IBM Support

Container backup and restore requirements: IBM Spectrum Protect Plus V10.1.8

Preventive Service Planning


Abstract

This document details the container backup and restore requirements for IBM Spectrum Protect Plus Version 10.1.8.

Content




 


General

Beginning with IBM Spectrum Protect Plus V10.1.5, support was added to protect persistent volume claims that are attached to containers in Kubernetes clusters. Operations were initiated by using the Kubernetes command line. In IBM Spectrum Protect Plus V10.1.6, backup support for containers was extended to the IBM Spectrum Protect Plus user interface. In addition, the Container Backup Support package was made available for download from the IBM Helm Charts Repository by using the IBM Entitled Registry.

In IBM Spectrum Protect Plus V10.1.7, support was added to protect container clusters on Red Hat® OpenShift® Container Platform. In addition, container backup support was extended to protect Red Hat OpenShift and Kubernetes cluster-scoped and namespace-scoped resources. Container backup support was extended to include the IBM block storage Container Storage Interface (CSI) driver 1.2.0.

In IBM Spectrum Protect Plus V10.1.8, support was added to protect Red Hat OpenShift Container Platform and Kubernetes container data with added Ceph File System (CephFS) support. In addition, container backup support was extended to protect Red Hat OpenShift Container Platform and Kubernetes container data with IBM Spectrum Scale.

Before you deploy IBM Spectrum Protect Plus V10.1.8 Container Backup Support in the Red Hat OpenShift or Kubernetes environment, ensure that the system environment meets the requirements and any prerequisite software is up to date, with all security-related patches applied.



 


Configuration

Application versions

Docker containers v17.09.00 and later are supported in Container Backup Support.


 

Operating systems

Table 1. Coverage matrix for supported Linux® x86_64 operating systems for Kubernetes environments

| IBM Spectrum Protect Plus | RHEL 7.6 & 7.7 | RHEL 7.8 | RHEL 7.9 | RHEL 8.0 & 8.1 & 8.2 & 8.3 |
| --- | --- | --- | --- | --- |
| V10.1.8 | Beginning with V10.1.5 | Beginning with V10.1.6 | Beginning with V10.1.7 | Beginning with V10.1.8 |


 

Cluster requirements

Table 2. Coverage matrix for supported software and systems to protect Kubernetes or OpenShift environments that are attached to clusters

| IBM Spectrum Protect Plus cluster requirements | Kubernetes environments | OpenShift environments |
| --- | --- | --- |
| Kubernetes(1) | V1.18 or later updates; V1.19 or later updates; V1.20 or later updates; V1.21 or later updates (Beginning with V10.1.8 patch1) | -- |
| OpenShift Container Platform (OCP)(2)(3) | -- | V4.5 or later updates (Beginning with V10.1.7); V4.6 or later updates (Beginning with V10.1.7); V4.7 or later updates (Beginning with V10.1.8); V4.8 or later updates (Beginning with V10.1.8 ifix2) |
| OpenShift Data Foundation (ODF) (formerly OpenShift Container Storage (OCS)) | -- | V4.6 or later updates (Beginning with V10.1.7); V4.7 or later updates (Beginning with V10.1.8 patch1); V4.8 or later updates (Beginning with V10.1.8 ifix2) |
| OpenShift API for Data Protection (4) to install Velero tool | -- | V0.1.0, V0.1.1, V0.1.2 (Beginning with V10.1.7); V0.2.0 & V0.2.1 (Beginning with V10.1.8) |
| Helm(5) | V3.3 or later (Beginning with V10.1.7) | V3.3 or later (Beginning with V10.1.7) |
| Velero to protect cluster-scoped and namespace-scoped resources (6)(7) | V1.4.2, V1.4.3, V1.5.1 (Beginning with V10.1.7); V1.5.2 (Beginning with V10.1.8); V1.6.0 or later updates (Beginning with V10.1.8 patch1) | Installation by using OADP operator only (Beginning with V10.1.7) |
| Rook.io Ceph Storage | V1.4 or later (Beginning with V10.1.7) | V1.4 or later (Beginning with V10.1.7) |
| External Ceph File System (CephFS) | On Ceph Storage Cluster V15.2.8 or later (Beginning with V10.1.8) | OpenShift recommended version (Beginning with V10.1.8) |
| External Ceph Rados Block Device (RBD) | On Ceph Storage Cluster V14.2.2 or later (Beginning with V10.1.7) | OpenShift recommended version (Beginning with V10.1.7) |
| Ceph Container Storage Interface (CSI) driver with Rados Block Device (RBD) storage (8) | V3.0 (Beginning with V10.1.7) | (Installed with OCS) |
| Ceph Container Storage Interface (CSI) driver with Ceph FS storage | V3.1.0 (Beginning with V10.1.8) | (Installed with OCS) |
| IBM block storage CSI for virtualized storage(9) | V1.3 or later (Beginning with V10.1.8); V1.6 or later (Beginning with V10.1.8 ifix2) | V1.3 or later (Beginning with V10.1.7); V1.6 or later (Beginning with V10.1.8 ifix2) |
| IBM Spectrum Scale CSI driver(10) | V2.2.0 or later updates (Beginning with V10.1.8) | V2.2.0 or later updates (Beginning with V10.1.8) |
| IBM Spectrum Scale | V5.1.1 or later updates (Beginning with V10.1.8) | V5.1.1 or later updates (Beginning with V10.1.8) |

Notes:

To install and configure container backup support, you must deploy the Container Backup Support software in the Kubernetes or OpenShift cluster environment. For instructions, see Installing Container Backup Support

 

Restrictions

The following restrictions apply to Kubernetes and OpenShift environments:

  • OCP V4.5 cannot be installed from the web console. Use the command line to install OCP V4.5.
  • Backup operations for raw block device volumes (volumeMode 'Block') are not supported.
  • To ensure that a snapshot restore operation request works correctly, do not manually delete any snapshots of volumes that are protected by Container Backup Support.
  • You cannot restore a snapshot backup to a different cluster or namespace.
  • Container Backup Support protects only persistent storage that was allocated by a storage plug-in that supports the CSI.
  • Only formatted volumes can be mounted to the data mover for copy operations.
  • The Container Backup Support component is available only in English.



 


Software

Cluster prerequisites

  • Command line tool:
    • Kubernetes environment: The Kubernetes command line tool kubectl must be accessible on the installation host and in the local path.
    • OpenShift environment: The OpenShift command line tool oc must be accessible on the installation host and in the local path.
  • Tips for collecting metrics and improving performance:
    • In a Kubernetes environment: To help optimize product performance and scalability, ensure that Kubernetes Metrics Server v0.3.5 or later is installed and running on your cluster. For instructions, see Verifying whether the metrics server is running.
    • In an OpenShift environment: The Kubernetes Metrics Server is included and augmented with Prometheus and Prometheus-Adapter for custom metrics. Prometheus and Prometheus-Adapter are part of the OpenShift Cluster Monitoring Operator. Ensure that the OpenShift Cluster Monitoring Operator is installed and running in the environment.
  • CSI external-snapshotter:
    • Kubernetes 1.17-1.19 environment: The CSI external-snapshotter v2.1.1 or later is required for snapshots of volumes on a storage system.
    • Kubernetes 1.20 and later environment: The CSI external-snapshotter v4.0.0 or later is required for snapshots of volumes on a storage system.
    • OpenShift environment: The external-snapshotter is part of the installation package. Ensure that the cluster operator csi-snapshot-controller is in the Available: True state.
  • A storage class must be defined for the persistent volumes that are being protected.
  • The target image registry must be accessible from the Kubernetes or OpenShift cluster. The target image registry can be a local image registry or an external image registry.
  • The host that is used to install Container Backup Support must use a kubeconfig file (KUBECONFIG) with cluster-admin privileges, and the Helm client must be installed.
  • To create new cluster-wide resources, you must be logged in to the target cluster as a user with cluster-admin privileges.
  • Ensure that Container Backup Support secrets that include user IDs, passwords, and keys are encrypted at rest in the etcd distributed key-value store. For more information, see Encrypting Secret Data at Rest


 

Helm prerequisites

  • Helm 3 is an application package manager that runs on Kubernetes or OpenShift®. Helm is designed to simplify the definition, storage, and management of applications. The installation process for Container Backup Support uses a Helm 3 chart. The installation script that is provided with the installation package requires that the Helm 3 binary file is renamed to helm3. For instructions, see Installing Helm 3 and renaming the binary file
  • The Helm tool must be configured on the target cluster so that a new deployment can be run with the helm command line. Deploying a package with Helm enables cluster-wide role-based access control (RBAC) rules and role bindings to be generated.
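
The cluster and Helm prerequisites above can be checked from the installation host before deployment. The following script is an added example, not part of the IBM installation package; its function names are hypothetical, and its etcd encryption check covers OpenShift only (it reads spec.encryption.type of the cluster APIServer resource), because on Kubernetes that setting is in the API server's --encryption-provider-config file and must be reviewed separately.

```shell
#!/bin/sh
# Added example: preflight for the cluster and Helm prerequisites on this page.
# preflight kubernetes|openshift prints PASS/FAIL per check, records failed
# check ids in FAILED, and returns 0 only when every check passed.

check() {            # check <id> <description> <command...>
    id=$1; desc=$2; shift 2
    if "$@" >/dev/null 2>&1; then echo "PASS  $desc"
    else echo "FAIL  $desc"; FAILED="$FAILED $id"; fi
}
says() {             # says <expected> <command...>: command prints <expected>
    expected=$1; shift
    [ "$("$@" 2>/dev/null)" = "$expected" ]
}
prints_something() { [ -n "$("$@" 2>/dev/null)" ]; }
names_encryption() { # output is an encryption type, not empty or "identity"
    case "$("$@" 2>/dev/null)" in ""|identity) return 1 ;; *) return 0 ;; esac
}

preflight() {
    FAILED=""
    case $1 in
        kubernetes) cli=kubectl ;;
        openshift)  cli=oc ;;
        *) echo "usage: preflight kubernetes|openshift" >&2; return 2 ;;
    esac
    check cli  "$cli is in the local path"           command -v "$cli"
    check helm "Helm 3 binary is available as helm3" command -v helm3
    # cluster-admin: the kubeconfig identity may do anything, cluster-wide
    check admin "kubeconfig identity has cluster-admin privileges" \
        says yes "$cli" auth can-i '*' '*' --all-namespaces
    check sc "a storage class is defined" \
        prints_something "$cli" get storageclass -o name
    if [ "$1" = openshift ]; then
        check snap "cluster operator csi-snapshot-controller is Available: True" \
            says True "$cli" get clusteroperator csi-snapshot-controller \
            -o 'jsonpath={.status.conditions[?(@.type=="Available")].status}'
        # OpenShift reports etcd encryption in the cluster APIServer resource
        check enc "etcd encryption at rest is enabled" \
            names_encryption "$cli" get apiserver cluster \
            -o 'jsonpath={.spec.encryption.type}'
    else
        # presence only; the required snapshotter version is not checked here
        check snap "external-snapshotter VolumeSnapshot CRD is installed" \
            "$cli" get crd volumesnapshots.snapshot.storage.k8s.io
    fi
    [ -z "$FAILED" ]
}
```

Source the file on the installation host and run preflight kubernetes or preflight openshift; the ids left in FAILED name the prerequisites that still need attention.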


 

IBM Spectrum Protect Plus prerequisites

The IBM Spectrum Protect Plus server and the IBM Spectrum Protect Plus vSnap server must be provisioned and configured by the IBM Spectrum Protect Plus administrator:

  • An administrative account for Container Backup Support must be configured on IBM Spectrum Protect Plus.
    This administrative account can be configured as a global Lightweight Directory Access Protocol (LDAP) account in the data center. This global account is required for access to all external components that interact with Container Backup Support.
    You must specify this account name in the SPP_ADMIN_USERNAME parameter in the baas_options.sh configuration file before you deploy Container Backup Support. The baas_options.sh file is in the installation directory. For instructions, see Setting up the installation variables
  • An IBM Spectrum Protect Plus instance must be deployed in a container environment or as a VMware virtual appliance. Network connectivity must exist to and from the target cluster. The IBM Spectrum Protect Plus Internet Protocol (IP) address and port number must be specified in the baas-values.yaml file before you deploy Container Backup Support. Only one port (443) can be specified for use with all IBM Spectrum Protect Plus instances.
  • Optional: For copy backup and copy restore operations, the IBM Spectrum Protect Plus vSnap server must be provisioned and configured by the IBM Spectrum Protect Plus administrator. An IBM Spectrum Protect Plus vSnap instance must be deployed as a VMware virtual appliance and configured to store backups:
    • Network connectivity must exist to and from the target Kubernetes or OpenShift cluster and the IBM Spectrum Protect Plus vSnap instance.
    • If backups are encrypted at rest, ensure that enough capacity is allocated for encryption on the vSnap server.



 


Connectivity

Ensure that the following connectivity requirements are met:

  • The Secure Shell (SSH) service is running on Kubernetes NodePort services.
  • Firewalls are configured to allow IBM Spectrum Protect Plus to connect to data mover containers by using SSH over the NodePort port range of the Kubernetes or OpenShift cluster. The NodePort service allows the specific port in the NodePort range to be determined by Kubernetes or OpenShift at run time.
  • All servers, proxies, applications, and hypervisors that are added to the IBM Spectrum Protect Plus environment must be registered by using a Fully Qualified Domain Name (FQDN) name or Internet Protocol (IP) address.
  • If FQDN names are used, they must be resolvable over the network by the IBM Spectrum Protect Plus server and the vSnap server. All IBM Spectrum Protect Plus components must also be resolvable by their DNS names.
  • If FQDN is not available, you must add the server to the /etc/hosts file on the IBM Spectrum Protect Plus server by using the command line.



 


Authentication and privileges

  • Specify the username for the IBM Spectrum Protect Plus administrator with the containers role in the baas_options.sh configuration file. For more information, see Setting up the installation variables
  • The data mover runs as a privileged container to access the device location on the host system of the volume that is being protected. The application agent also runs as a privileged container to gain access to the sudo command to set up the data mover user account in the container at run time. The application agent accesses no host resources.
  • Depending on their role, enterprise application developers and backup administrators interact with different user interfaces to protect persistent data in containers, as described in User roles



 


Prerequisites and operations

Prerequisites


 

Operations

Before you start a backup or restore operation, ensure that your system meets the following requirements:

  • After Container Backup Support is installed, the application host for the Container Backup Support container is automatically registered upon startup of the cluster host in Kubernetes or OpenShift. When a cluster is registered with IBM Spectrum Protect Plus, an inventory of the resources in the cluster is automatically captured, enabling you to complete backup and restore jobs and to run reports. If the automatic registration is not successful and your cluster does not appear in the IBM Spectrum Protect Plus user interface, you must manually register the cluster. For instructions, see Registering a Kubernetes cluster or Registering an OpenShift cluster.
  • If you do not plan to use the default SLA policy for containers, ensure that you configure an SLA policy. For instructions, see Creating an SLA policy for containers
  • Assign appropriate roles and resource groups to users who are running backup and restore operations. Grant users access to resources and roles by using the Accounts pane.

Review the following information about creating backup and restore jobs:

  • You can use the IBM Spectrum Protect Plus user interface to back up or restore Kubernetes persistent volumes, namespace-scoped resources, and cluster-scoped resources. For instructions, see Backing up and restoring Kubernetes clusters
  • You can use the IBM Spectrum Protect Plus user interface to back up or restore OpenShift resources such as persistent volumes, project-scoped resources, and cluster-scoped resources. For instructions, see Backing up and restoring OpenShift clusters.

For an overview about protecting containers with IBM Spectrum Protect Plus, see Protecting containers


Ports

The following ports are used by IBM Spectrum Protect Plus agents.

Table 3. Communication ports when the target is an IBM Spectrum Protect Plus agent

| Port | Protocol | Initiator | Target | Description |
| --- | --- | --- | --- | --- |
| Assigned by the NodePort service in Kubernetes | Transmission Control Protocol (TCP) | IBM Spectrum Protect Plus server | Kubernetes or OpenShift agent | Used by IBM Spectrum Protect Plus to connect to the data mover container to deploy and run agents |

Note: By default, port 30001 is used for SSH connections to the Kubernetes or OpenShift agent containers. This port is configurable and is port-forwarded to port 22. This port is used only when a containerized IBM Spectrum Protect Plus server opens an SSH connection to the Kubernetes or OpenShift agent container. SSH connections are never used within the Container Backup Support containers.


 


 

Table 4. Communication ports when the initiator is the IBM Spectrum Protect Plus agent

| Port | Protocol | Initiator | Target | Description |
| --- | --- | --- | --- | --- |
| 111 | TCP and User Datagram Protocol (UDP) | Kubernetes or OpenShift agent | vSnap server | Used for NFS data transfer to and from file systems mounted from vSnap servers during backup and restore operations |
| 443 | TCP | Kubernetes or OpenShift agent | IBM Spectrum Protect Plus server | Used for IBM Spectrum Protect Plus issued commands to run backup, restore, inventory, and other operations |
| 2049 | TCP and UDP | Kubernetes or OpenShift agent | vSnap server | Used for NFS data transfer to and from file systems mounted from vSnap servers during backup and restore operations |
| 20048 | TCP and UDP | Kubernetes or OpenShift agent | vSnap server | Used for NFS data transfer to and from file systems mounted from vSnap servers during backup and restore operations |



 


Hardware

The required system resources are based on the default installation parameters. By default, when you use the Helm chart for installation, you start with the containers and required resources that are listed in the table.

Table 5. Minimum resource requirements for Container Backup Support

| Component | Replica | CPU (request) | CPU (limit) | Memory (request) | Memory (limit) |
| --- | --- | --- | --- | --- | --- |
| Baas-spp-agent | 1 | 2m | 3 | 800Mi | 1000Mi |
| Baas-cert-monitor* | 1 | 250m | 1 | 50Mi | 250Mi |
| Baas-datamover | 1 | 100m | 500m | 500Mi | 1000Mi |
| Baas-kafka | 1 | 300m | 2 | 400Mi | 1Gi |
| Baas-scheduler | 1 | 100m | 750m | 150Mi | 500Mi |
| Baas-controller | 1 | 250m | 1 | 50Mi | 250Mi |
| Baas-MinIO | 1 | 100m | 3 | 600Mi | 3Gi |
| Baas-transaction-manager | 3 | 200m | 1 | 100Mi | 500Mi |
| Baas-transaction-manager-worker | 3 | 200m | 2 | 250Mi | 500Mi |
| Baas-transaction-manager-redis | 3 | 50m | 200m | 50Mi | 250Mi |
| Baas-strimzi-cluster-operator (Kubernetes environment) or Amq-streams-cluster-operator (OpenShift environment) | 1 | 200m | 1 | 384Mi | 384Mi |
| Baas-entity-operator | 1 | 300m | 2 | 400Mi | 1Gi |
| Baas-zookeeper | 1 | 300m | 2 | 400Mi | 1Gi |

* Applicable only in a Kubernetes environment.

Note: Beginning with IBM Spectrum Protect Plus V10.1.8, the baas-entity-operator is a requirement for Kubernetes and OpenShift environments.


Tip: The CPU resource is measured in Kubernetes cpu units. Memory is specified in units of bytes. For more information about CPU units and memory, see Managing Resources for Containers.



 


Document Information

Modified date:
30 August 2021

UID

ibm16422823