backup: veeam kvm integration

[shwstppr]

Description

Design spec: https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=421954133

This PR introduces the initial implementation of Veeam integration support for KVM in CloudStack by adding a UHAPI-compatible server and image server components.

Veeam Backup & Replication interacts with virtualization platforms using its Universal Hypervisor API (UHAPI). To enable backup and restore workflows for CloudStack-managed KVM environments, this change introduces a UHAPI server that exposes CloudStack resources through a UHAPI-compatible interface.

In addition to the control plane APIs, an image server component is introduced to handle the data transfer operations required during backup and restore workflows.

Architecture

The integration consists of two main components:

1. UHAPI Server (Control Plane) named CloudStack Veeam Control Service

A lightweight UHAPI server runs inside the CloudStack management server and exposes endpoints under:

/ovirt-engine
    - /api - For APIs
    - /sso - For authentication
    - /services/pki-resource - For certificates

This server provides inventory discovery APIs required by Veeam and translates CloudStack resources into the structures expected by UHAPI.

The server:

• exposes infrastructure inventory
• handles authentication and session tokens
• maps CloudStack resources to UHAPI-compatible representations

2. Image Server (Data Plane) named CloudStack Image Service

A separate image server component is introduced to handle backup and restore data transfer operations.

This component:

• serves disk image data during backup
• receives image data during restore operations
• exposes endpoints used by Veeam worker components
• integrates with CloudStack storage to read and write VM disk data

The separation between both these components server ensures that:

• metadata APIs and control operations remain lightweight
• bulk image transfer operations are handled independently

Documentation PR: apache/cloudstack-documentation#642

Co-authored by @abh1sar @weizhouapache

Types of changes

• Breaking change (fix or feature that would cause existing functionality to change)
• New feature (non-breaking change which adds functionality)
• Bug fix (non-breaking change which fixes an issue)
• Enhancement (improves an existing feature and functionality)
• Cleanup (Code refactoring and cleanup, that may add test cases)
• Build/CI
• Test (unit or integration test code)

Feature/Enhancement Scale or Bug Severity

Feature/Enhancement Scale

• Major
• Minor

Bug Severity

• BLOCKER
• Critical
• Major
• Minor
• Trivial

Screenshots (if appropriate):

How Has This Been Tested?

How did you try to break this feature and the system with this change?

[jochemkalsbeek287]

If the service is running (checkResult == null) but the control socket is not ready, the code falls through, calls resetService, and then skips the start block because checkResult != null is false. It then waits up to 10 seconds for a socket that will never become ready because nothing restarted the service. The service is left in a broken state.

[abh1sar]

Thanks for your comment @jochemkalsbeek287
If the service is running but the control socket is not ready, it means that it is an intermittent state - the service was just started, so the control socket is not ready yet.
It's bound to get ready after the 10 second wait.

If there is an error in the image server code which causes the control socket to not open, that will cause it to fail. Image server will be restarted in the next attempt.

[shwstppr]

@blueorangutan package

[blueorangutan]

@shwstppr a [SL] Jenkins job has been kicked to build packages. It will be bundled with no SystemVM templates. I'll keep you posted as I make progress.

[blueorangutan]

Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ el10 ✔️ debian ✔️ suse15. SL-JID 17647

[shwstppr]

@blueorangutan test

[blueorangutan]

@shwstppr a [SL] Trillian-Jenkins test job (ol8 mgmt + kvm-ol8) has been kicked to run smoke tests

[github-actions]

This pull request has merge conflicts. Dear author, please fix the conflicts and sync your branch with the base branch.

[blueorangutan]

[SF] Trillian test result (tid-15987)
Environment: kvm-ol8 (x2), zone: Advanced Networking with Mgmt server ol8
Total time taken: 50128 seconds
Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr12991-t15987-kvm-ol8.zip
Smoke tests completed. 151 look OK, 0 have errors, 0 did not run
Only failed and skipped tests results shown below:

Test	Result	Time (s)	Test File

[shwstppr]

@blueorangutan package

[blueorangutan]

@shwstppr a [SL] Jenkins job has been kicked to build packages. It will be bundled with no SystemVM templates. I'll keep you posted as I make progress.

[blueorangutan]

Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ el10 ✔️ debian ✔️ suse15. SL-JID 17665

[weizhouapache]

@shwstppr
is /etc/cloudstack/agent/cloud.ca.crt used ?

[shwstppr]

@abh1sar can tell better but I think yes we use cloud certificates for image server.
To the Veeam worker VM, we just pass the Root CA from the MS

[abh1sar]

that's right. Is it ok to show the file names?

[weizhouapache]

got it, the control service and image service use the same Root CA (these key/cert are generated from it too), right ?

[abh1sar]

No, control service uses the certificate configured for the management server by the operator.
Image service uses the internal CA.
control service CA can be different for example in case when multiple management servers are behind LB and that LB has its own SSL config.

[weizhouapache]

This API is intended for testing only and is disabled by default.

this sentence exists in all APIs in this folder. is this correct ? @abh1sar

[abh1sar]

yes Wei, I don't want to expose these APIs to end users. Only Veeam control service uses them.
But they are useful in testing. For example, we can run integration tests using these even without veeam.
Any better way to handle this?

[weizhouapache]

maybe add a global setting and expose them only when the setting is set to true ?

[abh1sar]

yes, the global setting is already there expose.kvm.backup.export.service.apis

[weizhouapache]

maybe rename to KVM_BLANK_VM_TEMPLATE_NAME or so

[weizhouapache]

maybe only the last two are needed

    'ImageTransfer' : 'Backup and Recovery',
    'VmCheckpoint' : 'Backup and Recovery',

[weizhouapache]

remove it ?

[weizhouapache]

overall LGTM
left some minor comments and questions.

great job @shwstppr @abh1sar !