About upgrading your enforcers

We recommend upgrading your enforcers each time you upgrade your control plane, but it is not required. Older enforcers continue communicating with newer control planes.

IMPORTANT

Never upgrade your enforcers without upgrading the control plane first. Newer enforcers cannot communicate with older control planes.

The enforcer must restart to complete the upgrade. While the enforcer is restarting, all traffic is allowed.

To upgrade your enforcers, refer to the section that corresponds to your target hosts.

Kubernetes/OpenShift clusters

  1. Update the aporeto Helm repo.

    helm repo add aporeto https://charts.aporeto.com/clients
    
  2. Upgrade the operator.

    helm upgrade aporeto-operator aporeto/aporeto-operator \
    --namespace aporeto-operator 
    
  3. Upgrade the enforcer.

    helm upgrade enforcerd aporeto/enforcerd \
    --namespace aporeto 
    
  4. From the Aporeto web interface, navigate to the namespace of your cluster and click Enforcers. You should observe the enforcers disconnect and reconnect as they restart. After they reconnect, they should have the latest enforcer version number: 1.1201.4.

Linux hosts

About upgrading Linux hosts

Aporeto offers two types of installations on Linux hosts. To upgrade, refer to the section that matches your installation type.

Upgrading enforcers running as services

  1. If you are hosting your own repository, you must first download the enforcer packages and upload them to your own repository. Otherwise, skip to step 2.

    # -O saves each package under its remote file name; -f fails on HTTP errors
    # instead of saving an error page as the package.
    curl -fO https://download.aporeto.com/enforcerd/enforcerd-1.1201.4.amd64.deb
    curl -fO https://download.aporeto.com/enforcerd/enforcerd-1.1201.4.x86_64.rpm
    curl -fO https://download.aporeto.com/enforcerd/enforcerd-initd-1.1201.4.x86_64.rpm
    curl -fO https://download.aporeto.com/enforcerd/enforcerd-rhel6-1.1201.4.x86_64.rpm
    curl -fO https://download.aporeto.com/enforcerd/enforcerd-sshplugin-1.1201.4.amd64.deb
    curl -fO https://download.aporeto.com/enforcerd/enforcerd-sshplugin-1.1201.4.x86_64.rpm
    curl -fO https://download.aporeto.com/enforcerd/enforcerd-upstart-1.1201.4.amd64.deb
    
  2. Access the target host, such as by establishing an SSH session.

    ssh -i "private-key.pem" ubuntu@ec2-36-200-154-69.us-west-2.compute.amazonaws.com
    
  3. Update the repository to point to the latest version. Run only the command that matches your distribution.

    # Ubuntu
    echo "deb [arch=$(dpkg --print-architecture)] \
    https://repo.aporeto.com/ubuntu/$(lsb_release -cs) aporeto main" \
    | sudo tee /etc/apt/sources.list.d/aporeto.list
    
    # Debian
    echo "deb [arch=$(dpkg --print-architecture)] \
    https://repo.aporeto.com/debian/$(lsb_release -cs) aporeto main" \
    | sudo tee /etc/apt/sources.list.d/aporeto.list
    
    # CentOS
    cat << EOF | sudo tee /etc/yum.repos.d/Aporeto.repo
    [Aporeto]
    name=aporeto
    baseurl=https://repo.aporeto.com/centos/\$releasever/
    gpgkey=https://download.aporeto.com/aporeto-packages.gpg
    gpgcheck=1
    repo_gpgcheck=1
    enabled=1
    EOF
    
    # Red Hat
    cat << EOF | sudo tee /etc/yum.repos.d/Aporeto.repo
    [Aporeto]
    name=aporeto
    baseurl=https://repo.aporeto.com/redhat/\$releasever/
    gpgkey=https://download.aporeto.com/aporeto-packages.gpg
    gpgcheck=1
    repo_gpgcheck=1
    enabled=1
    EOF
    
    # Other yum-based distributions (nodist repository)
    cat << EOF | sudo tee /etc/yum.repos.d/Aporeto.repo
    [Aporeto]
    name=aporeto
    baseurl=https://repo.aporeto.com/nodist/yum/
    gpgkey=https://download.aporeto.com/aporeto-packages.gpg
    gpgcheck=1
    repo_gpgcheck=1
    enabled=1
    EOF
    

    TIP

    If you are hosting your own repository, you must replace https://repo.aporeto.com in the above commands with its location. In some distributions, you also need to adjust the GPG key check to match your setup.

  4. Update the repository.

    # apt-based hosts
    sudo apt update
    
    # yum-based hosts
    sudo yum update
    

  5. Upgrade the enforcer.

    # apt-based hosts
    sudo apt upgrade enforcerd
    
    # yum-based hosts
    sudo yum upgrade enforcerd
    

  6. Restart the enforcer.

    # systemd
    sudo systemctl restart enforcerd
    sudo systemctl status enforcerd
    
    # Upstart
    sudo restart enforcerd
    sudo status enforcerd
    
    # init.d
    sudo /etc/init.d/enforcerd restart
    sudo /etc/init.d/enforcerd status
    

  7. From the Aporeto web interface, navigate to the namespace of your cluster and click Enforcers. You should observe the enforcers disconnect and reconnect as they restart. After they reconnect, they should have the latest enforcer version number: 1.1201.4.
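
The yum repository files in step 3 set gpgcheck=1 and repo_gpgcheck=1, and the tip allows adjusting the GPG key check for a self-hosted repository. The following added example (not part of the Aporeto documentation) audits a .repo file so that such an adjustment does not leave signature verification switched off; the function name audit_yum_repo and the host repo.example.internal are assumptions made for illustration.

```shell
#!/bin/sh
# audit_yum_repo FILE: print one finding per enabled section of a yum .repo
# file that does not pin signature checking; return 1 if anything was found.
# A key missing from a section inherits from [main] in yum.conf, so it is
# reported too, to be checked by hand.
audit_yum_repo() {
    awk '
    function report(msg) { printf "[%s] %s\n", sec, msg; bad = 1 }
    function check_section() {
        if (sec == "" || enabled == "0") return
        if (gpgcheck != "1") report("gpgcheck is not set to 1")
        if (repo_gpgcheck != "1") report("repo_gpgcheck is not set to 1")
        if (gpgkey == "") report("gpgkey is not set")
        else if (gpgkey ~ /^(http|ftp):/) report("gpgkey is fetched without TLS: " gpgkey)
    }
    /^[ \t]*(#|;|$)/ { next }                      # comments and blank lines
    /^[ \t]*\[/ {                                  # start of a new [section]
        check_section(); sec = $0
        gsub(/^[ \t]*\[|\].*$/, "", sec)
        enabled = "1"; gpgcheck = ""; repo_gpgcheck = ""; gpgkey = ""
        next
    }
    {
        i = index($0, "="); if (i == 0) next
        k = substr($0, 1, i - 1); v = substr($0, i + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
        if (k == "enabled") enabled = v
        else if (k == "gpgcheck") gpgcheck = v
        else if (k == "repo_gpgcheck") repo_gpgcheck = v
        else if (k == "gpgkey") gpgkey = v
    }
    END { check_section(); exit bad + 0 }
    ' "$1"
}

# Constructed sample: a self-hosted mirror entry with package checks disabled.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[Aporeto]
name=aporeto
baseurl=https://repo.example.internal/centos/$releasever/
gpgkey=http://repo.example.internal/aporeto-packages.gpg
gpgcheck=0
enabled=1
EOF
audit_yum_repo "$sample" || echo "review the findings above before upgrading"
rm -f "$sample"
```

Run it against /etc/yum.repos.d/Aporeto.repo after step 3 and before step 4; a non-zero exit status means at least one enabled section needs review.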

Upgrading enforcers running in containers

  1. If you are using a private registry, you must first pull down the new container image. Otherwise, skip to step 2.

    sudo docker pull aporeto/enforcerd:release-3.14.6
    

    Then push the image to your own registry, which typically requires credentials.

  2. Access the target host, such as by establishing an SSH session.

    ssh -i "private-key.pem" ubuntu@ec2-36-200-154-69.us-west-2.compute.amazonaws.com
    
  3. Stop and remove the old container.

    sudo docker stop enforcerd
    sudo docker rm enforcerd
    
  4. Use the command that matches your original installation method to install the new container.

    # Original install used an app credential file (ENFORCERD_APPCREDS)
    sudo modprobe nf_conntrack; \
      sudo modprobe nf_conntrack_ipv4; \
      sudo modprobe nf_conntrack_ipv6; \
      sudo modprobe ip6table_nat; \
      sudo modprobe ip6_tables; \
      sudo modprobe ip6table_mangle;
    sudo docker run \
      -d \
      --name=enforcerd \
      --privileged=true \
      --net=host \
      --pid=host \
      --restart=always \
      -v /lib/modules:/lib/modules \
      -v /var/run:/var/run:rw \
      -v /sys:/sys \
      -v /var/lib/aporeto:/var/lib/aporeto \
      -v /usr/share/aporeto:/usr/share/aporeto \
      -e ENFORCERD_COMPRESSED_TAGS=1 \
      -e ENFORCERD_APPCREDS=/var/lib/aporeto/enforcerd.creds \
      -e ENFORCERD_ENABLE_IPV6=1 \
      aporeto/enforcerd:release-3.14.6
    sudo docker ps --filter 'name=enforcerd'
    
    # Original install used ENFORCERD_NAMESPACE with no token or credential file
    sudo modprobe nf_conntrack; \
      sudo modprobe nf_conntrack_ipv4; \
      sudo modprobe nf_conntrack_ipv6; \
      sudo modprobe ip6table_nat; \
      sudo modprobe ip6_tables; \
      sudo modprobe ip6table_mangle;
    sudo docker run \
      -d \
      --name=enforcerd \
      --privileged=true \
      --net=host \
      --pid=host \
      --restart=always \
      -v /lib/modules:/lib/modules \
      -v /var/run:/var/run:rw \
      -v /sys:/sys \
      -v /var/lib/aporeto:/var/lib/aporeto \
      -v /usr/share/aporeto:/usr/share/aporeto \
      -e ENFORCERD_NAMESPACE="$ENFORCERD_NAMESPACE" \
      -e ENFORCERD_COMPRESSED_TAGS=1 \
      -e ENFORCERD_ENABLE_IPV6=1 \
      -e ENFORCERD_API=https://api.console.aporeto.com \
      aporeto/enforcerd:release-3.14.6
    sudo docker ps --filter 'name=enforcerd'
    
    # Original install used a token (ENFORCERD_TOKEN)
    sudo modprobe nf_conntrack; \
      sudo modprobe nf_conntrack_ipv4; \
      sudo modprobe nf_conntrack_ipv6; \
      sudo modprobe ip6table_nat; \
      sudo modprobe ip6_tables; \
      sudo modprobe ip6table_mangle;
    sudo docker run \
      -d \
      --name=enforcerd \
      --privileged=true \
      --net=host \
      --pid=host \
      --restart=always \
      -v /lib/modules:/lib/modules \
      -v /var/run:/var/run:rw \
      -v /sys:/sys \
      -v /var/lib/aporeto:/var/lib/aporeto \
      -v /usr/share/aporeto:/usr/share/aporeto \
      -e ENFORCERD_TOKEN="$TOKEN" \
      -e ENFORCERD_COMPRESSED_TAGS=1 \
      -e ENFORCERD_PERSIST_CREDENTIALS=true \
      -e ENFORCERD_ENABLE_IPV6=1 \
      -e ENFORCERD_API=https://api.console.aporeto.com \
      aporeto/enforcerd:release-3.14.6
    sudo docker ps --filter 'name=enforcerd'
    

    IMPORTANT

    If you used the advanced on-premise install and chose to store the token only in memory, you must reprovision the credential. Refer to the installation documentation for instructions.

  5. From the Aporeto web interface, navigate to the namespace of your cluster and click Enforcers. You should observe the enforcers disconnect and reconnect as they restart. After they reconnect, they should have the latest enforcer version number: 1.1201.4.

Windows hosts

  1. Access the remote host according to your preferred means, such as via SSH or Remote Desktop.

  2. Uninstall the enforcer.

    msiexec /x enforcer.msi
    
  3. Follow the installation instructions to reinstall the enforcer.

  4. After installing the enforcer, use the Aporeto web interface to confirm that it has the latest enforcer version number: 1.1201.4.