Hi Jon,
Thank you for your response and we appreciate it.
We tried to install the fixpack in the container by updating the docker-compose.yaml and .env(we are using the same files in your git repo)
Notice that there is no *.fixpack file in this release, only *.pkg, unlike when we do it in our appliance.
https://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FTivoli%2FIBM+Security+Verify+Access&fixids=10.0.0-ISS-ISVA-FP0001&source=SAR&function=fixId&parent=IBM%20SecurityBut upon recreating of container, we received this error:
isam-config_1 | 2020-10-21T08:05:59+0800: ---- Applying fixpack: isva_10.0.0.1_20200928-1645.pkg
isam-dsc_1 | 2020-10-21T08:06:02+0800: ---- Applying fixpack: isva_10.0.0.1_20200928-1645.pkg
isam-webseal_1 | 2020-10-21T08:06:23+0800: ---- Applying fixpack: isva_10.0.0.1_20200928-1645.pkg
isam-config_1 | isva_10.0.0.1_20200928-1645.pkg: Signature verified
isam-config_1 | isva_10.0.0.1_20200928-1645.pkg: Fix pack is not in the correct format
isam-config_1 | umount: /tmp/mesa_install_fixpack566.mJPbsQ: must be superuser to umount
isam-config_1 | isva_10.0.0.1_20200928-1645.pkg install failed
isam-config_1 | isva_10.0.0.1_20200928-1645.pkg install failed
isam-config_1 | 2020-10-21T08:06:34+0800: ---- Failed to apply fixpack: isva_10.0.0.1_20200928-1645.pkg
isam-dsc_1 | isva_10.0.0.1_20200928-1645.pkg: Signature verified
isam-dsc_1 | isva_10.0.0.1_20200928-1645.pkg: Fix pack is not in the correct format
isam-dsc_1 | umount: /tmp/mesa_install_fixpack527.19B4cy: must be superuser to umount
isam-dsc_1 | isva_10.0.0.1_20200928-1645.pkg install failed
isam-dsc_1 | isva_10.0.0.1_20200928-1645.pkg install failed
isam-dsc_1 | 2020-10-21T08:06:40+0800: ---- Failed to apply fixpack: isva_10.0.0.1_20200928-1645.pkg
isam-webseal_1 | isva_10.0.0.1_20200928-1645.pkg: Signature verified
isam-webseal_1 | isva_10.0.0.1_20200928-1645.pkg: Fix pack is not in the correct format
isam-webseal_1 | umount: /tmp/mesa_install_fixpack532.XtZ7cP: must be superuser to umount
isam-webseal_1 | isva_10.0.0.1_20200928-1645.pkg install failed
isam-webseal_1 | isva_10.0.0.1_20200928-1645.pkg install failed
isam-webseal_1 | 2020-10-21T08:07:00+0800: ---- Failed to apply fixpack: isva_10.0.0.1_20200928-1645.pkg
Appreciate your help here Jon. Thank you.
------------------------------
Pang Dela Cruz
Middleware Administrator
ADB
------------------------------
Original Message:
Sent: Wed October 21, 2020 02:42 AM
From: Jon Harry
Subject: Upgrading the ISAM Docker image
Pang,
I'm pretty sure that you will not see an upgrade of the config file moving to 10.0.0.1 because this is just a fixpack release.
Jon.
------------------------------
Jon Harry
Consulting IT Security Specialist
IBM
Original Message:
Sent: Tue October 20, 2020 09:24 PM
From: Pang Dela Cruz
Subject: Upgrading the ISAM Docker image
Hi Jon,
As we are trying to upgrade our container, I have stumble upon this post. We also wanted a seamless upgrade of the containers like what we are having in the appliance version.
We have ibmcom/verify-access:10.0.0.0 and would like to upgrade to 10.0.0.1, as what you mentioned we need to upgrade the configuration container first. We did the below steps:
1. We are using docker-compose, we updated docker-compose.yaml for config container and the rest are still 10.0.0.0:
isam-config:
image: ibmcom/verify-access:10.0.0.1
we have an existing snapshot isva_10.0.0.0_published.snapshot in our volume
2. run docker-compose -f docker-compose.yaml up -d
output:
Recreating isam_isam-config_1 ...
isam_isam-dsc_1 is up-to-date
Recreating isam_isam-config_1 ... done
879931ceacd7 ibmcom/verify-access:10.0.0.1 "/sbin/bootstrap.sh" 34 minutes ago Up 34 minutes (healthy) 443/tcp, 0.0.0.0:9443->9443/tcp isam_isam-config_1
8a9b3696602f ibmcom/verify-access:10.0.0.0 "/sbin/bootstrap.sh" 41 hours ago Up 41 hours (healthy) 0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp, 9443/tcp isam_isam-webseal_1
711034e4a4ea ibmcom/verify-access:10.0.0.0 "/sbin/bootstrap.sh" 41 hours ago Up 41 hours (healthy) 9443/tcp, 0.0.0.0:10443->443/tcp, 0.0.0.0:10444->444/tcp isam_isam-dsc_1
3. access config container. upload license.
Please correct me if I am wrong here, it says that it will automatically convert our old version snapshot in the volume, but in which part? We where tailing the logs of docker-compose the whole time no conversion was done. Please let us know if we miss a step here.
Thank you.
------------------------------
Pang Dela Cruz
Original Message:
Sent: Thu January 16, 2020 11:42 AM
From: Jon Harry
Subject: Upgrading the ISAM Docker image
Sushant,
Upgrade should be achieved by upgrading the configuration container to 9.0.7.0. When the 9.0.7.0 configuration container starts it detects it has no 9.0.7.0 snapshot available, reads the 9.0.4.0 snapshot, converts it to 9.0.7.0, and saves it as 9.0.7.0 snapshot. Any configuration changes made are saved as updated 9.0.7.0 snapshots. The 9.0.4.0 snapshot is not updated.
As you upgrade other containers (your WebSEALs) to 9.0.7.0 they will read this 9.0.7.0 snapshot and use it.
Old WebSEALs (still at 9.0.4.0) will read the 9.0.4.0 snapshot.
I didn't understand your issue with expired certificates. I don't understand how the upgrade from 9.0.4.0 to 9.0.7.0 cause certificate expiry.
Jon.
------------------------------
Jon Harry
Consulting IT Security Specialist
IBM
Original Message:
Sent: Thu January 16, 2020 12:45 AM
From: Sushant Dusad
Subject: Upgrading the ISAM Docker image
Hi All,
Currently we are using the ISAM Docker Image for Version 9.0.4 and it has been configured with an external SDS.
We need to upgrade this to v9.0.7 but are unsure as to how that will work.
We tried using the snapshot of the v9.0.4 and copied it in v9.0.7 but due to some expired CA certificates that does not work and all the WebSEAL instances are not starting up. We also tried updating those CA certificates but that did not help.
We would like to do a seamless upgrade without affecting the current configuration.
We currently have 4 docker containers running, where 1 is running as the config service where as the other 3 are running as WebSEALs.
Any pointers in this direction would help.
------------------------------
Sushant Dusad
Associate Technical Manager
Great Software Laboratory
Pune
------------------------------