IBM Support

Container backup and restore requirements: IBM Spectrum Protect Plus V10.1.7

Preventive Service Planning


Abstract

This document details the container backup and restore requirements for IBM Spectrum Protect Plus Version 10.1.7.

Content




 


General

Beginning with IBM Spectrum Protect Plus V10.1.5, support was added to protect persistent volume claims that are attached to containers in Kubernetes clusters. Operations were initiated by using the Kubernetes command line. In IBM Spectrum Protect Plus V10.1.6, backup support for containers was extended to the IBM Spectrum Protect Plus user interface. In addition, the Container Backup Support package was made available for download from the IBM Helm Charts Repository by using the IBM Entitled Registry.

In IBM Spectrum Protect Plus V10.1.7, support was added to protect container clusters on Red Hat OpenShift Container Platform. In addition, container backup support was extended to protect Red Hat OpenShift and Kubernetes cluster-scoped and namespace-scoped resources. Container backup support was extended to include the IBM block storage Container Storage Interface (CSI) driver 1.2.0.

Before you deploy IBM Spectrum Protect Plus V10.1.7 Container Backup Support in the Red Hat OpenShift or Kubernetes environment, ensure that the system environment meets the requirements.

NOTE:

  • You can use IBM Spectrum Virtualize with the IBM Block CSI Driver snapshot functionality only for non-production, internal development and test environments, and for other internal, non-production activities. At the time of publication, the CSI snapshot functionality was in beta testing. For more information, see Kubernetes Feature Gates. IBM Spectrum Virtualize includes IBM FlashSystem family members that are built with IBM Spectrum Virtualize.



 


Configuration

Application versions

Docker containers v17.09.00 and later are supported in Container Backup Support.


 

Operating systems

Table 1. Coverage matrix for supported Linux® x86_64 operating systems

IBM Spectrum Protect Plus RHEL 7.6 RHEL 7.7 RHEL 7.8
 V10.1.5 --
 V10.1.6
 V10.1.7


 

Cluster requirements

  • To protect Kubernetes resources that are attached to clusters, you must correctly configure the storage environment. The following software and systems are supported with IBM Spectrum Protect Plus V10.1.7:
    • Kubernetes V1.19 and later patches and updates
    • Kubernetes V1.18 and later patches and updates
    • Kubernetes V1.17 and later patches and updates
    • Ceph Container Storage Interface (CSI) driver 3.0 with Rados Block Device (RBD) storage
    • IBM block storage CSI 1.2 or later for virtualized storage
    • External Ceph RBD cluster 14.2.2 and later
    • Helm V3.3 and later
      Tip: If the Helm V3.3.3 installation process fails during version validation, see the guidance in Warning after upgrading to 3.3.3. The workaround is to install a later version of Helm.
    • Rook.io Ceph Storage V1.4 and later
    • Velero V1.4.2, V1.4.3, or V1.5.1, to protect cluster-scoped and namespace-scoped resources
      Important: If an instance of Velero is already installed in the cluster, you must install and configure another instance of Velero V1.4.2, V1.4.3, or V1.5.1. For more information and instructions, see Installing a second instance of Velero
    For information about Kubernetes releases, see Kubernetes Release Versioning

    Note about versions that were previously supported with IBM Spectrum Protect Plus V10.1.6:
    • Kubernetes v1.16 has reached end of life. For details, see Kubernetes Patch Releases
    • Helm v2.16 supports only Kubernetes v1.15 and later levels and v1.16 and later levels. For more information, see Helm Version Support Policy
    • For CSI driver 1.2, 2.0, and 2.1, use IBM Spectrum Protect Plus V10.1.6.
       
  • For OpenShift environments, the following software and systems are supported with IBM Spectrum Protect Plus V10.1.7:
    • OpenShift Container Platform (OCP) V4.5 and later
      Restriction: OCP V4.5 cannot be installed from the web console. Use the command line to install OCP V4.5.
    • OpenShift Container Storage (OCS) V4.6 and later
    • IBM block storage CSI driver 1.3 or later for virtualized storage
    • External Ceph RBD cluster V14.2.2 and later
    • Helm v3.3 and later
      Tip: If the Helm V3.3.3 installation process fails during version validation, see the guidance in Warning after upgrading to 3.3.3. The workaround is to install a later version of Helm.
    • Rook.io Ceph Storage V1.4 and later
    • Velero V1.4.2, V1.4.3, or V1.5.1, to protect cluster-scoped and namespace-scoped resources
      Important: If an instance of Velero is already installed in the cluster, you must install and configure another instance of Velero V1.4.2, V1.4.3, or V1.5.1. For more information and instructions, see Installing a second instance of Velero
    • OpenShift API for Data Protection (OADP) V0.1.0, V0.1.1, or V0.1.2 to install the Velero tool
      For instructions, see Installing and configuring Velero by using the OADP Operator

    For information about OpenShift releases, see Red Hat OpenShift Container Platform Life Cycle Policy

To install and configure container backup support, you must deploy the Container Backup Support software in the Kubernetes or OpenShift cluster environment. For instructions, see Installing Container Backup Support
 


 

Restrictions

The following restrictions apply to Kubernetes and OpenShift environments:

  • Backup operations for raw block volumes are not supported.
  • To ensure that a snapshot restore operation request works correctly, do not manually delete any snapshots of volumes that are protected by Container Backup Support.
  • You cannot restore a snapshot backup to a different cluster or namespace.
  • Container Backup Support protects only persistent storage that was allocated by a storage plug-in that supports the CSI.
  • Only formatted volumes can be mounted to the data mover for copy operations.
  • The Container Backup Support component is available only in English.



 


Software

Cluster prerequisites

  • Command line tool:
    • Kubernetes environment: The Kubernetes command line tool kubectl must be accessible on the installation host and in the local path.
    • OpenShift environment: The OpenShift command line tool oc must be accessible on the installation host and in the local path.
  • Tips for collecting metrics and improving performance:
    • In a Kubernetes environment: To help optimize product performance and scalability, ensure that Kubernetes Metrics Server v0.3.5 or later is installed and running on your cluster. For instructions, see Verifying whether the metrics server is running
    • In an OpenShift environment: The Kubernetes Metrics Server is included and augmented with Prometheus and Prometheus-Adapter for custom metrics.
  • CSI external-snapshotter:
    • Kubernetes environment: The CSI external-snapshotter v2.1.1 or later is required for snapshots of volumes on a storage system.
    • OpenShift environment: The external-snapshotter is part of the installation package. Ensure that the cluster operator csi-snapshot-controller is in the Available: True state.
  • A storage class must be defined for the persistent volumes that are being protected.
  • The target image registry must be accessible from the Kubernetes or OpenShift cluster. The target image registry can be a local image registry or an external image registry.
  • The host that is used to install Container Backup Support must use a kubeconfig file (KUBECONFIG) with cluster-admin privileges, and the Helm client must be installed.
  • To create new cluster-wide resources, you must be logged in to the target cluster as a user with cluster-admin privileges.
  • Ensure that Container Backup Support secrets that include user IDs, passwords, and keys are encrypted at rest in the etcd distributed key-value store. For more information, see Encrypting Secret Data at Rest
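One way to verify the encryption-at-rest requirement on a Kubernetes control plane, as an added example that is not part of the IBM document or product: the script reads the API server's EncryptionConfiguration file and reports which provider is used to write Secrets, because the first provider listed encrypts new data and identity stores it in plaintext. The sample files, the placeholder key and the function names are constructed for illustration, and the parser assumes the list-style YAML layout used in the Kubernetes documentation.

```shell
#!/bin/sh
# Added example (not IBM code). Reports which provider a kube-apiserver
# EncryptionConfiguration uses to WRITE Secrets: the first provider of the
# entry whose resources list contains "secrets". "identity" means plaintext.

secrets_write_provider() {   # $1 = path to the EncryptionConfiguration file
  awk '
    /^[ \t]*-[ \t]*resources:/ { in_res = 1; in_prov = 0; has_secrets = 0; next }
    /^[ \t]*providers:/        { in_res = 0; in_prov = 1; next }
    in_res && /^[ \t]*-[ \t]*secrets[ \t]*$/ { has_secrets = 1; next }
    in_prov && has_secrets &&
    /^[ \t]*-[ \t]*(identity|aescbc|aesgcm|secretbox|kms)[ \t]*:/ {
      sub(/^[ \t]*-[ \t]*/, ""); sub(/[^a-z].*$/, "")
      print; found = 1; exit
    }
    END { if (!found) print "none" }
  ' "$1"
}

secrets_encrypted_at_rest() {   # exit status 0 only if writes are encrypted
  case "$(secrets_write_provider "$1")" in
    identity|none) return 1 ;;
    *)             return 0 ;;
  esac
}

# Constructed sample input: the key is a placeholder, not a usable secret.
AES='aescbc: {keys: [{name: key1, secret: PLACEHOLDER_BASE64_KEY}]}'

write_sample() {   # $1 = output file, $2 = first provider, $3 = second provider
  cat > "$1" <<EOF
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
    providers:
      - $2
      - $3
EOF
}

demo() {
  d=$(mktemp -d)
  write_sample "$d/weak.yaml"  'identity: {}' "$AES"   # weak: plaintext writes
  write_sample "$d/fixed.yaml" "$AES" 'identity: {}'   # corrected ordering
  for f in weak fixed; do
    printf '%s.yaml writes Secrets with: %s\n' "$f" \
      "$(secrets_write_provider "$d/$f.yaml")"
  done
  rm -rf "$d"
}
demo
```

Secrets that were written before the provider order was corrected stay in their old form until they are rewritten, so rewrite existing Secrets after changing the configuration.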


 

Helm prerequisites

  • Helm 3 is an application package manager that runs on Kubernetes or OpenShift®. Helm is designed to simplify the definition, storage, and management of applications. The installation process for Container Backup Support uses a Helm 3 chart. The installation script that is provided with the installation package requires that the Helm 3 binary file is renamed to helm3. For instructions, see Installing Helm 3 and renaming the binary file
  • The Helm tool must be configured on the target cluster so that a new deployment can be run with the helm command line. Deploying a package with Helm enables cluster-wide role-based access control (RBAC) rules and role bindings to be generated.


 

IBM Spectrum Protect Plus prerequisites

The IBM Spectrum Protect Plus server and the IBM Spectrum Protect Plus vSnap server must be provisioned and configured by the IBM Spectrum Protect Plus administrator:

  • An administrative account for Container Backup Support must be configured on IBM Spectrum Protect Plus.
    This administrative account can be configured as a global Lightweight Directory Access Protocol (LDAP) account in the data center. This global account is required for access to all external components that interact with Container Backup Support.
    You must specify this account name in the SPP_ADMIN_USERNAME parameter in the baas_options.sh configuration file before you deploy Container Backup Support. The baas_options.sh file is in the installation directory. For instructions, see Installing Container Backup Support
  • An IBM Spectrum Protect Plus instance must be deployed in a container environment or as a VMware virtual appliance. Network connectivity must exist to and from the target cluster. The IBM Spectrum Protect Plus Internet Protocol (IP) address and port number must be specified in the baas-values.yaml file before you deploy Container Backup Support. Only one port (443) can be specified for use with all IBM Spectrum Protect Plus instances.
  • An IBM Spectrum Protect Plus vSnap instance must be deployed as a VMware virtual appliance and configured to store backups:
    • Network connectivity must exist to and from the target Kubernetes or OpenShift cluster and IBM Spectrum Protect Plus vSnap instance.
    • If backups are encrypted at rest, ensure that enough capacity is allocated for encryption on the vSnap server.



 


Connectivity

Ensure that the following connectivity requirements are met:

  • The Secure Shell (SSH) service is running on Kubernetes NodePort services.
  • Firewalls are configured to allow IBM Spectrum Protect Plus to connect to data mover containers by using SSH over the NodePort port range of the Kubernetes or OpenShift cluster. The NodePort service allows the specific port in the NodePort range to be determined by Kubernetes or OpenShift at run time.
  • All servers, proxies, applications, and hypervisors that are added to the IBM Spectrum Protect Plus environment must be registered by using a Domain Name System (DNS) name or Internet Protocol (IP) address.
  • If DNS names are used, they must be resolvable over the network by the IBM Spectrum Protect Plus server and the vSnap server. All IBM Spectrum Protect Plus components must also be resolvable by their DNS names.
  • If DNS is not available, you must add the server to the /etc/hosts file on the IBM Spectrum Protect Plus server by using the command line.



 


Authentication and privileges

  • Specify the username for the IBM Spectrum Protect Plus administrator with the containers role in the baas_options.sh configuration file. For more information, see Setting up the installation variables
  • The data mover runs as a privileged container to access the device location on the host system of the volume that is being protected. The application agent also runs as a privileged container to gain access to the sudo command to set up the data mover user account in the container at run time. The application agent accesses no host resources.
  • Depending on their role, enterprise application developers and backup administrators interact with different user interfaces to protect persistent data in containers, as described in User roles



 


Prerequisites and operations

Prerequisites


 

Operations

Before you start a backup or restore operation, ensure that your system meets the following requirements:

  • After Container Backup Support is installed, the application host for the Container Backup Support container is automatically registered upon startup of the cluster host in Kubernetes or OpenShift. When a cluster is registered with IBM Spectrum Protect Plus, an inventory of the resources in the cluster is automatically captured, enabling you to complete backup and restore jobs and to run reports. If the automatic registration is not successful and your cluster does not appear in the IBM Spectrum Protect Plus user interface, you must manually register the cluster. For instructions, see Registering a Kubernetes cluster or Registering an OpenShift cluster
  • If you do not plan to use the default SLA policy for containers, ensure that you configure an SLA policy. For instructions, see Creating an SLA policy for containers
  • Assign appropriate roles and resource groups to users who will be running backup and restore operations. Grant users access to resources and roles by using the Accounts pane.

Review the following information about creating backup and restore jobs:

  • You can use the IBM Spectrum Protect Plus user interface to back up or restore Kubernetes persistent volumes, namespace-scoped resources, and cluster-scoped resources. For instructions, see Backing up and restoring Kubernetes clusters
  • You can use the IBM Spectrum Protect Plus user interface to back up or restore OpenShift resources such as persistent volumes, project-scoped resources, and cluster-scoped resources. For instructions, see Backing up and restoring OpenShift clusters

For an overview about protecting containers with IBM Spectrum Protect Plus, see Protecting containers


Ports

The following ports are used by IBM Spectrum Protect Plus agents.

Table 2. Communication ports when the target is an IBM Spectrum Protect Plus agent
Port | Protocol | Initiator | Target | Description
Assigned by the NodePort service in Kubernetes | Transmission Control Protocol (TCP) | IBM Spectrum Protect Plus server | Kubernetes or OpenShift agent | Used by IBM Spectrum Protect Plus to connect to the data mover container to deploy and run agents

For SSH connections between containers in the Kubernetes or OpenShift environment, port 22 is used. For all other connections, whether on the Kubernetes or OpenShift hosts or outside the cluster, the port that the NodePort service assigns at run time is used.


 

Table 3. Communication ports when the initiator is the IBM Spectrum Protect Plus agent
Port | Protocol | Initiator | Target | Description
111 | TCP | Kubernetes or OpenShift agent | vSnap server | Used for NFS data transfer to and from file systems mounted from vSnap servers during backup and restore operations
443 | TCP | Kubernetes or OpenShift agent | IBM Spectrum Protect Plus server | Used for IBM Spectrum Protect Plus issued commands to run backup, restore, inventory, and other operations
2049 | TCP | Kubernetes or OpenShift agent | vSnap server | Used for NFS data transfer to and from file systems mounted from vSnap servers during backup and restore operations
20048 | TCP | Kubernetes or OpenShift agent | vSnap server | Used for NFS data transfer to and from file systems mounted from vSnap servers during backup and restore operations
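
The agent-initiated flows in Table 3 can be checked from a cluster node before the first backup job runs. The following script is an added example, not IBM code; the function names, the script name in the usage comment and the two host arguments are assumptions.

```shell
#!/bin/sh
# Added example (not IBM code): probe the agent-initiated TCP flows of Table 3
# from a cluster node. Usage: sh check_egress.sh <spp-host> <vsnap-host>

# Table 3 rows as "target port".
TABLE3='vsnap 111
spp 443
vsnap 2049
vsnap 20048'

probe() {   # $1 = host, $2 = TCP port; succeeds if a connection opens in 3 s
  timeout 3 bash -c 'exec 3<>"/dev/tcp/$0/$1"' "$1" "$2" </dev/null 2>/dev/null
}

check_egress() {   # $1 = SPP server host, $2 = vSnap server host
  blocked=''
  while read -r role port; do
    case "$role" in
      spp)   host=$1 ;;
      vsnap) host=$2 ;;
    esac
    probe "$host" "$port" || blocked="$blocked $host:$port"
  done <<EOF
$TABLE3
EOF
  echo "${blocked# }"   # space-separated list of unreachable host:port pairs
  [ -z "$blocked" ]     # exit status 0 only when every flow is open
}

if [ "$#" -eq 2 ]; then
  check_egress "$1" "$2" || echo "blocked flows listed above" >&2
fi
```

The inbound SSH flow of Table 2 is not covered, because its NodePort is assigned at run time.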



 


Hardware

The required system resources are based on the default installation parameters. By default, when you use the Helm chart for installation, you start with the containers and required resources that are listed in the table.

Table 4. Minimum resource requirements for Container Backup Support

Component Replica CPU (request) CPU (limit) Memory (request) Memory (limit)
baas-spp-agent 1 2m 3 800Mi 1000Mi
baas-cert-monitor* 1 250m 1 50Mi 250Mi
baas-datamover 1 100m 500m 500Mi 1000Mi
baas-kafka 1 300m 2 400Mi 1Gi
baas-scheduler 1 100m 750m 150Mi 500Mi
baas-controller 1 250m 1 50Mi 250Mi
baas-MinIO 1 100m 3 600Mi 3Gi
baas-transaction-manager 3 200m 1 100Mi 500Mi
baas-transaction-manager-worker 3 200m 2 250Mi 500Mi
baas-transaction-manager-redis 3 50m 200m 50Mi 250Mi
baas-strimzi-cluster-operator* 1 200m 1 384Mi 384Mi
baas-entity-operator** 1 300m 2 400Mi 1Gi
baas-zookeeper 1 300m 2 400Mi 1Gi

* This row is applicable only in a Kubernetes environment.
** This row is applicable only in an OpenShift environment.


Tip: The CPU resource is measured in Kubernetes cpu units. Memory is specified in units of bytes. For more information about CPU units and memory, see Managing Resources for Containers



 


Document Information

Modified date:
22 June 2021

UID

ibm16325259