01Sign in

Resume or initiate a migration session.

Start with New Session only for first-time browser pairing. Use Recovery Session when this browser already paired earlier and needs to rejoin. Use Project Tools later with application credentials only.

New Session

Use this for the first browser pairing only. The rescue console remains the source of truth and must confirm the short pairing secret before the browser unlocks.

If this MIG is not available for new pairing, the browser will stay locked and the existing session will remain unchanged.

MIG Code

MIG-

Issued by the rescue console. Enter the active MIG exactly as shown there.

↩ submit

Project Tools

Use this path after the initial migration when you need tenant-scoped follow-up work such as root conversion. This mode does not require a MIG and does not re-enter rescue-session controls.

Project Tools is authenticated only by application credential. Migrated images are discovered by metadata in the tenant project rather than by rescue-session state.

Show step-by-step application credential setup

Use a dedicated application credential for Milkshake project tools. Milkshake should create and retain its own isolated worker network, subnet, router, and security groups in the tenant project. Keep the scratch VM off production networks and grant only the permissions needed to read migrated images, create one scratch VM, upload the converted result, and create or reuse the dedicated worker network resources.

Milkshake should create a dedicated worker network, subnet, router, and security groups the first time Project Tools runs in this tenant. Those resources should persist for later conversions.
Do not place the scratch VM on a production workload network. Attach it only to the dedicated Milkshake worker network.
Create an application credential from a project user or role set that can create and delete the scratch VM, upload images, manage temporary worker storage, and create or reuse the Milkshake worker network resources.
Paste the auth URL, region, application credential ID, and secret into this page. Milkshake will use those values only for tenant-scoped post-migration tools.

Milkshake needs the same target region and Keystone auth URL that appear above. Example access rule file for the APIs Milkshake needs:

cat > rules.json <<'EOF' [ { "service": "identity", "method": "POST", "path": "/v3/auth/tokens" }, { "service": "image", "method": "GET", "path": "/v2/images" }, { "service": "image", "method": "GET", "path": "/v2/images/*" }, { "service": "image", "method": "POST", "path": "/v2/images" }, { "service": "image", "method": "PATCH", "path": "/v2/images/*" }, { "service": "image", "method": "PUT", "path": "/v2/images/*/file" }, { "service": "compute", "method": "GET", "path": "/v2.1/servers/detail" }, { "service": "compute", "method": "GET", "path": "/v2.1/servers/*" }, { "service": "compute", "method": "POST", "path": "/v2.1/servers" }, { "service": "compute", "method": "DELETE", "path": "/v2.1/servers/*" }, { "service": "network", "method": "GET", "path": "/v2.0/networks" }, { "service": "network", "method": "POST", "path": "/v2.0/networks" }, { "service": "network", "method": "GET", "path": "/v2.0/subnets" }, { "service": "network", "method": "POST", "path": "/v2.0/subnets" }, { "service": "network", "method": "GET", "path": "/v2.0/routers" }, { "service": "network", "method": "POST", "path": "/v2.0/routers" }, { "service": "network", "method": "PUT", "path": "/v2.0/routers/*/add_router_interface" }, { "service": "network", "method": "GET", "path": "/v2.0/security-groups" }, { "service": "network", "method": "POST", "path": "/v2.0/security-groups" }, { "service": "network", "method": "GET", "path": "/v2.0/security-group-rules" }, { "service": "network", "method": "POST", "path": "/v2.0/security-group-rules" }, { "service": "network", "method": "GET", "path": "/v2.0/ports" }, { "service": "network", "method": "POST", "path": "/v2.0/ports" }, { "service": "volumev3", "method": "GET", "path": "/v3/*/volumes/detail" }, { "service": "volumev3", "method": "GET", "path": "/v3/*/volumes/*" }, { "service": "volumev3", "method": "POST", "path": "/v3/*/volumes" }, { "service": "volumev3", "method": "DELETE", "path": "/v3/*/volumes/*" } ] EOF

Create the application credential with that access rule file, then copy the generated ID and secret:

openstack application credential create milkshake-project-tools \ --description "Milkshake project tools only" \ --expiration 2026-05-15T00:00:00 \ --access-rules rules.json \ -f yaml id: 11111111111111111111111111111111 name: milkshake-project-tools project_id: 22222222222222222222222222222222 secret: copy-this-generated-secret expires_at: "2026-05-15T00:00:00+0000"

Example OpenStack CLI flow for the dedicated Milkshake worker network resources:

openstack network create milkshake-worker-net openstack subnet create milkshake-worker-subnet \ --network milkshake-worker-net \ --subnet-range 172.31.240.0/24 openstack router create milkshake-worker-router openstack router set milkshake-worker-router --external-gateway public openstack router add subnet milkshake-worker-router milkshake-worker-subnet openstack security group create milkshake-worker-sg openstack application credential create milkshake-project-tools \ --description "Milkshake project tools only" \ --expiration 2026-05-15T00:00:00 \ --access-rules rules.json \ -f yaml

If your cloud supports application credential access rules, restrict the credential further. Do not attach a keypair or floating IP to the scratch VM, keep inbound security-group rules empty, and let the Milkshake worker network resources persist for reuse.

Target Region

Target Auth URL

Application Credential ID

Application Credential Secret

App credential scope only