A DC/OS patch describes a set of changes and supporting data designed to update, fix, or improve the features/functionality of DC/OS. A point release that consists of minor changes is also called a patch.
A patching process includes the following:
- Addresses fixed issues, known issues/limitations, notable changes and security enhancements
- Does not impact workloads which is an essential piece of patching live clusters with no downtime
- Helps users to understand the minor changes impacting the functionality of DC/OS
- To update to a newer major or minor version (e.g. 2.0 to 2.1), refer to the instructions for upgrading.
If patching is performed on a supported OS with all prerequisites fulfilled, then the patch should preserve the state of running tasks on the cluster.
Important guidelines
-
Review the release notes before patching DC/OS.
-
Due to a cluster configuration issue with overlay networks, it is recommended to set
enable_ipv6
to false inconfig.yaml
when patching or configuring a new cluster. You can find additional information and a more robust remediation procedure in our latest critical product advisory. -
If IPv6 is disabled in the kernel, then IPv6 must be disabled in the
config.yaml
file. -
The DC/OS Enterprise license key must reside in a
genconf/license.txt
file. Enterprise -
The DC/OS GUI and other higher-level system APIs may be inconsistent or unavailable until all master nodes have been patched. For example, a patched DC/OS Marathon leader cannot connect to the leading Mesos master until it has also been patched. When this occurs:
- The DC/OS GUI may not provide an accurate list of services.
-
A patched DC/OS Marathon leader cannot connect to a non-secure (not patched) leading Mesos master. The DC/OS UI cannot be trusted until all masters are patched. There are multiple Marathon scheduler instances and multiple Mesos masters, each being patched, and the Marathon leader may not be the Mesos leader.
-
Task history in the Mesos UI will not persist through the patch.
-
DC/OS Enterprise downloads can be found here. Enterprise
Supported patch paths
- From any current release to the next. For example, a patch from 2.1.4 to 2.1.5 would be supported.
- From any current release to an identical release. For example, a patch from 2.1.4 to 2.1.4 would be supported. This is useful for making configuration changes.
Modifying DC/OS configuration
You cannot change your cluster configuration at the same time that you are patching to a new version. Cluster configuration changes must be done with an update to an already installed version. For example, you cannot simultaneously patch a cluster from 2.1.x to 2.1.y and add more public agents. You can add more public agents with an update to 2.1.x, and then patch to 2.1.y Or you can patch to 2.1.y and then add more public agents by updating 2.1.y after the patch.
To modify your DC/OS configuration, you must run the installer with the modified config.yaml
and update your cluster using the new installation files. Changes to the DC/OS configuration have the same risk as patching a host. Incorrect configurations could potentially crash your hosts, or an entire cluster.
Only a subset of DC/OS configuration parameters can be modified. The adverse effects on any software that is running on top of DC/OS is outside of the scope of this document. Contact Mesosphere Support for more information.
Here is a list of the parameters that you can modify:
dns_search
docker_remove_delay
gc_delay
resolvers
telemetry_enabled
use_proxy
enable_mesos_input_plugin
The security mode (security
) can be changed but only to a stricter security mode. Security downgrades are not supported. For example, if your cluster is in strict
mode and you want to downgrade to permissive
mode, you must reinstall the cluster and terminate all running workloads.
See the security mode for information on different security modes.
Instructions
These steps must be performed for version patches and cluster configuration changes.
Prerequisites
-
Mesos, Mesos Frameworks, Marathon, Docker and all running tasks in the cluster should be stable and in a known healthy state.
-
For Mesos compatibility reasons, we recommend patching any running Marathon-on-Marathon instances to Marathon version 1.3.5 before proceeding with this DC/OS patch.
-
You must have access to copies of the config files used with the previous DC/OS version:
config.yaml
andip-detect
. -
You must be using
systemd
218 or newer to maintain task state. -
All hosts (masters and agents) must be able to communicate with all other hosts as described at network security.
-
In CentOS or RedHat, install IP sets with this command (used in some IP detect scripts):
sudo yum install -y ipset
-
You must be familiar with using
systemctl
andjournalctl
command line tools to review and monitor service status. Troubleshooting notes can be found at the end of this document. -
You must be familiar with the DC/OS Production Installation instructions.
-
Take a snapshot of ZooKeeper prior to patching. Marathon supports rollbacks, but does not support downgrades.
-
Important: Take a snapshot of the IAM database prior to upgrading. This is very easy to do and should be considered a necessity.
-
Ensure that Marathon event subscribers are disabled before beginning the patch. Leave them disabled after completing the patch, as this feature is now deprecated.
-
Verify that all Marathon application constraints are valid before beginning the patch. Use this script to check if your constraints are valid.
-
Optional You can add custom node and cluster health checks to your
config.yaml
.
Bootstrap Node
Choose your desired security mode and then follow the applicable patch instructions.
Patching DC/OS 2.1 without changing security mode
This procedure patches a DC/OS 2.1 cluster without changing the cluster’s security mode.
-
Copy your existing
config.yaml
andip-detect
files to an emptygenconf
folder on your bootstrap node. The folder should be in the same directory as the installer. -
Merge the old
config.yaml
into the newconfig.yaml
format. In most cases the differences will be minimal. -
After updating the format of the config.yaml, compare the old
config.yaml
and newconfig.yaml
. Verify that there are no differences in pathways or configurations. Changing these while patching can lead to catastrophic cluster failures. -
Modify the
ip-detect
file as desired. -
Build your installer package.
- Download the
dcos_generate_config.ee.sh
file. - Generate the installation files. Replace
<installed_cluster_version>
in the command below with the DC/OS version currently running on the cluster you intend to patch, for example1.8.8
.dcos_generate_config.ee.sh --generate-node-upgrade-script <installed_cluster_version>
- The command in the previous step will produce a URL in the last line of its output, prefixed with
Node patch script URL:
. Record this URL for use in later steps. It will be referred to in this document as the “Node patch script URL”. - Run the nginx container to serve the installation files.
- Download the
-
Go to the DC/OS Master procedure to complete your installation.
Patching to DC/OS 2.1 in strict mode
This procedure patches to DC/OS 2.1 in strict security mode.
If you are updating a running DC/OS cluster to run in strict
security mode, be aware that security vulnerabilities may persist even after migration to strict mode. When moving to strict mode, your services will now require authentication and authorization to register with Mesos or access its HTTP API. You should test these configurations in permissive mode before patching to strict, to maintain scheduler and script uptimes across the patch.
As permissive mode allows some insecure behavior, a cluster may have been compromised before it is upgraded to strict security mode. To obtain the full security benefits of strict security mode, we recommend that you re-install the operating system on each node and install a new cluster.
Prerequisites:
- Your cluster must be a recently patched version of DC/OS 2.1 and running in permissive security mode before it can be updated to strict mode. If your cluster was running in strict mode before it was patched to DC/OS 2.1, you can skip this procedure.
- If you have running pods or if the Mesos “HTTP command executors” feature has been enabled in a custom configuration, you must restart these tasks in DC/OS 2.1 permissive security mode before patching to strict mode. Otherwise, these tasks will be restarted when the masters are patched.
To update a cluster from permissive security to strict security, complete the following procedure:
-
Replace
security: permissive
withsecurity: strict
in yourconfig.yaml
. Do not make any other changes to pathways or configurations in theconfig.yaml
. -
Modify the
ip-detect
file as desired. -
Build your installer package.
- Download the
dcos_generate_config.ee.sh
file. - Generate the installation files. Replace
<installed_cluster_version>
in the below command with the DC/OS version currently running on the cluster you intend to patch, for example2.1.0
.dcos_generate_config.ee.sh --generate-node-upgrade-script <installed_cluster_version>
- The command in the previous step will produce a URL in the last line of its output, prefixed with
Node patch script URL:
. Record this URL for use in later steps. It will be referred to in this document as the “Node patch script URL”. - Run the nginx container to serve the installation files.
- Download the
-
Go to the DC/OS Master procedure to complete your installation.
DC/OS Masters
Proceed with patching every master node one at a time in any order using the following procedure. When you complete each patch, monitor the Mesos master metrics to ensure the node has rejoined the cluster and completed reconciliation.
-
Download and run the node patch script:
curl -O <Node patch script URL> sudo bash dcos_node_upgrade.sh
-
Verify that the patch script succeeded and exited with the status code
0
:echo $? 0
-
Validate the patch by running the following commands on the master node:
-
Monitor Exhibitor and wait for it to converge.
On DC/OS Enterprise clusters with a static master list use the command:
sudo curl --cacert /var/lib/dcos/exhibitor-tls-artifacts/root-cert.pem --cert /var/lib/dcos/exhibitor-tls-artifacts/client-cert.pem --key /var/lib/dcos/exhibitor-tls-artifacts/client-key.pem https://localhost:8181/exhibitor/v1/cluster/status
On other clusters use the command:
curl http://localhost:8181/exhibitor/v1/cluster/status
Wait until the response shows that all hosts have
"description":"serving"
. -
Wait until the
dcos-mesos-master
unit is up and running. -
Verify that
Enterprisecurl http://<dcos_master_private_ip>:5050/metrics/snapshot
has the metricregistrar/log/recovered
with a value of1
. -
Verify that
/opt/mesosphere/bin/mesos-master --version
indicates that the patched master is running the version of Mesos specified in the release notes, for example1.9.1
. -
Verify that the number of under-replicated ranges in CockroachDB has dropped to zero as the IAM database is replicated to the new master. Run the following command and confirm that the
ranges_underreplicated
column shows only zeros.
sudo /opt/mesosphere/bin/cockroach node status --ranges --certs-dir=/run/dcos/pki/bouncer --host=$(/opt/mesosphere/bin/detect_ip)
+----+---------------------+--------+---------------------+---------------------+------------------+-----------------------+--------+--------------------+------------------------+ | id | address | build | updated_at | started_at | replicas_leaders | replicas_leaseholders | ranges | ranges_unavailable | ranges_underreplicated | +----+---------------------+--------+---------------------+---------------------+------------------+-----------------------+--------+--------------------+------------------------+ | 1 | 172.31.7.32:26257 | v1.1.4 | 2018-03-08 13:56:10 | 2018-02-28 20:11:00 | 195 | 194 | 195 | 0 | 0 | | 2 | 172.31.10.48:26257 | v1.1.4 | 2018-03-08 13:56:05 | 2018-03-05 13:33:45 | 200 | 199 | 200 | 0 | 0 | | 3 | 172.31.23.132:26257 | v1.1.4 | 2018-03-08 13:56:01 | 2018-02-28 20:18:41 | 187 | 187 | 187 | 0 | 0 | +----+---------------------+--------+---------------------+---------------------+------------------+-----------------------+--------+--------------------+------------------------+
If the
ranges_underreplicated
column lists any non-zero values, wait a minute and rerun the command. The values will converge to zero after all data is safely replicated. -
-
Go to the DC/OS Agents procedure to complete your installation.
DC/OS Agents
On all DC/OS agents:
-
Navigate to the
/opt/mesosphere/lib
directory and delete this library file. Deleting this file will prevent conflicts.libltdl.so.7
-
Download and run the node patch script:
curl -O <Node patch script URL> sudo bash dcos_node_upgrade.sh
-
Verify that the patch script succeeded and exited with the status code
0
:echo $? 0
-
Validate the patch:
- Verify that
curl http://<dcos_agent_private_ip>:5051/metrics/snapshot
has the metricslave/registered
with a value of1
. - Monitor the Mesos UI to verify that the patched node rejoins the DC/OS cluster and that tasks are reconciled (
http://<master-ip>/mesos
). If you are patching from permissive to strict mode, this URL will behttps://<master-ip>/mesos
.
- Verify that
Troubleshooting Recommendations
The following commands should provide insight into patch issues:
On All Cluster Nodes
sudo journalctl -u dcos-download
sudo journalctl -u dcos-spartan
sudo systemctl | grep dcos
If your patch fails because of a custom node or cluster check, run these commands for more details:
dcos-check-runner check node-poststart
dcos-check-runner check cluster
On DC/OS Masters
sudo journalctl -u dcos-exhibitor
less /opt/mesosphere/active/exhibitor/usr/zookeeper/zookeeper.out
sudo journalctl -u dcos-mesos-dns
sudo journalctl -u dcos-mesos-master
On DC/OS Agents
sudo journalctl -u dcos-mesos-slave
Notes
Packages available in the DC/OS 2.1 Catalog are newer than those in the older versions of the Catalog. Services are not automatically patched when DC/OS is installed because not all DC/OS services have patch paths that will preserve existing states.