×

You can install the OpenShift API for Data Protection (OADP) with OKD Virtualization by installing the OADP Operator and configuring a backup location. Then, you can install the Data Protection Application.

Back up and restore virtual machines by using the OpenShift API for Data Protection.

OpenShift API for Data Protection with OKD Virtualization supports the following backup and restore storage options:

  • Container Storage Interface (CSI) backups

  • Container Storage Interface (CSI) backups with DataMover

The following storage options are excluded:

  • File system backup and restore

  • Volume snapshot backups and restores

To install the OADP Operator in a restricted network environment, you must first disable the default OperatorHub sources and mirror the Operator catalog. See Using Operator Lifecycle Manager on restricted networks for details.

Installing and configuring OADP with OKD Virtualization

As a cluster administrator, you install OADP by installing the OADP Operator.

The Operator installs Velero 1.14.

Prerequisites
  • Access to the cluster as a user with the cluster-admin role.

Procedure
  1. Install the OADP Operator according to the instructions for your storage provider.

  2. Install the Data Protection Application (DPA) with the kubevirt and openshift OADP plugins.

  3. Back up virtual machines by creating a Backup custom resource (CR).

    Red Hat support is limited to only the following options:

    • CSI backups

    • CSI backups with DataMover.

You restore the Backup CR by creating a Restore CR.

Installing the Data Protection Application

You install the Data Protection Application (DPA) by creating an instance of the DataProtectionApplication API.

Prerequisites
  • You must install the OADP Operator.

  • You must configure object storage as a backup location.

  • If you use snapshots to back up PVs, your cloud provider must support either a native snapshot API or Container Storage Interface (CSI) snapshots.

  • If the backup and snapshot locations use the same credentials, you must create a Secret with the default name, cloud-credentials.

    If you do not want to specify backup or snapshot locations during the installation, you can create a default Secret with an empty credentials-velero file. If there is no default Secret, the installation will fail.

Procedure
  1. Click OperatorsInstalled Operators and select the OADP Operator.

  2. Under Provided APIs, click Create instance in the DataProtectionApplication box.

  3. Click YAML View and update the parameters of the DataProtectionApplication manifest:

    apiVersion: oadp.openshift.io/v1alpha1
    kind: DataProtectionApplication
    metadata:
      name: <dpa_sample>
      namespace: openshift-adp (1)
    spec:
      configuration:
        velero:
          defaultPlugins:
            - kubevirt (2)
            - gcp (3)
            - csi (4)
            - openshift (5)
          resourceTimeout: 10m (6)
        nodeAgent: (7)
          enable: true (8)
          uploaderType: kopia (9)
          podConfig:
            nodeSelector: <node_selector> (10)
      backupLocations:
        - velero:
            provider: gcp (11)
            default: true
            credential:
              key: cloud
              name: <default_secret> (12)
            objectStorage:
              bucket: <bucket_name> (13)
              prefix: <prefix> (14)
    1 The default namespace for OADP is openshift-adp. The namespace is a variable and is configurable.
    2 The kubevirt plugin is mandatory for OKD Virtualization.
    3 Specify the plugin for the backup provider, for example, gcp, if it exists.
    4 The csi plugin is mandatory for backing up PVs with CSI snapshots. The csi plugin uses the Velero CSI beta snapshot APIs. You do not need to configure a snapshot location.
    5 The openshift plugin is mandatory.
    6 Specify how many minutes to wait for several Velero resources before timeout occurs, such as Velero CRD availability, volumeSnapshot deletion, and backup repository availability. The default is 10m.
    7 The administrative agent that routes the administrative requests to servers.
    8 Set this value to true if you want to enable nodeAgent and perform File System Backup.
    9 Enter kopia as your uploader to use the Built-in DataMover. The nodeAgent deploys a daemon set, which means that the nodeAgent pods run on each working node. You can configure File System Backup by adding spec.defaultVolumesToFsBackup: true to the Backup CR.
    10 Specify the nodes on which Kopia are available. By default, Kopia runs on all nodes.
    11 Specify the backup provider.
    12 Specify the correct default name for the Secret, for example, cloud-credentials-gcp, if you use a default plugin for the backup provider. If specifying a custom name, then the custom name is used for the backup location. If you do not specify a Secret name, the default name is used.
    13 Specify a bucket as the backup storage location. If the bucket is not a dedicated bucket for Velero backups, you must specify a prefix.
    14 Specify a prefix for Velero backups, for example, velero, if the bucket is used for multiple purposes.
  4. Click Create.

Verification
  1. Verify the installation by viewing the OpenShift API for Data Protection (OADP) resources by running the following command:

    $ oc get all -n openshift-adp
    Example output
    NAME                                                     READY   STATUS    RESTARTS   AGE
    pod/oadp-operator-controller-manager-67d9494d47-6l8z8    2/2     Running   0          2m8s
    pod/node-agent-9cq4q                                     1/1     Running   0          94s
    pod/node-agent-m4lts                                     1/1     Running   0          94s
    pod/node-agent-pv4kr                                     1/1     Running   0          95s
    pod/velero-588db7f655-n842v                              1/1     Running   0          95s
    
    NAME                                                       TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)    AGE
    service/oadp-operator-controller-manager-metrics-service   ClusterIP   172.30.70.140    <none>        8443/TCP   2m8s
    service/openshift-adp-velero-metrics-svc                   ClusterIP   172.30.10.0      <none>        8085/TCP   8h
    
    NAME                        DESIRED   CURRENT   READY   UP-TO-DATE   AVAILABLE   NODE SELECTOR   AGE
    daemonset.apps/node-agent    3         3         3       3            3           <none>          96s
    
    NAME                                                READY   UP-TO-DATE   AVAILABLE   AGE
    deployment.apps/oadp-operator-controller-manager    1/1     1            1           2m9s
    deployment.apps/velero                              1/1     1            1           96s
    
    NAME                                                           DESIRED   CURRENT   READY   AGE
    replicaset.apps/oadp-operator-controller-manager-67d9494d47    1         1         1       2m9s
    replicaset.apps/velero-588db7f655                              1         1         1       96s
  2. Verify that the DataProtectionApplication (DPA) is reconciled by running the following command:

    $ oc get dpa dpa-sample -n openshift-adp -o jsonpath='{.status}'
    Example output
    {"conditions":[{"lastTransitionTime":"2023-10-27T01:23:57Z","message":"Reconcile complete","reason":"Complete","status":"True","type":"Reconciled"}]}
  3. Verify the type is set to Reconciled.

  4. Verify the backup storage location and confirm that the PHASE is Available by running the following command:

    $ oc get backupStorageLocation -n openshift-adp
    Example output
    NAME           PHASE       LAST VALIDATED   AGE     DEFAULT
    dpa-sample-1   Available   1s               3d16h   true

If you run a backup of a Microsoft Windows virtual machine (VM) immediately after the VM reboots, the backup might fail with a PartiallyFailed error. This is because, immediately after a VM boots, the Microsoft Windows Volume Shadow Copy Service (VSS) and Guest Agent (GA) service are not ready. The VSS and GA service being unready causes the backup to fail. In such a case, retry the backup a few minutes after the VM boots.

Configuring the DPA with client burst and QPS settings

The burst setting determines how many requests can be sent to the velero server before the limit is applied. After the burst limit is reached, the queries per second (QPS) setting determines how many additional requests can be sent per second.

You can set the burst and QPS values of the velero server by configuring the Data Protection Application (DPA) with the burst and QPS values. You can use the dpa.configuration.velero.client-burst and dpa.configuration.velero.client-qps fields of the DPA to set the burst and QPS values.

Prerequisites
  • You have installed the OADP Operator.

Procedure
  • Configure the client-burst and the client-qps fields in the DPA as shown in the following example:

    Example Data Protection Application
    apiVersion: oadp.openshift.io/v1alpha1
    kind: DataProtectionApplication
    metadata:
      name: test-dpa
      namespace: openshift-adp
    spec:
      backupLocations:
        - name: default
          velero:
            config:
              insecureSkipTLSVerify: "true"
              profile: "default"
              region: <bucket_region>
              s3ForcePathStyle: "true"
              s3Url: <bucket_url>
            credential:
              key: cloud
              name: cloud-credentials
            default: true
            objectStorage:
              bucket: <bucket_name>
              prefix: velero
            provider: aws
      configuration:
        nodeAgent:
          enable: true
          uploaderType: restic
        velero:
          client-burst: 500 (1)
          client-qps: 300 (2)
          defaultPlugins:
            - openshift
            - aws
            - kubevirt
    1 Specify the client-burst value. In this example, the client-burst field is set to 500.
    2 Specify the client-qps value. In this example, the client-qps field is set to 300.

Configuring node agents and node labels

The DPA of OADP uses the nodeSelector field to select which nodes can run the node agent. The nodeSelector field is the simplest recommended form of node selection constraint.

Any label specified must match the labels on each node.

The correct way to run the node agent on any node you choose is for you to label the nodes with a custom label:

$ oc label node/<node_name> node-role.kubernetes.io/nodeAgent=""

Use the same custom label in the DPA.spec.configuration.nodeAgent.podConfig.nodeSelector, which you used for labeling nodes. For example:

configuration:
  nodeAgent:
    enable: true
    podConfig:
      nodeSelector:
        node-role.kubernetes.io/nodeAgent: ""

The following example is an anti-pattern of nodeSelector and does not work unless both labels, 'node-role.kubernetes.io/infra: ""' and 'node-role.kubernetes.io/worker: ""', are on the node:

    configuration:
      nodeAgent:
        enable: true
        podConfig:
          nodeSelector:
            node-role.kubernetes.io/infra: ""
            node-role.kubernetes.io/worker: ""

About incremental back up support

OADP supports incremental backups of block and Filesystem persistent volumes for both containerized, and OKD Virtualization workloads. The following table summarizes the support for File System Backup (FSB), Container Storage Interface (CSI), and CSI Data Mover:

Table 1. OADP backup support matrix for containerized workloads
Volume mode FSB - Restic FSB - Kopia CSI CSI Data Mover

Filesystem

S [1], I [2]

S [1], I [2]

S [1]

S [1], I [2]

Block

N [3]

N [3]

S [1]

S [1], I [2]

Table 2. OADP backup support matrix for OKD Virtualization workloads
Volume mode FSB - Restic FSB - Kopia CSI CSI Data Mover

Filesystem

N [3]

N [3]

S [1]

S [1], I [2]

Block

N [3]

N [3]

S [1]

S [1], I [2]

  1. Backup supported

  2. Incremental backup supported

  3. Not supported

The CSI Data Mover backups use Kopia regardless of uploaderType.

Red Hat only supports the combination of OADP versions 1.3.0 and later, and OKD Virtualization versions 4.14 and later.

OADP versions before 1.3.0 are not supported for back up and restore of OKD Virtualization.