The current way of menu-based patching of the gateway won't work due to the large number of servers spread across multiple sites. There has to be a better way to patch SSG servers than the menu-driven option. How to automate this task?
Good suggestion, I've had the same question from several customers.
BTW: Don't forget to vote for your own idea!
I totally agree! Especially a cluster patch/upgrade is a really painful and brittle process. It prevents us from patching our API gateways every month. It should be fully automated without downtime in a cluster.
Technically, the whole thing is already in the form of bash scripts, and it ends up calling /opt/SecureSpan/Appliance/libexec/patchcli_launch as the layer7 user to install a patch. I'm sure this could be automated with remote ssh calls.
Hi, I wanted to clarify whether users were looking for:
I'm also curious to know whether users have examples of upgrade processes for other "Gateway-like" products that they like, and if so, what did you like about those products?
I would like a cluster to be easily upgraded. For example, when patching a cluster node it will stop the ping (on just one node), break the database mirror, patch the node, join the cluster and, when operational again, enable the ping. It is now a lot of handcrafting to patch a cluster (it takes us half a day for one cluster and we have 6 of them).
Though I'm not arguing that your process works, it is imho a bit overkill. We wrote some scripts to auto-patch our AWS clusters - and there's no need to stop ping, break db replication, join clusters, enable pings.
Just apply patch, restart server (ping will be disabled - proper LB setup will stop traffic going to node)
Box comes back up (patched), when server is back up, ping responds, LB adds it into array again, job done - next node.
Stuart, thank you for your feedback! It could be that what we do is overkill. I thought we were using the method suggested by CA. If it could be easier I am very curious!
When patching to a new API gateway version, when do you upgrade the database version? After the first node or after the second node is patched (in a two-node cluster)? Do you have any downtime while patching the cluster?
Would/could you share the scripts or process description you use to patch your clusters?
Ah no - to be clear - I am talking about monthly platform patches. Application patches are a different kettle of fish.
We do not currently automate them - we prefer to do those out of hours and take the whole cluster down to upgrade at once as a significant amount of regression testing is needed to confirm everything still works as it should, etc.
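The node-by-node sequence described in the thread (apply patch, restart, wait for the ping to drop and return, then move to the next node), written out as an added example that is not from any poster or from the product. `PATCH_CMD`, `HEALTH_URL_FMT`, the poll limits and all function names are assumptions; the run halts at the first node that fails so a bad patch cannot take out more than one node.

```bash
# Added example, not from the thread. Assumptions: PATCH_CMD is your own wrapper
# that installs the patch and schedules the restart; HEALTH_URL_FMT is the ping
# URL your load balancer polls; node names are passed as arguments.
PATCH_CMD="${PATCH_CMD:-/usr/local/sbin/PLACEHOLDER-patch-and-restart}"
HEALTH_URL_FMT="${HEALTH_URL_FMT:-https://%s:8443/PLACEHOLDER-ping-path}"

apply_patch() {    # $1 = node
  ssh -o BatchMode=yes "$1" "$PATCH_CMD"
}

node_healthy() {   # $1 = node; succeeds only on an HTTP 2xx answer
  curl --silent --fail --max-time 5 --output /dev/null \
    "$(printf "$HEALTH_URL_FMT" "$1")"
}

wait_for() {       # $1 = up|down, $2 = node, $3 = max polls
  wf_i=0
  while [ "$wf_i" -lt "$3" ]; do
    if node_healthy "$2"; then
      [ "$1" = up ] && return 0
    else
      [ "$1" = down ] && return 0
    fi
    sleep "${POLL_SECONDS:-10}"
    wf_i=$((wf_i + 1))
  done
  return 1
}

peers_healthy() {  # $1 = node about to be patched, rest = whole cluster
  ph_skip=$1; shift
  for ph_n in "$@"; do
    [ "$ph_n" = "$ph_skip" ] && continue
    node_healthy "$ph_n" || return 1
  done
  return 0
}

rolling_patch() {  # args = nodes, patched strictly one at a time
  PATCHED=""
  for rp_n in "$@"; do
    peers_healthy "$rp_n" "$@" || { echo "abort: a peer of $rp_n is down" >&2; return 2; }
    apply_patch "$rp_n" || { echo "abort: patch failed on $rp_n" >&2; return 3; }
    wait_for down "$rp_n" "${DOWN_TRIES:-30}" || { echo "abort: $rp_n never restarted" >&2; return 4; }
    wait_for up "$rp_n" "${UP_TRIES:-60}" || { echo "abort: $rp_n did not come back" >&2; return 5; }
    PATCHED="$PATCHED $rp_n"
  done
  return 0
}
```

Invoke as `rolling_patch gw1 gw2 gw3`; after an abort, `PATCHED` holds the nodes that completed, and every node after the failing one is left untouched.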