Preventive Service Planning
Abstract
This document details the container backup and restore requirements for IBM Spectrum Protect Plus 10.1.10.
Content
This document is divided into linked sections. Use the following links to go to the section of the document that you require.
- General
- Configuration
- Software
- Connectivity
- Authentication and privileges
- Prerequisites and operations
- Ports
- Hardware
Beginning with IBM Spectrum Protect Plus 10.1.5, support was added to protect persistent volume claims that are attached to containers in Kubernetes clusters. Operations were initiated by using the Kubernetes command line.
In IBM Spectrum Protect Plus 10.1.10, for Kubernetes deployments, Ingress is now the preferred load balancer and default setting for external communication between the IBM Spectrum Protect Plus server and the Container Backup Support agent.
Applications | |
Docker client | 17.09.00 and later |
CRI-O(1) | 1.21 or later updates (Beginning with 10.1.10) |
Note: (1) CRI-O follows the Kubernetes release cycles. For more information, see compatibility matrix between CRI-O and Kubernetes.
The supported architecture for all Container Backup Support levels is AMD64.
Operating environment | |
Red Hat OpenShift Container Platform (OCP)(1) | 4.7 or later updates (Beginning with 10.1.8); 4.8 or later updates (Beginning with 10.1.8 ifix2); 4.9 or later updates (Beginning with 10.1.9 ifix3); 4.10 or later updates (Beginning with 10.1.10.2) |
Red Hat OpenShift Data Foundation (ODF)(2) (formerly Red Hat OpenShift Container Storage (OCS)) | 4.7 or later updates (Beginning with 10.1.8 patch1); 4.8 or later updates (Beginning with 10.1.8 ifix2); 4.9 or later updates (Beginning with 10.1.9 ifix3) |
Operating environment support | |
Red Hat OpenShift | Deployed in a private cloud environment |
Red Hat OpenShift | Deployed in Microsoft Azure Red Hat OpenShift service or Deployed in Azure cloud (customer managed) |
Note:
- (1) For Red Hat OpenShift Container Platform 4.6, use IBM Spectrum Protect Plus 10.1.8.
- (2) For Red Hat OpenShift Data Foundation 4.6, use IBM Spectrum Protect Plus 10.1.9.
- Red Hat OpenShift Container Platform levels supported in earlier IBM Spectrum Protect Plus reached end of life, see Red Hat OpenShift Container Platform Life Cycle Policy.
- Velero is used to protect cluster-scoped and namespace-scoped resources. Red Hat OpenShift API for Data Protection (OADP) operator, which comprises Velero, is included in IBM Spectrum Protect Plus 10.1.9 and later.
Storage | Storage version | Corresponding CSI Driver | CSI Driver Version |
External Ceph file system (CephFS) | Red Hat OpenShift recommended version(1) (Beginning with 10.1.8) | Ceph Container Storage Interface (CSI) driver with Ceph FS storage | Installed with OCS, or v3.2.2 or later (2) (Beginning with 10.1.10) |
Ceph Rados Block Device (RBD) | Red Hat OpenShift recommended version(1) (Beginning with 10.1.7) | Ceph Container Storage Interface (CSI) driver with Rados Block Device | Installed with OCS, or v3.2.2 or later (2) (Beginning with 10.1.10) |
IBM block storage | n/a | IBM block storage CSI for virtualized storage(3) | 1.6 or later (Beginning with 10.1.8 ifix2); 1.7 or later (Beginning with 10.1.9); 1.8 or later (Beginning with 10.1.10) |
IBM Spectrum Scale | 5.1.1 or later updates (Beginning with 10.1.8) | IBM Spectrum Scale CSI driver(4) | 2.2.0 or later updates (Beginning with 10.1.8) |
Hitachi NAS (HNAS) | n/a | Hitachi NAS CSI Driver for Kubernetes | v1.1.1 or later (Beginning with 10.1.9) |
NetApp storage | n/a | CSI Trident for Kubernetes(5) | v21 or later (Beginning with 10.1.9) |
Note:
- (1) If you use Rook.io to install Ceph Storage Cluster, use the Rook.io Cloud Native Storage 1.4 or later.
- (2) For the Ceph CSI driver for RBD and CephFS, see the Ceph CSI readme file. Due to vulnerabilities in earlier levels, install Ceph-CSI driver v3.2.2 or a later level.
- (3) For IBM block storage CSI driver supported orchestration platforms, see under IBM block storage CSI driver>Release Notes>Compatibility and requirements.
  Note: For a table of IBM block storage CSI driver lifecycle, see Lifecycle and support matrix.
- (4) For IBM Spectrum Scale backups: Snapshots can be created only from independent fileset-based persistent volume claims (PVCs). PVCs that are based on lightweight directories and dependent file sets are not supported. These types of PVCs are automatically filtered and are not displayed in the container inventory in the IBM Spectrum Protect Plus user interface.
- (5) ONTAP driver must support VolumeMode Filesystem. VolumeMode Block is not supported.
Operating environment | |
Kubernetes(1) | 1.21 or later updates (Beginning with 10.1.8 patch1); 1.22 or later updates (Beginning with 10.1.9); 1.23 or later updates (Beginning with 10.1.10) |
Operating environment support | |
Kubernetes | Deployed in a private cloud environment |
More tools | |
Velero to protect cluster-scoped and namespace-scoped resources (2)(3)(4) | 1.7.1 or later updates (Beginning with 10.1.9) 1.8.0 or later updates (Beginning with 10.1.10) |
Notes:
- (1) Kubernetes levels supported in earlier IBM Spectrum Protect Plus reached end of life, see Kubernetes Patch Releases.
- (2) For instructions on installing Velero, see: Installing and configuring Velero.
  Note: For supported Kubernetes versions for each Velero version, see Velero compatibility matrix.
- (3) If an instance of Velero is already installed in the cluster, you must install and configure another instance of Velero. For more information, see Installing a second instance of Velero.
- (4) For Velero versions supported in earlier IBM Spectrum Protect Plus levels, search for container backup and restore requirements under IBM Spectrum Protect Plus - All Requirements Doc.
Storage | Storage version | Corresponding CSI Driver | CSI Driver Version |
External Ceph file system (CephFS) | On Ceph Storage Cluster 15.2.8 or later (1) (Beginning with 10.1.8) | Ceph Container Storage Interface (CSI) driver with Ceph FS storage | v3.2.2 or later (2) (Beginning with 10.1.10) |
Ceph Rados Block Device (RBD)(3) | On Ceph Storage Cluster 15.2.8 or later (1) (Beginning with 10.1.10) | Ceph Container Storage Interface (CSI) driver with Rados Block Device (RBD) storage | v3.2.2 or later (2) (Beginning with 10.1.10) |
IBM block storage | n/a | IBM block storage CSI for virtualized storage(4) | 1.6 or later (Beginning with 10.1.8 ifix2); 1.7 or later (Beginning with 10.1.9); 1.8 or later (Beginning with 10.1.10) |
IBM Spectrum Scale | 5.1.1 or later updates (Beginning with 10.1.8) | IBM Spectrum Scale CSI driver(5) | 2.2.0 or later updates (Beginning with 10.1.8) |
Hitachi NAS (HNAS) | n/a | Hitachi NAS CSI Driver for Kubernetes | v1.1.1 or later (Beginning with 10.1.9) |
NetApp storage | n/a | CSI Trident for Kubernetes(6) | v21 or later (Beginning with 10.1.9) |
Note:
- In previous levels Helm was used for installation of Container Backup Support. Beginning with IBM Spectrum Protect Plus 10.1.9, Helm is not part of the installation process.
- (1) If you use Rook.io to install Ceph Storage Cluster, use the Rook.io Cloud Native Storage 1.4 or later.
- (2) For the Ceph CSI driver for RBD and CephFS, see the Ceph CSI readme file. Due to vulnerabilities in earlier levels, install Ceph-CSI driver v3.2.2 or a later level.
- (3) Ceph levels supported in earlier IBM Spectrum Protect Plus reached end of life. For Ceph lifecycle, see Ceph Releases.
- (4) For IBM block storage CSI driver supported orchestration platforms, see under IBM block storage CSI driver>Release Notes>Compatibility and requirements.
  Note: For a table of IBM block storage CSI driver lifecycle, see Lifecycle and support matrix.
- (5) For IBM Spectrum Scale backups: Snapshots can be created only from independent fileset-based persistent volume claims (PVCs). PVCs that are based on lightweight directories and dependent file sets are not supported. These types of PVCs are automatically filtered and are not displayed in the container inventory in the IBM Spectrum Protect Plus user interface.
- (6) ONTAP driver must support VolumeMode Filesystem. VolumeMode Block is not supported.
To install and configure container backup support, you must deploy the Container Backup Support software in the Kubernetes or Red Hat OpenShift cluster environment. For instructions, see Installing Container Backup Support.
Cloud storage for direct backup operations
The following cloud storage systems are supported for container workloads:
- Amazon Simple Storage Service (Amazon S3)
- IBM Cloud® Object Storage (including IBM Cloud Object Storage Systems)
  Note: For IBM Cloud Object Storage, retention enabled vaults are not supported.
- Microsoft Azure Blob storage
- S3 compatible storage
Note: For S3 compatible storage, generic S3 support is based on external certification processes. For the list of supported S3 compatible providers, see Does IBM Spectrum Protect Plus support S3 compatible Object Storage?
You can copy snapshot data to cloud storage for longer-term data protection. Cloud storage can be selected as the primary backup location for container workloads.
For more information, see:
- Backing up Red Hat OpenShift container data directly to cloud storage
- Backing up Kubernetes container data directly to cloud storage
For cloud storage requirements for certificates, network, and cloud providers for container workloads, see System requirements: IBM Spectrum Protect Plus 10.1.10.
The following restrictions apply to Kubernetes and Red Hat OpenShift environments:
- Backup operations for raw block device volumes (volumeMode 'Block') are not supported.
- To ensure that a snapshot restore operation request works correctly, do not manually delete any snapshots of volumes that are protected by Container Backup Support.
- You cannot restore a snapshot backup to a different cluster or namespace.
- Container Backup Support protects only persistent storage that was allocated by a storage plug-in that supports the CSI specification.
- Only formatted volumes can be mounted to the data mover for copy operations.
- The Container Backup Support component is available only in English.
- For IBM Cloud Object Storage, retention enabled vaults are not supported.
- Command-line tool:
  - Kubernetes environment: The Kubernetes command line tool kubectl must be accessible on the installation host and in the local path.
  - Red Hat OpenShift environment: The Red Hat OpenShift command line tool oc must be accessible on the installation host and in the local path.
- Tips for collecting metrics and improving performance:
  - In a Kubernetes environment: To help optimize product performance and scalability, ensure that Kubernetes Metrics Server is installed and running on your cluster. For more information, see Compatibility Matrix. Also, for installation instructions, see Verifying whether the metrics server is running.
  - In a Red Hat OpenShift environment: The Kubernetes Metrics Server is included and augmented with Prometheus and Prometheus-Adapter for custom metrics. Prometheus and Prometheus-Adapter are part of the Red Hat OpenShift Cluster Monitoring Operator. Ensure that the Red Hat OpenShift Cluster Monitoring Operator is installed and running in the environment.
- CSI external-snapshotter:
  - Kubernetes 1.20 and later environment: The CSI external-snapshotter v4.0.0 or later is required for snapshots of volumes on a storage system.
  - Red Hat OpenShift environment: The external-snapshotter is part of the installation package. Ensure that the cluster operator csi-snapshot-controller is in the Available: True state.
- A storage class and must be defined for the persistent volumes that are being protected.
- The target image registry must be accessible from the Kubernetes or Red Hat OpenShift cluster. The target image registry can be a local image registry or an external image registry.
- The host that is used to install Container Backup Support must be using a kubeconfig file with cluster-admin privileges, KUBECONFIG.
- To create new cluster-wide resources, you must be logged in to the target cluster as a user with cluster-admin privileges.
- Ensure that Container Backup Support secrets that include user IDs, passwords, and keys are encrypted at rest in the etcd distributed key-value store. For more information, see Encrypting Secret Data at Rest.
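One way to check the encryption-at-rest requirement above on a Kubernetes cluster, as an added example that is not IBM's code: it audits the kube-apiserver EncryptionConfiguration and reports which provider actually writes Secrets to etcd. The function name and both sample configurations are constructed for illustration, and the key value is a placeholder.

```python
import json

# Constructed samples. JSON is valid YAML, so the same documents can be
# checked without a YAML library. The key material is a placeholder.
WEAK_CONFIG = """
{"apiVersion": "apiserver.config.k8s.io/v1",
 "kind": "EncryptionConfiguration",
 "resources": [
   {"resources": ["secrets"],
    "providers": [
      {"identity": {}},
      {"aescbc": {"keys": [{"name": "key1", "secret": "<BASE64-KEY-PLACEHOLDER>"}]}}
    ]}
 ]}
"""

HARDENED_CONFIG = """
{"apiVersion": "apiserver.config.k8s.io/v1",
 "kind": "EncryptionConfiguration",
 "resources": [
   {"resources": ["secrets"],
    "providers": [
      {"aescbc": {"keys": [{"name": "key1", "secret": "<BASE64-KEY-PLACEHOLDER>"}]}},
      {"identity": {}}
    ]}
 ]}
"""


def audit_secret_encryption(config_text):
    """Return (status, write_provider, notes) for Secret objects.

    status is "encrypted", "plaintext" or "not-covered".
    Wildcard resource entries are not handled in this example.
    """
    config = json.loads(config_text)
    if config.get("kind") != "EncryptionConfiguration":
        raise ValueError("not an EncryptionConfiguration document")

    for entry in config.get("resources", []):
        if "secrets" not in entry.get("resources", []):
            continue
        # Each provider is a single-key mapping, and the list order matters.
        names = [next(iter(p)) for p in entry.get("providers", []) if p]
        if not names:
            return ("not-covered", None, ["secrets entry has no providers"])
        # The first provider encrypts on write; later ones are only tried on read.
        if names[0] == "identity":
            return ("plaintext", "identity",
                    ["identity is first: new Secrets are stored in etcd unencrypted"])
        notes = []
        if "identity" in names[1:]:
            notes.append("identity fallback present: Secrets written before "
                         "encryption was enabled stay plaintext until rewritten")
        return ("encrypted", names[0], notes)
    return ("not-covered", None, ["no resources entry lists secrets"])


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_secret_encryption(text))
```

On Red Hat OpenShift, etcd encryption is enabled through the cluster's API server configuration rather than through this file, so the check applies to the Kubernetes case.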
IBM Spectrum Protect Plus prerequisites
The IBM Spectrum Protect Plus server must be provisioned and configured by the IBM Spectrum Protect Plus administrator:
- An administrative account for Container Backup Support must be configured on IBM Spectrum Protect Plus.
  This administrative account can be configured as a global Lightweight Directory Access Protocol (LDAP) account in the data center. This global account is required for access to all external components that interact with Container Backup Support.
- An IBM Spectrum Protect Plus instance must be deployed in a container environment or as a VMware virtual appliance. Network connectivity must exist to and from the target cluster. The IBM Spectrum Protect Plus Internet Protocol (IP) address and port number must be specified in the baas-values-cr.yaml file before you deploy Container Backup Support. Only one port (443) can be specified for use with all IBM Spectrum Protect Plus instances.
- Optional: For copy backup and copy restore operations, the IBM Spectrum Protect Plus vSnap server must be provisioned and configured by the IBM Spectrum Protect Plus administrator. An IBM Spectrum Protect Plus vSnap instance must be deployed as a VMware virtual appliance and configured to store backups:
- Network connectivity must exist to and from the target Kubernetes or Red Hat OpenShift cluster and the IBM Spectrum Protect Plus vSnap instance.
- If backups are encrypted at rest, ensure that enough capacity is allocated for encryption on the vSnap server.
Ensure that the following connectivity requirements are met:
- All servers, proxies, applications, and hypervisors that are added to the IBM Spectrum Protect Plus environment must be registered by using a Fully Qualified Domain Name (FQDN) name or Internet Protocol (IP) address.
- If FQDN names are used, they must be resolvable over the network by the IBM Spectrum Protect Plus server and the vSnap server. All IBM Spectrum Protect Plus components must also be resolvable by their DNS names.
- If FQDN is not available, you must add the server to the /etc/hosts file on the IBM Spectrum Protect Plus server by using the command line.
Managing connection performance in Red Hat OpenShift
The default number of Ingress controller pods to handle routes is two. Larger Red Hat OpenShift clusters require more Ingress controller pods to handle routes. When the number of Ingress controller pods is insufficient, the most common symptom is that connections from IBM Spectrum Protect Plus to the agent are dropped. Other symptoms include unreliable results from the test connection job, which sometimes fails and sometimes succeeds. You might also experience a failure to retrieve job logs from the agent at the end of a job, resulting in error CTGGA3200.
This issue can be resolved by scaling the number of Ingress controller pods that handle routes. For more information, see Scaling an Ingress controller. The maximum number of Ingress controller pods that you can scale to is equal to the number of worker nodes. If the number of Ingress pod replicas is increased beyond the number of worker nodes, the additional Ingress controller pods will not start until more Red Hat OpenShift worker nodes are added to the cluster. Each additional Ingress controller pod requests 0.1 CPU resources and 256MB of memory.
- During the installation, specify the username for the IBM Spectrum Protect Plus administrator with the containers role. For more information, see Setting up the installation variables.
- The data mover runs as a privileged container to access the device location on the host system of the volume that is being protected. The application agent also runs as a privileged container to gain access to the sudo command to set up the data mover user account in the container at run time. The application agent accesses no host resources.
- Depending on their role, enterprise application developers and backup administrators interact with different user interfaces to protect persistent data in containers, as described in User roles.
Ensure that the Software, Connectivity, and Authentication and privileges requirements are met before you start to install Container Backup Support on a Kubernetes or Red Hat OpenShift cluster as described in Installing Container Backup Support.
Before you start a backup or restore operation, ensure that your system meets the following requirements:
- After Container Backup Support is installed, the application host for the Container Backup Support container is automatically registered upon startup of the cluster host in Kubernetes or Red Hat OpenShift. When a cluster is registered with IBM Spectrum Protect Plus, an inventory of the resources in the cluster is automatically captured, enabling you to complete backup and restore jobs and to run reports. If the automatic registration is not successful and your cluster does not appear in the IBM Spectrum Protect Plus user interface, you must manually register the cluster. For instructions, see Registering a Kubernetes cluster or Registering an Red Hat OpenShift cluster.
- You can use the IBM Spectrum Protect Plus vSnap server, or you can use a cloud storage system directly, as the primary storage for backing up Kubernetes container data. For instructions, see Managing backup storage.
- If you do not plan to use the default SLA policy for containers, ensure that you configure an SLA policy. For instructions, see Creating an SLA policy for containers.
- Assign appropriate roles and resource groups to users who are running backup and restore operations. Grant users access to resources and roles by using the Accounts pane.
Review the following information about creating backup and restore jobs:
- You can use the IBM Spectrum Protect Plus user interface to back up or restore Kubernetes persistent volumes, namespace-scoped resources, and cluster-scoped resources. For instructions, see Backing up and restoring Kubernetes clusters.
- You can use the IBM Spectrum Protect Plus user interface to back up or restore Red Hat OpenShift resources such as persistent volumes, project-scoped resources, and cluster-scoped resources. For instructions, see Backing up and restoring Red Hat OpenShift clusters.
For an overview about protecting containers with IBM Spectrum Protect Plus, see Protecting containers.
The following ports are used by IBM Spectrum Protect Plus agents.
Port | Protocol | Initiator | Target | Description |
---|---|---|---|---|
443 | Transmission Control Protocol (TCP) | IBM Spectrum Protect Plus server | Container backup support agent | Used by IBM Spectrum Protect Plus to connect to the data mover container to run agents. Also used for REST API connections to the container backup support agent. Optional for Kubernetes environments only: If NodePort is selected during installation time, port 31245 is used for REST API connections. |
Note: Because NodePort is no longer the default, an Ingress controller must be installed and configured. For more information, see the topic For Kubernetes: Configuring Container Backup Support to use an Ingress controller.
Port | Protocol | Initiator | Target | Description |
---|---|---|---|---|
111 | TCP and User Datagram Protocol (UDP) | Container backup support agent | vSnap server | Used for NFS data transfer to and from file systems mounted from vSnap servers during backup and restore operations |
443 | TCP | Container backup support agent | IBM Spectrum Protect Plus server | Used for IBM Spectrum Protect Plus issued commands to run backup, restore, inventory, and other operations |
2049 | TCP and UDP | Container backup support agent | vSnap server | Used for NFS data transfer to and from file systems mounted from vSnap servers during backup and restore operations |
20048 | TCP and UDP | Container backup support agent | vSnap server | Used for NFS data transfer to and from file systems mounted from vSnap servers during backup and restore operations |
The required system resources are based on the default installation parameters.
Table 8. Minimum resource requirements for Container Backup Support
Component | Replica | CPU (request) | CPU (limit) | Memory (request) | Memory (limit) |
Baas-spp-agent | 1 | 2 | 3 | 1250Mi | 2500Mi |
Baas-datamover | 1 | 100m | 500m | 500Mi | 1000Mi |
Baas-kafka | 1 | 300m | 2 | 400Mi | 1Gi |
Baas-scheduler | 1 | 100m | 750m | 150Mi | 500Mi |
Baas-controller | 1 | 250m | 1 | 50Mi | 250Mi |
Baas-MinIO | 1 | 100m | 3 | 600Mi | 3Gi |
Baas-transaction-manager | 3 | 200m | 1 | 100Mi | 500Mi |
Baas-transaction-manager-worker | 3 | 200m | 2 | 250Mi | 500Mi |
Baas-transaction-manager-redis | 3 | 50m | 200m | 50Mi | 250Mi |
Baas-strimzi-cluster-operator | 1 | 200m | 1 | 384Mi | 384Mi |
Baas-entity-operator | 1 | 300m | 2 | 400Mi | 1Gi |
Baas-zookeeper | 1 | 300m | 2 | 400Mi | 1Gi |
Oadp-operator (Red Hat OpenShift environment) | 1 | 500m | 1 | 128Mi | 512Mi |
Velero (Red Hat OpenShift environment) | 1 | 500m | 1 | 512Mi | 1Gi |
Note:
- Beginning with IBM Spectrum Protect Plus 10.1.8, the baas-entity-operator is a requirement for Kubernetes and Red Hat OpenShift environments.
- Beginning with IBM Spectrum Protect Plus 10.1.9, the component Baas-cert-monitor (Kubernetes environment) and the component Amq-streams-cluster-operator (Red Hat OpenShift environment) are no longer required.
- Beginning with IBM Spectrum Protect Plus 10.1.9, the component oadp-operator and the component Velero are required for the Red Hat OpenShift environment.
Tip: The CPU resource is measured in Kubernetes cpu units. Memory is specified in units of bytes. For more information about CPU units and memory, see Managing Resources for Containers.
Document Information
Modified date: 28 April 2022
UID: ibm16554488