Velero系列文章（四）：使用Velero进行生产迁移实战

概述

目的

通过 velero 工具, 实现以下整体目标:

• 特定 namespace 在B A两个集群间做迁移;

具体目标为:

1. 在B A集群上创建 velero (包括 restic )
2. 备份 B集群 特定 namespace : caseycui2020:
   1. 备份resources - 如deployments, configmaps等;
      1. 备份前, 排除特定secrets的yaml.
   2. 备份volume数据; (通过restic实现)
      1. 通过"选择性启用" 的方式, 只备份特定的pod volume
3. 迁移特定 namespace 到 A集群 : caseycui2020:
   1. 迁移resources - 通过include的方式, 仅迁移特定resources;
   2. 迁移volume数据. (通过restic 实现)

安装

1. 在您的本地目录中创建特定于Velero的凭证文件（credentials-velero):

   使用的是xsky的对象存储: (公司的netapp的对象存储不兼容)

   [default]
   aws_access_key_id = xxxxxxxxxxxxxxxxxxxxxxxx
   aws_secret_access_key = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
   

2. (openshift) 需要先创建 namespace : velero: oc new-project velero

3. 默认情况下，用户维度的openshift namespace 不会在集群中的所有节点上调度Pod。

   要在所有节点上计划namespace，需要一个注释：

   oc annotate namespace velero openshift.io/node-selector=""
   

   这应该在安装velero之前完成。

4. 启动服务器和存储服务。 在Velero目录中，运行：

   velero install \
       --provider aws \
       --plugins velero/velero-plugin-for-aws:v1.0.0 \
       --bucket velero \
       --secret-file ./credentials-velero \
       --use-restic \
       --use-volume-snapshots=true \
       --backup-location-config region="default",s3ForcePathStyle="true",s3Url="http://glacier.ewhisper.cn",insecureSkipTLSVerify="true",signatureVersion="4" \
       --snapshot-location-config region="default"
   

   创建的内容包括:

   CustomResourceDefinition/backups.velero.io: attempting to create resource
   CustomResourceDefinition/backups.velero.io: created
   CustomResourceDefinition/backupstoragelocations.velero.io: attempting to create resource
   CustomResourceDefinition/backupstoragelocations.velero.io: created
   CustomResourceDefinition/deletebackuprequests.velero.io: attempting to create resource
   CustomResourceDefinition/deletebackuprequests.velero.io: created
   CustomResourceDefinition/downloadrequests.velero.io: attempting to create resource
   CustomResourceDefinition/downloadrequests.velero.io: created
   CustomResourceDefinition/podvolumebackups.velero.io: attempting to create resource
   CustomResourceDefinition/podvolumebackups.velero.io: created
   CustomResourceDefinition/podvolumerestores.velero.io: attempting to create resource
   CustomResourceDefinition/podvolumerestores.velero.io: created
   CustomResourceDefinition/resticrepositories.velero.io: attempting to create resource
   CustomResourceDefinition/resticrepositories.velero.io: created
   CustomResourceDefinition/restores.velero.io: attempting to create resource
   CustomResourceDefinition/restores.velero.io: created
   CustomResourceDefinition/schedules.velero.io: attempting to create resource
   CustomResourceDefinition/schedules.velero.io: created
   CustomResourceDefinition/serverstatusrequests.velero.io: attempting to create resource
   CustomResourceDefinition/serverstatusrequests.velero.io: created
   CustomResourceDefinition/volumesnapshotlocations.velero.io: attempting to create resource
   CustomResourceDefinition/volumesnapshotlocations.velero.io: created
   Waiting for resources to be ready in cluster...
   Namespace/velero: attempting to create resource
   Namespace/velero: created
   ClusterRoleBinding/velero: attempting to create resource
   ClusterRoleBinding/velero: created
   ServiceAccount/velero: attempting to create resource
   ServiceAccount/velero: created
   Secret/cloud-credentials: attempting to create resource
   Secret/cloud-credentials: created
   BackupStorageLocation/default: attempting to create resource
   BackupStorageLocation/default: created
   VolumeSnapshotLocation/default: attempting to create resource
   VolumeSnapshotLocation/default: created
   Deployment/velero: attempting to create resource
   Deployment/velero: created
   DaemonSet/restic: attempting to create resource
   DaemonSet/restic: created
   Velero is installed! ⛵ Use 'kubectl logs deployment/velero -n velero' to view the status.
   

5. (openshift) 将velero ServiceAccount添加到privilegedSCC：

   $ oc adm policy add-scc-to-user privileged -z velero -n velero
   

6. (openshift) 对于OpenShift版本> = 4.1，修改DaemonSet yaml以请求privileged模式：

   @@ -67,3 +67,5 @@ spec:
                 value: /credentials/cloud
               - name: VELERO_SCRATCH_DIR
                 value: /scratch
   +          securityContext:
   +            privileged: true
   

   或:

   oc patch ds/restic \
     --namespace velero \
     --type json \
     -p '[{"op":"add","path":"/spec/template/spec/containers/0/securityContext","value": { "privileged": true}}]'
   

备份 - B集群

备份集群级别的特定资源

velero backup create <backup-name> --include-cluster-resources=true  --include-resources deployments,configmaps

查看备份

velero backup describe YOUR_BACKUP_NAME

备份特定 namespace caseycui2020

排除特定资源

标签为velero.io/exclude-from-backup=true的资源不包括在备份中，即使它包含匹配的选择器标签也是如此。

通过这种方式, 不需要备份的secret 等资源通过velero.io/exclude-from-backup=true 标签(label)进行排除.

通过这种方式排除的secret部分示例如下:

builder-dockercfg-jbnzr
default-token-lshh8
pipeline-token-xt645

使用restic 备份Pod Volume

标签：实战,Velero,caseycui2020,velero,--,create,io,迁移,openshift
From： https://www.cnblogs.com/east4ming/p/16975290.html