[+]
 
[+]
 
 
 
[+]
Updated on 8/15/2019
All Product Installation and Upgrade Guides
Eyeglass Isilon Edition Upgrade Guide
Direct link to topic in this publication:
Home





Pre-Upgrade Steps

Record Eyeglass Appliance Eyeglass Configuration Setting Modifications (if you have never changed these values SKIP this step)

  1. Record the global setting on your Eyeglass appliance such as the Replication schedule.  Any customizations will need to be reapplied after the upgrade and a record of the current Eyeglass settings is required.
    1. ssh to the Eyeglass appliance and login as admin (default password 3y3gl4ss).
    2. Type the following commands and record the results. These are your current global settings:
    3. igls adv requesttimeout   

Inplace Upgrade path for Appliances running openSuse 42.3 OS to release 2.5.5 and will stay on opensuse 42.3

This option allows customers to upgrade to 2.5.5 without deploying  a new OVF to get the latest operating system. NOTE: OS verson 42.3 no longer recieves security updates and is customers choice to stay on this OS of the appliance. NOTE: The OS is not covered by the support contract.

  1. To check the OS version
  2. ssh as admin user to Eyeglass
  3. type cat /etc/os-release
  4. The OS version is displayed
  5. If Running 42.3 and you wish to stay on this OS version without using new OVF upgrade path, then continue with steps here.


Inplace Upgrade Prerequisites 

  1. The upgrade will disrupt Eyeglass services for less than 10 minutes
  2. A VM level snapshot should be taken before upgrade to allow rollback to the previous version of the appliance


Online Upgrade - Requires Internet access to the Appliance

  1. NOTE: Requires access to https://storage.googleapis.com/repo.superna.net/eyeglass/production/*  from the appliance to the Internet to download software

  2. To complete the online upgrade
    1. ssh to the appliance as admin
    2. switch to root
      1. su -s  (enter admin password when prompted)
      2. Run the following command to do the upgrade: NOTE: This command checks for an active support contract, and will only upgrade if support contract validation is successful.
      3. igls app upgrade
      4. You may be prompted for Phone Home Agreement if not previously set. Enter ‘y’ or ‘n’ to continue.
      5. Once the upgrade is completed, login to the Eyeglass web page
      6. IMPORTANT: Refresh any open Eyeglass window to ensure that you have latest changes.
      7. Check the About Eyeglass window and verify version numbers are as shown here  for the Release you upgraded to
      8. Check Post upgrade steps here


Offline Upgrade no Internet Access to the Appliance      

  1. To complete an offline upgrade:
  2. Login to support site with a registered support account https://support.superna.net
  3. Scroll down on page after login to locate the software download validation form.
  4. Screen Shot 2017-08-15 at 8.43.41 PM.png
  5. Get the appliance ID from the about window of the Eyeglass desktop 
  6. Screen Shot 2017-08-15 at 8.45.43 PM.png
  7. Enter the appliance ID and click download button to retrieve the offline installer. NOTE: This command checks for an active support contract, and will only download software if support contract validation is successful. 
  8. SCP (winscp) the offline package onto the appliance. 
  9. ssh to the Eyeglass appliance and sudo to root (command sudo su -) or login to the appliance as root. 
  10. Make the offline package executable: chmod 755 <filename> 
  11. Run the installer: ./<filename> 
  12. You may be prompted for Phone Home Agreement if not previously set. Enter ‘y’ or ‘n’ to continue. 
  13. Once the update is completed, login to the Eyeglass web page
  14. IMPORTANT: Refresh any open Eyeglass window to ensure that you have latest changes.
  15. Check the About Eyeglass window and verify version numbers are as shown here.
  16. Complete
  17. Check Post upgrade steps here



Upgrade path for Appliances to New OVF 15.1 OS with 2.5.5 Release - Backup/Restore


All OVF versions prior to version 2.5.5 are using opensuse OS versions that no longer have security patches available (13.1, 13.2 , 42.1, 42.3).   Use this upgrade option to get upgraded to 2.5.5 AND get the latest opensuse OS 15.1 that has automatic security patch updates available. New upgrade process allows new OVF to be deployed and use backup restore feature, to restore a backup file from an older appliance to a new appliance.  NOTE:  This means some settings are not retained depending on the backup file release version. If unsure contact support if you have concerns on upgrade and settings.

  1. Deploy new 15.1 OVF Eyeglass VM with 2.5.5 pre-installed by downloading the latest OVF from the support site. Use the install guide as a reference
  2. Follow steps to download the new OVF  here
  3. NOTE: The new ip address can be different than the old appliance  IP.
  4. Reference the table of settings that are migrated below.
  5. After the new ovf is deployed and you can login continue with the backup and restore steps here.

Table of Migrated Settings 



Eyeglass Configuration Item

Source Appliance software version > 1.8.0

Restoring local credentials for clusters

Yes

Restoring licenses keys

Yes

Adjusting licenses keys to latest format

Yes

Job Schedules

Yes

Job Initial state Setting (enabled, disabled)

No

custom settings with igls adv command.

Yes

Restore Notification Center settings1

  1. Post restore Edit Notification Settings and set the

Yes

Restoring failover log history (if available)

Yes

Restoring custom RBAC roles (if available)

Yes

Restoring API tokens  (if available)

Yes (as of 1.9.0)

Restoring Ransomware Defender security guard logs (if available)

Yes

Restoring cluster Configuration reports (if available)

 

Yes

Restoring Current Job state (enabled, disabled, DFS mode) (if available)

Yes

Alarm history

No

Old Backups Archives

No

Cluster Storage Monitor Data (if available)

No

RPO Generated Reports

No

RPO Report Data

No

Failover Scripts

Yes

Ransomware Defender Settings and History (if available)

  • Ransomware Defender History

  • Ransomware Defender ignored list settings
  • Ransomware Defender Statistics
  • Ransomware Defender Settings
  • Security Guard configuration2

2. schedule is restored but no other settings - these need to be re-added manually

No





Upgrade Steps from old OVF to the latest OVF Appliance

The restore command  accepts a new  argument --anyrelease. Using the --anyrelease flag in restore will allow you to restore an old backup into a current version of Eyeglass.

Historical Database Information is not restored

  1. All existing Eyeglass databases are removed, no backup is made.
  2. NOTE: This will delete databases and they will be rediscovered on startup.  DO NOT USE this method if you have Cluster Storage Monitor or Ransomware Defender or RPO Report data with historical records that you need to retain.  Contact support.
  3. View the Table of Migrated Settings section for detailed description of what is restored based on the original release

Prerequisites

  1. Take a screenshot of the Eyeglass Jobs window prior to upgrade.  This can be used as a reference to verify Job state post restore.

Procedures

  1. Take an Eyeglass Restore backup from your old Eyeglass appliance.
  2. Download the Restore backup locally and then copy the zip file backup using scp or winscp to the newly deployed Eyeglass Appliance. It should be place in /tmp for example.
  3. See Restore Backup button that is required versus support backup.  The Restore backup includes SSL private keys, the support backup does not. Release > 2.5.3
  4.  
  5. Power off the old Eyeglass appliance. It is not supported to have multiple Eyeglass appliances managing the same clusters.

  6. SSH to new Eyeglass appliance and login as admin (default password 3y3gl4ss). Issue “sudo su -” to enter in root mode (default password 3y3gl4ss).


  7. From the command line execute the command
    1. igls app restore /tmp/<eyeglass_backup.xxxx.zip> --anyrelease
    2. Replacing /tmp/<eyeglass_backup.xxxx.zip> with the name of the Eyeglass Archive file always including full path.
    3. You will be prompted to continue. Enter “y” to continue.
    4. For example:
    5. igls app restore /tmp/eyeglass_backup_17-07-05_20-42-08.zip --anyrelease
    6. Do you want to revert to the archive at /tmp/eyeglass_backup_17-07-05_20-42-08.zip? [y/N]: y
    7. Once the restore is complete continue below
  8. Check Post upgrade steps here 


      Post-Upgrade Steps

      MANDATORY STEP Ransomware Defender and Easy Auduitor Licenses - Set User licensed status on Managed Clusters  


    1. This step is mandatory to enusre licenses are assigned to the correct cluster.  This release no longer supports auto assigned license mode.
    2. Login to Eyeglass
    3. Open License Manager 
    4. Click on Licensed Devices

    5. First STEP: Set each cluster that should NOT be licensed to Unlicensed status using the drop down menu.
    6. 2nd STEP: Set each cluster listed to user licensed for the product(s) that should be assigned to this cluster.  Example the production writeable clusters should be set to User Licensed for Ransomware Defender or Easy Auditor.
    7. Click the submit button to save.


      Check Eyeglass Job Status, Licenses and Cluster Inventory

    1. Login to the new Eyeglass appliance and check if:
      1. Open Jobs window and verify all jobs modes are set correctly and appear in either config sync or DFS section.  The screenshot taken before should be used to check the jobs are in the correct mode.  
        1. If the jobs are in the wrong mode please set the mode correctly with the bulk actions menu.
    2. Licences have been added in the license manager Icon.
    3. Clusters are displayed in the Inventory Icon.
      1. Check Eyeglass Service account permissions are up to date and email configuration 

    1. If using the eyeglass service account to add the Isilon Clusters to Eyeglass ensure that all permissions have been created for the eyeglass service account in Isilon and all sudoer file updates have been done as per this document Eyeglass Service Account Minimum Privileges.
    2. Log in to the Eyeglass web page and open the Eyeglass Main Menu -> Notification Center and verify that the Alarm Severity Filter is correctly set
    3. And verify that the Email Recipients are correctly set with the correct Email Type.
    4. done


    If applicable  - If clusters do not appear in Inventory and no Job appears in the Jobs icon - Update TLS Security settings

    1. If clusters are not added in the inventory icon complete steps below if using OneFS versions listed below to verify TLS security Algorithms
      1. NOTE: If your cluster is running original 7.2.x.x, 8.0.0.0, 8.0.0.1, 8.0.0.2 the TLS security protocols allowed weaker security algorithms and key sizes. Eyeglass 1.9 OVF and later has hardened security settings that will not negotiate a weaker TLS connection. These steps allows Eyeglass to connect using algorithms compatible with these OneFS releases.  
      2. In this case you may need to edit file below in order for clusters to be added
        1. vim /opt/superna/java/jre1.8.0_05/lib/security/java.security
        2. comment out the line by placing a # at the front of this line “jdk.tls.disabledAlgorithms=MD5, SHA1, DSA, RSA keySize < 2048, SSLv2Hello, SSLv3, TLSv1, TLSv1.1”
        3. save the file with :wq  (save and exit)
        4. After editing this file an Eyeglass sca service restart is required
          1. sudo systemctl restart sca  (enter admin password when prompted)

    If applicable - Switch Eyeglass Connection from DNS/FQDN to SSIP in System Zone due to CSRF API Session Authentication Default in Onefs If you have clusters added with a DNS name FQDN this needs to be switched to using SSIP


    1. required to support the Isilon CSRF patch which disabled Basic Authentication does not work when Isilon cluster is managed by Eyeglass using FQDN as the session token is not shared between nodes on the Isilon.  For this reason, as of release 2.5.3 Isilon cluster it is mandatory to add Isilon cluster to Eyeglass using SSIP if CSRF patch is applied and enabled on Isilon.  If CSRF is not enabled this change is optional.  Please refer to Technical Advisory #15 and Technical Advisory #17 for more details.
    2. To update Eyeglass to manage Isilon cluster using SSIP instead of FQDN follow steps below
    3. Login to the Eyeglass GUI
    4. Make a record of how cluster is currently added and how Eyeglass Jobs are configured:
    5. Open the Jobs/Job Definitions window and take a screenshot or make a record of which Jobs are enabled/disabled in each of the following sections of the Jobs window that apply to your environment:
      1. Configuration Replication: Share, Export, Alias replication
      2. Configuration Replication: DFS Mode
      3. Configuration Replication: Skip Share, Export, Alias replication
      4. Disaster Recovery Testing
      5. Failover: Runbook Robot
      6. Configuration Replication: Snapshot schedules
      7. Zone and Pool Failover Readiness
      8. Configuration Replication: Access Zone replication
    6. Open DR Dashboard / Pool Readiness and make note of all Pool to Policy mappings (if applicable). 
    7. ssh to the Eyeglass appliance and login as admin (default password 3y3gl4ss)
    8. sudo su - (to elevate to root and enter the admin user password)
    9. Edit /opt/superna/sca/data/nedata.xml
    10. Change FQDN to SSIP manually as below
    11. IMPORTANT: 
      1. - SSIP used must be in a subnet that has a pool in the System Access zone. Typically the management subnet is used.
      2. Take care to match IP address and cluster correctly
      3. Repeat above step for each cluster that is added with FQDN.
      4. Save the changes
      5. Execute the rediscover command
        1. igls appliance rediscover
      6. Once initial inventory has completed for all clusters added (check in Eyeglass GUI Jobs/Running Jobs):
        1. open the Jobs / Jobs Definition view and confirm that Eyeglass Jobs are configured as they were prior to running the procedure
        2. open the DR Dashboard / Pool Readiness (if applicable) and confirm that Pool / Policy mapping is configured as it was prior to running the procedure
      7. done


    Copyright Superna LLC