Splunk Phantom version 4.9 updates the version of GlusterFS to version 7.5 from 4.1.6. In order to properly upgrade GlusterFS, cluster downtime is required.
This topic applies to:
- Splunk Phantom instances with an external fileshare using GlusterFS.
- Splunk Phantom clusters with a GlusterFS-based fileshare node.
- Splunk Phantom clusters using a Shared Services server.
Prerequisites
Prior to upgrading GlusterFS to version 7.5, do the following actions:
- Create a full backup of your GlusterFS filestore. Store this backup in a safe place.
- Make a full backup of your Splunk Phantom deployment before upgrading. Alternatively, for single instance deployments running as a virtual machine, create a snapshot of the virtual machine. Save this backup in a safe place.
- If your deployment is running a warm standby, disable warm standby. See Disable Warm Standby.
- If you are using automation to run the ibackup.pyc tool, cancel backups that could run during your upgrade window. For example, if you have configured a cron job to run ibackup.pyc, disable that cron job.
- Complete all tasks in Splunk Phantom upgrade overview and prerequisites, including installing the Splunk Phantom repositories and signing keys packages.
Scripted GlusterFS upgrade procedure
Splunk Phantom 4.9 includes scripts for upgrading GlusterFS which are installed when you install the repositories and signing keys, or unpack the installation TAR file. If during the upgrade procedure you get a "No such file or directory" error for one of the scripts, you need to install the Splunk Phantom repositories and signing keys packages.
- Log in to the Splunk Phantom instance's operating system:
- For privileged deployments, log in as the root user or a user with sudo privileges.
- For unprivileged deployments, log in as the user account that runs Splunk Phantom.
- On the Splunk Phantom instance, or on each cluster node, stop all Splunk Phantom services. If you have previously stopped all Splunk Phantom services because you upgraded PostgreSQL, and you have not restarted them, you can skip this step.
For example, as the root user:
/<PHANTOM_HOME>/bin/stop_phantom.sh
For clustered deployments, wait for each node to stop Splunk Phantom services before stopping services on the next node.
- On the Splunk Phantom instance, or on each cluster node, stop GlusterFS services. For example, as the root user:
/<PHANTOM_HOME>/bin/upgrade_gluster_node.sh stop
- Using SCP, copy the file /<PHANTOM_HOME>/bin/extgfs_upgrade_gluster_server.sh from a Splunk Phantom instance or cluster node to your GlusterFS server.
- On your GlusterFS server or cluster, run the GlusterFS upgrade script. The script has no arguments or switches. For example, as the root user:
./extgfs_upgrade_gluster_server.sh
- On the Splunk Phantom instance, or on each cluster node, upgrade GlusterFS. For example, as the root user:
/<PHANTOM_HOME>/bin/upgrade_gluster_node.sh upgrade
- On the Splunk Phantom instance, or on each cluster node, start GlusterFS. For example, as the root user:
/<PHANTOM_HOME>/bin/upgrade_gluster_node.sh start
For clustered deployments, wait for each node to completely start Splunk Phantom services before running upgrade_gluster_node.sh on the next node.
Once the GlusterFS upgrade is successfully completed, you may proceed with upgrading either PostgreSQL if you have not already completed that task, or with upgrading your Splunk Phantom instance or cluster nodes.
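The prerequisites and the scripted procedure above can be checked mechanically around the maintenance window: that both upgrade scripts are present, that no active cron entry will launch ibackup.pyc, and that the node reports GlusterFS 7 afterward. The following shell script is an added example, not part of the Splunk Phantom scripts. Its function names are hypothetical, and it assumes that backup jobs live in the invoking user's crontab and that the first line of `glusterfs --version` reads `glusterfs <version>`.

```shell
#!/bin/sh
# Added example, not vendor code. Function names are hypothetical.

# Succeeds only if both upgrade scripts exist under <PHANTOM_HOME>/bin ($1).
check_upgrade_scripts() {
    rc=0
    for s in upgrade_gluster_node.sh extgfs_upgrade_gluster_server.sh; do
        if [ ! -f "$1/bin/$s" ]; then
            echo "missing: $1/bin/$s" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Reads crontab text on stdin; fails if an uncommented entry runs ibackup.pyc,
# because such a job could start a backup during the upgrade window.
check_no_ibackup_cron() {
    active=$(grep -v '^[[:space:]]*#' | grep 'ibackup\.pyc' || true)
    if [ -n "$active" ]; then
        printf 'active backup job: %s\n' "$active" >&2
        return 1
    fi
    return 0
}

# Reads `glusterfs --version` output on stdin; succeeds if the major version
# equals $1. Assumes the first line reads "glusterfs <version> ...".
gluster_major_is() {
    ver=$(head -n 1 | awk '$1 == "glusterfs" { print $2 }')
    [ "${ver%%.*}" = "$1" ]
}

# Pre-flight on a Splunk Phantom node, before stopping services.
preflight() {
    check_upgrade_scripts "$1" || return 1
    { crontab -l 2>/dev/null || true; } | check_no_ibackup_cron || return 1
    echo "pre-flight checks passed for $1"
}

# Post-upgrade check, after "upgrade_gluster_node.sh upgrade".
postcheck() {
    glusterfs --version | gluster_major_is 7
}

# Usage: sh gluster_checks.sh pre /opt/phantom   or   sh gluster_checks.sh post
case "${1:-}" in
    pre)  preflight "${2:-/opt/phantom}" ;;
    post) postcheck ;;
esac
```

A missing script reported by the pre-flight check corresponds to the "No such file or directory" case described above, which is resolved by installing the Splunk Phantom repositories and signing keys packages.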
Manual upgrade procedure
In the event you are unable to use the scripted procedure, you can update GlusterFS on the server manually.
- Read the offline upgrade procedure from Upgrade to 7 as described in the Gluster Docs site.
- On your Splunk Phantom instance or each node of your Splunk Phantom cluster, stop Splunk Phantom.
- Log in to the Splunk Phantom instance's operating system as either the root user or a user with sudo privileges. If you're operating an unprivileged Splunk Phantom deployment, you will need to log in as the user that runs Splunk Phantom.
- Stop all Splunk Phantom services. Do this on each Splunk Phantom cluster node. If you have previously stopped all Splunk Phantom services because you upgraded PostgreSQL, and you have not restarted them, you can skip this step.
For example, as the root user:
/opt/phantom/bin/stop_phantom.sh
Or for an unprivileged instance, as the user account that runs Splunk Phantom:
/<PHANTOM_HOME>/bin/stop_phantom.sh
For clustered deployments, wait for each node to stop Splunk Phantom services before stopping services on the next node.
- Log in to the GlusterFS server or cluster and perform the offline upgrade procedure from Upgrade to 7 as described on the Gluster Docs site.
- Splunk Phantom does not use either of the features.lock-heal or features.grace-timeout settings for GlusterFS.
- Splunk Phantom does not use any of the deprecated xlators.
- On the Splunk Phantom instance, or on each cluster node, upgrade GlusterFS. For example, as the root user:
/<PHANTOM_HOME>/bin/upgrade_gluster_node.sh upgrade
- On the Splunk Phantom instance, or on each cluster node, start GlusterFS. For example, as the root user:
/<PHANTOM_HOME>/bin/upgrade_gluster_node.sh start
For clustered deployments, wait for each node to completely start Splunk Phantom services before running upgrade_gluster_node.sh on the next node.
Once the GlusterFS upgrade is successfully completed, you may proceed with upgrading either PostgreSQL if you have not already completed that task, or with upgrading your Splunk Phantom instance or cluster nodes.
This documentation applies to the following versions of Splunk® Phantom (Legacy): 4.9