Splunk® Phantom (Legacy)

Install and Upgrade Splunk Phantom

This documentation does not apply to the most recent version of Splunk® Phantom (Legacy). For documentation on the most recent version, go to the latest release.

Upgrade GlusterFS for Splunk Phantom deployments with GlusterFS fileshares

Splunk Phantom version 4.9 updates GlusterFS from version 4.1.6 to version 7.5. Upgrading GlusterFS properly requires cluster downtime.

This topic applies to:

  • Splunk Phantom instances with an external fileshare using GlusterFS.
  • Splunk Phantom clusters with a GlusterFS-based fileshare node.
  • Splunk Phantom clusters using a Shared Services server.

Prerequisites

Prior to upgrading GlusterFS to version 7.5, do the following actions:

  • Create a full backup of your GlusterFS filestore. Store this backup in a safe place.
  • Make a full backup of your Splunk Phantom deployment before upgrading. Alternatively, for single instance deployments running as a virtual machine, create a snapshot of the virtual machine. Save this backup in a safe place.
  • If your deployment is running a warm standby, disable warm standby. See Disable Warm Standby.
  • If you are using automation to run the ibackup.pyc tool, cancel backups that could run during your upgrade window. For example, if you have configured a cron job to run ibackup.pyc, disable that cron job.
  • Complete all tasks in Splunk Phantom upgrade overview and prerequisites, including installing the Splunk Phantom repositories and signing keys packages.

Scripted GlusterFS upgrade procedure

Splunk Phantom 4.9 includes scripts for upgrading GlusterFS. These scripts are installed when you install the repositories and signing keys, or unpack the installation TAR file. If you get a "No such file or directory" error for one of the scripts during the upgrade procedure, you need to install the Splunk Phantom repositories and signing keys packages.
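A pre-flight check for two of the conditions above, added here as an example and not part of the Splunk documentation or tooling: it reports upgrade scripts missing from <PHANTOM_HOME>/bin and active crontab lines that still invoke ibackup.pyc. The function names, the saved-crontab file argument, and the sample crontab entries are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not a Splunk-supplied script. Function names are hypothetical.

# Print each GlusterFS upgrade script absent from <PHANTOM_HOME>/bin ($1).
# Exit status is the number of missing scripts (0 = all present).
missing_upgrade_scripts() {
    missing=0
    for script in upgrade_gluster_node.sh extgfs_upgrade_gluster_server.sh; do
        if [ ! -f "$1/bin/$script" ]; then
            echo "missing: $1/bin/$script"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Print active (not commented out) crontab lines that invoke ibackup.pyc.
# $1 is a file holding crontab text, e.g. saved with: crontab -l > file
active_ibackup_jobs() {
    grep -v '^[[:space:]]*#' "$1" | grep 'ibackup\.pyc'
}

# Return 0 only when both checks pass. $1 = PHANTOM_HOME, $2 = crontab file.
preflight() {
    rc=0
    if ! missing_upgrade_scripts "$1"; then
        echo "install the repositories and signing keys packages first"
        rc=1
    fi
    if active_ibackup_jobs "$2"; then
        echo "disable the ibackup.pyc cron jobs listed above"
        rc=1
    fi
    return "$rc"
}

# Constructed sample: a fake PHANTOM_HOME and crontab under directory $1.
# The ibackup.pyc path and the schedules are placeholders.
build_sample_env() {
    mkdir -p "$1/phantom/bin"
    for script in upgrade_gluster_node.sh extgfs_upgrade_gluster_server.sh; do
        : > "$1/phantom/bin/$script"
    done
    printf '%s\n' '# 0 1 * * * /path/to/ibackup.pyc' \
                  '0 2 * * * /path/to/ibackup.pyc' \
                  '15 * * * * /usr/bin/true' > "$1/crontab.txt"
}
```

Run preflight on the Splunk Phantom instance or on each cluster node before stopping services, passing the installation directory and a file saved from the crontab of the account that runs backups.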

  1. Log in to the Splunk Phantom instance's operating system:
    1. For privileged deployments, log in as the root user or a user with sudo privileges.
    2. For unprivileged deployments, log in as the user account that runs Splunk Phantom.
  2. On the Splunk Phantom instance, or on each cluster node, stop all Splunk Phantom services. If you have previously stopped all Splunk Phantom services because you upgraded PostgreSQL, and you have not restarted them, you can skip this step.
    For example, as the root user:
    /<PHANTOM_HOME>/bin/stop_phantom.sh

    For clustered deployments, wait for each node to stop Splunk Phantom services before stopping services on the next node.

  3. On the Splunk Phantom instance, or on each cluster node, stop GlusterFS services. For example, as the root user:
    /<PHANTOM_HOME>/bin/upgrade_gluster_node.sh stop
  4. Using SCP, copy the file /<PHANTOM_HOME>/bin/extgfs_upgrade_gluster_server.sh from a Splunk Phantom instance or cluster node to your GlusterFS server.
  5. On your GlusterFS server or cluster, run the GlusterFS upgrade script. The script has no arguments or switches. For example, as the root user:
    ./extgfs_upgrade_gluster_server.sh
  6. On the Splunk Phantom instance, or on each cluster node, upgrade GlusterFS. For example, as the root user:
    /<PHANTOM_HOME>/bin/upgrade_gluster_node.sh upgrade
  7. On the Splunk Phantom instance, or on each cluster node, start GlusterFS. For example, as the root user:
    /<PHANTOM_HOME>/bin/upgrade_gluster_node.sh start

    For clustered deployments, wait for each node to completely start Splunk Phantom services before running upgrade_gluster_node.sh on the next node.

Once the GlusterFS upgrade is successfully completed, you may proceed with upgrading either PostgreSQL if you have not already completed that task, or with upgrading your Splunk Phantom instance or cluster nodes.

Manual upgrade procedure

In the event you are unable to use the scripted procedure, you can update GlusterFS on the server manually.

  1. On your Splunk Phantom instance or each node of your Splunk Phantom cluster, stop Splunk Phantom.
    1. Log in to the Splunk Phantom instance's operating system as either the root user or a user with sudo privileges. If you're operating an unprivileged Splunk Phantom deployment, you will need to log in as the user that runs Splunk Phantom.
    2. Stop all Splunk Phantom services. Do this on each Splunk Phantom cluster node. If you have previously stopped all Splunk Phantom services because you upgraded PostgreSQL, and you have not restarted them, you can skip this step.
      For example, as the root user:
      /opt/phantom/bin/stop_phantom.sh
      Or for an unprivileged instance, as the user account that runs Splunk Phantom:
      /<PHANTOM_HOME>/bin/stop_phantom.sh

      For clustered deployments, wait for each node to stop Splunk Phantom services before stopping services on the next node.

  2. Log in to the GlusterFS server or cluster and perform the offline upgrade procedure from Upgrade to 7 as described on the Gluster Docs site.
    1. Splunk Phantom does not use either of the features.lock-heal or features.grace-timeout settings for GlusterFS.
    2. Splunk Phantom does not use any of the deprecated xlators.
  3. On the Splunk Phantom instance, or on each cluster node, upgrade GlusterFS. For example, as the root user:
    /<PHANTOM_HOME>/bin/upgrade_gluster_node.sh upgrade
  4. On the Splunk Phantom instance, or on each cluster node, start GlusterFS. For example, as the root user:
    /<PHANTOM_HOME>/bin/upgrade_gluster_node.sh start

    For clustered deployments, wait for each node to completely start Splunk Phantom services before running upgrade_gluster_node.sh on the next node.

Once the GlusterFS upgrade is successfully completed, you may proceed with upgrading either PostgreSQL if you have not already completed that task, or with upgrading your Splunk Phantom instance or cluster nodes.

Last modified on 08 January, 2021

This documentation applies to the following versions of Splunk® Phantom (Legacy): 4.9

