Update TufinOS 4.x to 4.40

Overview

This procedure is for updating TufinOS 4 to the latest version.

TufinOS updates are additions to the current version of the operating system. Unlike upgrades, where you replace the operating system completely, an update is used for enhancing TufinOS with the latest security and performance features as well as address any issues in order to provide a better working experience.

This procedure does not require reinstalling TOS.

The type of procedure you need to perform will depend on your deployment:

• High Availability:

  • Without downtime - Update the worker nodes, and then update TufinOS on each data node separately. For more information on HA, see High Availability.

    After updating a data node, run tos status and check if the System Status is ok and all the items listed under Components appear as ok. If this is not the case, wait for the database to sync before proceeding to update the next node.

  • With downtime - Power down TOS on all nodes in the cluster and then proceed to update TufinOS on all your nodes.

• Single data node cluster: First update the worker nodes and then update the data node. During the update itself, there will be some downtime as all TOS processes will need to be stopped and then restarted.

• High Availability Central Cluster + Remote Collector clusters:

  • Central Cluster - See High Availability bullet above

  • Remote Collector Clusters - First update the worker nodes, and then update TufinOS on the data node. Repeat for each remote cluster. For more information on Remote Collector clusters, see Remote Collectors.

  High availability is not supported for Remote Collector clusters.

• Single data node cluster + Remote Collector clusters: First update the central cluster: worker nodes and then data node. Afterwards, repeat for each Remote Collector cluster.

Preliminary Preparations

1. Verify that your deployment is compatible with TufinOS 4.40

   1. Check your current TufinOS version:

      cat /etc/tufinos-release

      Your TufinOS release appears in the output. If the command is not recognized, you have a non-TufinOS operating system and cannot upgrade using this procedure.

   2. Review the compatibility and requirements and supported upgrade paths for TufinOS 4.40 and verify that you can perform the procedure.
2. Check the cluster health.

   1. On the primary data node, check the following status.

      [<ADMIN> ~]$ sudo systemctl status k3s

      sudo systemctl status k3s

   In the output under the line k3s.service - Aurora Kubernetes, two lines should appear - Loaded... and Active... similar to the example below. If they appear, continue with the next step, otherwise contact Tufin Support for assistance.

   Example output:

   [<ADMIN> ~]$ sudo systemctl status k3s
    [root@TufinOS ~]# systemctl status k3s
    Redirecting to /bin/systemctl status k3s.service
    ● k3s.service - Aurora Kubernetes
       Loaded: loaded (/etc/systemd/system/k3s.service; enabled; vendor preset: disabled)
       Active: active (running) since Tue 2021-08-24 17:14:38 IDT; 1 day 18h ago
         Docs: https://k3s.io
      Process: 1241 ExecStartPre=/sbin/modprobe overlay (code=exited, status=0/SUCCESS)
      Process: 1226 ExecStartPre=/sbin/modprobe br_netfilter (code=exited, status=0/SUCCESS)
     Main PID: 1250 (k3s-server)
        Tasks: 1042
       Memory: 2.3G

   2. On the same node or nodes, check the TOS status.

      [<ADMIN> ~]$ sudo tos status

      sudo tos status

   In the output, if the System Status is Ok and all the items listed under Components appear as ok, continue with the next steps. Otherwise contact Tufin Support for assistance.

   Example output:

   [<ADMIN> ~]$ sudo tos status
    Tufin Orchestration Suite 2.0
     
    System Status: Ok
    System Mode:   Multi Node
     
    Nodes:
      1 Master, 1 Worker. Total 2 nodes. Nodes are healthy.
     
    Components:
      Node:            Ok
      Cassandra:       Ok
      Mongodb:         Ok
      Mongodb_sc:      Ok
      Nats:            Ok
      Neo4j:           Ok
      Postgres:        Ok
      Postgres_sc:     Ok

3. Remote Collector clusters. If you are currently updating the central cluster, make sure all the Remote Collector clusters are connected.

   On the Central cluster primary data node run:

   [<ADMIN> ~]$ sudo tos cluster list

   sudo tos cluster list

   The output shows all connected clusters.

   Example output:

   $ sudo tos cluster list
   NAME    ID    IP                TYPE
   
   Central    1                    master
   RC1        2    192.168.75.156    data_collector

Downloads

1. Download the TufinOS 4.40 update package from the Download Center to your local machine.

2. Log in to the node you are updating as the tufin-admin user.

3. Transfer the TufinOS update package to /opt/misc.

4. Extract the TOS run file the archive.

   [<ADMIN> ~]$ sudo tar xzvf <FILENAME>.tgz

   sudo tar xzvf <FILENAME>.tgz

   The run file name includes the release, version, and build number.

   TufinOS update file example: TufinOS-4.20-639387-x86_64-8.8-Final-Update.run.tgz

5. Verify the integrity of the TufinOS installation package.

   [<ADMIN> ~]# sha256sum -c TufinOS-4.20-639387-x86_64-8.8-Final-Update.run.sha256

   sha256sum -c TufinOS-4.20-639387-x86_64-8.8-Final-Update.run.sha256

   The output should return OK

Update TufinOS

Update TufinOS in a High Availability Cluster

• Update without downtime

  • Update worker nodes

    (missing or bad snippet)
  • Update data nodes

    Repeat this procedure for all three data nodes. First update the non-primary data nodes and then update the primary data node.

    After updating a data node, run tos status and check if the System Status is ok and all the items listed under Components appear as ok. If this is not the case, wait for the database to sync before proceeding to update the next node.

    (missing or bad snippet)
• Update with downtime

  (missing or bad snippet)

Update TufinOS in Single Data Node Cluster

• Update worker nodes

  (missing or bad snippet)
• Update primary data node

  (missing or bad snippet)

Update TufinOS in a High Availability Cluster with Remote Collector Clusters

Follow the procedures above to update the nodes in the Central cluster and the Remote Collector clusters.

After updating all nodes:

• Check that the Remote Collector is still connected.

  1. Run the following command:

  [<ADMIN> ~]$ sudo tos cluster list

  sudo tos cluster list

  The output shows all connected clusters.

  Example output:

  $ sudo tos cluster list
  NAME    ID    IP                TYPE
  
  Central    1                    master
  RC1        2    192.168.75.156    data_collector

  2. If the Remote Collector cluster is not connected, run the following commands to connect it to the Central cluster, where:

     [<ADMIN> ~]$ sudo tos cluster connect --central-cluster-vip=CENTRAL-CLUSTER-VIP --remote-cluster-vip=REMOTE-CLUSTER-VIP --remote-cluster-name=REMOTE-CLUSTER-NAME --initial-secret=OTP

     sudo tos cluster connect --central-cluster-vip=CENTRAL-CLUSTER-VIP --remote-cluster-vip=REMOTE-CLUSTER-VIP --remote-cluster-name=REMOTE-CLUSTER-NAME --initial-secret=OTP

     where

     Parameter	Description	Required/Optional
     --central-cluster-vip	External IP address (VIP) of your central server cluster.	Required
     --remote-cluster-vip	External IP address (VIP) of the server you want to connect (i.e. the current server).	Required
     --remote-cluster-name	Any alphanumeric string you choose; quotes are not used so you cannot embed spaces.	Required
     --initial-secret	One-time password returned from running tos cluster generate-otp on the central server.	Required

Update TufinOS in Single Data Node Cluster with Remote Collector Clusters

Follow the procedures above to update the nodes in the Central cluster and the Remote Collector clusters.

After updating all nodes:

• Check that the Remote Collector is still connected.

  1. Run the following command:

  [<ADMIN> ~]$ sudo tos cluster list

  sudo tos cluster list

  The output shows all connected clusters.

  Example output:

  $ sudo tos cluster list
  NAME    ID    IP                TYPE
  
  Central    1                    master
  RC1        2    192.168.75.156    data_collector

  2. If the Remote Collector cluster is not connected, run the following commands to connect it to the Central cluster, where:

     [<ADMIN> ~]$ sudo tos cluster connect --central-cluster-vip=CENTRAL-CLUSTER-VIP --remote-cluster-vip=REMOTE-CLUSTER-VIP --remote-cluster-name=REMOTE-CLUSTER-NAME --initial-secret=OTP

     sudo tos cluster connect --central-cluster-vip=CENTRAL-CLUSTER-VIP --remote-cluster-vip=REMOTE-CLUSTER-VIP --remote-cluster-name=REMOTE-CLUSTER-NAME --initial-secret=OTP

     where

     Parameter	Description	Required/Optional
     --central-cluster-vip	External IP address (VIP) of your central server cluster.	Required
     --remote-cluster-vip	External IP address (VIP) of the server you want to connect (i.e. the current server).	Required
     --remote-cluster-name	Any alphanumeric string you choose; quotes are not used so you cannot embed spaces.	Required
     --initial-secret	One-time password returned from running tos cluster generate-otp on the central server.	Required