CSI Backup
Portworx Backup deprecated support for cloud-native drivers in version 2.7.0 and later to streamline the backup creation process involving multiple drivers. Portworx Backup internally uses either the CSI driver, the KDMP driver, or both to create backups and offers users more flexibility in the backup creation process.
Using Portworx Backup, you can offload CSI snapshots to any object store (S3 and others) or NFS-based backup locations. CSI snapshots are crash-consistent by default. To achieve application-consistent snapshots, configure pre-exec and post-exec rules to pause the application before the backup and resume normal operations afterward. This helps to:
- Back up any container-native persistent storage
- Keep copies of your backup data in multiple storage locations
- Recover data from an off-site copy in the event of a storage failure
- Maintain compliance for backup recovery teams
Create a CSI backup
To create a CSI backup (with or without the local snapshot being offloaded to the backup location) of your namespace with local snapshot, perform the following steps:
-
Log in to the Portworx Backup web console.
-
From the home page, click the Clusters icon in the left navigation pane.
- Choose the application cluster that contains the namespace to be backed up:
- Navigate to Applications tab.
-
Select the namespace(s) you want to back up. You can create a namespace or VM backup on this page.
-
For a namespace backup, you will see the following options:
-
Search by namespace name: this search field allows you to filter the namespaces by their names
-
All resources: this drop-down allows you to select the required resources or all the resources along with a search option to traverse the list with the resource name. After selection of resources, you can select individual resources of a resource group by navigating to Vertical ellipsis > Select Resources (gets enabled after you select one or more resources) under Resources column provided at the end of each namespace in the Portworx Backup web console.
notePortworx Backup web console displays selected resource count under RESOURCES column.
-
Add namespace label: allows you to add labels for the namespaces to search them with the applied labels at a later point in time. For more information, see Backup using namespace labels.
-
Add resource label: allows you to add labels for the resources to search them with the applied labels at a later point in time. For more information, see Backup using resource labels.
-
NAME: allows you to back up all namespaces in the current page you are in
notePortworx Backup allows you to select multiple namespaces of a cluster from different pages and then back up the chosen namespaces in a single click.
-
-
For a VM backup, you will see the following options:
-
Search by VM name: allows you to search the VM by its name
-
Filter by namespace: allows you to filter the VM by the namespace where the VM resides. In addition, it also provides Select All option to select all the namespaces where the VMs that you want to back up reside
-
Add namespace label: takes the search string you provide in this field, displays the VMs with the specified namespace labels, and includes them in the backup. In addition, future VMs created with these namespace labels are included if a backup schedule is associated while creating a backup. For more information, see Backup using namespace labels.
-
-
-
Click Backup. (This example assumes you are creating a namespace backup.)
-
In the Create Backup window, specify the following:
-
Enter name for Backup: provide a relevant name for your backup
-
Backup location: choose the backup location (object store or NFS) from the drop-down where you want to store your backups.
noteBackup location drop-down displays only the successfully validated object store or NFS backup locations.
-
Cross Cloud Backup/Restore: this option is disabled by default. Ensure it remains disabled if you want to map your VSC with your storage provisioner.
-
Snapshot Class Mapping: facilitates mapping of storage provisioner for Portworx and non-Portworx environments
If there are multiple snapshot classes in the cluster for the same provisioner, the drop-down lists all the available volume snapshot classes.
noteIf you do not map CSI provisioner(s) with a volume snapshot class, Portworx Backup automatically detects the default VSC, creates a backup, and offloads the CSI snapshots to the backup location.
Portworx Backup creates a backup using different drivers based on the options you provided for the CSI backup. For more information on the type of backup triggered for different combinations of CSI Provisioner and Volume snapshot class, see Backup type matrix.
-
CSI Provisioner: Portworx or CSI-based (for non-Portworx environment) or provisioners associated with the applications are listed here. Provisioners can be:
-
Portworx: creates a Portworx cloud snapshot regardless of whether the Offload CSI snapshots to backup location option is selected
-
Non-Portworx (CSI-based): creates a CSI snapshot if Offload CSI snapshots to backup location is not selected
-
Non-Portworx (CSI-based): creates a CSI snapshot and KDMP backup if Offload CSI snapshots to backup location is selected
noteWhen you select a namespace to back up, Portworx Backup auto-detects all the provisioners associated with the applications installed on that namespace and lists them here.
-
-
Volume snapshot class: lists all the volume snapshot class (VSC) resources. The default VSC is selected if no value is specified, and there is only one default VSC per provisioner. If there are multiple snapshot classes in the cluster for the same provisioner, the drop-down lists all available volume snapshot classes.
This field can have the following values:
-
Disabled: for Portworx provisioner
For non-Portworx provisioner:
-
No VSC available (disabled): if no VSC is available
-
Default VSC (auto-populated): if default VSC is available
-
Non-default single VSC (auto-populated): if only one VSC is available
-
Non-default multiple VSCs: if multiple VSCs are available
For more information, see Backup type matrix.
In a VMware vSphere environment (OCP or non-OCP) with CSI driver, you can take only three snapshots for vSphere volumes by default. To take a snapshot of the fourth volume, you must delete one of the existing three snapshots. To override this default behavior, update the
global-max-snapshots-per-block-volumeconfiguration parameter. See the following topics to update the parameter:-
For OCP clusters, see Changing the maximum number of snapshots for vSphere.
-
For non-OCP clusters, see Configure Maximum Number of Snapshots per Volume.
notePortworx Backup supports only one-to-one mapping of CSI provisioner with volume snapshot class.
-
-
Offload CSI snapshots to backup location: this option is enabled by default to secure your backups.
- Selected: offloads the CSI snapshot to the backup location, uses both CSI driver and KDMP driver in this case
- Deselected: does not offload the snapshots to your backup location, only uses CSI driver and not KDMP driver
For more information on types of backup supported by Portworx Backup, see Backup types by driver.
-
-
Backup type: allows you to choose the type of backup required (manual or scheduled backup)
-
On a schedule: can create a manual or scheduled backup
-
Disabled: creates a manual backup immediately after you click Create
-
Enabled: displays Choose a Schedule Policy option
-
For more information, see Scheduled backup.
-
-
Choose a Schedule Policy: associate a schedule policy with your backup to automate the process of backup creation. Portworx Backup supports hourly, weekly, and monthly scheduled backup runs or allows you to create the backup at the specified time.
-
Pre-exec rule: select a rule from the drop-down to execute before the backup is created
-
Post-exec rule: select a post rule you want to execute after the backup is created
-
Backup Labels: any labels that you want to add to the backup you are going to create for quick search when required
-
NAMESPACES LIST: Lists all the namespaces selected for backup creation
-
-
Click Create.
Portworx Backup creates a CSI backup with snapshot class mapping options you have provided for the backup.
Object store (S3 and others) and NFS-based backup targets support generic, manual, and scheduled backups.
If CSI snapshot backups of PVCs fail with snapshot timeout error (snapshot timeout out after 5m0s), then navigate to the kdmp-config configmap and modify the default value of SNAPSHOT_TIMEOUT key to the required value based on your configuration as shown below:SNAPSHOT_TIMEOUT: "<desired-timeout-value>"
For example, update the key to SNAPSHOT_TIMEOUT: "30m" to set the timeout value to 30 minutes. For more information, see the Configure kdmp-config ConfigMap parameters.
Configure a 3-2-1 backup strategy
To configure a 3-2-1 backup strategy, create a backup with the CSI-based provisioner with the following settings while creating a CSI Backup:
- Cross Cloud Backup/Restore: disable this toggle
- Snapshot Class Mapping: map your provisioner to a Volume Snapshot Class (VSC). This mapping is required when your storage provider supports CSI snapshots and you want Portworx Backup to use a specific VSC instead of the default.
If no VSC is available for your provisioner, skip this mapping. In that case, Portworx Backup performs a direct KDMP backup. - Offload CSI snapshots to backup location: enable this option
This configuration:
- Creates a local snapshot (Copy 2)
- Offloads the snapshot to the backup location (Copy 3)
- Keeps the original data on PVs (Copy 1)
Failure behavior
The 3-2-1 strategy involves two sequential operations: a CSI snapshot (Copy 2) followed by a KDMP offload to the backup location (Copy 3). Each operation can fail independently:
| Failure scenario | Outcome | What to do |
|---|---|---|
| CSI snapshot fails | The backup is marked as failed. No offload is attempted. Copy 1 (original data) is unaffected. | Retry the backup. Check CSI driver logs and ensure the VSC is correctly mapped. |
| CSI snapshot succeeds, KDMP offload fails | The local snapshot (Copy 2) exists but is not persisted to the backup location. The backup is marked as failed. The local snapshot may be cleaned up depending on the storage provider. | Retry the backup. The offload is re-attempted from the beginning; no partial-success resume is supported. |
| Partial offload (network interruption) | The backup is marked as failed. Data in the backup location may be incomplete and is not usable for restore. | Retry the backup to produce a complete, valid copy at the backup location. |
Portworx Backup does not support partial-success semantics. A backup is considered successful only when both the local snapshot and the offload to the backup location complete successfully. There is no automatic rollback of the local snapshot if the offload fails.
If a partial offload occurs (for example, due to a network interruption), any partial objects written to the backup location are not automatically cleaned up. These orphaned objects remain in the backup location until the next successful backup overwrites or replaces them, or until you manually remove them from the backup location.
Extending the 3-2-1 backup strategy with multiple backup locations
You can enhance the 3-2-1 strategy by using multiple backup locations (for example, different regions or providers):
- Configure two backup locations pointing to different regions or providers. For more information, see Configure backup locations.
- Create two scheduled backups targeting the same workloads (same namespaces or applications) — one for each location. Each scheduled backup must use the same 3-2-1 settings:
- Cross Cloud Backup/Restore: Disabled
- Snapshot Class Mapping: Configured (if your provisioner supports CSI snapshots)
- Offload CSI snapshots to backup location: Enabled.
For more information, see Create a scheduled backup.
This results in:
- Original data (Copy 1)
- Local snapshot (Copy 2, required)
- Multiple offloaded backup copies in different locations (Copy 3+)
This setup exceeds the 3-2-1 baseline and improves resilience through geographic redundancy.