Updating TNSR

With a signed client certificate from Netgate in place, TNSR has access to the Netgate software repositories which contain important updates to TNSR. These updates can be retrieved using the package upgrade command in the TNSR CLI.

Note

Updating TNSR also updates the operating system. Even when there are no TNSR updates available, it is a good practice to periodically perform an update to obtain important operating system updates such as security vulnerability mitigations.

See also

Most of this document covers in-place updates. For information on updating by redeploying/reinstalling, see Upgrading by Redeploying TNSR.

Warning

There is no method to upgrade in-place from a CentOS-based TNSR installation to an Ubuntu-based TNSR installation. The only way to migrate to Ubuntu is by backing up, reinstalling, and then restoring the old configuration.

Pre-Upgrade Tasks

Before updating TNSR, perform the following tasks:

  • Read through the Netgate TNSR Releases release notes for the new version to identify relevant changes in behavior which may require special actions before or after the upgrade

  • Make sure the signed certificate is in place (Install the certificate)

  • Check the ownership and permissions of the update certificate. The files must by owned by the _apt user.

    See Certificate File Permissions for details.

  • Make sure the TNSR instance has working Internet connectivity

  • Have installation media ready for the new version of TNSR software. Problems during an in-place update may require reinstallation of TNSR software.

  • Take a backup of the running and startup configurations, plus other important files such as the signed certificate and keys (Configuration Backups)

  • Save a configuration history version, if enabled:

    tnsr# configure
    tnsr(config)# configuration history version save before-upgrade-xx.yy
    

    Replace xx.yy with the new TNSR version.

  • If TNSR is running as a virtual machine, take a snapshot

Tip

Though it is optional, best practices for updating include a pre-upgrade reboot. This reboot ensures that the hardware and installation are functional before attempting the upgrade. This can help identify potential hardware and other issues, such as storage failures, so they do not present themselves unexpectedly during the upgrade.

Updating TNSR In-place

Updating TNSR in place will upgrade both TNSR and the operating system to the latest available versions without reinstalling from scratch.

Warning

Check Version-Specific Upgrade Notes for specific notes on upgrading from past versions of TNSR software.

Updates via the TNSR CLI

The easiest way to update TNSR is from within the TNSR CLI:

tnsr# package upgrade

That command will download and apply all available updates for TNSR and the operating system. The upgrade output will instruct the administrator to reboot when the TNSR upgrade process is complete.

Note

There will be no output from this command until the process completely finishes or times out, which may take a several minutes for larger upgrades.

Note

Running this command when there is no new version of TNSR software will upgrade base operating system components, including upstream security fixes. In this case, the upgrade script will only prompt to reboot when there is a kernel change.

Example output from a successful upgrade:

tnsr# package upgrade
TNSR is going to upgrade packages. It can take several minutes.

Looking for packages to be upgraded
Getting repository metadata for TNSR 24.02
Removing HWE kernel packages
Executing pre upgrade scripts
Upgrading TNSR to 24.02
Executing post upgrade scripts
TNSR was upgraded to 24.02. Please reboot the system.

Warning

The CLI command may time out before it fully completes all of the required upgrade tasks. When this happens, the command output printed to the CLI will only reflect the portions of the upgrade completed before it timed out.

If this happens, run the package upgrade command again. If the process completed, it will detect that and print the final result. If the upgrade process is still working in the background it will reattach to the existing session and show its output.

tnsr# package upgrade
TNSR is going to upgrade packages. It can take several minutes.

Previous TNSR upgrade attempt exited with the following result:

TNSR was upgraded to 24.02. Please reboot the system.

Please reboot the system to continue upgrading TNSR.

Do not reboot TNSR until instructed to do so by the upgrade output.

Kernel Changes Require a Mid-Upgrade Reboot

In some cases the upgrade process may also need to change the kernel. For example, previous versions of TNSR software have used “HWE” kernels which are no longer necessary.

If this is necessary, the upgrade process will print a message stating that it changed the kernel and that a reboot is necessary before it can continue. When this happens, reboot and then run package upgrade again to complete the upgrade.

Example output when the kernel changes:

tnsr# package upgrade
TNSR is going to upgrade packages. It can take several minutes.

Previous TNSR upgrade attempt exited with the following result:

System is running HWE kernel, which is not compatible with next TNSR version.
Proper kernel is now configured to be used on next boot. Please reboot the
system immediately and re-run upgrade to finish upgrade process.

Please reboot the system to continue upgrading TNSR.

Reboot the router as directed:

tnsr# configure
tnsr(config)# reboot now
Reboot initiated. Are you sure? [yes/no]
yes

Run package upgrade again to complete the upgrade:

tnsr# package upgrade
TNSR is going to upgrade packages. It can take several minutes.

Looking for packages to be upgraded
Getting repository metadata for TNSR 24.02
Removing HWE kernel packages
Executing pre upgrade scripts
Upgrading TNSR to 24.02
Executing post upgrade scripts
TNSR was upgraded to 24.02. Please reboot the system.

Updating via the shell

TNSR can also be updated from the command line using the tnsr-upgrade script:

$ sudo tnsr-upgrade
$ sudo reboot

The rest of the procedure is the same as described in Updates via the TNSR CLI with regard to following the directions in the output about when to reboot and if it needs run multiple times.

Version-Specific Upgrade Notes

Upgrading from TNSR 23.11

TNSR software version 23.11 had a minor issue in package upgrade which could cause the command to timeout when run from the TNSR CLI. This problem scenario is already covered by Updates via the TNSR CLI but there is an alternative workaround.

The upgrade script can be run from a shell prompt as described in Updating via the shell and when run from the shell, it is not subjected to the TNSR CLI command timeout issue.

Once the system is running TNSR software version 24.02 or later, future upgrades can be performed at the CLI as described in Updates via the TNSR CLI.

Upgrading from TNSR 23.06 and earlier

TNSR software versions 23.06 and earlier have a known issue with the package upgrade method which can make upgrading problematic.

On systems running these older versions, upgrades must be performed by using apt.

From a shell prompt, run the following commands to update and reboot:

$ sudo apt update
$ sudo apt full-upgrade -y
$ sudo reboot

Note

The upgrade process may prompt to replace existing configuration files for TNSR service daemons such as Kea, VPP, and others. These files are managed by TNSR itself, and TNSR will overwrite them as needed. If prompted, the best practice is to answer N to keep the existing configuration files. Either way, once TNSR is restarted it will replace them with its own configuration data.

Once the system is running TNSR software version 24.02 or later, future upgrades can be performed at the CLI as described in Updates via the TNSR CLI.

Post-Upgrade Reboot

TNSR upgrades include kernel updates, driver updates, and other operating system component updates. As such, the best practice is to reboot after upgrading these to ensure the device is running the proper kernel and is using a consistent set of updated system components.

The reboot procedure is covered in Rebooting the Router.

Updating the Configuration Database

Automatic Configuration Update

TNSR has its own automatic configuration upgrade procedures which accommodate changes made to the configuration database structure between versions.

Warning

The TNSR configuration upgrade only alters the running configuration database and not the startup database. After starting TNSR the first time post-upgrade, validate the running configuration. If the running configuration is OK, copy it to the startup configuration:

tnsr# config
tnsr(config)# configuration copy running startup

Manual Configuration Update

Any errors which could not be corrected by the automatic configuration upgrade process must be corrected by hand. Alternately, the configuration databases may be erased and recreated from scratch.

To attempt manual corrections, check the system logs after attempting to start TNSR for information about which configuration entries are causing the failure. View the logs with sudo systemctl status clixon-backend.service, sudo journalctl -xelu clixon-backend.service and sudo journalctl -xe.

A log entry for a configuration problem could look like the following example:

clixon_backend: startup_failsafe: 297: Database error: Startup failed and no
  Failsafe database found, exiting
clixon_backend: <rpc-reply><rpc-error>
  <error-type>application</error-type>
  <error-tag>unknown-element</error-tag><error-info>
  <bad-element>someinvalidtag</bad-element></error-info>
  <error-severity>error</error-severity>
  <error-message>namespace is: urn:ietf:params:xml:ns:netconf:base:1.0</error-message>
  </rpc-error></rpc-reply>

To correct such problems, stop TNSR, edit the configuration in /var/tnsr/running_db (e.g. sudo vi /var/tnsr/running_db), erase or adjust the offending tag or configuration section, copy the repaired configuration to /var/tnsr/startup_db, and attempt to start TNSR again. Repeat until no errors are reported and TNSR starts normally.

To erase the configuration database, remove its files from /var/tnsr:

$ sudo rm /var/tnsr/*_db

After removing the configuration and starting TNSR, the TNSR configuration will need to be created again manually from scratch using the CLI or RESTCONF. Open the contents of a configuration backup in a text editor to use as a guide.

Additional Reboot / Update Verification

After performing a TNSR update and updating the configuration, administrators may wish to perform a reboot of the router to ensure it starts up correctly with the expected configuration.

This practice ensures that the router performs as expected at startup during an upgrade maintenance window.

Once the upgrade has been validated as working, create a new configuration history version, if enabled:

tnsr# configure
tnsr(config)# configuration history version save after-upgrade-xx.yy

Replace xx.yy with the new TNSR version.

Upgrading by Redeploying TNSR

Rather than performing an in-place update of a TNSR installation, administrators may instead choose to deploy a fresh instance of TNSR using the new version. This practice is typical of environments such as cloud providers or virtual machines, but may be performed for ISO installations and others as well.

In those cases, follow this general procedure:

  • Take a backup of the configuration and other important files (e.g. PKI data)

  • Deploy a new instance of TNSR using the installation instructions for the chosen platform

  • Restore the configuration and other files

  • Update the configuration (Updating the Configuration Database)

See Configuration Backups for details on saving and restoring configuration backups, and review Updating the Configuration Database for important information about updating the configuration for a new version of TNSR.