×

The release notes for Migration Toolkit for Containers (MTC) describe new features and enhancements, deprecated features, and known issues.

The MTC enables you to migrate application workloads between OKD clusters at the granularity of a namespace.

You can migrate from OKD 3 to 4.12 and between OKD 4 clusters.

MTC provides a web console and an API, based on Kubernetes custom resources, to help you control the migration and minimize application downtime.

For information on the support policy for MTC, see OpenShift Application and Cluster Migration Solutions, part of the Red Hat OKD Life Cycle Policy.

Migration Toolkit for Containers 1.8.3 release notes

Technical changes

Migration Toolkit for Containers (MTC) 1.8.3 has the following technical changes:

OADP 1.3 is now supported

MTC 1.8.3 adds support to OpenShift API for Data Protection (OADP) as a dependency of MTC 1.8.z.

Resolved issues

This release has the following major resolved issues:

CVE-2024-24786: Flaw in Golang protobuf module causes unmarshal function to enter infinite loop

In previous releases of MTC, a vulnerability was found in Golang’s protobuf module, where the unmarshal function entered an infinite loop while processing certain invalid inputs. Consequently, an attacker provided carefully constructed invalid inputs, which caused the function to enter an infinite loop.

With this update, the unmarshal function works as expected.

For more information, see CVE-2024-24786.

CVE-2023-45857: Axios Cross-Site Request Forgery Vulnerability

In previous releases of MTC, a vulnerability was discovered in Axios 1.5.1 that inadvertently revealed a confidential XSRF-TOKEN stored in cookies by including it in the HTTP header X-XSRF-TOKEN for every request made to the host, allowing attackers to view sensitive information.

For more information, see CVE-2023-45857.

Restic backup does not work properly when the source workload is not quiesced

In previous releases of MTC, some files did not migrate when deploying an application with a route. The Restic backup did not function as expected when the quiesce option was unchecked for the source workload.

This issue has been resolved in MTC 1.8.3.

For more information, see BZ#2242064.

The Migration Controller fails to install due to an unsupported value error in Velero

The MigrationController failed to install due to an unsupported value error in Velero. Updating OADP 1.3.0 to OADP 1.3.1 resolves this problem. For more information, see BZ#2267018.

This issue has been resolved in MTC 1.8.3.

For a complete list of all resolved issues, see the list of MTC 1.8.3 resolved issues in Jira.

Known issues

MTC has the following known issues:

The associated SCC for service account cannot be migrated in OpenShift Container Platform 4.12

The associated Security Context Constraints (SCCs) for service accounts in OpenShift Container Platform version 4.12 cannot be migrated. This issue is planned to be resolved in a future release of MTC. (MIG-1454).

For a complete list of all known issues, see the list of MTC 1.8.3 known issues in Jira.

Migration Toolkit for Containers 1.8.2 release notes

Resolved issues

This release has the following major resolved issues:

Backup phase fails after setting custom CA replication repository

In previous releases of Migration Toolkit for Containers (MTC), after editing the replication repository, adding a custom CA certificate, successfully connecting the repository, and triggering a migration, a failure occurred during the backup phase.

CVE-2023-26136: tough-cookie package before 4.1.3 are vulnerable to Prototype Pollution

In previous releases of (MTC), versions before 4.1.3 of the tough-cookie package used in MTC were vulnerable to prototype pollution. This vulnerability occurred because CookieJar did not handle cookies properly when the value of the rejectPublicSuffixes was set to false.

For more details, see (CVE-2023-26136)

CVE-2022-25883 openshift-migration-ui-container: nodejs-semver: Regular expression denial of service

In previous releases of (MTC), versions of the semver package before 7.5.2, used in MTC, were vulnerable to Regular Expression Denial of Service (ReDoS) from the function newRange, when untrusted user data was provided as a range.

For more details, see (CVE-2022-25883)

Known issues

There are no major known issues in this release.

Migration Toolkit for Containers 1.8.1 release notes

Resolved issues

This release has the following major resolved issues:

CVE-2023-39325: golang: net/http, x/net/http2: rapid stream resets can cause excessive work

A flaw was found in handling multiplexed streams in the HTTP/2 protocol, which is used by Migration Toolkit for Containers (MTC). A client could repeatedly make a request for a new multiplex stream and immediately send an RST_STREAM frame to cancel it. This creates additional workload for the server in terms of setting up and dismantling streams, while avoiding any server-side limitations on the maximum number of active streams per connection, resulting in a denial of service due to server resource consumption. (BZ#2245079)

It is advised to update to MTC 1.8.1 or later, which resolve this issue.

For more details, see (CVE-2023-39325) and (CVE-2023-44487)

Known issues

There are no major known issues in this release.

Migration Toolkit for Containers 1.8.0 release notes

Resolved issues

This release has the following resolved issues:

Indirect migration is stuck on backup stage

In previous releases, an indirect migration became stuck at the backup stage, due to InvalidImageName error. (BZ#2233097)

PodVolumeRestore remain In Progress keeping the migration stuck at Stage Restore

In previous releases, on performing an indirect migration, the migration became stuck at the Stage Restore step, waiting for the podvolumerestore to be completed. (BZ#2233868)

Migrated application unable to pull image from internal registry on target cluster

In previous releases, on migrating an application to the target cluster, the migrated application failed to pull the image from the internal image registry resulting in an application failure. (BZ#2233103)

Migration failing on Azure due to authorization issue

In previous releases, on an Azure cluster, when backing up to Azure storage, the migration failed at the Backup stage. (BZ#2238974)

Known issues

This release has the following known issues:

Old Restic pods are not getting removed on upgrading MTC 1.7.x → 1.8.x

In this release, on upgrading the MTC Operator from 1.7.x to 1.8.x, the old Restic pods are not being removed. Therefore after the upgrade, both Restic and node-agent pods are visible in the namespace. (BZ#2236829)

Migrated builder pod fails to push to image registry

In this release, on migrating an application including a BuildConfig from a source to target cluster, builder pod results in error, failing to push the image to the image registry. (BZ#2234781)

[UI] CA bundle file field is not properly cleared

In this release, after enabling Require SSL verification and adding content to the CA bundle file for an MCG NooBaa bucket in MigStorage, the connection fails as expected. However, when reverting these changes by removing the CA bundle content and clearing Require SSL verification, the connection still fails. The issue is only resolved by deleting and re-adding the repository. (BZ#2240052)

Backup phase fails after setting custom CA replication repository

In (MTC), after editing the replication repository, adding a custom CA certificate, successfully connecting the repository, and triggering a migration, a failure occurs during the backup phase.

This issue is resolved in MTC 1.8.2.

CVE-2023-26136: tough-cookie package before 4.1.3 are vulnerable to Prototype Pollution

Versions before 4.1.3 of the tough-cookie package, used in MTC, are vulnerable to prototype pollution. This vulnerability occurs because CookieJar does not handle cookies properly when the value of the rejectPublicSuffixes is set to false.

This issue is resolved in MTC 1.8.2.

For more details, see (CVE-2023-26136)

CVE-2022-25883 openshift-migration-ui-container: nodejs-semver: Regular expression denial of service

In previous releases of (MTC), versions of the semver package before 7.5.2, used in MTC, are vulnerable to Regular Expression Denial of Service (ReDoS) from the function newRange, when untrusted user data is provided as a range.

This issue is resolved in MTC 1.8.2.

For more details, see (CVE-2022-25883)

Technical changes

This release has the following technical changes:

  • Migration from OKD 3 to OKD 4 requires a legacy Migration Toolkit for Containers (MTC) Operator and MTC 1.7.x.

  • Migration from MTC 1.7.x to MTC 1.8.x is not supported.

  • You must use MTC 1.7.x to migrate anything with a source of OKD 4.9 or earlier.

    • MTC 1.7.x must be used on both source and destination.

  • MTC 1.8.x only supports migrations from OKD 4.10 or later to OKD 4.10 or later. For migrations only involving cluster versions 4.10 and later, either 1.7.x or 1.8.x might be used. However, but it must be the same MTC 1.Y.z on both source and destination.

    • Migration from source MTC 1.7.x to destination MTC 1.8.x is unsupported.

    • Migration from source MTC 1.8.x to destination MTC 1.7.x is unsupported.

    • Migration from source MTC 1.7.x to destination MTC 1.7.x is supported.

    • Migration from source MTC 1.8.x to destination MTC 1.8.x is supported.

  • MTC 1.8.x by default installs OADP 1.2.x.

  • Upgrading from MTC 1.7.x to MTC 1.8.0, requires manually changing the OADP channel to 1.2. If this is not done, the upgrade of the Operator fails.