- Documentation
- OKD Latest
- Migration
- Migrating from OpenShift Container Platform 3
- Troubleshooting
×
- Welcome
- What's new?
- Architecture
-
Installing
-
Installing on AWS
- Configuring an AWS account
- Installing a cluster quickly on AWS
- Installing a cluster on AWS with customizations
- Installing a cluster on AWS with network customizations
- Installing a cluster on AWS into an existing VPC
- Installing a private cluster on AWS
- Installing a cluster on AWS using CloudFormation templates
- Installing a cluster on AWS in a restricted network
- Uninstalling a cluster on AWS
-
Installing on Azure
- Configuring an Azure account
- Installing a cluster quickly on Azure
- Installing a cluster on Azure with customizations
- Installing a cluster on Azure with network customizations
- Installing a cluster on Azure into an existing VNet
- Installing a private cluster on Azure
- Installing a cluster on Azure using ARM templates
- Uninstalling a cluster on Azure
-
Installing on GCP
- Configuring a GCP project
- Installing a cluster quickly on GCP
- Installing a cluster on GCP with customizations
- Installing a cluster on GCP with network customizations
- Installing a cluster on GCP into an existing VPC
- Installing a private cluster on GCP
- Installing a cluster on GCP using Deployment Manager templates
- Installing a cluster on GCP using Deployment Manager templates and a shared VPC
- Restricted network GCP installation
- Uninstalling a cluster on GCP
- Installing on bare metal
-
Installing on OpenStack
- Installing a cluster on OpenStack with customizations
- Installing a cluster on OpenStack with Kuryr
- Installing a cluster on OpenStack on your own infrastructure
- Installing a cluster on OpenStack with Kuryr on your own infrastructure
- Uninstalling a cluster on OpenStack
- Uninstalling a cluster on OpenStack from your own infrastructure
- Installing on RHV
-
Installing on vSphere
- Installing a cluster on vSphere
- Installing a cluster on vSphere with customizations
- Installing a cluster on vSphere with user-provisioned infrastructure
- Installing a cluster on vSphere with user-provisioned infrastructure and network customizations
- Restricted network vSphere installation with user-provisioned infrastructure
- Uninstalling a cluster on vSphere that uses installer-provisioned infrastructure
- Troubleshooting installation issues
- Installation configuration
-
Installing on AWS
- Updating clusters
- Support
- Web console
-
Security
-
Container security
- Understanding container security
- Understanding host and VM security
- Hardening Fedora CoreOS
- Understanding compliance
- Securing container content
- Using container registries securely
- Securing the build process
- Deploying containers
- Securing the container platform
- Securing networks
- Securing attached storage
- Monitoring cluster events and logs
- Configuring certificates
- Certificate types and descriptions
- Allowing JavaScript-based access to the API server from additional hosts
- Encrypting etcd data
- Scanning pods for vulnerabilities
-
Container security
-
Authentication and authorization
- Understanding authentication
- Configuring the internal OAuth server
- Understanding identity provider configuration
-
Configuring identity providers
- Configuring an HTPasswd identity provider
- Configuring a Keystone identity provider
- Configuring an LDAP identity provider
- Configuring a basic authentication identity provider
- Configuring a request header identity provider
- Configuring a GitHub or GitHub Enterprise identity provider
- Configuring a GitLab identity provider
- Configuring a Google identity provider
- Configuring an OpenID Connect identity provider
- Using RBAC to define and apply permissions
- Removing the kubeadmin user
- Configuring the user agent
- Understanding and creating service accounts
- Using service accounts in applications
- Using a service account as an OAuth client
- Scoping tokens
- Using bound service account tokens
- Managing Security Context Constraints
- Impersonating the system:admin user
- Syncing LDAP groups
-
Networking
- Understanding networking
- Accessing hosts
- Understanding the Cluster Network Operator
- Understanding the DNS Operator
- Understanding the Ingress Operator
- Configuring network policy
- Using SCTP
-
Multiple networks
- Understanding multiple networks
- Attaching a Pod to an additional network
- Removing a Pod from an additional network
- Configuring a bridge network
- Configuring a host-device network
- Configuring an ipvlan network
- Configuring a macvlan network with basic customizations
- Configuring a macvlan network
- Editing an additional network
- Removing an additional network
- Configuring PTP
- Hardware networks
-
OpenShift SDN default CNI network provider
- About the OpenShift SDN default CNI network provider
- Configuring egress IPs for a project
- Configuring an egress firewall for a project
- Editing an egress firewall for a project
- Removing an egress firewall from a project
- Enabling multicast for a project
- Disabling multicast for a project
- Configuring multitenant isolation
- Configuring kube-proxy
- OVN-Kubernetes default CNI network provider
- Configuring Routes
- Configuring ingress cluster traffic
- Configuring the cluster-wide proxy
- Configuring a custom PKI
- Load balancing on OpenStack
-
Storage
- Understanding persistent storage
-
Configuring persistent storage
- Persistent storage using Amazon EFS
- Persistent storage using AWS Elastic Block Store
- Persistent storage using Azure Disk
- Persistent storage using Azure File
- Persistent storage using Cinder
- Persistent storage using Fibre Channel
- Persistent storage using FlexVolume
- Persistent storage using GCE Persistent Disk
- Persistent storage using hostPath
- Persistent Storage using iSCSI
- Persistent storage using local volumes
- Persistent storage using NFS
- Persistent storage using Red Hat OpenShift Container Storage
- Persistent storage using VMware vSphere
- Using Container Storage Interface (CSI)
- Expanding persistent volumes
- Dynamic provisioning
- Registry
-
Operators
- Understanding Operators
- Common terms
- Packaging formats
- Understanding Operator Lifecycle Manager (OLM)
- Understanding OperatorHub
- Adding Operators to a cluster
- Configuring proxy support
- Deleting Operators from a cluster
- Creating applications from installed Operators
- Viewing Operator status
- Creating policy for Operator installations and upgrades
- Managing admission webhooks in OLM
- Managing custom catalogs
- Using OLM on restricted networks
- CRDs
-
Operator SDK
- Getting started with the Operator SDK
- Creating Ansible-based Operators
- Creating Helm-based Operators
- Generating a ClusterServiceVersion (CSV)
- Working with bundle images
- Validating Operators using the scorecard
- Configuring built-in monitoring with Prometheus
- Configuring leader election
- Operator SDK CLI reference
- Migrating to Operator SDK v0.1.0
- Appendices
- Red Hat Operators
-
Builds
- Understanding image builds
- Understanding build configurations
- Creating build inputs
- Managing build output
- Using build strategies
- Custom image builds with Buildah
- Performing basic builds
- Triggering and modifying builds
- Performing advanced builds
- Using Red Hat subscriptions in builds
- Securing builds by strategy
- Build configuration resources
- Troubleshooting builds
- Setting up additional trusted certificate authorities for builds
- Pipelines
- Images
- Applications
- Machine management
-
Nodes
-
Working with pods
- About Pods
- Viewing Pods
- Configuring a cluster for Pods
- Automatically scaling pods with the Horizontal Pod Autoscaler
- Automatically adjust pod resource levels with the Vertical Pod Autoscaler
- Providing sensitive data to Pods
- Using Device Manager to make devices available to nodes
- Including pod priority in Pod scheduling decisions
- Placing pods on specific nodes using node selectors
-
Controlling pod placement onto nodes (scheduling)
- About pod placement using the scheduler
- Configuring the default scheduler to control pod placement
- Placing pods relative to other pods using pod affinity and anti-affinity rules
- Controlling pod placement on nodes using node affinity rules
- Placing pods onto overcommited nodes
- Controlling pod placement using node taints
- Placing pods on specific nodes using node selectors
- Evicting pods using the descheduler
- Using Jobs and DaemonSets
-
Working with nodes
- Viewing and listing the nodes in your cluster
- Working with nodes
- Managing Nodes
- Managing the maximum number of Pods per Node
- Using the Node Tuning Operator
- Understanding node rebooting
- Freeing node resources using garbage collection
- Allocating resources for nodes
- Viewing node audit logs
- Machine Config Daemon metrics
-
Working with containers
- Using containers
- Using Init Containers to perform tasks before a pod is deployed
- Using volumes to persist container data
- Mapping volumes using projected volumes
- Allowing containers to consume API objects
- Copying files to or from a container
- Executing remote commands in a container
- Using port forwarding to access applications in a container
- Using sysctls in containers
- Working with clusters
-
Working with pods
-
Logging
- About cluster logging
- Installing cluster logging
-
Configuring your cluster logging deployment
- About the Cluster Logging Custom Resource
- Configuring the logging collector
- Configuring the log store
- Configuring the log visualizer
- Configuring cluster logging storage
- Configuring CPU and memory limits for cluster logging components
- Using tolerations to control cluster logging pod placement
- Moving the cluster logging resources with node selectors
- Configuring systemd-journald for cluster logging
- Configuring the log curator
- Maintenance and support
- Viewing cluster logs
- Forwarding logs to third party systems
- Updating cluster logging
- Troubleshooting cluster logging
- Exported fields
- Monitoring
-
Scalability and performance
- Recommended installation practices
- Recommended host practices
- Recommended cluster scaling practices
- Using the Node Tuning Operator
- Using Cluster Loader
- Using CPU Manager
- Using Topology Manager
- Scaling the Cluster Monitoring Operator
- Planning your environment according to object maximums
- Optimizing storage
- Optimizing routing
- What huge pages do and how they are consumed by apps
- Using ArgoCD
- Backup and restore
-
Migration
-
Migrating from OpenShift Container Platform 3
- About migrating from OpenShift Container Platform 3 to 4
- Planning your migration from OpenShift Container Platform 3 to 4
- Migration tools and prerequisites
- Deploying the Cluster Application Migration tool
- Configuring a replication repository
- Migrating applications with the CAM web console
- Migrating control plane settings with the Control Plane Migration Assistant
- Troubleshooting
-
Migrating from OpenShift Container Platform 3
-
CLI tools
- OpenShift CLI (oc)
-
Developer CLI (odo)
- Understanding odo
- odo architecture
- Installing odo
- Using odo in a restricted environment
- Creating a single-component application with odo
- Creating a multicomponent application with odo
- Creating an application with a database
- Creating applications by using devfiles
- Using sample applications
- Creating instances of services managed by Operators
- Debugging applications in odo
- Managing environment variables in odo
- Configuring the odo CLI
- odo CLI reference
- odo release notes
- Helm CLI
- Knative CLI (kn) for use with OpenShift Serverless
- Pipelines CLI (tkn)
-
API reference
- Common object reference
-
Authorization APIs
- About Authorization APIs
- LocalResourceAccessReview [authorization.openshift.io/v1]
- LocalSubjectAccessReview [authorization.openshift.io/v1]
- ResourceAccessReview [authorization.openshift.io/v1]
- SelfSubjectRulesReview [authorization.openshift.io/v1]
- SubjectAccessReview [authorization.openshift.io/v1]
- SubjectRulesReview [authorization.openshift.io/v1]
- TokenReview [authentication.k8s.io/v1]
- LocalSubjectAccessReview [authorization.k8s.io/v1]
- SelfSubjectAccessReview [authorization.k8s.io/v1]
- SelfSubjectRulesReview [authorization.k8s.io/v1]
- SubjectAccessReview [authorization.k8s.io/v1]
- Autoscale APIs
-
Config APIs
- About Config APIs
- APIServer [config.openshift.io/v1]
- Authentication [config.openshift.io/v1]
- Build [config.openshift.io/v1]
- ClusterOperator [config.openshift.io/v1]
- ClusterVersion [config.openshift.io/v1]
- Console [config.openshift.io/v1]
- DNS [config.openshift.io/v1]
- FeatureGate [config.openshift.io/v1]
- Image [config.openshift.io/v1]
- Infrastructure [config.openshift.io/v1]
- Ingress [config.openshift.io/v1]
- Network [config.openshift.io/v1]
- OAuth [config.openshift.io/v1]
- OperatorHub [config.openshift.io/v1]
- Project [config.openshift.io/v1]
- Proxy [config.openshift.io/v1]
- Scheduler [config.openshift.io/v1]
- Console APIs
- Extension APIs
-
Image APIs
- About Image APIs
- Image [image.openshift.io/v1]
- ImageSignature [image.openshift.io/v1]
- ImageStreamImage [image.openshift.io/v1]
- ImageStreamImport [image.openshift.io/v1]
- ImageStreamMapping [image.openshift.io/v1]
- ImageStream [image.openshift.io/v1]
- ImageStreamTag [image.openshift.io/v1]
- ImageTag [image.openshift.io/v1]
-
Machine APIs
- About Machine APIs
- ContainerRuntimeConfig [machineconfiguration.openshift.io/v1]
- ControllerConfig [machineconfiguration.openshift.io/v1]
- KubeletConfig [machineconfiguration.openshift.io/v1]
- MachineConfigPool [machineconfiguration.openshift.io/v1]
- MachineConfig [machineconfiguration.openshift.io/v1]
- MachineHealthCheck [machine.openshift.io/v1beta1]
- Machine [machine.openshift.io/v1beta1]
- MachineSet [machine.openshift.io/v1beta1]
- Metadata APIs
- Monitoring APIs
-
Network APIs
- About Network APIs
- ClusterNetwork [network.openshift.io/v1]
- Endpoints [core/v1]
- EndpointSlice [discovery.k8s.io/v1beta1]
- EgressNetworkPolicy [network.openshift.io/v1]
- HostSubnet [network.openshift.io/v1]
- Ingress [networking.k8s.io/v1beta1]
- NetNamespace [network.openshift.io/v1]
- NetworkAttachmentDefinition [k8s.cni.cncf.io/v1]
- NetworkPolicy [networking.k8s.io/v1]
- Route [route.openshift.io/v1]
- Service [core/v1]
- Node APIs
- OAuth APIs
-
Operator APIs
- About Operator APIs
- Authentication [operator.openshift.io/v1]
- Console [operator.openshift.io/v1]
- Config [imageregistry.operator.openshift.io/v1]
- Config [samples.operator.openshift.io/v1]
- CSISnapshotController [operator.openshift.io/v1]
- DNS [operator.openshift.io/v1]
- DNSRecord [ingress.operator.openshift.io/v1]
- Etcd [operator.openshift.io/v1]
- ImageContentSourcePolicy [operator.openshift.io/v1alpha1]
- ImagePruner [imageregistry.operator.openshift.io/v1]
- IngressController [operator.openshift.io/v1]
- KubeAPIServer [operator.openshift.io/v1]
- KubeControllerManager [operator.openshift.io/v1]
- KubeScheduler [operator.openshift.io/v1]
- KubeStorageVersionMigrator [operator.openshift.io/v1]
- Network [operator.openshift.io/v1]
- OpenShiftAPIServer [operator.openshift.io/v1]
- OpenShiftControllerManager [operator.openshift.io/v1]
- ServiceCA [operator.openshift.io/v1]
- ServiceCatalogAPIServer [operator.openshift.io/v1]
- ServiceCatalogControllerManager [operator.openshift.io/v1]
-
OperatorHub APIs
- About OperatorHub APIs
- CatalogSourceConfig [operators.coreos.com/v1]
- CatalogSource [operators.coreos.com/v1alpha1]
- ClusterServiceVersion [operators.coreos.com/v1alpha1]
- InstallPlan [operators.coreos.com/v1alpha1]
- OperatorGroup [operators.coreos.com/v1]
- OperatorSource [operators.coreos.com/v1]
- PackageManifest [packages.operators.coreos.com/v1]
- Subscription [operators.coreos.com/v1alpha1]
- Policy APIs
- Project APIs
- RBAC APIs
- Role APIs
- Schedule and quota APIs
-
Security APIs
- About Security APIs
- CertificateSigningRequest [certificates.k8s.io/v1beta1]
- CredentialsRequest [cloudcredential.openshift.io/v1]
- PodSecurityPolicyReview [security.openshift.io/v1]
- PodSecurityPolicySelfSubjectReview [security.openshift.io/v1]
- PodSecurityPolicySubjectReview [security.openshift.io/v1]
- RangeAllocation [security.openshift.io/v1]
- Secret [core/v1]
- SecurityContextConstraints [security.openshift.io/v1]
- ServiceAccount [core/v1]
-
Storage APIs
- About Storage APIs
- CSIDriver [storage.k8s.io/v1beta1]
- CSINode [storage.k8s.io/v1]
- PersistentVolumeClaim [core/v1]
- StorageClass [storage.k8s.io/v1]
- VolumeAttachment [storage.k8s.io/v1]
- VolumeSnapshot [snapshot.storage.k8s.io/v1beta1]
- VolumeSnapshotClass [snapshot.storage.k8s.io/v1beta1]
- VolumeSnapshotContent [snapshot.storage.k8s.io/v1beta1]
- Template APIs
- User and group APIs
-
Workloads APIs
- About Workloads APIs
- BuildConfig [build.openshift.io/v1]
- Build [build.openshift.io/v1]
- CronJob [batch/v1beta1]
- DaemonSet [apps/v1]
- Deployment [apps/v1]
- DeploymentConfig [apps.openshift.io/v1]
- Job [batch/v1]
- Pod [core/v1]
- ReplicationController [core/v1]
- PersistentVolume [core/v1]
- ReplicaSet [apps/v1]
- StatefulSet [apps/v1]
Troubleshooting
You can view the migration Custom Resources (CRs) and download logs to troubleshoot a failed migration.
If the application was stopped during the failed migration, you must roll it back manually in order to prevent data corruption.
|
Manual rollback is not required if the application was not stopped during migration, because the original application is still running on the source cluster. |
Viewing migration Custom Resources
The Cluster Application Migration (CAM) tool creates the following Custom Resources (CRs):
MigCluster (configuration, CAM cluster): Cluster definition
MigStorage (configuration, CAM cluster): Storage definition
MigPlan (configuration, CAM cluster): Migration plan
The MigPlan CR describes the source and target clusters, repository, and namespace(s) being migrated. It is associated with 0, 1, or many MigMigration CRs.
|
Deleting a MigPlan CR deletes the associated MigMigration CRs. |
BackupStorageLocation (configuration, CAM cluster): Location of Velero backup objects
VolumeSnapshotLocation (configuration, CAM cluster): Location of Velero volume snapshots
MigMigration (action, CAM cluster): Migration, created during migration
A MigMigration CR is created every time you stage or migrate data. Each MigMigration CR is associated with a MigPlan CR.
Backup (action, source cluster): When you run a migration plan, the MigMigration CR creates two Velero backup CRs on each source cluster:
-
Backup CR #1 for Kubernetes objects
-
Backup CR #2 for PV data
Restore (action, target cluster): When you run a migration plan, the MigMigration CR creates two Velero restore CRs on the target cluster:
-
Restore CR #1 (using Backup CR #2) for PV data
-
Restore CR #2 (using Backup CR #1) for Kubernetes objects
Procedure
-
Get the CR name:
$ oc get <migration_cr> -n openshift-migration (1)
1 Specify the migration CR, for example, migmigration.The output is similar to the following:
NAME AGE 88435fe0-c9f8-11e9-85e6-5d593ce65e10 6m42s
-
View the CR:
$ oc describe <migration_cr> <88435fe0-c9f8-11e9-85e6-5d593ce65e10> -n openshift-migration
The output is similar to the following examples.
MigMigration example
name: 88435fe0-c9f8-11e9-85e6-5d593ce65e10
namespace: openshift-migration
labels: <none>
annotations: touch: 3b48b543-b53e-4e44-9d34-33563f0f8147
apiVersion: migration.openshift.io/v1alpha1
kind: MigMigration
metadata:
creationTimestamp: 2019-08-29T01:01:29Z
generation: 20
resourceVersion: 88179
selfLink: /apis/migration.openshift.io/v1alpha1/namespaces/openshift-migration/migmigrations/88435fe0-c9f8-11e9-85e6-5d593ce65e10
uid: 8886de4c-c9f8-11e9-95ad-0205fe66cbb6
spec:
migPlanRef:
name: socks-shop-mig-plan
namespace: openshift-migration
quiescePods: true
stage: false
status:
conditions:
category: Advisory
durable: True
lastTransitionTime: 2019-08-29T01:03:40Z
message: The migration has completed successfully.
reason: Completed
status: True
type: Succeeded
phase: Completed
startTimestamp: 2019-08-29T01:01:29Z
events: <none>
Velero backup CR #2 example (PV data)
apiVersion: velero.io/v1
kind: Backup
metadata:
annotations:
openshift.io/migrate-copy-phase: final
openshift.io/migrate-quiesce-pods: "true"
openshift.io/migration-registry: 172.30.105.179:5000
openshift.io/migration-registry-dir: /socks-shop-mig-plan-registry-44dd3bd5-c9f8-11e9-95ad-0205fe66cbb6
creationTimestamp: "2019-08-29T01:03:15Z"
generateName: 88435fe0-c9f8-11e9-85e6-5d593ce65e10-
generation: 1
labels:
app.kubernetes.io/part-of: migration
migmigration: 8886de4c-c9f8-11e9-95ad-0205fe66cbb6
migration-stage-backup: 8886de4c-c9f8-11e9-95ad-0205fe66cbb6
velero.io/storage-location: myrepo-vpzq9
name: 88435fe0-c9f8-11e9-85e6-5d593ce65e10-59gb7
namespace: openshift-migration
resourceVersion: "87313"
selfLink: /apis/velero.io/v1/namespaces/openshift-migration/backups/88435fe0-c9f8-11e9-85e6-5d593ce65e10-59gb7
uid: c80dbbc0-c9f8-11e9-95ad-0205fe66cbb6
spec:
excludedNamespaces: []
excludedResources: []
hooks:
resources: []
includeClusterResources: null
includedNamespaces:
- sock-shop
includedResources:
- persistentvolumes
- persistentvolumeclaims
- namespaces
- imagestreams
- imagestreamtags
- secrets
- configmaps
- pods
labelSelector:
matchLabels:
migration-included-stage-backup: 8886de4c-c9f8-11e9-95ad-0205fe66cbb6
storageLocation: myrepo-vpzq9
ttl: 720h0m0s
volumeSnapshotLocations:
- myrepo-wv6fx
status:
completionTimestamp: "2019-08-29T01:02:36Z"
errors: 0
expiration: "2019-09-28T01:02:35Z"
phase: Completed
startTimestamp: "2019-08-29T01:02:35Z"
validationErrors: null
version: 1
volumeSnapshotsAttempted: 0
volumeSnapshotsCompleted: 0
warnings: 0
Velero restore CR #2 example (Kubernetes resources)
apiVersion: velero.io/v1
kind: Restore
metadata:
annotations:
openshift.io/migrate-copy-phase: final
openshift.io/migrate-quiesce-pods: "true"
openshift.io/migration-registry: 172.30.90.187:5000
openshift.io/migration-registry-dir: /socks-shop-mig-plan-registry-36f54ca7-c925-11e9-825a-06fa9fb68c88
creationTimestamp: "2019-08-28T00:09:49Z"
generateName: e13a1b60-c927-11e9-9555-d129df7f3b96-
generation: 3
labels:
app.kubernetes.io/part-of: migration
migmigration: e18252c9-c927-11e9-825a-06fa9fb68c88
migration-final-restore: e18252c9-c927-11e9-825a-06fa9fb68c88
name: e13a1b60-c927-11e9-9555-d129df7f3b96-gb8nx
namespace: openshift-migration
resourceVersion: "82329"
selfLink: /apis/velero.io/v1/namespaces/openshift-migration/restores/e13a1b60-c927-11e9-9555-d129df7f3b96-gb8nx
uid: 26983ec0-c928-11e9-825a-06fa9fb68c88
spec:
backupName: e13a1b60-c927-11e9-9555-d129df7f3b96-sz24f
excludedNamespaces: null
excludedResources:
- nodes
- events
- events.events.k8s.io
- backups.velero.io
- restores.velero.io
- resticrepositories.velero.io
includedNamespaces: null
includedResources: null
namespaceMapping: null
restorePVs: true
status:
errors: 0
failureReason: ""
phase: Completed
validationErrors: null
warnings: 15
Downloading migration logs
You can download the Velero, Restic, and Migration controller logs in the CAM web console to troubleshoot a failed migration.
Procedure
-
Log in to the CAM console.
-
Click Plans to view the list of migration plans.
-
Click the Options menu
of a specific migration plan and select Logs. -
Click Download Logs to download the logs of the Migration controller, Velero, and Restic for all clusters.
-
To download a specific log:
-
Specify the log options:
-
Cluster: Select the source, target, or CAM host cluster.
-
Log source: Select Velero, Restic, or Controller.
-
Pod source: Select the Pod name, for example,
controller-manager-78c469849c-v6wcfThe selected log is displayed.
You can clear the log selection settings by changing your selection.
-
-
Click Download Selected to download the selected log.
-
Optionally, you can access the logs by using the CLI, as in the following example:
$ oc get pods -n openshift-migration | grep controller controller-manager-78c469849c-v6wcf 1/1 Running 0 4h49m $ oc logs controller-manager-78c469849c-v6wcf -f -n openshift-migration
Updating deprecated API GroupVersionKinds
In OKD Latest, some API GroupVersionKinds (GVKs) that are used by OKD 3.x are deprecated.
If your source cluster uses deprecated GVKs, the following warning is displayed when you create a migration plan: Some namespaces contain GVKs incompatible with destination cluster. You can click See details to view the namespace and the incompatible GVKs.
|
This warning does not block the migration. |
During migration, the deprecated GVKs are saved in the Velero Backup Custom Resource (CR) #1 for Kubernetes objects. You can download the Backup CR, extract the deprecated GVK yaml files, and update them with the oc convert command. Then you create the updated GVKs on the target cluster.
Procedure
-
Run the migration plan.
-
View the MigPlan CR:
$ oc describe migplan <migplan_name> -n openshift-migration (1)
1 Specify the name of the migration plan. The output is similar to the following:
metadata: ... uid: 79509e05-61d6-11e9-bc55-02ce4781844a (1) status: ... conditions: - category: Warn lastTransitionTime: 2020-04-30T17:16:23Z message: 'Some namespaces contain GVKs incompatible with destination cluster. See: `incompatibleNamespaces` for details' status: "True" type: GVKsIncompatible incompatibleNamespaces: - gvks: - group: batch kind: cronjobs (2) version: v2alpha1 - group: batch kind: scheduledjobs (2) version: v2alpha11 Record the MigPlan UID. 2 Record the deprecated GVKs. -
Get the MigMigration name associated with the MigPlan UID:
$ oc get migmigration -o json | jq -r '.items[] | select(.metadata.ownerReferences[].uid=="<migplan_uid>") | .metadata.name' (1)
1 Specify the MigPlan UID. -
Get the MigMigration UID associated with the MigMigration name:
$ oc get migmigration <migmigration_name> -o jsonpath='{.metadata.uid}' (1)1 Specify the MigMigration name. -
Get the Velero Backup name associated with the MigMigration UID:
$ oc get backup.velero.io --selector migration-initial-backup="<migmigration_uid>" -o jsonpath={.items[*].metadata.name} (1)1 Specify the MigMigration UID. -
Download the contents of the Velero Backup to your local machine:
-
For AWS S3:
$ aws s3 cp s3://<bucket_name>/velero/backups/<backup_name> <backup_local_dir> --recursive (1)
1 Specify the bucket, backup name, and your local backup directory name. -
For GCP:
$ gsutil cp gs://<bucket_name>/velero/backups/<backup_name> <backup_local_dir> --recursive (1)
1 Specify the bucket, backup name, and your local backup directory name. -
For Azure:
$ azcopy copy 'https://velerobackups.blob.core.windows.net/velero/backups/<backup_name>' '<backup_local_dir>' --recursive (1)
1 Specify the backup name and your local backup directory name.
-
-
Extract the Velero Backup archive file:
$ tar -xfv <backup_local_dir>/<backup_name>.tar.gz -C <backup_local_dir>
-
Run
oc convertin offline mode on each deprecated GVK:$ oc convert <backup_local_dir>/resources/<gvk>.json (1)
1 Specify the deprecated GVK. -
Create the converted GVK on the target cluster:
$ oc create -f <gvk>.json (1)
1 Specify the converted GVK.
Error messages
Restic timeout error message in the Velero Pod log
If a migration fails because Restic times out, the following error appears in the Velero Pod log:
level=error msg="Error backing up item" backup=velero/monitoring error="timed out waiting for all PodVolumeBackups to complete" error.file="/go/src/github.com/heptio/velero/pkg/restic/backupper.go:165" error.function="github.com/heptio/velero/pkg/restic.(*backupper).BackupPodVolumes" group=v1
The default value of restic_timeout is one hour. You can increase this parameter for large migrations, keeping in mind that a higher value may delay the return of error messages.
Procedure
-
In the OKD web console, navigate to Operators → Installed Operators.
-
Click Cluster Application Migration Operator.
-
In the MigrationController tab, click migration-controller.
-
In the YAML tab, update the following parameter value:
spec: restic_timeout: 1h (1)1 Valid units are h(hours),m(minutes), ands(seconds), for example,3h30m15s. -
Click Save.
ResticVerifyErrors in the MigMigration Custom Resource
If data verification fails when migrating a PV with the filesystem data copy method, the following error appears in the MigMigration Custom Resource (CR):
status:
conditions:
- category: Warn
durable: true
lastTransitionTime: 2020-04-16T20:35:16Z
message: There were verify errors found in 1 Restic volume restores. See restore `<registry-example-migration-rvwcm>`
for details (1)
status: "True"
type: ResticVerifyErrors (2)
| 1 | The error message identifies the Restore CR name. |
| 2 | ResticErrors also appears. ResticErrors is a general error warning that includes verification errors. |
|
A data verification error does not cause the migration process to fail. |
You can check the target cluster’s Restore CR to identify the source of the data verification error.
Procedure
-
Log in to the target cluster.
-
View the Restore CR:
$ oc describe <registry-example-migration-rvwcm> -n openshift-migration
The output identifies the PV with
PodVolumeRestoreerrors:status: phase: Completed podVolumeRestoreErrors: - kind: PodVolumeRestore name: <registry-example-migration-rvwcm-98t49> namespace: openshift-migration podVolumeRestoreResticErrors: - kind: PodVolumeRestore name: <registry-example-migration-rvwcm-98t49> namespace: openshift-migration -
View the
PodVolumeRestoreCR:$ oc describe <migration-example-rvwcm-98t49>
The output identifies the Restic Pod that logged the errors:
completionTimestamp: 2020-05-01T20:49:12Z errors: 1 resticErrors: 1 ... resticPod: <restic-nr2v5>
-
View the Restic Pod log:
$ oc logs -f restic-nr2v5
Manually rolling back a migration
If your application was stopped during a failed migration, you must roll it back manually in order to prevent data corruption in the PV.
This procedure is not required if the application was not stopped during migration, because the original application is still running on the source cluster.
Procedure
-
On the target cluster, switch to the migrated project:
$ oc project <project>
-
Get the deployed resources:
$ oc get all
-
Delete the deployed resources to ensure that the application is not running on the target cluster and accessing data on the PVC:
$ oc delete <resource_type>
-
To stop a DaemonSet without deleting it, update the
nodeSelectorin the YAML file:apiVersion: apps/v1 kind: DaemonSet metadata: name: hello-daemonset spec: selector: matchLabels: name: hello-daemonset template: metadata: labels: name: hello-daemonset spec: nodeSelector: role: worker (1)1 Specify a nodeSelectorvalue that does not exist on any node. -
Update each PV’s reclaim policy so that unnecessary data is removed. During migration, the reclaim policy for bound PVs is
Retain, to ensure that data is not lost when an application is removed from the source cluster. You can remove these PVs during rollback.apiVersion: v1 kind: PersistentVolume metadata: name: pv0001 spec: capacity: storage: 5Gi accessModes: - ReadWriteOnce persistentVolumeReclaimPolicy: Retain (1) ... status: ...1 Specify RecycleorDelete. -
On the source cluster, switch to your migrated project:
$ oc project <project_name>
-
Obtain the project’s deployed resources:
$ oc get all
-
Start one or more replicas of each deployed resource:
$ oc scale --replicas=1 <resource_type>/<resource_name>
-
Update the
nodeSelectorof a DaemonSet to its original value, if you changed it during the procedure.
Gathering data for a customer support case
If you open a customer support case, you can run the must-gather tool with the openshift-migration-must-gather-rhel8 image to collect information about your cluster and upload it to the Red Hat Customer Portal.
The openshift-migration-must-gather-rhel8 image collects logs and Custom Resource data that are not collected by the default must-gather image.
Procedure
-
Navigate to the directory where you want to store the
must-gatherdata. -
Run the
oc adm must-gathercommand:$ oc adm must-gather --image=registry.redhat.io/rhcam-1-2/openshift-migration-must-gather-rhel8
The
must-gathertool collects the cluster information and stores it in amust-gather.local.<uid>directory. -
Remove authentication keys and other sensitive information from the
must-gatherdata. -
Create an archive file containing the contents of the
must-gather.local.<uid>directory:$ tar cvaf must-gather.tar.gz must-gather.local.<uid>/
You can attach the compressed file to your customer support case on the Red Hat Customer Portal.
Known issues
This release has the following known issues:
-
During migration, the Cluster Application Migration (CAM) tool preserves the following namespace annotations:
-
openshift.io/sa.scc.mcs -
openshift.io/sa.scc.supplemental-groups -
openshift.io/sa.scc.uid-rangeThese annotations preserve the UID range, ensuring that the containers retain their file system permissions on the target cluster. There is a risk that the migrated UIDs could duplicate UIDs within an existing or future namespace on the target cluster. (BZ#1748440)
-
-
If an AWS bucket is added to the CAM web console and then deleted, its status remains
Truebecause the MigStorage CR is not updated. (BZ#1738564) -
Most cluster-scoped resources are not yet handled by the CAM tool. If your applications require cluster-scoped resources, you may have to create them manually on the target cluster.
-
If a migration fails, the migration plan does not retain custom PV settings for quiesced pods. You must manually roll back the migration, delete the migration plan, and create a new migration plan with your PV settings. (BZ#1784899)
-
If a large migration fails because Restic times out, you can increase the
restic_timeoutparameter value (default:1h) in the Migration controller CR. -
If you select the data verification option for PVs that are migrated with the filesystem copy method, performance is significantly slower. Velero generates a checksum for each file and checks it when the file is restored.
-
In the current release (CAM 1.2), you cannot migrate from OKD 3.7 to Latest because certain API
GroupVersionKinds(GVKs) that are used by the source cluster are deprecated. You can manually update the GVKs after migration. (BZ#1817251) -
If you cannot install CAM 1.2 on an OKD 3 cluster, download the current
operator.ymlfile, which fixes this problem. (BZ#1843059)