cloud Platform
You install the OpenShift API for Data Protection (OADP) with Google Cloud Platform (GCP) by installing the OADP Operator, configuring GCP for Velero, and then installing the Data Protection Application.
The
CloudStorage
For more information about the support scope of Red Hat Technology Preview features, see https://access.redhat.com/support/offerings/techpreview/.
To install the OADP Operator in a restricted network environment, you must first disable the default OperatorHub sources and mirror the Operator catalog. See Using Operator Lifecycle Manager on restricted networks for details.
4.2.4.1. Installing the OADP Operator
You install the OpenShift API for Data Protection (OADP) Operator on OpenShift Container Platform 4.8 by using Operator Lifecycle Manager (OLM).
The OADP Operator installs Velero 1.7.
Prerequisites
- You must be logged in as a user with `cluster-admin` privileges.
Procedure
- In the OpenShift Container Platform web console, click Operators → OperatorHub.
- Use the Filter by keyword field to find the OADP Operator.
- Select the OADP Operator and click Install.
- Click Install to install the Operator in the `openshift-adp` project.
- Click Operators → Installed Operators to verify the installation.
4.2.4.2. Configuring Google Cloud Platform
You can configure a Google Cloud Platform (GCP) storage bucket as a replication repository for the Migration Toolkit for Containers (MTC).
Prerequisites
- The GCP storage bucket must be accessible to the source and target clusters.
- You must have `gsutil` installed.
- If you are using the snapshot copy method:
  - The source and target clusters must be in the same region.
  - The source and target clusters must have the same storage class.
  - The storage class must be compatible with snapshots.
Procedure
- Log in to `gsutil`:
```
$ gsutil init
```
Example output
```
Welcome! This command will take you through the configuration of gcloud.

Your current configuration has been set to: [default]

To continue, you must login. Would you like to login (Y/n)?
```
- Set the `BUCKET` variable:
```
$ BUCKET=<bucket>
```
`<bucket>`: Specify your bucket name.
- Create a storage bucket:
```
$ gsutil mb gs://$BUCKET/
```
- Set the `PROJECT_ID` variable to your active project:
```
$ PROJECT_ID=`gcloud config get-value project`
```
- Create a `velero` IAM service account:
```
$ gcloud iam service-accounts create velero \
    --display-name "Velero Storage"
```
- Create the `SERVICE_ACCOUNT_EMAIL` variable:
```
$ SERVICE_ACCOUNT_EMAIL=`gcloud iam service-accounts list \
    --filter="displayName:Velero Storage" \
    --format 'value(email)'`
```
- Create the `ROLE_PERMISSIONS` variable:
```
$ ROLE_PERMISSIONS=(
    compute.disks.get
    compute.disks.create
    compute.disks.createSnapshot
    compute.snapshots.get
    compute.snapshots.create
    compute.snapshots.useReadOnly
    compute.snapshots.delete
    compute.zones.get
)
```
- Create the `velero.server` custom role:
```
$ gcloud iam roles create velero.server \
    --project $PROJECT_ID \
    --title "Velero Server" \
    --permissions "$(IFS=","; echo "${ROLE_PERMISSIONS[*]}")"
```
- Add IAM policy binding to the project:
```
$ gcloud projects add-iam-policy-binding $PROJECT_ID \
    --member serviceAccount:$SERVICE_ACCOUNT_EMAIL \
    --role projects/$PROJECT_ID/roles/velero.server
```
- Update the IAM service account:
```
$ gsutil iam ch serviceAccount:$SERVICE_ACCOUNT_EMAIL:objectAdmin gs://${BUCKET}
```
- Save the IAM service account keys to the `credentials-velero` file in the current directory:
```
$ gcloud iam service-accounts keys create credentials-velero \
    --iam-account $SERVICE_ACCOUNT_EMAIL
```
You use the `credentials-velero` file to create a `Secret` object for GCP before you install the Data Protection Application.
4.2.4.3. Creating a secret for backup and snapshot locations
You create a
Secret
The default name of the `Secret` is `cloud-credentials-gcp`.
Prerequisites
- Your object storage and cloud storage must use the same credentials.
- You must configure object storage for Velero.
- You must create a `credentials-velero` file for the object storage in the appropriate format.
Procedure
- Create a `Secret` with the default name:
```
$ oc create secret generic cloud-credentials-gcp -n openshift-adp --from-file cloud=credentials-velero
```
The
Secret
spec.backupLocations.credential
DataProtectionApplication
4.2.4.3.1. Configuring secrets for different backup and snapshot location credentials
If your backup and snapshot locations use different credentials, you create two `Secret` objects:
- Backup location `Secret` with a custom name. The custom name is specified in the `spec.backupLocations` block of the `DataProtectionApplication` custom resource (CR).
- Snapshot location `Secret` with the default name, `cloud-credentials-gcp`. This `Secret` is not specified in the `DataProtectionApplication` CR.
Procedure
- Create a `credentials-velero` file for the snapshot location in the appropriate format for your cloud provider.
- Create a `Secret` for the snapshot location with the default name:
```
$ oc create secret generic cloud-credentials-gcp -n openshift-adp --from-file cloud=credentials-velero
```
- Create a `credentials-velero` file for the backup location in the appropriate format for your object storage.
- Create a `Secret` for the backup location with a custom name:
```
$ oc create secret generic <custom_secret> -n openshift-adp --from-file cloud=credentials-velero
```
- Add the `Secret` with the custom name to the `DataProtectionApplication` CR, as in the following example:
```yaml
apiVersion: oadp.openshift.io/v1alpha1
kind: DataProtectionApplication
metadata:
  name: <dpa_sample>
  namespace: openshift-adp
spec:
...
  backupLocations:
    - velero:
        provider: gcp
        default: true
        credential:
          key: cloud
          name: <custom_secret> # (1)
        objectStorage:
          bucket: <bucket_name>
          prefix: <prefix>
  snapshotLocations:
    - velero:
        provider: gcp
        default: true
        config:
          project: <project>
          snapshotLocation: us-west1
```
- (1) Backup location `Secret` with custom name.
4.2.4.4. Configuring the Data Protection Application
You can configure Velero resource allocations and enable self-signed CA certificates.
4.2.4.4.1. Setting Velero CPU and memory resource allocations
You set the CPU and memory resource allocations for the
Velero
DataProtectionApplication
Prerequisites
- You must have the OpenShift API for Data Protection (OADP) Operator installed.
Procedure
- Edit the values in the `spec.configuration.velero.podConfig.ResourceAllocations` block of the `DataProtectionApplication` CR manifest, as in the following example:
```yaml
apiVersion: oadp.openshift.io/v1alpha1
kind: DataProtectionApplication
metadata:
  name: <dpa_sample>
spec:
...
  configuration:
    velero:
      podConfig:
        resourceAllocations:
          limits:
            cpu: "1"
            memory: 512Mi
          requests:
            cpu: 500m
            memory: 256Mi
```
4.2.4.4.2. Enabling self-signed CA certificates
You must enable a self-signed CA certificate for object storage by editing the
DataProtectionApplication
certificate signed by unknown authority
Prerequisites
- You must have the OpenShift API for Data Protection (OADP) Operator installed.
Procedure
- Edit the `spec.backupLocations.velero.objectStorage.caCert` parameter and `spec.backupLocations.velero.config` parameters of the `DataProtectionApplication` CR manifest:
```yaml
apiVersion: oadp.openshift.io/v1alpha1
kind: DataProtectionApplication
metadata:
  name: <dpa_sample>
spec:
...
  backupLocations:
    - name: default
      velero:
        provider: aws
        default: true
        objectStorage:
          bucket: <bucket>
          prefix: <prefix>
          caCert: <base64_encoded_cert_string>
        config:
          insecureSkipTLSVerify: "false"
...
```
4.2.4.5. Installing the Data Protection Application
You install the Data Protection Application (DPA) by creating an instance of the
DataProtectionApplication
Prerequisites
- You must install the OADP Operator.
- You must configure object storage as a backup location.
- If you use snapshots to back up PVs, your cloud provider must support either a native snapshot API or Container Storage Interface (CSI) snapshots.
- If the backup and snapshot locations use the same credentials, you must create a `Secret` with the default name, `cloud-credentials-gcp`.
- If the backup and snapshot locations use different credentials, you must create two `Secrets`:
  - `Secret` with a custom name for the backup location. You add this `Secret` to the `DataProtectionApplication` CR.
  - `Secret` with the default name, `cloud-credentials-gcp`, for the snapshot location. This `Secret` is not referenced in the `DataProtectionApplication` CR.

Note
If you do not want to specify backup or snapshot locations during the installation, you can create a default `Secret` with an empty `credentials-velero` file. If there is no default `Secret`, the installation will fail.

Procedure
- Click Operators → Installed Operators and select the OADP Operator.
- Under Provided APIs, click Create instance in the DataProtectionApplication box.
- Click YAML View and update the parameters of the `DataProtectionApplication` manifest:
```yaml
apiVersion: oadp.openshift.io/v1alpha1
kind: DataProtectionApplication
metadata:
  name: <dpa_sample>
  namespace: openshift-adp
spec:
  configuration:
    velero:
      defaultPlugins:
        - gcp
        - openshift # (1)
    restic:
      enable: true # (2)
  backupLocations:
    - velero:
        provider: gcp
        default: true
        credential:
          key: cloud
          name: cloud-credentials-gcp # (3)
        objectStorage:
          bucket: <bucket_name> # (4)
          prefix: <prefix> # (5)
  snapshotLocations: # (6)
    - velero:
        provider: gcp
        default: true
        config:
          project: <project>
          snapshotLocation: us-west1 # (7)
```
- (1) The `openshift` plugin is mandatory in order to back up and restore namespaces on an OpenShift Container Platform cluster.
- (2) Set to `false` if you want to disable the Restic installation. Restic deploys a daemon set, which means that each worker node has `Restic` pods running. You configure Restic for backups by adding `spec.defaultVolumesToRestic: true` to the `Backup` CR.
- (3) If you do not specify this value, the default name, `cloud-credentials-gcp`, is used. If you specify a custom name, the custom name is used for the backup location.
- (4) Specify a bucket as the backup storage location. If the bucket is not a dedicated bucket for Velero backups, you must specify a prefix.
- (5) Specify a prefix for Velero backups, for example, `velero`, if the bucket is used for multiple purposes.
- (6) You do not need to specify a snapshot location if you use CSI snapshots or Restic to back up PVs.
- (7) The snapshot location must be in the same region as the PVs.

- Click Create.
- Verify the installation by viewing the OADP resources:
```
$ oc get all -n openshift-adp
```
Example output
```
NAME                                                     READY   STATUS    RESTARTS   AGE
pod/oadp-operator-controller-manager-67d9494d47-6l8z8    2/2     Running   0          2m8s
pod/oadp-velero-sample-1-aws-registry-5d6968cbdd-d5w9k   1/1     Running   0          95s
pod/restic-9cq4q                                         1/1     Running   0          94s
pod/restic-m4lts                                         1/1     Running   0          94s
pod/restic-pv4kr                                         1/1     Running   0          95s
pod/velero-588db7f655-n842v                              1/1     Running   0          95s

NAME                                                       TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)    AGE
service/oadp-operator-controller-manager-metrics-service   ClusterIP   172.30.70.140    <none>        8443/TCP   2m8s
service/oadp-velero-sample-1-aws-registry-svc              ClusterIP   172.30.130.230   <none>        5000/TCP   95s

NAME                    DESIRED   CURRENT   READY   UP-TO-DATE   AVAILABLE   NODE SELECTOR   AGE
daemonset.apps/restic   3         3         3       3            3           <none>          96s

NAME                                                READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/oadp-operator-controller-manager    1/1     1            1           2m9s
deployment.apps/oadp-velero-sample-1-aws-registry   1/1     1            1           96s
deployment.apps/velero                              1/1     1            1           96s

NAME                                                           DESIRED   CURRENT   READY   AGE
replicaset.apps/oadp-operator-controller-manager-67d9494d47    1         1         1       2m9s
replicaset.apps/oadp-velero-sample-1-aws-registry-5d6968cbdd   1         1         1       96s
replicaset.apps/velero-588db7f655                              1         1         1       96s
```
4.2.4.5.1. Enabling CSI in the DataProtectionApplication CR
You enable the Container Storage Interface (CSI) in the
DataProtectionApplication
Prerequisites
- The cloud provider must support CSI snapshots.
Procedure
- Edit the `DataProtectionApplication` CR, as in the following example:
```yaml
apiVersion: oadp.openshift.io/v1alpha1
kind: DataProtectionApplication
...
spec:
  configuration:
    velero:
      defaultPlugins:
      - openshift
      - csi
      featureFlags:
      - EnableCSI
```
4.2.5. Installing and configuring the OpenShift API for Data Protection with Multicloud Object Gateway
You install the OpenShift API for Data Protection (OADP) with Multicloud Object Gateway (MCG) by installing the OADP Operator, creating a
Secret
MCG is a component of OpenShift Container Storage (OCS). You configure MCG as a backup location in the
DataProtectionApplication
The
CloudStorage
For more information about the support scope of Red Hat Technology Preview features, see https://access.redhat.com/support/offerings/techpreview/.
If your cloud provider has a native snapshot API, configure a snapshot location. If your cloud provider does not support snapshots or if your storage is NFS, you can create backups with Restic.
You do not need to specify a snapshot location in the
DataProtectionApplication
To install the OADP Operator in a restricted network environment, you must first disable the default OperatorHub sources and mirror the Operator catalog. For details, see Using Operator Lifecycle Manager on restricted networks.
4.2.5.1. Installing the OADP Operator
You install the OpenShift API for Data Protection (OADP) Operator on OpenShift Container Platform 4.8 by using Operator Lifecycle Manager (OLM).
The OADP Operator installs Velero 1.7.
Prerequisites
- You must be logged in as a user with `cluster-admin` privileges.
Procedure
- In the OpenShift Container Platform web console, click Operators → OperatorHub.
- Use the Filter by keyword field to find the OADP Operator.
- Select the OADP Operator and click Install.
- Click Install to install the Operator in the `openshift-adp` project.
- Click Operators → Installed Operators to verify the installation.
4.2.5.2. Configuring Multi-Cloud Object Gateway
You can install the OpenShift Container Storage Operator and configure a Multi-Cloud Object Gateway (MCG) storage bucket as a replication repository for the Migration Toolkit for Containers (MTC).
4.2.5.2.1. Installing the OpenShift Container Storage Operator
You can install the OpenShift Container Storage Operator from OperatorHub.
Procedure
- In the OpenShift Container Platform web console, click Operators → OperatorHub.
- Use Filter by keyword (in this case, OCS) to find the OpenShift Container Storage Operator.
- Select the OpenShift Container Storage Operator and click Install.
- Select an Update Channel, Installation Mode, and Approval Strategy.
- Click Install.

On the Installed Operators page, the OpenShift Container Storage Operator appears in the openshift-storage project with the status Succeeded.
4.2.5.2.2. Creating the Multi-Cloud Object Gateway storage bucket
You can create the Multi-Cloud Object Gateway (MCG) storage bucket’s custom resources (CRs).
Procedure
- Log in to the OpenShift Container Platform cluster:
```
$ oc login -u <username>
```
- Create the `NooBaa` CR configuration file, `noobaa.yml`, with the following content:
```yaml
apiVersion: noobaa.io/v1alpha1
kind: NooBaa
metadata:
  name: <noobaa>
  namespace: openshift-storage
spec:
  dbResources:
    requests:
      cpu: 0.5
      memory: 1Gi
  coreResources:
    requests:
      cpu: 0.5
      memory: 1Gi
```
- Create the `NooBaa` object:
```
$ oc create -f noobaa.yml
```
- Create the `BackingStore` CR configuration file, `bs.yml`, with the following content:
```yaml
apiVersion: noobaa.io/v1alpha1
kind: BackingStore
metadata:
  finalizers:
  - noobaa.io/finalizer
  labels:
    app: noobaa
  name: <mcg_backing_store>
  namespace: openshift-storage
spec:
  pvPool:
    numVolumes: 3
    resources:
      requests:
        storage: <volume_size>
    storageClass: <storage_class>
  type: pv-pool
```
- Create the `BackingStore` object:
```
$ oc create -f bs.yml
```
- Create the `BucketClass` CR configuration file, `bc.yml`, with the following content:
```yaml
apiVersion: noobaa.io/v1alpha1
kind: BucketClass
metadata:
  labels:
    app: noobaa
  name: <mcg_bucket_class>
  namespace: openshift-storage
spec:
  placementPolicy:
    tiers:
    - backingStores:
      - <mcg_backing_store>
      placement: Spread
```
- Create the `BucketClass` object:
```
$ oc create -f bc.yml
```
- Create the `ObjectBucketClaim` CR configuration file, `obc.yml`, with the following content:
```yaml
apiVersion: objectbucket.io/v1alpha1
kind: ObjectBucketClaim
metadata:
  name: <bucket>
  namespace: openshift-storage
spec:
  bucketName: <bucket> # (1)
  storageClassName: <storage_class>
  additionalConfig:
    bucketclass: <mcg_bucket_class>
```
- (1) Record the bucket name for adding the replication repository to the MTC web console.

- Create the `ObjectBucketClaim` object:
```
$ oc create -f obc.yml
```
- Watch the resource creation process to verify that the `ObjectBucketClaim` status is `Bound`:
```
$ watch -n 30 'oc get -n openshift-storage objectbucketclaim migstorage -o yaml'
```
This process can take five to ten minutes.
- Obtain and record the following values, which are required when you add the replication repository to the MTC web console:

S3 endpoint:
```
$ oc get route -n openshift-storage s3
```
S3 provider access key:
```
$ oc get secret -n openshift-storage migstorage \
    -o go-template='{{ .data.AWS_ACCESS_KEY_ID }}' | base64 --decode
```
S3 provider secret access key:
```
$ oc get secret -n openshift-storage migstorage \
    -o go-template='{{ .data.AWS_SECRET_ACCESS_KEY }}' | base64 --decode
```
4.2.5.3. Creating a secret for backup and snapshot locations
You create a
Secret
The default name of the `Secret` is `cloud-credentials`.
Prerequisites
- Your object storage and cloud storage must use the same credentials.
- You must configure object storage for Velero.
- You must create a `credentials-velero` file for the object storage in the appropriate format.
Procedure
- Create a `Secret` with the default name:
```
$ oc create secret generic cloud-credentials -n openshift-adp --from-file cloud=credentials-velero
```
The
Secret
spec.backupLocations.credential
DataProtectionApplication
4.2.5.3.1. Configuring secrets for different backup and snapshot location credentials
If your backup and snapshot locations use different credentials, you create two `Secret` objects:
- Backup location `Secret` with a custom name. The custom name is specified in the `spec.backupLocations` block of the `DataProtectionApplication` custom resource (CR).
- Snapshot location `Secret` with the default name, `cloud-credentials`. This `Secret` is not specified in the `DataProtectionApplication` CR.
Procedure
- Create a `credentials-velero` file for the snapshot location in the appropriate format for your cloud provider.
- Create a `Secret` for the snapshot location with the default name:
```
$ oc create secret generic cloud-credentials -n openshift-adp --from-file cloud=credentials-velero
```
- Create a `credentials-velero` file for the backup location in the appropriate format for your object storage.
- Create a `Secret` for the backup location with a custom name:
```
$ oc create secret generic <custom_secret> -n openshift-adp --from-file cloud=credentials-velero
```
- Add the `Secret` with the custom name to the `DataProtectionApplication` CR, as in the following example:
```yaml
apiVersion: oadp.openshift.io/v1alpha1
kind: DataProtectionApplication
metadata:
  name: <dpa_sample>
  namespace: openshift-adp
spec:
  configuration:
    velero:
      defaultPlugins:
        - aws
        - openshift
    restic:
      enable: true
  backupLocations:
    - velero:
        config:
          profile: "default"
          region: minio
          s3Url: <url>
          insecureSkipTLSVerify: "true"
          s3ForcePathStyle: "true"
        provider: aws
        default: true
        credential:
          key: cloud
          name: <custom_secret> # (1)
        objectStorage:
          bucket: <bucket_name>
          prefix: <prefix>
```
- (1) Backup location `Secret` with custom name.
4.2.5.4. Configuring the Data Protection Application
You can configure Velero resource allocations and enable self-signed CA certificates.
4.2.5.4.1. Setting Velero CPU and memory resource allocations
You set the CPU and memory resource allocations for the
Velero
DataProtectionApplication
Prerequisites
- You must have the OpenShift API for Data Protection (OADP) Operator installed.
Procedure
- Edit the values in the `spec.configuration.velero.podConfig.ResourceAllocations` block of the `DataProtectionApplication` CR manifest, as in the following example:
```yaml
apiVersion: oadp.openshift.io/v1alpha1
kind: DataProtectionApplication
metadata:
  name: <dpa_sample>
spec:
...
  configuration:
    velero:
      podConfig:
        resourceAllocations:
          limits:
            cpu: "1"
            memory: 512Mi
          requests:
            cpu: 500m
            memory: 256Mi
```
4.2.5.4.2. Enabling self-signed CA certificates
You must enable a self-signed CA certificate for object storage by editing the
DataProtectionApplication
certificate signed by unknown authority
Prerequisites
- You must have the OpenShift API for Data Protection (OADP) Operator installed.
Procedure
- Edit the `spec.backupLocations.velero.objectStorage.caCert` parameter and `spec.backupLocations.velero.config` parameters of the `DataProtectionApplication` CR manifest:
```yaml
apiVersion: oadp.openshift.io/v1alpha1
kind: DataProtectionApplication
metadata:
  name: <dpa_sample>
spec:
...
  backupLocations:
    - name: default
      velero:
        provider: aws
        default: true
        objectStorage:
          bucket: <bucket>
          prefix: <prefix>
          caCert: <base64_encoded_cert_string>
        config:
          insecureSkipTLSVerify: "false"
...
```
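The MCG backup location examples in this section set `insecureSkipTLSVerify: "true"`, while the self-signed CA procedure pairs `caCert` with `insecureSkipTLSVerify: "false"`. The following check is an added example, not part of this documentation or of the OADP project: it reviews the JSON form of a `DataProtectionApplication` CR (for example, from `oc get dataprotectionapplication <dpa_sample> -n openshift-adp -o json`) for those settings. The function names, severity labels, and sample CR are assumptions constructed for illustration.

```python
import base64
import binascii
import json
import sys

# Constructed placeholder PEM. Only the BEGIN/END markers matter to this check,
# which does not parse the X.509 structure.
SAMPLE_CA_PEM = (b"-----BEGIN CERTIFICATE-----\n"
                 b"Q09OU1RSVUNURUQtUExBQ0VIT0xERVI=\n"
                 b"-----END CERTIFICATE-----\n")

# Constructed sample in the shape of a DataProtectionApplication CR exported as JSON.
SAMPLE_DPA = {
    "apiVersion": "oadp.openshift.io/v1alpha1",
    "kind": "DataProtectionApplication",
    "metadata": {"name": "dpa-sample", "namespace": "openshift-adp"},
    "spec": {
        "backupLocations": [
            {   # Mirrors the MCG example: TLS verification switched off, no prefix.
                "velero": {
                    "provider": "aws",
                    "default": True,
                    "config": {"s3Url": "https://s3.example.invalid",
                               "insecureSkipTLSVerify": "true",
                               "s3ForcePathStyle": "true"},
                    "credential": {"key": "cloud", "name": "cloud-credentials"},
                    "objectStorage": {"bucket": "backups"},
                },
            },
            {   # Mirrors the self-signed CA example: CA supplied, verification on.
                "name": "default",
                "velero": {
                    "provider": "aws",
                    "config": {"insecureSkipTLSVerify": "false"},
                    "objectStorage": {
                        "bucket": "backups",
                        "prefix": "velero",
                        "caCert": base64.b64encode(SAMPLE_CA_PEM).decode(),
                    },
                },
            },
        ]
    },
}


def check_ca_cert(value):
    """Return a problem description for an unusable caCert value, or None."""
    if not isinstance(value, str):
        return "caCert is not a string"
    try:
        # Tolerate wrapped base64 by dropping whitespace before strict decoding.
        decoded = base64.b64decode("".join(value.split()), validate=True)
    except (binascii.Error, ValueError):
        return "caCert is not valid base64"
    if b"PRIVATE KEY-----" in decoded:
        return "caCert contains a private key; only the CA certificate belongs here"
    if (b"-----BEGIN CERTIFICATE-----" not in decoded
            or b"-----END CERTIFICATE-----" not in decoded):
        return "caCert does not decode to a PEM certificate"
    return None


def audit_dpa(dpa):
    """Return (location, severity, message) tuples for each backup location."""
    findings = []
    locations = dpa.get("spec", {}).get("backupLocations") or []
    for index, location in enumerate(locations):
        velero = location.get("velero") or {}
        label = location.get("name") or f"backupLocations[{index}]"
        config = velero.get("config") or {}
        storage = velero.get("objectStorage") or {}

        # The CR carries this flag as a quoted string, so compare text.
        skip = str(config.get("insecureSkipTLSVerify", "false")).strip().lower()
        if skip == "true":
            findings.append((label, "HIGH",
                             'insecureSkipTLSVerify is "true": the object '
                             "storage endpoint certificate is not verified"))

        if storage.get("caCert") is not None:
            problem = check_ca_cert(storage["caCert"])
            if problem:
                findings.append((label, "MEDIUM", problem))

        if not storage.get("prefix"):
            findings.append((label, "INFO",
                             "no prefix: the bucket must be dedicated to Velero backups"))

        if not (velero.get("credential") or {}).get("name"):
            findings.append((label, "INFO",
                             "no credential.name: the default Secret name is used"))
    return findings


if __name__ == "__main__":
    # Pass a JSON file exported from the cluster, or run with no argument for the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as handle:
            cr = json.load(handle)
    else:
        cr = SAMPLE_DPA
    for finding in audit_dpa(cr):
        print(" | ".join(finding))
```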
4.2.5.5. Installing the Data Protection Application
You install the Data Protection Application (DPA) by creating an instance of the
DataProtectionApplication
Prerequisites
- You must install the OADP Operator.
- You must configure object storage as a backup location.
- If you use snapshots to back up PVs, your cloud provider must support either a native snapshot API or Container Storage Interface (CSI) snapshots.
- If the backup and snapshot locations use the same credentials, you must create a `Secret` with the default name, `cloud-credentials`.
- If the backup and snapshot locations use different credentials, you must create two `Secrets`:
  - `Secret` with a custom name for the backup location. You add this `Secret` to the `DataProtectionApplication` CR.
  - `Secret` with the default name, `cloud-credentials`, for the snapshot location. This `Secret` is not referenced in the `DataProtectionApplication` CR.

Note
If you do not want to specify backup or snapshot locations during the installation, you can create a default `Secret` with an empty `credentials-velero` file. If there is no default `Secret`, the installation will fail.

Procedure
- Click Operators → Installed Operators and select the OADP Operator.
- Under Provided APIs, click Create instance in the DataProtectionApplication box.
- Click YAML View and update the parameters of the `DataProtectionApplication` manifest:
```yaml
apiVersion: oadp.openshift.io/v1alpha1
kind: DataProtectionApplication
metadata:
  name: <dpa_sample>
  namespace: openshift-adp
spec:
  configuration:
    velero:
      defaultPlugins:
        - aws
        - openshift # (1)
    restic:
      enable: true # (2)
  backupLocations:
    - velero:
        config:
          profile: "default"
          region: minio
          s3Url: <url> # (3)
          insecureSkipTLSVerify: "true"
          s3ForcePathStyle: "true"
        provider: aws
        default: true
        credential:
          key: cloud
          name: cloud-credentials # (4)
        objectStorage:
          bucket: <bucket_name> # (5)
          prefix: <prefix> # (6)
```
- (1) The `openshift` plugin is mandatory in order to back up and restore namespaces on an OpenShift Container Platform cluster.
- (2) Set to `false` if you want to disable the Restic installation. Restic deploys a daemon set, which means that each worker node has `Restic` pods running. You configure Restic for backups by adding `spec.defaultVolumesToRestic: true` to the `Backup` CR.
- (3) Specify the URL of the S3 endpoint.
- (4) If you do not specify this value, the default name, `cloud-credentials`, is used. If you specify a custom name, the custom name is used for the backup location.
- (5) Specify a bucket as the backup storage location. If the bucket is not a dedicated bucket for Velero backups, you must specify a prefix.
- (6) Specify a prefix for Velero backups, for example, `velero`, if the bucket is used for multiple purposes.

- Click Create.
- Verify the installation by viewing the OADP resources:
```
$ oc get all -n openshift-adp
```
Example output
```
NAME                                                     READY   STATUS    RESTARTS   AGE
pod/oadp-operator-controller-manager-67d9494d47-6l8z8    2/2     Running   0          2m8s
pod/oadp-velero-sample-1-aws-registry-5d6968cbdd-d5w9k   1/1     Running   0          95s
pod/restic-9cq4q                                         1/1     Running   0          94s
pod/restic-m4lts                                         1/1     Running   0          94s
pod/restic-pv4kr                                         1/1     Running   0          95s
pod/velero-588db7f655-n842v                              1/1     Running   0          95s

NAME                                                       TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)    AGE
service/oadp-operator-controller-manager-metrics-service   ClusterIP   172.30.70.140    <none>        8443/TCP   2m8s
service/oadp-velero-sample-1-aws-registry-svc              ClusterIP   172.30.130.230   <none>        5000/TCP   95s

NAME                    DESIRED   CURRENT   READY   UP-TO-DATE   AVAILABLE   NODE SELECTOR   AGE
daemonset.apps/restic   3         3         3       3            3           <none>          96s

NAME                                                READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/oadp-operator-controller-manager    1/1     1            1           2m9s
deployment.apps/oadp-velero-sample-1-aws-registry   1/1     1            1           96s
deployment.apps/velero                              1/1     1            1           96s

NAME                                                           DESIRED   CURRENT   READY   AGE
replicaset.apps/oadp-operator-controller-manager-67d9494d47    1         1         1       2m9s
replicaset.apps/oadp-velero-sample-1-aws-registry-5d6968cbdd   1         1         1       96s
replicaset.apps/velero-588db7f655                              1         1         1       96s
```
4.2.5.5.1. Enabling CSI in the DataProtectionApplication CR
You enable the Container Storage Interface (CSI) in the
DataProtectionApplication
Prerequisites
- The cloud provider must support CSI snapshots.
Procedure
- Edit the `DataProtectionApplication` CR, as in the following example:
```yaml
apiVersion: oadp.openshift.io/v1alpha1
kind: DataProtectionApplication
...
spec:
  configuration:
    velero:
      defaultPlugins:
      - openshift
      - csi
      featureFlags:
      - EnableCSI
```
4.2.6. Installing and configuring the OpenShift API for Data Protection with OpenShift Container Storage
You install the OpenShift API for Data Protection (OADP) with OpenShift Container Storage (OCS) by installing the OADP Operator and configuring a backup location and a snapshot location. Then, you install the Data Protection Application.
You can configure Multicloud Object Gateway or any S3-compatible object storage as a backup location in the
DataProtectionApplication
The
CloudStorage
For more information about the support scope of Red Hat Technology Preview features, see https://access.redhat.com/support/offerings/techpreview/.
If the cloud provider has a native snapshot API, you can configure cloud storage as a snapshot location in the
DataProtectionApplication
To install the OADP Operator in a restricted network environment, you must first disable the default OperatorHub sources and mirror the Operator catalog. For details, see Using Operator Lifecycle Manager on restricted networks.
4.2.6.1. Installing the OADP Operator
You install the OpenShift API for Data Protection (OADP) Operator on OpenShift Container Platform 4.8 by using Operator Lifecycle Manager (OLM).
The OADP Operator installs Velero 1.7.
Prerequisites
- You must be logged in as a user with `cluster-admin` privileges.
Procedure
- In the OpenShift Container Platform web console, click Operators → OperatorHub.
- Use the Filter by keyword field to find the OADP Operator.
- Select the OADP Operator and click Install.
- Click Install to install the Operator in the `openshift-adp` project.
- Click Operators → Installed Operators to verify the installation.
After you install the OADP Operator, you configure object storage as a backup location and cloud storage as a snapshot location, if the cloud provider supports a native snapshot API.
If the cloud provider does not support snapshots or if your storage is NFS, you can create backups with Restic. Restic does not require a snapshot location.
4.2.6.2. Creating a secret for backup and snapshot locations
You create a
Secret
The default name of the `Secret` is `cloud-credentials`.
Prerequisites
- Your object storage and cloud storage must use the same credentials.
- You must configure object storage for Velero.
- You must create a `credentials-velero` file for the object storage in the appropriate format.
Procedure
- Create a `Secret` with the default name:
```
$ oc create secret generic cloud-credentials -n openshift-adp --from-file cloud=credentials-velero
```
The
Secret
spec.backupLocations.credential
DataProtectionApplication
4.2.6.2.1. Configuring secrets for different backup and snapshot location credentials
If your backup and snapshot locations use different credentials, you create two `Secret` objects:
- Backup location `Secret` with a custom name. The custom name is specified in the `spec.backupLocations` block of the `DataProtectionApplication` custom resource (CR).
- Snapshot location `Secret` with the default name, `cloud-credentials`. This `Secret` is not specified in the `DataProtectionApplication` CR.
Procedure
- Create a `credentials-velero` file for the snapshot location in the appropriate format for your cloud provider.
- Create a `Secret` for the snapshot location with the default name:
```
$ oc create secret generic cloud-credentials -n openshift-adp --from-file cloud=credentials-velero
```
- Create a `credentials-velero` file for the backup location in the appropriate format for your object storage.
- Create a `Secret` for the backup location with a custom name:
```
$ oc create secret generic <custom_secret> -n openshift-adp --from-file cloud=credentials-velero
```
- Add the `Secret` with the custom name to the `DataProtectionApplication` CR, as in the following example:
```yaml
apiVersion: oadp.openshift.io/v1alpha1
kind: DataProtectionApplication
metadata:
  name: <dpa_sample>
  namespace: openshift-adp
spec:
  configuration:
    velero:
      defaultPlugins:
        - csi
        - openshift
      featureFlags:
      - EnableCSI
    restic:
      enable: true
  backupLocations:
    - velero:
        provider: gcp
        default: true
        credential:
          key: cloud
          name: <custom_secret> # (1)
        objectStorage:
          bucket: <bucket_name>
          prefix: <prefix>
```
- (1) Backup location `Secret` with custom name.
4.2.6.3. Configuring the Data Protection Application
You can configure Velero resource allocations and enable self-signed CA certificates.
4.2.6.3.1. Setting Velero CPU and memory resource allocations
You set the CPU and memory resource allocations for the
Velero
DataProtectionApplication
Prerequisites
- You must have the OpenShift API for Data Protection (OADP) Operator installed.
Procedure
- Edit the values in the `spec.configuration.velero.podConfig.ResourceAllocations` block of the `DataProtectionApplication` CR manifest, as in the following example:
```yaml
apiVersion: oadp.openshift.io/v1alpha1
kind: DataProtectionApplication
metadata:
  name: <dpa_sample>
spec:
...
  configuration:
    velero:
      podConfig:
        resourceAllocations:
          limits:
            cpu: "1"
            memory: 512Mi
          requests:
            cpu: 500m
            memory: 256Mi
```
4.2.6.3.2. Enabling self-signed CA certificates
You must enable a self-signed CA certificate for object storage by editing the
DataProtectionApplication
certificate signed by unknown authority
Prerequisites
- You must have the OpenShift API for Data Protection (OADP) Operator installed.
Procedure
- Edit the `spec.backupLocations.velero.objectStorage.caCert` parameter and `spec.backupLocations.velero.config` parameters of the `DataProtectionApplication` CR manifest:
```yaml
apiVersion: oadp.openshift.io/v1alpha1
kind: DataProtectionApplication
metadata:
  name: <dpa_sample>
spec:
...
  backupLocations:
    - name: default
      velero:
        provider: aws
        default: true
        objectStorage:
          bucket: <bucket>
          prefix: <prefix>
          caCert: <base64_encoded_cert_string>
        config:
          insecureSkipTLSVerify: "false"
...
```
4.2.6.4. Installing the Data Protection Application Copiar enlaceEnlace copiado en el portapapeles!
You install the Data Protection Application (DPA) by creating an instance of the
DataProtectionApplication
Prerequisites
- You must install the OADP Operator.
- You must configure object storage as a backup location.
- If you use snapshots to back up PVs, your cloud provider must support either a native snapshot API or Container Storage Interface (CSI) snapshots.
- If the backup and snapshot locations use the same credentials, you must create a Secret with the default name, cloud-credentials.
- If the backup and snapshot locations use different credentials, you must create two Secrets:
  - Secret with a custom name for the backup location. You add this Secret to the DataProtectionApplication CR.
  - Secret with the default name, cloud-credentials, for the snapshot location. This Secret is not referenced in the DataProtectionApplication CR.
Note: If you do not want to specify backup or snapshot locations during the installation, you can create a default Secret with an empty credentials-velero file. If there is no default Secret, the installation will fail.
Procedure
- Click Operators → Installed Operators and select the OADP Operator.
- Under Provided APIs, click Create instance in the DataProtectionApplication box.
- Click YAML View and update the parameters of the DataProtectionApplication manifest:
apiVersion: oadp.openshift.io/v1alpha1
kind: DataProtectionApplication
metadata:
  name: <dpa_sample>
  namespace: openshift-adp
spec:
  configuration:
    velero:
      defaultPlugins:
        - gcp # (1)
        - csi # (2)
        - openshift # (3)
    restic:
      enable: true # (4)
  backupLocations:
    - velero:
        provider: gcp # (5)
        default: true
        credential:
          key: cloud
          name: <default_secret> # (6)
        objectStorage:
          bucket: <bucket_name> # (7)
          prefix: <prefix> # (8)
(1) Specify the default plugin for the backup provider, for example, gcp, if appropriate.
(2) Specify the csi default plugin if you use CSI snapshots to back up PVs. The csi plugin uses the Velero CSI beta snapshot APIs. You do not need to configure a snapshot location.
(3) The openshift plugin is mandatory in order to back up and restore namespaces on an OpenShift Container Platform cluster.
(4) Set to false if you want to disable the Restic installation. Restic deploys a daemon set, which means that each worker node has Restic pods running. You configure Restic for backups by adding spec.defaultVolumesToRestic: true to the Backup CR.
(5) Specify the backup provider.
(6) If you use a default plugin for the backup provider, you must specify the correct default name for the Secret, for example, cloud-credentials-gcp. If you specify a custom name, the custom name is used for the backup location. If you do not specify a Secret name, the default name is used.
(7) Specify a bucket as the backup storage location. If the bucket is not a dedicated bucket for Velero backups, you must specify a prefix.
(8) Specify a prefix for Velero backups, for example, velero, if the bucket is used for multiple purposes.
- Click Create.
- Verify the installation by viewing the OADP resources:
$ oc get all -n openshift-adp
Example output
NAME                                                     READY   STATUS    RESTARTS   AGE
pod/oadp-operator-controller-manager-67d9494d47-6l8z8    2/2     Running   0          2m8s
pod/oadp-velero-sample-1-aws-registry-5d6968cbdd-d5w9k   1/1     Running   0          95s
pod/restic-9cq4q                                         1/1     Running   0          94s
pod/restic-m4lts                                         1/1     Running   0          94s
pod/restic-pv4kr                                         1/1     Running   0          95s
pod/velero-588db7f655-n842v                              1/1     Running   0          95s

NAME                                                       TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)    AGE
service/oadp-operator-controller-manager-metrics-service   ClusterIP   172.30.70.140    <none>        8443/TCP   2m8s
service/oadp-velero-sample-1-aws-registry-svc              ClusterIP   172.30.130.230   <none>        5000/TCP   95s

NAME                    DESIRED   CURRENT   READY   UP-TO-DATE   AVAILABLE   NODE SELECTOR   AGE
daemonset.apps/restic   3         3         3       3            3           <none>          96s

NAME                                                READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/oadp-operator-controller-manager    1/1     1            1           2m9s
deployment.apps/oadp-velero-sample-1-aws-registry   1/1     1            1           96s
deployment.apps/velero                              1/1     1            1           96s

NAME                                                           DESIRED   CURRENT   READY   AGE
replicaset.apps/oadp-operator-controller-manager-67d9494d47    1         1         1       2m9s
replicaset.apps/oadp-velero-sample-1-aws-registry-5d6968cbdd   1         1         1       96s
replicaset.apps/velero-588db7f655                              1         1         1       96s
4.2.6.4.1. Enabling CSI in the DataProtectionApplication CR
You enable the Container Storage Interface (CSI) in the
DataProtectionApplication
Prerequisites
- The cloud provider must support CSI snapshots.
Procedure
- Edit the DataProtectionApplication CR, as in the following example:
apiVersion: oadp.openshift.io/v1alpha1
kind: DataProtectionApplication
...
spec:
  configuration:
    velero:
      defaultPlugins:
        - openshift
        - csi
      featureFlags:
        - EnableCSI
4.2.7. Uninstalling the OpenShift API for Data Protection
You uninstall the OpenShift API for Data Protection (OADP) by deleting the OADP Operator. See Deleting Operators from a cluster for details.
4.3. Backing up and restoring
4.3.1. Backing up applications
You back up applications by creating a Backup custom resource (CR).
The
Backup
The
CloudStorage
For more information about the support scope of Red Hat Technology Preview features, see https://access.redhat.com/support/offerings/techpreview/.
If your cloud provider has a native snapshot API or supports Container Storage Interface (CSI) snapshots, the
Backup
If your cloud provider does not support snapshots or if your applications are on NFS data volumes, you can create backups by using Restic.
You can create backup hooks to run commands before or after the backup operation.
You can schedule backups by creating a Schedule CR instead of a
Backup
4.3.1.1. Creating a Backup CR
You back up Kubernetes images, internal images, and persistent volumes (PVs) by creating a
Backup
Prerequisites
- You must install the OpenShift API for Data Protection (OADP) Operator.
- The DataProtectionApplication CR must be in a Ready state.
- Backup location prerequisites:
  - You must have S3 object storage configured for Velero.
  - You must have a backup location configured in the DataProtectionApplication CR.
- Snapshot location prerequisites:
  - Your cloud provider must have a native snapshot API or support Container Storage Interface (CSI) snapshots.
  - For CSI snapshots, you must create a VolumeSnapshotClass CR to register the CSI driver.
  - You must have a volume location configured in the DataProtectionApplication CR.
Procedure
- Retrieve the backupStorageLocations CRs:
$ oc get backupStorageLocations
Example output
NAME              PHASE       LAST VALIDATED   AGE   DEFAULT
velero-sample-1   Available   11s              31m
- Create a Backup CR, as in the following example:
apiVersion: velero.io/v1
kind: Backup
metadata:
  name: <backup>
  labels:
    velero.io/storage-location: default
  namespace: openshift-adp
spec:
  hooks: {}
  includedNamespaces:
    - <namespace>
  storageLocation: <velero-sample-1>
  ttl: 720h0m0s
- Verify that the status of the Backup CR is Completed:
$ oc get backup -n openshift-adp <backup> -o jsonpath='{.status.phase}'
4.3.1.2. Backing up persistent volumes with CSI snapshots
You back up persistent volumes with Container Storage Interface (CSI) snapshots by creating a
VolumeSnapshotClass
Backup
Prerequisites
- The cloud provider must support CSI snapshots.
- You must enable CSI in the DataProtectionApplication CR.
Procedure
- Create a VolumeSnapshotClass CR, as in the following examples:
Ceph RBD
apiVersion: snapshot.storage.k8s.io/v1
kind: VolumeSnapshotClass
deletionPolicy: Retain
metadata:
  name: <volume_snapshot_class_name>
  labels:
    velero.io/csi-volumesnapshot-class: "true"
snapshotter: openshift-storage.rbd.csi.ceph.com
driver: openshift-storage.rbd.csi.ceph.com
parameters:
  clusterID: openshift-storage
  csi.storage.k8s.io/snapshotter-secret-name: rook-csi-rbd-provisioner
  csi.storage.k8s.io/snapshotter-secret-namespace: openshift-storage
Ceph FS
apiVersion: snapshot.storage.k8s.io/v1
kind: VolumeSnapshotClass
metadata:
  name: <volume_snapshot_class_name>
  labels:
    velero.io/csi-volumesnapshot-class: "true"
driver: openshift-storage.cephfs.csi.ceph.com
deletionPolicy: Retain
parameters:
  clusterID: openshift-storage
  csi.storage.k8s.io/snapshotter-secret-name: rook-csi-cephfs-provisioner
  csi.storage.k8s.io/snapshotter-secret-namespace: openshift-storage
Other cloud providers
apiVersion: snapshot.storage.k8s.io/v1
kind: VolumeSnapshotClass
metadata:
  name: <volume_snapshot_class_name>
  labels:
    velero.io/csi-volumesnapshot-class: "true"
driver: <csi_driver>
deletionPolicy: Retain
You can now create a
Backup
4.3.1.3. Backing up applications with Restic
You back up Kubernetes resources, internal images, and persistent volumes with Restic by editing the
Backup
You do not need to specify a snapshot location in the
DataProtectionApplication
Prerequisites
- You must install the OpenShift API for Data Protection (OADP) Operator.
- You must not disable the default Restic installation by setting spec.configuration.restic.enable to false in the DataProtectionApplication CR.
- The DataProtectionApplication CR must be in a Ready state.
Procedure
- Edit the Backup CR, as in the following example:
apiVersion: velero.io/v1
kind: Backup
metadata:
  name: <backup>
  labels:
    velero.io/storage-location: default
  namespace: openshift-adp
spec:
  defaultVolumesToRestic: true # (1)
...
(1) Add defaultVolumesToRestic: true to the spec block.
4.3.1.4. Creating backup hooks
You create backup hooks to run commands in a container in a pod by editing the
Backup
Pre hooks run before the pod is backed up. Post hooks run after the backup.
Procedure
- Add a hook to the spec.hooks block of the Backup CR, as in the following example:
apiVersion: velero.io/v1
kind: Backup
metadata:
  name: <backup>
  namespace: openshift-adp
spec:
  hooks:
    resources:
      - name: <hook_name>
        includedNamespaces:
          - <namespace> # (1)
        excludedNamespaces:
          - <namespace>
        includedResources:
          - pods # (2)
        excludedResources: []
        labelSelector: # (3)
          matchLabels:
            app: velero
            component: server
        pre: # (4)
          - exec:
              container: <container> # (5)
              command:
                - /bin/uname # (6)
                - -a
              onError: Fail # (7)
              timeout: 30s # (8)
        post: # (9)
...
(1) Array of namespaces to which the hook applies. If this value is not specified, the hook applies to all namespaces.
(2) Currently, pods are the only supported resource.
(3) Optional: This hook only applies to objects matching the label selector.
(4) Array of hooks to run before the backup.
(5) Optional: If the container is not specified, the command runs in the first container in the pod.
(6) Array of commands that the hook runs.
(7) Allowed values for error handling are Fail and Continue. The default is Fail.
(8) Optional: How long to wait for the commands to run. The default is 30s.
(9) This block defines an array of hooks to run after the backup, with the same parameters as the pre-backup hooks.
4.3.1.5. Scheduling backups
You schedule backups by creating a
Schedule
Backup
Leave enough time in your backup schedule for a backup to finish before another backup is created.
For example, if a backup of a namespace typically takes 10 minutes, do not schedule backups more frequently than every 15 minutes.
Prerequisites
- You must install the OpenShift API for Data Protection (OADP) Operator.
- The DataProtectionApplication CR must be in a Ready state.
Procedure
- Retrieve the backupStorageLocations CRs:
$ oc get backupStorageLocations
Example output
NAME              PHASE       LAST VALIDATED   AGE   DEFAULT
velero-sample-1   Available   11s              31m
- Create a Schedule CR, as in the following example:
$ cat << EOF | oc apply -f -
apiVersion: velero.io/v1
kind: Schedule
metadata:
  name: <schedule>
  namespace: openshift-adp
spec:
  schedule: 0 7 * * *
  template:
    hooks: {}
    includedNamespaces:
      - <namespace>
    storageLocation: <velero-sample-1>
    defaultVolumesToRestic: true
    ttl: 720h0m0s
EOF
- Verify that the status of the Schedule CR is Completed after the scheduled backup runs:
$ oc get schedule -n openshift-adp <schedule> -o jsonpath='{.status.phase}'
4.3.2. Restoring applications
You restore application backups by creating a Restore custom resource (CR).
You can create restore hooks to run commands in init containers, before the application container starts, or in the application container itself.
4.3.2.1. Creating a Restore CR
You restore a
Backup
Restore
Prerequisites
- You must install the OpenShift API for Data Protection (OADP) Operator.
- The DataProtectionApplication CR must be in a Ready state.
- You must have a Velero Backup CR.
- Adjust the requested size so the persistent volume (PV) capacity matches the requested size at backup time.
Procedure
- Create a Restore CR, as in the following example:
apiVersion: velero.io/v1
kind: Restore
metadata:
  name: <restore>
  namespace: openshift-adp
spec:
  backupName: <backup> # (1)
  excludedResources:
    - nodes
    - events
    - events.events.k8s.io
    - backups.velero.io
    - restores.velero.io
    - resticrepositories.velero.io
  restorePVs: true
(1) Name of the Backup CR.
- Verify that the status of the Restore CR is Completed:
$ oc get restore -n openshift-adp <restore> -o jsonpath='{.status.phase}'
- Verify that the backup resources have been restored:
$ oc get all -n <namespace> # (1)
(1) Namespace that you backed up.
4.3.2.2. Creating restore hooks
You create restore hooks to run commands in a container in a pod while restoring your application by editing the
Restore
You can create two types of restore hooks:
- An init hook adds an init container to a pod to perform setup tasks before the application container starts.
  If you restore a Restic backup, the restic-wait init container is added before the restore hook init container.
- An exec hook runs commands or scripts in a container of a restored pod.
Procedure
- Add a hook to the spec.hooks block of the Restore CR, as in the following example:
apiVersion: velero.io/v1
kind: Restore
metadata:
  name: <restore>
  namespace: openshift-adp
spec:
  hooks:
    resources:
      - name: <hook_name>
        includedNamespaces:
          - <namespace> # (1)
        excludedNamespaces:
          - <namespace>
        includedResources:
          - pods # (2)
        excludedResources: []
        labelSelector: # (3)
          matchLabels:
            app: velero
            component: server
        postHooks:
          - init:
              initContainers:
                - name: restore-hook-init
                  image: alpine:latest
                  volumeMounts:
                    - mountPath: /restores/pvc1-vm
                      name: pvc1-vm
                  command:
                    - /bin/ash
                    - -c
          - exec:
              container: <container> # (4)
              command:
                - /bin/bash # (5)
                - -c
                - "psql < /backup/backup.sql"
              waitTimeout: 5m # (6)
              execTimeout: 1m # (7)
              onError: Continue # (8)
(1) Optional: Array of namespaces to which the hook applies. If this value is not specified, the hook applies to all namespaces.
(2) Currently, pods are the only supported resource.
(3) Optional: This hook only applies to objects matching the label selector.
(4) Optional: If the container is not specified, the command runs in the first container in the pod.
(5) Array of commands that the hook runs.
(6) Optional: If the waitTimeout is not specified, the restore waits indefinitely. You can specify how long to wait for a container to start and for preceding hooks in the container to complete. The wait timeout starts when the container is restored and might require time for the container to pull the image and mount the volumes.
(7) Optional: How long to wait for the commands to run. The default is 30s.
(8) Allowed values for error handling are Fail and Continue:
  - Continue: Only command failures are logged.
  - Fail: No more restore hooks run in any container in any pod. The status of the Restore CR will be PartiallyFailed.
4.4. Troubleshooting
You can debug Velero custom resources (CRs) by using the OpenShift CLI tool or the Velero CLI tool. The Velero CLI tool provides more detailed logs and information.
You can check installation issues, backup and restore CR issues, and Restic issues.
You can collect logs, CR information, and Prometheus metric data by using the must-gather tool.
You can obtain the Velero CLI tool by:
- Downloading the Velero CLI tool
- Accessing the Velero binary in the Velero deployment in the cluster
4.4.1. Downloading the Velero CLI tool
You can download and install the Velero CLI tool by following the instructions on the Velero documentation page.
The page includes instructions for:
- macOS by using Homebrew
- GitHub
- Windows by using Chocolatey
Prerequisites
- You have access to a Kubernetes cluster, v1.16 or later, with DNS and container networking enabled.
- You have installed kubectl locally.
Procedure
- Open a browser and navigate to "Install the CLI" on the Velero website.
- Follow the appropriate procedure for macOS, GitHub, or Windows.
- Download the Velero version appropriate for your version of OADP, according to the table that follows:
Table 4.2. OADP-Velero version relationship
| OADP version | Velero version |
|---|---|
| 0.2.6 | 1.6.0 |
| 0.5.5 | 1.7.1 |
| 1.0.0 | 1.7.1 |
| 1.0.1 | 1.7.1 |
| 1.0.2 | 1.7.1 |
| 1.0.3 | 1.7.1 |
4.4.2. Accessing the Velero binary in the Velero deployment in the cluster
You can use a shell command to access the Velero binary in the Velero deployment in the cluster.
Prerequisites
- Your DataProtectionApplication custom resource has a status of Reconcile complete.
Procedure
Enter the following command to set the needed alias:
$ alias velero='oc -n openshift-adp exec deployment/velero -c velero -it -- ./velero'
4.4.3. Debugging Velero resources with the OpenShift CLI tool
You can debug a failed backup or restore by checking Velero custom resources (CRs) and the
Velero
Velero CRs
Use the
oc describe
Backup
Restore
$ oc describe <velero_cr> <cr_name>
Velero pod logs
Use the
oc logs
Velero
$ oc logs pod/<velero>
Velero pod debug logs
You can specify the Velero log level in the
DataProtectionApplication
This option is available starting from OADP 1.0.3.
apiVersion: oadp.openshift.io/v1alpha1
kind: DataProtectionApplication
metadata:
  name: velero-sample
spec:
  configuration:
    velero:
      logLevel: warning
The following
logLevel
- trace
- debug
- info
- warning
- error
- fatal
- panic
It is recommended to use
debug
4.4.4. Debugging Velero resources with the Velero CLI tool
You can debug
Backup
Restore
The Velero CLI tool provides more detailed information than the OpenShift CLI tool.
Syntax
Use the
oc exec
$ oc -n openshift-adp exec deployment/velero -c velero -- ./velero \
<backup_restore_cr> <command> <cr_name>
Example
$ oc -n openshift-adp exec deployment/velero -c velero -- ./velero \
backup describe 0e44ae00-5dc3-11eb-9ca8-df7e5254778b-2d8ql
Help option
Use the
velero --help
$ oc -n openshift-adp exec deployment/velero -c velero -- ./velero \
--help
Describe command
Use the
velero describe
Backup
Restore
$ oc -n openshift-adp exec deployment/velero -c velero -- ./velero \
<backup_restore_cr> describe <cr_name>
Example
$ oc -n openshift-adp exec deployment/velero -c velero -- ./velero \
backup describe 0e44ae00-5dc3-11eb-9ca8-df7e5254778b-2d8ql
Logs command
Use the
velero logs
Backup
Restore
$ oc -n openshift-adp exec deployment/velero -c velero -- ./velero \
<backup_restore_cr> logs <cr_name>
Example
$ oc -n openshift-adp exec deployment/velero -c velero -- ./velero \
restore logs ccc7c2d0-6017-11eb-afab-85d0007f5a19-x4lbf
4.4.5. Installation issues
You might encounter issues caused by using invalid directories or incorrect credentials when you install the Data Protection Application.
4.4.5.1. Backup storage contains invalid directories
The
Velero
Backup storage contains invalid top-level directories
Cause
The object storage contains top-level directories that are not Velero directories.
Solution
If the object storage is not dedicated to Velero, you must specify a prefix for the bucket by setting the
spec.backupLocations.velero.objectStorage.prefix
DataProtectionApplication
4.4.5.2. Incorrect AWS credentials
The
oadp-aws-registry
InvalidAccessKeyId: The AWS Access Key Id you provided does not exist in our records.
The
Velero
NoCredentialProviders: no valid providers in chain
Cause
The
credentials-velero
Secret
Solution
Ensure that the
credentials-velero
Example credentials-velero file
[default]
aws_access_key_id=AKIAIOSFODNN7EXAMPLE
aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
4.4.6. Backup and Restore CR issues
You might encounter these common issues with
Backup
Restore
4.4.6.1. Backup CR cannot retrieve volume
The
Backup
InvalidVolume.NotFound: The volume ‘vol-xxxx’ does not exist
Cause
The persistent volume (PV) and the snapshot locations are in different regions.
Solution
- Edit the value of the spec.snapshotLocations.velero.config.region key in the DataProtectionApplication manifest so that the snapshot location is in the same region as the PV.
- Create a new Backup CR.
4.4.6.2. Backup CR status remains in progress
The status of a
Backup
InProgress
Cause
If a backup is interrupted, it cannot be resumed.
Solution
- Retrieve the details of the Backup CR:
$ oc -n {namespace} exec deployment/velero -c velero -- ./velero \
  backup describe <backup>
- Delete the Backup CR:
$ oc delete backup <backup> -n openshift-adp
You do not need to clean up the backup location because a Backup CR in progress has not uploaded files to object storage.
- Create a new Backup CR.
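The phase checks used in the verification steps on this page, and the stuck InProgress case described above, can be combined into one polling helper with a deadline. This is an added example for Backup and Restore CRs, not part of OADP or Velero; the function names and the OADP_NAMESPACE variable are assumptions, and FailedValidation is a Velero phase that this page does not mention.

```sh
#!/bin/sh
# Added example: wait for a Velero Backup or Restore CR to reach a final phase.

# get_phase KIND NAME
# Same oc query as the verification steps on this page. OADP_NAMESPACE is an
# assumed override variable; it defaults to openshift-adp.
get_phase() {
    oc get "$1" -n "${OADP_NAMESPACE:-openshift-adp}" "$2" \
        -o jsonpath='{.status.phase}'
}

# phase_verdict PHASE
# 0 = Completed, 1 = finished unsuccessfully, 2 = not finished yet.
phase_verdict() {
    case "$1" in
        Completed) return 0 ;;
        PartiallyFailed|Failed|FailedValidation) return 1 ;;
        *) return 2 ;;  # empty, New, InProgress or anything unrecognised
    esac
}

# wait_for_phase KIND NAME [TIMEOUT_SECONDS] [POLL_SECONDS]
# Returns the phase_verdict code; 2 means the timeout expired first. An
# interrupted backup never leaves InProgress, so a timeout is the signal to
# describe the CR, delete it and create a new one.
wait_for_phase() {
    wfp_timeout=${3:-1800}
    wfp_poll=${4:-10}
    wfp_waited=0
    while :; do
        wfp_phase=$(get_phase "$1" "$2" 2>/dev/null) || wfp_phase=""
        wfp_code=0
        phase_verdict "$wfp_phase" || wfp_code=$?
        case "$wfp_code" in
            0) echo "$1/$2: Completed"
               return 0 ;;
            1) echo "$1/$2: $wfp_phase, check 'velero $1 describe $2' and 'velero $1 logs $2'"
               return 1 ;;
        esac
        if [ "$wfp_waited" -ge "$wfp_timeout" ]; then
            echo "$1/$2: still '${wfp_phase:-unknown}' after ${wfp_timeout}s"
            return 2
        fi
        sleep "$wfp_poll"
        wfp_waited=$((wfp_waited + wfp_poll))
    done
}

# Constructed demo in a subshell: get_phase is stubbed, so no cluster is needed.
(
    get_phase() { echo "PartiallyFailed"; }
    wait_for_phase restore constructed-demo 5 1 || true
)
```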
4.4.7. Restic issues
You might encounter these issues when you back up applications with Restic.
4.4.7.1. Restic permission error for NFS data volumes with root_squash enabled
The
Restic
controller=pod-volume-backup error="fork/exec/usr/bin/restic: permission denied"
Cause
If your NFS data volumes have
root_squash
Restic
nfsnobody
Solution
You can resolve this issue by creating a supplemental group for
Restic
DataProtectionApplication
- Create a supplemental group for Restic on the NFS data volume.
- Set the setgid bit on the NFS directories so that group ownership is inherited.
- Add the spec.configuration.restic.supplementalGroups parameter and the group ID to the DataProtectionApplication manifest, as in the following example:
spec:
  configuration:
    restic:
      enable: true
      supplementalGroups:
        - <group_id> # (1)
(1) Specify the supplemental group ID.
- Wait for the Restic pods to restart so that the changes are applied.
4.4.7.2. Restore CR of Restic backup is "PartiallyFailed", "Failed", or remains "InProgress"
The
Restore
PartiallyFailed
Failed
InProgress
If the status is
PartiallyFailed
Failed
Velero
level=error msg="unable to successfully complete restic restores of pod’s volumes"
If the status is
InProgress
Restore
Restic
Cause
The
DeploymentConfig
Restore
Restore
Solution
- Create a Restore CR that excludes the ReplicationController, DeploymentConfig, and TemplateInstances resources:
$ velero restore create --from-backup=<backup> -n openshift-adp \
  --include-namespaces <namespace> \
  --exclude-resources replicationcontroller,deploymentconfig,templateinstances.template.openshift.io \
  --restore-volumes=true
- Verify that the status of the Restore CR is Completed:
$ oc get restore -n openshift-adp <restore> -o jsonpath='{.status.phase}'
- Create a Restore CR that includes the ReplicationController and DeploymentConfig resources:
$ velero restore create --from-backup=<backup> -n openshift-adp \
  --include-namespaces <namespace> \
  --include-resources replicationcontroller,deploymentconfig \
  --restore-volumes=true
- Verify that the status of the Restore CR is Completed:
$ oc get restore -n openshift-adp <restore> -o jsonpath='{.status.phase}'
- Verify that the backup resources have been restored:
$ oc get all -n <namespace>
4.4.7.3. Restic Backup CR cannot be recreated after bucket is emptied
If you create a Restic
Backup
Backup
Backup
The
velero
msg="Error checking repository for stale locks"
Cause
Velero does not create the Restic repository from the
ResticRepository
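The error messages quoted in sections 4.4.5 to 4.4.7 can be matched mechanically against collected pod logs. The following script is an added example, not part of OADP or Velero: it maps each documented message to its section and a one-line hint and counts occurrences. The function names and the sample log lines are constructed; only the matched error texts come from this page.

```sh
#!/bin/sh
# Added example: map known error messages in Velero/Restic logs to this page.

# match_issue LINE
# Print "SECTION|hint" for a message documented on this page; return 1 otherwise.
match_issue() {
    case "$1" in
        *"Backup storage contains invalid top-level directories"*)
            echo "4.4.5.1|bucket is shared: set spec.backupLocations.velero.objectStorage.prefix" ;;
        *InvalidAccessKeyId*|*NoCredentialProviders*)
            echo "4.4.5.2|compare the credentials-velero file with the example format" ;;
        *InvalidVolume.NotFound*)
            echo "4.4.6.1|PV and snapshot location regions differ: fix spec.snapshotLocations.velero.config.region" ;;
        *"restic: permission denied"*)
            echo "4.4.7.1|NFS root_squash: add spec.configuration.restic.supplementalGroups" ;;
        *"unable to successfully complete restic restores"*)
            echo "4.4.7.2|restore in two passes, excluding then including replicationcontroller,deploymentconfig" ;;
        *"Error checking repository for stale locks"*)
            echo "4.4.7.3|Restic repository is not recreated after the bucket was emptied" ;;
        *) return 1 ;;
    esac
}

# triage_log
# Read log lines on stdin; print "COUNT SECTION|hint" once per issue found.
triage_log() {
    while IFS= read -r tl_line || [ -n "$tl_line" ]; do
        match_issue "$tl_line" || true
    done | sort | uniq -c | sed 's/^ *//'
}

# sample_log: constructed log lines. Only the error texts come from this
# page; timestamps, field layout and the info line are made up.
sample_log() {
    cat <<'EOF'
time="2022-01-01T10:00:00Z" level=error msg="Backup storage contains invalid top-level directories"
time="2022-01-01T10:00:05Z" level=error msg="InvalidAccessKeyId: The AWS Access Key Id you provided does not exist in our records."
time="2022-01-01T10:00:06Z" level=error msg="NoCredentialProviders: no valid providers in chain"
time="2022-01-01T10:01:00Z" level=info msg="Backup completed"
time="2022-01-01T10:02:00Z" level=error msg="InvalidVolume.NotFound: The volume 'vol-xxxx' does not exist"
time="2022-01-01T10:03:00Z" level=error controller=pod-volume-backup error="fork/exec/usr/bin/restic: permission denied"
time="2022-01-01T10:04:00Z" level=error msg="unable to successfully complete restic restores of pod's volumes"
time="2022-01-01T10:05:00Z" level=error msg="Error checking repository for stale locks"
EOF
}

sample_log | triage_log
```

To run it against a live cluster, pipe the output of the oc logs command from section 4.4.3 into triage_log instead of sample_log.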
4.4.8. Using the must-gather tool
You can collect logs, metrics, and information about OADP custom resources by using the
must-gather
The
must-gather
You can run the
must-gather
- Full must-gather data collection collects Prometheus metrics, pod logs, and Velero CR information for all namespaces where the OADP Operator is installed.
- Essential must-gather data collection collects pod logs and Velero CR information for a specific duration of time, for example, one hour or 24 hours. Prometheus metrics and duplicate logs are not included.
- must-gather data collection with timeout. Data collection can take a long time if there are many failed Backup CRs. You can improve performance by setting a timeout value.
- Prometheus metrics data dump downloads an archive file containing the metrics data collected by Prometheus.
Prerequisites
- You must be logged in to the OpenShift Container Platform cluster as a user with the cluster-admin role.
- You must have the OpenShift CLI (oc) installed.
Procedure
- Navigate to the directory where you want to store the must-gather data.
- Run the oc adm must-gather command for one of the following data collection options:
  - Full must-gather data collection, including Prometheus metrics:
$ oc adm must-gather --image=registry.redhat.io/oadp/oadp-mustgather-rhel8:v1.0
The data is saved as must-gather/must-gather.tar.gz. You can upload this file to a support case on the Red Hat Customer Portal.
  - Essential must-gather data collection, without Prometheus metrics, for a specific time duration:
$ oc adm must-gather --image=registry.redhat.io/oadp/oadp-mustgather-rhel8:v1.0 \
  -- /usr/bin/gather_<time>_essential # (1)
(1) Specify the time in hours. Allowed values are 1h, 6h, 24h, 72h, or all, for example, gather_1h_essential or gather_all_essential.
  - must-gather data collection with timeout:
$ oc adm must-gather --image=registry.redhat.io/oadp/oadp-mustgather-rhel8:v1.0 \
  -- /usr/bin/gather_with_timeout <timeout> # (1)
(1) Specify a timeout value in seconds.
  - Prometheus metrics data dump:
$ oc adm must-gather --image=registry.redhat.io/oadp/oadp-mustgather-rhel8:v1.0 \
  -- /usr/bin/gather_metrics_dump
This operation can take a long time. The data is saved as must-gather/metrics/prom_data.tar.gz.
Viewing metrics data with the Prometheus console
You can view the metrics data with the Prometheus console.
Procedure
- Decompress the prom_data.tar.gz file:
$ tar -xvzf must-gather/metrics/prom_data.tar.gz
- Create a local Prometheus instance:
$ make prometheus-run
The command outputs the Prometheus URL.
Output
Started Prometheus on http://localhost:9090
- Launch a web browser and navigate to the URL to view the data by using the Prometheus web console.
- After you have viewed the data, delete the Prometheus instance and data:
$ make prometheus-cleanup