Veritas NetBackup™ for OpenStack Administrator's Guide

Last Published:
Product(s): NetBackup (8.2)

Adding OpenStack credentials in NetBackup

To establish a seamless communication between OpenStack and NetBackup for backup and restore operations, you must add and update OpenStack credentials in the NetBackup master server.

You need to first create a credentials file for storing the Keystone and project information. This file is used as an input when you run the tpconfig command to add credentials in NetBackup master server.

You can use the following backup host deployment models to protect OpenStack:

For more information, See Managing backup hosts.

The credential file differs based on the backup host deployment model.

Local admin backup host deployment

In this deployment model, backup hosts are deployed for each tenant or project.

To create a credentials file for storing and entering Keystone and project information

  1. Login to the NetBackup master server.
  2. On the OpenStack server, use the following steps to get the information that you need to create the credential file:
    • cat ~/keystonerc_admin

      unset OS_SERVICE_TOKEN
      export OS_USERNAME=admin1
      export OS_PASSWORD='aae1113cd1482a'
      export OS_REGION_NAME=RegionOne
      export OS_AUTH_URL=http://10.217.34.248:5000/v3 
      export PS1='[\u@\h \W(keystone_admin)]\$ '
      export OS_PROJECT_NAME=admin
      export OS_USER_DOMAIN_NAME=Default
      export OS_PROJECT_DOMAIN_NAME=Default
      export OS_IDENTITY_API_VERSION=3
      
    • You required the following variables:

      • OS_USERNAME

      • OS_PASSWORD

      • OS_USER_DOMAIN_NAME

      • OS_AUTH_URL

      • OS_PROJECT_NAME

      • OS_PROJECT_DOMAIN_NAME

      • ProjectUUID

        For ProjectUUID: openstack project list | grep OS_PROJECT_NAME | awk '{print $2}'

        The output will be ProjectUUID of the PROJECT.

      • IPAddress

        Get IP Address of the OpenStack Controller Node. The IP address is used in credential file and in policy as name of client.

      • EndPoint

        This value is required for communication. EndPoint examples are internal, public, admin.

    • Sample credential file format for local admin backup host deployment:

      {
      "IPAddress_management_interface":"EndPoint",
      "IPAddress_volume_api_version":"3",
      "IPAddress_ep_keystone":"OS_AUTH_URL",
      "IPAddress_os_access_protocol":"http://",
      "IPAddress_domain_id":"OS_PROJECT_DOMAIN_NAME",
      "IPAddress_auth_sub_url":"auth/tokens", 
      "IPAddress_ProjectUUID ": {"keystone_user":"OS_USERNAME","keystone_password":"OS_PASSWORD","keystone_user_domain_name":"OS_USER_DOMAIN_NAME", "project_domain_name":"OS_PROJECT_DOMAIN_NAME", "project_name":"OS_PROJECT_NAME","user_role":"member"},
      "IPAddress_admin": {"keystone_user":"OS_USERNAME","keystone_password":"OS_PASSWORD","keystone_user_domain_name":"OS_USER_DOMAIN_NAME", "project_domain_name":"OS_PROJECT_DOMAIN_NAME", "project_name":"OS_PROJECT_NAME","user_role":"member"} 
      }

      Sample values for the variables:

      IPAddress = 10.217.34.248
      EndPoint = internal
      ProjectUUID = 9c43b3b5d55c414497fb46f7141c604d
      OS_AUTH_URL = http://10.217.34.248:5000/v3
      OS_PROJECT_DOMAIN_NAME = Default
      OS_USERNAME = admin
      OS_PASSWORD = aaeaa1113cd1482a
      OS_USER_DOMAIN_NAME = Default
      OS_PROJECT_DOMAIN_NAME = Default

      Sample credential file using the sample values for local admin backup host deployment:

      {
      "10.217.34.248_management_interface":"internal",
      "10.217.34.248_volume_api_version":"3",
      "10.217.34.248_ep_keystone":"http://10.217.34.248:5000/v3",
      "10.217.34.248_os_access_protocol":"http://",
      "10.217.34.248_domain_id":"default",
      "10.217.34.248_auth_sub_url":"auth/tokens",
      "10.217.34.248_9c43b3b5d55c414497fb46f7141c604d": {"keystone_user":"admin","keystone_password":"aaeaa1113cd1482a","keystone_user_domain_name":"Default", "project_domain_name":"Default", "project_name":"admin"},
      "10.217.34.248_admin": {"keystone_user":"admin","keystone_password":"aaeaa1113cd1482a","keystone_user_domain_name":"Default", "project_domain_name":"Default", "project_name":"admin"}
      }
    • Add the credentials file in the /usr/openv/var/global folder on your NetBackup master server.

  3. Whitelist the file path of the creds file. Run the following command:

    bpsetconfig -h masterserver

    BPCD_WHITELIST_PATH = /usr/openv/var/global/

    For UNIX: <ctl-z>

    For Windows: <ctl-d>

    The BPCD_WHITELIST_PATH = install_dir\NetBackup\var\global\ entry is set in bp.conf file.

    Note:

    Whitelisting is not required for media server to be able to use as backup host.

Global admin backup host deployment

In this deployment model, all the backup hosts are part of a single tenant or project.

To create a credentials file for storing and entering Keystone and project information

  1. Login to the NetBackup master server.
  2. On the OpenStack server, use the following steps to get the information that you need to create the credential file:
    • You required the following variables:

      • OS_USERNAME

      • OS_PASSWORD

      • OS_PROJECT_NAME

      • OS_PROJECT_DOMAIN_NAME

      • ProjectUUID

        For ProjectUUID: openstack project list | grep OS_PROJECT_NAME | awk '{print $2}'

        The output will be ProjectUUID of the PROJECT.

      • IPAddress

        Get IP Address of the OpenStack Controller Node. The IP address is used in credential file and in policy as name of client.

    • Sample credential file format for local admin backup host deployment:

      {
      " IPAddress _g_backup_admin_name":"GA_USERNAME",
      " IPAddress _g_backup_admin_domain_name":"GA_PROJECT_DOMAIN_NAME",
      " IPAddress _g_backup_admin_password":"GA_PASSWORD ",
      " IPAddress _g_backup_admin_project_name":"GA_PROJECT_NAME",
      " IPAddress _g_backup_admin_project_id":"ProjectUUID ",
      " IPAddress _g_backup_admin_project_domain_name":"GA_PROJECT_DOMAIN_NAME ",
      
      "IPAddress_management_interface":"EndPoint",
      "IPAddress_volume_api_version":"3",
      "IPAddress_ep_keystone":"OS_AUTH_URL",
      "IPAddress_os_access_protocol":"http://",
      "IPAddress_domain_id":"OS_PROJECT_DOMAIN_NAME",
      "IPAddress_auth_sub_url":"auth/tokens", 
      "IPAddress_ProjectUUID ": {"keystone_user":"OS_USERNAME","keystone_password":"OS_PASSWORD","keystone_user_domain_name":"OS_USER_DOMAIN_NAME", "project_domain_name":"OS_PROJECT_DOMAIN_NAME", "project_name":"OS_PROJECT_NAME","user_role":"member"},
      "IPAddress_admin": {"keystone_user":"OS_USERNAME","keystone_password":"OS_PASSWORD","keystone_user_domain_name":"OS_USER_DOMAIN_NAME", "project_domain_name":"OS_PROJECT_DOMAIN_NAME", "project_name":"OS_PROJECT_NAME","user_role":"member"} 
      }
      

      Sample values for the variables:

      IPAddress = 10.217.34.248
      EndPoint = internal
      ProjectUUID = 9c43b3b5d55c414497fb46f7141c604d
      OS_AUTH_URL = http://10.217.34.248:5000/v3
      OS_PROJECT_DOMAIN_NAME = Default
      OS_USERNAME = admin
      OS_PASSWORD = aaeaa1113cd1482a
      OS_USER_DOMAIN_NAME = Default
      

      Sample credential file using the sample values for local admin backup host deployment:

      {
      "10.217.34.248_g_backup_admin_name":"admin",
      "10.217.34.248_g_backup_admin_domain_name":"Default",
      "10.217.34.248_g_backup_admin_password":"aaeaa1113cd1482a",
      "10.217.34.248_g_backup_admin_project_name":"admin",
      "10.217.34.248_g_backup_admin_project_id":"9a6de296541c4a62891dbea0b2aeed05",
      "10.217.34.248_g_backup_admin_project_domain_name":"Default",
      "10.217.34.248_management_interface":"internal",
      "10.217.34.248_volume_api_version":"3",
      "10.217.34.248_ep_keystone":"http://10.217.34.248:5000/v3",
      "10.217.34.248_os_access_protocol":"http://",
      "10.217.34.248_domain_id":"default",
      "10.217.34.248_auth_sub_url":"auth/tokens",
      "10.217.34.248_9a6de296541c4a62891dbea0b2aeed05": {"keystone_user":"admin","keystone_password":"aaeaa1113cd1482a","keystone_user_domain_name":"Default", "project_domain_name":"Default", "project_name":"admin", "backuptime_az":"nova"},
      "10.217.34.248_admin": {"keystone_user":"admin","keystone_password":"aaeaa1113cd1482a","keystone_user_domain_name":"Default", "project_domain_name":"Default", "project_name":"admin", "backuptime_az":"nova"},
      "10.217.34.248_12c3cbcaf92b4e13a8c3bb4f74efe513": {"keystone_user":"demo","keystone_password":"5a7499ff22f04729","keystone_user_domain_name":"Default", "project_domain_name":"Default", "project_name":"demo", "backuptime_az":"nova", "user_role":"member"},
      "10.217.34.248_demo": {"keystone_user":"demo","keystone_password":"5a7499ff22f04729","keystone_user_domain_name":"Default", "project_domain_name":"Default", "project_name":"demo", "backuptime_az":"nova", "user_role":"member"}
      }
      
    • Add the credentials file in the /usr/openv/var/global folder on your NetBackup master server.

  3. Whitelist the file path of the creds file. Run the following command:

    bpsetconfig -h masterserver

    BPCD_WHITELIST_PATH = /usr/openv/var/global/

    For UNIX: <ctl-z>

    For Windows: <ctl-d>

    The BPCD_WHITELIST_PATH = install_dir\NetBackup\var\global\ entry is set in bp.conf file.

    Note:

    Whitelisting is not required for media server to be able to use as backup host.

To add credentials in NetBackup

  1. Run tpconfig command from the following directory paths:

    On UNIX systems, /usr/openv/volmgr/bin/

    On Windows systems, install_path\Volmgr\bin\

  2. Run the ./tpconfig -add -application_server_user_id user ID -application_type openstack -application_server IP Address -password password -application_server_conf /path to creds file -requiredport Port Number

    Ensure that the host name of the backup host is the same as the display name of the backup host used in OpenStack.

  3. Run the tpconfig -dappservers command to verify if the NetBackup master server has the OpenStack credentials added.

    The following entry is added in the existing local admin entries when the credential file is added.

    "user_role":"admin"

    This entry is optional for admin users but required for non-admin users.

You can mix the two backup host deployment models and create a hybrid deployment model. In this hybrid model, you can have a global admin credentials in credential file and few tenants without member_role users. In that case, they will be admin of that project.

About the backup admin role

The backup administrator role lets the user run backup and restore jobs. Use this role to create a user who can be the backup administrator of a given tenant or project. You can also use this role to create users of the type global admin.

Note:

Backup admin is a recommended role but is not mandatory to protect OpenStack.