Upgrade TufinOS 3 to 4 In-Place Central Cluster VMWare ESXi machine

Overview

Use this procedure only when:

  • You upgrade a central cluster on the same VM(s) AND

  • there is no change in the environment AND

  • you are on TOS R23-1 PHF2.0.0 or later.

Do not use this procedure in any of the following circumstances:

Use the same procedure for all nodes in the same cluster.

If you have remote clusters, upgrade the central cluster before the remote clusters. For more information on Remote Collector clusters, see Remote Collectors.

Upgrade worker nodes before the primary data node.

During the TufinOS upgrade there will be some downtime. You are going to create a snapshot of the cluster configuration. After the snapshot is created TOS Aurora will be stopped.

This procedure does not require reinstalling TOS.

Prerequisites

NFS

TufinOS 4.x does not support NFS on this TOS release. NFS is supported from R23-2 PHF2.0.0 and later.

To use NFS for external backups:

  1. Install NFS 4 on your backup server

  2. Upgrade TOS

  3. Upgrade TufinOS

Follow the instructions in the relevant knowledge center.

Alternatively, you can switch to local storage or one of the cloud storage options.

General Requirements

  1. Do not use this procedure if you are upgrading a remote cluster.

  2. This procedure must be performed by an experienced Linux administrator with knowledge of network configuration.

  3. For data nodes only. Make sure you do not have unsupported LVM Volume Groups:

    [<ADMIN> ~]$ sudo vgdisplay --noheadings -C -o vg_name | grep -qs -v "[\t ]*VolGroup0[12]$" && echo "You cannot upgrade."

    If the output returns "You cannot upgrade.", do not use the upgrade method in the boot menu to upgrade to TufinOS 4.30. Perform the upgrade on new VMWare ESXi machines.

    If you receive no output, proceed with the next step below.

  4. For data nodes only. Make sure your /var/log partition is large enough:

    [<ADMIN> ~]$ sudo lsblk | grep "MOUNTPOINT\|/var/log$"

    If the output returns a partition size of 400 MB or less, do not perform this upgrade procedure. Perform the upgrade on new VMWare ESXi machines.

  5. If you have any external disks (for example, etcd), disconnect them. These disks should be reconnected after the TufinOS upgrade is complete.
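
The two data-node checks in steps 3 and 4, combined into one go/no-go script. This is an added example, not Tufin's code: the script name, the exit codes and the lsblk options (-b -n -r -o SIZE,MOUNTPOINT, used to get sizes in bytes) are choices made here, and "400 MB" is read as lsblk's 400M (400 × 1024 × 1024 bytes).

```shell
#!/usr/bin/env bash
# Added example (not vendor code): go/no-go gate for a data node.
# Parsers read command output on stdin so they can run on constructed samples.

MIN_VAR_LOG_BYTES=$((400 * 1024 * 1024))   # assumption: "400 MB" read as lsblk's 400M

# Input: `vgdisplay --noheadings -C -o vg_name`. Prints each VG that is not
# exactly VolGroup01 or VolGroup02 (anchored at both ends, stricter than the grep).
unsupported_vgs() {
    awk 'NF { $1 = $1; if ($0 !~ /^VolGroup0[12]$/) print }'
}

# Input: `lsblk -b -n -r -o SIZE,MOUNTPOINT`. Prints the /var/log size in bytes.
var_log_bytes() {
    awk '$2 == "/var/log" { print $1; exit }'
}

# Returns 0 = proceed, 1 = do not upgrade in place, 2 = /var/log not a separate mount.
preflight() {
    local vg_out="$1" lsblk_out="$2" bad size
    bad=$(printf '%s\n' "$vg_out" | unsupported_vgs)
    if [ -n "$bad" ]; then
        echo "BLOCK: unsupported volume group(s): $(echo $bad)" >&2; return 1
    fi
    size=$(printf '%s\n' "$lsblk_out" | var_log_bytes)
    if [ -z "$size" ]; then
        echo "CHECK: no /var/log mount point in lsblk output, review manually" >&2; return 2
    fi
    if [ "$size" -le "$MIN_VAR_LOG_BYTES" ]; then
        echo "BLOCK: /var/log is $size bytes (400 MB or less)" >&2; return 1
    fi
    echo "OK: volume groups and /var/log size pass"
}

# Constructed sample output, not captured from a real node.
SAMPLE_VGS='  VolGroup01
  VolGroup02'
SAMPLE_LSBLK='107374182400 
1073741824 /boot
2147483648 /var/log'

if [ "${1:-}" = "--live" ]; then   # on a data node: ./preflight.sh --live
    preflight "$(sudo vgdisplay --noheadings -C -o vg_name)" \
              "$(sudo lsblk -b -n -r -o SIZE,MOUNTPOINT)"
else
    preflight "$SAMPLE_VGS" "$SAMPLE_LSBLK"
fi
```

Exit code 2 is deliberate: the procedure does not say what to do when /var/log has no partition of its own, so the script stops for a manual decision instead of guessing.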

Downloads

  1. Download the TufinOS 4.30 installation package from the Download Center.

    • For a VMWare ESXi machine, download the .iso image file.

  2. Extract the TufinOS image from its archive.

    [<ADMIN> ~]$ sudo tar xzvf <FILENAME>.tgz

    The run file name includes the release, version, build number, and type of installation.

    TufinOS ISO file example: TufinOS-4.30-4368238-x86_64-Final.iso

  3. Verify the integrity of the TufinOS installation package.

    [<ADMIN> ~]# sha256sum -c TufinOS-X.XX-XXXXXX-x86_64-Final.iso.sha256

    The output should return OK

Preliminary Preparations

  1. If you are going to perform this procedure over multiple maintenance periods, create a new backup each time.

    1. Create the backup using tos backup create:

      [<ADMIN> ~]$ sudo tos backup create

      Example output:

      [<ADMIN> ~]$ sudo tos backup create
      [Aug 23 16:18:42]  INFO Running backup
      Backup status can be monitored with "tos backup status"

    2. You can check the backup creation status using tos backup status, which shows the status of backups in progress. Wait until completion before continuing.

      [<ADMIN> ~]$ sudo tos backup status

      Example output:

      [<ADMIN> ~]$ sudo tos backup status
       Found active backup "23-august-2021-16-18"

    3. Run the following command to display the list of backups saved on the node:

      [<ADMIN> ~]$ sudo tos backup list

      Example output:

      [<ADMIN> ~]$ sudo tos backup list
       ["23-august-2021-16-18"]
         Started: "2021-08-23 13:18:43 +0000 UTC"
         Completed: "N/A"
         Modules: "ST, SC"
         HA mode: "false"
         TOS release: "21.2 (PGA.0.0) Final"
         TOS build: "21.2.2100-210722164631509"
         Expiration Date: "2021-09-22 13:18:43 +0000 UTC"
         Status: "Completed"

    4. Check that your backup file appears in the list, and that the status is "Completed".

    5. Run the following command to export the backup to a file:

      [<ADMIN> ~]$ sudo tos backup export

      The command creates a single backup file.

      [<ADMIN> ~]$ sudo tos backup export
       [Aug 23 16:33:42]  INFO Preparing target dir /opt/tufin/backups
       [Aug 23 16:33:42]  INFO Compressing...
       [Aug 23 16:33:48]  INFO Backup exported file: /opt/tufin/backups/backup-21-2-pga.0.0-final-20210823163342.tar.gzip
       [Aug 23 16:33:48]  INFO Backup export has completed

    6. If your backup files are saved locally:

      1. Run sudo tos backup export to save your backup file from a TOS backup directory as a single .gzip file. If there are other backups present, they will be included as well.

      2. Transfer the exported .gzip file to a safe, remote location.

        Make sure you have the location of your backups safely documented and accessible, including credentials needed to access them, for recovery when needed.

      After the backup is exported, we recommend verifying that the file contents can be viewed by running the following command:

      [Target location]$ tar tzvf <filename>
  2. If you are running a multi-node cluster, get a list of your nodes and note them down for later.

    [<ADMIN> ~]$ sudo tos cluster node list
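
For the export, transfer and tar tzvf verification in step 1: an added example, not part of the Tufin procedure, that refuses to seal an archive that does not list, records a SHA-256 digest next to it, and re-checks both on the target. The script name and sub-commands are hypothetical; it assumes GNU tar and sha256sum on both hosts and write access to the backup directory.

```shell
#!/usr/bin/env bash
# Added example (not vendor code): seal an exported backup on the node, then
# re-check it on the target after transfer. File names below are placeholders.

# Confirm the archive lists cleanly, then write <archive>.sha256 beside it.
seal_backup() {
    local archive="$1" dir base
    [ -s "$archive" ] || { echo "missing or empty: $archive" >&2; return 1; }
    # Same listing test as `tar tzvf`, quiet: a truncated archive fails here.
    tar tzf "$archive" >/dev/null 2>&1 ||
        { echo "unreadable archive: $archive" >&2; return 1; }
    dir=$(dirname "$archive"); base=$(basename "$archive")
    # Bare file name in the digest file so it verifies from any directory.
    ( cd "$dir" && sha256sum "$base" > "$base.sha256" )
}

# On the target: the digest must match and the archive must still list.
check_backup() {
    local archive="$1" dir base
    dir=$(dirname "$archive"); base=$(basename "$archive")
    [ -f "$archive.sha256" ] || { echo "no digest file for $base" >&2; return 1; }
    ( cd "$dir" && sha256sum --status -c "$base.sha256" ) ||
        { echo "digest mismatch: $base" >&2; return 1; }
    tar tzf "$archive" >/dev/null 2>&1 ||
        { echo "unreadable archive: $base" >&2; return 1; }
    echo "OK: $base"
}

# Usage: ./backup_check.sh seal <archive>    (on the TOS node, after export)
#        ./backup_check.sh check <archive>   (on the target, after transfer)
case "${1:-}" in
    seal)  seal_backup "$2" ;;
    check) check_backup "$2" ;;
    demo)  # constructed archive in a temp dir, not a real TOS backup
        d=$(mktemp -d); echo sample > "$d/f"; tar czf "$d/b.tar.gzip" -C "$d" f
        seal_backup "$d/b.tar.gzip" && check_backup "$d/b.tar.gzip"; rm -rf "$d" ;;
esac
```

The digest file travels with the archive, so it catches truncation or corruption in transit; keep a copy of the digest somewhere other than the remote store if you also want to detect later modification there.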

Upgrade Worker Nodes

Repeat these steps for each worker node.

Upgrade the Data Node