Customers are rapidly modernizing their applications by containerizing them. These container applications may be currently deployed in VMware environments. However, customers can find themselves in a situation where some of the applications running on VMs cannot be containerized for various reasons (may be because it is a third-party application which does not have a containerized version). OpenShift Virtualization provides a great solution for them, where they can run their containerized applications, as well as their VMs, on the same OpenShift Cluster and use a single management tool to manage both the containers as well the VMs. The VMs in OpenShift Virtualization use the same container paradigm and persistent storage paradigm, making the skillsets reusable.

In a previous video, I showed how to migrate a VM from VMware to OpenShift Virtualization platform using the Migration Toolkit for Virtualization (MTV). When you migrate the VMs, the storage for the VMs in VMware are moved to volumes in ONTAP storage integrated with NetApp Astra Trident. In this blog, I will show you how to protect the VM metadata and its disk data in persistent volumes by backing up the VM to Object Storage and restoring it when needed.

OpenShift API for Data Protection (OADP) can be used to perform Backup and Restore of VMs. Red Hat OpenShift has leveraged the use of the open-source plugin Velero, integrated with CSI storage drivers and exposing the Velero APIs for easy backup and restore, disaster recovery, and migration of  Kubernetes cluster resources and persistent volumes.

In this blog, I will show you how to

1. install the OADP Operator
2. configure Velero for backing up to  ONTAP Object Storage
3. create a backup of a VM on-demand
4. Restore a VM from a backup
5. delete backups and restores

Here is the architecture for this demonstration:

Prerequisites:

For the example in this blog,

• I created an OCP cluster 4.14 and installed OpenShift Virtualization on it.
• I installed Astra Trident 24.02, created the Trident Backend object and the Storage class Object. I also created the VolumeSnapShotClass using Trident.
• I created a VM using the available RHEL 9 template in OpenShift Virtualization.
• To store the backups of the VMs, I configured Object Storage in ONTAP and created the user credentials with Access Key and Secret Access Key.

1. Installing OADP operator

Installing the OADP operator is quite straightforward. Simply look for the operator in the OperatorHub and select it. Keep all the defaults and click on Install. The operator is installed in openshift-adp namespace.

Before configuring the Velero plugin (default used by OADP operator for backups and restores), two other configurations need to be completed:

1. Create a secret for the S3 user credentials.
2. Enable CSI for Velero Snapshots and set deletion policy for the trident-snapshotclass to Retain.

a. Create a secret for the S3 user credentials

To create a secret from the web console, select Secrets, then click on Key/Value Secret. Provide the values for the credential name, key and the value as shown. Be sure to use the Access Key Id and Secret Access Key of your S3 user. Name the secret appropriately. In the sample below, a secret with ONTAP S3 user credentials named ontap-s3-credentials is created.

b. Enable CSI for Velero Snapshots

The Velero CSI plugins, to backup CSI backed PVCs, will choose the VolumeSnapshotClass in the cluster that has velero.io/csi-volumesnapshot-class label set on it. For this, you must

• have the trident-snapshotclass object created.
• edit the label of the trident-snapshotclass object and set it to
  velero.io/csi-volumesnapshot-class=true as shown below.
• ensure that the snapshots can persist even if the VolumeSnapshot objects are deleted. This can be done by setting the deletionPolicy to Retain. If not, deleting a namespace will completely lose all PVCs ever backed up in it.

  Ensure that the DataProtectionApplication is created and is in condition:Reconciled.

2. Configuring Velero for Backups

To configure Velero, select Installed Operators from the menu item under Operators, click on OADP operator, and then select the DataProtectionApplication tab. Click on Create DataProtectionApplication. In the form view, provide a name for the DataProtection Application or use the default name.

Here is a sample spec you can replace in the YAML view. ONTAP S3 (with its credentials and other access information as shown in the yaml) is configured as the default BackupLocation for velero. The backups will be stored in the folder velero/demobackup/.

DataProtectionApplication Custom Resource (CR) is created and is in condition:Reconciled. A corresponding BackupStorage location  will be  created as well and is in Available state.

3.  Creating an On-Demand Backup of a VM

If you want to backup a VM when it is in the Running state, then you must install the QEMU guest agent on that virtual machine. If you install the VM using an existing template, then QEMU agent is installed automatically. QEMU allows the guest agent to quiesce in-flight data in the guest OS during the snapshot process,  and avoid possible data corruption. If you do not have QEMU installed, you can stop the virtual machine before taking a backup.                  

To create an on-demand backup of the VM and its disks, click on Backup tab. This creates a Backup Custom Resource (CR). I have provided a sample yaml for the Backup CR. Using this yaml, a snapshot of the persistent volumes backing the disks will be created using the CSI. A backup of the VM along with the snapshot of its disks are stored in the backup location specified in the yaml. The backup will remain in the system for 30 days as specified in the ttl. Once the backup completes, its phase will show as completed. If you want to set additional parameters, review the  documentation.

You can inspect the backup in the Object storage with the help of an S3 browser application. The velero bucket contains the folder demobackup in which the backups are placed.

4. Restoring a VM 

To restore from the backup that you just created, you need to create a Restore Custom Resource (CR). You need to provide it a name, provide the name of the backup that you want to restore from and set the restorePVs to true, to restore its persistent disks. Additional parameters can be set as shown in the documentation. Click on Create button.

When the phase shows completed, you can see that the virtual machines have been restored to the state when the snapshot was taken. (If the backup was created with the VM in running state, restoring the VM from the backup will start the restored VM and bring it to a running state). The VM is restored to the same namespace.

5. Deleting the backups and restores

You can delete a Backup CR without deleting the Object Storage data by using the OC CLI tool.

oc delete backup <backup_CR_name> -n <velero_namespace>

If you want the delete the Backup CR and delete the associated object storage data, you can do so by using the Velero CLI tool. Download the CLI as given in the instructions in the Velero documentation.

Execute the following delete command using the Velero CLI

velero backup delete <backup_CR_name> -n <velero_namespace>

You can use OC command, UI, or the Velero CLI to delete the Restore CR.

oc delete backup <backup_CR_name> -n <velero_namespace>

velero restore delete restore --namespace openshift-adp

Summary:

In this blog you have seen a demonstration of how to install the OADP operator, configure Velero and perform a Backup and Restore of VMs in OpenShift Virtualization to ONTAP S3. For additional details about how to use NetApp StorageGRID S3 as the backupStorageLocation in Velero, how to create backups on a schedule, how to restore to a different namespace or to a different storage class, please refer to the NetApp Solutions documentation.