VEN Migration Script - edward2705/pcemigrate GitHub Wiki

Overview

The VEN migration tool was written to simplify the VEN migration process. The script is written in PowerShell for Windows and bash for Linux deployments.

It requires the workloads.csv file generated by the pcemigrate.sh script, which it uses as the label metadata reference.

Syntax

Linux Platform

Usage: ./ven-migrate.sh --use_configfile --pce pce [ --port port ] --activation_code activation_code --proxy-server IP_ADDRESS:PORT --migrate_type [ activate | pair] [ --api_version
API_VERSION ] [ --profile_id profile_id ] [ --vendir VEN directory ]
Where:
  --use_configfile
    Use ven-migrate.conf configuration file
  --pce pce
  --port port, default: 443 [optional]
  --activation_code activation code
  --proxy-server ip_address:port
  --migrate_type activate | pair
    activate = deactivate and activate the ven
    pair = unpair and pair the ven
  --api_version API_VERSION, default: v25
  --profile_id profile_id
  --vendir VEN directory, default: /opt/illumio_ven

Windows Platform

Usage: ven-migrate.ps1 -use_configfile -pce PCE [-port PORT] -activation_code ACTIVATION_CODE -proxy-server IP_ADDRESS:PORT -migrate_type [activate|pair] [ -api_version
  API_VERSION ] [ -profile_id PROFILE_ID ] [ -vendir VEN_DIRECTORY ]
Where:
  -use_configfile
   use ven-migrate.conf configuration file
  -pce PCE
  -port PCE Port, default: 443 [optional]
  -activation_code ACTIVATION_CODE
  -proxy-server ip_address:port
  -migrate_type [pair | activate]
  -api_version API_VERSION, default: v25 [required for migrate_type=pair ]
  -profile_id PROFILE_ID [required for migrate_type=pair ]
  -vendir VEN Directory, default: c:\Program Files\Illumio [optional]

There are two migration types:
  • pair - unpair and pair the VEN
  • activate - deactivate and activate the VEN

The script can either read its parameters from the configuration file or take them on the command line.

Using configuration file

The script requires ven-migrate.conf with the following parameters:

pce=pce_fqdn
port=pce_port
activation_code=ven_activation_code
api_version=api_version
profile_id=ven_profile_id
migrate_type=pair_or_activate
proxy_server=ip_address:port <<<< only add this parameter if a proxy server is needed

ven-migrate.conf example:
pce=us-scp14.illum.io
port=443
activation_code=1f01a58771d27fa70f5abc233453e8b3f5baffd1d5246fc0d1f2c4de83fe1b729638057fa5d11e94c
api_version=v25
profile_id=223423657
migrate_type=pair
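
An added example, not part of the pcemigrate scripts: a pre-flight check for ven-migrate.conf that rejects a file readable by group or others (it stores the activation code), verifies the keys each migrate_type needs, and masks the activation code before it is logged. Treating api_version and profile_id as required for pair follows the Windows usage text above; the function names, the placeholder values and the "mode 600 or stricter" rule are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example: pre-flight checks for ven-migrate.conf (not pcemigrate code).
# Function names and the "mode 600 or stricter" rule are assumptions.

# Print the value of KEY from a key=value file (last occurrence wins).
conf_get() { sed -n "s/^$1=//p" "$2" | tail -n 1; }

# Keep only the first 4 characters of a secret so it can be logged.
mask_secret() {
  if [ "${#1}" -le 4 ]; then echo '****'
  else printf '%.4s****(%d chars)\n' "$1" "${#1}"; fi
}

# Return 0 if the file is safe and complete, 1 otherwise (reasons on stderr).
validate_conf() {
  local f="$1" rc=0 key mode
  [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
  # The file stores the activation code: reject group/world access bits.
  mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
  case "$mode" in
    *00) ;;
    *) echo "$f has mode $mode, expected 600 or stricter" >&2; rc=1 ;;
  esac
  for key in pce activation_code migrate_type; do
    [ -n "$(conf_get "$key" "$f")" ] || { echo "missing $key" >&2; rc=1; }
  done
  case "$(conf_get migrate_type "$f")" in
    pair)  # pair also needs the API version and pairing profile
      for key in api_version profile_id; do
        [ -n "$(conf_get "$key" "$f")" ] ||
          { echo "migrate_type=pair requires $key" >&2; rc=1; }
      done ;;
    activate) ;;
    *) echo "migrate_type must be pair or activate" >&2; rc=1 ;;
  esac
  return "$rc"
}

# Demo on a constructed config; the values are placeholders.
demo=$(mktemp) && chmod 600 "$demo"
printf '%s\n' 'pce=pce.example.internal' 'port=8443' 'migrate_type=pair' \
  'activation_code=EXAMPLE0000PLACEHOLDER' 'api_version=v25' \
  'profile_id=2' > "$demo"
if validate_conf "$demo"; then
  echo "activation_code: $(mask_secret "$(conf_get activation_code "$demo")")"
fi
rm -f "$demo"
```

The sample runs below print the activation code in full, so the same masking applies to any saved copy of the script's output.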

Command Example

# ./ven-migrate.sh  --use_configfile
2023-12-08 13:53:01 ./ven-migrate.conf file found!
2023-12-08 13:53:01 pce: snc1.internal.local, port: 8443, activation_code: 1f01a58771d27fa70f5abc233453e8b3f5baffd1d5246fc0d1f2c4de83fe1b729638057fa5d11e94c
2023-12-08 13:53:01 migrate_type: pair, api_version: v25, profile_id: 2
2023-12-08 13:53:01 executing ven unpair command
2023-12-08 13:53:01 /opt/illumio_ven/illumio-ven-ctl unpair open
Stopping venAgentMonitor:    ...done.
...
2023-12-08T13:53:25-05:00 Removed binary distribution tree from /opt
2023-12-08T13:53:26-0500 Uninstall successful

VEN has been SUCCESSFULLY unpaired with Illumio

2023-12-08 13:53:26 executing ven pairing command
2023-12-08 13:53:26 rm -fr /opt/illumio_ven_data/tmp && umask 026 && mkdir -p /opt/illumio_ven_data/tmp && curl --tlsv1 "https://snc1.internal.local:8443/api/v25/software/ven/image?pair_script=pair.sh&profile_id=2" -o /opt/illumio_ven_data/tmp/pair.sh && chmod +x /opt/illumio_ven_data/tmp/pair.sh && /opt/illumio_ven_data/tmp/pair.sh --management-server snc1.internal.local:8443 --activation-code 1f01a58771d27fa70f5abc233453e8b3f5baffd1d5246fc0d1f2c4de83fe1b729638057fa5d11e94c --enforcement_mode "visibility_only" --role "r.web" --app "a.app1" --env "e.prod" --loc "l.ny"
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 37268    0 37268    0     0   189k      0 --:--:-- --:--:-- --:--:--  189k

             Installing Illumio
             ------------------
Retrieving Illumio Packages [x86_64][CentOS][7.9] ..........
Validating sha256 .................
Installing Illumio Packages ..........
EXPECTED_VERSION: 22.5.30-9870.c7
INSTALLED_VERSION: 22.5.30-9870.c7
....
Pairing with Illumio .................

               Pairing Status
               --------------
Pairing Configuration exists ......SUCCESS
VEN Manager Daemon running ........SUCCESS
Master Configuration retrieval ....SUCCESS
VEN Configuration retrieval .......SUCCESS

VEN has been SUCCESSFULLY paired with Illumio

Using CLI parameters

Using migration option: migrate_type = pair

# ./ven-migrate.sh --pce snc1.internal.local --port 8443 --activation_code 1f01a58771d27fa70f5abc233453e8b3f5baffd1d5246fc0d1f2c4de83fe1b729638057fa5d11e94c --profile_id 2 --api_version v25 --migrate_type pair
2023-12-08 14:04:56 pce: snc1.internal.local, port: 8443, activation_code: 1f01a58771d27fa70f5abc233453e8b3f5baffd1d5246fc0d1f2c4de83fe1b729638057fa5d11e94c
2023-12-08 14:04:56 migrate_type: pair, api_version: v25, profile_id: 2
2023-12-08 14:04:56 executing ven unpair command
2023-12-08 14:04:56 /opt/illumio_ven/illumio-ven-ctl unpair open
.....
VEN has been SUCCESSFULLY unpaired with Illumio

2023-12-08 14:05:21 executing ven pairing command
2023-12-08 14:05:21 rm -fr /opt/illumio_ven_data/tmp && umask 026 && mkdir -p /opt/illumio_ven_data/tmp && curl --tlsv1 "https://snc1.internal.local:8443/api/v25/software/ven/image?pair_script=pair.sh&profile_id=2" -o /opt/illumio_ven_data/tmp/pair.sh && chmod +x /opt/illumio_ven_data/tmp/pair.sh && /opt/illumio_ven_data/tmp/pair.sh --management-server snc1.internal.local:8443 --activation-code 1f01a58771d27fa70f5abc233453e8b3f5baffd1d5246fc0d1f2c4de83fe1b729638057fa5d11e94c --enforcement_mode "visibility_only" --role "r.web" --app "a.app1" --env "e.prod" --loc "l.ny"
.....
.....
VEN has been SUCCESSFULLY paired with Illumio

Using migration option: migrate_type = activate

# ./ven-migrate.sh --pce snc1.internal.local --port 8443 --activation_code 1f01a58771d27fa70f5abc233453e8b3f5baffd1d5246fc0d1f2c4de83fe1b729638057fa5d11e94c --migrate_type activate
2023-12-08 14:08:06 pce: snc1.internal.local, port: 8443, activation_code: 1f01a58771d27fa70f5abc233453e8b3f5baffd1d5246fc0d1f2c4de83fe1b729638057fa5d11e94c
2023-12-08 14:08:06 migrate_type: activate, api_version: v25, profile_id:
2023-12-08 14:08:06 deactivating the ven
2023-12-08 14:08:06 executing /opt/illumio_ven/illumio-ven-ctl deactivate

Deactivating the VEN...
The VEN has been deactivated
PCE was notified

Agent state: unpaired

2023-12-08 14:08:17 workload: test-wkld1; role: r.web; app: a.app1; env: e.prod; loc: l.ny
2023-12-08 14:08:17 /opt/illumio_ven/illumio-ven-ctl activate --management-server snc1.internal.local:8443 --activation-code 1f01a58771d27fa70f5abc233453e8b3f5baffd1d5246fc0d1f2c4de83fe1b729638057fa5d11e94c --enforcement_mode visibility_only --role "r.web" --app "a.app1" --env "e.prod" --loc "l.ny"
Checking Runtime Environment..........

             Activating Illumio
             ------------------
Storing Activation Configuration .....
Starting Illumio Processes............

               Pairing Status
               --------------
Pairing Configuration exists ......SUCCESS
VEN Manager Daemon running ........SUCCESS
Master Configuration retrieval ....SUCCESS
VEN Configuration retrieval .......SUCCESS

VEN has been SUCCESSFULLY paired with Illumio

2023-12-08 14:08:27 sleeping for 10 secs before checking the ven status
2023-12-08 14:08:37
Checking Runtime Environment..........
Status for illumio-control:
 - Environment Illumio VEN Environment is setup
 - venAgentMgr venAgentMgr is running
 - IPSec IPSec feature not enabled
 - venPlatformHandler venPlatformHandler is running
 - venVtapServer venVtapServer is running
 - venAgentMonitor venAgentMonitor is running

Agent state: illuminated