1.5.1. Upgrade to Rocky Linux 9

OpenNAC Enterprise 1.2.4 requires upgrading the operating system to Rocky Linux 9. This section describes all the steps needed to carry out the complete process.

Note

The update process may take approximately 1 to 2 hours and will involve a machine restart.

1.5.1.1. Before you begin

Warning

This procedure is certified only for OVA installations. Do not execute it in cloud environments.

1. Ensure that you have an internet connection.

[root@CORE ~]# ping google.com
PING google.com (142.250.200.142) 56(84) bytes of data.
64 bytes from mad41s14-in-f14.1e100.net (142.250.200.142): icmp_seq=1 ttl=117 time=13.10 ms
64 bytes from mad41s14-in-f14.1e100.net (142.250.200.142): icmp_seq=2 ttl=117 time=13.10 ms
64 bytes from mad41s14-in-f14.1e100.net (142.250.200.142): icmp_seq=3 ttl=117 time=13.6 ms

--- google.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 13.550/13.833/13.986/0.200 ms

2. Ensure that you have credentials to access our public repository (https://repo-opennac.opencloudfactory.com/).

3. If the virtual machine (VM) runs on Proxmox, change its CPU type to “host”:

  • Shut down the VM from the Proxmox administration website.

  • In the “Hardware” section, edit “Processors” and select “Type: host”.

  • Start the VM.

4. Create a snapshot as a backup in case of any issues (remember to delete it once the correct operation of the update has been validated). Do it from the virtualization administration website, in the “Snapshots” section.

5. If your server is configured as an ON Core node with MariaDB installed, follow these instructions to ensure a smooth MariaDB upgrade.

Note

If your MariaDB root password has changed, create the password file /root/updateRocky8_mariadb containing the new password:

echo "MariaDBRootPassword" > /root/updateRocky8_mariadb

  • If there is no password file, the default MariaDB root password will be used, but we strongly recommend changing the default password, as it is a fundamental security measure.

  • If the password in the file is not valid, the upgrade process might fail. In this case, a message should be displayed indicating the need for a manual MariaDB upgrade (see step 6 of the script execution section).

6. If internet access requires an HTTP proxy, it must be enabled in the shell that runs the update. Usually the proxy is configured in the /etc/yum.conf file with the proxy property. For example:

# cat /etc/yum.conf
[main]
gpgcheck=1
installonly_limit=3
clean_requirements_on_remove=True
best=True
skip_if_unavailable=False
proxy=http://proxy_user:proxy_password@X.X.X.X/

Where “http://proxy_user:proxy_password@X.X.X.X/” is the HTTP Proxy URL.

In this case, to enable the HTTP proxy for the shell, execute the following commands, replacing the example URL with your specific HTTP proxy URL:

http_proxy="http://proxy_user:proxy_password@X.X.X.X/"
https_proxy="http://proxy_user:proxy_password@X.X.X.X/"
export http_proxy
export https_proxy

Warning

External security software, including HIDS or security agents, may disrupt the execution of the “updateRocky8_step1.sh” script.

Make sure you manually stop all such software that is not part of the OVA before starting the upgrade, to avoid potential issues.
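The checks in steps 1 to 6 can be scripted so that they run once, in the same shell that will later launch the update script. The following POSIX shell script is an added example, not one of the OpenNAC update scripts: it verifies connectivity, the CPU baseline (x86-64-v2 is the Rocky Linux 9 requirement; that the vendor script checks exactly these /proc/cpuinfo flags is an assumption), the MariaDB root password file, and exports the proxy found in /etc/yum.conf. The function names and return codes are the example's own; the file paths are the ones named in this section.

```shell
#!/bin/sh
# preflight_check.sh - pre-upgrade checks for the Rocky 8 -> Rocky 9 migration.
# Added example, not part of the OpenNAC update scripts. The paths it reads
# (/etc/yum.conf, /root/updateRocky8_mariadb) are the ones named in this section.
set -u

# x86-64-v2 is the CPU baseline Rocky Linux 9 requires; that the vendor script
# checks exactly these /proc/cpuinfo flags is an assumption.
REQUIRED_FLAGS="cx16 lahf_lm popcnt pni sse4_1 sse4_2 ssse3"

# cpu_supports_v2 FLAGS - FLAGS is the "flags" field of /proc/cpuinfo.
# Returns 0 when every baseline flag is present, 1 otherwise (missing ones on stderr).
cpu_supports_v2() {
    flags=" $1 "
    missing=""
    for f in $REQUIRED_FLAGS; do
        case "$flags" in
            *" $f "*) ;;
            *) missing="$missing $f" ;;
        esac
    done
    [ -z "$missing" ] && return 0
    echo "missing CPU flags:$missing (a Proxmox guest needs CPU type 'host')" >&2
    return 1
}

# yum_proxy_url FILE - prints the proxy= value of a yum.conf, nothing if unset
yum_proxy_url() {
    sed -n 's/^[[:space:]]*proxy[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# export_proxy_from_yum FILE - exports http_proxy/https_proxy from yum.conf so
# wget and the update script use the same proxy as dnf. Returns 1 if none is set.
export_proxy_from_yum() {
    p=$(yum_proxy_url "$1")
    [ -n "$p" ] || return 1
    http_proxy="$p"
    https_proxy="$p"
    export http_proxy https_proxy
}

# mariadb_pwfile_check FILE - validates the optional MariaDB root password file.
#   0: usable   1: absent (default root password will be used)
#   2: empty or more than one line   3: readable by group/others
mariadb_pwfile_check() {
    [ -e "$1" ] || return 1
    [ -s "$1" ] || return 2
    [ "$(wc -l < "$1" | tr -d ' ')" -le 1 ] || return 2
    # it holds the database root password: nobody but root should be able to read it
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ] || return 3
    return 0
}

# main - runs the checks against the live system (steps 1, 3, 5 and 6 above)
main() {
    printf '[1] internet: '
    ping -c 3 -W 2 google.com >/dev/null 2>&1 && echo ok || echo 'FAIL (no reply)'

    printf '[3] CPU baseline: '
    cpu_supports_v2 "$(grep -m1 '^flags' /proc/cpuinfo | cut -d: -f2-)" && echo ok

    printf '[5] MariaDB password file: '
    rc=0; mariadb_pwfile_check /root/updateRocky8_mariadb || rc=$?
    case $rc in
        0) echo ok ;;
        1) echo 'absent, default root password will be used' ;;
        2) echo 'FAIL: must contain exactly one line' ;;
        3) echo 'FAIL: run chmod 600 /root/updateRocky8_mariadb' ;;
    esac

    printf '[6] HTTP proxy: '
    export_proxy_from_yum /etc/yum.conf && echo "exported $http_proxy" || echo none
}

case "${1:-}" in run) main ;; esac
```

Run it as root with `sh preflight_check.sh run` before downloading updateRocky8_step1.sh. Because a child shell cannot export variables into its parent, source the file instead (`. ./preflight_check.sh; export_proxy_from_yum /etc/yum.conf`) when you want http_proxy and https_proxy to stay set in the interactive shell that will run the update.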

1.5.1.2. Script execution

The script performs several internal processes, including:

  • Preparation of the installation, which involves downloading a second required script.

  • Upgrading Rocky 8 packages to their latest versions.

  • Changing repositories to Rocky 9.

  • Uninstalling obsolete packages.

  • Restarting the machine.

  • Running the previously downloaded second script.

  • Installing PHP 8.1.

  • Upgrading Rocky 9 and OpenNAC packages.

  • Executing a hardening playbook on all nodes in your environment.

  • Finalizing the upgrade process.

  • Verifying the installation packages.

  • Restarting the machine.

Note

Before executing the script, make sure you replace “repo_user” and “repo_password” with the user and password used to access the OpenNAC repository. These should match the user and password configured in the /etc/yum.repos.d/opennac.repo file; otherwise the script execution might return an error.

1. Run the following command to download the update script:

wget --user "repo_user" --ask-password -nv -O updateRocky8_step1.sh https://repo-opennac.opencloudfactory.com/1.2.4/updateRocky8_step1.sh

2. Execute the script:

bash updateRocky8_step1.sh

These are the script options:

  • -b: Ignore backup check option. Normally, the script checks for a backup of the previous day in the “/backup” directory within Cores. If it doesn’t find one, it throws an error and stops execution. Using this parameter allows you to bypass this check and proceed even without a backup. In the output example below, no backup was found:

[root@core122DC01 ~]# wget --user "repo_user" --password "repo_pass" -nv -O updateRocky8_step1.sh https://repo-opennac.opencloudfactory.com/1.2.4/updateRocky8_step1.sh && bash updateRocky8_step1.sh -b
2024-02-27 12:21:26 URL:https://repo-opennac.opencloudfactory.com/1.2.4/updateRocky8_step1.sh [22160/22160] -> "updateRocky8_step1.sh" [1]
Scanning installed RPMs ...
Analyzing CPU type ...
CPU type supported

Checking backup ...
Yesterday backup not found
If you want force an installation, skipping backup check, use '-b' parameter

  • -c: Ignore CPU check option. For Rocky 9 to function correctly, it requires a specific type of CPU. If the detected CPU doesn’t match the expected one, the script generates an error and stops execution. The “-c” parameter allows you to overlook this check, enabling the script to continue regardless of CPU compatibility.

  • -r: Use only the base URL repository, without the mirror list. Enable this option when access to the Rocky repositories is restricted and only the Rocky Linux base URL is reachable instead of the entire mirror list. This is necessary for reconfiguring the new Rocky Linux 9 repositories.

  • -h: Help information. Prints help information, with a list of options.

  • -f: Forces reinstallation. If an error occurs and you attempt to relaunch the procedure, the script detects that it has already been executed, produces an error, and stops further execution. By using this parameter, you can disregard this check and rerun the update, allowing you to resume the process once any issues are resolved.

3. The process is executed in the background. Use the following command to see how the script is progressing:

tail -100f /root/updateRocky8.log

4. After the script execution is finished, you can review the detailed results of the two update phases in the /root/updateRocky8.log log by executing:

tail -1000 /root/updateRocky8.log

Towards the end of the log, you should find a summary similar to the following:

...
Hardening script ended

Updated RPMs:
opennac-api
opennac-api-doc
opennac-admonportal
opennac-captive-portal
opennac-utils
opennac-freeradius3-config
freeradius-openNAC
opennac-gauth
opennac-api-vpngw
opennac-admonportal-vpngw
opennac-zend
opennac-dhcp-helper-reader
opennac-healthcheck
opennac-gpg-key

************************************************************
System updated !!
************************************************************

Done: 20240403_173607

5. The “Updated RPMs” include all the updated openNAC packages. Confirm that the installed packages on the node are the correct ones. You can refer to the list of packages for each node at the end of each component section.

In the event of an error while updating any package, the following message will appear:

************************************************************
Error: The following RPMs have not been updated:
opennac-package_name

Install and configure the indicated RPMs manually.
************************************************************

As the message indicates, to solve this issue, install and configure the RPMs manually.

6. If the following message appears in the log:

############################################################
To finish upgrade, a manual execution is required:

    /usr/bin/mariadb-upgrade -u root -p

MariaDB root password will be required by command line
############################################################

The MariaDB upgrade has to be run manually; the command prompts for the “MariaDB root” password on the command line, as the log indicates.

Execute the command:

/usr/bin/mariadb-upgrade -u root -p

7. If the script attempts to update the crypto policies and detects that the existing ones differ from the expected configuration, it leaves them unchanged and notifies you. You can then decide whether to apply the new policies manually; keeping the existing ones may be necessary if they were previously changed by hand for specific installation requirements.

If the situation described occurs, a message similar to the MariaDB warning will be displayed at the end of the log:

############################################################
Crypto policies have not been updated,
due to a previous configuration.
Current crypto policies are: LEGACY

If you want apply correct crypto policies execute:
   update-crypto-policies --set DEFAULT:OPENNAC-SECURE
############################################################
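Steps 4 to 7 all read the same log. As an added example (not part of the OpenNAC scripts), the following POSIX shell script extracts the markers shown above from /root/updateRocky8.log: the “Updated RPMs” list, any “have not been updated” list, and the mariadb-upgrade and crypto policy notices. It then confirms with rpm that each package the log reports as updated is actually installed. The two sample log fragments embedded in it are constructed from the messages in this section, not real output, and the function names are the example's own.

```shell
#!/bin/sh
# upgrade_log_summary.sh - summarise /root/updateRocky8.log after the upgrade.
# Added example, not part of the OpenNAC scripts. It parses the marker lines
# documented in this section ("Updated RPMs:", "Error: The following RPMs have
# not been updated:", the mariadb-upgrade and crypto policy notices).
set -u

LOG=${UPGRADE_LOG:-/root/updateRocky8.log}

# block_after FILE HEADER_REGEX - lines following a header line, up to the next blank line
block_after() {
    awk -v h="$2" '$0 ~ h { f = 1; next } f && /^$/ { exit } f' "$1"
}

# log_updated_rpms FILE - package names the script reports as updated
log_updated_rpms() { block_after "$1" '^Updated RPMs:'; }

# log_failed_rpms FILE - package names the script reports as NOT updated
log_failed_rpms() { block_after "$1" '^Error: The following RPMs have not been updated:'; }

# pending_manual_steps FILE - prints the follow-up actions the log asks for (steps 6 and 7)
pending_manual_steps() {
    grep -q 'mariadb-upgrade -u root -p' "$1" && echo 'run: /usr/bin/mariadb-upgrade -u root -p'
    grep -q 'Crypto policies have not been updated' "$1" && echo 'run: update-crypto-policies --set DEFAULT:OPENNAC-SECURE'
    return 0
}

# upgrade_status FILE - prints OK, RPM_ERRORS or INCOMPLETE and returns 0, 2 or 1
upgrade_status() {
    if [ -n "$(log_failed_rpms "$1")" ]; then echo RPM_ERRORS; return 2; fi
    if grep -q 'System updated !!' "$1"; then echo OK; return 0; fi
    echo INCOMPLETE; return 1
}

# verify_installed FILE - confirm with rpm that every "updated" package is really installed
verify_installed() {
    rc=0
    for p in $(log_updated_rpms "$1"); do
        if rpm -q "$p" >/dev/null 2>&1; then
            echo "installed: $(rpm -q "$p")"
        else
            echo "MISSING:   $p"; rc=1
        fi
    done
    return $rc
}

# summarise FILE - human-readable report
summarise() {
    echo "Status: $(upgrade_status "$1" || true)"
    echo "Updated RPMs: $(log_updated_rpms "$1" | wc -l | tr -d ' ')"
    f=$(log_failed_rpms "$1"); [ -z "$f" ] || echo "Not updated: $f"
    pending_manual_steps "$1"
}

# Constructed sample log fragments (built from the messages in this section, not real output)
SAMPLE_LOG_OK='Hardening script ended

Updated RPMs:
opennac-api
opennac-utils
opennac-healthcheck

************************************************************
System updated !!
************************************************************

Done: 20240403_173607'

SAMPLE_LOG_ERR='Hardening script ended

************************************************************
Error: The following RPMs have not been updated:
opennac-gauth

Install and configure the indicated RPMs manually.
************************************************************
############################################################
To finish upgrade, a manual execution is required:

    /usr/bin/mariadb-upgrade -u root -p

MariaDB root password will be required by command line
############################################################'

case "${1:-}" in
    demo) t=$(mktemp); printf '%s\n' "$SAMPLE_LOG_ERR" > "$t"; summarise "$t"; rm -f "$t" ;;
    run)  summarise "$LOG"; verify_installed "$LOG" ;;
esac
```

`sh upgrade_log_summary.sh run` reads the real log on the node (set UPGRADE_LOG to point elsewhere); `sh upgrade_log_summary.sh demo` runs the report over the constructed error sample. A non-zero exit from verify_installed means a package the log counts as updated is not present and needs the manual installation described in step 5.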

8. If the installation is successful, delete the VM snapshot.

After completing the Rocky Linux upgrade, you can proceed to the update of your OpenNAC components.

Warning

Keep in mind that the update process includes security enhancements that configure SSH through the crypto-policies-scripts package, specifying the allowed algorithms for key exchange, host keys, encryption ciphers, message authentication codes, and fingerprints.

After the update, if you are not using an up-to-date SSH client, you won’t be able to connect via SSH.

Consult rule 82 of the OpenNAC hardening section for more information.
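To avoid locking yourself out, compare the algorithms the updated server accepts with the ones your SSH client can offer before you close the session you are logged in with. The script below is an added example, not OpenNAC code: it reads the effective server configuration as printed by `sshd -T`, queries the local client with `ssh -Q`, and reports for each category (key exchange, cipher, MAC, host key) whether at least one algorithm is shared. The server and client lists embedded in it are constructed for the demo and are not the contents of the OPENNAC-SECURE policy; the function names are the example's own.

```shell
#!/bin/sh
# ssh_compat_check.sh - check that the SSH client you connect from still shares an
# algorithm with the upgraded server in every category the policy restricts.
# Added example, not OpenNAC code. The sample lists below are CONSTRUCTED for the
# demo and are not the OPENNAC-SECURE policy.
set -u

# join_commas - stdin lines -> one comma-separated line (empty input -> empty output)
join_commas() { tr '\n' ',' | sed 's/,$//'; }

# common_algos "a,b,c" "b,c,d" - prints the algorithms present in both comma lists
common_algos() {
    for a in $(printf '%s' "$1" | tr ',' ' '); do
        case ",$2," in *",$a,"*) echo "$a" ;; esac
    done
}

# server_option SSHD_T_OUTPUT KEY - value of a "key value" line from `sshd -T`
server_option() {
    printf '%s\n' "$1" | awk -v k="$2" '$1 == k { print $2; exit }'
}

# client_list QUERY - comma list of what the local client supports
# (QUERY is one of kex, cipher, mac, key, as accepted by `ssh -Q`)
client_list() { ssh -Q "$1" | join_commas; }

# check_category NAME SERVER_LIST CLIENT_LIST - 0 if at least one algorithm is shared
check_category() {
    shared=$(common_algos "$2" "$3" | join_commas)
    if [ -n "$shared" ]; then
        echo "$1: ok ($shared)"
        return 0
    fi
    echo "$1: NO COMMON ALGORITHM (server: $2 | client: $3)"
    return 1
}

# compat_report SSHD_T_OUTPUT KEX CIPHERS MACS HOSTKEYS - 0 only if all four categories pass
compat_report() {
    rc=0
    check_category kex     "$(server_option "$1" kexalgorithms)"     "$2" || rc=1
    check_category cipher  "$(server_option "$1" ciphers)"           "$3" || rc=1
    check_category mac     "$(server_option "$1" macs)"              "$4" || rc=1
    check_category hostkey "$(server_option "$1" hostkeyalgorithms)" "$5" || rc=1
    return $rc
}

# Constructed sample: a restrictive server policy, in the format printed by `sshd -T`
SAMPLE_SERVER='kexalgorithms curve25519-sha256,diffie-hellman-group16-sha512
ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
macs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
hostkeyalgorithms ssh-ed25519,rsa-sha2-512'

# Constructed sample clients: a current one and a legacy one that only offers SHA-1 kex
NEW_KEX='curve25519-sha256,ecdh-sha2-nistp256'
OLD_KEX='diffie-hellman-group14-sha1,diffie-hellman-group1-sha1'
CIPHERS='aes128-ctr,aes256-gcm@openssh.com'
MACS='hmac-sha2-256-etm@openssh.com,hmac-sha1'
HOSTKEYS='ssh-ed25519,ssh-rsa'

case "${1:-}" in
    # demo: the legacy client is rejected on key exchange, every other category passes
    demo) compat_report "$SAMPLE_SERVER" "$OLD_KEX" "$CIPHERS" "$MACS" "$HOSTKEYS" ;;
    # run FILE: FILE is the output of `sshd -T` captured on the upgraded node and copied
    # to the client machine; the client side is queried live with `ssh -Q`
    run)  compat_report "$(cat "$2")" "$(client_list kex)" "$(client_list cipher)" \
                        "$(client_list mac)" "$(client_list key)" ;;
esac
```

On the upgraded node, while your current session is still open, save the effective daemon configuration with `sshd -T > sshd_effective.txt`, copy that file to the machine you connect from, and run `sh ssh_compat_check.sh run sshd_effective.txt` there. A NO COMMON ALGORITHM line in any category means that client will be refused after you log out, so update it first.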