How to Enable Changed Block Tracking for Guest Cluster on vSphere with Tanzu

KB ID: 4599
Product: Veeam Kasten for Kubernetes
Published: 2024-06-10
Last Modified: 2024-06-11

Purpose

Changed Block Tracking is a VMware feature that tracks changes in virtual disks. Veeam Kasten for Kubernetes uses this feature in vSphere with Tanzu Guest Clusters to efficiently back up Persistent Volumes.

Enabling Changed Block Tracking in each Supervisor Cluster where Veeam Kasten for Kubernetes will be used is recommended.  Once it has been enabled on a Supervisor Cluster, all Guest Clusters will be automatically configured for CBT.

 

CBT is typically enabled on virtual machines via the vCenter UI; however, security constraints in the vSphere with Tanzu Supervisor Cluster prevent this. The Velero vSphere Operator is used as the special path to enable this feature on vSphere with Tanzu clusters. Veeam Kasten for Kubernetes doesn’t use Velero to perform actual backup; it is only required to enable the Changed Block Tracking feature on VMs provisioned via vSphere with Tanzu.

Requirements

Prerequisites

  • vSphere 7.0.3 or higher
  • Tanzu Advanced
  • Linux system with network connectivity to vCenter

Solution

Steps

  1. Enable the Velero vSphere Operator
  2. Log in to the vCenter UI
  3. Select the Supervisor Cluster
  4. Go to the “Configure” tab
  5. Go to Services under Supervisor Services
  6. Enable the Velero vSphere Operator

It will prompt for a repository endpoint, username, and password. For an "air-gapped" environment using a private repository for containers, supply the parameters here.  To download the necessary containers from the Internet, leave the fields blank.

Patch VM Operator Config Map

In vSphere 7.0.3 and higher, the VM Operator does not allow the Velero vSphere Operator service account to enable changed block tracking on VMs.  To use CBT, the vmware-system-tkg-system-service-accounts config map needs to be modified.

  1. Determine the namespace of the Velero vSphere Operator

    From the vCenter UI, the Velero vSphere Operator namespace will be visible as a namespace in the Supervisor cluster.  The name will begin with svc-velero-vsphere

    The namespace can also be found using kubectl from the Supervisor Cluster.

    kubectl get ns | grep 'svc-velero-vsphere'

    This information will be used in step 4.

  2. Log in to the vCenter Service Appliance using ssh.

    If ssh access to VCSA is not enabled, please follow VMware Documentation to 'Enable or Disable SSH and Bash Shell Access'.

  3. Decrypt the password for the Supervisor Control Plane VM

    /usr/lib/vmware-wcp/decryptK8Pwd.py

    The output will show the password and IP address of the Supervisor Control Plane VM.  For multiple Supervisor Clusters, select the appropriate one from the list.

    Read key from file
    Connected to PSQL
    Cluster: domain-c106:6519bc6a-e519-4df9-84e1-da0a75598c05
    IP: <Supervisor Control Plane IP>
    PWD: <Supervisor Control Plane VM password>

    Connect over SSH to the Supervisor Control Plane VM (this can be performed from the VCSA shell or another system that has connectivity).

    Use the password obtained above to log in.

    ssh root@<Supervisor Control Plane IP>

  4. Add the default service account for the Velero vSphere Operator’s namespace to the config map.
    Use the Velero vSphere Operator namespace name obtained in step 1.

    kubectl patch -n vmware-system-tkg cm vmware-system-tkg-system-service-accounts --type merge -p '{"data":{"system.serviceaccount.<velero operator namespace>.default": "true"}}'

  5. Restart the TKG Controller Manager

    kubectl rollout restart deployment vmware-system-tkg-controller-manager -n vmware-system-tkg
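
The config map patch grants a privilege to one specific service account, so it is worth validating the namespace before patching and confirming the entry afterwards. The following is an added example, not Veeam or VMware code; the function names, the namespace svc-velero-vsphere-domain-c0 and the sample config map lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: guard rails around the config map patch (steps 1 and 4).

# Accept only a valid Kubernetes namespace name that carries the
# svc-velero-vsphere prefix. This rejects an unsubstituted
# "<velero operator namespace>" placeholder and stray quotes.
valid_velero_ns() {
  case "$1" in
    svc-velero-vsphere*) ;;
    *) return 1 ;;
  esac
  printf '%s' "$1" | grep -Eq '^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$'
}

# Print the merge patch for a validated namespace.
# Live use: kubectl patch ... --type merge -p "$(build_patch "$ns")"
build_patch() {
  valid_velero_ns "$1" || { echo "refusing namespace: $1" >&2; return 1; }
  printf '{"data":{"system.serviceaccount.%s.default": "true"}}' "$1"
}

# Dump the config map as key=value lines (needs a Supervisor Cluster session).
dump_cm() {
  kubectl get -n vmware-system-tkg cm vmware-system-tkg-system-service-accounts \
    -o go-template='{{range $k, $v := .data}}{{$k}}={{$v}}{{"\n"}}{{end}}'
}

# Read key=value lines on stdin; succeed only if the default service
# account of namespace $1 is set to true.
# Live use: dump_cm | sa_allowlisted "$ns"
sa_allowlisted() {
  grep -Fxq "system.serviceaccount.$1.default=true"
}

# Constructed sample of dump_cm output, so the example runs offline.
sample_cm() {
  printf '%s\n' \
    'system.serviceaccount.example-system-ns.default=true' \
    'system.serviceaccount.svc-velero-vsphere-domain-c0.default=true'
}

ns='svc-velero-vsphere-domain-c0'   # constructed namespace name
build_patch "$ns"; echo
if sample_cm | sa_allowlisted "$ns"; then
  echo "allowlisted: $ns"
else
  echo "missing: $ns"
fi
```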

Logging in to vSphere with Tanzu

Follow the instructions here on logging in to vSphere with Tanzu using the kubectl command and vSphere plugin.

Install the Velero vSphere Operator CLI

Reference the Velero Plugin for vSphere Install Documentation

Enable Changed Block Tracking (CBT) by Installing Velero With the Appropriate Options

Veeam Kasten for Kubernetes only leverages Velero to interact with the Velero vSphere Operator to be able to enable CBT and does not use Velero for any part of the backup or restore process.

Part 1: Create a namespace for the tool via the vSphere UI

  1. Go to Workload Management, select the Namespaces tab
  2. Click “New Namespace”
  3. Using the vsphere-backup-infra namespace for this install is recommended, as this is not going to be a fully configured Velero install and will not be used (or work) for any actual backup operations using Velero.

Part 2: Use Velero Plugin to Enable CBT

Run the following velero-vsphere command to enable CBT on guest cluster VMs:

velero-vsphere install --namespace vsphere-backup-infra --version v1.5.1 --plugins vsphereveleroplugin/velero-plugin-for-vsphere:1.1.0 --no-secret --use-volume-snapshots=false --no-default-backup-location --enable-cbt-in-guests

This “installation” of Velero is only used to enable CBT.  This is the minimum install with only the Velero Plugin for vSphere and no other options. 

If Velero is already installed in the Supervisor Cluster, enable CBT with this command, where <guest cluster namespace> is the name of the Guest Cluster. This command needs to be executed while connected to the Supervisor Cluster:

velero-vsphere configure --enable-cbt-in-guests -n <guest cluster namespace>

How to Verify Changed Block Tracking (CBT) has Been Enabled

A Guest Cluster runs on multiple VMs managed by the Supervisor Cluster.  Verify that CBT has been turned on for those VMs by checking the status.changeBlockTracking field of the virtualmachine resource in the Supervisor Cluster namespace where the Guest Cluster was created.

While connected to the Supervisor cluster:

  1. List VMs

    kubectl get -n <guest cluster namespace> virtualmachine

  2. Check the virtual machines using the following command.
    This will return true if Changed Block Tracking has been successfully enabled on the VM.

    kubectl get -n <guest cluster namespace> virtualmachine <guest cluster worker node VM name> -o jsonpath='{.status.changeBlockTracking}'
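
The check above covers one VM per command. The following added example (not part of the original article or Veeam's tooling) goes further and reports every VM in the namespace whose status.changeBlockTracking is not true; the function names and the VM names in the sample listing are constructed.

```shell
#!/bin/sh
# Added example: report CBT status for all VMs of a guest cluster namespace.

# Read "name<TAB>value" lines on stdin and print the names of VMs whose
# status.changeBlockTracking is not exactly "true" (an empty value means
# the field is unset). Succeeds only if at least one VM was seen and all
# of them report true, so an empty or failed listing is treated as a failure.
cbt_not_enabled() {
  awk -F'\t' '
    NF == 0 { next }
    { seen++ }
    $2 != "true" { print $1; bad++ }
    END { if (seen == 0 || bad > 0) exit 1 }
  '
}

# Live query; run while connected to the Supervisor Cluster.
# Usage: check_namespace <guest cluster namespace>
check_namespace() {
  kubectl get -n "$1" virtualmachine \
    -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.status.changeBlockTracking}{"\n"}{end}' \
    | cbt_not_enabled
}

# Constructed sample listing so the example runs without a cluster.
sample_listing() {
  printf 'tkc-control-plane-abc12\ttrue\n'
  printf 'tkc-workers-x1-def34\ttrue\n'
  printf 'tkc-workers-x1-ghi56\t\n'
  printf 'tkc-workers-x1-jkl78\tfalse\n'
}

if missing=$(sample_listing | cbt_not_enabled); then
  echo "CBT enabled on all VMs"
else
  echo "CBT not enabled on:"
  echo "$missing"
fi
```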