IBM Support

Kubernetes backup and restore requirements: IBM Spectrum Protect Plus V10.1.6

Preventive Service Planning


Abstract

This document details the Kubernetes backup and restore requirements for IBM Spectrum Protect Plus Version 10.1.6.

Content

This document is divided into linked sections for ease of navigation. Use the following links to jump to the section of the document that you require:


General

Beginning with IBM Spectrum Protect Plus V10.1.5, support was added to protect persistent volumes that are attached to containers in Kubernetes clusters by using the Kubernetes command line. In IBM Spectrum Protect Plus V10.1.6, backup support for containers is extended to the IBM Spectrum Protect Plus user interface.

Before you deploy IBM Spectrum Protect Plus V10.1.6 Kubernetes Backup Support in the Kubernetes environment, ensure that the system environment meets the requirements.

In V10.1.6, Kubernetes Backup Support is available only in English.



 


Configuration

Application versions

Docker containers are supported in Kubernetes Backup Support.


 

Operating systems

Table 1. Coverage matrix for supported operating systems on Linux® x86_64

IBM Spectrum Protect Plus RHEL 7.6 RHEL 7.7 RHEL 7.8
 V10.1.5 --
 V10.1.6


 

Additional requirements

IBM Spectrum Protect Plus V10.1.6 supports the following software and systems:

  • Kubernetes v1.18 and later patches and updates
  • Kubernetes v1.17 and later patches and updates
  • Kubernetes v1.16 and later patches and updates
  • Ceph Container Storage Interface (CSI) driver 1.2, 2.0, and 2.1 with Rados Block Device (RBD) storage
  • Helm v2.16.1 and later
    Restriction: Helm v3 is not supported.

If you are using the following Kubernetes and Ceph CSI driver versions, use IBM Spectrum Protect Plus V10.1.5:

  • Kubernetes v1.13 and later patches and updates
  • Kubernetes v1.14 and later patches and updates
  • Kubernetes v1.15 and later patches and updates
  • Ceph CSI driver 1.1 with RBD storage

For information about Kubernetes releases, see Kubernetes Release Versioning

To install and configure container backup support, you must deploy the Kubernetes Backup Support software in the Kubernetes environment. For instructions, see Installing Kubernetes Backup Support


 

Restrictions

  • Backup operations for raw block volumes are not supported.
  • To ensure that a restore request works correctly, do not manually delete any snapshots of volumes that are protected by Kubernetes Backup Support.
  • You cannot restore a snapshot or copy backup to a different namespace or cluster.
  • You cannot restore a snapshot or copy backup to the original persistent volume.
  • You can restore a snapshot or copy backup only to a new persistent volume. The persistent volume claim (PVC) for the new volume is automatically created during the restore operation.
  • A rollback to a previous version of Kubernetes Backup Support is not supported. In other words, you cannot use Kubernetes Backup Support V10.1.5 to restore data that was backed up by Kubernetes Backup Support V10.1.6.
  • Upgrading the product from Kubernetes Backup Support V10.1.5 is not supported.
  • Due to underlying changes in the BaaSReq object in Kubernetes Backup Support V10.1.6, you cannot use Kubernetes Backup Support V10.1.6 to restore data that was backed up by Kubernetes Backup Support V10.1.5.



 


Software

Cluster prerequisites

Ensure that the following cluster prerequisites are met:
  • Kubernetes Backup Support protects only persistent storage that was allocated by a storage plug-in that supports the CSI.
  • You must be running a Kubernetes cluster with CSI support.
  • Persistent storage must be provided by the CSI driver, which must support CSI snapshot capabilities.
  • CSI snapshot support must be enabled on the kubectl command line.
  • The Kubernetes command line tool kubectl must be accessible on the installation host and in the local path.
  • Only formatted volumes can be mounted to the data mover for copy operations.
  • Optional: To help optimize product performance and scalability, ensure that Kubernetes Metrics Server v0.3.5 or later is installed and running on your cluster. For instructions, see Verifying whether the metrics server is running 
  • For Kubernetes v1.16, copy backup and snapshot restore operations require the VolumeSnapshotDataSource alpha feature to be enabled. To enable the VolumeSnapshotDataSource alpha feature, you must patch the Kubernetes scheduler, controller, and API server. For instructions, see Enabling the VolumeSnapshotDataSource feature
  • A storage class must be defined for the persistent volumes that are being protected.
  • The target image registry must be accessible from the Kubernetes cluster. The target image registry can be a local image registry or an external image registry. For an external image registry, you can configure the image pull secret to secure your environment.  For instructions, see Creating an image-pull secret for use with an external registry
  • The host that is used to install Kubernetes Backup Support must be using a kubeconfig file with cluster-admin privileges, KUBECONFIG, and the Helm client must be installed.
  • To create new cluster-wide resources, you must be logged in to the target cluster as a user with cluster-admin privileges.
  • Ensure that Kubernetes Backup Support secrets that include user IDs, passwords, and keys are encrypted at rest in the etcd distributed key-value store. For more information, see Encrypting Secret Data at Rest
     


 

Helm prerequisites

  • The Helm tool must be configured on the target cluster so that a new deployment can be run with the helm command line. Deploying a package with Helm enables cluster-wide role-based access control (RBAC) rules and role bindings to be generated.
  • For the Kubernetes cluster, to install Helm as root user with the Kubernetes administrative user account, run the following script, which is included in the installation package:
    ./helm_install_k8s.sh


 

IBM Spectrum Protect Plus prerequisites

External, non-container components such as IBM Spectrum Protect Plus and the IBM Spectrum Protect Plus vSnap server must be provisioned and configured by the IBM Spectrum Protect Plus administrator:

  • An administrative account for Kubernetes Backup Support must be configured on IBM Spectrum Protect Plus.
    This administrative account can be configured as a global Lightweight Directory Access Protocol (LDAP) account in the data center. This global account is required for access to all external components that Kubernetes Backup Support operates with.
    You must specify this account name in the BAAS_ADMIN parameter in the baas_config.cfg configuration file before you deploy Kubernetes Backup Support. The baas_config.cfg is located in the installer directory. For instructions, see Installing and deploying Kubernetes Backup Support images
  • An IBM Spectrum Protect Plus instance must be deployed and licensed as a VMware virtual appliance.
    Network connectivity must exist to and from the target cluster. The IBM Spectrum Protect Plus Internet Protocol (IP) address and port number must be specified in the baas_config.cfg file before you deploy Kubernetes Backup Support. Only one port (443) can be specified for use with all IBM Spectrum Protect Plus instances.
  • An IBM Spectrum Protect Plus vSnap instance must be deployed as a VMware virtual appliance.
    • Network connectivity must exist to and from the target Kubernetes cluster and IBM Spectrum Protect Plus vSnap instance.
    • The vSnap instance must be configured as an external vSnap server for storing backups. For instructions, see Installing vSnap servers
    • If backups are encrypted at rest, ensure that enough capacity is allocated for encryption on the vSnap server.



 


Authentication and privileges

  • Ensure that you specify the username for the IBM Spectrum Protect Plus administrative account in the baas_config.cfg configuration file. For more information, see Installing and deploying Kubernetes Backup Support images
  • To access the device that is associated with the persistent volume, the data mover container must be a privileged container.
  • Depending on their role, enterprise application developers and backup administrators interact with different user interfaces to protect persistent data in containers, as described in User roles



 


Prerequisites and Operations

Prerequisites


 

Operations

Before you start a backup or restore operation:

  • After Kubernetes Backup Support is installed, the application host for the Kubernetes Backup Support container is automatically registered upon startup of the cluster host in Kubernetes. When a cluster is registered with IBM Spectrum Protect Plus, an inventory of the resources in the cluster is automatically captured, enabling you to complete backup and restore jobs, and run reports.
  • To protect persistent volumes that are attached to a Kubernetes cluster, create service level agreement (SLA) policies and create jobs for backup and restore operations in the IBM Spectrum Protect Plus user interface.  If you do not plan to use the default SLA policy for containers, ensure that you configure an SLA policy. For instructions, see Creating an SLA policy for Kubernetes clusters
  • Ensure that appropriate roles and resource groups are assigned to the user who runs the backup job. Before an IBM Spectrum Protect Plus user can implement backup and restore operations, roles and resource groups must be assigned to the user. For instructions, see Managing user access
  • Backup requests are directed to PVCs for the volumes that you want to protect. Before you schedule a backup job, take the following actions:
    • Ensure that the PVC exists within the specified namespace.
    • Ensure that the PVC is formatted. PVCs must be formatted before they can be backed up. For a PVC to be formatted correctly, it must be mounted and written to. Backup operations of raw block volumes are not supported.
    • Determine which SLA policy to assign to PVCs. For instructions about viewing the available SLA policies, see SLA policies
    • If a PVC is associated with multiple SLA policies, ensure that the policies are not scheduled to run concurrently. Either schedule the SLA policies to run with a significant amount of time between them, or combine them into a single SLA policy.

Review the following information about creating backup and restore jobs:



 


Connectivity

Ensure that the following connectivity requirements are met:

  • The secure file transfer protocol (SFTP) subsystem for Secure Shell (SSH) is enabled.
  • The Secure Shell (SSH) service is running on Kubernetes NodePort services.
  • Firewalls are configured to allow IBM Spectrum Protect Plus to connect data mover containers by using SSH over the NodePort port range of the Kubernetes cluster. The NodePort service allows the specific port in the NodePort range to be determined by Kubernetes at run time.
  • IBM Spectrum Protect Plus uses the Network File System (NFS) protocol to mount storage volumes for backup and restore operations. Ensure that the native Linux NFS client is installed on the proxy host server.
  • All servers, proxies, applications, and hypervisors that are added to the IBM Spectrum Protect Plus environment must be registered by using a Domain Name System (DNS) name or Internet Protocol (IP) address.
  • If DNS names are used, they must be resolvable over the network by the IBM Spectrum Protect Plus virtual appliance server and the vSnap server. All IBM Spectrum Protect Plus components must also be resolvable by their DNS names.
  • If DNS is not available, you must add the server to the /etc/hosts file on the IBM Spectrum Protect Plus virtual appliance by using the command line.



 


Ports

The following ports are used by IBM Spectrum Protect Plus agents.

Table 2. Communication ports when the target is an IBM Spectrum Protect Plus agent
Port Protocol Initiator Target Description
Assigned by the NodePort service in Kubernetes Transmission Control Protocol (TCP) IBM Spectrum Protect Plus virtual appliance1 Kubernetes Used by IBM Spectrum Protect Plus to connect to the data mover container to deploy and run agents

1 Refers to the IBM Spectrum Protect Plus server, which is a component of the IBM Spectrum Protect Plus virtual appliance, as described in Product components

For SSH connections between containers in the Kubernetes environment, port 22 is used. For all other connections, whether on the Kubernetes hosts or outside the cluster, the port that the NodePort service assigned at run time is used.

Table 3. Communication ports when the initiator is the IBM Spectrum Protect Plus agent
Port Protocol Initiator Target Description
111 TCP Kubernetes vSnap server Allows Open Network Computing (ONC) clients to discover ports for communication with ONC servers
443 TCP Kubernetes vSnap server Used for IBM Spectrum Protect Plus issued commands to run backup, restore, inventory, and other configuration operations
2049 TCP Kubernetes vSnap server Used for NFS data transfer to and from vSnap servers
20048 TCP Kubernetes vSnap server Mounts vSnap file systems on clients such as the VMware vStorage API for Data Protection (VADP) proxy, application servers, and virtualization datastores



 

[{"Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Product":{"code":"SSNQFQ","label":"IBM Spectrum Protect Plus"},"Component":"Not Applicable","Platform":[{"code":"PF016","label":"Linux"}],"Version":"10.1.6","Edition":"","Line of Business":{"code":"LOB26","label":"Storage"}}]

Document Information

Modified date:
09 June 2020

UID

ibm12489223