pcemigrate
The migrate command allows for the transfer of policy objects and workloads between PCEs, typically from an on-premise PCE to Illumio Cloud. It provides flexibility by tracking migration progress for easy resumption in the event of an interruption.
The migration process can be completed in one step by exporting policy objects to JSON files and then importing them into the target PCE.
Alternatively, a two-step process is available: first, export objects using the --only-export-objects option, then import them into the target PCE. This two-step method enables the sharing or testing of policy objects across different systems.
Users can choose which management objects to migrate, with no management objects migrating by default.
pcemigrate
% pcemigrate migrate --help
Handles policy initial migration from a source PCE to a target PCE.
Usage: pcemigrate migrate [flags]
Flags:
--from-pce string Source PCE.
--to-pce string Destination PCE.
--data-base-dir string Base working directory.
--forced-restart Restart from the beginning of a
previously failed migration.
--ignore-case Ignore case when matching name,
hostname or external data set
and external
data reference.
--max-create int The maximum number of
unmanaged workloads that
can be created.
-1 is unlimited. (default -1)
--provision-version string Policy version: draft, active.
(default -1)
--only-export-objects Only export all the objects to
be migrated.
--use-last-good-export Use the last good export if
available.
--only-import-objects Only import all the objects
to be migrated.
Export of objects is already
done.
--skip-export-users Skip export of local users.
They will not be migrated
--skip-export-rbac-settings Skip export of RBAC objects:
Access restrictions,
Auth sec principals, permissions
They will not be migrated.
--provision Provision changes.
--provision-comments string Provision comment.
--import-users Migrate local users.
--import-rbac-settings Import RBAC objects:
Access restrictions,
Auth sec principals, permissions.
--import-pairing-profiles Migrate pairing profiles.
--import-container-clusters Migrate cluster containers and
cluster workload
profiles.
--ignore-workload-update-failures Continue migration even if
creation/update of some
unmanaged workloads failed in
Bulk Api calls.
--concurrency-level string Concurrency level.
sequential: no concurrency,
moderate: ops on objects of
the same PCE
executed concurrently,
normal: main ops on different
objects across PCEs executed
concurrently;
advanced: additional
optimizations.
(default "normal")
--profiling-level int Profiling level.
1: overall execution,
2: down to specific type of
operations,
3: down to operation on object
types.
(default 1)
--cpu-profile-filename string Name of the file where to save
pprof CPU
profile date.
--mem-profile-filename string Name of the file where to save
pprof memory profile date.
-h, --help The help for migrate
Global Flags (not relevant for all commands):
--config-file string The path for the pcemigrate pce.yaml file.
--debug Enable debug level logging for
troubleshooting.
--log-file string The path for the pcemigrate log file.
(default "pcemigrate.log")
--migrate-op When migrate-op is set to true, the
Import operation
are interpreted as a copy of objects
from a different
PCE as part of a PCE migration
operation.
--no-prompt Remove the user prompt when used
with update-pce.
--pce string PCE to use in command if not
using default PCE.
--update-pce This command will update the PCE
after a single user prompt.
The default will just log potential
changes to workloads.
--verbose When verbose is enabled, includes
the raw API responses.
This makes pcemigrate.log increase
in size significantly.
Set On-prem PCE Parameters
Use these commands to set the parameters for the on-premises PCEs you will be migrating.
Add PCE Parameters
Use this command to add an entry with specific parameters to the configuration YAML file for pcemigrate.
pce-add
% ~/pcemigrate/bin/pcemigrate pce-add --help
Adds a PCE to the pce.yaml file.
The default file name is pce.yaml stored in the current directory.
Use the --config-file flag to set a custom file and use the --config-file
on all subsequent commands.
You can also use ILLUMIO_CONFIG environment variable.
The command can be automated (avoid prompt) by using flags or the following
environment variables:
PCE_NAME, PCE_FQDN, PCE_PORT, PCE_USER, PCE_PWD, PCE_DISABLE_TLS,
PCE_PROXY, PCE_API_KEY, PCE_API_USER.
The --update-pce and --no-prompt flags are ignored for this command.
Usage:
pcemigrate pce-add [flags]
Flags:
--name string Name of the PCE. Will be prompted
for if left blank.
--fqdn string FQDN of the PCE. Will be prompted
for if left blank.
--port int Port of the PCE. Will be prompted
for if not specified.
--email string Mail to log into the PCE.
Will be prompted for if left blank.
--pwd string Password to log into the PCE.
Will be prompted for if
left blank.
--disable-tls-verification Disable TLS verification to the PCE.
--login-server string Login server. Almost always blank
--api-user string API user to log into the PCE.
Will be prompted for
if left blank.
--api-key string API key to log into the PCE.
Will be prompted for
if left blank.
--proxy-server string Set the proxy server to be used to
access the PCE.
--org int Org id. Will be prompted if
not specified.
-s, --session Authentication will be a temporary
session token.
No API Key will be generated.
-p, --use-proxy Set a proxy. Can be changed later
with the clear-proxy
and set-proxy commands.
-a, --use-api-key Use pregenerated api credentials
from an api key or a
service account.
-n, --no-auth Do not authenticate to the PCE.
Subsequent commands will require
PCEMIGRATE_API_USER, PCEMIGRATE_API_KEY,
PCEMIGRATE_ORG environment
variables to be set.
-h, --help Help for pce-add
Global Flags (not relevant for all commands):
--config-file string Path for the pcemigrate
pce.yaml file.
--debug Enable debug level logging for
troubleshooting.
--log-file string Path for the pcemigrate log file.
(default "pcemigrate.log")
--migrate-op When migrate-op is set to true,
the Import operation is interpreted
as a copy of objects from a
different PCE as part of
a PCE migration operation.
--no-prompt Remove the user prompt when used
with update-pce.
--pce string The PCE to use in the command if
not using the default PCE.
--update-pce This command will update the PCE
after a single user prompt.
The default will just log potential
changes to workloads.
--verbose When verbose is enabled, includes
the raw API responses.
This makes pcemigrate.log increase
in size significantly.
The pcemigrate tool uses a YAML configuration file to access PCEs and execute operations. Initially, parameters of the PCE need to be added to this file, which include:
Friendly name for easy reference in pcemigrate commands, such as "mnctestvc26000" for the PCE FQDN "mnctestvc26000.testlabs.io."
PCE's FQDN, port, org ID, proxy server, session token, API key, etc.
An example includes adding PCE parameters to the configuration key, incorporating API keys for both the on-premises PCE (4x2testvc10000) and the Illumio SaaS (mnctestvc26000).
Upon correct parameter input, pcemigrate accesses the PCE and retrieves the software version. It is possible to specify secrets (password, API key) via prompt or environment variables. Run 'pcemigrate pce-add --help' for more information.
Remove a PCE
Remove specific PCE entry parameters from the YAML configuration file.
pce-remove
% ~/pcemigrate/bin/pcemigrate pce-remove --help
Removes the pce.yaml file and optionally removes all
pcemigrate generated API keys from PCE.
The --update-pce and --no-prompt flags are ignored
for this command.
Usage: pcemigrate pce-remove [name of pce] [flags]
Flags:
-x, --clear-keys Removes the PCE from the yaml
file and clears all
pcemigrate generated API credentials
from the PCE.
-h, --help Help for pce-remove
Global Flags (not relevant for all commands):
--config-file string The path for the pcemigrate
pce.yaml file.
--debug Enables debug-level logging for
troubleshooting.
--log-file string The path for the pcemigrate
log file.
(default "pcemigrate.log")
--migrate-op When migrate-op is set to true,
the Import operation
is interpreted as a copy of objects
from a different PCE
as part of a PCE migration operation.
--no-prompt Removes the user prompt when used
with update-pce.
--pce string The PCE to use in the command if
not using the default PCE.
--update-pce This command will update the PCE after
a single user prompt.
The default will just log potential
changes to workloads.
--verbose When verbose is enabled, includes the
raw API responses.
This makes pcemigrate.log increase
in size significantly.
pce.yaml
This is an example of the YAML file. There are two PCE entries with the 4x2testvc49 and mncdevtest6 names assigned to them, respectively.
cat pce.yaml
4x2testvc49:
  disabletlschecking: false
  fqdn: 4x2testvc49.ilabs.io
  key: 5669b123d8e5afdacc964d2bca2e691e94539cddb6a37a5b34efc8a283a76371
  org: 1
  pce_version: 24.3.0-8933
  port: 8443
  proxy: ""
  user: api_14fbdbf3dfd95d871
  userhref: ""
continue_on_error: false
debug: false
default_pce_name: 4x2testvc49
log_file: pcemigrate
logmax_entries_for_stdout: 100
migrate_op: true
mncdevtest6:
  disabletlschecking: false
  fqdn: mncdevtest6.ilabs.io
  key: c85c40126ad961011d141ee82c9b4f2d5033854bd607725523c0d9ae6a3c2d63
  org: 196612
  pce_version: 24.1.0-1994
  port: 8443
  proxy: ""
  user: api_119408df531ee915e
  userhref: ""
no_prompt: false
output_format: json
target_pce: ""
update_pce: false
verbose: false
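Because pce.yaml holds an API key and the TLS-verification setting for every PCE, the file is worth auditing before a migration. The following is an added example, not part of the original documentation or of pcemigrate itself. Its parser handles only the two-level layout shown above, and the sample entries, function names and the 0600 recommendation are assumptions of this example.

```python
import os
import stat

# Constructed sample in the pce.yaml layout shown above (placeholder values).
SAMPLE = """\
onprem-pce:
  disabletlschecking: true
  fqdn: onprem-pce.example.com
  key: 0000-placeholder-api-secret
  user: api_placeholder
default_pce_name: onprem-pce
saas-pce:
  disabletlschecking: false
  fqdn: saas-pce.example.com
  key: ""
verbose: true
"""

def parse_pce_yaml(text):
    """Parse only the layout shown above: top-level scalars plus one nested
    mapping per PCE. This is not a general YAML parser."""
    top, entries, current = {}, {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        key, _, value = raw.strip().partition(":")
        value = value.strip().strip('"')
        if raw[0].isspace():                 # indented: field of the current PCE
            if current is not None:
                entries[current][key] = value
        elif raw.rstrip().endswith(":"):     # bare "name:" opens a PCE entry
            current = key
            entries[current] = {}
        else:                                # top-level scalar setting
            current = None
            top[key] = value
    return top, entries

def audit(text, mode=None):
    """Return findings for a pce.yaml body and, optionally, its file mode."""
    top, entries = parse_pce_yaml(text)
    findings = []
    if mode is not None and mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("file: accessible beyond the owner; restrict to 0600")
    for name, fields in entries.items():
        if fields.get("disabletlschecking") == "true":
            findings.append(f"{name}: TLS verification disabled")
        if fields.get("key"):
            findings.append(f"{name}: API key stored in clear text")
    if top.get("verbose") == "true":
        findings.append("verbose: raw API responses are written to the log")
    return findings

def audit_file(path):
    with open(path, encoding="utf-8") as fh:
        return audit(fh.read(), stat.S_IMODE(os.stat(path).st_mode))

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE, 0o644)))
```

Call `audit_file("pce.yaml")` against the real file to include its permission bits in the check.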
List of PCEs
Displays the list of PCEs added to the YAML configuration file.
pce-list
List all PCEs in pce.yaml.
Usage:
pcemigrate pce-list [flags]
Flags:
-h, --help help for pce-list
Global Flags (not relevant for all commands):
--config-file string The path for the pcemigrate
pce.yaml file.
--debug Enables debug-level logging for
troubleshooting.
--log-file string The path for the pcemigrate
log file.
(default "pcemigrate.log")
--migrate-op When migrate-op is set, the
Import operation is interpreted as a
copy of objects from a different
PCE as part of a PCE migration operation.
(default true)
--no-prompt Removes the user prompt when used with
update-pce.
--pce string The PCE to use in the command if not
using the default PCE.
--update-pce This command will update the PCE after
a single user prompt.
The default will just log potential
changes to workloads.
--verbose When debug is enabled, includes the raw
API responses.
This makes pcemigrate.log increase in
size significantly.
Set a Proxy
set-proxy
Usage:
pcemigrate set-proxy [fqdn:port] [flags]
Flags:
-h, --help help for set-proxy
Global Flags (not relevant for all commands):
--config-file string The path for the pcemigrate
pce.yaml file.
--debug Enables debug-level logging for
troubleshooting.
--log-file string The path for the pcemigrate log file.
(default "pcemigrate.log")
--migrate-op When migrate-op is set, the Import
operation is
interpreted as a copy of objects
from a different
PCE as part of a PCE migration
operation. (default true)
--no-prompt Remove the user prompt when used
with update-pce.
--pce string The PCE to use in the command if
not using the default PCE.
--update-pce This command will update the PCE
after a single user prompt.
Default will just log potentially
changes to workloads.
--verbose When debug is enabled, includes
the raw API responses.
This makes pcemigrate.log increase
in size significantly.
Clear a Proxy
clear-proxy
pcemigrate clear-proxy --help
Clear pcemigrate specific proxy.
Usage:
pcemigrate clear-proxy [pce name] [flags]
Flags:
-h, --help help for clear-proxy
Global Flags (not relevant for all commands):
--config-file string path for pcemigrate pce.yaml file.
--debug Enable debug level logging for
troubleshooting.
--log-file string path for pcemigrate log file.
(default "pcemigrate.log")
--migrate-op When migrate-op is set to true,
Import operation are interpreted as
copy of objects from a different PCE as
part of a PCE migration operation.
--no-prompt Remove the user prompt when used with
update-pce.
--pce string PCE to use in command if not using
default PCE.
--update-pce Command will update the PCE after a
single user prompt.
Default will just log potential changes.
--verbose When verbose is enabled, include the
raw API responses. This makes
pcemigrate.log
increase in size significantly.
pcemigrate create-config-map
This command retrieves the Policy object from the target PCE and creates Policy map data as if the migration had been completed successfully between the source and target.
pcemigrate create-config-map --help
pcemigrate create-config-map --help
Note: Assume that hrefs of policy objects are the same
Usage:
pcemigrate create-config-map [flags]
Flags:
--from-pce string Source PCE.
--to-pce string Destination PCE.
--data-base-dir string Base working directory.
-h, --help help for create-config-map
Global Flags (not relevant for all commands):
--config-file string path for pcemigrate pce.yaml file.
--debug Enable debug level logging for
troubleshooting.
--log-file string path for pcemigrate log file.
(default "pcemigrate.log")
--migrate-op When migrate-op is set to true,
Import operation are interpreted
as copy of objects from a
different PCE as part of a
PCE migration operation.
--no-prompt Remove the user prompt when used
with update-pce.
--pce string PCE to use in command if not using
default PCE.
--update-pce Command will update the PCE after a
single user prompt. Default
will just log potentially
changes to workloads.
--verbose When verbose is enabled, include the
raw API responses.
This makes pcemigrate.log increase
in size significantly.
pcemigrate transplant-vens
pcemigrate transplant-vens-status --help
This command compares two PCEs and checks if VENs have been migrated successfully to the target PCE.
pcemigrate transplant-vens-status --help
Compares two PCEs and checks if VENs have been migrated
successfully to the target PCE.
Usage:
pcemigrate transplant-vens-status [flags]
Flags:
--csv_output_file_path string CSV output file location.
--from-pce string Source PCE.
-h, --help help for transplant-vens-status
--href_file string ven href file location.
--to-pce string Destination PCE.
Global Flags (not relevant for all commands):
--config-file string path for pcemigrate pce.yaml file.
--debug Enable debug level logging for
troubleshooting.
--log-file string path for pcemigrate log file.
(default "pcemigrate.log")
--migrate-op When migrate-op is set to true,
Import operation are
interpreted as copy of objects from a
different PCE as part of a
PCE migration operation.
--no-prompt Remove the user prompt when used
with update-pce.
--pce string PCE to use in command if not using
default PCE.
--update-pce Command will update the PCE after
a single user prompt.
Default will just log potentially
changes to workloads.
--verbose When verbose is enabled, include the
raw API responses.
This makes pcemigrate.log increase
in size significantly.
pcemigrate transplant-vens --help
Used for bulk transferring of VENs from one PCE to another PCE.
pcemigrate transplant-vens --help
Handles bulk transferring of VENs from one PCE to another.
Usage:
pcemigrate transplant-vens [flags]
Flags:
--from-pce string Source PCE.
--to-pce string Destination PCE.
--href_file string ven href file location.
--update_workload_object_map Flag to disable
update_workload_object_map.
-h, --help help for transplant-vens
Global Flags (not relevant for all commands):
--config-file string path for pcemigrate pce.yaml file.
--debug Enable debug level logging for
troubleshooting.
--log-file string path for pcemigrate log file.
(default "pcemigrate.log")
--migrate-op When migrate-op is set to true,
Import operation are interpreted as copy
of objects from a different PCE
as part of a PCE migration operation.
--no-prompt Remove the user prompt when used with
update-pce.
--pce string PCE to use in command if not using
default PCE.
--update-pce Command will update the PCE after a
single user prompt.
Default will just log potentially
changes to workloads.
--verbose When verbose is enabled, include the
raw API responses.
This makes pcemigrate.log increase
in size significantly.
pcemigrate sync
The sync command replicates policy object changes to the other PCE and manages workload changes from either PCE to the other. It can synchronize changes to the following policy objects:
sync
% pcemigrate sync --help
Handles syncing of policy objects changes made on the source PCE
(--from-pce) to the target PCE (--to-pce) and syncs changes to
managed workloads on either side to the other side.
Usage:
pcemigrate sync [flags]
Flags:
--from-pce string Source PCE to sync from.
--to-pce string Destination PCE to sync to.
--forced-restart Restart from the beginning of the
previously failed sync.
--provision Provision changes.
--provision-comments string Provision comments.
--data-base-dir string Base working directory.
--ignore-case Ignore case when matching name,
hostname, or external data set and
external data reference.
--max-create int The maximum number of unmanaged
workloads that can be created.
-1 is unlimited. (default -1)
--skip-workload-sync Skip syncing the workload change.
--ignore-workload-update-failures Continue the sync operation even if
creation/update of some unmanaged
workloads failed in Bulk Api calls.
--concurrency-level string Concurrency level.
Sequential: No concurrency;
Moderate: Main ops on different
objects of the same PCE;
Normal: Main ops on different
objects across PCEs;
Advanced: More ops. (default "normal")
--profiling-level int Profiling level. 1: Overall execution,
2: Down to specific type of operations,
3: Down to operation on object types.
(default 1)
--cpu-profile-filename string The name of the file where to save
the pprof CPU profile date.
--mem-profile-filename string The name of the file where to save
the pprof memory profile date.
--stop-at-step string This command will end after the step
specified:
none|export-src|
analyze-src|delete-tgt|
update-tgt|analyze-tgt|
delete-src|update-src
(default "none")
-h, --help The help for sync
Global Flags (not relevant for all commands):
--config-file string The path for the pcemigrate
pce.yaml file.
--debug Enables debug-level logging for
troubleshooting.
--log-file string The path for the pcemigrate log file.
(default "pcemigrate.log")
--migrate-op When migrate-op is set to true,
the Import operation
is interpreted as a copy of objects
from a different
PCE as part of a PCE migration
operation.
--no-prompt Removes the user prompt when
used with update-pce.
--pce string The PCE to use in the command if
not using the default PCE.
--update-pce This command will update the PCE
after a single user prompt.
The default will just log potential
changes to workloads.
--verbose When verbose is enabled, includes the
raw API responses.
This makes pcemigrate.log increase
in size significantly.
delete
This command deletes policy objects.
% pcemigrate delete --help
Delete any object with an HREF (such as unmanaged workloads,
labels, services, IPLists, and so forth) specified in the
JSON file from the PCE.
For each object specified in the JSON file, only the href
field is taken into account.
If no href field is present, the object is ignored.
Usage:
pcemigrate delete <JSON file of objects to delete hrefs> [flags]
Flags:
-h, --help The help for delete
--ignore-not-found Ignores failures to delete objects
not found or already deleted.
--provision Provision provisionable objects after
deleting them.
--provision-comment string Optionally specify the provision comment.
--unmanaged-only Only delete a workload if it is unmanaged.
Global Flags (not relevant for all commands):
--config-file string The path for the pcemigrate pce.yaml file.
--debug Enables debug-level logging for
troubleshooting.
--log-file string The path for the pcemigrate log file.
(default "pcemigrate.log")
--migrate-op When migrate-op is set to true, the
Import operation is interpreted as a copy
of objects from a different PCE
as part of a PCE migration operation.
--no-prompt Removes the user prompt when used
with update-pce.
--pce string The PCE to use in the command if not
using the default PCE.
--update-pce This command will update the PCE after
a single user prompt.
The default will just log potential
changes to workloads.
--verbose When verbose is enabled, includes the
raw API responses.
This makes pcemigrate.log increase
in size significantly.
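Since delete acts on the href of every object in the file and ignores objects that have none, a pre-flight summary of the input shows what a run would touch before anything is removed. This is an added example, not part of pcemigrate or the original documentation. It assumes the file is a JSON array of objects and that hrefs end in /<object type>/<id>; the sample data and function name are constructed.

```python
import json
from collections import Counter

# Constructed sample. Assumptions: the file is a JSON array of objects, and
# hrefs end in "/<object type>/<id>".
SAMPLE = """[
  {"href": "/orgs/1/workloads/aaaa-1111", "hostname": "db01"},
  {"href": "/orgs/1/labels/42", "value": "prod"},
  {"name": "object-without-href"},
  {"href": "/orgs/1/sec_policy/draft/ip_lists/7", "name": "corp-nets"},
  {"href": "/orgs/1/labels/42", "value": "prod"}
]"""


def preflight(text):
    """Summarise what a delete run would act on: hrefs, ignored, duplicates."""
    objects = json.loads(text)
    if not isinstance(objects, list):
        raise ValueError("expected a JSON array of objects")
    plan = {"hrefs": [], "ignored": [], "duplicates": [], "by_type": Counter()}
    for index, obj in enumerate(objects):
        href = obj.get("href") if isinstance(obj, dict) else None
        if not isinstance(href, str) or not href.strip():
            plan["ignored"].append(index)      # no href: the object is ignored
        elif href in plan["hrefs"]:
            plan["duplicates"].append(href)    # same href listed more than once
        else:
            plan["hrefs"].append(href)
            parts = href.strip("/").split("/")
            # Second-to-last path segment is taken as the object type.
            plan["by_type"][parts[-2] if len(parts) > 1 else "unknown"] += 1
    return plan


if __name__ == "__main__":
    plan = preflight(SAMPLE)
    print(f"{len(plan['hrefs'])} hrefs to delete: {dict(plan['by_type'])}")
    print(f"ignored (no href) at indexes: {plan['ignored']}")
    print(f"duplicate hrefs: {plan['duplicates']}")
```

A workloads count in the summary is the cue to consider --unmanaged-only, and an unexpected object type is a reason to stop and inspect the file.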