Upgrade TufinOS 3 to 4 In-Place Central Cluster VMWare ESXi machine

Overview

Use this procedure only when:

You upgrade a central cluster on the same VM(s) AND
there is no change in the environment AND
you are on TOS R23-1 PHF2.0.0 or later.

Do not use this procedure in any of the following circumstances:

If you are on TOS R23-1 PHF1.2.0 or earlier. Use instead the procedure Upgrade TufinOS 3 to 4 Reinstall on Same VM.
If you are upgrading remote cluster on the same VM(s). Use instead the procedure Upgrade TufinOS 3 to 4 Reinstall on Same VM.
if there will be some change in the VM environment compared to your current deployment. Use instead the procedure Upgrade TufinOS 3 to 4 Reinstall on Same VM.

If you are replacing your VM(s) in the process. Use instead the procedure Upgrade TufinOS 3 to 4 on New VM.
If you are upgrading a high availability deployment. Use instead the procedure Upgrade TufinOS 3 to 4 HA VM.

Use the same procedure for all nodes in the same cluster.

If you have remote clusters, upgrade the central cluster before the remote clusters. For more information on Remote Collector clusters, see Remote Collectors.

Upgrade worker nodes before the primary data node.

During the TufinOS upgrade there will be some downtime. You are going to create a snapshot of the cluster configuration. After the snapshot is created TOS Aurora will be stopped.

This procedure does not require reinstalling TOS.

Prerequisites

NFS

TufinOS 4.x does not support NFS on this TOS release. NFS is supported from R23-2 PHF2.0.0 and later.

To use NFS for external backups:

Install NFS 4 on your backup server
Upgrade TOS
Upgrade TufinOS

Follow the instructions in the relevant knowledge center.

Alternatively, you can switch to local storage or one of the cloud storage options.

General Requirements

Do not use this procedure if you are upgrading a remote cluster.
This procedure must be performed by an experienced Linux administrator with knowledge of network configuration.
For data nodes only. Make sure you do not have unsupported LVM Volume Groups:
```
[<ADMIN> ~]$ sudo vgdisplay --noheadings -C -o vg_name | grep -qs -v "[\t ]*VolGroup0[12]$" && echo "You cannot uppgrade."
```
sudo vgdisplay --noheadings -C -o vg_name | grep -qs -v "[\t ]*VolGroup0[12]$" && echo "You cannot uppgrade."
If the output returns "You cannot upgrade.", do not use the upgrade method in the boot menu to upgrade to TufinOS 4.30. Perform the upgrade on new VMWare ESXi machines.

If you receive no output, proceed with the next step below.
For data nodes only. Make sure your /var/log partition is large enough:
```
[<ADMIN> ~]$ sudo lsblk | grep "MOUNTPOINT\|/var/log$"
```
sudo lsblk | grep "MOUNTPOINT\|/var/log$"
If the output returns a partition size of 400 MB or less, do not perform this upgrade procedure. Perform the upgrade on new VMWare ESXi machines.
If you have any external disks (for example, etcd), disconnect them. These disks should be reconnected after the TufinOS upgrade is complete.

Downloads

Download the TufinOS 4.30 installation package from the Download Center.
- For a VMWare ESXi machine, download the .iso image file.
Extract the TufinOS image from its archive.
```
[<ADMIN> ~]$ sudo tar xzvf <FILENAME>.tgz
```
sudo tar xzvf <FILENAME>.tgz
The run file name includes the release, version, build number, and type of installation.

TufinOS ISO file example: TufinOS-4.30-4368238-x86_64-Final.iso
Verify the integrity of the TufinOS installation package.
```
[<ADMIN> ~]# sha256sum -c TufinOS-X.XX-XXXXXX-x86_64-Final.iso.sha256
```
sha256sum -c TufinOS-X.XX-XXXXXX-x86_64-Final.iso.sha256
The output should return OK

Preliminary Preparations

Verify upgrade path.
1. Check your current TufinOS version:
  cat /etc/tufinos-release
  Your TufinOS release appears in the output. If the command is not recognized, you have a non-TufinOS operating system and cannot upgrade using this procedure.
2. If there is a supported upgrade path for your TufinOS release, continue with the upgrade. Otherwise, upgrade first to a supported release.

Check the cluster health.

On the primary data node, check the following status.
```
[<ADMIN> ~]$ sudo systemctl status k3s
```
sudo systemctl status k3s

In the output under the line k3s.service - Aurora Kubernetes, two lines should appear - Loaded... and Active... similar to the example below. If they appear, continue with the next step, otherwise contact Tufin Support for assistance.

Example output:

[<ADMIN> ~]$ sudo systemctl status k3s
 [root@TufinOS ~]# systemctl status k3s
 Redirecting to /bin/systemctl status k3s.service
 ● k3s.service - Aurora Kubernetes
    Loaded: loaded (/etc/systemd/system/k3s.service; enabled; vendor preset: disabled)
    Active: active (running) since Tue 2021-08-24 17:14:38 IDT; 1 day 18h ago
      Docs: https://k3s.io
   Process: 1241 ExecStartPre=/sbin/modprobe overlay (code=exited, status=0/SUCCESS)
   Process: 1226 ExecStartPre=/sbin/modprobe br_netfilter (code=exited, status=0/SUCCESS)
  Main PID: 1250 (k3s-server)
     Tasks: 1042
    Memory: 2.3G

On the same node or nodes, check the TOS status.
```
[<ADMIN> ~]$ sudo tos status
```
sudo tos status

In the output, if the System Status is Ok and all the items listed under Components appear as ok, continue with the next steps. Otherwise contact Tufin Support for assistance.

Example output:

[<ADMIN> ~]$ sudo tos status
 Tufin Orchestration Suite 2.0
  
 System Status: Ok
 System Mode:   Multi Node
  
 Nodes:
   1 Master, 1 Worker. Total 2 nodes. Nodes are healthy.
  
 Components:
   Node:            Ok
   Cassandra:       Ok
   Mongodb:         Ok
   Mongodb_sc:      Ok
   Nats:            Ok
   Neo4j:           Ok
   Postgres:        Ok
   Postgres_sc:     Ok

If you are going to perform this procedure over multiple maintenance periods, create a new backup each time.
1. Create the backup using tos backup create:
2. You can check the backup creation status using tos backup status, which shows the status of backups in progress. Wait until completion before continuing.
3. Run the following command to display the list of backups saved on the node:
```
[<ADMIN> ~]$ sudo tos backup list
```
  sudo tos backup list
4. Check that your backup file appears in the list, and that the status is "Completed".
5. Run the following command to export the backup to a file:
```
[<ADMIN> ~]$ sudo tos backup export
```
  sudo tos backup export
6. If your backup files are saved locally:
  1. Run sudo tos backup export to save your backup file from a TOS backup directory as a single .gzip file. If there are other backups present, they will be included as well.
  2. Transfer the exported .gzip file to a safe, remote location.
    
    Make sure you have the location of your backups safely documented and accessible, including credentials needed to access them, for recovery when needed.
  After the backup is exported, we recommend verifying that the file contents can be viewed by running the following command:
```
[Target location]$ tar tzvf <filename>
```
  tar tzvf <file name>
Connect Remote Clusters
If you are currently upgrading the central cluster, make sure all the Remote Collector clusters are connected.
On the Central cluster primary data node run:
[<ADMIN> ~]$ sudo tos cluster list
sudo tos cluster list
The output shows all connected clusters.
Example output:
$ sudo tos cluster list NAME ID IP TYPE Central 1 master RC1 2 192.168.75.156 data_collector
If you are running a multi-node cluster, get a list of your nodes and note them down for later.
```
[<ADMIN> ~]$ sudo tos cluster node list
```
sudo tos cluster node list
Save your TufinOS Configuration (repeat this step for each node).

The upgrade to TufinOS 4 keeps the TOS Aurora data in the /opt partition. The upgrade to TufinOS 4 is like a regular TufinOS installation with one enhancement that keeps the untouched /opt partition, thus all the TOS Aurora data remains available after this upgrade.

This is not the case with TufinOS configuration data. The upgrade erases all existing TufinOS configurations. Therefore, before you start create a list of the data you want to keep and save it outside the machine you are upgrading.

After the upgrade completion, re-configure all your backed-up data before restoring the TOS Aurora snapshot.

For more information on what to information to save, see Saving Your TufinOS Configuration:

If you have any questions about the upgrade, contact the Tufin support team. Do not attempt the upgrade if you are unsure about any part of it.
Check the data nodes if there is a separate etcd disk.
To improve the performance of TOS Aurora, the etcd database needs to be on a separate disk.
1. On each data node, run the following command:
2. If the output contains /var/lib/rancher/k3s/server/db, etcd is on a separate disk. You need to do one of the following:
  - Disconnect the disk in the VM settings. You will reconnect and mount it after the upgrade.
  - Upgrade to TufinOS 4.x on a new VMWare ESXi. See Upgrade TufinOS 3 to 4 on New VMWare ESXi Machine
3. If no output is returned, proceed with the upgrade. After the upgrade, we recommend mounting the etcd database on a separate disk.

Upgrade Worker Nodes

Repeat these steps for each worker node.

Remove the node from the cluster

Identify the node you want to remove and its status by running sudo tos cluster node list on the primary data node.

If the node is in a healthy state:

On the primary data node, run:

[<ADMIN> ~]$ sudo tos cluster node remove <node>

sudo tos cluster node remove <node>

Parameters

Parameter	Description	Required/Optional
`<node>`	Hostname address of the node to remove.	Required

On completion, a new command string is displayed, which you will need to run on the node you want to remove within 30 minutes. If the allocated time expires, you will need to repeat the current step.

Log in to the CLI of the node to be removed.
On the node to be removed, run the command string displayed on completion of the command above. On completion, all TOS-related directories and data will be deleted from the node, therefore make sure you run it on the correct node. Running the command on the wrong node will destroy the cluster.

All TOS-related directories will be deleted from the node.

If the node you want to remove is not in a healthy state:

On the primary data node, run:

[<ADMIN> ~]$ sudo tos cluster node remove <node> --force

sudo tos cluster node remove <node> --force

Parameters

Parameter	Description	Required/Optional
`<node>`	Hostname address of the node to remove.	Required

Verify that the node has been removed by again running sudo tos cluster node list.

Install TufinOS
1. If a separate disk for etcd has been added, disconnect it. You must add the disk back after the TufinOS installation is complete.
2. Place the TufinOS ISO image file on the datastore of vSphere. For local installation on a VMware machine, locate the extracted ISO image file.
3. Confirm that in your virtual machine settings, Boot Options is configured to use BIOS. If you are using EFI, the procedure will not work.
4. Edit the properties of the virtual CD/DVD drive, and do one of the following:
  
  Using vSphere:
  - As Device Type select Datastore ISO file, and browse to the TufinOS ISO image.
  - Under Device Status, select Connect at power on.
  Using a workstation:
  - Under Device Status, select Connect at power on.
  - Under Connection, select Use ISO image file, and browse to the TufinOS ISO image.
5. Set the VM to boot to BIOS configuration
  Example using vSphere
  
  Navigate to VM settings > VM options.
  
  Check: During the next boot, force entry into the BIOS setup screen.
6. Power on the VM.
7. In BIOS > Boot, select CD-ROM Drive.
8. In BIOS > Exit, select Exit Saving Changes. Click Yes.
9. Save the settings.
10. Restart the VM. TufinOS installation begins.
11. Restart the VM.
  
  Shut down TOS.
  
  [<ADMIN> ~]# tos stop
  
  tos stop
  
  Restart the virtual machine. TufinOS installation begins.
12. Select TufinOS 4.30 Installation for TOS Aurora.
13. Select Install TufinOS 4.30 for Worker Node.
14. When prompted, confirm and choose Yes.
15. When the installation is complete, reboot the virtual machine.
16. When BIOS launches, change the Boot option to Hard Drive.
17. In BIOS > Exit, select Exit Saving Changes. Click Yes.
18. Log in using the default admin user credentials:
  
  username: tufin-admin
  
  password: admin (you will be prompted to change this on first log in)
  
  IP address: assigned by DHCP
Set up the node.
1. Restore the TufinOS configuration data that you saved before beginning the upgrade procedure (see Save Your TufinOS Configuration). In general we recommend that the new server configurations be similar to the old configurations.
2. If you want to reset the host name or IP of the machine, do so now. Once TOS Aurora has been installed, changing the host name or IP address will require reinstalling - see Changing IP Address/Host Names. To change the host name, use the command below, replacing <mynode> with your preferred name:
  [<ADMIN> ~]$ sudo hostnamectl set-hostname <mynode>
  
  sudo hostnamectl set-hostname <mynode>
3. Configure the server timezone:
  [<ADMIN> ~]$ sudo timedatectl set-timezone <timezone>
  
  sudo timedatectl set-timezone <timezone>
  where <timezone> is in the format Area/Location. Examples: America/Jamaica, Hongkong, GMT, Europe/Prague.
  
  To view a list of the time-zone formats that can be used, run:
  [<ADMIN> ~]$ sudo timedatectl list-timezones
  
  sudo timedatectl list-timezones
4. Synchronize your machine time with a trusted NTP server. Follow the steps in Configuring NTP Using Chrony. In an HA deployment, all servers need to be synchronized to the same time.
5. Configure the IP address and DNS, where <Interface Name> is the name of the interface you are using (for example, ens32). If you have several network interfaces, configure the first one.
  To find the first network interface
  
  Run the command:
  
  [<ADMIN> ~]$ sudo /opt/tufinos/scripts/network_interface_by_pci_order.sh | awk -F'=' '/NET_IFS\[0\]/ { print $NF }'
  
  sudo /opt/tufinos/scripts/network_interface_by_pci_order.sh | awk -F'=' '/NET_IFS\[0\]/ { print $NF }'
6. To assign a static IP address or restore one that was used before upgrading:
  1. Run the command:
  2. Restart the network service.
7. Verify that the DNS server can resolve its own address using a reverse lookup
  Run:
  
  [<ADMIN> ~]$ sudo nslookup <DNS SERVER IP>
  sudo nslookup <DNS SERVER IP>
  If the name of the server is displayed, the DNS server can resolve its own address using a reverse lookup.
  Example Output
  [<ADMIN> ~]$ sudo nslookup 1.2.3.4 4.3.2.1.in-addr.arpa name=EXAMPLE.company.com
  If the name of the server is not displayed, set it using a reverse lookup entry at /etc/hosts.
  Example Output where 1.2.3.4 4.3.2.1.in-addr-arpa was added.
  [<ADMIN> ~]$ sudo cat /etc/hosts 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 ::1 localhost6 localhost6.localdomain6 1.2.3.4 admin.company.com admin 2.3.4.5 5.4.3.2.in-addr-arpa
Add the worker node back to the cluster.
1. On the primary data node run:
  [<ADMIN> ~]$ sudo tos cluster node add --role=<TYPE>
  
  sudo tos cluster node add --role=<TYPE>
  where <TYPE> is worker or data, depending on the type of node you want to add.
  
  On completion, a new command string is displayed, which you will need to run on the new node within one hour. If the allocated time expires, you will need to repeat the current step.
2. Log in to the CLI of the server to be added as a new node in the cluster.
3. On the new node, run the command string displayed previously on the primary data node in step 2 above. If the allocated time has expired, you will need to start from the beginning.
4. Verify that the node was added by running sudo tos cluster node list on the primary data node.

Check the cluster status.

On the primary data nodes, check the TOS status.
```
[<ADMIN> ~]$ sudo tos status
```
sudo tos status
In the output, check if the System Status is Ok and all the items listed under Components appear as ok. If this is not the case, contact Tufin Support.

Example output:

[<ADMIN> ~]$ sudo tos status
 Tufin Orchestration Suite 2.0

 System Status: Ok
 System Mode:   Multi Node

 Nodes:
   1 Master, 1 Worker. Total 2 nodes. Nodes are healthy.

 Components:
   Node:            Ok
   Cassandra:       Ok
   Mongodb:         Ok
   Mongodb_sc:      Ok
   Nats:            Ok
   Neo4j:           Ok
   Postgres:        Ok
   Postgres_sc:     Ok

Upgrade the Data Node

Create a snapshot of the TOS Aurora cluster configuration.
1. On the data node, run the following command:
  [<ADMIN> ~]$ sudo tos cluster snapshot create
  sudo tos cluster snapshot create
  A message appears "The system will shut down until the process is finished. Please confirm Y/N."
2. Type Yes.
  TOS Aurora is stopped.
Upgrade TufinOS
1. If a separate disk for etcd has been added, disconnect it. You must add the disk back after the TufinOS installation is complete.
2. Place the TufinOS ISO image file on the datastore of vSphere. For local installation on a VMware machine, locate the extracted ISO image file.
3. Confirm that in your virtual machine settings, Boot Options is configured to use BIOS. If you are using EFI, the procedure will not work.
4. Edit the properties of the virtual CD/DVD drive, and do one of the following:
  
  Using vSphere:
  - As Device Type select Datastore ISO file, and browse to the TufinOS ISO image.
  - Under Device Status, select Connect at power on.
  Using a workstation:
  - Under Device Status, select Connect at power on.
  - Under Connection, select Use ISO image file, and browse to the TufinOS ISO image.
5. Set the VM to boot to BIOS configuration
  Example using vSphere
  
  Navigate to VM settings > VM options.
  
  Check: During the next boot, force entry into the BIOS setup screen.
6. Power on the VM.
7. In BIOS > Boot, select CD-ROM Drive.
8. In BIOS > Exit, select Exit Saving Changes. Click Yes.
9. Save the settings.
10. Restart the VM. TufinOS installation begins.
11. Restart the VM.
  
  Shut down TOS.
  
  [<ADMIN> ~]# tos stop
  
  tos stop
  
  Restart the virtual machine. TufinOS installation begins.
12. Select TufinOS 3 upgrade for TOS Aurora.
13. Select Upgrade from TufinOS 3 to TufinOS 4.30.
14. When prompted, confirm and choose Yes.
15. When the installation is complete, reboot the virtual machine.
16. When BIOS launches, change the Boot option to Hard Drive.
17. In BIOS > Exit, select Exit Saving Changes. Click Yes.
18. Log in using the default admin user credentials:
  
  username: tufin-admin
  
  password: admin (you will be prompted to change this on first log in)
  
  IP address: assigned by DHCP
Set up the node.
1. Restore the TufinOS configuration data that you saved before beginning the upgrade procedure (see Save Your TufinOS Configuration). In general we recommend that the new server configurations be similar to the old configurations.
2. Configure the server timezone:
  [<ADMIN> ~]$ sudo timedatectl set-timezone <timezone>
  
  sudo timedatectl set-timezone <timezone>
  where <timezone> is in the format Area/Location. Examples: America/Jamaica, Hongkong, GMT, Europe/Prague.
  
  To view a list of the time-zone formats that can be used, run:
  [<ADMIN> ~]$ sudo timedatectl list-timezones
  
  sudo timedatectl list-timezones
3. Synchronize your machine time with a trusted NTP server. Follow the steps in Configuring NTP Using Chrony. In an HA deployment, all servers need to be synchronized to the same time.
4. To assign a static IP address or restore one that was used before upgrading:
  1. Run the command:
  2. Restart the network service.
5. Verify that the DNS server can resolve its own address using a reverse lookup
  Run:
  
  [<ADMIN> ~]$ sudo nslookup <DNS SERVER IP>
  sudo nslookup <DNS SERVER IP>
  If the name of the server is displayed, the DNS server can resolve its own address using a reverse lookup.
  Example Output
  [<ADMIN> ~]$ sudo nslookup 1.2.3.4 4.3.2.1.in-addr.arpa name=EXAMPLE.company.com
  If the name of the server is not displayed, set it using a reverse lookup entry at /etc/hosts.
  Example Output where 1.2.3.4 4.3.2.1.in-addr-arpa was added.
  [<ADMIN> ~]$ sudo cat /etc/hosts 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 ::1 localhost6 localhost6.localdomain6 1.2.3.4 admin.company.com admin 2.3.4.5 5.4.3.2.in-addr-arpa
Mount the etcd disk.
If you had the etcd database on a separate disk which you disconnected before the upgrade, remount it now.
1. Reinstate the etcd disk.
2. Log into the data node as the root user.
3. Verify that the new disk is recognized by TufinOS.
  [<ADMIN> ~]# lsblk
  
  lsblk
  [<ADMIN> ~]# ls -l /dev/sd*
  
  ls -l /dev/sd*
  Compare the output with the name of the disk you saved in the preliminary preparations, and verify that the disk name it returned ends with the next letter in the alphabet. For example, if the name you saved was sdb the output should return sdc. This indicates that TufinOS recognizes the new disk.
4. Create a variable with the block device path of the new disk.
  [<ADMIN> ~]# BLOCK_DEV="/dev/sd<>"
  
  BLOCK_DEV="/dev/sd<>"
  where <> represents the letter of the new disk.
5. Generate a UUID for the block device of the new disk.
  [<ADMIN> ~]# BLOCK_UUID="$(uuidgen)"
  
  BLOCK_UUID="$(uuidgen)"
6. Create a primary partition on the new disk.
  [<ADMIN> ~]# parted -s -a optimal ${BLOCK_DEV} mklabel msdos -- mkpart primary ext4 1MiB 100%
  
  parted -s -a optimal ${BLOCK_DEV} mklabel msdos -- mkpart primary ext4 1MiB 100%
7. Verify that the partition was created.
  [<ADMIN> ~]# parted -s ${BLOCK_DEV} print
  
  parted -s ${BLOCK_DEV} print
8. Format the partition as ext4.
  [<ADMIN> ~]# mkfs.ext4 -L ETCD -U ${BLOCK_UUID} ${BLOCK_DEV}1
  
  mkfs.ext4 -L ETCD -U ${BLOCK_UUID} ${BLOCK_DEV}1
9. Verify that the partition has been formatted with the UUID and the etcd label (output should return the partition with UUID and an ETCD label).
  [<ADMIN> ~]# blkid | grep "$BLOCK_UUID"
  
  blkid | grep "$BLOCK_UUID"
10. Create the mount point of the etcd database.
  [<ADMIN> ~]# mkdir -p /var/lib/rancher/k3s/server/db
  
  mkdir -p /var/lib/rancher/k3s/server/db
11. Set the partition to mount upon operating system startup.
  [<ADMIN> ~]# echo "UUID=${BLOCK_UUID} /var/lib/rancher/k3s/server/db ext4 defaults 0 0" >> /etc/fstab
  
  echo "UUID=${BLOCK_UUID} /var/lib/rancher/k3s/server/db ext4 defaults 0 0" >> /etc/fstab
12. Load the changes to the filesystem.
  [<ADMIN> ~]# systemctl daemon-reload
  
  systemctl daemon-reload
13. Mount the partition that was added to /etc/fstab.
  [<ADMIN> ~]# mount /var/lib/rancher/k3s/server/db
  
  mount /var/lib/rancher/k3s/server/db
  If the output is not empty, stop the procedure. The etcd disk cannot be mounted. Review what was missed in the previous steps.
14. Verify the partition has been mounted (the output should return the block device and mount point).
  [<ADMIN> ~]# mount | grep "/var/lib/rancher/k3s/server/db"
  
  mount | grep "/var/lib/rancher/k3s/server/db"
  If the output is empty, stop the procedure. The etcd disk is not mounted. Review what was missed in the previous steps.
Restore the snapshot
Run the following command:
[<ADMIN> ~]$ sudo /opt/tufin/cluster-snapshot/binaries/tos cluster snapshot restore
sudo /opt/tufin/cluster-snapshot/binaries/tos cluster snapshot restore

Check the cluster status.

On the primary data nodes, check the TOS status.
```
[<ADMIN> ~]$ sudo tos status
```
sudo tos status
In the output, check if the System Status is Ok and all the items listed under Components appear as ok. If this is not the case, contact Tufin Support.

Example output:

[<ADMIN> ~]$ sudo tos status
 Tufin Orchestration Suite 2.0

 System Status: Ok
 System Mode:   Multi Node

 Nodes:
   1 Master, 1 Worker. Total 2 nodes. Nodes are healthy.

 Components:
   Node:            Ok
   Cassandra:       Ok
   Mongodb:         Ok
   Mongodb_sc:      Ok
   Nats:            Ok
   Neo4j:           Ok
   Postgres:        Ok
   Postgres_sc:     Ok