# Kopia repo configurations

## Official documentation

* kopia client: https://kopia.io/docs/reference/command-line/
* kopia common commands: https://kopia.io/docs/reference/command-line/common/
* kopia advanced commands: https://kopia.io/docs/reference/command-line/advanced/

### Executing kopia from OpenShift

Create a pod that pulls the oadp-1.3+ must-gather image:

```yaml=
apiVersion: v1
kind: Pod
metadata:
  name: oadp-mustgather-pod
  labels:
    purpose: user-interaction
spec:
  containers:
    - name: oadp-mustgather-container
      image: registry.redhat.io/oadp/oadp-mustgather-rhel9:v1.3
      command: ["sleep"]
      args: ["infinity"]
```

* NOTE: for kopia to connect with its defaults, the pod's SCC must be `anyuid`:

```
oc describe pod/oadp-mustgather-pod | grep scc
openshift.io/scc: anyuid
```

* Alternatively, one may set the cache directory to /tmp. See: https://kopia.io/docs/advanced/caching/

Now rsh into the running container :)

```
oc -n openshift-adp rsh pod/oadp-mustgather-pod
sh-5.1# which kopia
/usr/bin/kopia
sh-5.1# kopia --help
usage: kopia [<flags>] <command> [<args> ...]

Kopia - Fast And Secure Open-Source Backup

Flags:
      --[no-]help                     Show context-sensitive help (also try --help-long and --help-man).
      --[no-]version                  Show application version.
      --log-file=LOG-FILE             Override log file.
      --log-dir="/root/.cache/kopia"  Directory where log files should be written. ($KOPIA_LOG_DIR)
```

### Connecting to kopia repository using `kopia` CLI

Once the repository is created by Velero, it is possible to connect to it and run a number of benchmarks.

```shell=
export S3_BUCKET=<your bucket name>
export S3_REPOSITORY_PATH=<path without S3_BUCKET>  # requires a trailing slash /
export S3_ACCESS_KEY=<s3 access key>
export S3_SECRET_ACCESS_KEY=<s3 secret access key>

# Use static-passw0rd as it is hardcoded by Velero
kopia repository connect s3 \
    --bucket="$S3_BUCKET" \
    --prefix="$S3_REPOSITORY_PATH" \
    --access-key="$S3_ACCESS_KEY" \
    --secret-access-key="$S3_SECRET_ACCESS_KEY" \
    --password=static-passw0rd
```

* Example:

```
kopia repository connect s3 --bucket="$S3_BUCKET" --prefix="$S3_REPOSITORY_PATH" --access-key="$S3_ACCESS_KEY" --secret-access-key="$S3_SECRET_ACCESS_KEY" --password=static-passw0rd
```

```
kopia repository connect s3 --bucket cvpbucket2 --prefix "velero/kopia/mysql-persistent/" --access-key=AKIAV --secret-access-key=dfPi --password="static-passw0rd"
```

Once connected, get information about the kopia repository:

```shell=
kopia repository status
```

And run a number of benchmarks for the hashing, encryption and splitter algorithms:

```shell=
kopia benchmark hashing
kopia benchmark encryption
kopia benchmark splitter
```

## Examples

Example that presents the repository algorithms:

```shell=
$ kopia repository status
[...]
Hash: BLAKE2B-256-128
Encryption: AES256-GCM-HMAC-SHA256
Splitter: DYNAMIC-4M-BUZHASH
[...]
```
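Once connected it is also possible to inspect what Velero has written to the repository. A minimal sketch using standard `kopia` CLI commands (output omitted here):

```shell=
# List all snapshots stored in the repository (Velero creates them per backed-up volume)
kopia snapshot list --all

# Summarize the contents stored in the repository (counts and sizes)
kopia content stats
```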
Example for the hashing algorithm: you can see that for this machine the fastest is `--block-hash=BLAKE3-256`, which delivers roughly 3.7× (367.5%) the throughput of the BLAKE2B-256-128 hash used in the repo configuration.

```shell=
$ kopia benchmark hashing
Benchmarking hash 'BLAKE2B-256' (100 x 1048576 bytes, parallelism 1)
Benchmarking hash 'BLAKE2B-256-128' (100 x 1048576 bytes, parallelism 1)
Benchmarking hash 'BLAKE2S-128' (100 x 1048576 bytes, parallelism 1)
Benchmarking hash 'BLAKE2S-256' (100 x 1048576 bytes, parallelism 1)
Benchmarking hash 'BLAKE3-256' (100 x 1048576 bytes, parallelism 1)
Benchmarking hash 'BLAKE3-256-128' (100 x 1048576 bytes, parallelism 1)
Benchmarking hash 'HMAC-SHA224' (100 x 1048576 bytes, parallelism 1)
Benchmarking hash 'HMAC-SHA256' (100 x 1048576 bytes, parallelism 1)
Benchmarking hash 'HMAC-SHA256-128' (100 x 1048576 bytes, parallelism 1)
Benchmarking hash 'HMAC-SHA3-224' (100 x 1048576 bytes, parallelism 1)
Benchmarking hash 'HMAC-SHA3-256' (100 x 1048576 bytes, parallelism 1)
     Hash                 Throughput
-----------------------------------------------------------------
  0. BLAKE3-256           14.7 GB / second
  1. BLAKE3-256-128       14.3 GB / second
  2. HMAC-SHA256-128      6.2 GB / second
  3. HMAC-SHA224          6.2 GB / second
  4. HMAC-SHA256          6 GB / second
  5. BLAKE2B-256-128      4 GB / second
  6. BLAKE2B-256          3.9 GB / second
  7. BLAKE2S-256          2.8 GB / second
  8. BLAKE2S-128          2.7 GB / second
  9. HMAC-SHA3-224        1.5 GB / second
 10. HMAC-SHA3-256        1.4 GB / second
-----------------------------------------------------------------
Fastest option for this machine is: --block-hash=BLAKE3-256
```
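Note that the hashing, encryption and splitter algorithms are fixed when a repository is created; the benchmark winners cannot be applied to an existing repository. For reference, outside of the Velero flow they would be supplied to `kopia repository create`. A minimal sketch, reusing the S3 variables from the connect example above with illustrative algorithm names (adjust to your own benchmark results):

```shell=
# Create a brand-new repository with explicitly chosen algorithms.
# NOTE: this is not how Velero creates its repository; it only illustrates
# where the benchmark winners would be plugged in.
kopia repository create s3 \
    --bucket="$S3_BUCKET" \
    --prefix="$S3_REPOSITORY_PATH" \
    --access-key="$S3_ACCESS_KEY" \
    --secret-access-key="$S3_SECRET_ACCESS_KEY" \
    --password=static-passw0rd \
    --block-hash=BLAKE3-256 \
    --encryption=AES256-GCM-HMAC-SHA256 \
    --object-splitter=DYNAMIC-4M-BUZHASH
```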
Example for the splitting algorithm: the fastest for this machine is `--object-splitter=FIXED-4M`.

***NOTE***: Using a fixed splitter requires the entire file to be re-uploaded if a single byte changes, which may not be ideal for VMs.

```shell=
$ kopia benchmark splitter
[...]
  0. FIXED-4M                393.6 TB/s   count:128 min:4194304 10th:4194304 25th:4194304 50th:4194304 75th:4194304 90th:4194304 max:4194304
  1. FIXED-2M                146.4 TB/s   count:256 min:2097152 10th:2097152 25th:2097152 50th:2097152 75th:2097152 90th:2097152 max:2097152
  2. FIXED-1M                125.6 TB/s   count:512 min:1048576 10th:1048576 25th:1048576 50th:1048576 75th:1048576 90th:1048576 max:1048576
  3. FIXED-8M                88.3 TB/s    count:64 min:8388608 10th:8388608 25th:8388608 50th:8388608 75th:8388608 90th:8388608 max:8388608
  4. FIXED-512K              44.4 TB/s    count:1024 min:524288 10th:524288 25th:524288 50th:524288 75th:524288 90th:524288 max:524288
  5. FIXED                   25.7 TB/s    count:128 min:4194304 10th:4194304 25th:4194304 50th:4194304 75th:4194304 90th:4194304 max:4194304
  6. FIXED-256K              20 TB/s      count:2048 min:262144 10th:262144 25th:262144 50th:262144 75th:262144 90th:262144 max:262144
  7. FIXED-128K              11.2 TB/s    count:4096 min:131072 10th:131072 25th:131072 50th:131072 75th:131072 90th:131072 max:131072
  8. DYNAMIC-1M-BUZHASH      722.8 MB/s   count:428 min:9467 10th:612999 25th:766808 50th:1158068 75th:1744194 90th:2097152 max:2097152
  9. DYNAMIC                 703.3 MB/s   count:107 min:9467 10th:2277562 25th:2971794 50th:4747177 75th:7603998 90th:8388608 max:8388608
 10. DYNAMIC-128K-BUZHASH    692.1 MB/s   count:3183 min:3076 10th:80896 25th:104312 50th:157621 75th:249115 90th:262144 max:262144
 11. DYNAMIC-256K-BUZHASH    670.1 MB/s   count:1612 min:9467 10th:155695 25th:206410 50th:315497 75th:493851 90th:524288 max:524288
 12. DYNAMIC-512K-BUZHASH    668.4 MB/s   count:812 min:9467 10th:313948 25th:400696 50th:619560 75th:978932 90th:1048576 max:1048576
 13. DYNAMIC-4M-BUZHASH      657.6 MB/s   count:107 min:9467 10th:2277562 25th:2971794 50th:4747177 75th:7603998 90th:8388608 max:8388608
 14. DYNAMIC-2M-BUZHASH      656 MB/s     count:204 min:64697 10th:1210184 25th:1638276 50th:2585985 75th:3944217 90th:4194304 max:4194304
 15. DYNAMIC-8M-BUZHASH      532.2 MB/s   count:49 min:677680 10th:5260579 25th:6528562 50th:11102775 75th:16777216 90th:16777216 max:16777216
 16. DYNAMIC-128K-RABINKARP  136.8 MB/s   count:3160 min:9667 10th:80098 25th:106626 50th:162269 75th:250655 90th:262144 max:262144
 17. DYNAMIC-8M-RABINKARP    136.1 MB/s   count:60 min:1446246 10th:4337385 25th:5293196 50th:8419217 75th:12334953 90th:16777216 max:16777216
 18. DYNAMIC-4M-RABINKARP    135 MB/s     count:110 min:535925 10th:2242307 25th:2767610 50th:4400962 75th:6813401 90th:8388608 max:8388608
 19. DYNAMIC-2M-RABINKARP    134 MB/s     count:204 min:535925 10th:1235674 25th:1675441 50th:2525341 75th:3658905 90th:4194304 max:4194304
 20. DYNAMIC-256K-RABINKARP  132.8 MB/s   count:1575 min:49480 10th:159059 25th:212920 50th:316420 75th:508831 90th:524288 max:524288
 21. DYNAMIC-1M-RABINKARP    132.4 MB/s   count:391 min:213638 10th:623062 25th:813953 50th:1328673 75th:2097152 90th:2097152 max:2097152
 22. DYNAMIC-512K-RABINKARP  129.4 MB/s   count:777 min:124727 10th:322811 25th:431615 50th:643713 75th:1048576 90th:1048576 max:1048576
```

Example for the encryption algorithm: you can see that for this machine the fastest is `--encryption=AES256-GCM-HMAC-SHA256`, however the difference is marginal.

```shell=
$ kopia benchmark encryption
Benchmarking encryption 'AES256-GCM-HMAC-SHA256'... (1000 x 1048576 bytes, parallelism 1)
Benchmarking encryption 'CHACHA20-POLY1305-HMAC-SHA256'... (1000 x 1048576 bytes, parallelism 1)
     Encryption                      Throughput
-----------------------------------------------------------------
  0. AES256-GCM-HMAC-SHA256          1.3 GB / second
  1. CHACHA20-POLY1305-HMAC-SHA256   1.1 GB / second
-----------------------------------------------------------------
Fastest option for this machine is: --encryption=AES256-GCM-HMAC-SHA256
```

# Pull Request and Testing

## Pull Request

A downstream-only pull request, which will be carried over to allow easily switching between different encryption/hashing/splitting algorithms, is available at https://github.com/openshift/velero/pull/334

## Container image

The Velero image built with that pull request is available at: quay.io/migi/velero:testing_args_env

## Testing

### NOTE

When switching between different algorithms it is mandatory to clean up the S3 storage or use a different prefix in the DPA.

### DPA Configuration

- Example using the `mprycoadp` S3 bucket from AWS in the `eu-central-1` region. The `aws` CLI is installed on the system and the `~/.aws/credentials` file contains:

```shell=
[default]
aws_access_key_id =
aws_secret_access_key =
```

1. Ensure the credentials used in the DPA (`hashing-testing-credentials`) for S3 exist in the `openshift-adp` namespace:

```shell=
oc create secret generic hashing-testing-credentials --namespace openshift-adp --from-file cloud=~/.aws/credentials
```

The DPA requires two additions to change the algorithm(s):
- the `veleroImageFqin` option in the `unsupportedOverrides`
- `env` variables in the `podConfig` under the `velero` configuration

```yaml=
apiVersion: oadp.openshift.io/v1alpha1
kind: DataProtectionApplication
metadata:
  name: dpa-name
  namespace: openshift-adp
spec:
  unsupportedOverrides:
    veleroImageFqin: 'quay.io/migi/velero:testing_args_env'
  configuration:
    nodeAgent:
      enable: true
      uploaderType: kopia
    velero:
      defaultSnapshotMoveData: true
      podConfig:
        env:
          - name: KOPIA_HASHING_ALGORITHM
            value: BLAKE3-256
[...]
```
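After the DPA reconciles, it is worth confirming that the variables actually reached the Velero deployment before running a backup. A minimal sketch (assuming the deployment is named `velero` in `openshift-adp`):

```shell=
# List the environment variables set on the velero deployment and filter the kopia overrides
oc -n openshift-adp set env deployment/velero --list | grep KOPIA
```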
### Case 1: Create backup with different Hashing algorithm

1. DPA:

```yaml=
apiVersion: oadp.openshift.io/v1alpha1
kind: DataProtectionApplication
metadata:
  name: velero-sample
  namespace: openshift-adp
spec:
  unsupportedOverrides:
    veleroImageFqin: 'quay.io/migi/velero:testing_args_env'
  configuration:
    nodeAgent:
      enable: true
      uploaderType: kopia
    velero:
      defaultSnapshotMoveData: true
      podConfig:
        env:
          - name: KOPIA_HASHING_ALGORITHM
            value: BLAKE3-256
      defaultPlugins:
        - openshift
        - aws
        - csi
  backupLocations:
    - velero:
        config:
          profile: default
          region: eu-central-1
        credential:
          key: cloud
          name: hashing-testing-credentials
        objectStorage:
          bucket: mprycoadp
          prefix: hashingalgorithm
        default: true
        provider: aws
```

2. Create the sample deployment:

```shell=
# oadp-operator/tests/e2e/sample-applications/mysql-persistent/
oc apply -f mysql-persistent-csi.yaml -f pvc/default_sc.yaml
```

3. Ensure the S3 bucket does not contain any files:

```shell=
aws s3 rm --recursive s3://mprycoadp/
```

4. Create the backup `backup.yaml`:

```yaml=
apiVersion: velero.io/v1
kind: Backup
metadata:
  name: mysql-blake-backup
  namespace: openshift-adp
spec:
  includedNamespaces:
    - mysql-persistent
  storageLocation: velero-sample-1
```

```shell=
oc apply -f backup.yaml
```

5. After the backup has completed, check that the kopia repository is on the S3 storage:

```shell=
$ aws s3 ls s3://mprycoadp/hashingalgorithm/kopia/mysql-persistent/
2024-08-07 15:32:26        823 _log_20240807133225_e00c_1723037545_1723037545_1_2f48473a4298fe7dea7850ffedc108124f34419b1b8ccec5965aa40edff6b0f5
2024-08-07 15:32:29       6964 _log_20240807133227_86fa_1723037547_1723037548_1_a12c6af84af9292a5d6a02a02464527a2fac379d5895007e178b486ae0e2d53e
2024-08-07 15:32:25         30 kopia.blobcfg
2024-08-07 15:32:25       1067 kopia.repository
2024-08-07 15:32:29   15880546 p6377a65f1655edfdd80b60caacc3019e-s15455f66b99032a912b
2024-08-07 15:32:28       4330 q396b0a69c58babb34d619a499a2fe69a-s8cc2323062d9fce512b
2024-08-07 15:32:28      13029 q525f125201906e889a62e2a9fa82fc3b-s15455f66b99032a912b
2024-08-07 15:32:26       4330 q995947ba192cc7ea19f9f19d1a9ffa4a-s07ce71aca3045a9312b
2024-08-07 15:32:28        159 xn0_2328a9b7a5319dad95591260f1167755372c2d55cdd02d193a9b1a41f1678b91-s8cc2323062d9fce512b-c1
2024-08-07 15:32:26        159 xn0_6e68373823547b16d1884aafb6a0de131c76a414d8f888a5bdb05ee4b6ef32d2-s07ce71aca3045a9312b-c1
2024-08-07 15:32:29       5075 xn0_a67b12c21f4ce344aebecfdd60e78acfd39e2e12bced167386dda0d378094961-s15455f66b99032a912b-c1
```

6. Connect to the kopia repository from a temporary directory on your workstation (this requires the `kopia` CLI installed locally) and confirm that the hashing algorithm is the one from the DPA:

```shell=
$ export AWS_ACCESS_KEY=
$ export AWS_SECRET_ACCESS_KEY=
$ kopia repository connect s3 \
    --bucket=mprycoadp \
    --prefix=hashingalgorithm/kopia/mysql-persistent/ \
    --password=static-passw0rd \
    --access-key="${AWS_ACCESS_KEY}" \
    --secret-access-key="${AWS_SECRET_ACCESS_KEY}"
$ kopia repo status
[...]
Hash: BLAKE3-256
Encryption: AES256-GCM-HMAC-SHA256
Splitter: DYNAMIC-4M-BUZHASH
[...]
```
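Optionally, before restoring, verify that the data mover actually uploaded the PVC data. A minimal sketch (resource names and counts are cluster-specific; output omitted):

```shell=
# The backup should reach the Completed phase
oc -n openshift-adp describe backup mysql-blake-backup

# With defaultSnapshotMoveData enabled, the DataUpload per volume should be Completed
oc -n openshift-adp get datauploads
```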
7. Restore: delete the `mysql-persistent` project and create a `Restore` object on the cluster.

```shell=
$ oc delete project mysql-persistent
project.project.openshift.io "mysql-persistent" deleted
```

File `restore.yaml`:

```yaml=
apiVersion: velero.io/v1
kind: Restore
metadata:
  name: mysql-persistent
  namespace: openshift-adp
spec:
  backupName: mysql-blake-backup
  restorePVs: true
```

```shell=
oc apply -f restore.yaml
```

Check if the application was restored:

```shell=
oc describe restore mysql-persistent -n openshift-adp
oc get all -n mysql-persistent
```

>> SUCCESS with restore

### Case 2: Check if it's possible to restore from a different hashing algorithm

1. DPA:

```yaml=
apiVersion: oadp.openshift.io/v1alpha1
kind: DataProtectionApplication
metadata:
  name: velero-sample
  namespace: openshift-adp
spec:
  unsupportedOverrides:
    veleroImageFqin: 'quay.io/migi/velero:testing_args_env'
  configuration:
    nodeAgent:
      enable: true
      uploaderType: kopia
    velero:
      defaultSnapshotMoveData: true
      podConfig:
        env:
          - name: KOPIA_HASHING_ALGORITHM
            value: BLAKE3-256
      defaultPlugins:
        - openshift
        - aws
        - csi
  backupLocations:
    - velero:
        config:
          profile: default
          region: eu-central-1
        credential:
          key: cloud
          name: hashing-testing-credentials
        objectStorage:
          bucket: mprycoadp
          prefix: hashingalgorithm
        default: true
        provider: aws
```

2. Delete the previous restore:

```shell=
oc delete restore mysql-persistent -n openshift-adp
```

3. Re-use the previously created `restore.yaml` file:

```shell=
oc apply -f restore.yaml
```

4. Confirm the restore succeeded:

```shell=
oc describe restore mysql-persistent -n openshift-adp
oc get all -n mysql-persistent
```

>> SUCCESS with restore

### Case 3: Similar to Case 1, but with different splitting, hashing and encryption algorithms

1. DPA, this time using a different S3 prefix:

```yaml=
apiVersion: oadp.openshift.io/v1alpha1
kind: DataProtectionApplication
metadata:
  name: velero-sample
  namespace: openshift-adp
spec:
  unsupportedOverrides:
    veleroImageFqin: 'quay.io/migi/velero:testing_args_env'
  configuration:
    nodeAgent:
      enable: true
      uploaderType: kopia
    velero:
      defaultSnapshotMoveData: true
      podConfig:
        env:
          - name: KOPIA_HASHING_ALGORITHM
            value: BLAKE3-256
          - name: KOPIA_ENCRYPTION_ALGORITHM
            value: CHACHA20-POLY1305-HMAC-SHA256
          - name: KOPIA_SPLITTER_ALGORITHM
            value: DYNAMIC-8M-RABINKARP
      defaultPlugins:
        - openshift
        - aws
        - csi
  backupLocations:
    - velero:
        config:
          profile: default
          region: eu-central-1
        credential:
          key: cloud
          name: hashing-testing-credentials
        objectStorage:
          bucket: mprycoadp
          prefix: allalgorithms
        default: true
        provider: aws
```

2. Remove the previous DPA and apply the one above.

3. Create a new `backup-new.yaml` and apply it:

```yaml=
apiVersion: velero.io/v1
kind: Backup
metadata:
  name: mysql-allalgorithms-backup
  namespace: openshift-adp
spec:
  includedNamespaces:
    - mysql-persistent
  storageLocation: velero-sample-1
```

```shell=
oc apply -f backup-new.yaml
oc describe backup mysql-allalgorithms-backup -n openshift-adp
```

4. Connect to the repository:

```shell=
$ kopia repository connect s3 \
    --bucket=mprycoadp \
    --prefix=allalgorithms/kopia/mysql-persistent/ \
    --password=static-passw0rd \
    --access-key="${AWS_ACCESS_KEY}" \
    --secret-access-key="${AWS_SECRET_ACCESS_KEY}"
$ kopia repository status
[...]
Hash: BLAKE3-256
Encryption: CHACHA20-POLY1305-HMAC-SHA256
Splitter: DYNAMIC-8M-RABINKARP
[...]
```
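It can also be confirmed that a completely separate kopia repository was created under the new prefix. A minimal sketch (output omitted):

```shell=
# A fresh kopia.repository and blob set should exist under the new prefix
aws s3 ls s3://mprycoadp/allalgorithms/kopia/mysql-persistent/
```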
5. Restore: delete the `mysql-persistent` project and create a `Restore` object on the cluster.

```shell=
$ oc delete project mysql-persistent
project.project.openshift.io "mysql-persistent" deleted
```

File `restore.yaml`:

```yaml=
apiVersion: velero.io/v1
kind: Restore
metadata:
  name: mysql-persistent
  namespace: openshift-adp
spec:
  backupName: mysql-all-backup
  restorePVs: true
```

```shell=
oc apply -f restore.yaml
```

>> SUCCESS with restore

### Case 4: Similar to Case 2, but restore from a backup that used different splitting, hashing and encryption algorithms

1. Use the DPA:

```yaml=
apiVersion: oadp.openshift.io/v1alpha1
kind: DataProtectionApplication
metadata:
  name: velero-sample
  namespace: openshift-adp
spec:
  unsupportedOverrides:
    veleroImageFqin: 'quay.io/migi/velero:testing_args_env'
  configuration:
    nodeAgent:
      enable: true
      uploaderType: kopia
    velero:
      defaultSnapshotMoveData: true
      defaultPlugins:
        - openshift
        - aws
        - csi
  backupLocations:
    - velero:
        config:
          profile: default
          region: eu-central-1
        credential:
          key: cloud
          name: hashing-testing-credentials
        objectStorage:
          bucket: mprycoadp
          prefix: allalgorithms
        default: true
        provider: aws
```

>> SUCCESS with restore

### Case 5: Create a second backup with different algorithms in the DPA

1. After the restore from Case 4, which was using the default algorithms in the Velero pod, create the backup:

```yaml=
apiVersion: velero.io/v1
kind: Backup
metadata:
  name: mysql-all-backup-second
  namespace: openshift-adp
spec:
  includedNamespaces:
    - mysql-persistent
  storageLocation: velero-sample-1
```

```shell=
$ oc describe backup mysql-all-backup-second
```

2. We can see that the initial repository encryption/splitter/hash settings are preserved:

```shell=
$ kopia repo status
[...]
Hash: BLAKE3-256
Encryption: CHACHA20-POLY1305-HMAC-SHA256
Splitter: DYNAMIC-8M-RABINKARP
[...]
```

>> Backup succeeded, the previous algorithms are preserved
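When finished inspecting the repositories from the workstation, the local kopia client can be disconnected so the cached repository configuration and credentials are removed. A minimal sketch:

```shell=
# Forget the currently connected repository on this machine (does not touch the S3 data)
kopia repository disconnect
```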