error="read |0: file already closed"The release notes for Migration Toolkit for Containers (MTC) describe new features and enhancements, deprecated features, and known issues.
The MTC enables you to migrate application workloads between OKD clusters at the granularity of a namespace.
MTC provides a web console and an API, based on Kubernetes custom resources, to help you control the migration and minimize application downtime.
For information on the support policy for MTC, see OpenShift Application and Cluster Migration Solutions, part of the Red Hat OKD Life Cycle Policy.
Migration Toolkit for Containers (MTC) 1.8.10 has the following major resolved issues:
migmigration failed to clean up stale virt-handler pods for stopped VMsWith this release, migmigration object no longer fails to clean up stale virt-handler pods for stopped virtual machines (VMs) in an Azure Red Hat OpenShift (ARO) cluster with MTC Operator and Red Hat OpenShift Data Foundation (ODF) storage cluster-CEPH RBD virtualization. This resolution addresses an issue where migration failure occurred due to an attempt to clean up non-existent virt-handler pods during live migration when the VM was stopped and no VMI existed. As a result, stopped VMs no longer prevent successful migration. (MIG-1762)
Migration Toolkit for Containers (MTC) 1.8.9 has the following major resolved issues:
Before this update, deleting the MigPlan triggered unnecessary virtual machine (VM) migrations. This caused the VMs to resume, leading to migration failures. This release introduces a fix that prevents VMs from migrating when the MigPlan is actively removed. As a result, VMs no longer unintentionally migrate when MigPlans are deleted, ensuring a stable environment for users. (MIG-1749)
Before this update, the virt-launcher pod stalled after migrating a VM due to pod anti-affinity conflicts with bound volumes. This resulted in a failed VM migration, causing the virt-launcher pod to get stuck. This release resolves the pod anti-affinity issue, allowing for scheduling on different nodes. As a result, you can now migrate VMs from hostpath-csi-basic to hostpath-csi-pvc-block without pods getting stuck in a pending state, thereby improving the overall migration process efficiency. (MIG-1750)
Before this update, the missing Min spec in a LimitRange within the openshift-migration namespace caused a panic in the migration-controller pod, disrupting the user experience and preventing successful volume migration. With this release, the migration-controller pod no longer crashes when encountering a LimitRange set to Nil. As a result, rsync pods now comply with the specified limits, improving the migration process stability and eliminating crashloopbacks in source namespaces.
Migration Toolkit for Containers (MTC) 1.8.8 has the following major resolved issues:
There was an error in detecting the status of storage live migration. This update resolves the issue. (MIG-1746)
Migration Toolkit for Containers (MTC) 1.8.7 has the following major resolved issues:
Prepare phase on OKD 4.19 due to incompatible OADP version and outdated DPA specificationWhen running migrations use MTC 1.8.7 on OKD 4.19, the process halts in the Prepare phase and the migration plan enters in the Suspended phase.
The root cause is the deployment of an incompatible OADP version, earlier than 1.5.0, whose DataProtectionApplication (DPA) specification format is incompatible with OKD. (MIG-1735)
file already closed error when using the new AWS plugin in MTCDuring stage or full migrations, the backup process intermittently fails for MTC with OADP on OKD clusters configured with the new Amazon Web Services (AWS) plugin. You can see the following error in Velero logs:
error="read |0: file already closed"As a workaround, use the legacy AWS plugin by performing following actions:
Set velero_use_legacy_aws: true in the MigrationController custom resource (CR).
Restart the MTC Operator to apply changes.
Validate the AWS credentials for the cloud-credentials secret.
MTC version 1.8.6 and later do not support multiple migration plans for a single namespace.
VM storage migration feature changes from Technology Preview (TP) status to being Generally Available (GA).
MTC 1.8.6 has the following major resolved issues:
When searching for a namespace in the Select Namespace step of the migration plan wizard, the user interface (UI) fails and disappears after clicking Search. The browser console shows a JavaScript error indicating that an undefined value has been accessed. This issue has been resolved in MTC 1.8.6. (MIG-1704)
In MTC, when creating a migration plan, the UI remains on Persistent Volumes and you cannot continue. This issue occurs due to a critical reconciliation failure and returns a 404 API error when you attempt to fetch the migration plan from the backend. These issues cause the migration plan to remain in a Not Ready state, and you are prevented from continuing. This issue has been resolved in MTC 1.8.6. (MIG-1705)
StageBackup phaseWhen migrating a Django and PostgreSQL application, the migration becomes fails to complete after the StageBackup phase. Even though all the pods in the source namespace are healthy before the migration begins, after the migration and when terminating the pods on the source cluster, the Django pod fails with a CrashLoopBackOff error. This issue has been resolved in MTC 1.8.6. (MIG-1707)
After running a migration using MTC, the UI incorrectly indicates that the migration was successful, with the status shown as Migration succeeded. However, the Direct Volume Migration (DVM) phase failed. This misleading status appears on both the Migration and the Migration Details pages. This issue has been resolved in MTC 1.8.6. (MIG-1711)
When a migration plan includes a namespace that does not have any persistent volume claims (PVCs), the Persistent Volumes selection page remains indefinitely with the following message shown: Discovering persistent volumes attached to source projects…. The page never completes loading, preventing you from proceeding with the migration. This issue has been resolved in MTC 1.8.6. (MIG-1713)
MTC 1.8.6 has the following known issues:
There is a discrepancy in the reporting of namespace migration status following a rollback and subsequent re-migration attempt when the migration plan is deliberately faulted. Although the Distributed Volume Migration (DVM) phase correctly registers a failure, this failure is not consistently reflected in the user interface (UI) or the migration plan’s YAML representation.
This issue is not only limited to unusual or unexpected cases. In certain circumstances, such as when network restrictions are applied that cause the DVM phase to fail, the UI still reports the migration status as successful. This behavior is similar to what was previously observed in MIG-1711 but occurs under different conditions. (MIG-1719)
Migration Toolkit for Containers (MTC) 1.8.5 has the following technical changes:
FIPS is a set of computer security standards developed by the United States federal government in accordance with the Federal Information Security Management Act (FISMA).
Starting with version 1.8.5, MTC is designed for FIPS compliance.
For more information, see the list of MTC 1.8.5 resolved issues in Jira.
MTC 1.8.5 has the following known issues:
The associated Security Context Constraints (SCCs) for service accounts in OpenShift Container Platform 4.12 cannot be migrated. This issue is planned to be resolved in a future release of MTC. (MIG-1454)
statefulset.spec.volumeClaimTemplates[].spec.storageClassName on storage class conversionWhile running a Storage Class conversion for a StatefulSet application, MTC updates the persistent volume claims (PVC) references in .spec.volumeClaimTemplates[].metadata.name to use the migrated PVC names. MTC does not update spec.volumeClaimTemplates[].spec.storageClassName, which causes the application to scale up. Additionally, new replicas consume PVCs created under the old Storage Class instead of the migrated Storage Class. (MIG-1660)
When running a StorageClass conversion on more than one application, MTC scales down all the applications in the cutover phase, including those not involved in the migration. (MIG-1661)
MigPlan cannot be edited to have the same target namespace as the source cluster after it is changedAfter changing the target namespace to something different from the source namespace while creating a MigPlan in the MTC UI, you cannot edit the MigPlan again to make the target namespace the same as the source namespace. (MIG-1600)
When migrating an application that includes BuildConfig from the source to the target cluster, the builder pod encounters an error, failing to push the image to the image registry.
(BZ#2234781)
When creating a new state migration plan that results in a conflict error, the error is cleared shortly after it is displayed. (BZ#2144299)
PvCapacityAdjustmentRequired warning not displayed after setting pv_resizing_thresholdThe PvCapacityAdjustmentRequired warning does not appear in the migration plan after the pv_resizing_threshold is adjusted. (BZ#2270160)
For a complete list of all known issues, see the list of MTC 1.8.5 known issues in Jira.
Migration Toolkit for Containers (MTC) 1.8.4 has the following technical changes:
MTC 1.8.4 extends its dependency resolution to include support for using OpenShift API for Data Protection (OADP) 1.4.
MTC 1.8.4 adds support for KubeVirt Virtual Machines (VMs) with Direct Volume Migration (DVM).
MTC 1.8.4 has the following major resolved issues:
There is a bug in the python3-openshift package that installing OpenShift Virtualization exposes, with an exception, ValueError: too many values to unpack, returned during the task. Earlier versions of MTC are impacted, while MTC 1.8.4 has implemented a workaround. Updating to MTC 1.8.4 means you are no longer affected by this issue. (OCPBUGS-38116)
When trying to create a migration plan from the MTC UI, the migration plan wizard becomes stuck at the Namespaces step. This issue has been resolved in MTC 1.8.4. (MIG-1597)
During the migration of an application, all the necessary steps, including the backup, DVM, and restore, are successfully completed. However, the migration is marked as unsuccessful with the error message no matches for kind Virtual machine in version kubevirt/v1. (MIG-1594)
On performing a migration from source cluster to target cluster, with the target namespace different from the source namespace, the DVM fails. (MIG-1592)
When using Direct Image Migration (DIM), if a label selector is set on the migration plan, DIM does not respect it and attempts to migrate all imagestreams in the namespace. (MIG-1533)
MTC 1.8.4 has the following known issues:
The associated Security Context Constraints (SCCs) for service accounts in OpenShift Container Platform 4.12 cannot be migrated. This issue is planned to be resolved in a future release of MTC. (MIG-1454).
The DVM phase fails due to the Rsync pod failing to start, because of a permission issue.
When migrating an application including BuildConfig from source to target cluster, the builder pod results in error, failing to push the image to the image registry.
When creating a new state migration plan that results in a conflict error, that error is cleared shorty after it is displayed.
The PvCapacityAdjustmentRequired warning fails to appear in the migration plan after the pv_resizing_threshold is adjusted.
Migration Toolkit for Containers (MTC) 1.8.3 has the following technical changes:
MTC 1.8.3 adds support to OpenShift API for Data Protection (OADP) as a dependency of MTC 1.8.z.
MTC 1.8.3 has the following major resolved issues:
protobuf module causes unmarshal function to enter infinite loopIn previous releases of MTC, a vulnerability was found in Golang’s protobuf module, where the unmarshal function entered an infinite loop while processing certain invalid inputs. Consequently, an attacker provided carefully constructed invalid inputs, which caused the function to enter an infinite loop.
With this update, the unmarshal function works as expected.
For more information, see CVE-2024-24786.
In previous releases of MTC, a vulnerability was discovered in Axios 1.5.1 that inadvertently revealed a confidential XSRF-TOKEN stored in cookies by including it in the HTTP header X-XSRF-TOKEN for every request made to the host, allowing attackers to view sensitive information.
For more information, see CVE-2023-45857.
In previous releases of MTC, some files did not migrate when deploying an application with a route. The Restic backup did not function as expected when the quiesce option was unchecked for the source workload.
This issue has been resolved in MTC 1.8.3.
For more information, see BZ#2242064.
Migration Controller fails to install due to an unsupported value error in VeleroThe MigrationController failed to install due to an unsupported value error in Velero. Updating OADP 1.3.0 to OADP 1.3.1 resolves this problem. For more information, see BZ#2267018.
This issue has been resolved in MTC 1.8.3.
For a complete list of all resolved issues, see the list of MTC 1.8.3 resolved issues in Jira.
Migration Toolkit for Containers (MTC) 1.8.3 has the following known issues:
There is a bug in the python3-openshift package that installing OpenShift Virtualization exposes, with an exception, ValueError: too many values to unpack, returned during the task. MTC 1.8.4 has implemented a workaround. Updating to MTC 1.8.4 means you are no longer affected by this issue. (OCPBUGS-38116)
The associated Security Context Constraints (SCCs) for service accounts in OpenShift Container Platform version 4.12 cannot be migrated. This issue is planned to be resolved in a future release of MTC. (MIG-1454).
For a complete list of all known issues, see the list of MTC 1.8.3 known issues in Jira.
This release has the following major resolved issues:
In previous releases of Migration Toolkit for Containers (MTC), after editing the replication repository, adding a custom CA certificate, successfully connecting the repository, and triggering a migration, a failure occurred during the backup phase.
In previous releases of (MTC), versions before 4.1.3 of the tough-cookie package used in MTC were vulnerable to prototype pollution. This vulnerability occurred because CookieJar did not handle cookies properly when the value of the rejectPublicSuffixes was set to false.
For more details, see (CVE-2023-26136)
In previous releases of (MTC), versions of the semver package before 7.5.2, used in MTC, were vulnerable to Regular Expression Denial of Service (ReDoS) from the function newRange, when untrusted user data was provided as a range.
For more details, see (CVE-2022-25883)
MTC 1.8.2 has the following known issues:
There is a bug in the python3-openshift package that installing OpenShift Virtualization exposes, with an exception, ValueError: too many values to unpack, returned during the task. MTC 1.8.4 has implemented a workaround. Updating to MTC 1.8.4 means you are no longer affected by this issue. (OCPBUGS-38116)
Migration Toolkit for Containers (MTC) 1.8.1 has the following major resolved issues:
A flaw was found in handling multiplexed streams in the HTTP/2 protocol, which is used by MTC. A client could repeatedly make a request for a new multiplex stream and immediately send an RST_STREAM frame to cancel it. This creates additional workload for the server in terms of setting up and dismantling streams, while avoiding any server-side limitations on the maximum number of active streams per connection, resulting in a denial of service due to server resource consumption. (BZ#2245079)
It is advised to update to MTC 1.8.1 or later, which resolve this issue.
For more details, see (CVE-2023-39325) and (CVE-2023-44487)
Migration Toolkit for Containers (MTC) 1.8.1 has the following known issues:
There is a bug in the python3-openshift package that installing OpenShift Virtualization exposes. An exception, ValueError: too many values to unpack, is returned during the task. MTC 1.8.4 has implemented a workaround. Updating to MTC 1.8.4 means you are no longer affected by this issue. (OCPBUGS-38116)
Migration Toolkit for Containers (MTC) 1.8.0 has the following resolved issues:
In previous releases, an indirect migration became stuck at the backup stage, due to InvalidImageName error.
((BZ#2233097))
In previous releases, on performing an indirect migration, the migration became stuck at the Stage Restore step, waiting for the podvolumerestore to be completed. ((BZ#2233868))
In previous releases, on migrating an application to the target cluster, the migrated application failed to pull the image from the internal image registry resulting in an application failure. ((BZ#2233103))
In previous releases, on an Azure cluster, when backing up to Azure storage, the migration failed at the Backup stage. ((BZ#2238974))
MTC 1.8.0 has the following known issues:
There is a bug in the python3-openshift package that installing OpenShift Virtualization exposes, with an exception ValueError: too many values to unpack returned during the task. MTC 1.8.4 has implemented a workaround. Updating to MTC 1.8.4 means you are no longer affected by this issue. (OCPBUGS-38116)
In this release, on upgrading the MTC Operator from 1.7.x to 1.8.x, the old Restic pods are not being removed. Therefore after the upgrade, both Restic and node-agent pods are visible in the namespace. ((BZ#2236829))
In this release, on migrating an application including a BuildConfig from a source to target cluster, builder pod results in error, failing to push the image to the image registry. ((BZ#2234781))
In this release, after enabling Require SSL verification and adding content to the CA bundle file for an MCG NooBaa bucket in MigStorage, the connection fails as expected. However, when reverting these changes by removing the CA bundle content and clearing Require SSL verification, the connection still fails. The issue is only resolved by deleting and re-adding the repository. ((BZ#2240052))
In (MTC), after editing the replication repository, adding a custom CA certificate, successfully connecting the repository, and triggering a migration, a failure occurs during the backup phase.
This issue is resolved in MTC 1.8.2.
Versions before 4.1.3 of the tough-cookie package, used in MTC, are vulnerable to prototype pollution. This vulnerability occurs because CookieJar does not handle cookies properly when the value of the rejectPublicSuffixes is set to false.
This issue is resolved in MTC 1.8.2.
For more details, see (CVE-2023-26136)
In previous releases of (MTC), versions of the semver package before 7.5.2, used in MTC, are vulnerable to Regular Expression Denial of Service (ReDoS) from the function newRange, when untrusted user data is provided as a range.
This issue is resolved in MTC 1.8.2.
For more details, see (CVE-2022-25883)
This release has the following technical changes:
Migration from OKD 3 to OKD 4 requires a legacy Migration Toolkit for Containers Operator and Migration Toolkit for Containers 1.7.x.
Migration from MTC 1.7.x to MTC 1.8.x is not supported.
You must use MTC 1.7.x to migrate anything with a source of OKD 4.9 or earlier.
MTC 1.7.x must be used on both source and destination.
Migration Toolkit for Containers (MTC) 1.8.x only supports migrations from OKD 4.10 or later to OKD 4.10 or later. For migrations only involving cluster versions 4.10 and later, either 1.7.x or 1.8.x might be used. However, but it must be the same MTC 1.Y.z on both source and destination.
Migration from source MTC 1.7.x to destination MTC 1.8.x is unsupported.
Migration from source MTC 1.8.x to destination MTC 1.7.x is unsupported.
Migration from source MTC 1.7.x to destination MTC 1.7.x is supported.
Migration from source MTC 1.8.x to destination MTC 1.8.x is supported.
MTC 1.8.x by default installs OADP 1.2.x.
Upgrading from MTC 1.7.x to MTC 1.8.0, requires manually changing the OADP channel to 1.2. If this is not done, the upgrade of the Operator fails.