Creating an offline backup of Cloud Pak for Data 4.8.0-4.8.4

You can create offline backups of a Cloud Pak for Data 4.8.0-4.8.4 instance with the Cloud Pak for Data OpenShift® APIs for Data Protection (OADP) backup and restore utility.

Before you begin

To create Restic backups, if Cloud Pak for Data is installed on NFS, NFS storage must be configured with no_root_squash.

About this task

Permissions needed for this task
If you are running the utility in Kubernetes mode, log in as a user with cluster administrator rights.

If you are running the utility in REST mode, make sure that the REST client is configured so that a Cloud Pak for Data administrator can run backup and checkpoint commands.

Backups are taken at the Cloud Pak for Data instance (tenant) level.

When backup commands are run, some pods remain in a Running state. These running pods do not affect the backup process, and you do not need to manually shut them down.

4.8.0 If Watson™ Machine Learning Accelerator is installed, this service must be excluded every time you create a backup. For details, see Unable to back up Watson Machine Learning Accelerator.

Note: The storage provider that you use to store backups might limit the number of snapshots that you can take per volume. For more information, consult your storage provider documentation.

For more information about the OADP backup and restore utility, including a list of commands that you can run, see the cpd-cli oadp reference documentation.

Best practice: You can run the commands in this task exactly as written if you set up environment variables. For instructions, see Setting up installation environment variables.

Ensure that you source the environment variables before you run the commands in this task.

Procedure

  1. Log in to Red Hat® OpenShift Container Platform as a cluster administrator.
    ${OC_LOGIN}
    Remember: OC_LOGIN is an alias for the oc login command.
  2. Check that the primary instance of every EDB Postgres cluster is in sync with its replicas.
    1. Run the following command:
      cpd-cli oadp backup precheck \
      --tenant-operator-namespace=${PROJECT_CPD_INST_OPERATORS} \
      --verbose
    2. If the output of the command shows that a primary instance is not in sync with a replica, delete the replica and its associated PVC.

    For more information about the command, see oadp backup precheck.

  3. If you did not set up installation environment variables, set the environment variable for the Cloud Pak for Data version that you are using:
    export VERSION=<Cloud Pak for Data_version>
  4. Generate the cpd-operators ConfigMap.

    This ConfigMap captures the required Kubernetes objects that you will need when you restore the operators.

    ./cpd-operators.sh backup \
    --foundation-namespace ${PROJECT_CPD_INST_OPERATORS} \
    --operators-namespace ${PROJECT_CPD_INST_OPERATORS} \
    --backup-iam-data
  5. Create a backup of Cloud Pak for Data operators and EDB Postgres cluster resources, and provide a name for the backup.

    The --tenant-operator-namespace parameter specifies the instance (tenant) operator project, and will implicitly include other instance projects (control plane and any tethered projects). If you want to back up only specific projects, use the --include-namespaces parameter instead, and specify the list of projects that you want to back up.

    Note: The --tenant-operator-namespace and --include-namespaces parameters are mutually exclusive.
    cpd-cli oadp backup create <backup-name1> \
    --tenant-operator-namespace ${PROJECT_CPD_INST_OPERATORS} \
    --include-resources='namespaces,operatorgroups,roles,rolebindings,serviceaccounts,customresourcedefinitions.apiextensions.k8s.io,securitycontextconstraints.security.openshift.io,configmaps,namespacescopes,commonservices,clusters.postgresql.k8s.enterprisedb.io' \
    --skip-hooks \
    --log-level=debug \
    --verbose
    In an air-gapped environment, additionally specify the appropriate --image-prefix.
    The cluster pulls images from the IBM Entitled Registry
    Restriction: This option is available only if the cluster can connect to the internet.
    4.8.0-4.8.3:
    cpd-cli oadp backup create <backup-name1> \
    --tenant-operator-namespace ${PROJECT_CPD_INST_OPERATORS} \
    --include-resources='namespaces,operatorgroups,roles,rolebindings,serviceaccounts,customresourcedefinitions.apiextensions.k8s.io,securitycontextconstraints.security.openshift.io,configmaps,namespacescopes,commonservices,clusters.postgresql.k8s.enterprisedb.io' \
    --skip-hooks \
    --image-prefix=registry.redhat.io/ubi8 \
    --log-level=debug \
    --verbose
    4.8.4 or later:
    cpd-cli oadp backup create <backup-name1> \
    --tenant-operator-namespace ${PROJECT_CPD_INST_OPERATORS} \
    --include-resources='namespaces,operatorgroups,roles,rolebindings,serviceaccounts,customresourcedefinitions.apiextensions.k8s.io,securitycontextconstraints.security.openshift.io,configmaps,namespacescopes,commonservices,clusters.postgresql.k8s.enterprisedb.io' \
    --skip-hooks \
    --image-prefix=registry.redhat.io/ubi9 \
    --log-level=debug \
    --verbose

    The cluster pulls images from a private container registry
    Restriction: This option is available only if an administrator moved the backup and restore images to the private container registry. For details, see Moving images for the cpd-cli to the private container registry.
    4.8.0-4.8.3:
    cpd-cli oadp backup create <backup-name1> \
    --tenant-operator-namespace ${PROJECT_CPD_INST_OPERATORS} \
    --include-resources='namespaces,operatorgroups,roles,rolebindings,serviceaccounts,customresourcedefinitions.apiextensions.k8s.io,securitycontextconstraints.security.openshift.io,configmaps,namespacescopes,commonservices,clusters.postgresql.k8s.enterprisedb.io' \
    --skip-hooks \
    --image-prefix=${PRIVATE_REGISTRY_LOCATION}/ubi8 \
    --log-level=debug \
    --verbose
    4.8.4 or later:
    cpd-cli oadp backup create <backup-name1> \
    --tenant-operator-namespace ${PROJECT_CPD_INST_OPERATORS} \
    --include-resources='namespaces,operatorgroups,roles,rolebindings,serviceaccounts,customresourcedefinitions.apiextensions.k8s.io,securitycontextconstraints.security.openshift.io,configmaps,namespacescopes,commonservices,clusters.postgresql.k8s.enterprisedb.io' \
    --skip-hooks \
    --image-prefix=${PRIVATE_REGISTRY_LOCATION}/ubi9 \
    --log-level=debug \
    --verbose

  6. Create a backup of Kubernetes resources and volume data (excluding EDB Postgres clusters), and provide a name for the backup.

    The following command creates a restic backup. You can restore only a restic backup to a different cluster.

    cpd-cli oadp backup create <backup-name2> \
    --tenant-operator-namespace ${PROJECT_CPD_INST_OPERATORS} \
    --exclude-tenant-operator-namespace=true \
    --exclude-resources='event,event.events.k8s.io,imagetags.openshift.io,operatorgroups,roles,rolebindings,serviceaccounts,customresourcedefinitions.apiextensions.k8s.io,securitycontextconstraints.security.openshift.io,catalogsources.operators.coreos.com,subscriptions.operators.coreos.com,clusterserviceversions.operators.coreos.com,installplans.operators.coreos.com,operandconfig,operandregistry,operandrequest,clients.oidc.security.ibm.com,authentication.operator.ibm.com,namespacescopes,commonservices,clusters.postgresql.k8s.enterprisedb.io,certificaterequests.cert-manager.io,orders.acme.cert-manager.io,challenges.acme.cert-manager.io' \
    --default-volumes-to-restic \
    --snapshot-volumes=false \
    --cleanup-completed-resources \
    --log-level=debug \
    --verbose
    In an air-gapped environment, additionally specify the appropriate --image-prefix.
    The cluster pulls images from the IBM Entitled Registry
    Restriction: This option is available only if the cluster can connect to the internet.
    4.8.0-4.8.3:
    cpd-cli oadp backup create <backup-name2> \
    --tenant-operator-namespace ${PROJECT_CPD_INST_OPERATORS} \
    --exclude-tenant-operator-namespace=true \
    --exclude-resources='event,event.events.k8s.io,imagetags.openshift.io,operatorgroups,roles,rolebindings,serviceaccounts,customresourcedefinitions.apiextensions.k8s.io,securitycontextconstraints.security.openshift.io,catalogsources.operators.coreos.com,subscriptions.operators.coreos.com,clusterserviceversions.operators.coreos.com,installplans.operators.coreos.com,operandconfig,operandregistry,operandrequest,clients.oidc.security.ibm.com,authentication.operator.ibm.com,namespacescopes,commonservices,clusters.postgresql.k8s.enterprisedb.io,certificaterequests.cert-manager.io,orders.acme.cert-manager.io,challenges.acme.cert-manager.io' \
    --default-volumes-to-restic \
    --snapshot-volumes=false \
    --cleanup-completed-resources \
    --image-prefix=registry.redhat.io/ubi8 \
    --log-level=debug \
    --verbose
    4.8.4 or later:
    cpd-cli oadp backup create <backup-name2> \
    --tenant-operator-namespace ${PROJECT_CPD_INST_OPERATORS} \
    --exclude-tenant-operator-namespace=true \
    --exclude-resources='event,event.events.k8s.io,imagetags.openshift.io,operatorgroups,roles,rolebindings,serviceaccounts,customresourcedefinitions.apiextensions.k8s.io,securitycontextconstraints.security.openshift.io,catalogsources.operators.coreos.com,subscriptions.operators.coreos.com,clusterserviceversions.operators.coreos.com,installplans.operators.coreos.com,operandconfig,operandregistry,operandrequest,clients.oidc.security.ibm.com,authentication.operator.ibm.com,namespacescopes,commonservices,clusters.postgresql.k8s.enterprisedb.io,certificaterequests.cert-manager.io,orders.acme.cert-manager.io,challenges.acme.cert-manager.io' \
    --default-volumes-to-restic \
    --snapshot-volumes=false \
    --cleanup-completed-resources \
    --image-prefix=registry.redhat.io/ubi9 \
    --log-level=debug \
    --verbose

    The cluster pulls images from a private container registry
    Restriction: This option is available only if an administrator moved the backup and restore images to the private container registry. For details, see Moving images for the cpd-cli to the private container registry.
    4.8.0-4.8.3:
    cpd-cli oadp backup create <backup-name2> \
    --tenant-operator-namespace ${PROJECT_CPD_INST_OPERATORS} \
    --exclude-tenant-operator-namespace=true \
    --exclude-resources='event,event.events.k8s.io,imagetags.openshift.io,operatorgroups,roles,rolebindings,serviceaccounts,customresourcedefinitions.apiextensions.k8s.io,securitycontextconstraints.security.openshift.io,catalogsources.operators.coreos.com,subscriptions.operators.coreos.com,clusterserviceversions.operators.coreos.com,installplans.operators.coreos.com,operandconfig,operandregistry,operandrequest,clients.oidc.security.ibm.com,authentication.operator.ibm.com,namespacescopes,commonservices,clusters.postgresql.k8s.enterprisedb.io,certificaterequests.cert-manager.io,orders.acme.cert-manager.io,challenges.acme.cert-manager.io' \
    --default-volumes-to-restic \
    --snapshot-volumes=false \
    --cleanup-completed-resources \
    --image-prefix=${PRIVATE_REGISTRY_LOCATION}/ubi8 \
    --log-level=debug \
    --verbose
    4.8.4 or later:
    cpd-cli oadp backup create <backup-name2> \
    --tenant-operator-namespace ${PROJECT_CPD_INST_OPERATORS} \
    --exclude-tenant-operator-namespace=true \
    --exclude-resources='event,event.events.k8s.io,imagetags.openshift.io,operatorgroups,roles,rolebindings,serviceaccounts,customresourcedefinitions.apiextensions.k8s.io,securitycontextconstraints.security.openshift.io,catalogsources.operators.coreos.com,subscriptions.operators.coreos.com,clusterserviceversions.operators.coreos.com,installplans.operators.coreos.com,operandconfig,operandregistry,operandrequest,clients.oidc.security.ibm.com,authentication.operator.ibm.com,namespacescopes,commonservices,clusters.postgresql.k8s.enterprisedb.io,certificaterequests.cert-manager.io,orders.acme.cert-manager.io,challenges.acme.cert-manager.io' \
    --default-volumes-to-restic \
    --snapshot-volumes=false \
    --cleanup-completed-resources \
    --image-prefix=${PRIVATE_REGISTRY_LOCATION}/ubi9 \
    --log-level=debug \
    --verbose

  7. Check the status of the backup:
    cpd-cli oadp backup status <backup-name> \
    --details

    In the output, check that the Phase is Completed, and that the Resource List contains a VolumeSnapshot for each PVC.

    A list of completed restic backups appears at the end of the output. For example:
    Restic Backups:
    
    Completed:
    
    cpd-instance/cpdbr-vol-mnt: export-zen-minio-0-vol, export-zen-minio-1-vol, export-zen-minio-2-vol, ibm-zen-cs-mongo-backup-vol, ibm-zen-objectstore-backup-pvc-vol
    
    cpd-instance/zen-metastore-edb-2: pgdata 
  8. To view a list of existing backups, run the following command:
    cpd-cli oadp backup list
  9. To view backup logs, run the following command:
    cpd-cli oadp backup logs <backup-name>
  10. To delete a backup for cleanup purposes, run the following command:
    cpd-cli oadp backup delete <backup-name>

What to do next

If a backup fails, you must return Cloud Pak for Data to a good state before you can retry a backup. Run the following command:
cpd-cli oadp backup posthooks --hook-kind=br --tenant-operator-namespace=${PROJECT_CPD_INST_OPERATORS}

If you have services that connect to an external database, such as for business intelligence (BI) reporting, it is recommended that you also back up the database. Backing up the external database ensures data consistency if the Cloud Pak for Data backup is later restored. For example, you need to restore an older Cloud Pak for Data backup instead of the most recent backup. The external database is synchronized with the most recent Cloud Pak for Data backup, so it has data that is not in the backup that you want to restore. To maintain data consistency, you need to restore the external database backup that was taken at the same time as the Cloud Pak for Data backup.