Method of Procedure Document BIG-IP system software upgrades VCMP Software 11.6.1 to 13.1.1.4 PT BANK RAKYAT INDONESIA, TBK (PERSERO) Version 1.0
Prepared for: PT. Bank Rakyat Indonesia, Tbk
© 2019 PT. IP Network Solusindo. All rights reserved. This document contains confidential information and is intended solely for PT. Bank Rakyat Indonesia, Tbk and PT. IP Network Solusindo.
TITLE: Method of Procedure Document BIG-IP system software upgrades VCMP Software 11.6.1 to 13.1.1.4 PT BANK RAKYAT INDONESIA, TBK (PERSERO) Version 1.0
OWNER: Abdul Rochim

Revision history
REV.  Rev Date  Description  Changed By  Checked By
1.0

First Party: PT Bank Rakyat Indonesia (Persero) Tbk
Division: Head of CAN Section (Kepala Bagian CAN)
Name: Nugroho Pancayogo
Signature:                Date:
Signature:                Date:

Second Party: PT IP Network Solusindo
Division: Service Delivery Manager    Name: Doris Taneo     Signature:    Date:
Division: Senior Security Engineer    Name: Abdul Rochim    Signature:    Date:
Table of Contents
1. Introduction F5 Bank BRI
   1.1 Device Serial Numbers
   1.2 To Do
   1.3 Objective
   1.4 Tools/Requirements
   1.5 Site Location & Schedule Activity
   1.6 Pre-Activity Works
   1.2 F5 Topology
   1.2.1 F5 Topology BRI Sudirman
   1.2.2 F5 Topology BRI GTI Ragunan
2. Choosing - BIG-IP upgrade version
   2.1 The F5 hardware/software compatibility matrix
   2.2 Overview of supported BIG-IP upgrade paths and an upgrade planning reference
3. Preparing for a software upgrade
4. Importing the BIG-IP configuration
5. Upgrading software on a vCMP system
1. Introduction F5 Bank BRI

1.1 Device Serial Numbers

No  Platform      Serial Number        Hostname            Location         OS Version
1   5250v (C109)  f5-vmoj-azgm (C109)  phoenix.bri.co.id   BRI Sudirman     11.6.1
2   5250v (C109)  f5-eyry-folv (C109)  vapula.bri.co.id    BRI Sudirman     11.6.1
3   5250v (C109)  f5-liov-qcya (C109)  soekarno.bri.co.id  BRI GTI Ragunan  11.6.1
4   5250v (C109)  f5-lswc-esot (C109)  hatta.bri.co.id     BRI GTI Ragunan  11.6.1
1.2 To Do
This document was prepared for upgrading the BIG-IP F5 software.

1.3 Objective
Upgrade the BIG-IP F5 software from 11.6.1 to 13.1.1.4.
1.4 Tools/Requirements
- Laptop
- Internet access
- User monitoring
- Traffic monitoring
1.5 Site Location & Schedule Activity
Estimated Time:
Service Impact: Yes
1.6 Pre-Activity Works
- Back up and download the configuration archive (UCS) of each guest.
- Back up and download a QKView of each guest and of the host.
- Confirm that the ISO for software version 13.1.1.4 has been downloaded.
- Make sure the existing functions (LTM, GTM, ASM, APM) are running normally.
1.2 F5 Topology

1.2.1 F5 Topology BRI Sudirman

[Figure 1 is a topology diagram that is not reproduced in this text. Devices and networks shown: Router XL (ISP XL), Router Linknet (ISP LINKNET), PA-5020 Cassowary, PA-5020 Ostrich, IPS SourceFire (Semeru), SRX 650 Rabbit, the F5 pair (HA) with mgt interfaces, SW INET, SW New Rak 1 Q50 (Cisco 2950), SW 172.22.49.x Q50, Switch Mgt, Bank BRI Server Segment (New DMZ) 172.20.50.0/24.]

Figure 1 : Existing Topology F5 BRI - Site Sudirman
1.2.2 F5 Topology BRI GTI Ragunan

[Figure 2 is a topology diagram that is not reproduced in this text. Devices and networks shown: DMZ 172.18.104.0/24, 139.0.15.168/29, EX42-48T-ACCESS DMZ INTERNAL, EX82-CORE-A and EX82-CORE-B (INTERNAL NETWORK), the F5 pair with MGT interfaces, 2960-AGG-DMZ, FW CROW-CHECKPOINT, SWITCH INET, MXB, 172.18.151.107, 172.18.105.3/28.]

Figure 2 : Existing Topology F5 BRI - Site Ragunan
2. Choosing - BIG-IP upgrade version

2.1 The F5 hardware/software compatibility matrix

2.2 Overview of supported BIG-IP upgrade paths and an upgrade planning reference
3. Preparing for a software upgrade

Before performing your software upgrade, F5 recommends that you make the following preparations. Mark the Status of each item Ok or Not as it is completed.

1. Open a proactive service request with F5 Technical Support to accompany the version upgrade.
   Estimated Time: 1 Minute. Status: Ok / Not.
2. Confirm the BIG-IP software version using the TMOS Shell (tmsh) show /sys software status command.
   Estimated Time: 2 Minutes. Status: Ok / Not.
3. Check the integrity of the running configuration using the tmsh load /sys config verify command.
   Estimated Time: 2 Minutes. Status: Ok / Not.
4. Reactivate the system license: verify the service check date of your license, then reactivate (procedures below).
   Estimated Time: 10 Minutes. Status: Ok / Not.
5. Verify that the BIG-IP device certificate has not expired.
   Estimated Time: 2 Minutes. Status: Ok / Not.
6. For high availability (HA) BIG-IP systems, verify that all systems in the device group are in sync (ConfigSync notes below).
   Estimated Time: 5 Minutes. Status: Ok / Not.
7. Note your local admin and root user passwords in case you need them for troubleshooting.
   Estimated Time: 1 Minute. Status: Ok / Not.
8. Generate a qkview diagnostics file and upload it to BIG-IP iHealth to look for any triggered upgrade-related heuristics in the Diagnostics and Upgrade Advisor tabs.
   Estimated Time: 60 Minutes. Status: Ok / Not.
9. Create a user configuration set (UCS) archive to back up your BIG-IP system configuration (procedures below).
   Estimated Time: 30 Minutes. Status: Ok / Not.
10. Beginning in 11.6.3, 12.1.3, and 13.1.0, BIG-IP software no longer uses cumulative hotfixes. Product defects and security fixes are now included in a full release referred to as a point release. Point releases are identified by a fourth version element. If you intend to install these BIG-IP versions or later versions, download the point release that you plan to install from the F5 Downloads site. If you intend to install versions that support hotfixes, download the base BIG-IP version that you plan to install from the F5 Downloads site, including the latest hotfix, if available.
    Estimated Time: 10 Minutes. Status: Ok / Not.
11. Verify the integrity of the downloaded software images using the MD5 checksum utility.
    Estimated Time: (not specified). Status: Ok / Not.

Verifying the service check date of your license

Impact of procedure: Performing the following procedure should not have a negative impact on your system.
1. Log in to the command line.
2. To change to the /config directory, type the following command: cd /config
3. To parse the bigip.license file for the Service check date, type the following command: grep "Service check date" bigip.license
Note: The date format is year-month-day.

Reactivating the system license

Impact of procedure: The license reactivation process may reload the configuration and temporarily interrupt traffic processing.
1. Log in to the Configuration utility.
2. Navigate to System > License > Reactivate.
3. Select either Automatic or Manual as the activation method.
Note: If your system does not have Internet access to the F5 license server, you must select Manual.
4. Click Next and follow the on-screen instructions. For more information about automatic or manual license activation

BIG-IP 11.2.1 and later

In BIG-IP 11.2.1 and later, you can perform the following ConfigSync actions using the Configuration utility:
- Perform a ConfigSync operation for the entire group from any device group member.
- Determine whether a ConfigSync is required, and view the recommended sync action.
- Synchronize the configuration from a selected device to the other device group members by using Sync Device to Group.
- Synchronize the most recent configuration from one or more of the device group members to the selected device group member by using Sync Group to Device.
- Force a synchronization from a device with an older configuration to a device, or devices, with a newer configuration. In BIG-IP 13.x and later, you are prompted to Sync and Overwrite the configuration when synchronizing an older configuration to the device group. In BIG-IP 11.2.1 through BIG-IP 12.x, you use Overwrite Configuration when performing the ConfigSync.

Backing up your BIG-IP system configuration

Backing up configuration data by using the Configuration utility
Impact of procedure: Performing the following procedure should not have a negative impact on your system.
1. Log in to the Configuration utility.
2. Navigate to System > Archives.
3. To initiate the process of creating a new UCS archive, click Create.
4. In the File Name box, type a name for the file.
5. Optional: If you want to encrypt the UCS archive file, for Encryption, click Enabled and enter a passphrase. You must supply the passphrase to restore the encrypted UCS archive file.
6. Optional: If you want to exclude SSL private keys from the UCS archive, from the Private Keys menu, select Exclude.
7. To create the UCS archive file, click Finished.
8. When the system completes the backup process, examine the status page for any reported errors before proceeding to the next step.
9. To return to the Archive List page, click OK.
10. Copy the .ucs file to another system.

Backing up configuration data using tmsh
Impact of procedure: Performing the following procedure should not have a negative impact on your system.
1. Log in to tmsh by typing the following command: tmsh
2. Create the UCS archive file by using the following command syntax, replacing <path/to/UCS> with the full path to the UCS archive file: save /sys ucs <path/to/UCS>
   For example: save /sys ucs /var/tmp/MyUCS.ucs
3. Optional: You can encrypt the UCS archive with a passphrase by using the following command syntax, replacing <path/to/UCS> with the full path to the UCS archive file and replacing <password> with the passphrase you want to use to encrypt the UCS archive: save /sys ucs <path/to/UCS> passphrase <password>
   For example: save /sys ucs /var/tmp/MyUCS.ucs passphrase password
4. Optional: You can exclude SSL private keys from the UCS archive by using the following command syntax, replacing <path/to/UCS> with the full path to the UCS archive file: save /sys ucs <path/to/UCS> no-private-key
   For example: save /sys ucs /var/tmp/MyUCS.ucs no-private-key
5. Copy the .ucs file to another system.

Restoring your BIG-IP system configuration
Impact of procedure: The BIG-IP system replaces any existing configuration with the UCS archive file configuration.
To restore a configuration in a UCS archive using the Configuration utility, review the considerations described in the Considerations for restoring configuration data section of this article before performing the following procedure:
1. Log in to the Configuration utility.
2. Navigate to System > Archives.
3. Click the UCS archive you want to restore.
4. If the UCS archive is encrypted, type the passphrase for the encrypted UCS archive file for Restore Passphrase. If the UCS archive is not encrypted, you can skip this step.
5. To initiate the UCS archive restore process, click Restore.
6. When the system completes the restore process, examine the status page for any reported errors before proceeding to the next step.
7. To return to the Archive List page, click OK.
8. If you restored the UCS archive on a different device and received the errors noted in the Considerations for restoring configuration data section of this article, you must reactivate the BIG-IP system license.
9. After relicensing the system, restart the system to ensure that the configuration is fully loaded. To restart the system, navigate to System > Configuration, and then click Reboot.

Restoring configuration data from the command line using tmsh
Impact of procedure: The BIG-IP system replaces any existing configuration with the UCS archive file configuration.
1. Log in to tmsh by typing the following command: tmsh
2. Restore the UCS archive file by using the following command syntax, replacing <path/to/UCS> with the full path of the UCS archive file you want to restore: load /sys ucs <path/to/UCS>
   If you don't specify the path, the BIG-IP system behaves as if the UCS archive file is located in the default /var/local/ucs directory.
3. If you encrypted the UCS archive file with a passphrase during the backup, the system prompts you to enter the passphrase for the archive file.
4. If you installed the UCS archive on the same device on which you created the backup, the system loads the restored configuration. If you restored the backup on a different device and encounter errors, review the Considerations for restoring configuration data section of this article.
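The shell script below is an added example; it is not part of this MOP and not F5 tooling. It automates two of the preparation checks in section 3 so they can be run the same way on all four guests: it extracts the Service check date from a bigip.license file (the grep step above) and compares it with the target version's license check date, and it verifies a downloaded ISO against the .md5 file published next to it. The rule it applies, that the license's service check date must be on or after the target version's license check date or the license must be reactivated first, is F5's documented license-check rule and is assumed here rather than stated in the MOP. TARGET_LICENSE_CHECK_DATE is a placeholder, not the real value for 13.1.1.4; the license lines and the stand-in image file are constructed so the script runs offline.

```shell
#!/bin/sh
# Added example: offline pre-upgrade checks modelled on section 3 of this MOP.
# Nothing here talks to a BIG-IP; it parses the text that the grep step and the
# .md5 file would give you. All sample inputs are constructed.

# Placeholder only: look up the real license check date of 13.1.1.4 in F5's
# license check date article and put it here in YYYYMMDD form.
TARGET_LICENSE_CHECK_DATE="20180101"

# $1 = path to bigip.license. Prints the Service check date as YYYYMMDD
# (the license file writes it as "Service check date : 20180415"), or nothing.
service_check_date() {
    grep "Service check date" "$1" 2>/dev/null |
        sed -n 's/.*:[[:space:]]*\([0-9]\{8\}\).*/\1/p' | head -n 1
}

# Returns 0 (true) when the license must be reactivated before the upgrade:
# the service check date is missing or earlier than the target's check date.
license_needs_reactivation() {
    scd=$(service_check_date "$1")
    if [ -z "$scd" ]; then
        return 0
    fi
    [ "$scd" -lt "$TARGET_LICENSE_CHECK_DATE" ]
}

# MD5 of a file; md5sum is what the BIG-IP shell offers, openssl is a fallback
# for a workstation without coreutils.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        openssl dgst -md5 "$1" | sed 's/.* //'
    fi
}

# $1 = image file, $2 = its .md5 file ("<hash>  <filename>", the layout used
# on the F5 Downloads site). Returns 0 when the hashes match.
image_md5_ok() {
    expected=$(cut -d' ' -f1 "$2")
    actual=$(md5_of "$1")
    [ -n "$expected" ] && [ "$actual" = "$expected" ]
}

# Demo on constructed files; a real run would point at /config/bigip.license
# and at the ISO copied to /shared/images.
precheck_demo() {
    dir=$(mktemp -d)
    printf 'Service check date : 20171201\n' > "$dir/bigip.license"
    if license_needs_reactivation "$dir/bigip.license"; then
        echo "license: reactivate before upgrading"
    else
        echo "license: service check date is sufficient"
    fi
    printf 'constructed stand-in for an ISO image\n' > "$dir/BIGIP-test.iso"
    printf '%s  BIGIP-test.iso\n' "$(md5_of "$dir/BIGIP-test.iso")" \
        > "$dir/BIGIP-test.iso.md5"
    if image_md5_ok "$dir/BIGIP-test.iso" "$dir/BIGIP-test.iso.md5"; then
        echo "image: MD5 matches"
    else
        echo "image: MD5 MISMATCH, do not install"
    fi
    rm -rf "$dir"
}

precheck_demo
```

A failed MD5 check means the image was corrupted or altered in transit and must be downloaded again, not installed; a license that needs reactivation is handled with the Reactivating the system license procedure above before the ISO is imported.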
4. Importing the BIG-IP configuration

1. Controlling configuration import when performing software installations (11.x - 13.x) (procedures below).
   Estimated Time: 10 Minutes. Status: Ok / Not.
2. When you boot the system to the BIG-IP 11.x volume, the system converts the configuration that you imported to the /config/bigpipe directory to the BIG-IP 11.x format and copies the configuration to the /config directory. To complete various system tasks and import the running configuration for the first time, the first boot of the new BIG-IP software volume takes extra time compared to subsequent system reboots. You can monitor installation progress using the serial console port, AOM (Always On Management) or the vconsole command when monitoring Virtual Clustered Multiprocessing (vCMP) guest upgrades.
   Estimated Time: 5 Minutes. Status: Ok / Not.
3. If the system completes the software installation and you can boot the new volume but the BIG-IP configuration fails to migrate, you may see a message similar to the following example displayed in the Configuration utility:
   The configuration has not yet loaded. If this message persists, it may indicate a configuration problem.
   To determine the cause of the configuration loading failure, type the tmsh load /sys config verify command from the command line and correct any reported validation errors. Once you have corrected the validation errors, type the tmsh load /sys config command.
   Estimated Time: 30 Minutes. Status: Ok / Not.

Specifying the configuration import to use the configuration from the target boot location

To import the configuration from the target installation location (if it exists) during an installation, perform the following procedure prior to performing the software installation:
Impact of procedure: Performing the following procedure should not have a negative impact on your system.
1. Log in to tmsh by typing the following command: tmsh
2. To specify the configuration import to use the configuration from the target installation location during an installation, type the following commands:
   modify /sys db liveinstall.moveconfig value disable
   modify /sys db liveinstall.saveconfig value enable
3. Save the change by typing the following command: save /sys config
4. Proceed with performing the software installation using the Configuration utility.

Specifying no configuration import

To specify that no configuration should be imported to the target installation location during an installation, perform the following procedure before you perform the software installation:
Impact of procedure: Performing the following procedure should not have a negative impact on your system.
1. Log in to tmsh by typing the following command: tmsh
2. To specify no configuration import to the target installation location during an installation, type the following two commands:
   modify /sys db liveinstall.moveconfig value disable
   modify /sys db liveinstall.saveconfig value disable
3. Save the change by typing the following command: save /sys config
4. Proceed with performing the software installation using the Configuration utility.

Specifying the configuration import to use the configuration from the currently active boot location

By default, the BIG-IP system imports the configuration of the currently active boot location to the target installation location during a software installation. If the database keys have been changed from their default values and you want to import the configuration of the currently active boot location to the target installation location, perform the following procedure before you perform the software installation:
Impact of procedure: Performing the following procedure should not have a negative impact on your system.
1. Log in to tmsh by typing the following command: tmsh
2. To specify the configuration import to use the configuration from the currently active boot location during an installation, type the following two commands:
   modify /sys db liveinstall.moveconfig value enable
   modify /sys db liveinstall.saveconfig value enable
3. Save the change by typing the following command: save /sys config
4. Proceed with performing the software installation using the Configuration utility.

Installing the configuration from a boot location other than the boot location being activated

Impact of procedure: When the new boot location is confirmed, the BIG-IP system immediately reboots into the new partition.
1. Log in to the Configuration utility as an administrative user.
2. Navigate to System > Software Management > Boot Locations.
3. Click the boot location you want to activate.
4. From the Install Configuration list, click Yes.
5. From the Source Volume list, click the boot location of the desired configuration.
   Note: Only boot locations with a version equal to or greater than 11.4.0 are available.
6. Click Activate.
7. To confirm that you want to boot in another volume, click OK.
5. Upgrading software on a vCMP system

When you upgrade software on vCMP systems, keep the following information in mind:
- When you upgrade a vCMP host, the guests go offline. Upgrading the vCMP host does not upgrade individual guests.
- To avoid excessive disk and CPU usage, upgrade only one vCMP guest at a time.
- Each guest inherits the license of the vCMP host, and the host license includes all BIG-IP modules available for use with vCMP guest instances. If you need to reactivate the license, you reactivate it at the vCMP host only.
- While not required, F5 recommends that you configure your vCMP host to run the same BIG-IP version as the latest version used by any of its vCMP guests.
- F5 hardware platforms with multiple blades manage and share software image ISO files between blades automatically. Starting in 11.6.0, BIG-IP software images that are stored and managed on the vCMP host are also available for vCMP guests to install.
- Hosts and guests use unique UCS configuration files. For example, virtual servers configured within a BIG-IP guest are not contained in the UCS file created on the vCMP host.

1. Performing a software upgrade on a BIG-IP system (procedure below).
   Estimated Time: 30 Minutes. Status: Ok / Not.
2. Rebooting to the newly upgraded software volume (procedure below).
   Estimated Time: 30 Minutes. Status: Ok / Not.
3. Checking and testing your upgrade (procedure below).
   Estimated Time: 15 Minutes. Status: Ok / Not.
4. Backing out your software upgrade, if the upgrade fails (procedure below).
   Estimated Time: 30 Minutes. Status: Ok / Not.

Performing a software upgrade on a BIG-IP system

Impact of procedure: You can upgrade the active BIG-IP system in an HA configuration before you reboot into the new software volume. However, if the BIG-IP system serves high volume traffic, you can perform the upgrade during a maintenance window to lessen the impact on a busy system. Optionally, you can perform the upgrade on the standby systems in an HA configuration before the maintenance window to shorten the required duration of the maintenance window.
Note: Ensure that your system is already booted into the software volume that contains the configuration you are planning to upgrade. If the system is not already booted into that volume, reboot your system to that software volume before you begin the following procedure.
1. Log in to the Configuration utility with administrative privileges.
2. To upload the necessary ISO files, navigate to System > Software Management.
3. Click Import.
4. Click Browse to select the file to upload from your local computer.
5. Click Import.
Notes:
- Alternatively, you can use the Secure Copy (SCP) protocol from a remote device to transfer images to the /shared/images/ directory on the BIG-IP. For more information, refer to K175: Transferring files to or from an F5 system.
- Images automatically appear in the Configuration utility when the system completes the upload and verifies the internal checksum.
6. If you are installing a point release, navigate to System > Software Management > Image list. If you are installing a hotfix, navigate to System > Software Management > Hotfix list.
Note: The BIG-IP system automatically installs the base image before installing the hotfix to the new software volume.
7. Select the box next to the point release image or the hotfix image you want to install.
8. Click Install.
9. Select an available disk from the Select Disk menu.
10. Select an empty volume set from the Volume Set Name menu, or type a new volume set name.
Note: You can use any combination of lowercase alphanumeric characters (a-z, 0-9) and the hyphen character. The volume set name can be from 1 to 32 characters in length but cannot be only one 0 (zero) character (for example HD1.0 or MD1.0). For instance, if the HD1 disk is active and you type Development into Volume set name, the system creates a volume set named HD1.Development and installs the specified software to the new volume set.
11. Click Install.
Note: If the string you type does not match an existing volume set, the system creates the volume set and installs the software. To see the installation progress, view the Install Status column of the Installed Images section of the page.

Rebooting to the newly upgraded software volume

Impact of procedure: If this is a standalone system, F5 recommends that you perform this procedure during a maintenance window.
Note: The first reboot into the new volume can take up to 30 or more minutes depending on the size of the configuration. If the installation fails, the tmsh load /sys config command may show an error, which will aid troubleshooting.
1. Log in to the Configuration utility with administrative privileges.
2. Navigate to System > Software Management > Boot Locations.
3. Click the boot location containing the newly upgraded software volume.
4. To restart the system to the specified boot location, click Activate.
Note: If there have been no changes since you performed the upgrade, you do not need to set the Install Configuration option to Yes when activating the new volume.
5. To close the confirmation message, click OK.

Checking and testing your upgrade

Verifying the configuration
Impact of procedure: Since this procedure interrupts traffic during failover, F5 recommends that you perform the procedure during a maintenance window.
1. To verify that the expected objects appear in the shared and non-shared portions of the configuration, navigate to Local Traffic > Pools.
2. Confirm that the expected objects are present.
3. Navigate to Network > VLANs.
4. Confirm that the expected objects are present.
5. To verify that the pool health status matches other BIG-IP systems in an HA configuration, navigate to Local Traffic > Pools.
6. Optionally, you can generate a qkview and review it in the iHealth Diagnostics section for currently known issues.
7. Force the active BIG-IP system into standby mode to move the upgraded system to the active role.
Note: This step interrupts traffic while the system fails over. If you encounter any problems with the newly upgraded system, you must perform another failover to the previously active system.
8. Test the client traffic to the upgraded BIG-IP system to confirm that the system is processing traffic as expected.
9. Once you confirm the health of the upgraded unit, repeat all of the previously listed upgrade steps on the peer BIG-IP system, which is now in the standby state and running the lower BIG-IP version.
10. Once you have completed all upgrades, create a new set of UCS files to retain backups of the new BIG-IP version's configuration.

Backing out your software upgrade

If a BIG-IP system fails to upgrade and you cannot perform further troubleshooting due to time constraints, complete the following steps before reverting to the previous BIG-IP version.
Note: If you do not perform troubleshooting before reverting changes, it may be difficult to determine a root cause for failure. If possible, contact F5 Technical Support while the issue is occurring so you can perform relevant data gathering, such as creating a fresh qkview file.

Gathering troubleshooting information
1. To determine what may be causing the configuration load error, run the tmsh load /sys config command.
2. Create a qkview file.

Using the Configuration utility to reboot
1. Log in to the Configuration utility with administrative privileges.
2. Navigate to System > Software Management > Boot Locations.
3. Click the Boot Location for the previous software version.
4. Click Activate.
5. To close the confirmation message, click OK.

Rebooting from the command line
1. Log in to the command line.
2. To reboot to the previous software version, use the following command syntax: tmsh reboot volume <volume>
   For example, to reboot to volume HD1.1, type the following command: tmsh reboot volume HD1.1
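The script below is an added example, not part of the MOP and not F5 code. It serves the show /sys software status check in section 3 (confirm the running version), the reboot step in this section (confirm the system came up on the upgraded volume), the back-out step (which volume to name in tmsh reboot volume), and the Verifying the configuration steps (expected pools and VLANs still present). It parses text shaped like the output of tmsh show /sys software status and tmsh list ltm pool; every sample is constructed, and the column layout of the status output, including the optional Slot column seen on chassis platforms, is an assumption about tmsh formatting, which is why the parser locates columns by header name rather than by fixed position. It goes a little beyond the MOP by diffing a pre-upgrade object inventory against the post-upgrade one instead of eyeballing the Configuration utility.

```shell
#!/bin/sh
# Added example (not from the MOP or F5): parse tmsh output to confirm which
# volume and version are active, find the back-out volume, and diff the object
# inventory before and after the upgrade. All inputs below are constructed.

# Constructed text in the shape of "tmsh show /sys software status",
# as on one of the 5250v guests before the upgrade.
STATUS_BEFORE='
----------------------------------------------------
Sys::Software Status
Volume  Product  Version   Build    Active  Status
----------------------------------------------------
HD1.1   BIG-IP   11.6.1    0.0.317  yes     complete
HD1.2   BIG-IP   13.1.1.4  0.0.4    no      complete
'

# Same system after Activate on HD1.2; a Slot column is included here to show
# that header-driven parsing copes with chassis-style output as well.
STATUS_AFTER='
----------------------------------------------------
Sys::Software Status
Volume  Slot  Product  Version   Build    Active  Status
----------------------------------------------------
HD1.1   1     BIG-IP   11.6.1    0.0.317  no      complete
HD1.2   1     BIG-IP   13.1.1.4  0.0.4    yes     complete
'

# $1 = status text. Prints "<volume> <version>" of the row whose Active column
# is "yes". Column positions come from the header line, so an extra column
# does not shift the fields.
active_volume() {
    printf '%s\n' "$1" | awk '
        $1 == "Volume" { for (i = 1; i <= NF; i++) col[$i] = i; next }
        ("Active" in col) && $1 ~ /^(HD|MD)[0-9]+\.[0-9]+$/ && $(col["Active"]) == "yes" {
            print $1, $(col["Version"])
        }'
}

active_version() { active_volume "$1" | cut -d' ' -f2; }

# $1 = status text, $2 = version. Prints the volume holding that version with a
# completed install: the argument for "tmsh reboot volume <volume>" when
# backing out to the previous release.
volume_for_version() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 == "Volume" { for (i = 1; i <= NF; i++) col[$i] = i; next }
        ("Version" in col) && $1 ~ /^(HD|MD)[0-9]+\.[0-9]+$/ &&
            $(col["Version"]) == want && $(col["Status"]) == "complete" { print $1 }'
}

# Constructed text in the shape of "tmsh list ltm pool" (the Local Traffic >
# Pools check). pool_api is missing after the upgrade on purpose.
POOLS_BEFORE='
ltm pool pool_api {
    members {
        10.0.0.10:443 {
            address 10.0.0.10
        }
    }
}
ltm pool pool_web {
    monitor http
}
'
POOLS_AFTER='
ltm pool pool_web {
    monitor http
}
'

# $1 = listing text from "tmsh list ltm pool" or "tmsh list net vlan". Prints
# the top-level object names, sorted; nested blocks such as "members {" are
# indented and therefore skipped.
object_names() {
    printf '%s\n' "$1" | awk '/^(ltm|net) [a-z-]+ [^ ]+ [{]$/ { print $3 }' | sort
}

# $1 = pre-upgrade listing, $2 = post-upgrade listing. Prints names that were
# present before the upgrade and are gone afterwards (empty output = no loss).
missing_objects() {
    before=$(mktemp); after=$(mktemp)
    object_names "$1" > "$before"
    object_names "$2" > "$after"
    comm -23 "$before" "$after"
    rm -f "$before" "$after"
}

postcheck_demo() {
    echo "active before: $(active_volume "$STATUS_BEFORE")"
    echo "active after:  $(active_volume "$STATUS_AFTER")"
    echo "back-out volume for 11.6.1: $(volume_for_version "$STATUS_AFTER" 11.6.1)"
    lost=$(missing_objects "$POOLS_BEFORE" "$POOLS_AFTER")
    if [ -n "$lost" ]; then
        echo "pools missing after upgrade: $lost"
    else
        echo "all pools present"
    fi
}

postcheck_demo
```

In practice the listings are captured on the guest before the upgrade (tmsh list ltm pool > /var/tmp/pools-before.txt, and the same for net vlan) and again after the first boot into the new volume; a non-empty missing_objects result is the signal to run tmsh load /sys config verify and, if the objects cannot be recovered, to back out with tmsh reboot volume to the volume that volume_for_version reports for 11.6.1.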