Upgrading Anti-Virus for VMware Tanzu

Learn how to upgrade Anti-Virus for VMware Tanzu (formerly known as ClamAV Add-on for PCF).

For product versions and upgrade paths, see Upgrade Planner.

Compatibility and prerequisites

See the following topics to ensure you have the required component versions and prerequisites:

Upgrade Considerations for Anti-Virus for VMware Tanzu

The upgrade instructions vary depending on the version of Anti-Virus for Tanzu you are currently using. See the table below for the new features to consider and the upgrade instructions to use.

If you are currently on...	When upgrading to v2.3...
v1.x	Uninstall ClamAV Add-on for PCF v1.x and install Anti-Virus v2.x tile. For upgrade instructions, see Replace Pivotal Anti-Virus v1.x with Anti-Virus for VMware Tanzu v2.x below.
v2.0	Decide whether to use Anti-Virus Mirror for Tanzu or an existing mirror. Anti-Virus for Tanzu now supports existing mirrors with TLS. For more information, see Using an Existing Mirror below. If required, configure the mirror port. For more information see Configuring the Mirror Port below. You can set Timeout to connect to the database server (in seconds). VMware recommends that you reset the value of CPU limit (Percentage). You must ensure that all VMs you install Anti-Virus for Tanzu on have at least 2 GB free RAM and 2 CPU. On Google Cloud Platform (GCP), the recommended minimum VM size is `micro.cpu`. You must set the field memory limit (in bytes) to at least `1610612736`. For upgrade instructions, see Upgrade Anti-Virus for VMware Tanzu to This Version from v2.0 below.
v2.1	You can set Timeout to connect to the database server (in seconds). VMware recommends that you reset the value of CPU limit (Percentage). You must ensure that all VMs you install Anti-Virus for Tanzu on have at least 2 GB free RAM and 2 CPU. On Google Cloud Platform (GCP), the recommended minimum VM size is `micro.cpu`. You must set the field memory limit (in bytes) to at least `1610612736`. For upgrade instructions, see Upgrade Anti-Virus for VMware Tanzu to This Version from v2.1 or Later below.
v2.2	You must ensure that all VMs you install Anti-Virus for Tanzu on have at least 2 GB free RAM and 2 CPU. On Google Cloud Platform (GCP), the recommended minimum VM size is `micro.cpu`. You must set the field memory limit (in bytes) to at least `1610612736`. For upgrade instructions, see Upgrade Anti-Virus for VMware Tanzu to This Version from v2.1 or Later below.

Replace Pivotal Anti-Virus v1.x with Anti-Virus for VMware Tanzu v2.x

To uninstall Pivotal Anti-Virus v1.x and install Anti-Virus for VMware Tanzu v2.x in its place:

Retrieve the latest runtime config YML by running:
```
bosh -e ENVIRONMENT runtime-config > PATH-TO-SAVE-THE-RUNTIME-CONFIG
```
Where:
- ENVIRONMENT is your environment
- PATH-TO-SAVE-THE-RUNTIME-CONFIG is the location where you want to save the runtime configuration.
For example:
```
$ bosh -e my-env runtime-config > /runtime/config/
```
In the runtime config YML, remove all ClamAV properties under the releases: and addons: sections.

Update the runtime config:

ENVIRONMENT=<insert variable here>
PATH-TO-SAVE-THE-RUNTIME-CONFIG=<insert variable here>
bosh -e $ENVIRONMENT update-runtime-config --name=clamav ${PATH-TO-SAVE-THE-RUNTIME-CONFIG}

Where:

ENVIRONMENT is your environment
PATH-TO-SAVE-THE-RUNTIME-CONFIG is the location of the runtime configuration you are updating.

For example:

$ bosh -e my-env update-runtime-config --name=clamav /runtime/config/

Follow the instructions in Installing and Configuring Anti-Virus for VMware Tanzu to set up the Anti-Virus for VMware Tanzu tile.

Upgrade Anti-Virus for VMware Tanzu to This Version from v2.0

Additional configurations might be required when upgrading from v2.0.x. This is because of the following features introduced in Anti-Virus for Tanzu v2.1:

Support for existing mirrors with Transport Layer Security (TLS). For more information, see Using an Existing Mirror.
Ability to configure the Mirror Port used by Anti-Virus for Tanzu. For more information see Configuring the Mirror Port.

To upgrade Anti-Virus for VMware Tanzu to v2.3 from v2.0, you must:

Update Anti-Virus for VMware Tanzu
Complete Configuring Anti-Virus for VMware Tanzu and Apply Changes

Update Anti-Virus for VMware Tanzu

To update Anti-Virus for VMware Tanzu:

Record the value in the CPU limit (percentage) field.

Note Upgrading to this version from v2.1 or earlier restores this field to the default value of 50%. All other configuration details are kept when upgrading.
Download the latest version of Anti-Virus for Tanzu from Broadcom Support to your local machine.
If you do not want to use an existing mirror, download the latest version Anti-Virus Mirror for Tanzu from Broadcom Support to your local machine.
Upload the new .pivotal files to Tanzu Operations Manager.
If required, upload any stemcells associated with the update.
Update any new mandatory configuration parameters. For information about what to configure for your version, see the table in Upgrade Considerations for Anti-Virus for VMware Tanzu above.

Complete Configuring Anti-Virus for VMware Tanzu and Apply Changes

The instructions to complete your configuration depend on whether:

You are using Anti-Virus Mirror for Tanzu and want to continue to using it. See Continue Using Anti-Virus Mirror for Tanzu below.
You are using an existing mirror. See Continue Using an Existing Mirror below.
You are currently using Anti-Virus Mirror for Tanzu, but want to switch to an existing mirror instead. See Switch to an Existing Mirror below.

Continue Using Anti-Virus Mirror for Tanzu

To complete your configuration if you are using Anti-Virus Mirror for Tanzu:

(Optional) To change the ports used by Anti-Virus for Tanzu and Anti-Virus Mirror for Tanzu, follow the instructions in Changing the Port Used by Anti-Virus for Tanzu and Anti-Virus Mirror for Tanzu.
If you have not done so as part of a previous step, apply configuration changes for your whole foundation:
1. Return to the Tanzu Operations Manager Installation Dashboard and click Review Pending Changes.
2. Select all the products in your foundation and click Apply Changes.

Continue Using an Existing Mirror

To complete your configuration if you are using an existing mirror:

Check that the port used by Anti-Virus for Tanzu and your mirror are the same. If they are not, configure the Mirror Port used for Anti-Virus for Tanzu:
- To change the Mirror Port in Anti-Virus for Tanzu to use the port that your existing mirror uses, follow the procedure in Change the Port in the Anti-Virus for Tanzu Tile.
- To change the port on your existing mirror to use the Anti-Virus for Tanzu default of 6501, do that now.
If you have not done so as part of a previous step, apply configuration changes for your whole foundation:
1. Return to the Tanzu Operations Manager Installation Dashboard and click Review Pending Changes.
2. Select all the products in your foundation and click Apply Changes.

Switch to an Existing Mirror

To complete your configuration if you are currently using Anti-Virus Mirror for Tanzu, but want to switch to an existing mirror instead:

Follow the instructions in Changing the port used by Anti-Virus for Tanzu with an existing mirror.

Upgrade Anti-Virus for VMware Tanzu to This Version from v2.1 or Later

To upgrade Anti-Virus for VMware Tanzu to v2.3 from v2.1 or later:

If you are upgrading from v2.1, record the value in the CPU limit (percentage) field.

Note Upgrading to this version from v2.1 or earlier restores this field to the default value of 50%. All other configuration details are kept when upgrading.
Download the latest version of Anti-Virus for Tanzu from Broadcom Support to your local machine.
If you do not have an existing mirror, download the latest version Anti-Virus Mirror for Tanzu from Broadcom Support to your local machine.
Upload the new .pivotal files to Tanzu Operations Manager.
If required, upload any stemcells associated with the update.
Update any new mandatory configuration parameters. For information about what to configure for the version you are updating to, see the table in Upgrade Considerations for Anti-Virus for VMware Tanzu above.
Return to the Tanzu Operations Manager Installation Dashboard and click Review Pending Changes.
Ensure all products are selected and click Apply Changes.

Use an Existing Mirror

In v2.1.3, Anti-Virus for Tanzu only supported TLS when using mutual TLS (mTLS) with Anti-Virus Mirror for Tanzu.
In v2.1.6 and later, Anti-Virus for Tanzu permits the use of an existing mirror with TLS.

Note mTLS is not available when using an existing mirror. The existing mirror serves the database files, which are outside of VMware's control, and does not require two way authentication with the Anti-Virus for Tanzu process. Anti-Virus for Tanzu only needs to verify that it is communicating with the correct server by verifying its certificate.

If you are currently using Anti-Virus Mirror for Tanzu and want to use an existing mirror instead, VMware recommends that you configure Anti-Virus for Tanzu to use the new mirror before uninstalling Anti-Virus Mirror for Tanzu.

Configure the Mirror Port

In v2.0.x, the port used by Anti-Virus for Tanzu and Anti-Virus Mirror for Tanzu was 80 and was not configurable. In v2.1.x and later, the default port used is 6501 and is now configurable.

If you are using the Anti-Virus Mirror for Tanzu with Anti-Virus for Tanzu, do one of the following:

To use the default port with Anti-Virus for Tanzu and Anti-Virus Mirror for Tanzu, then you do not need to make any changes after upgrading.
To change the ports used by Anti-Virus for Tanzu and Anti-Virus Mirror for Tanzu, see Upgrade Anti-Virus for VMware Tanzu to This Version from v2.0 above.

If you are using an existing mirror with Anti-Virus for Tanzu, do one of the following:

Configure your existing mirror to use the default 6501 port used by Anti-Virus for Tanzu.
Configure Anti-Virus for Tanzu to use the port used by your existing mirror. To do this, see Upgrade Anti-Virus for VMware Tanzu to This Version from v2.0 above.