Upgrade a single Splunk SOAR (On-premises) instance on a system with limited internet access

It is now possible to upgrade directly to later releases of Splunk SOAR (On-premises).

Privileged deployments upgrade directly to Splunk SOAR (On-premises) release 5.3.6, convert to unprivileged, then immediately upgrade to Splunk SOAR (On-premises) release 6.1.1.

Unprivileged deployments upgrade directly to Splunk SOAR (On-premises) release 6.1.1

See Splunk SOAR (On-premises) upgrade overview and prerequisites for more information.

Some deployments of Splunk SOAR (On-premises) have deliberately limited access to the internet, making it difficult to upgrade using RPM packages. TAR file distributions of Splunk SOAR (On-premises) are available to upgrade these offline deployments.

To upgrade an offline Splunk SOAR (On-premises) deployment:

1. Get the upgrade TAR file. See Splunk SOAR (On-premises) repositories and signing keys packages.
2. Update the operating system and dependencies. See Prepare your Splunk SOAR (On-premises) deployment for upgrade.
3. Upgrade Splunk SOAR (On-premises) from the tar file.

Upgrade Splunk SOAR (On-premises) from the tar file

1. Make sure you have read and done the steps from Splunk SOAR (On-premises) upgrade overview and prerequisites.
2. Log in to the Splunk SOAR (On-premises) instance's operating system as either the root user or a user with sudo privileges.
3. Make a directory for the tar file.

   mkdir /usr/local/src/upgrade-<version>
4. Change to the directory you just created.

   cd /usr/local/src/upgrade-<version>
5. Download or copy the tar file to the directory.
6. Extract the TAR file.

   tar -xvzf phantom_offline_setup_<OS>-<version>.tgz
7. Change to the directory phantom_offline_setup, which was created by extracting the TAR file:

   cd phantom_offline_setup_<OS>-<version>
8. Run the installation script with the nohup command. Using nohup helps you avoid issues in case the SSH session times out, such as upgrade failure or system wipe and rebuild.

   nohup phantom_offline_setup_<OS>.sh upgrade --no-prompt --without-apps > soar_upgrade_1.out 2> soar_upgrade_2.out 3> soar_upgrade_3.out &

   To upgrade all the installed apps during the platform upgrade:

   nohup phantom_offline_setup_<OS>.sh --no-prompt upgrade> soar_upgrade_1.out 2> soar_upgrade_2.out 3> soar_upgrade_3.out &

   Output from the command is redirected to the files soar_upgrade_1.out, soar_upgrade_2.out, and soar_upgrade_3.out.

   Because upgraded apps may require changes to their asset configuration, apps should be individually evaluated and upgraded using Main Menu > Apps, then clicking the APP UPDATES button.

9. If the upgrade script produced the following message:

   To improve database performance, after completing the upgrade, run: su - postgres -c '/usr/pgsql-11/bin/vacuumdb -h /tmp --all --analyze-in-stages'

   Then run the command:

   su - postgres -c '/usr/pgsql-11/bin/vacuumdb -h /tmp --all --analyze-in-stages'

10. Validate the upgrade by logging in to the Splunk SOAR (On-premises) web interface.
11. Once your deployment has been upgraded, reindex playbook data. From Main Menu > Administration > Administration Settings > Search Settings, select "playbooks from the drop-down menu, then click the Reindex Search Data button.