$ echo -n | openssl s_client -connect <host_FQDN>:<port> \ (1)
| sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > <ca_bundle.cert> (2)
- Documentation
- OpenShift Container Platform
- Migration Toolkit for Containers
- Migrating from OpenShift Container Platform 4.2 and later
- Migrating your applications Page history / Open an issue
×
- Welcome
- Release notes
- Architecture
-
Installing
-
Installing on AWS
- Configuring an AWS account
- Manually creating IAM
- Installing a cluster quickly on AWS
- Installing a cluster on AWS with customizations
- Installing a cluster on AWS with network customizations
- Installing a cluster on AWS into an existing VPC
- Installing a private cluster on AWS
- Installing a cluster on AWS into a government region
- Installing a cluster on AWS using CloudFormation templates
- Installing a cluster on AWS in a restricted network
- Uninstalling a cluster on AWS
-
Installing on Azure
- Configuring an Azure account
- Manually creating IAM
- Installing a cluster quickly on Azure
- Installing a cluster on Azure with customizations
- Installing a cluster on Azure with network customizations
- Installing a cluster on Azure into an existing VNet
- Installing a private cluster on Azure
- Installing a cluster on Azure into a government region
- Installing a cluster on Azure using ARM templates
- Uninstalling a cluster on Azure
-
Installing on GCP
- Configuring a GCP project
- Manually creating IAM
- Installing a cluster quickly on GCP
- Installing a cluster on GCP with customizations
- Installing a cluster on GCP with network customizations
- Installing a cluster on GCP into an existing VPC
- Installing a private cluster on GCP
- Installing a cluster on GCP using Deployment Manager templates
- Installing a cluster on GCP using Deployment Manager templates and a shared VPC
- Restricted network GCP installation
- Uninstalling a cluster on GCP
- Installing on bare metal
- Deploying installer-provisioned clusters on bare metal
- Installing on IBM Z and LinuxONE
- Installing on IBM Power Systems
-
Installing on OpenStack
- Installing a cluster on OpenStack with customizations
- Installing a cluster on OpenStack with Kuryr
- Installing a cluster on OpenStack on your own infrastructure
- Installing a cluster on OpenStack with Kuryr on your own infrastructure
- Installing a cluster on OpenStack in a restricted network
- Uninstalling a cluster on OpenStack
- Uninstalling a cluster on OpenStack from your own infrastructure
- Installing on RHV
-
Installing on vSphere
- Installing a cluster on vSphere
- Installing a cluster on vSphere with customizations
- Installing a cluster on vSphere with network customizations
- Installing a cluster on vSphere with user-provisioned infrastructure
- Installing a cluster on vSphere with user-provisioned infrastructure and network customizations
- Restricted network vSphere installation with user-provisioned infrastructure
- Uninstalling a cluster on vSphere that uses installer-provisioned infrastructure
- Installation configuration
- Troubleshooting installation issues
- Support for FIPS cryptography
-
Installing on AWS
- Updating clusters
- Post-installation configuration
- Support
- Web console
-
Security and compliance
- Compliance Operator
- File Integrity Operator
-
Container security
- Understanding container security
- Understanding host and VM security
- Hardening Red Hat Enterprise Linux CoreOS
- Understanding compliance
- Securing container content
- Using container registries securely
- Securing the build process
- Deploying containers
- Securing the container platform
- Securing networks
- Securing attached storage
- Monitoring cluster events and logs
- Configuring certificates
-
Certificate types and descriptions
- User-provided certificates for the API server
- Proxy certificates
- Service CA certificates
- Node certificates
- Bootstrap certificates
- etcd certificates
- OLM certificates
- User-provided certificates for default ingress
- Ingress certificates
- Monitoring and cluster logging Operator component certificates
- Control plane certificates
- Viewing audit logs
- Configuring the audit log policy
- Allowing JavaScript-based access to the API server from additional hosts
- Encrypting etcd data
- Scanning pods for vulnerabilities
-
Authentication and authorization
- Understanding authentication
- Configuring the internal OAuth server
- Configuring OAuth clients
- Understanding identity provider configuration
-
Configuring identity providers
- Configuring an HTPasswd identity provider
- Configuring a Keystone identity provider
- Configuring an LDAP identity provider
- Configuring a basic authentication identity provider
- Configuring a request header identity provider
- Configuring a GitHub or GitHub Enterprise identity provider
- Configuring a GitLab identity provider
- Configuring a Google identity provider
- Configuring an OpenID Connect identity provider
- Using RBAC to define and apply permissions
- Removing the kubeadmin user
- Configuring the user agent
- Understanding and creating service accounts
- Using service accounts in applications
- Using a service account as an OAuth client
- Scoping tokens
- Using bound service account tokens
- Managing Security Context Constraints
- Impersonating the system:admin user
- Syncing LDAP groups
-
Networking
- Understanding networking
- Accessing hosts
- Understanding the Cluster Network Operator
- Understanding the DNS Operator
- Understanding the Ingress Operator
- Configuring the node port service range
- Using SCTP
- Network policy
-
Multiple networks
- Understanding multiple networks
- Attaching a Pod to an additional network
- Removing a Pod from an additional network
- Configuring a bridge network
- Configuring a host-device network
- Configuring an ipvlan network
- Configuring a macvlan network with basic customizations
- Configuring a macvlan network
- Editing an additional network
- Removing an additional network
- Configuring PTP
-
Hardware networks
- About Single Root I/O Virtualization (SR-IOV) hardware networks
- Installing the SR-IOV Operator
- Configuring the SR-IOV Operator
- Configuring an SR-IOV network device
- Configuring an SR-IOV Ethernet network attachment
- Configuring an SR-IOV InfiniBand network attachment
- Adding Pod to an SR-IOV network
- Using high performance multicast
- Using DPDK and RDMA
-
OpenShift SDN default CNI network provider
- About the OpenShift SDN default CNI network provider
- Configuring egress IPs for a project
- Configuring an egress firewall for a project
- Viewing an egress firewall for a project
- Editing an egress firewall for a project
- Removing an egress firewall from a project
- Considerations for the use of an egress router pod
- Deploying an egress router pod in redirect mode
- Deploying an egress router pod in HTTP proxy mode
- Deploying an egress router pod in DNS proxy mode
- Configuring an egress router pod destination list from a config map
- Enabling multicast for a project
- Disabling multicast for a project
- Configuring multitenant isolation
- Configuring kube-proxy
-
OVN-Kubernetes default CNI network provider
- About the OVN-Kubernetes network provider
- Migrate from the OpenShift SDN default CNI network provider
- Rollback to the OpenShift SDN default CNI network provider
- Configuring an egress firewall for a project
- Viewing an egress firewall for a project
- Editing an egress firewall for a project
- Removing an egress firewall from a project
- Configuring an egress IP address
- Assigning an egress IP address
- Enabling multicast for a project
- Disabling multicast for a project
- Configuring Routes
-
Configuring ingress cluster traffic
- Overview
- Configuring ExternalIPs for services
- Configuring ingress cluster traffic using an Ingress Controller
- Configuring ingress cluster traffic using a load balancer
- Configuring ingress cluster traffic on AWS using a Network Load Balancer
- Configuring ingress cluster traffic using a service external IP
- Configuring ingress cluster traffic using a NodePort
- Configuring the cluster-wide proxy
- Configuring a custom PKI
- Load balancing on OpenStack
- Associating secondary interfaces metrics to network attachments
-
Storage
- Understanding ephemeral storage
- Understanding persistent storage
-
Configuring persistent storage
- Persistent storage using Amazon EFS
- Persistent storage using AWS Elastic Block Store
- Persistent storage using Azure Disk
- Persistent storage using Azure File
- Persistent storage using Cinder
- Persistent storage using Fibre Channel
- Persistent storage using FlexVolume
- Persistent storage using GCE Persistent Disk
- Persistent storage using hostPath
- Persistent Storage using iSCSI
- Persistent storage using local volumes
- Persistent storage using NFS
- Persistent storage using Red Hat OpenShift Container Storage
- Persistent storage using VMware vSphere
- Using Container Storage Interface (CSI)
- Expanding persistent volumes
- Dynamic provisioning
- Registry
-
Operators
- Understanding Operators
- User tasks
- Administrator tasks
-
Developing Operators
- Getting started with the Operator SDK
- Creating Ansible-based Operators
- Creating Helm-based Operators
- Generating a ClusterServiceVersion (CSV)
- Working with bundle images
- Validating Operators using the scorecard
- Configuring built-in monitoring with Prometheus
- Configuring leader election
- Operator SDK CLI reference
- Appendices
- Red Hat Operators reference
-
Builds
- Understanding image builds
- Understanding build configurations
- Creating build inputs
- Managing build output
- Using build strategies
- Custom image builds with Buildah
- Performing basic builds
- Triggering and modifying builds
- Performing advanced builds
- Using Red Hat subscriptions in builds
- Securing builds by strategy
- Build configuration resources
- Troubleshooting builds
- Setting up additional trusted certificate authorities for builds
- Creating and using ConfigMaps
- Pipelines
-
Images
- Configuring the Cluster Samples Operator
- Using the Cluster Samples Operator with an alternate registry
- Understanding containers, images, and imagestreams
- Creating images
- Managing images
- Managing imagestreams
- Using imagestreams with Kubernetes resources
- Image configuration resources
- Using templates
- Using Ruby on Rails
- Using images
- Applications
- Machine management
-
Nodes
-
Working with pods
- About Pods
- Viewing Pods
- Configuring a cluster for Pods
- Automatically scaling pods with the Horizontal Pod Autoscaler
- Automatically adjust pod resource levels with the Vertical Pod Autoscaler
- Providing sensitive data to Pods
- Using Device Manager to make devices available to nodes
- Including pod priority in Pod scheduling decisions
- Placing pods on specific nodes using node selectors
-
Controlling pod placement onto nodes (scheduling)
- About pod placement using the scheduler
- Configuring the default scheduler to control pod placement
- Placing pods relative to other pods using pod affinity and anti-affinity rules
- Controlling pod placement on nodes using node affinity rules
- Placing pods onto overcommited nodes
- Controlling pod placement using node taints
- Placing pods on specific nodes using node selectors
- Controlling pod placement using pod topology spread constraints
- Evicting pods using the descheduler
- Using Jobs and DaemonSets
- Working with nodes
-
Working with containers
- Using containers
- Using Init Containers to perform tasks before a pod is deployed
- Using volumes to persist container data
- Mapping volumes using projected volumes
- Allowing containers to consume API objects
- Copying files to or from a container
- Executing remote commands in a container
- Using port forwarding to access applications in a container
- Using sysctls in containers
- Working with clusters
- Remote worker nodes on the network edge
-
Working with pods
-
Logging
- About cluster logging
- Installing cluster logging
-
Configuring your cluster logging deployment
- About the Cluster Logging Custom Resource
- Configuring the logging collector
- Configuring the log store
- Configuring the log visualizer
- Configuring cluster logging storage
- Configuring CPU and memory limits for cluster logging components
- Using tolerations to control cluster logging pod placement
- Moving the cluster logging resources with node selectors
- Configuring systemd-journald for cluster logging
- Configuring the log curator
- Maintenance and support
- Viewing cluster logs
- Forwarding logs to third party systems
- Collecting and storing Kubernetes events
- Updating cluster logging
- Viewing cluster dashboards
- Troubleshooting cluster logging
- Uninstalling cluster logging
- Exported fields
- Monitoring
- Metering
-
Scalability and performance
- Recommended installation practices
- Recommended host practices
- Recommended cluster scaling practices
- Using the Node Tuning Operator
- Using Cluster Loader
- Using CPU Manager
- Using Topology Manager
- Scaling the Cluster Monitoring Operator
- Planning your environment according to object maximums
- Optimizing storage
- Optimizing routing
- What huge pages do and how they are consumed by apps
- Performance Addon Operator for low latency nodes
- Backup and restore
-
Migration Toolkit for Containers
-
Migrating from OpenShift Container Platform 3
- About migrating from OpenShift Container Platform 3 to 4
- Planning your migration from OpenShift Container Platform 3 to 4
- Migration tools and prerequisites
- Deploying the Migration Toolkit for Containers
- Upgrading the Migration Toolkit for Containers
- Configuring a replication repository
- Migrating your applications
- Migrating your control plane settings
- Troubleshooting
- Migrating from OpenShift Container Platform 4.1
- Migrating from OpenShift Container Platform 4.2 and later
-
Migrating from OpenShift Container Platform 3
-
CLI tools
- OpenShift CLI (oc)
- Developer CLI (odo)
- Helm CLI
- Knative CLI (kn) for use with OpenShift Serverless
- Pipelines CLI (tkn)
- opm CLI
-
API reference
- API list
- Common object reference
-
Authorization APIs
- About Authorization APIs
- LocalResourceAccessReview [authorization.openshift.io/v1]
- LocalSubjectAccessReview [authorization.openshift.io/v1]
- ResourceAccessReview [authorization.openshift.io/v1]
- SelfSubjectRulesReview [authorization.openshift.io/v1]
- SubjectAccessReview [authorization.openshift.io/v1]
- SubjectRulesReview [authorization.openshift.io/v1]
- TokenReview [authentication.k8s.io/v1]
- LocalSubjectAccessReview [authorization.k8s.io/v1]
- SelfSubjectAccessReview [authorization.k8s.io/v1]
- SelfSubjectRulesReview [authorization.k8s.io/v1]
- SubjectAccessReview [authorization.k8s.io/v1]
- Autoscale APIs
-
Config APIs
- About Config APIs
- APIServer [config.openshift.io/v1]
- Authentication [config.openshift.io/v1]
- Build [config.openshift.io/v1]
- ClusterOperator [config.openshift.io/v1]
- ClusterVersion [config.openshift.io/v1]
- Console [config.openshift.io/v1]
- DNS [config.openshift.io/v1]
- FeatureGate [config.openshift.io/v1]
- Image [config.openshift.io/v1]
- Infrastructure [config.openshift.io/v1]
- Ingress [config.openshift.io/v1]
- Network [config.openshift.io/v1]
- OAuth [config.openshift.io/v1]
- OperatorHub [config.openshift.io/v1]
- Project [config.openshift.io/v1]
- Proxy [config.openshift.io/v1]
- Scheduler [config.openshift.io/v1]
- Console APIs
- Extension APIs
-
Image APIs
- About Image APIs
- Image [image.openshift.io/v1]
- ImageSignature [image.openshift.io/v1]
- ImageStreamImage [image.openshift.io/v1]
- ImageStreamImport [image.openshift.io/v1]
- ImageStreamMapping [image.openshift.io/v1]
- ImageStream [image.openshift.io/v1]
- ImageStreamTag [image.openshift.io/v1]
- ImageTag [image.openshift.io/v1]
-
Machine APIs
- About Machine APIs
- ContainerRuntimeConfig [machineconfiguration.openshift.io/v1]
- ControllerConfig [machineconfiguration.openshift.io/v1]
- KubeletConfig [machineconfiguration.openshift.io/v1]
- MachineConfigPool [machineconfiguration.openshift.io/v1]
- MachineConfig [machineconfiguration.openshift.io/v1]
- MachineHealthCheck [machine.openshift.io/v1beta1]
- Machine [machine.openshift.io/v1beta1]
- MachineSet [machine.openshift.io/v1beta1]
- Metadata APIs
- Monitoring APIs
-
Network APIs
- About Network APIs
- ClusterNetwork [network.openshift.io/v1]
- Endpoints [core/v1]
- EndpointSlice [discovery.k8s.io/v1beta1]
- EgressNetworkPolicy [network.openshift.io/v1]
- HostSubnet [network.openshift.io/v1]
- Ingress [networking.k8s.io/v1beta1]
- IngressClass [networking.k8s.io/v1beta1]
- NetNamespace [network.openshift.io/v1]
- NetworkAttachmentDefinition [k8s.cni.cncf.io/v1]
- NetworkPolicy [networking.k8s.io/v1]
- Route [route.openshift.io/v1]
- Service [core/v1]
- Node APIs
- OAuth APIs
-
Operator APIs
- About Operator APIs
- Authentication [operator.openshift.io/v1]
- Console [operator.openshift.io/v1]
- Config [operator.openshift.io/v1]
- Config [imageregistry.operator.openshift.io/v1]
- Config [samples.operator.openshift.io/v1]
- CSISnapshotController [operator.openshift.io/v1]
- DNS [operator.openshift.io/v1]
- DNSRecord [ingress.operator.openshift.io/v1]
- Etcd [operator.openshift.io/v1]
- ImageContentSourcePolicy [operator.openshift.io/v1alpha1]
- ImagePruner [imageregistry.operator.openshift.io/v1]
- IngressController [operator.openshift.io/v1]
- KubeAPIServer [operator.openshift.io/v1]
- KubeControllerManager [operator.openshift.io/v1]
- KubeScheduler [operator.openshift.io/v1]
- KubeStorageVersionMigrator [operator.openshift.io/v1]
- Network [operator.openshift.io/v1]
- OpenShiftAPIServer [operator.openshift.io/v1]
- OpenShiftControllerManager [operator.openshift.io/v1]
- ServiceCA [operator.openshift.io/v1]
-
OperatorHub APIs
- About OperatorHub APIs
- CatalogSource [operators.coreos.com/v1alpha1]
- ClusterServiceVersion [operators.coreos.com/v1alpha1]
- InstallPlan [operators.coreos.com/v1alpha1]
- OperatorGroup [operators.coreos.com/v1]
- OperatorSource [operators.coreos.com/v1]
- PackageManifest [packages.operators.coreos.com/v1]
- Subscription [operators.coreos.com/v1alpha1]
- Policy APIs
- Project APIs
- RBAC APIs
- Role APIs
- Schedule and quota APIs
-
Security APIs
- About Security APIs
- CertificateSigningRequest [certificates.k8s.io/v1beta1]
- CredentialsRequest [cloudcredential.openshift.io/v1]
- PodSecurityPolicyReview [security.openshift.io/v1]
- PodSecurityPolicySelfSubjectReview [security.openshift.io/v1]
- PodSecurityPolicySubjectReview [security.openshift.io/v1]
- RangeAllocation [security.openshift.io/v1]
- Secret [core/v1]
- SecurityContextConstraints [security.openshift.io/v1]
- ServiceAccount [core/v1]
-
Storage APIs
- About Storage APIs
- CSIDriver [storage.k8s.io/v1]
- CSINode [storage.k8s.io/v1]
- PersistentVolumeClaim [core/v1]
- StorageClass [storage.k8s.io/v1]
- VolumeAttachment [storage.k8s.io/v1]
- VolumeSnapshot [snapshot.storage.k8s.io/v1beta1]
- VolumeSnapshotClass [snapshot.storage.k8s.io/v1beta1]
- VolumeSnapshotContent [snapshot.storage.k8s.io/v1beta1]
- Template APIs
- User and group APIs
-
Workloads APIs
- About Workloads APIs
- BuildConfig [build.openshift.io/v1]
- Build [build.openshift.io/v1]
- CronJob [batch/v1beta1]
- DaemonSet [apps/v1]
- Deployment [apps/v1]
- DeploymentConfig [apps.openshift.io/v1]
- Job [batch/v1]
- Pod [core/v1]
- ReplicationController [core/v1]
- PersistentVolume [core/v1]
- ReplicaSet [apps/v1]
- StatefulSet [apps/v1]
-
Service Mesh
-
Service Mesh 2.x
- Service Mesh 2.x release notes
- Service Mesh architecture
- Service Mesh and Istio differences
- Preparing to install Service Mesh
- Installing Service Mesh
- Upgrading from 1.1 to 2.0
- Customizing the installation
- Deploying applications on Service Mesh
- Data visualization and observability
- Security
- Traffic management
- Custom resources
- Extensions
- Using the 3scale Istio adapter
-
Service Mesh 1.x
- Service Mesh 1.x release notes
- Service Mesh architecture
- Service Mesh and Istio differences
- Preparing to install Service Mesh
- Installing Service Mesh
- Customizing the installation
- Deploying applications on Service Mesh
- Data visualization and observability
- Security
- Traffic management
- Custom resources
- Using the 3scale Istio adapter
-
Service Mesh 2.x
- Jaeger
-
OpenShift Virtualization
- About OpenShift Virtualization
- OpenShift Virtualization release notes
-
OpenShift Virtualization installation
- Preparing your OpenShift cluster for OpenShift Virtualization
- Installing OpenShift Virtualization using the web console
- Installing OpenShift Virtualization using the CLI
- Installing the virtctl client
- Uninstalling OpenShift Virtualization using the web console
- Uninstalling OpenShift Virtualization using the CLI
- Upgrading OpenShift Virtualization
- Additional security privileges granted for kubevirt-controller and virt-launcher
- Using the CLI tools
-
Virtual machines
- Creating virtual machines
- Editing virtual machines
- Editing boot order
- Deleting virtual machines
- Managing virtual machine instances
- Controlling virtual machines states
- Accessing virtual machine consoles
- Triggering virtual machine failover by resolving a failed node
- Installing the QEMU guest agent on virtual machines
- Viewing the QEMU guest agent information for virtual machines
- Managing ConfigMaps, secrets, and service accounts in virtual machines
- Installing VirtIO driver on an existing Windows virtual machine
- Installing VirtIO driver on a new Windows virtual machine
- Advanced virtual machine management
- Importing virtual machines
- Cloning virtual machines
-
Virtual machine networking
- Using the default Pod network with OpenShift Virtualization
- Attaching a virtual machine to multiple networks
- Configuring an SR-IOV network device for virtual machines
- Defining an SR-IOV network
- Attaching a virtual machine to an SR-IOV network
- Viewing the IP address of NICs on a virtual machine
- Using a MAC address pool for virtual machines
-
Virtual machine disks
- Features for storage
- Configuring local storage for virtual machines
- Configuring CDI to work with namespaces that have a compute resource quota
- Uploading local disk images by using the web console
- Uploading local disk images by using the virtctl tool
- Uploading a local disk image to a block storage DataVolume
- Managing offline virtual machine snapshots
- Moving a local virtual machine disk to a different node
- Expanding virtual storage by adding blank disk images
- Cloning a DataVolume using smart-cloning
- Storage defaults for DataVolumes
- Creating and using default OS images
- Using container disks with virtual machines
- Preparing CDI scratch space
- Re-using statically provisioned persistent volumes
- Deleting DataVolumes
- Virtual machine templates
- Live migration
- Node maintenance
- Node networking
-
Logging, events, and monitoring
- Viewing logs
- Viewing events
- Diagnosing DataVolumes using events and conditions
- Viewing information about virtual machine workloads
- Monitoring virtual machine health
- Viewing cluster information
- OpenShift cluster monitoring, logging, and Telemetry
- Collecting OpenShift Virtualization data for Red Hat Support
-
Serverless applications
- Getting started
- Installing OpenShift Serverless
- Architecture
- Creating and managing serverless applications
- High availability on OpenShift Serverless
- Tracing requests
- Knative Serving
- Event workflows
- Event sources
- Using Apache Kafka with OpenShift Serverless
- Networking
- Using metering with OpenShift Serverless
- Integrations
- Release Notes
- Support
Migrating your applications
You must add your clusters and a replication repository to the MTC web console. Then, you can create and run a migration plan.
If your cluster or replication repository are secured with self-signed certificates, you can create a CA certificate bundle file or disable SSL verification.
Creating a CA certificate bundle file
If you use a self-signed certificate to secure a cluster or a replication repository, certificate verification might fail with the following error message: Certificate signed by unknown authority.
You can create a custom CA certificate bundle file and upload it in the MTC web console when you add a cluster or a replication repository.
Procedure
Download a CA certificate from a remote endpoint and save it as a CA bundle file:
| 1 | Specify the host FQDN and port of the endpoint, for example, api.my-cluster.example.com:6443. |
| 2 | Specify the name of the CA bundle file. |
Configuring a migration plan
Increasing Migration Controller limits for large migrations
You can increase the Migration Controller limits on migration objects and container resources for large migrations.
|
You must test these changes before you perform a migration in a production environment. |
Procedure
-
Edit the Migration Controller manifest:
$ oc edit migrationcontroller -n openshift-migration -
Update the following parameters:
... mig_controller_limits_cpu: "1" (1) mig_controller_limits_memory: "10Gi" (2) ... mig_controller_requests_cpu: "100m" (3) mig_controller_requests_memory: "350Mi" (4) ... mig_pv_limit: 100 (5) mig_pod_limit: 100 (6) mig_namespace_limit: 10 (7) ...1 Specifies the number of CPUs available to the Migration Controller. 2 Specifies the amount of memory available to the Migration Controller. 3 Specifies the number of CPU units available for Migration Controller requests. 100mrepresents 0.1 CPU units (100 * 1e-3).4 Specifies the amount of memory available for Migration Controller requests. 5 Specifies the number of PVs that can be migrated. 6 Specifies the number of pods that can be migrated. 7 Specifies the number of namespaces that can be migrated. -
Create a migration plan that uses the updated parameters to verify the changes.
If your migration plan exceeds the Migration Controller limits, the MTC console displays a warning message when you save the migration plan.
Excluding resources from a migration plan
You can exclude resources, for example, ImageStreams, persistent volumes (PVs), or subscriptions, from a migration plan in order to reduce the load or to migrate images or PVs with a different tool.
Procedure
-
Edit the Migration Controller CR:
$ oc edit migrationcontroller -n openshift-migration -
Update the
specsection by adding a parameter to exclude specific resources or by adding a resource to theexcluded_resourcesparameter if it does not have its own exclusion parameter:apiVersion: migration.openshift.io/v1alpha1 kind: MigrationController metadata: name: migration-controller namespace: openshift-migration spec: disable_image_migration: true (1) disable_pv_migration: true (2) ... excluded_resources: (3) - imagetags - templateinstances - clusterserviceversions - packagemanifests - subscriptions - servicebrokers - servicebindings - serviceclasses - serviceinstances - serviceplans1 Add disable_image_migration: trueto exclude imagestreams from the migration. Do not edit theexcluded_resourcesparameter.imagestreamsis added toexcluded_resourceswhen the Migration Controller Pod restarts.2 Add disable_pv_migration: trueto exclude PVs from the migration plan. Do not edit theexcluded_resourcesparameter.persistentvolumesandpersistentvolumeclaimsare added toexcluded_resourceswhen the Migration Controller Pod restarts. Disabling PV migration also disables PV discovery when you create the migration plan.3 You can add OpenShift Container Platform resources to the excluded_resourceslist. Do not delete any of the default excluded resources. These resources are known to be problematic for migration. -
Wait two minutes for the Migration Controller Pod to restart so that the changes are applied.
-
Verify that the resource is excluded:
$ oc get deployment -n openshift-migration migration-controller -o yaml | grep EXCLUDED_RESOURCES -A1The output contains the excluded resources, as shown in the following example:
- name: EXCLUDED_RESOURCES value: imagetags,templateinstances,clusterserviceversions,packagemanifests,subscriptions,servicebrokers,servicebindings,serviceclasses,serviceinstances,serviceplans,imagestreams,persistentvolumes,persistentvolumeclaims
Adding a cluster to the MTC web console
You can add a cluster to the MTC web console.
Prerequisites
If you are using Azure snapshots to copy data:
-
You must provide the Azure resource group name when you add the source cluster.
-
The source and target clusters must be in the same Azure resource group and in the same location.
Procedure
-
Log in to the cluster.
-
Obtain the service account token:
$ oc sa get-token migration-controller -n openshift-migrationExample outputeyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJtaWciLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlY3JldC5uYW1lIjoibWlnLXRva2VuLWs4dDJyIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6Im1pZyIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6ImE1YjFiYWMwLWMxYmYtMTFlOS05Y2NiLTAyOWRmODYwYjMwOCIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDptaWc6bWlnIn0.xqeeAINK7UXpdRqAtOj70qhBJPeMwmgLomV9iFxr5RoqUgKchZRG2J2rkqmPm6vr7K-cm7ibD1IBpdQJCcVDuoHYsFgV4mp9vgOfn9osSDp2TGikwNz4Az95e81xnjVUmzh-NjDsEpw71DH92iHV_xt2sTwtzftS49LpPW2LjrV0evtNBP_t_RfskdArt5VSv25eORl7zScqfe1CiMkcVbf2UqACQjo3LbkpfN26HAioO2oH0ECPiRzT0Xyh-KwFutJLS9Xgghyw-LD9kPKcE_xbbJ9Y4Rqajh7WdPYuB0Jd9DPVrslmzK-F6cgHHYoZEv0SvLQi-PO0rpDrcjOEQQ -
Log in to the MTC web console.
-
In the Clusters section, click Add cluster.
-
Fill in the following fields:
-
Cluster name: May contain lower-case letters (
a-z) and numbers (0-9). Must not contain spaces or international characters. -
Url: URL of the cluster’s API server, for example,
https://<master1.example.com>:8443. -
Service account token: String that you obtained from the source cluster.
-
Azure cluster: Optional. Select it if you are using Azure snapshots to copy your data.
-
Azure resource group: This field appears if Azure cluster is checked.
-
If you use a custom CA bundle, click Browse and browse to the CA bundle file.
-
-
Click Add cluster.
The cluster appears in the Clusters section of the MTC web console.
Adding a replication repository to the MTC web console
You can add an object storage bucket as a replication repository to the MTC web console.
Prerequisites
-
You must configure an object storage bucket for migrating the data.
Procedure
-
Log in to the MTC web console.
-
In the Replication repositories section, click Add repository.
-
Select a Storage provider type and fill in the following fields:
-
AWS for AWS S3, MCG, and generic S3 providers:
-
Replication repository name: Specify the replication repository name in the MTC web console.
-
S3 bucket name: Specify the name of the S3 bucket you created.
-
S3 bucket region: Specify the S3 bucket region. Required for AWS S3. Optional for other S3 providers.
-
S3 endpoint: Specify the URL of the S3 service, not the bucket, for example,
https://<s3-storage.apps.cluster.com>. Required for a generic S3 provider. You must use thehttps://prefix. -
S3 provider access key: Specify the
<AWS_SECRET_ACCESS_KEY>for AWS or the S3 provider access key for MCG. -
S3 provider secret access key: Specify the
<AWS_ACCESS_KEY_ID>for AWS or the S3 provider secret access key for MCG. -
Require SSL verification: Clear this check box if you are using a generic S3 provider.
-
If you use a custom CA bundle, click Browse and browse to the Base64-encoded CA bundle file.
-
-
GCP:
-
Replication repository name: Specify the replication repository name in the MTC web console.
-
GCP bucket name: Specify the name of the GCP bucket.
-
GCP credential JSON blob: Specify the string in the
credentials-velerofile.
-
-
Azure:
-
Replication repository name: Specify the replication repository name in the MTC web console.
-
Azure resource group: Specify the resource group of the Azure Blob storage.
-
Azure storage account name: Specify the Azure Blob storage account name.
-
Azure credentials - INI file contents: Specify the string in the
credentials-velerofile.
-
-
-
Click Add repository and wait for connection validation.
-
Click Close.
The new repository appears in the Replication repositories section.
Creating a migration plan in the MTC web console
You can create a migration plan in the MTC web console.
Prerequisites
-
The MTC web console must contain the following:
-
Source cluster
-
Target cluster
-
Replication repository
-
-
The source and target clusters must have network access to each other and to the replication repository.
-
If you use snapshots to copy data, the source and target clusters must run on the same cloud provider (AWS, GCP, or Azure) and be located in the same region.
Procedure
-
Log in to the MTC web console.
-
In the Plans section, click Add plan.
-
Enter the Plan name and click Next.
The Plan name can contain up to 253 lower-case alphanumeric characters (
a-z, 0-9). It must not contain spaces or underscores (_). -
Select a Source cluster.
-
Select a Target cluster.
-
Select a Replication repository.
-
Select the projects to be migrated and click Next.
-
Select Copy or Move for the PVs:
-
Copy copies the data in a source cluster’s PV to the replication repository and then restores it on a newly created PV, with similar characteristics, in the target cluster.
Optional: You can verify data copied with the file system method by selecting Verify copy. This option generates a checksum for each source file and checks it after restoration. The operation significantly reduces performance.
-
Move unmounts a remote volume (for example, NFS) from the source cluster, creates a PV resource on the target cluster pointing to the remote volume, and then mounts the remote volume on the target cluster. Applications running on the target cluster use the same remote volume that the source cluster was using. The remote volume must be accessible to the source and target clusters.
-
-
Click Next.
-
Select a Copy method for the PVs:
-
Snapshot backs up and restores the disk using the cloud provider’s snapshot functionality. It is significantly faster than Filesystem.
The storage and clusters must be in the same region and the storage class must be compatible.
-
Filesystem copies the data files from the source disk to a newly created target disk.
-
-
Select a Storage class for the PVs.
If you selected the Filesystem copy method, you can change the storage class during migration, for example, from Red Hat Gluster Storage or NFS storage to Red Hat Ceph Storage.
-
Click Next.
-
If you want to add a migration hook, click Add Hook and perform the following steps:
-
Specify the name of the hook.
-
Select Ansible playbook to use your own playbook or Custom container image for a hook written in another language.
-
Click Browse to upload the playbook.
-
Optional: If you are not using the default Ansible runtime image, specify your custom Ansible image.
-
Specify the cluster on which you want the hook to run.
-
Specify the service account name.
-
Specify the namespace.
-
Select the migration step at which you want the hook to run:
-
PreBackup: Before backup tasks are started on the source cluster
-
PostBackup: After backup tasks are complete on the source cluster
-
PreRestore: Before restore tasks are started on the target cluster
-
PostRestore: After restore tasks are complete on the target cluster
-
-
-
Click Add.
You can add up to four hooks to a migration plan, assigning each hook to a different migration step.
-
Click Finish.
-
Click Close.
The migration plan appears in the Plans section.
Running a migration plan in the MTC web console
You can stage or migrate applications and data with the migration plan you created in the MTC web console.
Prerequisites
The MTC web console must contain the following:
-
Source cluster
-
Target cluster
-
Replication repository
-
Valid migration plan
Procedure
-
Log in to the source cluster.
-
Delete old images:
$ oc adm prune images -
Log in to the MTC web console.
-
Select a migration plan.
-
Click Stage to copy data from the source cluster to the target cluster without stopping the application.
You can run Stage multiple times to reduce the actual migration time.
-
When you are ready to migrate the application workload, click Migrate.
Migrate stops the application workload on the source cluster and recreates its resources on the target cluster.
-
Optional: In the Migrate window, you can select Do not stop applications on the source cluster during migration.
-
Click Migrate.
-
Optional: To stop a migration in progress, click the Options menu
and select Cancel. -
When the migration is complete, verify that the application migrated successfully in the OpenShift Container Platform web console:
-
Click Home → Projects.
-
Click the migrated project to view its status.
-
In the Routes section, click Location to verify that the application is functioning, if applicable.
-
Click Workloads → Pods to verify that the pods are running in the migrated namespace.
-
Click Storage → Persistent volumes to verify that the migrated persistent volume is correctly provisioned.
-