红帽全球峰会You are viewing documentation for a release that is no longer maintained. To view the documentation for the most recent version, see the latest RHACS docs.
2.2. 升级中央集群
备份 Central 数据库后,下一步是升级中部集群。此步骤包括 upgrade Central、roxctl CLI 和 Scanner。
2.2.1. 升级 Central
您可以通过下载和部署更新的镜像,将 Central 更新到最新版本。
先决条件
- 如果从私有镜像 registry 部署镜像,请先将新镜像推送到私有 registry 中,然后替换本节中的命令中的镜像 registry。
流程
运行以下命令来升级 Central:
oc -n stackrox patch deploy/central -p '{"spec":{"template":{"spec":{"containers":[{"name":"central","env":[{"name":"ROX_NAMESPACE","valueFrom":{"fieldRef":{"fieldPath":"metadata.namespace"}}}]}]}}}}'$ oc -n stackrox patch deploy/central -p '{"spec":{"template":{"spec":{"containers":[{"name":"central","env":[{"name":"ROX_NAMESPACE","valueFrom":{"fieldRef":{"fieldPath":"metadata.namespace"}}}]}]}}}}'1 Copy to Clipboard Copied! Toggle word wrap Toggle overflow - 1
- 如果使用 Kubernetes,请输入
kubectl而不是oc。
oc -n stackrox patch deployment/scanner -p '{"spec":{"template":{"spec":{"containers":[{"name":"scanner","securityContext":{"runAsUser":65534}}]}}}}'$ oc -n stackrox patch deployment/scanner -p '{"spec":{"template":{"spec":{"containers":[{"name":"scanner","securityContext":{"runAsUser":65534}}]}}}}'1 Copy to Clipboard Copied! Toggle word wrap Toggle overflow - 1
- 如果使用 Kubernetes,请输入
kubectl而不是oc。
oc -n stackrox set image deploy/central central=registry.redhat.io/advanced-cluster-security/rhacs-main-rhel8:3.71.3
$ oc -n stackrox set image deploy/central central=registry.redhat.io/advanced-cluster-security/rhacs-main-rhel8:3.71.31 Copy to Clipboard Copied! Toggle word wrap Toggle overflow - 1
- 如果使用 Kubernetes,请输入
kubectl而不是oc。
重要如果您要从 Red Hat Advanced Cluster Security for Kubernetes 3.65.0 升级,必须运行以下命令来创建
stackrox-central-diagnostics角色:oc -n stackrox patch role stackrox-central-diagnostics -p '{"rules":[{"apiGroups":["*"],"resources":["deployments","daemonsets","replicasets","configmaps","services"],"verbs":["get","list"]}]}'$ oc -n stackrox patch role stackrox-central-diagnostics -p '{"rules":[{"apiGroups":["*"],"resources":["deployments","daemonsets","replicasets","configmaps","services"],"verbs":["get","list"]}]}'1 Copy to Clipboard Copied! Toggle word wrap Toggle overflow - 1
- 如果使用 Kubernetes,请输入
kubectl而不是oc。
如果您还没有使用 Helm 或 Operator 安装 Red Hat Advanced Cluster Security for Kubernetes,并希望使用 OpenShift OAuth 服务器启用身份验证,您必须运行以下命令:
oc -n stackrox set env deploy/central ROX_ENABLE_OPENSHIFT_AUTH=true
$ oc -n stackrox set env deploy/central ROX_ENABLE_OPENSHIFT_AUTH=trueCopy to Clipboard Copied! Toggle word wrap Toggle overflow Copy to Clipboard Copied! Toggle word wrap Toggle overflow
验证
检查新 pod 是否已部署:
oc get deploy -n stackrox -o wide
$ oc get deploy -n stackrox -o wide1 Copy to Clipboard Copied! Toggle word wrap Toggle overflow - 1
- 如果使用 Kubernetes,请输入
kubectl而不是oc。
oc get pod -n stackrox --watch
$ oc get pod -n stackrox --watch1 Copy to Clipboard Copied! Toggle word wrap Toggle overflow - 1
- 如果使用 Kubernetes,请输入
kubectl而不是oc。
2.2.2. 升级 roxctl CLI
要将 roxctl CLI 升级到最新版本,您必须卸载 roxctl CLI 的现有版本,然后安装 roxctl CLI 的最新版本。
2.2.2.1. 卸载 roxctl CLI
您可以按照以下流程卸载 Linux 上的 roxctl CLI 二进制文件。
流程
查找并删除
roxctl二进制文件:ROXPATH=$(which roxctl) && rm -f $ROXPATH
$ ROXPATH=$(which roxctl) && rm -f $ROXPATH1 Copy to Clipboard Copied! Toggle word wrap Toggle overflow - 1
- 根据您的环境,您可能需要管理员删除
roxctl二进制文件。
2.2.2.2. 在 Linux 中安装 roxctl CLI
您可以按照以下流程在 Linux 上安装 roxctl CLI 二进制文件。
流程
下载
roxctlCLI 的最新版本:curl -O https://mirror.openshift.com/pub/rhacs/assets/3.71.3/bin/Linux/roxctl
$ curl -O https://mirror.openshift.com/pub/rhacs/assets/3.71.3/bin/Linux/roxctlCopy to Clipboard Copied! Toggle word wrap Toggle overflow 使
roxctl二进制文件可执行:chmod +x roxctl
$ chmod +x roxctlCopy to Clipboard Copied! Toggle word wrap Toggle overflow 将
roxctl二进制文件放到PATH中的目录中:要查看您的
PATH,请执行以下命令:echo $PATH
$ echo $PATHCopy to Clipboard Copied! Toggle word wrap Toggle overflow
验证
验证您已安装的
roxctl版本:roxctl version
$ roxctl versionCopy to Clipboard Copied! Toggle word wrap Toggle overflow
2.2.2.3. 在 macOS 上安装 roxctl CLI
您可以按照以下流程在 macOS 中安装 roxctl CLI 二进制文件。
流程
下载
roxctlCLI 的最新版本:curl -O https://mirror.openshift.com/pub/rhacs/assets/3.71.3/bin/Darwin/roxctl
$ curl -O https://mirror.openshift.com/pub/rhacs/assets/3.71.3/bin/Darwin/roxctlCopy to Clipboard Copied! Toggle word wrap Toggle overflow 从二进制文件中删除所有扩展属性:
xattr -c roxctl
$ xattr -c roxctlCopy to Clipboard Copied! Toggle word wrap Toggle overflow 使
roxctl二进制文件可执行:chmod +x roxctl
$ chmod +x roxctlCopy to Clipboard Copied! Toggle word wrap Toggle overflow 将
roxctl二进制文件放到PATH中的目录中:要查看您的
PATH,请执行以下命令:echo $PATH
$ echo $PATHCopy to Clipboard Copied! Toggle word wrap Toggle overflow
验证
验证您已安装的
roxctl版本:roxctl version
$ roxctl versionCopy to Clipboard Copied! Toggle word wrap Toggle overflow
2.2.2.4. 在 Windows 上安装 roxctl CLI
您可以按照以下流程在 Windows 上安装 roxctl CLI 二进制文件。
流程
下载
roxctlCLI 的最新版本:curl -O https://mirror.openshift.com/pub/rhacs/assets/3.71.3/bin/Windows/roxctl.exe
$ curl -O https://mirror.openshift.com/pub/rhacs/assets/3.71.3/bin/Windows/roxctl.exeCopy to Clipboard Copied! Toggle word wrap Toggle overflow
验证
验证您已安装的
roxctl版本:roxctl version
$ roxctl versionCopy to Clipboard Copied! Toggle word wrap Toggle overflow
升级 roxctl CLI 后,您可以升级 Scanner。
2.2.3. 升级扫描器
您可以使用 roxctl CLI 将 Scanner 更新至最新版本。
先决条件
- 如果从私有镜像 registry 部署镜像,您必须首先将新镜像推送到私有 registry 中,然后编辑以下部分中的命令以使用私有镜像 registry 的名称。
流程
如果已经创建了自定义扫描程序配置,则必须在更新扫描程序配置文件前应用这些更改。
使用以下
roxctl命令生成 Scanner:roxctl -e "$ROX_CENTRAL_ADDRESS" scanner generate
$ roxctl -e "$ROX_CENTRAL_ADDRESS" scanner generateCopy to Clipboard Copied! Toggle word wrap Toggle overflow 应用 TLS secret YAML 文件:
如果使用 OpenShift Container Platform,请输入以下命令:
oc apply -f scanner-bundle/scanner/02-scanner-03-tls-secret.yaml
$ oc apply -f scanner-bundle/scanner/02-scanner-03-tls-secret.yamlCopy to Clipboard Copied! Toggle word wrap Toggle overflow 如果使用 Kubernetes,请输入以下命令:
kubectl apply -f scanner-bundle/scanner/02-scanner-03-tls-secret.yaml
$ kubectl apply -f scanner-bundle/scanner/02-scanner-03-tls-secret.yamlCopy to Clipboard Copied! Toggle word wrap Toggle overflow
应用 Scanner 配置 YAML 文件:
如果使用 OpenShift Container Platform,请输入以下命令:
oc apply -f scanner-bundle/scanner/02-scanner-04-scanner-config.yaml
$ oc apply -f scanner-bundle/scanner/02-scanner-04-scanner-config.yamlCopy to Clipboard Copied! Toggle word wrap Toggle overflow 如果使用 Kubernetes,请输入以下命令:
kubectl apply -f scanner-bundle/scanner/02-scanner-04-scanner-config.yaml
$ kubectl apply -f scanner-bundle/scanner/02-scanner-04-scanner-config.yamlCopy to Clipboard Copied! Toggle word wrap Toggle overflow
更新 Scanner 镜像:
如果使用 OpenShift Container Platform,请输入以下命令:
oc -n stackrox set image deploy/scanner scanner=registry.redhat.io/advanced-cluster-security/rhacs-scanner-rhel8:3.71.3
$ oc -n stackrox set image deploy/scanner scanner=registry.redhat.io/advanced-cluster-security/rhacs-scanner-rhel8:3.71.3Copy to Clipboard Copied! Toggle word wrap Toggle overflow 如果使用 Kubernetes,请输入以下命令:
kubectl -n stackrox set image deploy/scanner scanner=registry.redhat.io/advanced-cluster-security/rhacs-scanner-rhel8:3.71.3
$ kubectl -n stackrox set image deploy/scanner scanner=registry.redhat.io/advanced-cluster-security/rhacs-scanner-rhel8:3.71.3Copy to Clipboard Copied! Toggle word wrap Toggle overflow
更新 Scanner 数据库镜像:
如果使用 OpenShift Container Platform,请输入以下命令:
oc -n stackrox set image deploy/scanner-db db=registry.redhat.io/advanced-cluster-security/rhacs-scanner-db-rhel8:3.71.3 init-db=registry.redhat.io/advanced-cluster-security/rhacs-scanner-db-rhel8:3.71.3
$ oc -n stackrox set image deploy/scanner-db db=registry.redhat.io/advanced-cluster-security/rhacs-scanner-db-rhel8:3.71.3 init-db=registry.redhat.io/advanced-cluster-security/rhacs-scanner-db-rhel8:3.71.3Copy to Clipboard Copied! Toggle word wrap Toggle overflow 如果使用 Kubernetes,请输入以下命令:
kubectl -n stackrox set image deploy/scanner-db db=registry.redhat.io/advanced-cluster-security/rhacs-scanner-db-rhel8:3.71.3 init-db=registry.redhat.io/advanced-cluster-security/rhacs-scanner-db-rhel8:3.71.3
$ kubectl -n stackrox set image deploy/scanner-db db=registry.redhat.io/advanced-cluster-security/rhacs-scanner-db-rhel8:3.71.3 init-db=registry.redhat.io/advanced-cluster-security/rhacs-scanner-db-rhel8:3.71.3Copy to Clipboard Copied! Toggle word wrap Toggle overflow
验证
检查新 pod 是否已成功部署:
如果使用 OpenShift Container Platform,请输入以下命令:
oc get pod -n stackrox --watch
$ oc get pod -n stackrox --watchCopy to Clipboard Copied! Toggle word wrap Toggle overflow 如果使用 Kubernetes,请输入以下命令:
kubectl get pod -n stackrox --watch
$ kubectl get pod -n stackrox --watchCopy to Clipboard Copied! Toggle word wrap Toggle overflow
2.2.3.1. 升级到 RHACS 版本 3.71
如果您使用 roxctl CLI 和 YAML 文件升级到 RHACS 3.71,则需要执行一些额外的步骤。Scanner DB 镜像不再将 scanner-db-password Kubernetes Secret 挂载到 db Scanner DB 容器中。相反,扫描程序-db-password 仅适用于 init 容器 init-db。因此,您必须将 POSTGRES_PASSWORD_FILE 环境变量添加到 init 容器配置中。init 容器还必须挂载 scanner-db-tls-volume 和 scanner-db-password 卷。如果使用 OpenShift Container Platform 或 Kubernetes,以下小节为 RHACS 提供升级步骤。如需有关 init 容器的更多信息,请参阅 Kubernetes 文档。
先决条件
-
此流程假设 Scanner DB 配置中的
db容器位于索引 0中,它是容器列表中的第一个条目;而scanner-db-password卷挂载位于index 2,即第三个条目。
虽然这种情况适用于大多数部署,但在输入这些命令前检查 Scanner DB 的配置。如果您的值不同,则必须通过以下命令调整 …/containers/x/volumeMounts/y 值。
流程
应用补丁:
如果使用 OpenShift Container Platform,请输入以下命令:
oc -n stackrox patch deployment.apps/scanner-db --patch '{"spec":{"template":{"spec":{"initContainers":[{"name":"init-db","env":[{"name":"POSTGRES_PASSWORD_FILE","value":"/run/secrets/stackrox.io/secrets/password"}],"command":["/usr/local/bin/docker-entrypoint.sh","postgres","-c","config_file=/etc/postgresql.conf"],"volumeMounts":[{"name":"db-data","mountPath":"/var/lib/postgresql/data"},{"name":"scanner-db-tls-volume","mountPath":"/run/secrets/stackrox.io/certs","readOnly":true},{"name":"scanner-db-password","mountPath":"/run/secrets/stackrox.io/secrets","readOnly":true}],"securityContext":{"runAsGroup":70,"runAsNonRoot":true,"runAsUser":70}}]}}}}'$ oc -n stackrox patch deployment.apps/scanner-db --patch '{"spec":{"template":{"spec":{"initContainers":[{"name":"init-db","env":[{"name":"POSTGRES_PASSWORD_FILE","value":"/run/secrets/stackrox.io/secrets/password"}],"command":["/usr/local/bin/docker-entrypoint.sh","postgres","-c","config_file=/etc/postgresql.conf"],"volumeMounts":[{"name":"db-data","mountPath":"/var/lib/postgresql/data"},{"name":"scanner-db-tls-volume","mountPath":"/run/secrets/stackrox.io/certs","readOnly":true},{"name":"scanner-db-password","mountPath":"/run/secrets/stackrox.io/secrets","readOnly":true}],"securityContext":{"runAsGroup":70,"runAsNonRoot":true,"runAsUser":70}}]}}}}'Copy to Clipboard Copied! Toggle word wrap Toggle overflow 如果使用 Kubernetes,请输入以下命令:
kubectl -n stackrox patch deployment.apps/scanner-db --patch '{"spec":{"template":{"spec":{"initContainers":[{"name":"init-db","env":[{"name":"POSTGRES_PASSWORD_FILE","value":"/run/secrets/stackrox.io/secrets/password"}],"command":["/usr/local/bin/docker-entrypoint.sh","postgres","-c","config_file=/etc/postgresql.conf"],"volumeMounts":[{"name":"db-data","mountPath":"/var/lib/postgresql/data"},{"name":"scanner-db-tls-volume","mountPath":"/run/secrets/stackrox.io/certs","readOnly":true},{"name":"scanner-db-password","mountPath":"/run/secrets/stackrox.io/secrets","readOnly":true}],"securityContext":{"runAsGroup":70,"runAsNonRoot":true,"runAsUser":70}}]}}}}'$ kubectl -n stackrox patch deployment.apps/scanner-db --patch '{"spec":{"template":{"spec":{"initContainers":[{"name":"init-db","env":[{"name":"POSTGRES_PASSWORD_FILE","value":"/run/secrets/stackrox.io/secrets/password"}],"command":["/usr/local/bin/docker-entrypoint.sh","postgres","-c","config_file=/etc/postgresql.conf"],"volumeMounts":[{"name":"db-data","mountPath":"/var/lib/postgresql/data"},{"name":"scanner-db-tls-volume","mountPath":"/run/secrets/stackrox.io/certs","readOnly":true},{"name":"scanner-db-password","mountPath":"/run/secrets/stackrox.io/secrets","readOnly":true}],"securityContext":{"runAsGroup":70,"runAsNonRoot":true,"runAsUser":70}}]}}}}'Copy to Clipboard Copied! Toggle word wrap Toggle overflow
删除路径:
如果使用 OpenShift Container Platform,请输入以下命令:
oc -n stackrox patch deployment.apps/scanner-db --type json --patch '[{"op":"remove","path":"/spec/template/spec/containers/0/volumeMounts/2"}]'$ oc -n stackrox patch deployment.apps/scanner-db --type json --patch '[{"op":"remove","path":"/spec/template/spec/containers/0/volumeMounts/2"}]'Copy to Clipboard Copied! Toggle word wrap Toggle overflow 如果使用 Kubernetes,请输入以下命令:
kubectl -n stackrox patch deployment.apps/scanner-db --type json --patch '[{"op":"remove","path":"/spec/template/spec/containers/0/volumeMounts/2"}]'$ kubectl -n stackrox patch deployment.apps/scanner-db --type json --patch '[{"op":"remove","path":"/spec/template/spec/containers/0/volumeMounts/2"}]'Copy to Clipboard Copied! Toggle word wrap Toggle overflow
2.2.4. 验证 Central 集群升级
在升级了 Central 和 Scanner 后,验证该中央集群升级已完成。
流程
检查 Central 日志:
如果使用 OpenShift Container Platform,请输入以下命令:
oc logs -n stackrox deploy/central -c central
$ oc logs -n stackrox deploy/central -c centralCopy to Clipboard Copied! Toggle word wrap Toggle overflow 如果使用 Kubernetes,请输入以下命令:
kubectl logs -n stackrox deploy/central -c central
$ kubectl logs -n stackrox deploy/central -c centralCopy to Clipboard Copied! Toggle word wrap Toggle overflow
成功升级的输出示例
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}