Add script for migrating from other CNI to Antrea #5677
Conversation
hjiajing
force-pushed
the
antrea-migration
branch
4 times, most recently
from
294746a
to
18d73e3
Compare
luolanzone
added
the
action/release-note
hjiajing
force-pushed
the
antrea-migration
branch
from
18d73e3
to
97cb804
Compare
|
Please update the title and comment: s/scrtip/script/ |
hjiajing
force-pushed
the
antrea-migration
branch
from
97cb804
to
3f8c169
Compare
Sure. I will add more descriptions for the |
hjiajing
changed the title
hjiajing
force-pushed
the
antrea-migration
branch
9 times, most recently
from
fbc3a98
to
6356dbe
Compare
hjiajing
changed the title
hjiajing
force-pushed
the
antrea-migration
branch
2 times, most recently
from
ccd7f28
to
b288390
Compare
|
|
||
| if len(rule) != 0 { | ||
| antreaRules = append(antreaRules, | ||
| v1beta1.Rule{Action: migrate.ToPtr(v1beta1.RuleActionReject)}) |
There was a problem hiding this comment.
I don't get this, why Reject rule is added?
There was a problem hiding this comment.
In Calico NP, if one NP is applied to some Pods, then these Pods' ingress and egress traffic will be rejected except Allow fields in that NP, so I added a default Reject rule.
| @@ -1,4 +1,4 @@ | |||
| // Copyright 2021 Antrea Authors | |||
| // Copyright 2023 Antrea Authors | |||
There was a problem hiding this comment.
I reformated this file accidentally, resulting in the import files being sorted. Then make code-gen command will edit this file every time even if I undo my format operation. Maybe I could edit the year manually.
There was a problem hiding this comment.
Not sure what's kind of reformat are you referring to, but I feel it's better to avoid this change if there is no code change on the CRD.
hjiajing
force-pushed
the
antrea-migration
branch
4 times, most recently
from
904508a
to
370b89c
Compare
hjiajing
force-pushed
the
antrea-migration
branch
from
21343f2
to
706c955
Compare
docs/migrate-to-antrea.md
Outdated
|
|
||
| The migration process is divided into three steps: | ||
|
|
||
| 1. Clean up old CNI. |
There was a problem hiding this comment.
You probably missed this one.
There was a problem hiding this comment.
Sorry, thanks for the reminder. Addressed.
hjiajing
force-pushed
the
antrea-migration
branch
2 times, most recently
from
7d5bc4e
to
266531a
Compare
build/yamls/antrea-migrator.yml
Outdated
| - apiGroups: | ||
| - "" | ||
| resources: | ||
| - pods | ||
| verbs: | ||
| - create | ||
| - apiGroups: | ||
| - "" | ||
| resources: | ||
| - pods/exec | ||
| verbs: | ||
| - create | ||
| - apiGroups: | ||
| - "apps/v1" | ||
| resources: | ||
| - daemonsets | ||
| verbs: | ||
| - create |
There was a problem hiding this comment.
why does it require these permissions?
There was a problem hiding this comment.
Removed these rules.
docs/migrate-to-antrea.md
Outdated
| After Antrea is installed in the cluster, the next step is to restart all | ||
| Pods in the cluster in-place by the following command. This step will create | ||
| a DaemonSet in the cluster, which will restart all Pods in the cluster in-place. |
There was a problem hiding this comment.
After Antrea is up and running, you can now deploy Antrea migrator by the following command. The migrator runs as a DaemonSet, antrea-migrator, in the cluster, which will restart all non hostNetwork Pods in the cluster in-place and perform necessary network resource cleanup.
docs/migrate-to-antrea.md
Outdated
| network management and IPAM from the old CNI. In order to avoid the Pods | ||
| being rescheduled, we restart all Pods in-place by deploying a DaemonSet | ||
| named `antrea-migrator`, which will run a Pod on each Node. The | ||
| `antrea-migrator` Pod will stop all containerd tasks of Pods with CNI network on | ||
| each Node, and the containerd tasks will be restarted by the containerd | ||
| service. In this way, all Pods in the cluster will not be rescheduled but will | ||
| be restarted in-place. |
There was a problem hiding this comment.
| network management and IPAM from the old CNI. In order to avoid the Pods | |
| being rescheduled, we restart all Pods in-place by deploying a DaemonSet | |
| named `antrea-migrator`, which will run a Pod on each Node. The | |
| `antrea-migrator` Pod will stop all containerd tasks of Pods with CNI network on | |
| each Node, and the containerd tasks will be restarted by the containerd | |
| service. In this way, all Pods in the cluster will not be rescheduled but will | |
| be restarted in-place. | |
| network management and IPAM from the old CNI. In order to avoid the Pods | |
| being rescheduled and minimize service downtime, the migrator restarts | |
| all non-hostNetwork Pods in-place by restarting their sandbox container. | |
| Therefore, it's expected to see these Pods' `RESTARTS` being increased | |
| by 1 like below: |
hack/release/prepare-assets.sh
Outdated
| @@ -107,6 +107,8 @@ export IMG_TAG=$VERSION | |||
| export IMG_NAME=projects.registry.vmware.com/antrea/antrea-ubuntu | |||
| ./hack/generate-standard-manifests.sh --mode release --out "$OUTPUT_DIR" | |||
|
|
|||
| sed "s|antrea\/antrea-migrator:latest|$(echo $IMG_NAME | sed "s/ubuntu/migrator/"):$VERSION|g" ./build/yamls/antrea-migrator.yml > "$OUTPUT_DIR"/antrea-migrator.yml | |||
There was a problem hiding this comment.
Removed this line since we do not need to add it to release asserts.
docs/migrate-to-antrea.md
Outdated
| a DaemonSet in the cluster, which will restart all Pods in the cluster in-place. | ||
|
|
||
| ```bash | ||
| $ kubectl apply -f https://github.com/antrea-io/antrea/releases/download/v1.15.0/antrea-migrator.yml |
There was a problem hiding this comment.
| $ kubectl apply -f https://github.com/antrea-io/antrea/releases/download/v1.15.0/antrea-migrator.yml | |
| $ kubectl apply -f https://github.com/antrea-io/antrea/main/build/yamls/antrea-migrator.yml |
Like antrea-aks-node-init.yml, the resource is version-generic and case-specific, I think we don't need to add it to release assets.
There was a problem hiding this comment.
Changed to main/build/yamls
| @@ -0,0 +1,33 @@ | |||
| # Copyright 2023 Antrea Authors | |||
docs/migrate-to-antrea.md
Outdated
|
|
||
| After Antrea is installed in the cluster, the next step is to restart all | ||
| Pods in the cluster in-place by the following command. This step will create | ||
| a DaemonSet in the cluster, which will restart all Pods in the cluster in-place. |
There was a problem hiding this comment.
Maybe highlight antrea-migrator is supported since v1.15.0.
There was a problem hiding this comment.
Done. A description of the version is added in front of this doc.
hack/release/prepare-assets.sh
Outdated
| @@ -107,6 +107,8 @@ export IMG_TAG=$VERSION | |||
| export IMG_NAME=projects.registry.vmware.com/antrea/antrea-ubuntu | |||
| ./hack/generate-standard-manifests.sh --mode release --out "$OUTPUT_DIR" | |||
|
|
|||
| sed "s|antrea\/antrea-migrator:latest|$(echo $IMG_NAME | sed "s/ubuntu/migrator/"):$VERSION|g" ./build/yamls/antrea-migrator.yml > "$OUTPUT_DIR"/antrea-migrator.yml | |||
There was a problem hiding this comment.
Could you use "projects.registry.vmware.com/antrea/antrea-migrator:$VERSION" directly to replace antrea-migrator:latest? There is an on-going change #5794 to split agent and controller images. Maybe better to have your own image string in case there is conflict.
There was a problem hiding this comment.
Removed this line since we do not need to add it to release asserts.
hjiajing
force-pushed
the
antrea-migration
branch
from
266531a
to
0fcc98b
Compare
hjiajing
force-pushed
the
antrea-migration
branch
from
0fcc98b
to
0561773
Compare
docs/migrate-to-antrea.md
Outdated
| migrate-example-6d6b97f96b-jpflg 1/1 Running 1 (23s ago) 2m5s 10.10.1.5 test-worker <none> <none> | ||
| ``` | ||
|
|
||
| When we meet the condition that all Pods of antrea-migrator are in `Running` |
There was a problem hiding this comment.
antrea-migrator -> antrea-migrator
Please change all occasions.
There was a problem hiding this comment.
Fixed, as well as the the other occasions.
docs/migrate-to-antrea.md
Outdated
| The reason for restarting all Pods is that Antrea needs to take over the | ||
| network management and IPAM from the old CNI. In order to avoid the Pods | ||
| being rescheduled and minimize service downtime, the migrator restarts | ||
| all non-hostNetwork Pods in-place by restarting their sandbox container. |
docs/migrate-to-antrea.md
Outdated
| migrate-example-6d6b97f96b-jpflg 1/1 Running 1 (23s ago) 2m5s 10.10.1.5 test-worker <none> <none> | ||
| ``` | ||
|
|
||
| When we meet the condition that all Pods of antrea-migrator are in `Running` |
There was a problem hiding this comment.
"When the antrea-migrator Pods on all Nodes are"?
docs/migrate-to-antrea.md
Outdated
|
|
||
| When we meet the condition that all Pods of antrea-migrator are in `Running` | ||
| state, the migration process is completed. You can then remove the antrea-migrator | ||
| DaemonSet safely by the following command: |
hjiajing
force-pushed
the
antrea-migration
branch
2 times, most recently
from
9c8fd50
to
19c95cd
Compare
hjiajing
force-pushed
the
antrea-migration
branch
from
19c95cd
to
f5bcc9c
Compare
hjiajing
force-pushed
the
antrea-migration
branch
from
f5bcc9c
to
4f106a5
Compare
|
@jianjuns @antoninbas let me know if you will take another look, thanks. |
|
I have no extra comment. |
build/yamls/antrea-migrator.yml
Outdated
| command: | ||
| - "sleep" | ||
| - "infinity" |
There was a problem hiding this comment.
nit: it's nicer to default to the pause command in your container image
the pause command handles signals well, unlike sleep. Deleting Pods where a container uses sleep infinity can take 30s (default grace period IIRC).
see https://github.com/antrea-io/image-utils/blob/25f87067c80ab22c0b8574e1bb13cd859f669707/images/toolbox/Dockerfile#L60-L62
There was a problem hiding this comment.
/pause is added to the image and the command of the YAML file is removed.
docs/migrate-to-antrea.md
Outdated
| NOTE: The following is a reference list of CNIs and versions we have already | ||
| verified the migration process. CNIs and versions that are not listed here |
There was a problem hiding this comment.
The following is a reference list of CNIs and versions for which we have verified the migration process.
docs/migrate-to-antrea.md
Outdated
| network management and IPAM from the old CNI. In order to avoid the Pods | ||
| being rescheduled and minimize service downtime, the migrator restarts | ||
| all non-hostNetwork Pods in-place by restarting their sandbox containers. | ||
| Therefore, it's expected to see these Pods' `RESTARTS` being increased |
There was a problem hiding this comment.
it's expected to see the RESTARTS count for these Pods being increased
Add a YAML file antrea-migrator.yml to migrate clusters with other CNIs to Antrea. It will restart all Pods in-place. A new image "antrea-migrator" is responsible for restarting all Pods on each Nodes. It is a DaemonSet that tries to kill sandboxes to restart the Pods in-place. Signed-off-by: hjiajing <hjiajing@vmware.com>
hjiajing
force-pushed
the
antrea-migration
branch
from
4f106a5
to
36689d9
Compare
|
/skip-all |
A new image "antrea-migrator" is responsible for restarting all Pods on each Nodes. It is a DaemonSet that tries to kill sandboxes to restart the Pods in-place. In this way, the cluster could be migrated from old CNIs to Antrea.