Overview of Container Backup Support

IBM Spectrum® Protect Plus Container Backup Support protects data of persistent volumes, namespace-scoped resources, and cluster-scoped resources that are associated with containers in a Kubernetes or Red Hat® OpenShift® environment. You can run snapshot backup operations to create locally stored snapshots on the cluster, or you can run backup copies to a vSnap server or object storage on the cloud for longer-term retention.

Data of persistent volumes, namespace-scoped resources, and cluster-scoped resources can be protected by using a container service level agreement (SLA) policy that specifies how often snapshot and copy backups are created and how long they are retained. If data on the original volume is damaged or lost, the volume can be restored from either the snapshot or copy backups on the vSnap server or object storage. If data in any resource is damaged or lost, that data can also be restored.

Supported storage types

Container Backup Support protects volume data that was allocated by a storage plug-in that supports the Container Storage Interface (CSI) provided for Kubernetes. Container Backup Support is fully tested with Ceph® RADOS Block Device (RBD), Ceph File System (CephFS), IBM Spectrum Scale, and IBM Spectrum Virtualize storage environments. The CSI plug-in provides snapshot capabilities that are used for backup operations.

For persistent volumes with a block-based storage type, such as Ceph RBD and IBM Spectrum Virtualize, block-based copy backup and restore operations are performed. For persistent volumes with a file system-based storage type, such as CephFS and IBM Spectrum Scale, file-based, incremental copy backup and restore operations are performed. During incremental backups, only new and changed data is copied to the IBM Spectrum Protect Plus vSnap server.

For IBM Spectrum Scale backup operations, snapshots can be created only from independent fileset-based persistent volume claims (PVCs). PVCs that are based on lightweight directories and dependent filesets are not supported. These types of PVCs are automatically filtered and are not displayed in the container inventory in the IBM Spectrum Protect Plus user interface.

Supported cloud storage systems

You can back up Red Hat OpenShift or Kubernetes container data directly to object storage in the cloud without using the IBM Spectrum Protect Plus vSnap server as intermediary storage. The backup operations to cloud storage are independent of a vSnap server, so the installation of a vSnap server is not required unless you want to create additional backup copies on the vSnap server.

The following cloud storage systems are supported for container workloads:
  • Amazon Simple Storage Service (Amazon S3)
  • IBM Cloud® Object Storage
  • Microsoft Azure Blob storage
  • S3 compatible storage
Limitations:
  • For IBM Cloud Object Storage, support for retention-enabled vaults is not available.
  • For S3 compatible storage, generic S3 support is based on external certification processes. For the list of supported S3 compatible providers, see technote 1087149.

To back up container data directly to cloud storage, you must register your cloud storage system as a cloud storage provider for backups. Then, create an SLA policy that specifies object storage as the primary backup storage type, and associate the SLA to the PVCs, namespace-scoped resources, or cluster-scoped resources that you want to protect.

Deployment overview

Container Backup Support can be deployed on a private cloud environment on a Red Hat OpenShift Container Platform or Kubernetes cluster. In addition, Container Backup Support can run on Red Hat OpenShift Container Platform that is deployed in Microsoft Azure Red Hat OpenShift service or in Azure cloud that is customer-managed.

Operator Lifecycle Manager is used to install, manage, and upgrade the Container Backup Support operator. The operator watches for events on the ibmsppc custom resource and reacts with specific actions on the Container Backup Support operator.

The following figure shows how Container Backup Support is deployed in the Red Hat OpenShift environment:
Figure 1. Red Hat OpenShift deployment diagram
The following figure shows how Container Backup Support is deployed in the Kubernetes environment:
Figure 2. Kubernetes deployment diagram

If you want to deploy Container Backup Support as a snapshot-only solution, the installation of the IBM Spectrum Protect Plus vSnap server is not required. When a schedule is run, snapshots are saved only on the storage system in your cluster; data is not copied to the vSnap server. With a snapshot-only deployment, data cannot be restored to another cluster.

Data mover container

Two types of data movers are deployed with IBM Spectrum Protect Plus. One is deployed as a container in a namespace where persistent volume claims (PVCs) exist. The other type, MinIO for resources, is deployed to the BaaS namespace. Data mover containers communicate with the IBM Spectrum Protect Plus instance outside of the Kubernetes or Red Hat OpenShift environment for copy backup support as follows:
  • The first type of data mover is deployed in the application namespaces.
  • The second type of data mover is deployed in the BaaS namespace and copies resource data from MinIO to the vSnap server.

Container Backup Support uses PVCs to identify the persistent volumes to back up. For copy backup operations, when a schedule is run, snapshots and copy backups of a PVC are created at the time intervals that are specified by the SLA. The data mover copies the data and records the snapshot backups in the IBM Spectrum Protect Plus Jobs and Operations window. Snapshots that are created by on-demand backups are also recorded in IBM Spectrum Protect Plus.

Kafka cluster

The Kafka cluster handles messaging operations between the application agent and data movers. The Kafka cluster is managed by the Strimzi operator, which implements clusters of Apache Kafka. An operator is a container that configures, installs, maintains, and uninstalls, in this case, the Apache Kafka containers.

For example, the Kafka cluster is described by the following pods:

baas-entity-operator-c99f4c49b-p9v9c                3/3     Running            1          24m
baas-kafka-0                                        2/2     Running            0          23m
baas-zookeeper-0                                    1/1     Running            0          23m
baas-zookeeper-1                                    1/1     Running            0          35m
baas-zookeeper-2                                    1/1     Running            0          30m
strimzi-cluster-operator-v0.24.0-5c5cdcb4d4-ffbjt   1/1     Running            0          24m

The Kafka cluster consists of three zookeeper pods that form the storage system for Kafka, and a single Kafka application pod that sends and retrieves messages. The entity-operator pod is installed by the cluster-operator pod to manage local changes to the cluster. The cluster-operator pod is the only deployment that is described in the installation. The cluster-operator pod is called strimzi-cluster-operator.
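The topology described above can be checked mechanically. The following shell function is an added example, not part of the IBM documentation: it reads a `kubectl get pods` listing and verifies that it contains three zookeeper pods, one Kafka pod, one entity-operator pod, and the strimzi-cluster-operator pod, all running and fully ready. The function names and the namespace placeholder are assumptions; the pod name prefixes and the sample listing are taken from the example listing above.

```shell
#!/bin/sh
# Added example: validate a `kubectl get pods --no-headers` listing
# (columns: NAME READY STATUS RESTARTS AGE) against the Kafka topology above.
# Pod name prefixes are taken from the example listing; adjust if yours differ.
# Usage: kubectl get pods -n <baas-namespace> --no-headers | check_baas_kafka

check_baas_kafka() {
    awk '
    {
        name = $1; status = $3
        split($2, r, "/")                        # READY column, for example 2/2
        if (name ~ /^baas-zookeeper-[0-9]+$/)          kind = "zookeeper"
        else if (name ~ /^baas-kafka-[0-9]+$/)         kind = "kafka"
        else if (name ~ /^baas-entity-operator-/)      kind = "entity-operator"
        else if (name ~ /^strimzi-cluster-operator-/)  kind = "cluster-operator"
        else next                                # not part of the Kafka cluster
        seen[kind]++
        if (status != "Running" || r[1] != r[2]) {
            printf "NOT READY: %s (%s, %s)\n", name, $2, status
            bad = 1
        }
        if ($4 + 0 > 0) printf "note: %s has restarted %d time(s)\n", name, $4
    }
    END {
        want["zookeeper"] = 3; want["kafka"] = 1
        want["entity-operator"] = 1; want["cluster-operator"] = 1
        for (k in want)
            if (seen[k] + 0 != want[k]) {
                printf "COUNT: expected %d %s pod(s), found %d\n", want[k], k, seen[k] + 0
                bad = 1
            }
        exit bad                                 # 0 = matches the described topology
    }'
}

# Sample input: the pod listing shown above, embedded so the example runs offline.
page_listing() {
    cat <<'EOF'
baas-entity-operator-c99f4c49b-p9v9c                3/3     Running            1          24m
baas-kafka-0                                        2/2     Running            0          23m
baas-zookeeper-0                                    1/1     Running            0          23m
baas-zookeeper-1                                    1/1     Running            0          35m
baas-zookeeper-2                                    1/1     Running            0          30m
strimzi-cluster-operator-v0.24.0-5c5cdcb4d4-ffbjt   1/1     Running            0          24m
EOF
}

page_listing | check_baas_kafka && echo "Kafka cluster matches the expected topology"
```

A nonzero exit status means that a pod is missing, duplicated, or not fully ready, which is worth investigating before relying on scheduled copy backups.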

The Strimzi operator is installed as part of the Container Backup Support product. When you update Container Backup Support, Strimzi is updated automatically.

Multitenancy support

Container Backup Support manages backup and restore operations by using custom resources. All backup and restore objects belong to a Kubernetes or Red Hat OpenShift namespace. The cluster administrator can restrict access to these objects. With controlled access, multiple users can run backup and restore requests in the same Kubernetes or Red Hat OpenShift cluster. The backup and restore objects inherit a namespace from the PVC that identifies the persistent volume for backup and restore operations. For more information about multitenancy, see Security features in Container Backup Support.

Red Hat OpenShift Virtualization support

In Red Hat OpenShift clusters with the Red Hat OpenShift Virtualization feature, virtual machines (VMs) that are running within a Red Hat OpenShift container are protected during Container Backup Support backup jobs. The VMs must be allocated on storage that supports CSI.

All backup operations are PVC-based. VMs are protected as part of PVC backup jobs. The backup operation has no explicit knowledge of workloads that are running within the PVC. To back up or restore a VM, use Container Backup Support to back up or restore the relevant PVC. You can also back up and restore cluster-scoped or namespace-scoped resources. Custom resource data for VMs is saved during resource backup jobs.

Important: For data to be consistent, the VMs must be powered off before a backup or restore job begins. After you restore a PVC, use the restored PVC as the source to re-create the VM. For more information, see Preparing to restore persistent volumes that have VMs on OpenShift clusters.