Patch Upgrade Process for Avi Vantage

Overview

Avi Vantage supports patch upgrades, by which hot fixes are placed into effect. Avi Vantage patches are designed not to interrupt active services. In cases where an interruption is expected, the patch package will be released with related documents and details. To ensure configuration integrity, changes to the configuration are locked out during a patch upgrade.

Note: The patch upgrade feature is accessible only via Avi CLI.

Patch Process

  • Download a patch package from the Avi Customer Portal.
  • For every patch release there can be as many as 4 packages. The first three in the list below give the administrator the option to patch some, but not all, aspects of the Avi Vantage platform. When applying the Service Engine patch, you have the flexibility to upgrade just some SE groups. The avi_patch package applies all the other patches.
    1. controller_patch
    2. se_patch
    3. ui_patch
    4. avi_patch
  • Use the patch shell command to apply a desired patch. Details are discussed under the Patch Upgrade Options section.

Preparing for the Patch

Finding the Version

One or more patch packages may be applicable to your Avi Vantage version. Therefore, it is essential to know the version that your Avi Vantage is currently on. You can check the Controller/SE version(s) using the following commands:


show version controller

show version serviceengine

Prerequisites and Restrictions

Based on your Avi Vantage Controller and SE versions, you can choose a patch package.

  • All Controllers must be on the same base+patch version to form a cluster. For instance, with three Controllers on 17.2.4, you cannot form a cluster with one on 17.2.4-1p1 and another on 17.2.4-1p2.
  • Before attempting to cluster patch Avi Controllers, run reboot clean CLI commands on each. For more details, refer to Deploying an Avi Controller Cluster.
  • All patches from a maintenance release are incorporated into successive maintenance releases. For instance, all patches associated with 17.2.3 are incorporated into 17.2.4.
  • Once a Controller is upgraded to a new maintenance release, i.e., from 17.2.3 to 17.2.4, all underlying SE groups must be upgraded to 17.2.4.
  • A patch family is a set of patches that share the same leading digit. For instance, 1p1, 1p2, and 1p3 are patches in the 1px family.
  • Fixes accumulate within a patch family. For instance, the 1p2 patch contains new fixes unique to it, plus all the fixes from 1p1. The 1p3 patch includes fixes from both the 1p1 and 1p2 patches. Additionally, the 2p1 patch is the first in a new patch family and does not contain 1px fixes.
  • A given fix may appear in more than one patch family.

  • You can:
    • Choose any patch applicable to a particular maintenance release as the first patch to be applied to that base version. For example, in a patch family comprised of 1p1, 1p2 and 1p3, any one of the three can be the first applied.
    • Apply any subsequent patch, as long as it is within the same patch family. For instance, you can apply 1p5 to 1p1.
  • You cannot:
    • Apply a patch from a patch family other than the one already chosen. For instance, you cannot apply patch 2p1 once any 1px patch has been applied.
    • Apply a patch that would imply an upgrade to some different Avi Vantage maintenance release. For example, it is not possible to patch-upgrade from 17.2.3 to 17.2.4-1p3.
  • .pkg is same for both container and non-container. in case of patch this is to
  • For Controllers on baremetal/LSC or legacy GCP, upgrade package is available in docker.tgz.

Uploading the Patch Package

Use WinSCP or any similar tool to upload the patch package to the Controller’s /tmp directory.

Note: The leader Controller will ensure that the follower Controllers are on the same version.

The Controller machine on the base version of Avi Vantage might be previously patched. Check to ensure that the required new patch package is present in the /tmp directory.


root@<controller-ip>:/home/admin# ls /tmp/se_patch.pkg
/tmp/se_patch.pkg

Log in to the Avi shell using your credentials as shown below:


$ shell --user <controller username> --password <controller password>

Verify that an upgrade is not already in progress:


$[admin:<controller-ip>]: > show upgrade status
+------------------+-------+
| Field            | Value |
+------------------+-------+
| in_progress      | False |
| controller_state |       |
|   in_progress    | False |
+------------------+-------+
[admin:<controller-ip>]: >
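
A pre-flight gate built on the check above, as an added example (not Avi's own code): it flattens the `show upgrade status` table, including the nested `controller_state` rows, and refuses to report "idle" when no `in_progress` field can be found. `SAMPLE_BUSY` is constructed from the output shown on this page with one value flipped, and the function names are hypothetical.

```python
from typing import Dict

# Constructed sample: the page's 'show upgrade status' output with the nested
# in_progress value flipped to True to represent an upgrade that is running.
SAMPLE_BUSY = """\
[admin:<controller-ip>]: > show upgrade status
+------------------+-------+
| Field            | Value |
+------------------+-------+
| in_progress      | False |
| controller_state |       |
|   in_progress    | True  |
+------------------+-------+
"""

def parse_status_table(text: str) -> Dict[str, str]:
    """Flatten the CLI table into dotted keys, e.g. 'controller_state.in_progress'."""
    fields: Dict[str, str] = {}
    parent = ""
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue                          # borders, prompts, blank lines
        cells = line.strip("|").split("|")
        if len(cells) != 2:
            continue
        raw_key, value = cells[0], cells[1].strip()
        key = raw_key.strip()
        if key == "Field":
            continue                          # header row
        if raw_key.startswith("   ") and parent:
            key = f"{parent}.{key}"           # nested rows carry extra indentation
        elif value == "":
            parent = key                      # a row with no value opens a group
        else:
            parent = ""
        fields[key] = value
    return fields

def upgrade_in_progress(text: str) -> bool:
    """True if any in_progress field, top-level or nested, is not 'False'."""
    fields = parse_status_table(text)
    flags = [v for k, v in fields.items() if k.split(".")[-1] == "in_progress"]
    if not flags:
        # Fail closed: unparseable output must not be read as "no upgrade running".
        raise ValueError("no in_progress field found; refusing to assume idle")
    return any(v != "False" for v in flags)
```
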

Patch Upgrade Options

Version Upgrade and Patch

You can upgrade the Controller to a more recent version along with the required patch by using a single command as follows:


 upgrade system image_path /tmp/controller-XX.Y.Z-abcd.pkg patch_path /tmp/avi_patch-XX.Y.Z-1px-wxyz.pkg
 

This ensures that the Controller is upgraded and the specified patch is applied at the same time. Note that the patch must be for the same version as the Controller upgrade.

Apart from this, the following are the three options for the patch command:

  1. disruptive is False by default.
  2. force is False by default.
  3. se_group_refs governs the scope of the upgrade.

Disruptive Patch

If you do not require the non-disruptive rolling upgrade of SEs and would rather get through the upgrade quickly, you can set this flag to True. The command below initiates an upgrade with the disruptive flag set to True.


$[admin:<controller-ip>]: > patch system image_path /tmp/avi_patch.pkg disruptive
Uploading file to controller
Verifying upgrade package
Upgrade has started. Please use 'show upgrade status' to check the progress.
[admin:<controller-ip>]: >

Force Patch

The below command initiates an upgrade with the force flag set to True. This allows skipping the basic checks.


$[admin:<controller-ip>]: >  patch system image_path /tmp/avi_patch.pkg force
Uploading file to controller
Verifying upgrade package
Upgrade has started. Please use 'show upgrade status' to check the progress.
[admin:<controller-ip>]: >

SE Group Patch

If the se_group_refs option is absent, all SE groups are upgraded. When present, it identifies a specific SE group for patching. If more than one SE group needs patching, each will require a separate patch command.

 
$[admin:<controller-ip>]: > patch system image_path /tmp/avi_patch.pkg se_group_refs <name_of_se_grp>
Uploading file to controller
Verifying upgrade package
Upgrade has started. Please use 'show upgrade status' to check the progress.
[admin:<controller-ip>]: >

Note: SEs check for the version present on the Controller. In the event of a mismatch, the SE is rebooted and upgraded with the new patch available on the Controller.

Restriction: If you apply a patch 5p1 to the SE-group, then all the entities in the system — SEs and Controller(s) — can only be upgraded to 5p1 or some member of the 5px patch series. For example, one cannot apply 6p1 to the Controller and 5p1 to an SE group.
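
The patch-family rules under Prerequisites and Restrictions and the SE-group restriction above can be checked before a change window. The following is an added example, not Avi's own code: it assumes version strings in the page's `<base>-<family>p<level>` notation (for example `17.2.4-1p2`), reads "subsequent" as a strictly higher patch level, and uses hypothetical function names.

```python
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# Page notation: <base>[-<family>p<level>], e.g. 17.2.4 or 17.2.4-1p2.
_VERSION = re.compile(r"^(\d+\.\d+\.\d+)(?:-(\d+)p(\d+))?$")

class AviVersion(NamedTuple):
    base: str                 # maintenance release, e.g. "17.2.4"
    family: Optional[int]     # leading digit of the patch, None if unpatched
    level: Optional[int]      # position inside the family, None if unpatched

def parse_version(text: str) -> AviVersion:
    m = _VERSION.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    base, family, level = m.groups()
    return AviVersion(base, int(family) if family else None, int(level) if level else None)

def can_patch(current: str, target: str) -> Tuple[bool, str]:
    """Apply the page's 'You can / You cannot' rules to one node."""
    cur, tgt = parse_version(current), parse_version(target)
    if tgt.family is None:
        return False, "target is not a patch version"
    if cur.base != tgt.base:
        return False, "a patch cannot move to a different maintenance release"
    if cur.family is None:
        return True, "first patch on this base version"
    if cur.family != tgt.family:
        return False, f"node is in the {cur.family}px family; {tgt.family}px is excluded"
    if tgt.level <= cur.level:
        # Assumption: "subsequent" is read as a strictly higher patch level.
        return False, "target is not a subsequent patch"
    return True, "subsequent patch in the same family"

def cluster_blockers(controllers: List[str], se_groups: Dict[str, str]) -> List[str]:
    """Report violations of the cluster and SE-group family restrictions."""
    problems = []
    distinct = sorted(set(controllers))
    if len(distinct) > 1:
        problems.append("controllers differ in base+patch version: " + ", ".join(distinct))
    families = {parse_version(v).family for v in controllers} - {None}
    for name, version in se_groups.items():
        fam = parse_version(version).family
        if fam is not None and families and fam not in families:
            problems.append(f"SE group {name} is on {fam}px, controllers are not")
    return problems
```
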