Once you have created an update repository as described in Add an update repository, or if you already have an update repository, you can apply the security updates.
This section describes how to update Ubuntu packages manually. Specifically, the procedure covers updating the KVM nodes one by one, the VMs running on top of each KVM node, and the OpenStack compute nodes.
If you prefer the automated update, use the Apply Ubuntu security updates using Jenkins procedure.
Note
This documentation does not cover the upgrade of Ceph nodes.
To apply the Ubuntu security updates manually:
Log in to the Salt Master node.
For OpenStack Ocata with OpenContrail v3.2, update the python-concurrent.futures package. Otherwise, skip this step.
salt -C "ntw* or nal*" cmd.run "apt-get -y --force-yes upgrade python-concurrent.futures"
Update the Virtual Control Plane and KVM nodes:
Identify the KVM nodes:
salt "kvm*" test.ping
Example of system response:
kvm01.bud.mirantis.net:
True
kvm03.bud.mirantis.net:
True
kvm02.bud.mirantis.net:
True
In the example above, three KVM nodes are identified: kvm01, kvm02, and kvm03.
Identify the VMs running on top of each KVM node. For example, for kvm01:
salt "kvm01*" cmd.run "virsh list --name"
Example of system response:
kvm01.bud.mirantis.net:
cfg01
prx01.<domain_name>
ntw01.<domain_name>
msg01.<domain_name>
dbs01.<domain_name>
ctl01.<domain_name>
cid01.<domain_name>
nal01.<domain_name>
Using the output of the previous command, upgrade the cid, ctl, gtw/ntw/nal, log, mon, msg, mtr, dbs, and prx VMs of the particular KVM node. Do not upgrade cfg01, cmp, and kvm.
Note
Ceph nodes are out of the scope of this procedure.
Example:
for NODE in prx01.<domain_name> \
ntw01.<domain_name> \
msg01.<domain_name> \
dbs01.<domain_name> \
ctl01.<domain_name> \
cid01.<domain_name> \
nal01.<domain_name>
do
salt "${NODE}*" cmd.run "export DEBIAN_FRONTEND=noninteractive && \
apt-get update && \
apt-get -y upgrade && \
apt-get -y -o Dpkg::Options::="--force-confdef" \
-o Dpkg::Options::="--force-confnew" dist-upgrade"
done
Wait for all services of the cluster to be up and running.
dbs node: verify that the Galera cluster status is Synced and contains at least three nodes as described in Verify a Galera cluster status.
msg node: verify the RabbitMQ cluster status and that it contains at least three nodes as described in Troubleshoot RabbitMQ.
Once you upgrade the VMs running on top of a KVM node, upgrade and restart this KVM node itself. For example, kvm01:
salt "kvm01*" cmd.run "export DEBIAN_FRONTEND=noninteractive && \
apt-get update && \
apt-get -y upgrade && \
apt-get -y -o Dpkg::Options::="--force-confdef" \
-o Dpkg::Options::="--force-confnew" dist-upgrade && \
shutdown -r 0"
Wait for all services of the cluster to be up and running. For details, see the substeps of step 3.4.
Repeat the steps 3.1-3.7 for the remaining kvm nodes one by one.
Upgrade the OpenStack compute nodes using the example below, where cmp10. is a set of nodes.
Caution
Before upgrading a particular set of cmp nodes, migrate the critical cloud environment workloads, which should not be powered off, from these nodes to the cmp nodes that are not under maintenance.
Example:
# Check that the command will be applied only to the needed nodes
salt -E "cmp10." test.ping
# Perform the upgrade
salt -E "cmp10." cmd.run "export DEBIAN_FRONTEND=noninteractive && apt-get \
update && apt-get -y upgrade && apt-get -y -o \
Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confnew" \
dist-upgrade && apt-get -y install linux-headers-generic && shutdown -r 0"
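The VM selection step of the KVM procedure above can be scripted so that cfg01, cmp, and kvm nodes never end up in the upgrade loop by mistake. The following is an added example, not part of the original procedure: the function name, the sample output, and the example.local domain are constructed for illustration, and it assumes VM names start with a lowercase role prefix as in the example responses.

```shell
#!/usr/bin/env bash
# Added example: filter `virsh list --name` output (as returned through
# salt cmd.run) down to the VMs this procedure says to upgrade.
# cfg, cmp and kvm are deliberately absent from the allowlist.
ALLOWED_PREFIXES="cid ctl gtw ntw nal log mon msg mtr dbs prx"

# Reads Salt cmd.run output on stdin, prints one in-scope VM name per line.
select_upgradable_vms() {
    local line name prefix p
    while IFS= read -r line; do
        # Drop indentation and skip empty lines
        name="$(printf '%s' "$line" | tr -d '[:space:]')"
        if [ -z "$name" ]; then continue; fi
        # Skip the minion ID header line, for example "kvm01.example.local:"
        case "$name" in *:) continue ;; esac
        # Role prefix = leading lowercase letters ("ctl01.x" -> "ctl")
        prefix="$(printf '%s' "$name" | sed 's/[^a-z].*$//')"
        for p in $ALLOWED_PREFIXES; do
            if [ "$prefix" = "$p" ]; then
                printf '%s\n' "$name"
                break
            fi
        done
    done
}

# Constructed sample modelled on the example system response above.
sample_virsh_output() {
    cat <<'EOF'
kvm01.example.local:
    cfg01
    prx01.example.local
    ntw01.example.local
    msg01.example.local
    dbs01.example.local
    ctl01.example.local
    cid01.example.local
    nal01.example.local
EOF
}

# Print the selection for review before pasting it into the upgrade loop.
sample_virsh_output | select_upgradable_vms
```

On a live Salt Master, pipe the output of the virsh list --name command for one KVM node into select_upgradable_vms instead of the sample, and review the printed list before running the upgrade loop.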