labels:
migrationcontroller: ebe13bee-c803-47d0-a9e9-83f380328b93
- Documentation
- OKD 4
- Migration Toolkit for Containers
- Migrating from OpenShift Container Platform 3
- Troubleshooting
×
- About
- What's new?
- Architecture
-
Installing
- Installation overview
- Selecting an installation method and preparing a cluster
-
Installing on AWS
- Preparing to install on AWS
- Configuring an AWS account
- Manually creating IAM
- Installing a cluster quickly on AWS
- Installing a cluster on AWS with customizations
- Installing a cluster on AWS with network customizations
- Installing a cluster on AWS into an existing VPC
- Installing a private cluster on AWS
- Installing a cluster on AWS into a government or secret region
- Installing a cluster on AWS using CloudFormation templates
- Installing a cluster on AWS in a restricted network with user-provisioned infrastructure
- Uninstalling a cluster on AWS
-
Installing on Azure
- Configuring an Azure account
- Manually creating IAM
- Installing a cluster quickly on Azure
- Installing a cluster on Azure with customizations
- Installing a cluster on Azure with network customizations
- Installing a cluster on Azure into an existing VNet
- Installing a private cluster on Azure
- Installing a cluster on Azure into a government region
- Installing a cluster on Azure using ARM templates
- Uninstalling a cluster on Azure
-
Installing on GCP
- Configuring a GCP project
- Manually creating IAM
- Installing a cluster quickly on GCP
- Installing a cluster on GCP with customizations
- Installing a cluster on GCP with network customizations
- Installing a cluster on GCP into an existing VPC
- Installing a private cluster on GCP
- Installing a cluster on GCP using Deployment Manager templates
- Installing a cluster on GCP using Deployment Manager templates and a shared VPC
- Installing a cluster on GCP in a restricted network with user-provisioned infrastructure
- Uninstalling a cluster on GCP
- Installing on bare metal
- Deploying installer-provisioned clusters on bare metal
-
Installing on OpenStack
- Installing a cluster on OpenStack with customizations
- Installing a cluster on OpenStack with Kuryr
- Installing a cluster on OpenStack on your own infrastructure
- Installing a cluster on OpenStack with Kuryr on your own infrastructure
- Installing a cluster on OpenStack in a restricted network
- Uninstalling a cluster on OpenStack
- Uninstalling a cluster on OpenStack from your own infrastructure
- Installing on oVirt
-
Installing on vSphere
- Installing a cluster on vSphere
- Installing a cluster on vSphere with customizations
- Installing a cluster on vSphere with network customizations
- Installing a cluster on vSphere with user-provisioned infrastructure
- Installing a cluster on vSphere with user-provisioned infrastructure and network customizations
- Installing a cluster on vSphere in a restricted network with user-provisioned infrastructure
- Uninstalling a cluster on vSphere that uses installer-provisioned infrastructure
- Using the vSphere Problem Detector Operator
- Installing on any platform
- Installation configuration
- Validating an installation
- Troubleshooting installation issues
- Post-installation configuration
- Updating clusters
-
Support
- Remote health monitoring with connected clusters
- Gathering data about your cluster
- Summarizing cluster specifications
-
Troubleshooting
- Troubleshooting installations
- Verifying node health
- Troubleshooting CRI-O container runtime issues
- Troubleshooting operating system issues
- Troubleshooting Operator issues
- Investigating pod issues
- Troubleshooting the Source-to-Image process
- Troubleshooting storage issues
- Troubleshooting Windows container workload issues
- Investigating monitoring issues
- Diagnosing OpenShift CLI (oc) issues
- Web console
-
CLI tools
- OpenShift CLI (oc)
- Developer CLI (odo)
- Helm CLI
- Knative CLI (kn) for use with OpenShift Serverless
- Pipelines CLI (tkn)
- opm CLI
- Operator SDK
-
Security and compliance
- Compliance Operator
- File Integrity Operator
-
Container security
- Understanding container security
- Understanding host and VM security
- Hardening Fedora CoreOS
- Understanding compliance
- Securing container content
- Using container registries securely
- Securing the build process
- Deploying containers
- Securing the container platform
- Securing networks
- Securing attached storage
- Monitoring cluster events and logs
- Configuring certificates
-
Certificate types and descriptions
- User-provided certificates for the API server
- Proxy certificates
- Service CA certificates
- Node certificates
- Bootstrap certificates
- etcd certificates
- OLM certificates
- User-provided certificates for default ingress
- Ingress certificates
- Monitoring and cluster logging Operator component certificates
- Control plane certificates
- Viewing audit logs
- Configuring the audit log policy
- Allowing JavaScript-based access to the API server from additional hosts
- Encrypting etcd data
- Scanning pods for vulnerabilities
-
Authentication and authorization
- Understanding authentication
- Configuring the internal OAuth server
- Configuring OAuth clients
- Managing user-owned OAuth access tokens
- Understanding identity provider configuration
-
Configuring identity providers
- Configuring an HTPasswd identity provider
- Configuring a Keystone identity provider
- Configuring an LDAP identity provider
- Configuring a basic authentication identity provider
- Configuring a request header identity provider
- Configuring a GitHub or GitHub Enterprise identity provider
- Configuring a GitLab identity provider
- Configuring a Google identity provider
- Configuring an OpenID Connect identity provider
- Using RBAC to define and apply permissions
- Removing the kubeadmin user
- Configuring the user agent
- Understanding and creating service accounts
- Using service accounts in applications
- Using a service account as an OAuth client
- Scoping tokens
- Using bound service account tokens
- Managing security context constraints
- Impersonating the system:admin user
- Syncing LDAP groups
- Creating and using config maps
- Managing cloud provider credentials
-
Networking
- Understanding networking
- Accessing hosts
- Understanding the Cluster Network Operator
- Understanding the DNS Operator
- Understanding the Ingress Operator
- Verifying connectivity to an endpoint
- Configuring the node port service range
- Using SCTP
- Configuring PTP hardware
- Network policy
-
Multiple networks
- Understanding multiple networks
- About virtual routing and forwarding
- Attaching a pod to an additional network
- Removing a pod from an additional network
- Configuring a bridge network
- Configuring a host-device network
- Configuring an ipvlan network
- Configuring a macvlan network with basic customizations
- Configuring a macvlan network
- Editing an additional network
- Removing an additional network
- Assigning a secondary network to a VRF
-
Hardware networks
- About Single Root I/O Virtualization (SR-IOV) hardware networks
- Installing the SR-IOV Operator
- Configuring the SR-IOV Operator
- Configuring an SR-IOV network device
- Configuring an SR-IOV Ethernet network attachment
- Configuring an SR-IOV InfiniBand network attachment
- Adding a pod to an SR-IOV network
- Using high performance multicast
- Using DPDK and RDMA
-
OpenShift SDN default CNI network provider
- About the OpenShift SDN default CNI network provider
- Configuring egress IPs for a project
- Configuring an egress firewall for a project
- Viewing an egress firewall for a project
- Editing an egress firewall for a project
- Removing an egress firewall from a project
- Considerations for the use of an egress router pod
- Deploying an egress router pod in redirect mode
- Deploying an egress router pod in HTTP proxy mode
- Deploying an egress router pod in DNS proxy mode
- Configuring an egress router pod destination list from a config map
- Enabling multicast for a project
- Disabling multicast for a project
- Configuring multitenant isolation
- Configuring kube-proxy
-
OVN-Kubernetes default CNI network provider
- About the OVN-Kubernetes network provider
- Migrate from the OpenShift SDN cluster network provider
- Rollback to the OpenShift SDN cluster network provider
- IPsec encryption configuration
- Configuring an egress firewall for a project
- Viewing an egress firewall for a project
- Editing an egress firewall for a project
- Removing an egress firewall from a project
- Configuring an egress IP address
- Assigning an egress IP address
- Considerations for the use of an egress router pod
- Deploying an egress router pod in redirect mode
- Enabling multicast for a project
- Disabling multicast for a project
- Configuring hybrid networking
- Configuring Routes
-
Configuring ingress cluster traffic
- Overview
- Configuring ExternalIPs for services
- Configuring ingress cluster traffic using an Ingress Controller
- Configuring ingress cluster traffic using a load balancer
- Configuring ingress cluster traffic on AWS using a Network Load Balancer
- Configuring ingress cluster traffic using a service external IP
- Configuring ingress cluster traffic using a NodePort
- Kubernetes NMState
- Configuring the cluster-wide proxy
- Configuring a custom PKI
- Load balancing on OpenStack
- Associating secondary interfaces metrics to network attachments
-
Storage
- Understanding ephemeral storage
- Understanding persistent storage
-
Configuring persistent storage
- Persistent storage using Amazon EFS
- Persistent storage using AWS Elastic Block Store
- Persistent storage using Azure Disk
- Persistent storage using Azure File
- Persistent storage using Cinder
- Persistent storage using Fibre Channel
- Persistent storage using FlexVolume
- Persistent storage using GCE Persistent Disk
- Persistent storage using hostPath
- Persistent Storage using iSCSI
- Persistent storage using local volumes
- Persistent storage using NFS
- Persistent storage using Red Hat OpenShift Container Storage
- Persistent storage using VMware vSphere
- Using Container Storage Interface (CSI)
- Expanding persistent volumes
- Dynamic provisioning
- Registry
-
Operators
- Understanding Operators
- User tasks
- Administrator tasks
-
Developing Operators
- About the Operator SDK
- Installing the Operator SDK CLI
- Go-based Operators
- Ansible-based Operators
- Helm-based Operators
- Defining cluster service versions (CSVs)
- Working with bundle images
- Validating Operators using the scorecard
- Configuring built-in monitoring with Prometheus
- Configuring leader election
- Operator SDK CLI reference
- Migrating to Operator SDK v0.1.0
- Red Hat Operators reference
-
CI/CD
-
Builds
- Understanding image builds
- Understanding build configurations
- Creating build inputs
- Managing build output
- Using build strategies
- Custom image builds with Buildah
- Performing basic builds
- Triggering and modifying builds
- Performing advanced builds
- Using Red Hat subscriptions in builds
- Securing builds by strategy
- Build configuration resources
- Troubleshooting builds
- Setting up additional trusted certificate authorities for builds
- Pipelines
- GitOps
-
Builds
-
Images
- Configuring the Cluster Samples Operator
- Using the Cluster Samples Operator with an alternate registry
- Understanding containers, images, and imagestreams
- Creating images
- Managing images
- Managing image streams
- Using image streams with Kubernetes resources
- Triggering updates on image stream changes
- Image configuration resources
- Using templates
- Using Ruby on Rails
- Using images
- Applications
- Machine management
-
Nodes
-
Working with pods
- About Pods
- Viewing Pods
- Configuring a cluster for Pods
- Automatically scaling pods with the horizontal pod autoscaler
- Automatically adjust pod resource levels with the vertical pod autoscaler
- Providing sensitive data to Pods
- Using Device Manager to make devices available to nodes
- Including pod priority in Pod scheduling decisions
- Placing pods on specific nodes using node selectors
-
Controlling pod placement onto nodes (scheduling)
- About pod placement using the scheduler
- Configuring the default scheduler to control pod placement
- Scheduling pods using a scheduler profile
- Placing pods relative to other pods using pod affinity and anti-affinity rules
- Controlling pod placement on nodes using node affinity rules
- Placing pods onto overcommited nodes
- Controlling pod placement using node taints
- Placing pods on specific nodes using node selectors
- Controlling pod placement using pod topology spread constraints
- Evicting pods using the descheduler
- Using Jobs and DaemonSets
- Working with nodes
-
Working with containers
- Using containers
- Using Init Containers to perform tasks before a pod is deployed
- Using volumes to persist container data
- Mapping volumes using projected volumes
- Allowing containers to consume API objects
- Copying files to or from a container
- Executing remote commands in a container
- Using port forwarding to access applications in a container
- Using sysctls in containers
- Working with clusters
- Remote worker nodes on the network edge
-
Working with pods
- Windows Container Support for OpenShift
-
Logging
- Release notes
- About Logging
- Installing Logging
-
Configuring your Logging deployment
- About the Logging custom resource
- Configuring the logging collector
- Configuring the log store
- Configuring the log visualizer
- Configuring Logging storage
- Configuring CPU and memory limits for Logging components
- Using tolerations to control Logging pod placement
- Moving the Logging resources with node selectors
- Configuring systemd-journald for Logging
- Configuring the log curator
- Maintenance and support
- Viewing cluster logs
- Viewing cluster logs in Kibana
- Forwarding logs to third party systems
- Collecting and storing Kubernetes events
- Updating Logging
- Viewing cluster dashboards
- Troubleshooting Logging
- Uninstalling Logging
- Exported fields
- Monitoring
-
Scalability and performance
- Recommended installation practices
- Recommended host practices
- Recommended cluster scaling practices
- Using the Node Tuning Operator
- Using Cluster Loader
- Using CPU Manager
- Using Topology Manager
- Scaling the Cluster Monitoring Operator
- Planning your environment according to object maximums
- Optimizing storage
- Optimizing routing
- Optimizing networking
- What huge pages do and how they are consumed by apps
- Performance Addon Operator for low latency nodes
- Backup and restore
-
Migration Toolkit for Containers
-
Migrating from OpenShift Container Platform 3
- About migrating from OpenShift Container Platform 3 to 4
- Planning your migration from OpenShift Container Platform 3 to 4
- About the Migration Toolkit for Containers
- Deploying the Migration Toolkit for Containers
- Upgrading the Migration Toolkit for Containers
- Configuring a replication repository
- Migrating your applications
- Migrating your control plane settings
- Troubleshooting
-
Migrating from OpenShift Container Platform 3
-
API reference
- API list
- Common object reference
-
Authorization APIs
- About Authorization APIs
- LocalResourceAccessReview [authorization.openshift.io/v1]
- LocalSubjectAccessReview [authorization.openshift.io/v1]
- ResourceAccessReview [authorization.openshift.io/v1]
- SelfSubjectRulesReview [authorization.openshift.io/v1]
- SubjectAccessReview [authorization.openshift.io/v1]
- SubjectRulesReview [authorization.openshift.io/v1]
- TokenReview [authentication.k8s.io/v1]
- LocalSubjectAccessReview [authorization.k8s.io/v1]
- SelfSubjectAccessReview [authorization.k8s.io/v1]
- SelfSubjectRulesReview [authorization.k8s.io/v1]
- SubjectAccessReview [authorization.k8s.io/v1]
- Autoscale APIs
-
Config APIs
- About Config APIs
- APIServer [config.openshift.io/v1]
- Authentication [config.openshift.io/v1]
- Build [config.openshift.io/v1]
- ClusterOperator [config.openshift.io/v1]
- ClusterVersion [config.openshift.io/v1]
- Console [config.openshift.io/v1]
- DNS [config.openshift.io/v1]
- FeatureGate [config.openshift.io/v1]
- HelmChartRepository [helm.openshift.io/v1beta1]
- Image [config.openshift.io/v1]
- Infrastructure [config.openshift.io/v1]
- Ingress [config.openshift.io/v1]
- Network [config.openshift.io/v1]
- OAuth [config.openshift.io/v1]
- OperatorHub [config.openshift.io/v1]
- Project [config.openshift.io/v1]
- Proxy [config.openshift.io/v1]
- Scheduler [config.openshift.io/v1]
- Console APIs
- Extension APIs
-
Image APIs
- About Image APIs
- Image [image.openshift.io/v1]
- ImageSignature [image.openshift.io/v1]
- ImageStreamImage [image.openshift.io/v1]
- ImageStreamImport [image.openshift.io/v1]
- ImageStreamMapping [image.openshift.io/v1]
- ImageStream [image.openshift.io/v1]
- ImageStreamTag [image.openshift.io/v1]
- ImageTag [image.openshift.io/v1]
-
Machine APIs
- About Machine APIs
- ContainerRuntimeConfig [machineconfiguration.openshift.io/v1]
- ControllerConfig [machineconfiguration.openshift.io/v1]
- KubeletConfig [machineconfiguration.openshift.io/v1]
- MachineConfigPool [machineconfiguration.openshift.io/v1]
- MachineConfig [machineconfiguration.openshift.io/v1]
- MachineHealthCheck [machine.openshift.io/v1beta1]
- Machine [machine.openshift.io/v1beta1]
- MachineSet [machine.openshift.io/v1beta1]
- Metadata APIs
-
Monitoring APIs
- About Monitoring APIs
- Alertmanager [monitoring.coreos.com/v1]
- AlertmanagerConfig [monitoring.coreos.com/v1alpha1]
- PodMonitor [monitoring.coreos.com/v1]
- Probe [monitoring.coreos.com/v1]
- Prometheus [monitoring.coreos.com/v1]
- PrometheusRule [monitoring.coreos.com/v1]
- ServiceMonitor [monitoring.coreos.com/v1]
- ThanosRuler [monitoring.coreos.com/v1]
-
Network APIs
- About Network APIs
- ClusterNetwork [network.openshift.io/v1]
- Endpoints [core/v1]
- EndpointSlice [discovery.k8s.io/v1beta1]
- EgressNetworkPolicy [network.openshift.io/v1]
- HostSubnet [network.openshift.io/v1]
- Ingress [networking.k8s.io/v1]
- IngressClass [networking.k8s.io/v1]
- IPPool [whereabouts.cni.cncf.io/v1alpha1]
- NetNamespace [network.openshift.io/v1]
- NetworkAttachmentDefinition [k8s.cni.cncf.io/v1]
- NetworkPolicy [networking.k8s.io/v1]
- PodNetworkConnectivityCheck [controlplane.operator.openshift.io/v1alpha1]
- Route [route.openshift.io/v1]
- Service [core/v1]
- Node APIs
- OAuth APIs
-
Operator APIs
- About Operator APIs
- Authentication [operator.openshift.io/v1]
- CloudCredential [operator.openshift.io/v1]
- ClusterCSIDriver [operator.openshift.io/v1]
- Console [operator.openshift.io/v1]
- Config [operator.openshift.io/v1]
- Config [imageregistry.operator.openshift.io/v1]
- Config [samples.operator.openshift.io/v1]
- CSISnapshotController [operator.openshift.io/v1]
- DNS [operator.openshift.io/v1]
- DNSRecord [ingress.operator.openshift.io/v1]
- Etcd [operator.openshift.io/v1]
- ImageContentSourcePolicy [operator.openshift.io/v1alpha1]
- ImagePruner [imageregistry.operator.openshift.io/v1]
- IngressController [operator.openshift.io/v1]
- KubeAPIServer [operator.openshift.io/v1]
- KubeControllerManager [operator.openshift.io/v1]
- KubeScheduler [operator.openshift.io/v1]
- KubeStorageVersionMigrator [operator.openshift.io/v1]
- Network [operator.openshift.io/v1]
- OpenShiftAPIServer [operator.openshift.io/v1]
- OpenShiftControllerManager [operator.openshift.io/v1]
- OperatorPKI [network.operator.openshift.io/v1]
- ServiceCA [operator.openshift.io/v1]
- Storage [operator.openshift.io/v1]
-
OperatorHub APIs
- About OperatorHub APIs
- CatalogSource [operators.coreos.com/v1alpha1]
- ClusterServiceVersion [operators.coreos.com/v1alpha1]
- InstallPlan [operators.coreos.com/v1alpha1]
- Operator [operators.coreos.com/v1]
- OperatorCondition [operators.coreos.com/v1]
- OperatorGroup [operators.coreos.com/v1]
- PackageManifest [packages.operators.coreos.com/v1]
- Subscription [operators.coreos.com/v1alpha1]
- Policy APIs
- Project APIs
- Provisioning APIs
- RBAC APIs
- Role APIs
-
Schedule and quota APIs
- About Schedule and quota APIs
- AppliedClusterResourceQuota [quota.openshift.io/v1]
- ClusterResourceQuota [quota.openshift.io/v1]
- FlowSchema [flowcontrol.apiserver.k8s.io/v1alpha1]
- LimitRange [core/v1]
- PriorityClass [scheduling.k8s.io/v1]
- PriorityLevelConfiguration [flowcontrol.apiserver.k8s.io/v1alpha1]
- ResourceQuota [core/v1]
-
Security APIs
- About Security APIs
- CertificateSigningRequest [certificates.k8s.io/v1]
- CredentialsRequest [cloudcredential.openshift.io/v1]
- PodSecurityPolicyReview [security.openshift.io/v1]
- PodSecurityPolicySelfSubjectReview [security.openshift.io/v1]
- PodSecurityPolicySubjectReview [security.openshift.io/v1]
- RangeAllocation [security.openshift.io/v1]
- Secret [core/v1]
- SecurityContextConstraints [security.openshift.io/v1]
- ServiceAccount [core/v1]
-
Storage APIs
- About Storage APIs
- CSIDriver [storage.k8s.io/v1]
- CSINode [storage.k8s.io/v1]
- PersistentVolumeClaim [core/v1]
- StorageClass [storage.k8s.io/v1]
- StorageState [migration.k8s.io/v1alpha1]
- StorageVersionMigration [migration.k8s.io/v1alpha1]
- VolumeAttachment [storage.k8s.io/v1]
- VolumeSnapshot [snapshot.storage.k8s.io/v1]
- VolumeSnapshotClass [snapshot.storage.k8s.io/v1]
- VolumeSnapshotContent [snapshot.storage.k8s.io/v1]
- Template APIs
- User and group APIs
-
Workloads APIs
- About Workloads APIs
- BuildConfig [build.openshift.io/v1]
- Build [build.openshift.io/v1]
- CronJob [batch/v1beta1]
- DaemonSet [apps/v1]
- Deployment [apps/v1]
- DeploymentConfig [apps.openshift.io/v1]
- Job [batch/v1]
- Pod [core/v1]
- ReplicationController [core/v1]
- PersistentVolume [core/v1]
- ReplicaSet [apps/v1]
- StatefulSet [apps/v1]
Troubleshooting
- Viewing MTC custom resources
- Using the migration log reader
- Downloading migration logs
- Updating deprecated APIs
- Error messages and resolutions
- Direct volume migration does not complete
- Using the Velero CLI to debug Backup and Restore CRs
- Using
must-gatherto collect data - Rolling back a migration
- Known issues
- Additional resources
You can view the Migration Toolkit for Containers (MTC) custom resources and download logs to troubleshoot a failed migration.
If the application was stopped during the failed migration, you must roll it back manually in order to prevent data corruption.
|
Manual rollback is not required if the application was not stopped during migration because the original application is still running on the source cluster. |
Viewing MTC custom resources
You can view the following Migration Toolkit for Containers (MTC) custom resources (CRs) to troubleshoot a failed migration:
-
MigCluster -
MigStorage -
MigPlan -
BackupStorageLocationThe
BackupStorageLocationCR contains amigrationcontrollerlabel to identify the MTC instance that created the CR: -
VolumeSnapshotLocationThe
VolumeSnapshotLocationCR contains amigrationcontrollerlabel to identify the MTC instance that created the CR:labels: migrationcontroller: ebe13bee-c803-47d0-a9e9-83f380328b93 -
MigMigration -
BackupMTC changes the reclaim policy of migrated persistent volumes (PVs) to
Retainon the target cluster. TheBackupCR contains anopenshift.io/orig-reclaim-policyannotation that indicates the original reclaim policy. You can manually restore the reclaim policy of the migrated PVs. -
Restore
Procedure
-
List the
MigMigrationCRs in theopenshift-migrationnamespace:$ oc get migmigration -n openshift-migrationExample outputNAME AGE 88435fe0-c9f8-11e9-85e6-5d593ce65e10 6m42s -
Inspect the
MigMigrationCR:$ oc describe migmigration 88435fe0-c9f8-11e9-85e6-5d593ce65e10 -n openshift-migrationThe output is similar to the following examples.
MigMigration example outputname: 88435fe0-c9f8-11e9-85e6-5d593ce65e10
namespace: openshift-migration
labels: <none>
annotations: touch: 3b48b543-b53e-4e44-9d34-33563f0f8147
apiVersion: migration.openshift.io/v1alpha1
kind: MigMigration
metadata:
creationTimestamp: 2019-08-29T01:01:29Z
generation: 20
resourceVersion: 88179
selfLink: /apis/migration.openshift.io/v1alpha1/namespaces/openshift-migration/migmigrations/88435fe0-c9f8-11e9-85e6-5d593ce65e10
uid: 8886de4c-c9f8-11e9-95ad-0205fe66cbb6
spec:
migPlanRef:
name: socks-shop-mig-plan
namespace: openshift-migration
quiescePods: true
stage: false
status:
conditions:
category: Advisory
durable: True
lastTransitionTime: 2019-08-29T01:03:40Z
message: The migration has completed successfully.
reason: Completed
status: True
type: Succeeded
phase: Completed
startTimestamp: 2019-08-29T01:01:29Z
events: <none>Velero backup CR #2 example output that describes the PV dataapiVersion: velero.io/v1
kind: Backup
metadata:
annotations:
openshift.io/migrate-copy-phase: final
openshift.io/migrate-quiesce-pods: "true"
openshift.io/migration-registry: 172.30.105.179:5000
openshift.io/migration-registry-dir: /socks-shop-mig-plan-registry-44dd3bd5-c9f8-11e9-95ad-0205fe66cbb6
openshift.io/orig-reclaim-policy: delete
creationTimestamp: "2019-08-29T01:03:15Z"
generateName: 88435fe0-c9f8-11e9-85e6-5d593ce65e10-
generation: 1
labels:
app.kubernetes.io/part-of: migration
migmigration: 8886de4c-c9f8-11e9-95ad-0205fe66cbb6
migration-stage-backup: 8886de4c-c9f8-11e9-95ad-0205fe66cbb6
velero.io/storage-location: myrepo-vpzq9
name: 88435fe0-c9f8-11e9-85e6-5d593ce65e10-59gb7
namespace: openshift-migration
resourceVersion: "87313"
selfLink: /apis/velero.io/v1/namespaces/openshift-migration/backups/88435fe0-c9f8-11e9-85e6-5d593ce65e10-59gb7
uid: c80dbbc0-c9f8-11e9-95ad-0205fe66cbb6
spec:
excludedNamespaces: []
excludedResources: []
hooks:
resources: []
includeClusterResources: null
includedNamespaces:
- sock-shop
includedResources:
- persistentvolumes
- persistentvolumeclaims
- namespaces
- imagestreams
- imagestreamtags
- secrets
- configmaps
- pods
labelSelector:
matchLabels:
migration-included-stage-backup: 8886de4c-c9f8-11e9-95ad-0205fe66cbb6
storageLocation: myrepo-vpzq9
ttl: 720h0m0s
volumeSnapshotLocations:
- myrepo-wv6fx
status:
completionTimestamp: "2019-08-29T01:02:36Z"
errors: 0
expiration: "2019-09-28T01:02:35Z"
phase: Completed
startTimestamp: "2019-08-29T01:02:35Z"
validationErrors: null
version: 1
volumeSnapshotsAttempted: 0
volumeSnapshotsCompleted: 0
warnings: 0Velero restore CR #2 example output that describes the Kubernetes resourcesapiVersion: velero.io/v1
kind: Restore
metadata:
annotations:
openshift.io/migrate-copy-phase: final
openshift.io/migrate-quiesce-pods: "true"
openshift.io/migration-registry: 172.30.90.187:5000
openshift.io/migration-registry-dir: /socks-shop-mig-plan-registry-36f54ca7-c925-11e9-825a-06fa9fb68c88
creationTimestamp: "2019-08-28T00:09:49Z"
generateName: e13a1b60-c927-11e9-9555-d129df7f3b96-
generation: 3
labels:
app.kubernetes.io/part-of: migration
migmigration: e18252c9-c927-11e9-825a-06fa9fb68c88
migration-final-restore: e18252c9-c927-11e9-825a-06fa9fb68c88
name: e13a1b60-c927-11e9-9555-d129df7f3b96-gb8nx
namespace: openshift-migration
resourceVersion: "82329"
selfLink: /apis/velero.io/v1/namespaces/openshift-migration/restores/e13a1b60-c927-11e9-9555-d129df7f3b96-gb8nx
uid: 26983ec0-c928-11e9-825a-06fa9fb68c88
spec:
backupName: e13a1b60-c927-11e9-9555-d129df7f3b96-sz24f
excludedNamespaces: null
excludedResources:
- nodes
- events
- events.events.k8s.io
- backups.velero.io
- restores.velero.io
- resticrepositories.velero.io
includedNamespaces: null
includedResources: null
namespaceMapping: null
restorePVs: true
status:
errors: 0
failureReason: ""
phase: Completed
validationErrors: null
warnings: 15Using the migration log reader
You can use the migration log reader to display a single filtered view of all the migration logs.
Procedure
-
Get the
mig-log-readerpod:$ oc -n openshift-migration get pods | grep log -
Enter the following command to display a single migration log:
$ oc -n openshift-migration logs -f <mig-log-reader-pod> -c color (1)1 The -c plainoption displays the log without colors.
Downloading migration logs
You can download the Velero, Restic, and MigrationController pod logs in the Migration Toolkit for Containers (MTC) web console to troubleshoot a failed migration.
Procedure
-
In the MTC console, click Migration plans to view the list of migration plans.
-
Click the Options menu
of a specific migration plan and select Logs. -
Click Download Logs to download the logs of the
MigrationController,Velero, andResticpods for all clusters.You can download a single log by selecting the cluster, log source, and pod source, and then clicking Download Selected.
You can access a pod log from the CLI by using the
oc logscommand:$ oc logs <pod-name> -f -n openshift-migration (1)1 Specify the pod name.
Updating deprecated APIs
In OKD 4, some APIs that are used by OKD 3.x are deprecated.
If your source cluster uses deprecated APIs, the following warning message is displayed when you create a migration plan in the Migration Toolkit for Containers (MTC):
Some namespaces contain GVKs incompatible with destination clusterYou can click See details to view the namespace and the incompatible APIs. This warning message does not block the migration.
During migration with the Migration Toolkit for Containers (MTC), the deprecated APIs are saved in the Velero Backup #1 for Kubernetes objects. You can download the Velero Backup, extract the deprecated API yaml files, and update them with the oc convert command. Then you can create the updated APIs on the target cluster.
Procedure
-
Run the migration plan.
-
View the
MigPlanCR:$ oc describe migplan <migplan_name> -n openshift-migration (1)1 Specify the name of the migration plan. The output is similar to the following:
metadata: ... uid: 79509e05-61d6-11e9-bc55-02ce4781844a (1) status: ... conditions: - category: Warn lastTransitionTime: 2020-04-30T17:16:23Z message: 'Some namespaces contain GVKs incompatible with destination cluster. See: `incompatibleNamespaces` for details' status: "True" type: GVKsIncompatible incompatibleNamespaces: - gvks: (2) - group: batch kind: cronjobs version: v2alpha1 - group: batch kind: scheduledjobs version: v2alpha11 Record the MigPlanUID.2 Record the deprecated APIs listed in the gvkssection. -
Get the
MigMigrationname associated with theMigPlanUID:$ oc get migmigration -o json | jq -r '.items[] | select(.metadata.ownerReferences[].uid=="<migplan_uid>") | .metadata.name' (1)1 Specify the MigPlanUID. -
Get the
MigMigrationUID associated with theMigMigrationname:$ oc get migmigration <migmigration_name> -o jsonpath='{.metadata.uid}' (1)1 Specify the MigMigrationname. -
Get the
VeleroBackup name associated with theMigMigrationUID:$ oc get backup.velero.io --selector migration-initial-backup="<migmigration_uid>" -o jsonpath={.items[*].metadata.name} (1)1 Specify the MigMigrationUID. -
Download the contents of the
VeleroBackup to your local machine by running the command for your storage provider:-
AWS S3:
$ aws s3 cp s3://<bucket_name>/velero/backups/<backup_name> <backup_local_dir> --recursive (1)1 Specify the bucket, backup name, and your local backup directory name. -
GCP:
$ gsutil cp gs://<bucket_name>/velero/backups/<backup_name> <backup_local_dir> --recursive (1)1 Specify the bucket, backup name, and your local backup directory name. -
Azure:
$ azcopy copy 'https://velerobackups.blob.core.windows.net/velero/backups/<backup_name>' '<backup_local_dir>' --recursive (1)1 Specify the backup name and your local backup directory name.
-
-
Extract the
VeleroBackup archive file:$ tar -xfv <backup_local_dir>/<backup_name>.tar.gz -C <backup_local_dir> -
Run
oc convertin offline mode on each deprecated API:$ oc convert -f <backup_local_dir>/resources/<gvk>.json -
Create the converted API on the target cluster:
$ oc create -f <gvk>.json
Error messages and resolutions
This section describes common error messages you might encounter with the Migration Toolkit for Containers (MTC) and how to resolve their underlying causes.
CA certificate error in the MTC console
If a CA certificate error message is displayed the first time you try to access the MTC console, the likely cause is the use of self-signed CA certificates in one of the clusters.
To resolve this issue, navigate to the oauth-authorization-server URL displayed in the error message and accept the certificate. To resolve this issue permanently, add the certificate to the trust store of your web browser.
If an Unauthorized message is displayed after you have accepted the certificate, navigate to the MTC console and refresh the web page.
OAuth timeout error in the MTC console
If a connection has timed out message is displayed in the MTC console after you have accepted a self-signed certificate, the causes are likely to be the following:
-
Interrupted network access to the OAuth server
-
Interrupted network access to the OKD console
-
Proxy configuration that blocks access to the
oauth-authorization-serverURL. See MTC console inaccessible because of OAuth timeout error for details.
You can determine the cause of the timeout.
Procedure
-
Navigate to the MTC console and inspect the elements with the browser web inspector.
-
Check the
MigrationUIpod log:$ oc logs <MigrationUI_Pod> -n openshift-migration
PodVolumeBackups timeout error in Velero pod log
If a migration fails because Restic times out, the following error is displayed in the Velero pod log.
Example output
level=error msg="Error backing up item" backup=velero/monitoring error="timed out waiting for all PodVolumeBackups to complete" error.file="/go/src/github.com/heptio/velero/pkg/restic/backupper.go:165" error.function="github.com/heptio/velero/pkg/restic.(*backupper).BackupPodVolumes" group=v1The default value of restic_timeout is one hour. You can increase this parameter for large migrations, keeping in mind that a higher value may delay the return of error messages.
Procedure
-
In the OKD web console, navigate to Operators → Installed Operators.
-
Click Migration Toolkit for Containers Operator.
-
In the MigrationController tab, click migration-controller.
-
In the YAML tab, update the following parameter value:
spec: restic_timeout: 1h (1)1 Valid units are h(hours),m(minutes), ands(seconds), for example,3h30m15s. -
Click Save.
ResticVerifyErrors in the MigMigration custom resource
If data verification fails when migrating a persistent volume with the file system data copy method, the following error is displayed in the MigMigration CR.
Example output
status:
conditions:
- category: Warn
durable: true
lastTransitionTime: 2020-04-16T20:35:16Z
message: There were verify errors found in 1 Restic volume restores. See restore `<registry-example-migration-rvwcm>`
for details (1)
status: "True"
type: ResticVerifyErrors (2)| 1 | The error message identifies the Restore CR name. |
| 2 | ResticVerifyErrors is a general error warning type that includes verification errors. |
|
A data verification error does not cause the migration process to fail. |
You can check the Restore CR to identify the source of the data verification error.
Procedure
-
Log in to the target cluster.
-
View the
RestoreCR:$ oc describe <registry-example-migration-rvwcm> -n openshift-migrationThe output identifies the persistent volume with
PodVolumeRestoreerrors.Example outputstatus: phase: Completed podVolumeRestoreErrors: - kind: PodVolumeRestore name: <registry-example-migration-rvwcm-98t49> namespace: openshift-migration podVolumeRestoreResticErrors: - kind: PodVolumeRestore name: <registry-example-migration-rvwcm-98t49> namespace: openshift-migration -
View the
PodVolumeRestoreCR:$ oc describe <migration-example-rvwcm-98t49>The output identifies the
Resticpod that logged the errors.Example outputcompletionTimestamp: 2020-05-01T20:49:12Z errors: 1 resticErrors: 1 ... resticPod: <restic-nr2v5> -
View the
Resticpod log to locate the errors:$ oc logs -f <restic-nr2v5>
Direct volume migration does not complete
If direct volume migration does not complete, the target cluster might not have the same node-selector annotations as the source cluster.
Migration Toolkit for Containers (MTC) migrates namespaces with all annotations in order to preserve security context constraints and scheduling requirements. During direct volume migration, MTC creates Rsync transfer pods on the target cluster in the namespaces that were migrated from the source cluster. If a target cluster namespace does not have the same annotations as the source cluster namespace, the Rsync transfer pods cannot be scheduled. The Rsync pods remain in a Pending state.
You can identify and fix this issue by performing the following procedure.
Procedure
-
Check the status of the
MigMigrationCR:$ oc describe migmigration <pod_name> -n openshift-migrationThe output includes the following status message:
Example output... Some or all transfer pods are not running for more than 10 mins on destination cluster ... -
On the source cluster, obtain the details of a migrated namespace:
$ oc get namespace <namespace> -o yaml (1)1 Specify the migrated namespace. -
On the target cluster, edit the migrated namespace:
$ oc edit namespace <namespace> -
Add missing
openshift.io/node-selectorannotations to the migrated namespace as in the following example:apiVersion: v1 kind: Namespace metadata: annotations: openshift.io/node-selector: "region=east" ... -
Run the migration plan again.
Using the Velero CLI to debug Backup and Restore CRs
You can debug the Backup and Restore custom resources (CRs) and partial migration failures with the Velero command line interface (CLI). The Velero CLI runs in the velero pod.
Velero command syntax
Velero CLI commands use the following syntax:
$ oc exec $(oc get pods -n openshift-migration -o name | grep velero) -- ./velero <resource> <command> <resource_id>You can specify velero-<pod> -n openshift-migration in place of $(oc get pods -n openshift-migration -o name | grep velero).
Help command
The Velero help command lists all the Velero CLI commands:
$ oc exec $(oc get pods -n openshift-migration -o name | grep velero) -- ./velero --helpDescribe command
The Velero describe command provides a summary of warnings and errors associated with a Velero resource:
$ oc exec $(oc get pods -n openshift-migration -o name | grep velero) -- ./velero <resource> describe <resource_id>Example
$ oc exec $(oc get pods -n openshift-migration -o name | grep velero) -- ./velero backup describe 0e44ae00-5dc3-11eb-9ca8-df7e5254778b-2d8qlLogs command
The Velero logs command provides the logs associated with a Velero resource:
velero <resource> logs <resource_id>Example
$ oc exec $(oc get pods -n openshift-migration -o name | grep velero) -- ./velero restore logs ccc7c2d0-6017-11eb-afab-85d0007f5a19-x4lbfDebugging a partial migration failure
You can debug a partial migration failure warning message by using the Velero CLI to examine the Restore custom resource (CR) logs.
A partial failure occurs when Velero encounters an issue that does not cause a migration to fail. For example, if a custom resource definition (CRD) is missing or if there is a discrepancy between CRD versions on the source and target clusters, the migration completes but the CR is not created on the target cluster.
Velero logs the issue as a partial failure and then processes the rest of the objects in the Backup CR.
Procedure
-
Check the status of a
MigMigrationCR:$ oc get migmigration <migmigration> -o yamlExample outputstatus: conditions: - category: Warn durable: true lastTransitionTime: "2021-01-26T20:48:40Z" message: 'Final Restore openshift-migration/ccc7c2d0-6017-11eb-afab-85d0007f5a19-x4lbf: partially failed on destination cluster' status: "True" type: VeleroFinalRestorePartiallyFailed - category: Advisory durable: true lastTransitionTime: "2021-01-26T20:48:42Z" message: The migration has completed with warnings, please look at `Warn` conditions. reason: Completed status: "True" type: SucceededWithWarnings -
Check the status of the
RestoreCR by using the Velerodescribecommand:$ oc exec $(oc get pods -n openshift-migration -o name | grep velero) -n openshift-migration -- ./velero restore describe <restore>Example outputPhase: PartiallyFailed (run 'velero restore logs ccc7c2d0-6017-11eb-afab-85d0007f5a19-x4lbf' for more information) Errors: Velero: <none> Cluster: <none> Namespaces: migration-example: error restoring example.com/migration-example/migration-example: the server could not find the requested resource -
Check the
RestoreCR logs by using the Velerologscommand:$ oc exec $(oc get pods -n openshift-migration -o name | grep velero) -n openshift-migration -- ./velero restore logs <restore>Example outputtime="2021-01-26T20:48:37Z" level=info msg="Attempting to restore migration-example: migration-example" logSource="pkg/restore/restore.go:1107" restore=openshift-migration/ccc7c2d0-6017-11eb-afab-85d0007f5a19-x4lbf time="2021-01-26T20:48:37Z" level=info msg="error restoring migration-example: the server could not find the requested resource" logSource="pkg/restore/restore.go:1170" restore=openshift-migration/ccc7c2d0-6017-11eb-afab-85d0007f5a19-x4lbfThe
RestoreCR log error message,the server could not find the requested resource, indicates the cause of the partially failed migration.
Using must-gather to collect data
You must run the must-gather tool if you open a customer support case on the Red Hat Customer Portal for the Migration Toolkit for Containers (MTC).
The openshift-migration-must-gather-rhel8 image for MTC collects migration-specific logs and data that are not collected by the default must-gather image.
Procedure
-
Navigate to the directory where you want to store the
must-gatherdata. -
Run the
must-gathercommand:$ oc adm must-gather --image=openshift-migration-must-gather-rhel8:v1.4.1 -
Remove authentication keys and other sensitive information.
-
Create an archive file containing the contents of the
must-gatherdata directory:$ tar cvaf must-gather.tar.gz must-gather.local.<uid>/ -
Upload the compressed file as an attachment to your customer support case.
Rolling back a migration
You can roll back a migration by using the MTC web console or the CLI.
Rolling back a migration in the MTC web console
You can roll back a migration by using the Migration Toolkit for Containers (MTC) web console.
If your application was stopped during a failed migration, you must roll back the migration in order to prevent data corruption in the persistent volume.
Rollback is not required if the application was not stopped during migration because the original application is still running on the source cluster.
Procedure
-
In the MTC web console, click Migration plans.
-
Click the Options menu
beside a migration plan and select Rollback. -
Click Rollback and wait for rollback to complete.
In the migration plan details, Rollback succeeded is displayed.
-
Verify that rollback was successful in the OKD web console of the source cluster:
-
Click Home → Projects.
-
Click the migrated project to view its status.
-
In the Routes section, click Location to verify that the application is functioning, if applicable.
-
Click Workloads → Pods to verify that the pods are running in the migrated namespace.
-
Click Storage → Persistent volumes to verify that the migrated persistent volume is correctly provisioned.
-
Rolling back a migration from the CLI
You can roll back a migration by creating a MigMigration custom resource (CR) from the CLI.
If your application was stopped during a failed migration, you must roll back the migration in order to prevent data corruption in the persistent volume.
Rollback is not required if the application was not stopped during migration because the original application is still running on the source cluster.
Procedure
-
Create a
MigMigrationCR based on the following example:$ cat << EOF | oc apply -f - apiVersion: migration.openshift.io/v1alpha1 kind: MigMigration metadata: labels: controller-tools.k8s.io: "1.0" name: migration-rollback namespace: openshift-migration spec: ... rollback: true ... migPlanRef: name: <migplan_name> (1) namespace: openshift-migration EOF1 Specify the name of the associated MigPlanCR. -
In the MTC web console, verify that the migrated project resources have been removed from the target cluster.
-
Verify that the migrated project resources are present in the source cluster and that the application is running.
Known issues
This release has the following known issues:
-
During migration, the Migration Toolkit for Containers (MTC) preserves the following namespace annotations:
-
openshift.io/sa.scc.mcs -
openshift.io/sa.scc.supplemental-groups -
openshift.io/sa.scc.uid-rangeThese annotations preserve the UID range, ensuring that the containers retain their file system permissions on the target cluster. There is a risk that the migrated UIDs could duplicate UIDs within an existing or future namespace on the target cluster. (BZ#1748440)
-
-
If an AWS bucket is added to the MTC web console and then deleted, its status remains
Truebecause theMigStorageCR is not updated. (BZ#1738564) -
Most cluster-scoped resources are not yet handled by MTC. If your applications require cluster-scoped resources, you might have to create them manually on the target cluster.
-
If a migration fails, the migration plan does not retain custom PV settings for quiesced pods. You must manually roll back the migration, delete the migration plan, and create a new migration plan with your PV settings. (BZ#1784899)
-
If a large migration fails because Restic times out, you can increase the
restic_timeoutparameter value (default:1h) in theMigrationControllerCR. -
If you select the data verification option for PVs that are migrated with the file system copy method, performance is significantly slower.