Cloud customer?
Start for Free >
Upgrade in MyJFrog >
What's New in Cloud >





Overview

The procedure to upgrade Insight depends on your installation type. We strongly recommend reading through this page before proceeding with your upgrade.

If you wish to continue using Insight, before upgrading, refer to the information on System Requirements

Make sure to use the same upgrade method (RPM, Debian, Docker, etc.) as the one you initially used to install Insight.


Before You Proceed

JFrog Insight 1.x can only be installed as part of the JFrog Platform Deployment installation. Make sure this installation is completed first before continuing.

Default Home Directory

The default Insight home directory is defined according to the installation type. For additional details see the JFrog Product Directory Structure page.

Note: This guide uses $JFROG_HOME to represent the JFrog root directory containing the deployed product.

Setting Up High Availability on Mission Control

High Availability configuration for Insight requires a cluster of 3 or more active/active nodes on the same LAN.

JFrog Subscription Levels

SELF-HOSTED
ENTERPRISE 
ENTERPRISE+
Page Contents



Upgrading from Version 1.x to 1.x

The following upgrade methods are supported:

When you upgrade a Insight high availability cluster, ensure that you trigger the upgrade process on all the nodes simultaneously.

Interactive Script Upgrade (Recommended)

This supports all install types, including Docker Compose, RPM and Debian.

  1. Stop the service.

    systemd OS
    systemctl stop insight
    systemv OS
    service insight stop
    Docker Compose
    cd jfrog-insight-<version>-compose
    docker-compose -p insight down
  2. Extract the contents of the compressed archive and go to the extracted folder.
    Note: Make sure to merge your customizations in your current docker-compose.yaml file to the new extracted version of the docker-compose.yaml file.

    tar -xvf jfrog-insight-<version>-<compose|rpm|deb>.tar.gz
    cd jfrog-insight-<version>-<compose|rpm|deb>

    Copy the contents of the .env file in the previous installation to the newly created .env file in this archive without copying the versions, as this will affect the upgrade.

  3. Run the installer script.
    Note: If needed, the script will prompt you with a series of mandatory inputs, including the jfrogURL (custom base URL) and joinKey.

    Compose
    ./config.sh
    RPM/DEB
    ./install.sh
  4. Start and manage the Insight service.

    systemd OS
    systemctl start|stop insight
    systemv OS
    service insight start|stop
    Docker Compose
    cd jfrog-insight-<version>-compose
    docker-compose -p insight up -d
    docker-compose -p insight ps
    docker-compose -p insight down
  5. Access Insight from your browser at: http://<jfrogUrl>/ui/, go the Dashboard tab in the Application module in the UI.
  6. Check Insight Log.

    tail -f $JFROG_HOME/insight/var/log/console.log

Manual RPM/Debian Upgrade

  1. Stop the current server.

    systemd OS
    systemctl stop insight
    systemv OS
    service insight stop
  2. Extract the contents of the compressed archive and go to the extracted folder.

    tar -xvf jfrog-insight-<version>-<rpm|deb>.tar.gz
    cd jfrog-insight-<version>-<rpm|deb>
  3. Configure Elasticsearch.


  4. When connecting an external instance of Elasticsearch to Insight, add the following flag in the Shared Configurations of $JFROG_HOME/insight/var/etc/system.yaml file and step (6) can be skipped.

    shared:
       elasticsearch:
           external: true
  5. Recommended to install Search Guard plugin when using Elasticsearch that is packaged with Insight. This will help ensure secure communication to Elasticsearch. 

    1. Search Guard package can be located in the extracted contents at jfrog-insight-<version>-<rpm|deb>/third-party/elasticsearch/search-guard-<version>.zip.
      For installation steps, refer to Search Guard documentation.

    2. Add an admin user to Search Guard which will ensure authenticated communication with Elasticsearch.
      1. The Search Guard configuration accepts a hashed password. Use the following command to generate the hash for the password. Also, add the username and password generated here in the Shared Configuration as specified in step (5) above.

        /etc/elasticsearch/plugins/search-guard-7/tools/hash.sh -p <clear_text_password>
        
        #This will output a hashed password (<hash_password>), make a copy of it
      2. Prepare the configuration snippet to add a new(admin) user with the hashed password obtained from previous step

        <username>:
            hash: "<hashed_password>"
            backend_roles:
               - "admin"
            description: "Insight Elastic admin user"
      3. Paste the above snippet to the end of this file sg_internal_users.yml located at /etc/elasticsearch/plugins/search-guard-7/sgconfig/


    3. Enable anonymous access to “_cluster/health” endpoint. This is required to check the health of Elasticsearch cluster.
      1. Enable anonymous auth in this file sg_config.yml at /etc/elasticsearch/plugins/search-guard-7/sgconfig/

        sg_config:
               dynamic:
                  http:
                     anonymous_auth_enabled: true #set this to true
      2. Map anonymous user sg_anonymous to backend role sg_anonymous_backendrole in this file sg_roles_mapping.yml at /etc/elasticsearch/plugins/search-guard-7/sgconfig

        sg_anonymous:
            backend_roles:
                - sg_anonymous_backendrole
      3. Add this snippet to the end of this file sg_roles.yml located at /etc/elasticsearch/plugins/search-guard-7/sgconfig

        sg_anonymous:
          cluster_permissions:
            - cluster:monitor/health
  6. Install Insight as a service on Red Hat compatible Linux distributions, as a root user.

    rpm
    yum -y install ./insight/insight.rpm
    Debian
    dpkg -i ./insight/insight.deb
  7. Set the Artifactory connection details.
  8. Start and manage Insight.

    service insight start|stop
  9. Access Insight from your browser at: http://<jfrogUrl>/ui/, go the Dashboard tab in the Application module in the UI.

  10. Check Insight Log.

    tail -f $JFROG_HOME/insight/var/log/console.log

Linux Archive Upgrade

  1. Stop the current server.

    Stop Mission Control
    cd $JFROG_HOME/insight/app/bin
    ./insight.sh stop
  2. Configure Elasticsearch.


  3. When connecting an external instance of Elasticsearch to Insight, add the following flag in the Shared Configurations of $JFROG_HOME/insight/var/etc/system.yaml file and step (6) can be skipped.

    shared:
       elasticsearch:
           external: true
  4. Recommended to install Search Guard plugin when using Elasticsearch that is packaged with Insight. This will help ensure secure communication to Elasticsearch. 

    1. Search Guard package can be located in the extracted contents at insight/app/third-party/elasticsearch/search-guard-<version>.zip
      For installation steps, refer to Search Guard documentation.

    2. Add an admin user to Search Guard which will ensure authenticated communication with Elasticsearch.
      1. The Search Guard configuration accepts a hashed password. Use the following command to generate the hash for the password. Also, add the username and password generated here in the Shared Configuration as specified in step (5) above.

        /etc/elasticsearch/plugins/search-guard-7/tools/hash.sh -p <clear_text_password>
        
        #This will output a hashed password (<hash_password>), make a copy of it
      2. Prepare the configuration snippet to add a new(admin) user with the hashed password obtained from previous step

        <username>:
            hash: "<hashed_password>"
            backend_roles:
               - "admin"
            description: "Insight Elastic admin user"
      3. Paste the above snippet to the end of this file sg_internal_users.yml located at /etc/elasticsearch/plugins/search-guard-7/sgconfig/


    3. Enable anonymous access to “_cluster/health” endpoint. This is required to check the health of Elasticsearch cluster.
      1. Enable anonymous auth in this file sg_config.yml at /etc/elasticsearch/plugins/search-guard-7/sgconfig/

        sg_config:
               dynamic:
                  http:
                     anonymous_auth_enabled: true #set this to true
      2. Map anonymous user sg_anonymous to backend role sg_anonymous_backendrole in this file sg_roles_mapping.yml at /etc/elasticsearch/plugins/search-guard-7/sgconfig

        sg_anonymous:
            backend_roles:
                - sg_anonymous_backendrole
      3. Add this snippet to the end of this file sg_roles.yml located at /etc/elasticsearch/plugins/search-guard-7/sgconfig

        sg_anonymous:
          cluster_permissions:
            - cluster:monitor/health
  5. Extract the contents of the compressed archive and go to the extracted folder.

    Untar
    tar -xvf jfrog-insight-<version>-linux.tar.gz
  6. Replace the existing $JFROG_HOME/insight/app with the new app folder.

    Upgrade
    # Export variables to simplify commands
    export JFROG_HOME=/opt/jfrog
    export JF_NEW_VERSION=/opt/jfrog/insight-4.x
    
    # Remove app
    rm -rf $JFROG_HOME/insight/app
    
    # Copy new app
    cp -r $JF_NEW_VERSION/app $JFROG_HOME/insight
    
    # Remove extracted new version
    rm -rf $JF_NEW_VERSION
    
  7. Run the migration script to remove old service directories.

    Run the migration script with the same privileges as you have in your current Insight installation. This script will remove old services directories, redundant service yaml files in router  and translate your current configurations to the new configuration format, according to the new file system layout.
    
    $JFROG_HOME variable points to the new installation
    export JFROG_HOME=<Full path to jfrog directory, for example: /opt/jfrog>
    cd $JFROG_HOME/insight/app/bin
    ./migrate.sh
    Check that the migration has completed successfully, by reviewing the following files:
     - migration log: $JFROG_HOME/insight/var/log/migration.log
    - system.yaml configuration: $JFROG_HOME/insight/var/etc/system.yaml
       This newly created file will contain your current custom configurations in the new format.
  8. Manage Insight.

    $JFROG_HOME/app/bin/insight.sh start|stop
  9. Access Insight from your browser at: http://<jfrogUrl>/ui/, go the Dashboard tab in the Application module in the UI.
  10. Check Insight Log.

    tail -f $JFROG_HOME/insight/var/log/console.log

Helm Upgrade

Once you have a new chart version, you can update your deployment.

Non-Compatible Upgrades

In cases where a new version is not compatible with existing deployed version (see the relevant Changelog), you will need to do the following:

  • Deploy a new version along side the old version (and set a new release name)
  • Copy configurations and data from old deployment to the new one


To upgrade.

  1. Verify that you have upgraded Artifactory to v.7x. For more information, see Helm Upgrade.
  2. Update the existing deployed version to the updated version.

    helm upgrade insight jfrog/insight
  3. Stop the old Insight pod (scale down replicas to 0) (PostgreSQL remains in place).

    $ kubectl scale statefulsets <OLD_RELEASE_NAME>-insight --replicas=0
  4. Export data from the old PostgreSQL instance in the following way.
    1. Connect to the old PostgreSQL pod (you can get the name by running kubectl get pods).

      $ kubectl exec -it <OLD_RELEASE_NAME>-postgresql bash
    2. Copy the jfmcDataExport.sh file and run the following commands.

      $ kubectl cp ./jfmcDataExport.sh <OLD_RELEASE_NAME>-postgresql:/tmp/jfmcDataExport.sh
      $ chown postgres:postgres /tmp/jfmcDataExport.sh
      $ su postgres -c "PGPASSWORD=password bash /tmp/jfmcDataExport.sh --output=/tmp"
      if you are on 2x charts(operating system user postgres is not there) run ./jfmcDataExport.sh --output=/tmp and provide jfmc user password
    3. Copy the exported file to your local system.

      $ kubectl cp <OLD_RELEASE_NAME>-postgresql:/tmp/jfmcDataExport.tar.gz ./jfmcDataExport.tar.gz
  5. Install the new Insight and copy the exported file.
    1. Run the helm install with the new version called insight-new.
    2. Copy the exported tar file to the new Insight pod.

      $ kubectl cp ./jfmcDataExport.tar.gz <NEW_RELEASE_NAME>-insight:/opt/jfrog/mc/var/bootstrap/mc/jfmcDataExport.tar.gz -c insight
    3. Restart the new Insight pod.
    4. Validate that the import was successful. The filename should be renamed to jfmcDataExport.tar.gz.done (it will be renamed to jfmcDataExport.tar.gz.failed if the import procedure failed).
  6. Run the following command to remove the old Insight deployment and Helm release.

    helm delete <OLD_RELEASE_NAME>
  7. Access Insight from your browser at: http://<jfrogUrl>/ui/, then go to the Security & Compliance tab in the Application module in the UI.

  8. Check the status of your deployed Helm releases.

    helm status insight

    Insight should now be available.

  • No labels
Copyright © 2022 JFrog Ltd.