Upgrade TufinOS 3 to 4 HA, VMware ESXi

Overview

Use this procedure only to upgrade TufinOS 3.x to 4.30 on a high availability environment.

If you have remote clusters, upgrade the central cluster before the remote clusters. For more information on Remote Collector clusters, see Remote Collectors.

Upgrade worker nodes before the primary data node.

During the TufinOS upgrade there may be some downtime when upgrading each of the data nodes.

Prerequisites

  • This procedure must be performed by an experienced Linux administrator with knowledge of network configuration.

  • TufinOS 4.x does not support NFS on this TOS release. NFS is supported from R23-2 PHF2.0.0 and later.

    To use NFS for external backups:

    1. Install NFS 4 on your backup server

    2. Upgrade TOS

    3. Upgrade TufinOS

    Follow the instructions in the relevant knowledge center.

    Alternatively, you can switch to local storage or one of the cloud storage options.

  • If you have any external disks (for example, etcd), disconnect them. These disks should be reconnected after the TufinOS upgrade is complete.

Downloads

  1. Download the TufinOS 4.30 installation package from the Download Center.

    • For a VMware ESXi machine, download the .iso image file.

  2. Extract the TufinOS image from its archive.

    [<ADMIN> ~]$ sudo tar xzvf <FILENAME>.tgz

    The run file name includes the release, version, build number, and type of installation.

    TufinOS ISO file example: TufinOS-4.30-4368238-x86_64-Final.iso

  3. Verify the integrity of the TufinOS installation package.

    [<ADMIN> ~]# sha256sum -c TufinOS-X.XX-XXXXXX-x86_64-Final.iso.sha256

    The output should return OK.

Preliminary Preparations

  1. If you are going to perform this procedure over multiple maintenance periods, create a new backup each time.

    1. Create the backup using tos backup create:

      [<ADMIN> ~]$ sudo tos backup create

      Example output:

      [<ADMIN> ~]$ sudo tos backup create
      [Aug 23 16:18:42]  INFO Running backup
      Backup status can be monitored with "tos backup status"

    2. You can check the backup creation status using tos backup status, which shows the status of backups in progress. Wait until completion before continuing.

      [<ADMIN> ~]$ sudo tos backup status

      Example output:

      [<ADMIN> ~]$ sudo tos backup status
       Found active backup "23-august-2021-16-18"

    3. Run the following command to display the list of backups saved on the node:

      [<ADMIN> ~]$ sudo tos backup list

      Example output:

      [<ADMIN> ~]$ sudo tos backup list
       ["23-august-2021-16-18"]
         Started: "2021-08-23 13:18:43 +0000 UTC"
         Completed: "N/A"
         Modules: "ST, SC"
         HA mode: "false"
         TOS release: "21.2 (PGA.0.0) Final"
         TOS build: "21.2.2100-210722164631509"
         Expiration Date: "2021-09-22 13:18:43 +0000 UTC"
         Status: "Completed"

    4. Check that your backup file appears in the list, and that the status is "Completed".

    5. Run the following command to export the backup to a file:

      [<ADMIN> ~]$ sudo tos backup export

      The command creates a single backup file.

      [<ADMIN> ~]$ sudo tos backup export
       [Aug 23 16:33:42]  INFO Preparing target dir /opt/tufin/backups
       [Aug 23 16:33:42]  INFO Compressing...
       [Aug 23 16:33:48]  INFO Backup exported file: /opt/tufin/backups/backup-21-2-pga.0.0-final-20210823163342.tar.gzip
       [Aug 23 16:33:48]  INFO Backup export has completed

    6. If your backup files are saved locally:

      1. Run sudo tos backup export to save your backup file from a TOS backup directory as a single .gzip file. If there are other backups present, they will be included as well.

      2. Transfer the exported .gzip file to a safe, remote location.

        Make sure you have the location of your backups safely documented and accessible, including credentials needed to access them, for recovery when needed.

      After the backup is exported, we recommend verifying that the file contents can be viewed by running the following command:

      [Target location]$ tar tzvf <filename>
  2. If you are running a multi-node cluster, get a list of your nodes.

    [<ADMIN> ~]$ sudo tos cluster node list
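
The backup checks in step 1 can be scripted so that the upgrade does not start on a backup that is missing, unfinished or unreadable. The following is an added example, not part of the Tufin procedure or product: the function names are hypothetical, the parser assumes `tos backup list` output in the format of the sample above, and the "In progress" status value in the embedded sample is constructed.

```shell
#!/bin/sh
# Added example, not Tufin code. Function names are hypothetical; the parser
# assumes `tos backup list` prints blocks in the format of the sample above.

# backup_completed NAME: read `tos backup list` output on stdin; succeed only
# if the block headed ["NAME"] reports Status: "Completed".
backup_completed() {
  awk -v want="$1" '
    /^[ \t]*\["/ {                 # block header, e.g.  ["23-august-2021-16-18"]
      cur = $0
      sub(/^[ \t]*\["/, "", cur); sub(/"\].*$/, "", cur)
      next
    }
    cur == want && /^[ \t]*Status:/ {
      found = 1
      ok = ($0 ~ /Status:[ \t]*"Completed"/)
    }
    END { exit !(found && ok) }    # unknown name or any other status fails
  '
}

# archive_digest FILE: succeed only if tar can list FILE to the end and the
# listing is non-empty (the `tar tzvf` check), then print the SHA-256 of FILE
# so the copy at the remote location can be compared after transfer.
archive_digest() {
  _listing=$(tar tzf "$1" 2>/dev/null) || return 1
  [ -n "$_listing" ] || return 1
  sha256sum "$1" | awk '{ print $1 }'
}

# Constructed sample in the page's format: one finished backup and one
# unfinished backup (the "In progress" value is made up for illustration).
sample_backup_list() {
  cat <<'EOF'
 ["23-august-2021-16-18"]
   Started: "2021-08-23 13:18:43 +0000 UTC"
   Completed: "N/A"
   Status: "Completed"
 ["24-august-2021-09-00"]
   Started: "2021-08-24 06:00:00 +0000 UTC"
   Status: "In progress"
EOF
}

if sample_backup_list | backup_completed "23-august-2021-16-18"; then
  echo "backup completed: safe to export"
fi
```

On a node, pipe the real output in (`sudo tos backup list | backup_completed "<backup name>"`), then run `archive_digest` on the exported file and again on the transferred copy and compare the two digests.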

Upgrade Worker Nodes

Repeat these steps for each worker node.

Upgrade The Data Nodes