IBM Support

Container backup and restore requirements: IBM Spectrum Protect Plus 10.1.9

Preventive Service Planning


Abstract

This document details the container backup and restore requirements for IBM Spectrum Protect Plus 10.1.9.

Content


General

Beginning with IBM Spectrum Protect Plus 10.1.5, support was added to protect persistent volume claims that are attached to containers in Kubernetes clusters. Operations were initiated by using the Kubernetes command line. In IBM Spectrum Protect Plus 10.1.6, backup support for containers was extended to the IBM Spectrum Protect Plus user interface. In addition, the Container Backup Support package was made available for download from the IBM Helm Charts Repository by using the IBM Entitled Registry.

In IBM Spectrum Protect Plus 10.1.7, support was added to protect container clusters on Red Hat® OpenShift® Container Platform. In addition, container backup support was extended to protect Red Hat OpenShift and Kubernetes cluster-scoped and namespace-scoped resources. Container backup support was extended to include the IBM block storage Container Storage Interface (CSI) driver 1.2.0.

In IBM Spectrum Protect Plus 10.1.8, support was added to protect Red Hat OpenShift Container Platform and Kubernetes container data with added Ceph File System (CephFS) support. In addition, container backup support was extended to protect Red Hat OpenShift Container Platform and Kubernetes container data with IBM Spectrum Scale. Before you deploy IBM Spectrum Protect Plus 10.1.8 Container Backup Support in the Red Hat OpenShift or Kubernetes environment, ensure that the system environment meets the requirements and any prerequisite software is up to date, with all security-related patches applied.

In IBM Spectrum Protect Plus 10.1.9, you can back up Red Hat OpenShift or Kubernetes container data directly to object storage in the cloud without using an IBM Spectrum Protect Plus vSnap server as intermediary storage. In addition, you can install Container Backup Support by using an operator in an online environment. On Red Hat OpenShift clusters, you can install the Container Backup Support operator and instance by using the Red Hat OpenShift web console or command line. On Kubernetes clusters, you can install the Container Backup Support operator and instance at the command line. You can also install Container Backup Support by using an operator in an airgap environment. In the Kubernetes environment, cert-manager is now used to manage security certificates.



 

Configuration

Application versions

Docker containers version 17.09.00 and later are supported in Container Backup Support.


 

Supported Architecture

The supported architecture for all Container Backup Support levels is AMD64.


 

Cluster requirements

Table 1. Coverage matrix for supported software and systems to protect Red Hat OpenShift environments that are attached to clusters

Operating environment
  • Red Hat OpenShift Container Platform (OCP)(1)
    • 4.7 or later updates (Beginning with 10.1.8)
    • 4.8 or later updates (Beginning with 10.1.8 ifix2)
    • 4.9 or later updates (Beginning with 10.1.9 ifix3)
  • Red Hat OpenShift Data Foundation (ODF) (formerly Red Hat OpenShift Container Storage (OCS))
    • 4.6 or later updates (Beginning with 10.1.7)
    • 4.7 or later updates (Beginning with 10.1.8 patch1)
    • 4.8 or later updates (Beginning with 10.1.8 ifix2)
    • 4.9 or later updates (Beginning with 10.1.9 ifix3)
Operating environment support
  • Red Hat OpenShift deployed in a private cloud environment
  • Red Hat OpenShift deployed in Microsoft Azure Red Hat OpenShift service or deployed in Azure cloud (customer managed)

Note:

  • (1) For Red Hat OpenShift Container Platform 4.6, use IBM Spectrum Protect Plus 10.1.8.
    Red Hat OpenShift Container Platform levels that were supported in earlier IBM Spectrum Protect Plus releases reached end of life; see Red Hat OpenShift Container Platform Life Cycle Policy.
  • Red Hat OpenShift API for Data Protection (OADP), which is used to install Velero, is included in IBM Spectrum Protect Plus 10.1.9.
  • Velero, which protects cluster-scoped and namespace-scoped resources, is included in IBM Spectrum Protect Plus 10.1.9.

 
Table 2. Coverage matrix for persistent storage types that are supported for backup and recovery operations for PersistentVolume (PV) resources in a Red Hat OpenShift environment

Storage | Storage version | Corresponding CSI Driver | CSI Driver Version
External Ceph File System (CephFS) - External Mode | Red Hat OpenShift recommended version* (Beginning with 10.1.8) | Ceph Container Storage Interface (CSI) driver with Ceph FS storage | Installed with OCS, or 3.1.0 or later (Beginning with 10.1.8)
Ceph Rados Block Device (RBD) - External Mode | Red Hat OpenShift recommended version* (Beginning with 10.1.7) | Ceph Container Storage Interface (CSI) driver with Rados Block Device | Installed with OCS, or 3.0 or later (Beginning with 10.1.7)
IBM block storage | n/a | IBM block storage CSI for virtualized storage(2) | 1.3 or later (Beginning with 10.1.7); 1.6 or later (Beginning with 10.1.8 ifix2); 1.7 or later (Beginning with 10.1.9)
IBM Spectrum Scale | 5.1.1 or later updates (Beginning with 10.1.8) | IBM Spectrum Scale CSI driver(3) | 2.2.0 or later updates (Beginning with 10.1.8)
Hitachi NAS (HNAS) | n/a | Hitachi NAS CSI Driver for Kubernetes | v1.1.1 or later (Beginning with 10.1.9)
NetApp storage (3a) | n/a | CSI Trident for Kubernetes (3b) | v21 or later (Beginning with 10.1.9)

Note:

  • *If you use Rook.io to install Ceph Storage Cluster, use the Rook.io Cloud Native Storage 1.4 or later.
  • (2) For IBM block storage CSI driver supported orchestration platforms, see under IBM block storage CSI driver>Release Notes>Compatibility and requirements.
  • (3) For IBM Spectrum Scale backups: Snapshots can be created only from independent fileset-based persistent volume claims (PVCs). PVCs that are based on lightweight directories and dependent file sets are not supported. These types of PVCs are automatically filtered and are not displayed in the container inventory in the IBM Spectrum Protect Plus user interface.
  • (3a) Copy to vSnap is not supported; copy to object storage is supported.
  • (3b) ONTAP driver must support VolumeMode "Filesystem"; VolumeMode "Block" is not supported.

 
Table 3. Coverage matrix for supported software and systems to protect Kubernetes environments that are attached to clusters

Operating environment
  • Kubernetes(4)
    • 1.20 or later updates (Beginning with 10.1.8)
    • 1.21 or later updates (Beginning with 10.1.8 patch1)
    • 1.22 or later updates (Beginning with 10.1.9)
Operating environment support
  • Kubernetes deployed in a private cloud environment
More tools
  • Velero to protect cluster-scoped and namespace-scoped resources (5)(6)(7)
    • 1.6.0 or later updates (Beginning with 10.1.8 patch1)
    • 1.7.1 or later updates (Beginning with 10.1.9)

Notes:

  • (4) Kubernetes levels that were supported in earlier IBM Spectrum Protect Plus releases reached end of life; see Kubernetes Patch Releases.
  • (5) For instructions on installing Velero, see: Installing and configuring Velero.
  • (6) If an instance of Velero is already installed in the cluster, you must install and configure another instance of Velero. For more information, see Installing a second instance of Velero.
  • (7) For Velero versions:
    • 1.4.2, 1.4.3, 1.5.1 use IBM Spectrum Protect Plus 10.1.7.
    • 1.5.2 use IBM Spectrum Protect Plus 10.1.8.

Table 4. Coverage matrix for persistent storage types that are supported for backup and recovery operations for PersistentVolume (PV) resources in a Kubernetes environment

Storage | Storage version | Corresponding CSI Driver | CSI Driver Version
External Ceph File System (CephFS) - External Mode | On Ceph Storage Cluster 15.2.8 or later * (Beginning with 10.1.8) | with Ceph FS storage | 3.1.0 or later (Beginning with 10.1.8)
Ceph Rados Block Device (RBD) - External Mode | On Ceph Storage Cluster 14.2.2 or later * (Beginning with 10.1.7) | Ceph Container Storage Interface (CSI) driver with Rados Block Device (RBD) storage (8) | 3.0 or later (Beginning with 10.1.7)
IBM block storage | n/a | IBM block storage CSI for virtualized storage(9) | 1.3 or later (Beginning with 10.1.8); 1.6 or later (Beginning with 10.1.8 ifix2); 1.7 or later (Beginning with 10.1.9)
IBM Spectrum Scale | 5.1.1 or later updates (Beginning with 10.1.8) | IBM Spectrum Scale CSI driver(10) | 2.2.0 or later updates (Beginning with 10.1.8)
Hitachi NAS (HNAS) | n/a | Hitachi NAS CSI Driver for Kubernetes | v1.1.1 or later (Beginning with 10.1.9)
NetApp storage (10a) | n/a | CSI Trident for Kubernetes (10b) | v21 or later (Beginning with 10.1.9)

Note:

  • Beginning with IBM Spectrum Protect Plus 10.1.9, Helm is not required for installation of Container Backup Support.
  • *If you use Rook.io to install Ceph Storage Cluster, use the Rook.io Cloud Native Storage 1.4 or later.
  • (8) For CSI driver 1.2, 2.0, and 2.1, use IBM Spectrum Protect Plus 10.1.6.
  • (9) For IBM block storage CSI driver supported orchestration platforms, see under IBM block storage CSI driver>Release Notes>Compatibility and requirements.
  • (10) For IBM Spectrum Scale backups: Snapshots can be created only from independent fileset-based persistent volume claims (PVCs). PVCs that are based on lightweight directories and dependent file sets are not supported. These types of PVCs are automatically filtered and are not displayed in the container inventory in the IBM Spectrum Protect Plus user interface.
  • (10a) Copy to vSnap is not supported; copy to object storage is supported.
  • (10b) ONTAP driver must support VolumeMode "Filesystem"; VolumeMode "Block" is not supported.

To install and configure container backup support, you must deploy the Container Backup Support software in the Kubernetes or Red Hat OpenShift cluster environment. For instructions, see Installing Container Backup Support.


 

Cloud storage for direct backup operations

The following cloud storage systems are supported for container workloads:

  • Amazon Simple Storage Service (Amazon S3)
  • IBM Cloud® Object Storage
    Note: For IBM Cloud Object Storage, retention enabled vaults are not supported.
  • Microsoft Azure Blob storage
  • S3 compatible storage
    Note: For S3 compatible storage, generic S3 support is based on external certification processes. For the list of supported S3 compatible providers, see Does IBM Spectrum Protect Plus support S3 compatible Object Storage?

You can copy snapshot data to cloud storage for longer-term data protection. Cloud storage can be selected as the primary backup location for container workloads.
For more information about cloud storage requirements for certificates, network, and cloud providers for container workloads, see System requirements: IBM Spectrum Protect Plus 10.1.9.


 

Restrictions

The following restrictions apply to Kubernetes and Red Hat OpenShift environments:

  • Backup operations for raw block device volumes (volumeMode 'Block') are not supported.
  • To ensure that a snapshot restore operation request works correctly, do not manually delete any snapshots of volumes that are protected by Container Backup Support.
  • You cannot restore a snapshot backup to a different cluster or namespace.
  • Container Backup Support protects only persistent storage that was allocated by a storage plug-in that supports the CSI.
  • Only formatted volumes can be mounted to the data mover for copy operations.
  • The Container Backup Support component is available only in English.
  • For IBM Cloud Object Storage, retention enabled vaults are not supported.



 

Software

Cluster prerequisites

  • Command-line tool:
    • Kubernetes environment: The Kubernetes command line tool kubectl must be accessible on the installation host and in the local path.
    • Red Hat OpenShift environment: The OpenShift command line tool oc must be accessible on the installation host and in the local path.
  • Tips for collecting metrics and improving performance:
    • In a Kubernetes environment: To help optimize product performance and scalability, ensure that Kubernetes Metrics Server v0.3.5 or later is installed and running on your cluster. For instructions, see Verifying whether the metrics server is running.
    • In a Red Hat OpenShift environment: The Kubernetes Metrics Server is included and augmented with Prometheus and Prometheus-Adapter for custom metrics. Prometheus and Prometheus-Adapter are part of the OpenShift Cluster Monitoring Operator. Ensure that the OpenShift Cluster Monitoring Operator is installed and running in the environment.
  • CSI external-snapshotter:
    • Kubernetes 1.20 and later environment: The CSI external-snapshotter v4.0.0 or later is required for snapshots of volumes on a storage system.
    • Red Hat OpenShift environment: The external-snapshotter is part of the installation package. Ensure that the cluster operator csi-snapshot-controller is in the Available: True state.
  • A storage class must be defined for the persistent volumes that are being protected.
  • The target image registry must be accessible from the Kubernetes or OpenShift cluster. The target image registry can be a local image registry or an external image registry.
  • The host that is used to install Container Backup Support must use a kubeconfig file (KUBECONFIG) with cluster-admin privileges.
  • To create new cluster-wide resources, you must be logged in to the target cluster as a user with cluster-admin privileges.
  • Ensure that Container Backup Support secrets that include user IDs, passwords, and keys are encrypted at rest in the etcd distributed key-value store. For more information, see Encrypting Secret Data at Rest.
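
A check for the last prerequisite above, as an added example that is not IBM code: on upstream Kubernetes the kube-apiserver encrypts new writes with the first provider listed for a resource in its EncryptionConfiguration file, so a `secrets` rule that lists `identity` first still stores Secrets in plaintext. The sample configuration is constructed (the parsed form of the YAML file, with placeholder key material), the function names are hypothetical, and wildcard resource entries are not handled.

```python
"""Audit a kube-apiserver EncryptionConfiguration for plaintext Secret storage."""

# Constructed sample: parsed form of an EncryptionConfiguration file.
# The key material is a placeholder, not a real key.
SAMPLE_CONFIG = {
    "apiVersion": "apiserver.config.k8s.io/v1",
    "kind": "EncryptionConfiguration",
    "resources": [
        {
            "resources": ["configmaps"],
            "providers": [
                {"aescbc": {"keys": [{"name": "key1", "secret": "<BASE64_KEY>"}]}},
                {"identity": {}},
            ],
        },
        {
            "resources": ["secrets"],
            # identity is listed first: new Secrets are written unencrypted
            "providers": [
                {"identity": {}},
                {"aescbc": {"keys": [{"name": "key1", "secret": "<BASE64_KEY>"}]}},
            ],
        },
    ],
}


def provider_name(provider):
    """Each provider entry is a single-key mapping, e.g. {"aescbc": {...}}."""
    return next(iter(provider))


def audit_secret_encryption(config):
    """Return a list of findings; an empty list means nothing to fix."""
    if config.get("kind") != "EncryptionConfiguration":
        return ["not an EncryptionConfiguration document"]
    findings = []
    covered = False
    for index, rule in enumerate(config.get("resources", [])):
        # Only explicit "secrets" entries are matched (wildcards not handled).
        if "secrets" not in rule.get("resources", []):
            continue
        covered = True
        providers = [provider_name(p) for p in rule.get("providers", [])]
        if not providers:
            findings.append(f"rule {index}: no providers listed for secrets")
        elif providers[0] == "identity":
            findings.append(
                f"rule {index}: identity is the first provider, secrets are written in plaintext")
        elif "identity" in providers:
            # identity as a fallback only lets the API server read old
            # plaintext objects; it should go once they are rewritten.
            findings.append(
                f"rule {index}: identity fallback present, rewrite existing secrets and remove it")
    if not covered:
        findings.append("no rule covers secrets, so they are stored unencrypted")
    return findings


if __name__ == "__main__":
    for finding in audit_secret_encryption(SAMPLE_CONFIG):
        print(finding)
```
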


 

IBM Spectrum Protect Plus prerequisites

The IBM Spectrum Protect Plus server and the IBM Spectrum Protect Plus vSnap server must be provisioned and configured by the IBM Spectrum Protect Plus administrator:

  • An administrative account for Container Backup Support must be configured on IBM Spectrum Protect Plus.
    This administrative account can be configured as a global Lightweight Directory Access Protocol (LDAP) account in the data center. This global account is required for access to all external components that interact with Container Backup Support.
  • An IBM Spectrum Protect Plus instance must be deployed in a container environment or as a VMware virtual appliance. Network connectivity must exist to and from the target cluster. The IBM Spectrum Protect Plus Internet Protocol (IP) address and port number must be specified in the baas-values-cr.yaml file before you deploy Container Backup Support. Only one port (443) can be specified for use with all IBM Spectrum Protect Plus instances.
  • Optional: For copy backup and copy restore operations, the IBM Spectrum Protect Plus vSnap server must be provisioned and configured by the IBM Spectrum Protect Plus administrator. An IBM Spectrum Protect Plus vSnap instance must be deployed as a VMware virtual appliance and configured to store backups:
    • Network connectivity must exist to and from the target Kubernetes or OpenShift cluster and the IBM Spectrum Protect Plus vSnap instance.
    • If backups are encrypted at rest, ensure that enough capacity is allocated for encryption on the vSnap server.



 

Connectivity

Ensure that the following connectivity requirements are met:

  • All servers, proxies, applications, and hypervisors that are added to the IBM Spectrum Protect Plus environment must be registered by using a fully qualified domain name (FQDN) or Internet Protocol (IP) address.
  • If FQDNs are used, they must be resolvable over the network by the IBM Spectrum Protect Plus server and the vSnap server. All IBM Spectrum Protect Plus components must also be resolvable by their DNS names.
  • If FQDN is not available, you must add the server to the /etc/hosts file on the IBM Spectrum Protect Plus server by using the command line.



 

Authentication and privileges

  • During the installation, specify the username for the IBM Spectrum Protect Plus administrator with the containers role. For more information, see Setting up the installation variables.
  • The data mover runs as a privileged container to access the device location on the host system of the volume that is being protected. The application agent also runs as a privileged container to gain access to the sudo command to set up the data mover user account in the container at run time. The application agent accesses no host resources.
  • Depending on their role, enterprise application developers and backup administrators interact with different user interfaces to protect persistent data in containers, as described in User roles.
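
Because the data mover and the application agent are the only containers described above as privileged, an allowlist audit of the cluster is practical: any other privileged container is worth investigating. The following is an added example, not IBM code; the pod list is constructed in the shape of `kubectl get pods -o json` output, and the namespace and container names in it (`baas`, `baas-datamover`, `baas-spp-agent`, `debug-shell`) are assumptions, loosely based on the component names in the hardware table.

```python
import json

# Containers expected to run privileged, per the text above (names are assumed).
EXPECTED_PRIVILEGED = {"baas-datamover", "baas-spp-agent"}

# Constructed sample in the shape of `kubectl get pods -n <namespace> -o json`.
SAMPLE_POD_LIST = json.loads("""
{"items": [
  {"metadata": {"name": "baas-datamover-abc", "namespace": "baas"},
   "spec": {"containers": [
     {"name": "baas-datamover", "securityContext": {"privileged": true}}]}},
  {"metadata": {"name": "baas-spp-agent-def", "namespace": "baas"},
   "spec": {"containers": [
     {"name": "baas-spp-agent", "securityContext": {"privileged": true}}]}},
  {"metadata": {"name": "baas-scheduler-ghi", "namespace": "baas"},
   "spec": {"initContainers": [
              {"name": "debug-shell", "securityContext": {"privileged": true}}],
            "containers": [
              {"name": "baas-scheduler", "securityContext": {"privileged": false}}]}},
  {"metadata": {"name": "baas-controller-jkl", "namespace": "baas"},
   "spec": {"containers": [{"name": "baas-controller"}]}}
]}
""")


def privileged_containers(pod_list):
    """Yield (namespace, pod, container) for every privileged container."""
    for pod in pod_list.get("items", []):
        meta, spec = pod.get("metadata", {}), pod.get("spec", {})
        # Init and ephemeral containers can be privileged too, so check all three.
        for field in ("initContainers", "containers", "ephemeralContainers"):
            for c in spec.get(field) or []:
                if (c.get("securityContext") or {}).get("privileged") is True:
                    yield meta.get("namespace"), meta.get("name"), c.get("name")


def audit(pod_list, expected=EXPECTED_PRIVILEGED):
    """Split privileged containers into expected and unexpected ones."""
    report = {"expected": [], "unexpected": [], "missing": []}
    seen = set()
    for ns, pod, container in privileged_containers(pod_list):
        seen.add(container)
        key = "expected" if container in expected else "unexpected"
        report[key].append(f"{ns}/{pod}:{container}")
    # An allowlisted name that never shows up privileged means the list is stale.
    report["missing"] = sorted(set(expected) - seen)
    return report


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_POD_LIST), indent=2))
```
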



 

Prerequisites and operations

Prerequisites


 

Operations

Before you start a backup or restore operation, ensure that your system meets the following requirements:

  • After Container Backup Support is installed, the application host for the Container Backup Support container is automatically registered upon startup of the cluster host in Kubernetes or OpenShift. When a cluster is registered with IBM Spectrum Protect Plus, an inventory of the resources in the cluster is automatically captured, which enables you to complete backup and restore jobs and to run reports. If the automatic registration is not successful and your cluster does not appear in the IBM Spectrum Protect Plus user interface, you must manually register the cluster. For instructions, see Registering a Kubernetes cluster or Registering an OpenShift cluster.
  • You can use an IBM Spectrum Protect Plus vSnap server, or you can directly use a cloud storage system, as the primary storage for backing up Kubernetes container data. For instructions, see Managing backup storage.
  • If you do not plan to use the default SLA policy for containers, ensure that you configure an SLA policy. For instructions, see Creating an SLA policy for containers.
  • Assign appropriate roles and resource groups to users who run backup and restore operations. Grant users access to resources and roles by using the Accounts pane.

Review the following information about creating backup and restore jobs:

  • You can use the IBM Spectrum Protect Plus user interface to back up or restore Kubernetes persistent volumes, namespace-scoped resources, and cluster-scoped resources. For instructions, see Backing up and restoring Kubernetes clusters.
  • You can use the IBM Spectrum Protect Plus user interface to back up or restore OpenShift resources such as persistent volumes, project-scoped resources, and cluster-scoped resources. For instructions, see Backing up and restoring OpenShift clusters.

For an overview about protecting containers with IBM Spectrum Protect Plus, see Protecting containers.



 

Ports

The following ports are used by IBM Spectrum Protect Plus agents.

Table 3. Communication ports when the target is an IBM Spectrum Protect Plus agent
Port | Protocol | Initiator | Target | Description
Assigned by the NodePort service in Kubernetes | Transmission Control Protocol (TCP) | IBM Spectrum Protect Plus server | Kubernetes or OpenShift agent | Used by IBM Spectrum Protect Plus to connect to the data mover container to deploy and run agents

Note: By default, port 31245 is used for REST API connections to the Kubernetes or OpenShift agent containers.



 

Table 4. Communication ports when the initiator is the IBM Spectrum Protect Plus agent
Port | Protocol | Initiator | Target | Description
111 | TCP and User Datagram Protocol (UDP) | Kubernetes or OpenShift agent | vSnap server | Used for NFS data transfer to and from file systems mounted from vSnap servers during backup and restore operations
443 | TCP | Kubernetes or OpenShift agent | IBM Spectrum Protect Plus server | Used for IBM Spectrum Protect Plus issued commands to run backup, restore, inventory, and other operations
2049 | TCP and UDP | Kubernetes or OpenShift agent | vSnap server | Used for NFS data transfer to and from file systems mounted from vSnap servers during backup and restore operations
20048 | TCP and UDP | Kubernetes or OpenShift agent | vSnap server | Used for NFS data transfer to and from file systems mounted from vSnap servers during backup and restore operations



 

Hardware

The required system resources are based on the default installation parameters.

Table 5. Minimum resource requirements for Container Backup Support

Component | Replica | CPU (request) | CPU (limit) | Memory (request) | Memory (limit)
Baas-spp-agent | 1 | 2 | 3 | 800Mi | 1000Mi
Baas-datamover | 1 | 100m | 500m | 500Mi | 1000Mi
Baas-kafka | 1 | 300m | 2 | 400Mi | 1Gi
Baas-scheduler | 1 | 100m | 750m | 150Mi | 500Mi
Baas-controller | 1 | 250m | 1 | 50Mi | 250Mi
Baas-MinIO | 1 | 100m | 3 | 600Mi | 3Gi
Baas-transaction-manager | 3 | 200m | 1 | 100Mi | 500Mi
Baas-transaction-manager-worker | 3 | 200m | 2 | 250Mi | 500Mi
Baas-transaction-manager-redis | 3 | 50m | 200m | 50Mi | 250Mi
Baas-strimzi-cluster-operator | 1 | 200m | 1 | 384Mi | 384Mi
Baas-entity-operator | 1 | 300m | 2 | 400Mi | 1Gi
Baas-zookeeper | 1 | 300m | 2 | 400Mi | 1Gi
Oadp-operator (Red Hat OpenShift environment) | 1 | 500m | 1 | 128Mi | 512Mi
Velero (Red Hat OpenShift environment) | 1 | 500m | 1 | 256Mi | 512Mi

Note:

  • Beginning with IBM Spectrum Protect Plus 10.1.8, the baas-entity-operator is required for Kubernetes and OpenShift environments.
  • Beginning with IBM Spectrum Protect Plus 10.1.9, the component Baas-cert-monitor (Kubernetes environment) and the component Amq-streams-cluster-operator (OpenShift environment) are no longer required.
  • Beginning with IBM Spectrum Protect Plus 10.1.9, the component oadp-operator and the component Velero are required for the OpenShift environment.


Tip: The CPU resource is measured in Kubernetes CPU units. Memory is specified in units of bytes. For more information about CPU units and memory, see Managing Resources for Containers.



 


Document Information

Modified date:
02 March 2022

UID

ibm16509824