After upgrading the latest version of PostgreSQL, Redis, and Salt, you then need to upgrade the RaaS node from the previous version to the latest version.
Be aware that database upgrades require re-indexing data. If your data is complex, a database upgrade could potentially take several hours. For a discussion of when to plan an upgrade and other tips, see Best practices when upgrading.
Before upgrading your RaaS node, you must back up your system data to avoid data loss. For an explanation of which files and directories must be backed up before upgrading, see Back up your data.
To upgrade the RaaS node:
- Download the upgrade files from Customer Connect.
- Save any changes you made to the default file system, pillar data, and jobs as new files or jobs.
- Note any pillar assignments that are made to the default targets. These need to be re-assigned after upgrade.
- Stop the RaaS service using the following command:
sudo systemctl stop raas
- Remove the log file(s) in the
/var/log/raas
directory. Clearing the log files provides a clean log file if troubleshooting is necessary. - Remove the currently installed version of the API (RaaS) with the following command:
sudo yum remove raas
- Upgrade the RaaS node by installing the latest RPM. Use the following example command, replacing the exact file name of the RPM:
sudo yum install raas-rpm-file-name.rpm
- IMPORTANT: Restore the backup of the following files:
/etc/raas/raas
/etc/raas/raas.secconf
/etc/raas/pki/
- Update permissions for the
raas
user with the following command:sudo chown -R raas:raas /etc/pki/raas/certs
- OPTIONAL: If you have a SaltStack SecOps license and want to add the compliance library, add the following new section to the
/etc/raas/raas
file:sec: ingest_override: true locke_dir: locke post_ingest_cleanup: true username: 'secops' content_url: 'https://enterprise.saltstack.com/secops_downloads' download_enabled: true download_frequency: 86400 stats_snapshot_interval: 3600 compile_stats_interval: 10 ingest_on_boot: True content_lock_timeout: 60 content_lock_block_timeout: 120
Note:This step is optional and only applies to organizations that have a valid SaltStack SecOps license. This add-on module is available for SaltStack Config versions 6.0 and later. The previous configuration options in the
/etc/raas/raas
configuration file are specific to these add-on modules. - OPTIONAL: If you have a SaltStack SecOps license and want to add the vulnerability library, add a new section to the
/etc/raas/raas
file:vman: vman_dir: vman download_enabled: true download_frequency: 86400 username: vman content_url: 'https://enterprise.saltstack.com/vman_downloads' ingest_on_boot: true compile_stats_interval: 60 stats_snapshot_interval: 3600 old_policy_file_lifespan: 2 delete_old_policy_files_interval: 86400 tenable_asset_import_enabled: True tenable_asset_import_grains: ['fqdn', 'ipv4', 'ipv6', 'hostname', 'mac_address', 'netbios_name', 'bios_uuid', 'manufacturer_tpm_id', 'ssh_fingerprint', 'mcafee_epo_guid', 'mcafee_epo_agent_guid', 'symantec_ep_hardware_key', 'qualys_asset_id', 'qualys_host_id', 'servicenow_sys_id', 'gcp_project_id', 'gcp_zone', 'gcp_instance_id', 'azure_vm_id', 'azure_resource_id', 'aws_availability_zone', 'aws_ec2_instance_ami_id', 'aws_ec2_instance_group_name', 'aws_ec2_instance_state_name', 'aws_ec2_instance_type', 'aws_ec2_name', 'aws_ec2_product_code', 'aws_owner_id', 'aws_region', 'aws_subnet_id', 'aws_vpc_id', 'installed_software', 'bigfix_asset_id' ]
Note:This step is optional and only applies to organizations that have a valid SaltStack SecOps license. This add-on module is available for SaltStack Config versions 6.0 and later. The previous configuration options in the
/etc/raas/raas
configuration file are specific to these add-on modules. - The RaaS currently has a known issue related to stale jobs. When upgrading, some users might notice a queue of stale jobs that are stuck in a pending state. Upgrading the RaaS node can cause these jobs to run unless they are first cleared out.
To prevent this from happening, first check whether any old commands are stored in the database. On your PostgreSQL node, check for any pending jobs using the following command:
select count(1) from commands where state='new';
The result is the number of pending jobs. If the number of jobs is
0
, proceed with the rest of the upgrade process. If the number of jobs is greater than0
, Contact Support for a workaround. - Upgrade the RaaS service database using the following command:
sudo su - raas raas upgrade
Note:Depending on the size of your database, the upgrade can take anywhere from several minutes to over an hour.If you encounter errors, check the
/var/log/raas/raas
logfile for more information. - After the upgrade, exit the session for the
raas
user with the following command:exit
- Start the RaaS service using the following command:
sudo systemctl enable raas sudo systemctl start raas
Verify that SaltStack Config is functioning correctly and is running the latest version. Proceed to the next section.
What to do next
After upgrading the RaaS node, the final task is to upgrade the Master Plugin. See Upgrade the Master Plugin for more information.