AirGap Vault Agent - Re-deployment Upgrade
Upgrade Pre-checks
1. Customers must have eyeglass user password of both Vault and source PowerScale clusters.
2. SSH to AirGap Vault Agent VM as ecaadmin user.
3. Get output of the following commands and copy them to a notepad:
   a. ecactl isilons list
   b. history | grep "isilon add"
      Note: This command should return the isilon add command used during deployment from the history log, so you don't have to rebuild the command. If the output is empty, that's OK — you will need to rebuild the command to add clusters post upgrade.
   c. cat /opt/superna/eca/eca-env-common.conf
4. Run the following commands to verify AirGap is working:
   a. ecactl airgap syncjob
      - Output should be the list of airgap job names.
   b. ecactl airgap check --prod <NAME_OF_PROD_CLUSTER>
      (name of the protected cluster will be in the Step 3.a output)
      - Output should show connection to the production Eyeglass as succeeded. If failing, open a support ticket to troubleshoot further.
      - If multiple production Isilons, test for each separately.
5. If all looks good, proceed with upgrade.
Upgrade Steps
1. On the old AirGap Vault Agent VM, run
      ecactl cluster down
   to bring the cluster down, then Power Off the old VM.
2. Download the latest OVF file from the support portal: https://support.superna.net/hc/en-us
3. Deploy the new AirGap Vault Agent VM with the same or different network details.
4. Deploy the new EVA VM with the same cluster name. You can find the name under the ECA_CLUSTER_ID flag in the /opt/superna/eca/eca-env-common.conf file.
5. Power On the new AirGap Vault Agent VM.
6. Verify the configuration is correct:
   a. SSH to the new EVA VM with ecaadmin user.
   b. Switch to root user:
         sudo su
   c. ovf print-env
      Note: Mode should be vault-agent.
   d. df -h
      Note: zkramdisk should not be present.
   e. cat /etc/fstab
      Note: The tmpfs line should not be present. If present, follow the steps below to remove it:
      - Run:
           nano /etc/fstab
      - Remove the line:
           tmpfs /opt/superna/mnt/zk-ramdisk tmpfs nodev,nosuid,noexec,nodiratime,size=512M 0 0
      - Save the file:
        - Press Ctrl+X
        - Answer yes to save and exit the nano editor.
      - Run:
7. Update /opt/superna/eca/eca-env-common.conf with the old AirGap Vault Agent VM details.
8. Update NTP server IP if required:
   a. nano /etc/chrony.d/pool.conf
   b. Remove default entries and update with the internal NTP server IP.
   c. Save the file:
      - Press Ctrl+X
      - Answer yes to save and exit the nano editor.
   d. Restart the service:
         systemctl restart chronyd.service
9. Run:
      sudo systemctl restart docker
10. Run:
       ecactl cluster up
    Warning: Do NOT use the --clean flag, otherwise zk-ramdisk gets cleared.
11. Once the cluster is up, add Vault and source PowerScale clusters:
    a. Run:
          ecactl isilon add \
            --vaulthost x.x.x.x \
            --user eyeglass \
            --vaultPoolName groupnet0.subnet0.xxx \
            --vaultsynciqexternalInterface 1:ext-1,2:ext-1,3:ext-1,4:ext-1
    b. Run:
          ecactl isilon add \
            --protectedhost x.x.x.x \
            --protectedManagementNode X \
            --user eyeglass
       Note: Use the command copied from the old AirGap Vault Agent VM history command output. Otherwise, update the command above based on the output of ecactl isilons list.
12. Update ecaadmin user default password:
    a. Switch to root user:
          sudo su
    b. Update password:
          passwd ecaadmin
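
The /etc/fstab and df -h checks from the configuration verification step, written as a script instead of a manual nano edit. This is an added example, not Superna code or tooling: the function names are hypothetical, the mount point is taken from the tmpfs line shown above, and matching both "zkramdisk" and "zk-ramdisk" in the df output is an assumption.

```shell
#!/usr/bin/env bash
# Added example (not vendor code). Run as root on the new VM.
ZK_MOUNT="/opt/superna/mnt/zk-ramdisk"   # mount point from the fstab line on this page

# Exit 0 if FILE has an active (uncommented) tmpfs entry for the zk-ramdisk mount.
has_zk_tmpfs() {
    awk -v mp="$ZK_MOUNT" '
        /^[ \t]*#/ { next }
        $2 == mp && $3 == "tmpfs" { found = 1 }
        END { exit (found ? 0 : 1) }' "$1"
}

# Remove the zk-ramdisk entry from FILE, keeping a timestamped backup beside it.
# Comment lines and all other mounts are left untouched. Prints the backup path.
remove_zk_tmpfs() {
    local file="$1" backup tmp
    has_zk_tmpfs "$file" || return 0            # nothing to do
    backup="${file}.bak.$(date +%Y%m%d%H%M%S)"
    cp -p "$file" "$backup" || return 1
    tmp="$(mktemp "${file}.XXXXXX")" || return 1
    if awk -v mp="$ZK_MOUNT" '
        /^[ \t]*#/ { print; next }
        $2 == mp && $3 == "tmpfs" { next }
        { print }' "$file" > "$tmp"
    then
        cat "$tmp" > "$file"                    # overwrite in place: keeps owner and mode
    fi
    rm -f "$tmp"
    echo "$backup"
}

# Exit 0 if df output on stdin still shows the ramdisk (either spelling).
zk_mounted() {
    grep -Eq 'zk-?ramdisk'
}

# Usage on the VM (hypothetical invocation):
#   remove_zk_tmpfs /etc/fstab
#   df -h | zk_mounted && echo "zk-ramdisk is still mounted"
```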
Post Upgrade Checks
1. Run
      ecactl isilons list
   and verify the output is the same as before the upgrade.
2. Run the following commands to verify AirGap is working:
   a. ecactl airgap syncjobs
      - Output should be the list of airgap job names and scheduled job times.
   b. ecactl airgap check --prod <NAME_OF_PROD_CLUSTER>
      (name of the protected Isilon will be in the Step 1 output)
      - Output should show connection to the production Eyeglass as succeeded. If failing, open a support ticket to troubleshoot further.
3. Verify the AirGap job list:
      ecactl airgap list
4. Start an AirGap job if required, or wait for the scheduled run:
      ecactl airgap startjob --job <job name>
   (job name can be retrieved from Step 3 output)
5. View the job status:
      ecactl jobs view --follow --id <Job_ID>
   (Job ID can be retrieved from Step 4 output)