NetBackup™ Deployment Guide for Kubernetes Clusters

Last Published:
Product(s): NetBackup & Alta Data Protection (11.0.0.1)
  1. Introduction
    1. About Cloud Scale deployment
      1.  
        Decoupling of NetBackup web services from primary server
      2.  
        Decoupling of NetBackup Policy and Job Management from primary server
      3.  
        Logging feature (fluentbit) in Cloud Scale
    2.  
      About NetBackup Snapshot Manager
    3.  
      Required terminology
    4.  
      User roles and permissions
  2. Section I. Configurations
    1. Prerequisites
      1.  
        Preparing the environment for NetBackup installation on Kubernetes cluster
      2.  
        Prerequisites for Snapshot Manager (AKS/EKS)
      3. Prerequisites for Kubernetes cluster configuration
        1.  
          Config-Checker utility
        2.  
          Data-Migration for AKS
        3.  
          Webhooks validation for EKS
      4. Prerequisites for Cloud Scale configuration
        1.  
          Cluster specific settings
        2.  
          Cloud specific settings
      5.  
        Prerequisites for deploying environment operators
      6.  
        Prerequisites for using private registry
    2. Recommendations and Limitations
      1.  
        Recommendations of NetBackup deployment on Kubernetes cluster
      2.  
        Limitations of NetBackup deployment on Kubernetes cluster
      3.  
        Recommendations and limitations for Cloud Scale deployment
    3. Configurations
      1.  
        Contents of the TAR file
      2.  
        Initial configurations
      3.  
        Configuring the environment.yaml file
      4.  
        Configuring an External Certificate Authority for Web UI port 443
      5. Loading docker images
        1.  
          Installing the docker images for NetBackup
        2.  
          Installing the docker images for Snapshot Manager
        3.  
          Installing the docker images and binaries for MSDP Scaleout
      6.  
        Configuring NetBackup IT Analytics for NetBackup deployment
      7. Configuring NetBackup
        1. Primary and media server CR
          1.  
            After installing primary server CR
          2.  
            After Installing the media server CR
        2.  
          Elastic media server
    4. Configuration of key parameters in Cloud Scale deployments
      1.  
        Tuning touch files
      2.  
        Setting maximum jobs per client
      3.  
        Setting maximum jobs per media server
      4.  
        Enabling intelligent catalog archiving
      5.  
        Enabling security settings
      6.  
        Configuring email server
      7.  
        Reducing catalog storage management
      8.  
        Configuring zone redundancy
      9.  
        Enabling client-side deduplication capabilities
      10.  
        Parameters for logging (fluentbit)
      11.  
        Managing media server configurations in Web UI
  3. Section II. Deployment
    1. Deploying Cloud Scale
      1.  
        How to deploy Cloud Scale
      2.  
        Deploying the operators
      3.  
        Deploying fluentbit for logging
      4. Deploying Postgres
        1.  
          Enable request logging, update configuration, and copying files from/to PostgreSQL pod
      5. Deploying Cloud Scale environment
        1.  
          Installing Cloud Scale environment
        2. Single node Cloud Scale Technology deployment
          1.  
            Steps to deploy Cloud Scale in single node
      6.  
        Verifying Cloud Scale deployment
      7. Post Cloud Scale deployment tasks
        1.  
          Restarting Cloud Scale Technology services
  4. Section III. Monitoring and Management
    1. Monitoring NetBackup
      1.  
        Monitoring the application health
      2.  
        Telemetry reporting
      3.  
        About NetBackup operator logs
      4.  
        Monitoring Primary/Media server CRs
      5.  
        Expanding storage volumes
      6. Allocating static PV for Primary and Media pods
        1.  
          Expanding log volumes for primary pods
        2.  
          Recommendation for media server volume expansion
        3.  
          (AKS-specific) Allocating static PV for Primary and Media pods
        4.  
          (EKS-specific) Allocating static PV for Primary and Media pods
    2. Monitoring Snapshot Manager
      1.  
        Overview
      2.  
        Configuration parameters
    3. Monitoring fluentbit
      1.  
        Monitoring fluentbit for logging
    4. Monitoring MSDP Scaleout
      1.  
        About MSDP Scaleout status and events
      2.  
        Monitoring with Amazon CloudWatch
      3.  
        Monitoring with Azure Container insights
      4.  
        The Kubernetes resources for MSDP Scaleout and MSDP operator
    5. Managing NetBackup
      1.  
        Managing NetBackup deployment using VxUpdate
      2.  
        Updating the Primary/Media server CRs
      3.  
        Migrating the cloud node for primary or media servers
      4.  
        Migrating cpServer controlPlane node
    6. Managing the Load Balancer service
      1.  
        About the Load Balancer service
      2.  
        Notes for Load Balancer service
      3.  
        Opening the ports from the Load Balancer service
      4.  
        Steps for upgrading Cloud Scale from multiple media load balancer to none
    7. Managing PostrgreSQL DBaaS
      1.  
        Changing database server password in DBaaS
      2.  
        Updating database certificate in DBaaS
    8. Managing logging
      1.  
        Viewing NetBackup logs
      2.  
        Extracting NetBackup logs
    9. Performing catalog backup and recovery
      1.  
        Backing up a catalog
      2. Restoring a catalog
        1.  
          Primary server corrupted
        2.  
          MSDP-X corrupted
        3.  
          MSDP-X and Primary server corrupted
  5. Section IV. Maintenance
    1. PostgreSQL DBaaS Maintenance
      1.  
        Configuring maintenance window for PostgreSQL database in AWS
      2.  
        Setting up alarms for PostgreSQL DBaaS instance
    2. Patching mechanism for primary, media servers, fluentbit pods, and postgres pods
      1.  
        Overview
      2.  
        Patching of primary containers
      3.  
        Patching of media containers
      4.  
        Patching of fluentbit collector pods
      5.  
        Update containerized PostgreSQL pod
    3. Upgrading
      1. Upgrading Cloud Scale Technology
        1.  
          Prerequisites for Cloud Scale Technology upgrade
        2.  
          Upgrade the cluster
        3.  
          Upgrade the add-ons
        4.  
          Upgrade the operators
        5.  
          Upgrade fluentbit
        6.  
          Upgrade PostgreSQL database
        7.  
          Create db-cert bundle
        8.  
          Upgrade Cloud Scale
    4. Cloud Scale Disaster Recovery
      1.  
        Cluster backup
      2.  
        Environment backup
      3.  
        Cluster recovery
      4.  
        Cloud Scale recovery
      5.  
        Environment Disaster Recovery
      6.  
        DBaaS Disaster Recovery
    5. Uninstalling
      1.  
        Uninstalling NetBackup environment and the operators
      2.  
        Uninstalling Postgres using Helm charts
      3.  
        Uninstalling fluentbit using Helm charts
      4.  
        Uninstalling Snapshot Manager from Kubernetes cluster
      5. Uninstalling MSDP Scalout from Kubernetes cluster
        1.  
          Cleaning up MSDP Scaleout
        2.  
          Cleaning up the MSDP Scaleout operator
    6. Troubleshooting
      1. Troubleshooting AKS and EKS issues
        1.  
          View the list of operator resources
        2.  
          View the list of product resources
        3.  
          View operator logs
        4.  
          View primary logs
        5.  
          Socket connection failure
        6.  
          Resolving an issue where external IP address is not assigned to a NetBackup server's load balancer services
        7.  
          Resolving the issue where the NetBackup server pod is not scheduled for long time
        8.  
          Resolving an issue where the Storage class does not exist
        9.  
          Resolving an issue where the primary server or media server deployment does not proceed
        10.  
          Resolving an issue of failed probes
        11.  
          Resolving issues when media server PVs are deleted
        12.  
          Resolving an issue related to insufficient storage
        13.  
          Resolving an issue related to invalid nodepool
        14.  
          Resolve an issue related to KMS database
        15.  
          Resolve an issue related to pulling an image from the container registry
        16.  
          Resolving an issue related to recovery of data
        17.  
          Check primary server status
        18.  
          Pod status field shows as pending
        19.  
          Ensure that the container is running the patched image
        20.  
          Getting EEB information from an image, a running container, or persistent data
        21.  
          Resolving the certificate error issue in NetBackup operator pod logs
        22.  
          Pod restart failure due to liveness probe time-out
        23.  
          NetBackup messaging queue broker take more time to start
        24.  
          Host mapping conflict in NetBackup
        25.  
          Issue with capacity licensing reporting which takes longer time
        26.  
          Local connection is getting treated as insecure connection
        27.  
          Backing up data from Primary server's /mnt/nbdata/ directory fails with primary server as a client
        28.  
          Storage server not supporting Instant Access capability on Web UI after upgrading NetBackup
        29.  
          Taint, Toleration, and Node affinity related issues in cpServer
        30.  
          Operations performed on cpServer in environment.yaml file are not reflected
        31.  
          Elastic media server related issues
        32.  
          Failed to register Snapshot Manager with NetBackup
        33.  
          Post Kubernetes cluster restart, flexsnap-listener pod went into CrashLoopBackoff state or pods were unable to connect to flexsnap-rabbitmq
        34.  
          Post Kubernetes cluster restart, issues observed in case of containerized Postgres deployment
        35.  
          Request router logs
        36.  
          Issues with NBPEM/NBJM
        37.  
          Issues with logging feature for Cloud Scale
        38.  
          The flexsnap-listener pod is unable to communicate with RabbitMQ
        39.  
          Job remains in queue for long time
        40.  
          Extracting logs if the nbwsapp or log-viewer pods are down
      2. Troubleshooting AKS-specific issues
        1.  
          Data migration unsuccessful even after changing the storage class through the storage yaml file
        2.  
          Host validation failed on the target host
        3.  
          Primary pod goes in non-ready state
      3. Troubleshooting EKS-specific issues
        1.  
          Resolving the primary server connection issue
        2.  
          NetBackup Snapshot Manager deployment on EKS fails
        3.  
          Wrong EFS ID is provided in environment.yaml file
        4.  
          Primary pod is in ContainerCreating state
        5.  
          Webhook displays an error for PV not found
      4.  
        Troubleshooting issue for bootstrapper pod
  6. Appendix A. CR template
    1.  
      Secret
    2. MSDP Scaleout CR
      1.  
        MSDP Scaleout CR template for AKS
      2.  
        MSDP Scaleout CR template for EKS
  7. Appendix B. MSDP Scaleout
    1.  
      About MSDP Scaleout
    2.  
      Prerequisites for MSDP Scaleout (AKS\EKS)
    3.  
      Limitations in MSDP Scaleout
    4. MSDP Scaleout configuration
      1.  
        Initializing the MSDP operator
      2.  
        Configuring MSDP Scaleout
      3.  
        Configuring the MSDP cloud in MSDP Scaleout
      4.  
        Using MSDP Scaleout as a single storage pool in NetBackup
      5.  
        Using S3 service in MSDP Scaleout
      6.  
        Enabling MSDP S3 service after MSDP Scaleout is deployed
    5.  
      Installing the docker images and binaries for MSDP Scaleout (without environment operators or Helm charts)
    6.  
      Deploying MSDP Scaleout
    7. Managing MSDP Scaleout
      1.  
        Adding MSDP engines
      2.  
        Adding data volumes
      3. Expanding existing data or catalog volumes
        1.  
          Manual storage expansion
      4.  
        MSDP Scaleout scaling recommendations
      5. MSDP Cloud backup and disaster recovery
        1.  
          About the reserved storage space
        2. Cloud LSU disaster recovery
          1.  
            Recovering MSDP S3 IAM configurations from cloud LSU
      6.  
        MSDP multi-domain support
      7.  
        Configuring Auto Image Replication
      8. About MSDP Scaleout logging and troubleshooting
        1.  
          Collecting the logs and the inspection information
    8. MSDP Scaleout maintenance
      1.  
        Pausing the MSDP Scaleout operator for maintenance
      2.  
        Logging in to the pods
      3.  
        Reinstalling MSDP Scaleout operator
      4.  
        Migrating the MSDP Scaleout to another node pool

Configuring an External Certificate Authority for Web UI port 443

During Cloud Scale installation, a Cloud Scale environment is configured to use a certificate issued by the NetBackup Certificate Authority for Web UI (port 443). The following sections provide the steps to replace the default certificate with an External Certificate Authority (ECA) on Cloud Scale.

Prerequisites

Ensure that all the following files are available and ready before proceeding:

  • ca.pem: A PEM-formatted file, containing the Root CA certificate from which the Web UI certificate was issued.

  • cert.pem: A PEM-formatted file, that includes the Web UI certificate chain, consisting of the leaf certificate and any intermediate CA certificates.

  • privatekey.pem: PKCS #8 PEM-formatted file, containing the encrypted private key for the Web UI certificate.

  • passphrase.txt,: A plaintext file, containing the passphrase used to encrypt the private key. Ensure that the plaintext file contains only a single line with the passphrase and does not end with a new line.

Basic sanity verification for ca.pem, cert.pem, privatekey.pem and passphrase.txt, files:

  1. Execute the following commands and ensure that the output of both the commands result in a matching value for cert.pem and privatekey.pem files:

    $ openssl x509 -noout -modulus -in cert.pem | openssl sha256

    $ openssl rsa -noout -modulus -in privatekey.pem -passin file:passphrase.txt | openssl sha256

  2. Check the validity of the certificate and presence of the primary server name in the certificate by executing the following command to list the certificate details:

    $ openssl x509 -text -in cert.pem -noout

    Verify the Not Before and Not After fields display the certificate is valid and has not expired. Confirm that the primary server name appears in the X509v3 Subject Alternative Name. If X509v3 Subject Alternative Name is missing, then confirm that the primary server name appears in the Subject as a CN.

  3. Execute the following command to verify that a complete certificate chain exists in cert.pem and ca.pem files:

    $ openssl verify -CAfile ca.pem -untrusted cert.pem cert.pem

    cert.pem: OK

Configuring an external certificate

Perform the steps described in the following procedure to configure external certificate for the first time.

Configure an external certificate for the first time

  1. Log in to the host where the Kubernetes cluster is managed and has the kubectl command.
  2. Execute the following commands to create the tpcredentials directory and copy the artifacts into the primary pod:

    $ kubectl exec -it <primary_pod_name> -n <namespace> -- mkdir -p /usr/openv/var/global/wsl/credentials/tpcredentials

    $ kubectl cp <path_to_ca.pem> <primary_pod_name>:/usr/openv/var/global/wsl/credentials/tpcredentials/ca.pem -n <namespace>

    $ kubectl cp <path_to_cert.pem> <primary_pod_name>:/usr/openv/var/global/wsl/credentials/tpcredentials/cert.pem -n <namespace>

    $ kubectl cp <path_to_privatekey.pem> <primary_pod_name>:/usr/openv/var/global/wsl/credentials/tpcredentials/privatekey.pem -n <namespace>

    $ kubectl cp <path_to_passphrase.txt> <primary_pod_name>:/usr/openv/var/global/wsl/credentials/tpcredentials/passphrase.txt -n <namespace>

  3. Restart the nbwsapp pod.

    Use the following commands to list all the pods from the namespace, then select the nbwsapp pod and delete it.

    $ kubectl get pods -n <namespace>

    $ kubectl delete pod <nbwsapp_pod_name> -n <namespace>

  4. Use the following command to ensure that the nbwsapp pod is up and running:

    $ kubectl get pods -n <namespace> | grep nbwsapp

    <nbwsapp_pod_name>                        4/4     Running   0          9m44s
  5. Execute the following commands to create the keystore:

    $ kubectl exec -it <nbwsapp_pod_name> -n <namespace> -- bash

    $ cp /usr/openv/var/global/wsl/credentials/tpcredentials/passphrase.txt /usr/openv/var/global/wsl/credentials/tpcredentials/jkskey

    $ /usr/openv/netbackup/bin/goodies/vxsslcmd pkcs12 -export -inkey /usr/openv/var/global/wsl/credentials/tpcredentials/privatekey.pem -in /usr/openv/var/global/wsl/credentials/tpcredentials/cert.pem -out /tmp/cert.p12 -passin file:/usr/openv/var/global/wsl/credentials/tpcredentials/passphrase.txt -passout file:/usr/openv/var/global/wsl/credentials/tpcredentials/jkskey -name eca

    Note:

    Ignore the following error message if displayed by the last command above:

    unable to write 'random state'

    $ ls -l /tmp/cert.p12

    -rw-r--r-- 1 nbwebsvc nbwebgrp   4420 Sep 20 19:44 cert.p12

    $ export KEYSTORE_PASS=$(cat /usr/openv/var/global/wsl/credentials/tpcredentials/jkskey)

    $ /usr/lib/jvm/jre/bin/keytool -storetype BCFKS -providerpath /usr/openv/wmc/webserver/lib/ccj.jar -providerclass com.safelogic.cryptocomply.jcajce.provider.CryptoComplyFipsProvider -importkeystore -srckeystore /tmp/cert.p12 -srcstoretype pkcs12 -srcstorepass ${KEYSTORE_PASS} -destkeystore /tmp/nbwebservice.bcfks -deststorepass ${KEYSTORE_PASS}

    Importing keystore /tmp/cert.p12 to /tmp/nbwebservice.bcfks...
Entry for alias eca successfully imported.
Import command completed:  1 entries successfully imported, 0 entries failed or cancelled

    $ mv /tmp/nbwebservice.bcfks /usr/openv/var/global/wsl/credentials/tpcredentials/

  6. The new certificate will be automatically applied within 30 minutes, or you can restart the requestrouter pod to apply it immediately by using the following commands:

    $ kubectl get pods -n <namespace>

    $ kubectl delete pod <requestrouter_pod_name> -n <namespace>

Renewal or replacement of external certificate

Use the following steps to replace the existing external certificate with a new external certificate:

  1. Log in to the host where the Kubernetes cluster is managed and has the kubectl command.

  2. Execute the following commands to copy the new artifacts into the primary pod:

    $ kubectl exec -it <primary_pod_name> -n <namespace> -- mkdir -p /usr/openv/var/global/wsl/credentials/tpcredentials

    $ kubectl cp <path_to_ca.pem> <primary_pod_name>:/usr/openv/var/global/wsl/credentials/tpcredentials/ca.pem -n <namespace>

    $ kubectl cp <path_to_cert.pem> <primary_pod_name>:/usr/openv/var/global/wsl/credentials/tpcredentials/cert.pem -n <namespace>

    $ kubectl cp <path_to_privatekey.pem> <primary_pod_name>:/usr/openv/var/global/wsl/credentials/tpcredentials/privatekey.pem -n <namespace>

    $ kubectl cp <path_to_passphrase.txt> <primary_pod_name>:/usr/openv/var/global/wsl/credentials/tpcredentials/passphrase.txt -n <namespace>

    $ kubectl exec -it <primary_pod_name> -n <namespace> -- mkdir -p /usr/openv/var/global/wsl/credentials/tpcredentials/backup

    $ kubectl exec -it <primary_pod_name> -n <namespace> -- mv /usr/openv/var/global/wsl/credentials/tpcredentials/nbwebservice.bcfks /usr/openv/var/global/wsl/credentials/tpcredentials/backup/

  3. Restart the nbwsapp pod.

    List all the pods from the namespace, select the nbwsapp pod and delete it.

    $ kubectl get pods -n <namespace>

    $ kubectl delete pod <nbwsapp_pod_name> -n <namespace>

  4. Ensure that nbwsapp pod is up and running:

    $ kubectl get pods -n <namespace> | grep nbwsapp

    <nbwsapp_pod_name>                        4/4     Running   0          9m44s

  5. Execute the following commands to create the keystore:

    $ kubectl exec -it <nbwsapp_pod_name> -n <namespace> -- bash

    $ chmod 2750 /usr/openv/var/global/wsl/credentials/tpcredentials/backup/

    $ /usr/openv/netbackup/bin/goodies/vxsslcmd pkcs12 -export -inkey /usr/openv/var/global/wsl/credentials/tpcredentials/privatekey.pem -in /usr/openv/var/global/wsl/credentials/tpcredentials/cert.pem -out /tmp/cert.p12 -passin file:/usr/openv/var/global/wsl/credentials/tpcredentials/passphrase.txt -passout file:/usr/openv/var/global/wsl/credentials/tpcredentials/jkskey -name eca

    Note:

    Ignore the following message from last command if it is seen:

    unable to write 'random state'

    $ ls -l /tmp/cert.p12

    -rw-r--r-- 1 nbwebsvc nbwebgrp   4420 Sep 20 19:44 cert.p12

    $ export KEYSTORE_PASS=$(cat /usr/openv/var/global/wsl/credentials/tpcredentials/jkskey)

    $ /usr/lib/jvm/jre/bin/keytool -storetype BCFKS -providerpath /usr/openv/wmc/webserver/lib/ccj.jar -providerclass com.safelogic.cryptocomply.jcajce.provider.CryptoComplyFipsProvider -importkeystore -srckeystore /tmp/cert.p12 -srcstoretype pkcs12 -srcstorepass ${KEYSTORE_PASS} -destkeystore /tmp/nbwebservice.bcfks -deststorepass ${KEYSTORE_PASS}

    Importing keystore /tmp/cert.p12 to /tmp/nbwebservice.bcfks...
Entry for alias eca successfully imported.
Import command completed:  1 entries successfully imported, 0 entries failed or cancelled

    $ mv /tmp/nbwebservice.bcfks /usr/openv/var/global/wsl/credentials/tpcredentials/

  6. The new certificate will be automatically applied within 30 minutes, or you can restart the requestrouter pod to apply it immediately.

    $ kubectl get pods -n <namespace>

    $ kubectl delete pod <requestrouter_pod_name> -n <namespace>

Removing the external certificate

Perform the following steps to remove the external certificate for the Web UI (port 443) and replace it with the NetBackup Certificate Authority issued certificate:

  1. Log in to the host where the Kubernetes cluster is managed and has the kubectl command.

  2. Execute the following commands to remove the ECAs:

    $ kubectl exec -it <primary_pod_name> -n <namespace> -- rm -f /usr/openv/var/global/wsl/credentials/tpcredentials/ca.pem

    $ kubectl exec -it <primary_pod_name> -n <namespace> -- rm -f /usr/openv/var/global/wsl/credentials/tpcredentials/cert.pem

    $ kubectl exec -it <primary_pod_name> -n <namespace> -- rm -f /usr/openv/var/global/wsl/credentials/tpcredentials/privatekey.pem

    $ kubectl exec -it <primary_pod_name> -n <namespace> -- rm -f /usr/openv/var/global/wsl/credentials/tpcredentials/passphrase.txt

    $ kubectl exec -it <primary_pod_name> -n <namespace> -- rm -f /usr/openv/var/global/wsl/credentials/tpcredentials/nbwebservice.bcfks

    $ kubectl exec -it <primary_pod_name> -n <namespace> -- rm -f /usr/openv/var/global/wsl/credentials/tpcredentials/jkskey

    $ kubectl exec -it <primary_pod_name> -n <namespace> -- rm -rf /usr/openv/var/global/wsl/credentials/tpcredentials

  3. Restart the requestrouter pod.

    List all of the pods from the namespace, select the requestrouter pod and delete it.

    $ kubectl get pods -n <namespace>

    $ kubectl delete pod <requestrouter_pod_name> -n <namespace>

Note:

No certificate configuration is required after completing a disaster recovery of the Cloud Scale environment, as the process automatically restores external certificates.