[+]
 
 
 
 
 
[+]
Updated on 6/13/2019
All Product Installation and Upgrade Guides
Eyeglass Isilon Edition Upgrade Guide
Direct link to topic in this publication:
Home


THIS PROCEDURE IS SPECIFICALLY FOR UPGRADE FROM ANY EYEGLASS RELEASE TO EYEGLASS 2.5.x VERSION Latest Appliance


IMPORTANT: THIS UPGRADE INCLUDES A FINAL STEP TO REMOVE ALL HISTORICAL RECORDS AND ALARM RECORDS.

1. Pre-Upgrade Steps

  1. 2. Record Eyeglass Appliance Eyeglass Configuration Setting Modifications (if you have never changed these values SKIP this step)

  1. Record the global setting on your Eyeglass appliance such as the Replication schedule.  Any customizations will need to be reapplied after the upgrade and a record of the current Eyeglass settings is required.
  1. ssh to the Eyeglass appliance and login as admin (default password 3y3gl4ss).
  2. Type the following commands and record the results.  These are your current global settings:

 igls adv requesttimeout

   

3. Upgrade path for Appliances DEPLOYED below R1.9.0 (OpenSUSE 13.1 or 13.2) to Latest OVF (OpenSUSE 42.3)

  • The appliances that shipped with Eyeglass Release below 1.9.0 are based on OpenSuse 13.1 and 13.2 which  no longer have  OS patch availability.
  • The new upgrade process will allow an any release Eyeglass upgrade to latest OVF appliance which is based on OpenSuse 42.3 OS that has patches available from OpenSuse.
  • If your appliance was deployed prior to release 1.9.0,  you will need to follow this upgrade process
  • How to check the version of your OVF?
  • The appliance ID indicates the initial version of the OVF that was deployed.
  • See image below shows a 1.5.4 OVF
  • about igls.png


New upgrade process allows new OVF to be deployed and use backup restore feature, to restore a backup file from an older appliance to a new appliance.  NOTE:  This means some settings are not retained depending on the backup file release version. If unsure contact support if you have concerns on upgrade and settings.

4. Table of Migrated Settings 



Eyeglass Configuration Item

Source >1.3

Source > 1.5.3 and < 1.8

Source > 1.8.0

Restoring local credentials for clusters

Yes

Yes

Yes

Restoring licenses keys

No

Re-add manually

Yes

Yes

Adjusting licenses keys to latest format

Yes

Yes

Yes

Job Schedules

No

Yes

Yes

Job Initial state Setting (enabled, disabled)

No

No

No

custom settings with igls adv command.

Yes

Yes

Yes

Restore Notification Center settings1

  1. Post restore Edit Notification Settings and set the

Yes - requires post restore config

Yes - requires post restore config


Yes

Restoring failover log history (if available)

Yes

Yes

Yes

Restoring custom RBAC roles (if available)

No

No

Yes

Restoring API tokens  (if available)

No

No

Yes (as of 1.9.0)

Restoring Ransomware Defender security guard logs (if available)

N/A

N/A

Yes

Restoring cluster Configuration reports (if available)

 

No

No

Yes

Restoring Current Job state (enabled, disabled, DFS mode) (if available)

No

No

Yes

Alarm history

No

No

No

Old Backups Archives

No

No

No

Cluster Storage Monitor Data (if available)

N/A

No

No

RPO Generated Reports

No

No

No

RPO Report Data

No

No

No

Failover Scripts

N/A

Yes

Yes

Ransomware Defender Settings and History (if available)

  • Ransomware Defender History

  • Ransomware Defender ignored list settings

  • Ransomware Defender Statistics

  • Ransomware Defender Settings

  • Security Guard configuration2

2. schedule is restored but no other settings - these need to be re-added manually

N/A

N/A

No



5. Upgrade Steps from any release OVF to the latest OVF Appliance

The restore command  accepts a new  argument --anyrelease. Using the --anyrelease flag in restore will allow you to restore an old backup into a current version of Eyeglass.

6. Exclusions

  • All existing Eyeglass databases are removed, no backup is made.
  • NOTE: This will delete databases and they will be rediscovered on startup.  DO NOT USE this method if you have Cluster Storage Monitor or Ransomware Defender or RPO Report data with historical records that you need to retain.  Contact support.
  • View the Table of Migrated Settings section for detailed description of what is restored based on the original release

7. Prerequisites

  • Take a screenshot of the Eyeglass Jobs window prior to upgrade.  This can be used as a reference to verify Job state post restore.


8. Procedure

  1. Take an Eyeglass Restore backup from your old Eyeglass appliance.
  2. Download the Restore backup locally and then copy the zip file backup using scp or winscp to the newly deployed Eyeglass Appliance. It could be place in /tmp for example.
  3. See Restore Backup button that is required versus support backup.  The Restore backup includes SSL private keys, the support backup does not. Release > 2.5.3 



  1. Power off the old Eyeglass appliance.  It is not supported to have multiple Eyeglass appliances managing the same clusters.
  2. SSH to new Eyeglass appliance and login as admin (default password 3y3gl4ss). Issue “sudo su -” to enter in root mode (default password 3y3gl4ss).
  3. From the command line execute the command
  1. igls app restore /tmp/<eyeglass_backup.xxxx.zip> --anyrelease
  2. Replacing /tmp/<eyeglass_backup.xxxx.zip> with the name of the Eyeglass Archive file always including full path.
  3. You will be prompted to continue. Enter “y” to continue.
  4. For example:

# igls app restore /tmp/eyeglass_backup_17-07-05_20-42-08.zip --anyrelease

Do you want to revert to the archive at /tmp/eyeglass_backup_17-07-05_20-42-08.zip? [y/N]: y

  1. Login to the new Eyeglass appliance and check if:
  1. Licences have been added.
  2. Clusters have been added.

NOTE: If your cluster is running original 7.2.x.x, 8.0.0.0, 8.0.0.1, 8.0.0.2 the TLS security protocols allowed weaker security algorithms and key sizes.  Eyeglass 1.9 OVF and later has hardened security settings.  In this case you may need to edit file below in order for clusters to be added

/opt/superna/java/jre1.8.0_05/lib/security/java.security

and comment out the line “jdk.tls.disabledAlgorithms=MD5, SHA1, DSA, RSA keySize < 2048, SSLv2Hello, SSLv3, TLSv1, TLSv1.1”

  • After editing this file an Eyeglass sca service restart is required

systemctl restart sca

  1. Failover and Failback History preserved.
  2. If Eyeglass version above 1.8.0 the ability to restore jobs to previous state was introduced. DFS settings should be enabled and job state should be set to previous values (enabled or disabled).
  1. Done.

2. Post Upgrade Checks

  1. Verify your initial settings as per the pre-requisite step.
  2. If using the eyeglass service account to add the Isilon Clusters to Eyeglass ensure that all permissions have been created for the eyeglass service account in Isilon and all sudoer file updates have been done as per this document Eyeglass Service Account Minimum Privileges.
  3. Log in to the Eyeglass web page and open the Eyeglass Main Menu -> Notification Center and verify that the Alarm Severity Filter is correctly set

  1. And verify that the Email Recipients are correctly set with the correct Email Type.


1. Upgrade from 1.9.0 with OpenSUSE 42.2/42.3 to Any new Release

2. PREREQUISITES

  • VMware snapshot to backup the Eyeglass appliance prior to applying the update.  This is the only rollback path available to the previous release. 
  • Eyeglass appliance must be on the OpenSUSE 42.2 or 42.3  operating system
  • Check by ssh to the Eyeglass appliance and execute the command

cat /etc/os-release

VERSION should be 42.2 or 42.3

IMPORTANT:

  • Eyeglass operation will be interrupted briefly during Upgrade for an Eyeglass service restart typically < 10 minutes
  • For Eyeglass updates, when more than one Eyeglass sub-package update is available they all must be applied as there may be dependencies between the packages requiring all updates for Eyeglass to function properly. (Eyeglass sub-packages begin with "eyeglass_" in the package name.)  If prompted, you must also say yes to external dependencies.

3. Online Upgrade (Requires Internet connected appliance with port 443) ( for R2.0 and higher only)

> also requires access allowed to https://storage.googleapis.com/repo.superna.net/eyeglass/production/*

> this URL may also need to be whitelisted

To do an online upgrade to a release > 1.9.0:

1.  ssh to the Eyeglass appliance and sudo to root (command sudo su -) or login to the appliance as root.

2.  Run the following command to do the upgrade:  NOTE: This command checks for an active support contract, and will only upgrade if support contract validation is successful.

igls app upgrade

3.   Enter ‘y’ to continue with the update.  If prompted, you must say ‘y’ to external dependencies.

4.  You may be prompted for Phone Home Agreement if not previously set.  Enter ‘y’ or ‘n’ to continue.

5.  Once the upgrade is completed, login to the Eyeglass web page.

IMPORTANT: Refresh any open Eyeglass window to ensure that you have latest changes.

6.  Check the About Eyeglass window and verify version numbers are as shown here  for the Release you upgraded to.

  1. Complete.

4. Offline Upgrade (No Internet connection Available to the appliance)

To do an offline upgrade to a release > 1.9.0: (Eyeglass appliance has no internet access):

  1. Login to support site with a registered support account https://support.superna.net 

Scroll down on page after login to locate the software download validation form.

Screen Shot 2017-08-15 at 8.43.41 PM.png 

  1. Get the appliance ID from the about window of the Eyeglass desktop
  1. Screen Shot 2017-08-15 at 8.45.43 PM.png
  1. Enter the appliance ID and click download button to retrieve the offline installer. NOTE: This command checks for an active support contract, and will only download software if support contract validation is successful.
  2. SCP (winscp) the offline package onto the appliance.
  3. ssh to the Eyeglass appliance and sudo to root (command sudo su -) or login to the appliance as root.
  4. Make the offline package executable: chmod 755 <filename>
  5. Run the installer: ./<filename>
  6. You may be prompted for Phone Home Agreement if not previously set.  Enter ‘y’ or ‘n’ to continue.
  7. Once the update is completed, login to the Eyeglass web page
  1. IMPORTANT: Refresh any open Eyeglass window to ensure that you have latest changes.
  1. Check the About Eyeglass window and verify version numbers are as shown here .
  2. Complete.

5. Post-Upgrade Steps

  1. Update Eyeglass to manage Isilon cluster using SSIP instead of FQDN (for  upgrade to release 2.5.3 and higher - MANDATORY if CSRF patch enabled on Isilon )

  1. Session architecture required to support the Isilon CSRF patch which disabled Basic Authentication does not work when Isilon cluster is managed by Eyeglass using FQDN as the session token is not shared between nodes on the Isilon.  For this reason, as of release 2.5.3 Isilon cluster it is mandatory to add Isilon cluster to Eyeglass using SSIP if CSRF patch is applied and enabled on Isilon.  If CSRF is not enabled this change is optional.  Please refer to Technical Advisory #15 and Technical Advisory #17 for more details.
  2. To update Eyeglass to manage Isilon cluster using SSIP instead of FQDN follow steps below:
  3. 1. Login to the Eyeglass GUI
  4. 2. Make a record of how cluster is currently added and how Eyeglass Jobs are configured:
  5. a) Open the Jobs/Job Definitions window and take a screenshot or make a record of which Jobs are enabled/disabled in each of the following sections of the Jobs window that apply to your environment:
  6. - Configuration Replication: Share, Export, Alias replication
  7. - Configuration Replication: DFS Mode
  8. - Configuration Replication: Skip Share, Export, Alias replication
  9. - Disaster Recovery Testing
  10. - Failover: Runbook Robot
  11. - Configuration Replication: Snapshot schedules
  12. - Zone and Pool Failover Readiness
  13. -  Configuration Replication: Access Zone replication
  14. b) Open DR Dashboard / Pool Readiness and make note of all Pool to Policy mappings (if applicable). 

    3) ssh to the Eyeglass appliance and login as admin (default password 3y3gl4ss)
  15. 4) sudo su - (to elevate to root and enter the admin user password)
  16. 5) Edit /opt/superna/sca/data/nedata.xml
  17. 6) Change FQDN to SSIP manually as below
  18. IMPORTANT: 
  19. - SSIP used must be in a subnet that has a pool in the System Access zone.  Typically the management subnet is used.
  20. - Take care to match IP address and cluster correctly

  21. 7) Repeat above step for each cluster that is added with FQDN.
  22. 8) Save the changes.
  23. 9) Execute the rediscover command
  24. igls appliance rediscover
  25. 10) Once initial inventory has completed for all clusters added (check in Eyeglass GUI Jobs/Running Jobs):
  26. - open the Jobs / Jobs Definition view and confirm that Eyeglass Jobs are configured as they were prior to running the procedure
  27. - open the DR Dashboard / Pool Readiness (if applicable) and confirm that Pool / Policy mapping is configured as it was prior to running the procedure
  28. 11) Done

  1. Modify tomcat configuration to use java 8 (for  upgrade to release 2.5.3 and higher AND Eyeglass appliance with OpenSUSE 42.2 ONLY)

  1. By default, OpenSUSE 42.2 is configured to use java version 7.  For Eyeglass 2.5.3 it must use java version 8.  To update this configuration follow these steps:
  1. 1. ssh to the Eyeglass appliance and login as admin (default password 3y3gl4ss).
  2. 2. sudo su - (to elevate to root and enter the admin user password)
  3. 3. edit /etc/tomcat/tomcat.conf
  4. 4. replace the JAVA_HOME setting with /opt/superna/java/jre 
  5. 5. save your changes
  6. 6. restart tomcat
  7. systemctl restart tomcat  


  1. Change failover timeout (for upgrade to release 2.0 and higher)

  1. It is recommended to change the failover timeout to 45 minutes for R2.0 and higher as failover logic has been updated to Continue on failed/timed out StepAfter analyzing many failovers the new logic will continue to execute steps as outlined here.  For a long running step, this will move the failover to the next step after waiting for 45 minutes.  Impact to failover is that any subsequent steps related to the timed out step are not executed.
  1. ssh to the Eyeglass appliance and login as admin (default password 3y3gl4ss).
  2. Type the following command

 igls adv failovertimeout set --minutes 45

  1. Enable fast failover mode (for upgrade to release 2.5.2 and higher)

  1. It is recommended to change to fast failover mode which takes advantage of parallel threads.  This mode switches to parallel policy with up to 10 threads for make writeable step and resync prep step.
  1. ssh to the Eyeglass appliance and login as admin (default password 3y3gl4ss).
  2. Type the following command

igls adv failovermode set --parallel=true

  1. ** REQUIRED UPDATE Disable Parallel Config Sync for SMB Shares  (for upgrade to release 2.5.2 and higher)

  1. Due to Isilon OneFS PAPI API defect, the following configuration change must be made on the Eyeglass appliance
  1. ssh to the Eyeglass appliance and login as admin (default password 3y3gl4ss)
  2. Elevate to root user by using command below and entering admin password

sudo su -

  1. cd /opt/superna/sca/data
  2. edit system.xml
  3. Find the line

<runconfigsyncinparallel>true</runconfigsyncinparallel>

  1. If this line is present, remove this one line only from the file.
  2. Save your changes
  3. Restart the sca service

systemctl restart sca

  1. Done

Copyright Superna LLC