Velero Series (4): Production Migration in Practice with Velero

2022-12-12 12:01:05

Overview

Purpose

Using the velero tool, achieve the following overall goal:

  • Migrate a specific namespace between clusters B and A;

The concrete goals are:

  1. Install velero (including restic) on clusters B and A
  2. Back up a specific namespace on cluster B: caseycui2020:
    1. Back up resources, such as deployments, configmaps, etc.;
      1. Before the backup, exclude the yaml of specific secrets.
    2. Back up volume data (implemented with restic)
      1. Use the "opt-in" approach so that only specific pod volumes are backed up
  3. Migrate the specific namespace caseycui2020 to cluster A:
    1. Migrate resources: use include flags so that only specific resources are migrated;
    2. Migrate volume data (implemented with restic)

Installation

  1. Create a Velero-specific credentials file (credentials-velero) in your local directory:

    XSKY object storage is used here (the company's NetApp object storage is not compatible):

    [default]
    aws_access_key_id = xxxxxxxxxxxxxxxxxxxxxxxx
    aws_secret_access_key = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    
  2. (openshift) The namespace velero must be created first: oc new-project velero

  3. By default, user-created OpenShift namespaces do not schedule Pods on all nodes in the cluster.

    To schedule the namespace on all nodes, an annotation is required:

    oc annotate namespace velero openshift.io/node-selector=""
    

    This should be done before installing velero.

  4. Start the server and storage services. In the Velero directory, run:

    velero install \
        --provider aws \
        --plugins velero/velero-plugin-for-aws:v1.0.0 \
        --bucket velero \
        --secret-file ./credentials-velero \
        --use-restic \
        --use-volume-snapshots=true \
        --backup-location-config region="default",s3ForcePathStyle="true",s3Url="http://glacier.ewhisper.cn",insecureSkipTLSVerify="true",signatureVersion="4" \
        --snapshot-location-config region="default"
    

    The following objects are created:

    CustomResourceDefinition/backups.velero.io: attempting to create resource
    CustomResourceDefinition/backups.velero.io: created
    CustomResourceDefinition/backupstoragelocations.velero.io: attempting to create resource
    CustomResourceDefinition/backupstoragelocations.velero.io: created
    CustomResourceDefinition/deletebackuprequests.velero.io: attempting to create resource
    CustomResourceDefinition/deletebackuprequests.velero.io: created
    CustomResourceDefinition/downloadrequests.velero.io: attempting to create resource
    CustomResourceDefinition/downloadrequests.velero.io: created
    CustomResourceDefinition/podvolumebackups.velero.io: attempting to create resource
    CustomResourceDefinition/podvolumebackups.velero.io: created
    CustomResourceDefinition/podvolumerestores.velero.io: attempting to create resource
    CustomResourceDefinition/podvolumerestores.velero.io: created
    CustomResourceDefinition/resticrepositories.velero.io: attempting to create resource
    CustomResourceDefinition/resticrepositories.velero.io: created
    CustomResourceDefinition/restores.velero.io: attempting to create resource
    CustomResourceDefinition/restores.velero.io: created
    CustomResourceDefinition/schedules.velero.io: attempting to create resource
    CustomResourceDefinition/schedules.velero.io: created
    CustomResourceDefinition/serverstatusrequests.velero.io: attempting to create resource
    CustomResourceDefinition/serverstatusrequests.velero.io: created
    CustomResourceDefinition/volumesnapshotlocations.velero.io: attempting to create resource
    CustomResourceDefinition/volumesnapshotlocations.velero.io: created
    Waiting for resources to be ready in cluster...
    Namespace/velero: attempting to create resource
    Namespace/velero: created
    ClusterRoleBinding/velero: attempting to create resource
    ClusterRoleBinding/velero: created
    ServiceAccount/velero: attempting to create resource
    ServiceAccount/velero: created
    Secret/cloud-credentials: attempting to create resource
    Secret/cloud-credentials: created
    BackupStorageLocation/default: attempting to create resource
    BackupStorageLocation/default: created
    VolumeSnapshotLocation/default: attempting to create resource
    VolumeSnapshotLocation/default: created
    Deployment/velero: attempting to create resource
    Deployment/velero: created
    DaemonSet/restic: attempting to create resource
    DaemonSet/restic: created
    Velero is installed! ⛵ Use 'kubectl logs deployment/velero -n velero' to view the status.
    
  5. (openshift) Add the velero ServiceAccount to the privileged SCC:

    $ oc adm policy add-scc-to-user privileged -z velero -n velero
    
  6. (openshift) For OpenShift version >= 4.1, modify the DaemonSet yaml to request privileged mode:

    @@ -67,3 +67,5 @@ spec:
                  value: /credentials/cloud
                - name: VELERO_SCRATCH_DIR
                  value: /scratch
    +          securityContext:
    +            privileged: true
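Review bot: the two added lines are indented at container level (same depth as the `env` block of the restic container shown in the context lines), so `privileged: true` is granted to the restic container only and not to the whole pod; that is the narrower placement and should stay that way. Two things are missing from the hunk as shown: the `@@` header carries no file name, so note that it targets the restic DaemonSet manifest (the `oc patch ds/restic` alternative makes that explicit), and the change only works after step 5 has added the velero ServiceAccount to the privileged SCC, otherwise the re-created DaemonSet pods are rejected at admission.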
    

    Or:

    oc patch ds/restic \
      --namespace velero \
      --type json \
      -p '[{"op":"add","path":"/spec/template/spec/containers/0/securityContext","value": { "privileged": true}}]'
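Before running step 4, it is worth checking the two inputs that carry the most risk: the credentials-velero file (a static access key pair) and the `--backup-location-config` value, which in the install command above uses a plain `http://` endpoint together with `insecureSkipTLSVerify="true"`. The following pre-install check is an added example, not Velero's own code or the author's script: it parses the comma-separated `key="value"` list exactly as written in the install command, flags the weak transport settings, and inspects the credentials file for loose permissions, missing keys and the `xxxx` placeholder values shown in step 1. The finding codes and the sample credential contents are constructed for this example.

```python
"""Pre-install checks for Velero credentials and backup-location settings.

Added example (not Velero's own code). It inspects the credentials-velero
file and the value handed to --backup-location-config so that weak settings
are visible before `velero install` runs. Finding codes are our own naming.
"""
import configparser
import os
import stat
import tempfile

# Constructed placeholder content, mirroring the redacted file in the article.
PLACEHOLDER_CREDENTIALS = """[default]
aws_access_key_id = xxxxxxxxxxxxxxxxxxxxxxxx
aws_secret_access_key = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
"""

# Constructed sample with non-placeholder (fake) values.
SAMPLE_CREDENTIALS = """[default]
aws_access_key_id = AKIAEXAMPLE0000000001
aws_secret_access_key = example-secret-not-a-real-key-0000000000
"""

# The --backup-location-config value from the article's install command.
PAGE_LOCATION_CONFIG = (
    'region="default",s3ForcePathStyle="true",'
    's3Url="http://glacier.ewhisper.cn",insecureSkipTLSVerify="true",'
    'signatureVersion="4"'
)


def parse_location_config(value: str) -> dict:
    """Parse the comma-separated key="value" list that velero install accepts."""
    cfg = {}
    for item in value.split(","):
        key, sep, raw = item.strip().partition("=")
        if sep:
            cfg[key.strip()] = raw.strip().strip('"')
    return cfg


def check_credentials_file(path: str) -> list:
    """Return finding codes for a credentials file; an empty list means clean."""
    findings = []
    mode = os.stat(path).st_mode
    # The file holds a long-lived key pair: only the owner should read it.
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("CREDS_GROUP_OR_WORLD_ACCESSIBLE")
    parser = configparser.ConfigParser()
    parser.read(path)
    if "default" not in parser:
        findings.append("CREDS_NO_DEFAULT_PROFILE")
        return findings
    for key in ("aws_access_key_id", "aws_secret_access_key"):
        value = parser["default"].get(key, "")
        if not value:
            findings.append("CREDS_MISSING_" + key.upper())
        elif set(value) <= set("xX*"):  # redaction placeholder left in place
            findings.append("CREDS_PLACEHOLDER_" + key.upper())
    return findings


def check_location_config(value: str) -> list:
    """Return finding codes for the transport settings of the backup location."""
    cfg = parse_location_config(value)
    findings = []
    if cfg.get("s3Url", "").lower().startswith("http://"):
        findings.append("S3URL_PLAINTEXT_HTTP")
    if cfg.get("insecureSkipTLSVerify", "false").lower() == "true":
        findings.append("TLS_VERIFICATION_DISABLED")
    return findings


def write_and_check(content: str, mode: int) -> list:
    """Write content to a temporary file with the given mode and check it."""
    fd, path = tempfile.mkstemp(prefix="credentials-velero-")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(content)
        os.chmod(path, mode)
        return check_credentials_file(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print("placeholder file, 0644:", write_and_check(PLACEHOLDER_CREDENTIALS, 0o644))
    print("sample file, 0600:     ", write_and_check(SAMPLE_CREDENTIALS, 0o600))
    print("location config:       ", check_location_config(PAGE_LOCATION_CONFIG))
```

Run against the article's own settings, the location check reports both the plaintext endpoint and the disabled certificate verification; whether those are acceptable depends on whether the object store is reachable only over a trusted network, which is a decision to record rather than a default to inherit.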
    

Backup - Cluster B

Back up specific cluster-level resources

velero backup create <backup-name> --include-cluster-resources=true  --include-resources deployments,configmaps

View the backup

velero backup describe YOUR_BACKUP_NAME

Back up the specific namespace caseycui2020

Exclude specific resources

Resources labelled velero.io/exclude-from-backup=true are not included in the backup, even if they carry a label that matches the selector.

In this way, secrets and other resources that do not need to be backed up are excluded with the velero.io/exclude-from-backup=true label.

Some of the secrets excluded in this way are listed below:

builder-dockercfg-jbnzr
default-token-lshh8
pipeline-token-xt645
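The two backup commands in this section rely on three selection rules: `--include-resources` restricts the resource kinds, `--include-cluster-resources=true` admits cluster-scoped items, and the `velero.io/exclude-from-backup=true` label drops an individual item even when it would otherwise match. The following dry-run is an added example, not Velero's code: it applies those rules to a constructed inventory so that the exclusion of the three secrets listed above can be verified before the backup is created. The inventory, the `mark_excluded` helper (standing in for `kubectl label`) and the `leaked` check are all constructed here; Velero's real handling of `--include-cluster-resources` when the flag is left unset is more nuanced, and the simulation treats it as a plain boolean, which is all the article's commands need.

```python
"""Dry-run of Velero's backup item selection (added example, not Velero's code).

Rules applied: --include-resources restricts resource kinds, an explicit
--exclude-resources overrides it, --include-cluster-resources admits
cluster-scoped items, --include-namespaces restricts namespaced items, and an
item labelled velero.io/exclude-from-backup=true is always dropped. Velero's
"auto" mode for cluster resources is simplified to a plain boolean here.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Sequence

EXCLUDE_LABEL = "velero.io/exclude-from-backup"


@dataclass
class Item:
    kind: str                        # lower-case plural name, e.g. "secrets"
    name: str
    namespace: Optional[str] = None  # None marks a cluster-scoped resource
    labels: Dict[str, str] = field(default_factory=dict)


def mark_excluded(items: Sequence[Item], names: Sequence[str]) -> None:
    """Apply the opt-out label, as `kubectl label secret <name> velero.io/exclude-from-backup=true` would."""
    for it in items:
        if it.name in names:
            it.labels[EXCLUDE_LABEL] = "true"


def select_for_backup(
    items: Sequence[Item],
    include_namespaces: Sequence[str] = ("*",),
    include_resources: Sequence[str] = ("*",),
    exclude_resources: Sequence[str] = (),
    include_cluster_resources: bool = False,
    selector: Optional[Dict[str, str]] = None,
) -> List[Item]:
    """Return the items a backup created with these flags would contain."""
    chosen = []
    for it in items:
        # The per-item opt-out label beats every include rule and the selector.
        if it.labels.get(EXCLUDE_LABEL) == "true":
            continue
        # Resource-kind filter: an explicit exclude overrides an include.
        if it.kind in exclude_resources:
            continue
        if "*" not in include_resources and it.kind not in include_resources:
            continue
        # Scope filter: cluster-scoped items need the flag, namespaced items a matching namespace.
        if it.namespace is None:
            if not include_cluster_resources:
                continue
        elif "*" not in include_namespaces and it.namespace not in include_namespaces:
            continue
        # Optional equality label selector (the --selector flag).
        if selector and any(it.labels.get(k) != v for k, v in selector.items()):
            continue
        chosen.append(it)
    return chosen


def leaked(chosen: Sequence[Item], must_not_contain: Sequence[str]) -> List[str]:
    """Names from must_not_contain that still ended up in the selection."""
    present = {it.name for it in chosen}
    return [n for n in must_not_contain if n in present]


def names(items: Sequence[Item]) -> List[str]:
    return [it.name for it in items]


# The three secret names are the ones the article lists; everything else is constructed.
AUTO_SECRETS = ["builder-dockercfg-jbnzr", "default-token-lshh8", "pipeline-token-xt645"]


def fresh_inventory() -> List[Item]:
    """Constructed contents of namespace caseycui2020, another namespace and one cluster-scoped item."""
    return [
        Item("deployments", "web", "caseycui2020", {"app": "web"}),
        Item("configmaps", "web-config", "caseycui2020", {"app": "web"}),
        Item("secrets", "web-tls", "caseycui2020", {"app": "web"}),
        Item("secrets", "builder-dockercfg-jbnzr", "caseycui2020"),
        Item("secrets", "default-token-lshh8", "caseycui2020"),
        Item("secrets", "pipeline-token-xt645", "caseycui2020"),
        Item("persistentvolumeclaims", "web-data", "caseycui2020", {"app": "web"}),
        Item("deployments", "other", "other-ns"),
        Item("storageclasses", "standard"),
    ]


def demo_cluster_level_backup() -> List[str]:
    """--include-cluster-resources=true --include-resources deployments,configmaps"""
    chosen = select_for_backup(fresh_inventory(), include_resources=("deployments", "configmaps"),
                               include_cluster_resources=True)
    return names(chosen)


def demo_namespace_backup() -> List[str]:
    """--include-namespaces caseycui2020, after labelling the auto-generated secrets."""
    inv = fresh_inventory()
    mark_excluded(inv, AUTO_SECRETS)
    chosen = select_for_backup(inv, include_namespaces=("caseycui2020",))
    if leaked(chosen, AUTO_SECRETS):
        raise RuntimeError("excluded secrets would be backed up")
    return names(chosen)


if __name__ == "__main__":
    print("cluster-level:", demo_cluster_level_backup())
    print("namespace    :", demo_namespace_backup())
```

Two points fall out of the dry-run. The cluster-level command backs up deployments and configmaps from every namespace but still selects no cluster-scoped item, because `--include-resources` does not list any cluster-scoped kind; the flag only permits them, it does not add them. And once the three secrets carry the opt-out label they stay out of the namespace backup even when a `--selector` would match them, which is the behaviour the paragraph above describes.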

Back up Pod volumes with restic