Changeset View
Changeset View
Standalone View
Standalone View
sysadm/network-architecture/how-to-upgrade-firewall-os.rst
| .. _upgrade_firewall_os: | .. _upgrade_firewall_os: | ||||
| How to upgrade firewall OS | How to upgrade firewall OS | ||||
| ========================== | ========================== | ||||
| .. todo:: | .. admonition:: Intended audience | ||||
| This page is a work in progress. For now, please refer to the existing documentation :ref:`swh-devel:network_configuration`. | :class: important | ||||
| No newline at end of file | |||||
| sysadm staff members. | |||||
| Initial status | |||||
| ^^^^^^^^^^^^^^ | |||||
| This is the nominal status of the firewalls: | |||||
| .. list-table:: | |||||
| :header-rows: 1 | |||||
| * - Firewall | |||||
| - Status | |||||
| * - pushkin | |||||
| - PRIMARY | |||||
| * - glyptotek | |||||
| - BACKUP | |||||
| Preparation | |||||
| ^^^^^^^^^^^ | |||||
| * Connect to the `principal <https://pushkin.internal.softwareheritage.org>`_ (pushkin | |||||
| here) | |||||
| * Check the `CARP status | |||||
| <https://pushkin.internal.softwareheritage.org/carp_status.php>`_ to ensure the | |||||
| firewall is the principal (must have the status MASTER for all the IPS) | |||||
| * Connect to the `backup <https://glyptotek.internal.softwareheritage.org>`_ (glytotek | |||||
| here) | |||||
| * Check the `CARP status | |||||
| <https://glyptotek.internal.softwareheritage.org/carp_status.php>`__ to ensure the | |||||
| firewall is the backup (must have the status BACKUP for all the IPS) | |||||
| * Ensure the 2 firewalls are in sync: | |||||
| * On the principal, go to the `High availability status | |||||
| <https://pushkin.internal.softwareheritage.org/status_habackup.php>`_ and force a | |||||
| synchronization | |||||
| * click on the button on the right of ``Synchronize config to backup`` | |||||
| .. image:: ../images/infrastructure/network/sync.png | |||||
| * Switch the principal/backup to prepare the upgrade of the master (The switch is | |||||
| transparent from the user perspective and can be done without service interruption) | |||||
| * [1] On the principal, go to the `Virtual IPS status | |||||
| <https://pushkin.internal.softwareheritage.org/carp_status.php>`_ page | |||||
| * Activate the CARP maintenance mode | |||||
| .. image:: ../images/infrastructure/network/carp_maintenance.png | |||||
| * check the status of the VIPs, they must be ``BACKUP`` on pushkin and ``PRIMARY`` on glyptotek | |||||
| * wait a few minutes to let the monitoring detect if there are connection issues, check | |||||
| ssh connection on several servers on different VLANs (staging, admin, ...) | |||||
| If everything is ok, proceed to the next section. | |||||
| Upgrade the first firewall | |||||
| ^^^^^^^^^^^^^^^^^^^^^^^^^^ | |||||
| Before starting this section, the firewall statuses should be: | |||||
| .. list-table:: | |||||
| :header-rows: 1 | |||||
| * - Firewall | |||||
| - Status | |||||
| * - pushkin | |||||
| - BACKUP | |||||
| * - glyptotek | |||||
| - PRIMARY | |||||
| If not, be sure of what you are doing and adapt the links accordingly | |||||
| * [2] go to the `System Firmware: status | |||||
| <https://pushkin.internal.softwareheritage.org/ui/core/firmware#status>`_ page | |||||
| (pushkin here) | |||||
| * Click on the ``Check for upgrades`` button | |||||
| .. image:: ../images/infrastructure/network/check_for_upgrade.png | |||||
| * follow the interface indication, one or several reboots can be necessary depending to | |||||
| the number of upgrade to apply | |||||
| .. image:: ../images/infrastructure/network/proceed_update.png | |||||
| * repeat from the ``Check for upgrades`` operation until there is no upgrades to apply | |||||
| * Switch the principal/backup to restore ``pushkin`` as the principal: | |||||
| * on the current backup (pushkin here) go to `Virtual IPS status | |||||
| <https://pushkin.internal.softwareheritage.org/carp_status.php>`_ | |||||
| * [3] click on `Leave Persistent CARP Maintenance Mode` | |||||
| .. image:: ../images/infrastructure/network/reactivate_carp.png | |||||
| * refresh the page, the role should have changed from ``BACKUP`` to ``MASTER`` | |||||
| * check on the other firewall, if the roles is indeed ``BACKUP`` for all the IPs | |||||
| * Wait few moment to ensure everything is ok with the new version | |||||
| Upgrade the second firewall | |||||
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^ | |||||
| Before starting this section, the firewall statuses should be: | |||||
| .. list-table:: | |||||
| :header-rows: 1 | |||||
| * - Firewall | |||||
| - Status | |||||
| * - pushkin | |||||
| - PRIMARY | |||||
| * - glyptotek | |||||
| - BACKUP | |||||
| If not, be sure of what you are doing and adapt the links accordingly | |||||
| * Proceed to the second firewall upgrade | |||||
| * perform [1] on the backup (should be ``glyptotek`` here) | |||||
| * perform [2] on the backup (should be ``glyptotek`` here) | |||||
| * perform [3] on the backup (should be ``glyptotek`` here) | |||||