Update TufinOS 4.x to 4.40
Overview
This procedure is for updating TufinOS 4 to the latest version.
TufinOS updates are additions to the current version of the operating system. Unlike an upgrade, which replaces the operating system completely, an update enhances TufinOS with the latest security and performance features and addresses any issues in order to provide a better working experience.
This procedure does not require reinstalling TOS.
The type of procedure you need to perform will depend on your deployment:
- High Availability:
  - Without downtime - Update the worker nodes, and then update TufinOS on each data node separately. For more information on HA, see High Availability.
    After updating a data node, run tos status and check if the System Status is ok and all the items listed under Components appear as ok. If this is not the case, wait for the database to sync before proceeding to update the next node.
  - With downtime - Power down TOS on all nodes in the cluster and then proceed to update TufinOS on all your nodes.
- Single data node cluster: First update the worker nodes and then update the data node. During the update itself, there will be some downtime as all TOS processes will need to be stopped and then restarted.
- High Availability Central Cluster + Remote Collector clusters:
  - Central Cluster - See High Availability bullet above.
  - Remote Collector Clusters - First update the worker nodes, and then update TufinOS on the data node. Repeat for each remote cluster. For more information on Remote Collector clusters, see Remote Collectors.
    High availability is not supported for Remote Collector clusters.
- Single data node cluster + Remote Collector clusters: First update the central cluster: worker nodes and then data node. Afterwards, repeat for each Remote Collector cluster.
Preliminary Preparations
- Verify that your deployment is compatible with TufinOS 4.40
  - Check your current TufinOS version:
    Your TufinOS release appears in the output. If the command is not recognized, you have a non-TufinOS operating system and cannot upgrade using this procedure.
  - Review the compatibility and requirements and supported upgrade paths for TufinOS 4.40 and verify that you can perform the procedure.
- Check the cluster health.
  - On the primary data node, check the following status.
    In the output under the line k3s.service - Aurora Kubernetes, two lines should appear - Loaded... and Active... similar to the example below. If they appear, continue with the next step, otherwise contact Tufin Support for assistance.
    Example output:
    [<ADMIN> ~]$ sudo systemctl status k3s
    [root@TufinOS ~]# systemctl status k3s
    Redirecting to /bin/systemctl status k3s.service
    ● k3s.service - Aurora Kubernetes
       Loaded: loaded (/etc/systemd/system/k3s.service; enabled; vendor preset: disabled)
       Active: active (running) since Tue 2021-08-24 17:14:38 IDT; 1 day 18h ago
         Docs: https://k3s.io
      Process: 1241 ExecStartPre=/sbin/modprobe overlay (code=exited, status=0/SUCCESS)
      Process: 1226 ExecStartPre=/sbin/modprobe br_netfilter (code=exited, status=0/SUCCESS)
     Main PID: 1250 (k3s-server)
        Tasks: 1042
       Memory: 2.3G
  - On the same node or nodes, check the TOS status.
    In the output, if the System Status is Ok and all the items listed under Components appear as ok, continue with the next steps. Otherwise contact Tufin Support for assistance.
    Example output:
    [<ADMIN> ~]$ sudo tos status
    Tufin Orchestration Suite 2.0
    System Status: Ok
    System Mode: Multi Node
    Nodes: 1 Master, 1 Worker. Total 2 nodes. Nodes are healthy.
    Components:
    Node: Ok
    Cassandra: Ok
    Mongodb: Ok
    Mongodb_sc: Ok
    Nats: Ok
    Neo4j: Ok
    Postgres: Ok
    Postgres_sc: Ok
Downloads
- Download the TufinOS 4.40 update package from the Download Center to your local machine.
- Log in to the node you are updating as the tufin-admin user.
- Transfer the TufinOS update package to /opt/misc.
- Extract the TOS run file from the archive.
  The run file name includes the release, version, and build number.
  TufinOS update file example:
  TufinOS-4.20-639387-x86_64-8.8-Final-Update.run.tgz
- Verify the integrity of the TufinOS installation package.
  [<ADMIN> ~]# sha256sum -c TufinOS-4.20-639387-x86_64-8.8-Final-Update.run.sha256
  The output should return OK.
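sha256sum -c checks whichever file names the checksum file lists, so the step above only protects the run file if that file is actually named there. The following added example (not Tufin's code) fails closed unless the checksum file has exactly one entry for the run file you pass and the digest matches; the function name and return codes are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not Tufin code.
# verify_update_package RUN_FILE SHA256_FILE
#   0 = digest matches          1 = digest mismatch
#   2 = a file is missing       3 = no single valid entry for RUN_FILE
# Assumes the run file name contains no spaces.
verify_update_package() {
    run_file=$1
    sum_file=$2
    [ -f "$run_file" ] && [ -f "$sum_file" ] || {
        echo "missing run file or checksum file" >&2; return 2; }
    name=$(basename "$run_file")

    # Checksum lines are "<64 hex digits>  <name>" (or "*<name>" in binary mode).
    # Accept exactly one well-formed entry whose name equals the run file name.
    expected=$(awk -v n="$name" '
        { f = $2; sub(/^\*/, "", f) }
        f == n && length($1) == 64 && $1 !~ /[^0-9a-fA-F]/ { print tolower($1); c++ }
        END { if (c != 1) exit 1 }' "$sum_file") || {
        echo "no single valid entry for $name in $sum_file" >&2; return 3; }

    # Hash the file that will actually be executed and compare.
    actual=$(sha256sum "$run_file" | awk '{ print $1 }')
    [ "$actual" = "$expected" ] || {
        echo "digest mismatch for $name" >&2; return 1; }
    echo "$name: OK"
}

# Usage (placeholder names):
#   verify_update_package /opt/misc/<run file> /opt/misc/<run file>.sha256 || exit 1
```

Run it before executing the run file and stop the update on any non-zero return.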
Update TufinOS
Update TufinOS in a High Availability Cluster
- Update without downtime
  - Update worker nodes
  - Update data nodes
    Repeat this procedure for all three data nodes. First update the non-primary data nodes and then update the primary data node.
    After updating a data node, run tos status and check if the System Status is ok and all the items listed under Components appear as ok. If this is not the case, wait for the database to sync before proceeding to update the next node.
- Update with downtime
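The tos status check required between data node updates in the no-downtime procedure can be scripted as a gate. This is an added example, not Tufin's code: it assumes tos status prints one "Name: Status" pair per line with Components as the last section, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not Tufin code. Assumes `tos status` prints one "Name: Status"
# pair per line and that Components is the last section of the output.

# Reads `tos status` output on stdin; returns 0 only when System Status is Ok
# and every entry listed after "Components:" is Ok (compared case-insensitively).
tos_status_healthy() {
    awk '
        /^[ \t]*System Status:/ { sys = tolower($NF) }
        /^[ \t]*Components:/    { in_comp = 1; next }
        in_comp && /:/ {
            n++
            name = $0; sub(/:.*/, "", name); gsub(/^[ \t]+/, "", name)
            if (tolower($NF) != "ok") { bad++; print "not ok: " name > "/dev/stderr" }
        }
        END {
            if (sys != "ok") { print "System Status is not Ok" > "/dev/stderr"; exit 1 }
            if (n == 0)      { print "no Components listed" > "/dev/stderr"; exit 1 }
            exit (bad > 0)
        }'
}

# wait_for_healthy TRIES DELAY_SECONDS CMD...
# Re-runs CMD until its output passes the gate; returns 1 when tries run out.
wait_for_healthy() {
    tries=$1; delay=$2; shift 2
    i=1
    while [ "$i" -le "$tries" ]; do
        if "$@" 2>/dev/null | tos_status_healthy 2>/dev/null; then return 0; fi
        [ "$i" -lt "$tries" ] && sleep "$delay"
        i=$((i + 1))
    done
    return 1
}

# Constructed sample in the assumed layout, for trying the gate offline.
sample_tos_status() {
    printf '%s\n' 'System Status: Ok' 'System Mode: Multi Node' \
        'Components:' 'Node: Ok' 'Cassandra: Ok' 'Postgres: Ok'
}

# Usage on a node: wait_for_healthy 30 60 sudo tos status || exit 1
```

A missing or empty status output counts as unhealthy, so a failed command never lets the next node update start.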
Update TufinOS in Single Data Node Cluster
- Update worker nodes
- Update primary data node
Update TufinOS in a High Availability Cluster with Remote Collector Clusters
Follow the procedures above to update the nodes in the Central cluster and the Remote Collector clusters.
After updating all nodes:
- Check that the Remote Collector is still connected.
  - Run the following command:
  - If the Remote Collector cluster is not connected, run the following commands to connect it to the Central cluster:
    [<ADMIN> ~]$ sudo tos cluster connect --central-cluster-vip=CENTRAL-CLUSTER-VIP --remote-cluster-vip=REMOTE-CLUSTER-VIP --remote-cluster-name=REMOTE-CLUSTER-NAME --initial-secret=OTP
    where:

    | Parameter | Description | Required/Optional |
    |---|---|---|
    | --central-cluster-vip | External IP address (VIP) of your central server cluster. | Required |
    | --remote-cluster-vip | External IP address (VIP) of the server you want to connect (i.e. the current server). | Required |
    | --remote-cluster-name | Any alphanumeric string you choose; quotes are not used so you cannot embed spaces. | Required |
    | --initial-secret | One-time password returned from running tos cluster generate-otp on the central server. | Required |

The output shows all connected clusters.
Example output:
Update TufinOS in Single Data Node Cluster with Remote Collector Clusters
Follow the procedures above to update the nodes in the Central cluster and the Remote Collector clusters.
After updating all nodes:
- Check that the Remote Collector is still connected.
  - Run the following command:
  - If the Remote Collector cluster is not connected, run the following commands to connect it to the Central cluster:
    [<ADMIN> ~]$ sudo tos cluster connect --central-cluster-vip=CENTRAL-CLUSTER-VIP --remote-cluster-vip=REMOTE-CLUSTER-VIP --remote-cluster-name=REMOTE-CLUSTER-NAME --initial-secret=OTP
    where:

    | Parameter | Description | Required/Optional |
    |---|---|---|
    | --central-cluster-vip | External IP address (VIP) of your central server cluster. | Required |
    | --remote-cluster-vip | External IP address (VIP) of the server you want to connect (i.e. the current server). | Required |
    | --remote-cluster-name | Any alphanumeric string you choose; quotes are not used so you cannot embed spaces. | Required |
    | --initial-secret | One-time password returned from running tos cluster generate-otp on the central server. | Required |

The output shows all connected clusters.
Example output: