Encrypt the VEN Migration File
enc-ven-migrate-conf
    % venmigrate enc-ven-migrate-conf --help
    Generates an encrypted version of the venmigrate yaml file.
    The default migration yaml file name is venmigrate.yaml stored in the current directory.
    The default encrypted version file name is venmigrate.enc.
    Use the --ven-migrate-config and --enc-ven-migrate-config flags respectively to set custom file names.
    You can also use ILLUMIO_VEN_MIGRATE_CONFIG and ILLUMIO_ENC_VEN_MIGRATE_CONFIG environment variables.
    The --update-pce and --no-prompt flags are ignored for this command.

    Usage:
      venmigrate enc-ven-migrate-conf [flags]

    Flags:
          --ven-migrate-config string         The ven migration configuration yaml file. The default is venmigrate.yaml
          --enc-ven-migrate-config string     The encrypted ven migration configuration file. The default is venmigrate.enc
      -h, --help                              The help for enc-ven-migrate-conf

    Global Flags (not relevant for all commands):
          --debug                             Enables debug-level logging for troubleshooting.
          --enc-ven-migrate-conf-file string  The path of the encrypted ven migration options file. It has precedence over the non-encrypted option yaml file. The default is venmigrate.enc
          --log-file string                   The path of the venmigrate log file. (default "venmigrate.log")
          --ven-migrate-conf-file string      The path of the ven migration non-encrypted options yaml file. The default is the venmigrate.yaml file.
          --verbose                           When debug is enabled, includes the raw API responses.
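The help text does not say what happens to the plaintext YAML after encryption. As an added example (not part of the Illumio documentation or tooling), the POSIX shell function below wraps the call using only the two flags listed above and removes the plaintext only once a non-empty encrypted file that differs from it exists; the function name protect_migration_config and the premise that the YAML holds PCE API credentials are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Illumio code. Assumes venmigrate is on PATH and that the
# migration YAML contains PCE API credentials (an assumption, see lead-in).
#
# Usage: protect_migration_config [PLAIN_YAML] [ENC_FILE]
# Returns 0 when ENC_FILE was produced and PLAIN_YAML was removed,
# 2 when PLAIN_YAML is missing, 1 on any other failure (plaintext is kept).
protect_migration_config() {
    plain=${1:-venmigrate.yaml}   # default names taken from the help text
    enc=${2:-venmigrate.enc}

    [ -f "$plain" ] || { echo "missing $plain" >&2; return 2; }

    # Close the exposure window on the plaintext before doing anything else.
    chmod 600 "$plain" || return 1

    # Make sure the output file is created owner-only.
    old_umask=$(umask)
    umask 077
    rc=0
    venmigrate enc-ven-migrate-conf \
        --ven-migrate-config "$plain" \
        --enc-ven-migrate-config "$enc" || rc=$?
    umask "$old_umask"

    # Keep the plaintext if the tool failed or produced nothing.
    if [ "$rc" -ne 0 ] || [ ! -s "$enc" ]; then
        echo "encryption failed; keeping $plain" >&2
        return 1
    fi

    # Sanity check: the output must not be a byte-for-byte copy of the input.
    if cmp -s "$plain" "$enc"; then
        echo "$enc is identical to $plain; keeping both for inspection" >&2
        return 1
    fi

    chmod 600 "$enc" || return 1
    # rm unlinks the file but does not overwrite its blocks on disk.
    rm -f "$plain"
}
```
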
Migrate a VEN
migrate
    ~/pcemigrate/bin/venmigrate migrate --help
    Handles the migration of a VEN from one PCE to another PCE either through unpairing/pairing deactivate/activate based on the migration type setting.
    Settings specified with this command override settings saved in the ven migration configuration file.

    If no workload meta data JSON file exists, there will be an attempt to retrieve the workload meta data from the source PCE if the workload is still paired and the parameters to access the source PCE are provided.
    If no meta data is found, the command default to the pairing profile default settings.

    If parameters to access the target PCE are provided and the workload has custom labels, the command will apply the custom labels to the managed workload after migrating the VEN.

    If parameters to access the source PCE are provided, the command will check that the associated migration unmanaged workload exists on the source PCE.
    If it does not, it will create it before migrating the VEN.
    If it cannot create it, the failure will be ignored unless --do-not-ignore-missing-umwl is specified.

    If parameters to access the target PCE are specified, after successfully migrating the VEN, the command will check if the associated migration unmanaged workload still exists.
    If it does, it will try to delete it as it is no longer useful.
    The command will not fail if it cannot delete the associated migration unmanaged workload.

    The ven migration configuration yaml file and the encrypted VEN migration configuration file can be specified by setting the following environment variables, respectively: ILLUMIO_VEN_MIGRATE_CONFIG, ILLUMIO_ENC_VEN_MIGRATE_CONFIG.

    Usage:
      venmigrate migrate [flags]

    Flags:
          --run-status                         Runs 'illumio-ven-ctl status' and exits.
          --do-not-ignore-missing-umwl string  If set to yes, the command will fail if the associated migration unmanaged workload does not exist and cannot be created before the VEN migration.
          --pce string                         The FQDN of the target PCE.
          --port int                           The front-end port of the target PCE.
          --org-id int                         The API owner organization ID
          --api-user string                    The API user.
          --api-key string                     The API key.
          --proxy string                       The proxy URL.
          --fe-mgmt-port int                   The front-end management port of the target PCE.
          --src-pce string                     The FQDN of the source PCE.
          --src-port int                       The front-end port of the source PCE.
          --src-org-id int                     The API owner organization ID of the source PCE.
          --src-api-user string                The API user for the source PCE.
          --src-api-key string                 The API key for the source PCE.
          --src-proxy string                   The proxy URL to reach the source PCE.
          --src-fe-mgmt-port int               The front-end management port of the source PCE.
          --pairing-profile-id int             The pairing profile id.
          --api-version string                 The API version.
          --hostname string                    The workload hostname
          --workload-meta-data-file string     The workload meta data data JSON file. Default: workload-meta-data.json. (default "workload-meta-data.json")
          --activation-code string             The activation code.
          --enforcement-mode string            The enforcement mode.
          --migration-type string              The type of VEN migration planned: pair or activate.
          --ven-dir string                     The path of the VEN directory. Default: /opt/illumio_ven (linux/mac), C:\Program Files\Illumio (Windows)
          --ven-data-dir string                The path of the VEN data directory. Default: /opt/illumio_ven_data (linux/mac), C:\ProgramData\Illumio (Windows)
          --do-not-apply-custom-labels         If set not attempt to apply custom labels will be performed.
          --no-label-assignment                Do not specify a label when pairing the VEN. They will be inherited from the profile.
          --no-enforcement-mode                Do not specify an enforcement mode when pairing the VEN. It will be inherited from the profile.
      -h, --help                               The help for migrate

    Global Flags (not relevant for all commands):
          --debug                              Enables debug level logging for troubleshooting.
          --enc-ven-migrate-conf-file string   The path of the encrypted ven migration options file. It has precedence over the non-encrypted option yaml file. Default venmigrate.enc
          --log-file string                    The path of the venmigrate log file. (default "venmigrate.log")
          --ven-migrate-conf-file string       The path of the ven migration non-encrypted options yaml file. Default: venmigrate.yaml file.
          --verbose                            When debug is enabled, includes the raw API responses.
Apply Custom Labels
apply-custom-label
    % venmigrate apply-custom-label --help
    Applies custom labels to a managed workload.

    Usage:
      venmigrate apply-custom-label [flags]

    Flags:
          --hostname string                   Workload hostname
          --workload-meta-data-file string    The workload meta data data JSON file. Default: workload-meta-data.json. (default "workload-meta-data.json")
          --pce string                        The FQDN of the target PCE.
          --org-id int                        The API owner organization ID.
          --fe-mgmt-port int                  The front-end management port of the target PCE.
          --proxy string                      The proxy URL.
          --api-user string                   The API user.
          --api-key string                    The API key.
      -h, --help                              The help for apply-custom-label

    Global Flags (not relevant for all commands):
          --debug                             Enable debug level logging for troubleshooting.
          --enc-ven-migrate-conf-file string  The path of the encrypted ven migration options file. It has precedence on non-encrypted option yaml file. Default venmigrate.enc
          --log-file string                   The path of the venmigrate log file. (default "venmigrate.log")
          --ven-migrate-conf-file string      The path of the ven migration non-encrypted options yaml file. Default: venmigrate.yaml file.
          --verbose                           When debug is enabled, includes the raw API responses.
Limitations of the venmigrate Script
Metadata for all of the managed workloads is saved in a single JSON file, which is used during the VEN migration. The file has to be loaded into a hash data structure, and the entry for the host that corresponds to the VEN has to be extracted from it. This may cause issues when there is a large number of managed workloads.