Manually installing and configuring the OpenShift API for Data Protection backup and restore utility for use with Portworx asynchronous data replication

If the OpenShift API for Data Protection (OADP) operator is already installed on your cluster, or if you use object storage that is not S3-compatible or does not use an S3 style path, you can manually install and configure OADP for use with Portworx asynchronous data replication.

Installation phase
  • You are not here. Setting up a client workstation
  • You are not here. Setting up a cluster
  • You are not here. Collecting required information
  • You are not here. Preparing to run installs in a restricted network
  • You are not here. Preparing to run installs from a private container registry
  • You are here icon. Preparing the cluster for IBM Software Hub
  • You are not here. Preparing to install an instance of IBM Software Hub
  • You are not here. Installing an instance of IBM Software Hub
  • You are not here. Setting up the control plane
  • You are not here. Installing solutions and services
Who needs to complete this task?

Cluster administrator A cluster administrator must complete this task.

When do you need to complete this task?
Complete this task if any of the following statements are true:
  • The OADP operator is already installed on your cluster.
  • You use object storage that is not S3-compatible.
  • You use object storage that does not use an S3 style path.

Icon representing back up and restore Restore If you plan to restore IBM Software Hub to a different cluster, you must also complete this task on the target cluster.

Before you begin

You must have object storage set up before you complete this task. For more information, see Setting up S3-compatible object storage for backups.

Best practice: You can run the commands in this task exactly as written if you set up environment variables. For instructions, see Setting up installation environment variables.

Ensure that you source the environment variables before you run the commands in this task.

About this task

If you plan to use Portworx asynchronous data replication, you must install the OADP operator and configure a Data Protection Application to connect to your S3-compatible object storage.

Procedure

  1. Log in to Red Hat® OpenShift Container Platform as a cluster administrator. 
    ${OC_LOGIN}
    Remember: OC_LOGIN is an alias for the oc login command.
  2. If you are using Portworx Enterprise Version 3.3 or later:
    1. Pin the Stork Version to 23.7.3: 
      oc patch storagecluster  -n ${PROJECT_PX_ADMIN_NS} \
$(oc get storagecluster -n ${PROJECT_PX_ADMIN_NS} \
--no-headers | awk '{print $1}' | head -1) \
--type merge \
--patch '{"spec": {"stork": {"image": "docker.io/openstorage/stork:23.7.3"}}}'
    2. Give the kube-system:stork service account the edit cluster role: 
      oc adm policy add-cluster-role-to-user edit \
system:serviceaccount:kube-system:stork
  3. If the OADP operator is not installed, create the project where you plan to install the OADP operator: 
    oc new-project ${OADP_PROJECT}
  4. Annotate the OADP project: 
    oc annotate namespace ${OADP_PROJECT} openshift.io/node-selector=""

    The annotation ensure that Kopia pods can be scheduled on all nodes

  5. If the OADP operator is not installed, install it.
    For more information, see Installing OADP:
  6. Configure the OADP operator.
    For more information, see Configuring OADP with AWS S3 compatible storage:
  7. Install and configure the Data Protection Application (DPA) custom resource.

    The YAML file in the following oc apply command shows the recommended DPA configuration.

    Review the following guidance to determine if you need to adjust the contents of the YAML file before you run the command:

    • If you use Amazon S3 object storage, you can remove the s3ForcePathStyle: "true" entry from the spec.backupLocations.velero.config section.
    • If you want to connect to your object storage natively, rather than by using S3 protocols, update the provider: aws entry in the spec.backupLocations.velero section. For more information about supported providers, see the OADP Application backup and restore section in the Red Hat OpenShift Container Platform documentation.
    • If you want to run offline backups, remove the csi entry from the spec.configuration.velero.defaultPlugins section.
    • If your object store uses a self-signed certificate, add the caCert entry to the spec.backupLocations.velero.objectStorage section. For example:
              objectStorage:
          bucket: ${BUCKET_NAME}
          prefix: ${BUCKET_PREFIX}
          caCert: <base64-encoded-certificate-string>
    cat << EOF | oc apply -f -
apiVersion: oadp.openshift.io/v1alpha1
kind: DataProtectionApplication
metadata:
  name: dpa-sample
  namespace: ${OADP_PROJECT}
spec:
  backupImages: false
  backupLocations:
    - velero:                            
        accessMode: ReadWrite
        config:
          region: ${REGION}
          s3ForcePathStyle: "true"       # Remove this line if you use AWS S3 object storage. 
          s3Url: ${S3_URL}
        credential:
          key: ${ACCESS_KEY_ID}
          name: ${SECRET_ACCESS_KEY}
        default: true
        objectStorage:
          bucket: ${BUCKET_NAME}
          prefix: ${BUCKET_PREFIX}
        provider: aws
  configuration:
    nodeAgent:
      enable: true
      podConfig:
        resourceAllocations:
          limits:
            cpu: "${NODE_AGENT_POD_CPU_LIMIT}"
            memory: 32Gi
          requests:
            cpu: 500m
            memory: 256Mi
        tolerations:
        - effect: NoSchedule
          key: icp4data
          operator: Exists
      timeout: 72h
      uploaderType: kopia
      defaultPlugins:
      - aws
      - openshift
      - csi                               
    velero:
      customPlugins:
      - image: icr.io/cpopen/cpfs/cpfs-oadp-plugins:latest
        name: cpfs-oadp-plugin
      - image: icr.io/cpopen/cpd/cpdbr-velero-plugin:${VERSION}
        name: cpdbr-velero-plugin
      - image: icr.io/cpopen/cpd/swhub-velero-plugin:${VERSION}
        name: swhub-velero-plugin
      - image: icr.io/db2u/db2u-velero-plugin:${VERSION}
        name: db2u-velero-plugin
      defaultPlugins:
      - aws
      - openshift
      - csi
      podConfig:
        resourceAllocations:
          limits:
            cpu: "${KOPIA_POD_CPU_LIMIT}"
            memory: 4Gi
          requests:
            cpu: 500m
            memory: 256Mi
      resourceTimeout: 60m
EOF
    • If node agent backups or restores fail (indicated by pod volume timeout errors in the Kopia log), increase the node agent timeout (spec.configuration.nodeAgent.timeout). The default value is 72 hours (72h).
    • If node agent volume backups fail or hang on large volumes (indicated by node agent pod containers restarting due to an OOMKilled error), increase the node agent memory limit (spec.configuration.nodeAgent.podConfig.resourceAllocations.limits.memory). The default value is 32 gibibytes (32Gi)
  8. Confirm that the velero and node-agent pods are running in the ${OADP_PROJECT} project: 
    oc get pods \
-n ${OADP_PROJECT}

    The node-agent DaemonSet creates one node-agent pod for each worker node in the cluster. For example, on a cluster with 9 nodes, ensure that there are 9 node-agent pods:

    NAME                                                    READY   STATUS    RESTARTS   AGE
openshift-adp-controller-manager-678f6998bf-fnv8p       2/2     Running   0          55m
node-agent-455wd                                        1/1     Running   0          49m
node-agent-5g4n8                                        1/1     Running   0          49m
node-agent-6z9v2                                        1/1     Running   0          49m
node-agent-722x8                                        1/1     Running   0          49m
node-agent-c8qh4                                        1/1     Running   0          49m
node-agent-lcqqg                                        1/1     Running   0          49m
node-agent-v6gbj                                        1/1     Running   0          49m
node-agent-xb9j8                                        1/1     Running   0          49m
node-agent-zjngp                                        1/1     Running   0          49m
velero-7d847d5bb7-zm6vd                                 1/1     Running   0          49m
  9. Verify that the backup storage location PHASE is Available: 
    cpd-cli oadp backup-location list \
--namespace=${OADP_PROJECT}

    For example:

    NAME           PROVIDER    BUCKET             PREFIX              PHASE        LAST VALIDATED      ACCESS MODE
dpa-sample-1   aws         ${BUCKET_NAME}     ${BUCKET_PREFIX}    Available    <timestamp>

What to do next