After upgrading the latest version of PostgreSQL, Redis, and Salt, you then need to upgrade the RaaS node from the previous version to the latest version.

Be aware that database upgrades require re-indexing data. If your data is complex, a database upgrade could potentially take several hours. For a discussion of when to plan an upgrade and other tips, see Best practices when upgrading.

Important:

Before upgrading your RaaS node, you must back up your system data to avoid data loss. For an explanation of which files and directories must be backed up before upgrading, see Back up your data.

To upgrade the RaaS node:

  1. Download the upgrade files from Customer Connect.
  2. Save any changes you made to the default file system, pillar data, and jobs as new files or jobs.
  3. Note any pillar assignments that are made to the default targets. These need to be re-assigned after upgrade.
  4. Stop the RaaS service using the following command:
    sudo systemctl stop raas
  5. Remove the log file(s) in the /var/log/raas directory. Clearing the log files provides a clean log file if troubleshooting is necessary.
  6. Remove the currently installed version of the API (RaaS) with the following command:
    sudo yum remove raas
  7. Upgrade the RaaS node by installing the latest RPM. Use the following example command, replacing the exact file name of the RPM:
    sudo yum install raas-rpm-file-name.rpm
  8. IMPORTANT: Restore the backup of the following files:
    • /etc/raas/raas
    • /etc/raas/raas.secconf
    • /etc/raas/pki/
  9. Update permissions for the raas user with the following command:
    sudo chown -R raas:raas /etc/pki/raas/certs
  10. OPTIONAL: If you have a SaltStack SecOps license and want to add the compliance library, add the following new section to the /etc/raas/raas file:
    sec:
      ingest_override: true
      locke_dir: locke
      post_ingest_cleanup: true
      username: 'secops'
      content_url: 'https://enterprise.saltstack.com/secops_downloads'
      download_enabled: true
      download_frequency: 86400
      stats_snapshot_interval: 3600
      compile_stats_interval: 10
      ingest_on_boot: True
      content_lock_timeout: 60
      content_lock_block_timeout: 120
    Note:

    This step is optional and only applies to organizations that have a valid SaltStack SecOps license. This add-on module is available for SaltStack Config versions 6.0 and later. The previous configuration options in the /etc/raas/raas configuration file are specific to these add-on modules.

  11. OPTIONAL: If you have a SaltStack SecOps license and want to add the vulnerability library, add a new section to the /etc/raas/raas file:
    vman:
      vman_dir: vman
      download_enabled: true
      download_frequency: 86400
      username: vman
      content_url: 'https://enterprise.saltstack.com/vman_downloads'
      ingest_on_boot: true
      compile_stats_interval: 60
      stats_snapshot_interval: 3600
      old_policy_file_lifespan: 2
      delete_old_policy_files_interval: 86400
      tenable_asset_import_enabled: True
      tenable_asset_import_grains: ['fqdn', 'ipv4', 'ipv6', 'hostname', 'mac_address', 'netbios_name',
                                    'bios_uuid', 'manufacturer_tpm_id', 'ssh_fingerprint',
                                    'mcafee_epo_guid', 'mcafee_epo_agent_guid', 'symantec_ep_hardware_key',
                                    'qualys_asset_id', 'qualys_host_id', 'servicenow_sys_id', 'gcp_project_id',
                                    'gcp_zone', 'gcp_instance_id', 'azure_vm_id', 'azure_resource_id',
                                    'aws_availability_zone', 'aws_ec2_instance_ami_id',
                                    'aws_ec2_instance_group_name', 'aws_ec2_instance_state_name',
                                    'aws_ec2_instance_type', 'aws_ec2_name', 'aws_ec2_product_code',
                                    'aws_owner_id', 'aws_region', 'aws_subnet_id', 'aws_vpc_id',
                                    'installed_software', 'bigfix_asset_id'
                                    ]
    Note:

    This step is optional and only applies to organizations that have a valid SaltStack SecOps license. This add-on module is available for SaltStack Config versions 6.0 and later. The previous configuration options in the /etc/raas/raas configuration file are specific to these add-on modules.

  12. The RaaS currently has a known issue related to stale jobs. When upgrading, some users might notice a queue of stale jobs that are stuck in a pending state. Upgrading the RaaS node can cause these jobs to run unless they are first cleared out.

    To prevent this from happening, first check whether any old commands are stored in the database. On your PostgreSQL node, check for any pending jobs using the following command:

    selectcount(1)fromcommandswherestate='new';

    The result is the number of pending jobs. If the number of jobs is 0, proceed with the rest of the upgrade process. If the number of jobs is greater than 0, Contact Support for a workaround.

  13. Upgrade the RaaS service database using the following command:
    sudo su - raas
    raas upgrade
    Note:

    Depending on the size of your database, the upgrade can take anywhere from several minutes to over an hour.If you encounter errors, check the /var/log/raas/raas logfile for more information.

  14. After the upgrade, exit the session for the raas user with the following command:
    exit
  15. Start the RaaS service using the following command:
    sudo systemctl enable raas
    sudo systemctl start raas

Verify that SaltStack Config is functioning correctly and is running the latest version. Proceed to the next section.

What to do next

After upgrading the RaaS node, the final task is to upgrade the Master Plugin. See Upgrade the Master Plugin for more information.