Creating an online backup with the Cloud Pak for Data OADP backup and restore utility

You can create online backups of a Cloud Pak for Data instance with the Cloud Pak for Data OpenShift® APIs for Data Protection (OADP) backup and restore utility.

Before you begin

Online backup has the following requirements:

Online backup and restore of a deployment that is running service versions from different Cloud Pak for Data releases is not supported.
The Cloud Pak for Data control plane is installed in a single project (namespace).
For more information, see Installing the IBM Cloud Pak for Data control plane.
The Cloud Pak for Data instance is installed in zero or more tethered projects.
For more information about tethered projects, see Tethering projects to the IBM Cloud Pak for Data control plane.
The minimum deployment profile of IBM Cloud Pak foundational services is Small.
For more information about sizing IBM Cloud Pak foundational services, see Hardware requirements and recommendations for foundational services.
The Cloud Pak for Data OADP backup and restore utility is installed and configured.
For more information, see Installing Cloud Pak for Data OADP backup and restore utility components.

If the IBM Knowledge Catalog service is installed, and a lineage data import job is running at the same time as you are creating a backup, the job might fail. In this case, rerun the job.

About this task

Permissions needed for this task: If you are running the utility in Kubernetes mode, log in as a user with cluster administrator rights.
If you are running the utility in REST mode, make sure that the REST client is configured so that a Cloud Pak for Data administrator can run backup and checkpoint commands.

Backups are taken at the Cloud Pak for Data instance (tenant) level.

If service-related custom resources are manually placed into maintenance mode prior to creating an online backup, those custom resources will remain in the same state if the backup is restored. Taking these services out of maintenance mode must be done manually after the restore.

Note: The storage provider that you use to store backups might limit the number of snapshots that you can take per volume. For more information, consult your storage provider documentation.

For more information about the OADP backup and restore utility, including a list of commands that you can run, see the cpd-cli oadp reference documentation.

Best practice: You can run the commands in this task exactly as written if you set up environment variables. For instructions, see Setting up installation environment variables.

Ensure that you source the environment variables before you run the commands in this task.

Procedure

If you are running the backup and restore utility in Kubernetes mode, log in to Red Hat® OpenShift Container Platform as a cluster administrator:
```
${OC_LOGIN}
```
Remember: OC_LOGIN is an alias for the oc login command.

Ensure that the expected EDB Postgres replica PVCs are included in the backup:

oc label pvc,pods -l k8s.enterprisedb.io/cluster,velero.io/exclude-from-backup=true velero.io/exclude-from-backup- -n ${PROJECT_CPD_INST_OPERANDS}

Check that the primary instance of every EDB Postgres cluster is in sync with its replicas.
1. Run the following command:
```
cpd-cli oadp backup precheck \
--tenant-operator-namespace=${PROJECT_CPD_INST_OPERATORS} \
--verbose
```
2. If the output of the command shows that a primary instance is not in sync with a replica, delete the replica and its associated PVC.
For more information about the command, see oadp backup precheck.
If you did not set up installation environment variables, set the environment variable for the Cloud Pak for Data version that you are using:
```
export VERSION=<Cloud Pak for Data_version>
```

5.0.0- 5.0.2 If watsonx Orchestrate is installed, back up the MongoDB database.

Specify a name for the backup.

For example:

export MONGO_BACKUP_NAME='mongodb-backup-01'

Run the backup job:

cat <<EOF | oc apply -n ${PROJECT_CPD_INST_OPERANDS} -f  -
apiVersion: batch/v1
kind: Job
metadata:
  name: mongo-backup
  namespace: ${PROJECT_CPD_INST_OPERANDS}
spec:
  template:
    metadata:
      labels:
        wo.watsonx.ibm.com/cr-name: wo
    spec:
      containers:
      - name: backup
        image: cp.icr.io/cp/watsonx-orchestrate/ibm-watsonx-orchestrate-onprem-utils@sha256:d3adacdcb34824faa845ade0880bdbc984f7caa311f0460f7ad16b9e4f7b4d1c
        workingDir: /mongodb-backup-restore
        command: ["./mongo.sh", "backup", "--name", $MONGO_BACKUP_NAME]
        volumeMounts:
          - name: mongo-backups
            mountPath: /mongodb-backup-restore/dumps
          - name: mongo-credentials
            mountPath: /secrets/mongo
      restartPolicy: Never
      volumes:
        - name: mongo-backups
          persistentVolumeClaim: 
            claimName: pvc-wo-mongo-backups
        - name: mongo-credentials
          secret:
            secretName: wo-watson-orchestrate-mongo-secret
  backoffLimit: 4
EOF

Validate that the backup is complete.

oc get job mongo-backup -n ${PROJECT_CPD_INST_OPERANDS}

Patch the MongoDB secret:

oc label secret -n ${PROJECT_CPD_INST_OPERATORS} ${PROJECT_CPD_INST_OPERANDS}-mongodb-wo-mongo-ops-manager-admin-key icpdsupport/ignore-on-nd-backup=true

oc label secret -n ${PROJECT_CPD_INST_OPERATORS} ${PROJECT_CPD_INST_OPERANDS}-mongodb-wo-mongo-ops-manager-admin-key velero.io/exclude-from-backup=true

Generate the cpd-operators ConfigMap.
This ConfigMap captures the required Kubernetes objects that you will need when you restore the operators.
```
./cpd-operators.sh backup \
--foundation-namespace ${PROJECT_CPD_INST_OPERATORS} \
--operators-namespace ${PROJECT_CPD_INST_OPERATORS} \
--backup-iam-data
```
Note: IBM Cloud Pak foundational services operators are installed in the same namespace as Cloud Pak for Data operators.
Run checkpoint hooks.
The --tenant-operator-namespace parameter specifies the instance (tenant) operator project, and will implicitly include other instance projects (control plane and any tethered projects). If you want to back up only specific projects, use the --include-namespaces parameter instead, and specify the list of projects that you want to back up.

Note: The --tenant-operator-namespace and --include-namespaces parameters are mutually exclusive.
```
cpd-cli oadp checkpoint create \
--tenant-operator-namespace ${PROJECT_CPD_INST_OPERATORS} \
--log-level=debug \
--verbose
```

Create a backup of Cloud Pak for Data Persistent Volume Claims (PVCs) and volume data, and provide a name for the backup:

cpd-cli oadp backup create <volume-backup-name> \
--tenant-operator-namespace ${PROJECT_CPD_INST_OPERATORS} \
--include-resources='namespaces,persistentvolumeclaims,persistentvolumes,volumesnapshot,volumesnapshotcontent,customresourcedefinitions.apiextensions.k8s.io' \
--selector='icpdsupport/empty-on-nd-backup notin (true),icpdsupport/ignore-on-nd-backup notin (true)' \
--hook-kind=checkpoint \
--snapshot-volumes \
--log-level=debug \
--verbose

Create a backup of Kubernetes resources, and provide a name for the backup:

cpd-cli oadp backup create <kub-resource-backup> \
--tenant-operator-namespace ${PROJECT_CPD_INST_OPERATORS} \
--exclude-resources='event,event.events.k8s.io,imagetags.openshift.io,pod,subscriptions.operators.coreos.com,clusterserviceversions.operators.coreos.com,installplans.operators.coreos.com,clients.oidc.security.ibm.com,authentication.operator.ibm.com,challenges.acme.cert-manager.io,orders.acme.cert-manager.io,certificaterequests.cert-manager.io' \
--selector='icpdsupport/empty-on-nd-backup notin (true),icpdsupport/ignore-on-nd-backup notin (true)' \
--hook-kind=checkpoint \
--skip-hooks \
--log-level=debug \
--verbose

If watsonx Orchestrate is installed, back up App Connect resources.
1. If you haven't already done so, download and extract the contents of backup-script.zip.
  
  For details, see Downloading the Cloud Pak for Data backup and restore scripts.
2. Open the backup-script.sh file in an editor.
3. Change spec.storageLocation to the object storage where you are storing your Cloud Pak for Data backups.
  Tip: To obtain the backup storage location, run the following command:
```
oc get backupStorageLocation -n <OADP_operator_project>
```
4. Run the following command, specifying a name for the backup:
```
./backup-script.sh ${PROJECT_IBM_APP_CONNECT} <appconnect_backup_name>
```
Check the status of the backup:
```
cpd-cli oadp backup status <backup-name> \
--details
```
In the output, check that the Phase is Completed, and that the Resource List contains a VolumeSnapshot for each PVC.
To view a list of existing checkpoints, run the following command:
```
cpd-cli oadp checkpoint list
```
To view a list of existing backups, run the following command:
```
cpd-cli oadp backup list
```
To view backup logs, run the following command:
```
cpd-cli oadp backup logs <backup-name>
```
To delete a backup for cleanup purposes, run the following command:
```
cpd-cli oadp backup delete <backup-name>
```

Results

Two OADP backups are created: a volume backup and a Kubernetes resources backup.

What to do next

If a backup fails, you must return Cloud Pak for Data to a good state before you can retry a backup. Run the following command:

cpd-cli oadp backup posthooks --hook-kind=checkpoint --tenant-operator-namespace=${PROJECT_CPD_INST_OPERATORS}

If you have services that connect to an external database, such as for business intelligence (BI) reporting, it is recommended that you also back up the database. Backing up the external database ensures data consistency if the Cloud Pak for Data backup is later restored. For example, you need to restore an older Cloud Pak for Data backup instead of the most recent backup. The external database is synchronized with the most recent Cloud Pak for Data backup, so it has data that is not in the backup that you want to restore. To maintain data consistency, you need to restore the external database backup that was taken at the same time as the Cloud Pak for Data backup.