Upgrading CTE on Linux
This chapter describes how to upgrade an existing CipherTrust Transparent Encryption (CTE) client and contains the following sections:
Upgrading CTE
This section describes the generic instructions for interactively upgrading CTE. If there are any changes to this procedure for the current release of CTE, those changes will be documented in the CTE Release Notes.
If you want to schedule an upgrade to occur the next time the system boots, see Scheduled Upgrade Feature.
- Stop any application accessing files in the GuardPoint.
- Log on to the host where you will upgrade CTE. You must have root access.
- Copy or mount the installation file onto the host system.
- Start the upgrade by executing the install program for the release to which you want to upgrade. If you want to automatically accept the CTE License Agreement, you can include the -y parameter.
  For example, the following command upgrades the product to version after the user manually reviews and accepts the CTE License Agreement:
  ./vee-fs-7.3.0-135-rh8-x86_64.bin
  The following command upgrades the product to version but automatically accepts the CTE License Agreement:
  ./vee-fs-7.3.0-135-rh8-x86_64.bin -y
- Follow the prompts. During an upgrade, the following message displays. Enter Y at the prompt:
  Upgrade detected: this product will be stopped and restarted.
  Do you wish to proceed with the upgrade? (Y/N) [Y]: Y
  Installation success.
  You will not do the registration steps since CTE is already registered with the Key Manager.
- To verify that the upgrade was successful, use the vmd -v command:
  vmd -v
  Version 6, Service Pack 2
  <Release.build-number>
  2022-02-04
  Copyright (c) 2009-2022, Thales. All rights reserved.
Scheduled Upgrade Feature
Note
Scheduled upgrade on reboot is not supported on HDFS nodes.
Warnings for CTE for Linux
- Prior to upgrading your system, perform a backup or take a snapshot of your system.
- As with prior CTE versions, Key Manager connectivity is required during upgrade.
- Yum updates or OS patches should be applied prior to the CTE upgrade on reboot.
- If you upgrade from a compatible kernel to an incompatible kernel, the secfs module will fail to load on the next reboot.
- You may see the following behavior if the upgrade on reboot fails due to a crash or a power failure (this is similar to a failure during a normal upgrade):
  - If a crash or power failure occurs before the upgrade executes, the upgrade will not take place, and the currently installed CTE version continues to run after the reboot. Restart the system to upgrade successfully.
  - If a crash or power failure occurs during the upgrade, CTE may enter an inconsistent state. Perform a restore from your backup, or roll back to the snapshot that you just took. Then, start the upgrade again.
  - If a crash or power failure occurs after a successful upgrade, then the new version will run on the next reboot. No user intervention is required in this case.
- During reboot or shutdown, all applications and services dependent on CTE services must be stopped before a scheduled update takes place. Failure to stop these services can result in an aborted scheduled upgrade during the system reboot. Examples of situations that may cause an aborted upgrade are applications with open files in a CTE GuardPoint, or third-party anti-virus software performing periodic scans.
  For examples of how to set up CTE start/stop dependencies with other programs, see CTE and systemd.
Using the Scheduled Upgrade Feature
The following procedure describes how to use voradmin to schedule an upgrade that will be applied the next time the machine reboots.
- If you want to check which version of CTE for Linux you currently have installed, use the vmd -v command:
  vmd -v
  Version 6, Service Pack 2
  7.0.0.47
  2022-02-04
  Copyright (c) 2009-2022, Thales. All rights reserved.
- To schedule an upgrade on reboot, use the following command:
  voradmin upgrade schedule <path_to_CTE_installer_binary> -y [-t <custom_extraction_path>]
  where:
  - <path_to_CTE_installer_binary> is the full path to the CTE installation file for the release to which you want to upgrade. For example, ./vee-fs-7.0.0-129-rh8-x86_64.bin.
  - -y is an optional parameter that automatically accepts the CTE License Agreement. If you do not specify this parameter, the installer displays the CTE License Agreement and you must manually accept it before the upgrade can be scheduled.
  - [-t <custom_extraction_path>] is an optional parameter that specifies a custom extraction directory in which you want CTE to store the temporary files it needs during the upgrade. The default is /var/tmp/, but on some systems /var/tmp/ is restricted and not available for use.
    Exceptions: Do not use the -t option on protected paths, GuardPoint paths, or paths which do not have sufficient permissions to copy/extract the target binary.
  For example, if you are upgrading to version 7.2.0.xx and you want to automatically accept the license agreement and use a custom directory, you would type:
  voradmin upgrade schedule ./vee-fs-7.2.0-98-rh8-x86_64 -y -t /my_custom_dir
  Note
  The [-t] option is only supported by CTE v7.2 and subsequent versions.
- If you want to verify that the upgrade was successfully scheduled, use the voradmin upgrade show command:
  voradmin upgrade show
  Upgrade on reboot is currently scheduled.
  Current CTE version is 7.0.0.47, upgrade on reboot scheduled for CTE 7.1.0.66.
- Reboot the machine, then log in and verify that the upgrade was successful.
  vmd -v
  Version 6, Service Pack 2
  7.1.0.66
  2022-02-04
  Copyright (c) 2009-2022, Thales. All rights reserved.
Note
The upgrade writes the relevant log messages to syslog.
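The two verification steps in this procedure can be scripted when many hosts are upgraded. The following is an added example, not part of the Thales documentation or product: it parses the `vmd -v` and `voradmin upgrade show` output formats shown on this page and classifies a host against a target version. The function names, the state labels, and the assumption that `voradmin upgrade show` omits the "scheduled for CTE" phrase when nothing is scheduled are assumptions of this example.

```shell
#!/bin/sh
# Added example (not Thales code): classify a host's scheduled-upgrade state
# from the `vmd -v` and `voradmin upgrade show` output formats on this page.

# Print the dotted build version (e.g. 7.0.0.47) found in `vmd -v` output.
vmd_version() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*\([0-9][0-9]*\(\.[0-9][0-9]*\)\{3\}\)[[:space:]]*$/\1/p' |
        head -n 1
}

# Print the version an upgrade on reboot is scheduled for; empty if none.
scheduled_version() {
    printf '%s\n' "$1" |
        sed -n 's/.*upgrade on reboot scheduled for CTE \([0-9.]*[0-9]\).*/\1/p' |
        head -n 1
}

# upgrade_state TARGET VMD_OUTPUT SHOW_OUTPUT
# Prints one of: done, pending, mismatch, unscheduled, unknown.
# Assumption: no "scheduled for CTE" phrase means nothing is scheduled.
upgrade_state() {
    target=$1
    current=$(vmd_version "$2")
    sched=$(scheduled_version "$3")
    if [ -z "$current" ]; then echo unknown            # vmd -v output not recognised
    elif [ "$current" = "$target" ]; then echo done    # target release is running
    elif [ "$sched" = "$target" ]; then echo pending   # reboot still required
    elif [ -n "$sched" ]; then echo mismatch           # a different release is queued
    else echo unscheduled                              # old version, nothing queued
    fi
}

# Constructed samples, copied from the command output shown on this page.
VMD_BEFORE='Version 6, Service Pack 2
7.0.0.47
2022-02-04
Copyright (c) 2009-2022, Thales. All rights reserved.'
VMD_AFTER=$(printf '%s\n' "$VMD_BEFORE" | sed 's/7\.0\.0\.47/7.1.0.66/')
SHOW_SCHEDULED='Upgrade on reboot is currently scheduled.
Current CTE version is 7.0.0.47, upgrade on reboot scheduled for CTE 7.1.0.66.'

# On a CTE host: upgrade_state 7.1.0.66 "$(vmd -v)" "$(voradmin upgrade show)"
echo "before reboot: $(upgrade_state 7.1.0.66 "$VMD_BEFORE" "$SHOW_SCHEDULED")"
echo "after reboot:  $(upgrade_state 7.1.0.66 "$VMD_AFTER" "")"
```

A `mismatch` or `unscheduled` result before the reboot means the host would come back up on a release other than the intended one, which is worth catching before the maintenance window.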
Performing a Manual Upgrade When an Upgrade is Already Scheduled
If an administrator runs a manual upgrade after an upgrade has already been scheduled, the installer displays the following warning:
WARNING: upgrade on reboot is already scheduled for 7.1.0.66.
Do you want to cancel scheduled upgrade on reboot ? (Y/N) [Y] :
If the administrator does not cancel the scheduled upgrade, the scheduled upgrade takes precedence and the manual upgrade fails with the message:
Already scheduled upgrade on reboot remains intact.
Installation failure.
If the administrator wants to proceed with the manual upgrade immediately, they must enter Y at the prompt to cancel the scheduled upgrade:
WARNING: upgrade on reboot is already scheduled for 7.1.0.66.
Do you want to cancel scheduled upgrade on reboot ? (Y/N) [Y] : Y
WARNING: upgrade on reboot is cancelled for 7.1.0.66. Proceeding with manual upgrade.
Upgrade detected: this product will be stopped and restarted.
Do you wish to proceed with the upgrade? (Y/N) [Y]: Y
.............
Upgrade success.
To verify that the upgrade succeeded, the administrator can use the vmd -v command:
vmd -v
Version 6, Service Pack 2
7.1.0.66
2022-02-04
Copyright (c) 2009-2022, Thales. All rights reserved.
To cancel an existing scheduled upgrade on reboot:
voradmin upgrade cancel
Successfully cancelled upgrade on reboot
Upgrading CTE agents in an LDT Communication Group from 7.4.0 to 7.5.0 and post 7.5.0
When upgrading an LDT Communication Group, you must stop CTE on all of the nodes to be upgraded before upgrading them.
- Disable the GuardPoints on the nodes to be upgraded:
  - Go to the CipherTrust Manager UI.
  - In the GuardPoint window, click the ellipsis on the right side of a GuardPoint and select disable to disable the GuardPoint.
  - Repeat the steps for all of the GuardPoints on the nodes to be upgraded.
- Stop the CTE service on all of the nodes to ensure that all of the GuardPoints are unguarded.
  For Windows:
  - Go to Control Panel > Services (local).
  - Select secfsd.
  - Select Stop the Service.
  For Linux, type:
  /etc/vormetric/secfs stop
- Upgrade CTE on all of the nodes.
- If your setup contains manual directory type GuardPoints, then you must run secfsd -guard <gp> to guard the GuardPoints again after the upgrade.
- Verify that the GuardPoints are guarded on all of the nodes. Type:
  # secfsd -status guard