server-1
  domain: conjur-master-1.mycompany.com
  container: Conjur v5.2.2
  configured as: Master
server-2
  domain: conjur-master-2.mycompany.com
  container: Conjur v5.2.2
  configured as: Synchronous-Standby
server-3
  domain: conjur-master-3.mycompany.com
  container: Conjur v5.2.2
  configured as: Standby
server-4
  domain: conjur-follower-1.mycompany.com
  container: Conjur v5.2.2
  configured as: Follower
All steps assume the Conjur container is named conjur. The server a command is run on is denoted by (<server-name>).
- Stop all replication on all servers but the master:
(server-2)
$ docker exec conjur evoke replication stop
(server-3)
$ docker exec conjur evoke replication stop
(server-4)
$ docker exec conjur evoke replication stop
- (server-1) Remove all nodes from the cluster:
$ docker exec conjur evoke cluster member remove conjur-master-2.mycompany.com
$ docker exec conjur evoke cluster member remove conjur-master-3.mycompany.com
$ docker exec conjur evoke cluster member remove conjur-master-1.mycompany.com
- (server-3) Stop and remove Conjur container:
$ docker stop conjur
$ docker rm conjur
- (server-1) Create a new seed file (alternatively, an old seed file can be used if certificates have not changed):
$ docker exec conjur evoke seed standby conjur-master-3.mycompany.com conjur-master-1.mycompany.com > standby-seed.tar
- (server-3) Launch newer version (5.2.3) of Conjur container on server-3:
$ docker run --name conjur -d --restart=always --security-opt seccomp:<profile> -p "443:443" -p "5432:5432" -p "1999:1999" registry2.itci.conjur.net/conjur-appliance:5.2.3
- (server-3) Configure new version as promotable standby after unpacking the seed file:
$ docker exec conjur evoke unpack seed standby-seed.tar
$ docker exec conjur evoke configure upgradable
- (server-2) Stop the other standby:
$ docker stop conjur
- (server-1) Stop the master (auto-failover will not occur because there is not a quorum):
$ docker stop conjur
- (server-3) Promote the new master:
$ docker exec conjur evoke role promote
- (server-3) Generate new seeds for the new standbys and the follower:
$ docker exec conjur evoke seed standby conjur-master-1.mycompany.com conjur-master-3.mycompany.com > standby-seed-1.tar
$ docker exec conjur evoke seed standby conjur-master-2.mycompany.com conjur-master-3.mycompany.com > standby-seed-2.tar
$ docker exec conjur evoke seed follower conjur-follower-1.mycompany.com conjur-master-3.mycompany.com > follower-seed-1.tar
- Re-provision former master and standby using new version (5.2.3):
(server-1)
$ docker rm conjur
$ docker run --name conjur -d --restart=always --security-opt seccomp:<profile> -p "443:443" -p "5432:5432" -p "1999:1999" registry2.itci.conjur.net/conjur-appliance:5.2.3
$ docker exec conjur evoke unpack seed standby-seed-1.tar
$ docker exec conjur evoke configure standby
(server-2)
$ docker rm conjur
$ docker run --name conjur -d --restart=always --security-opt seccomp:<profile> -p "443:443" -p "5432:5432" -p "1999:1999" registry2.itci.conjur.net/conjur-appliance:5.2.3
$ docker exec conjur evoke unpack seed standby-seed-2.tar
$ docker exec conjur evoke configure standby
- (server-3) Re-enroll standbys in the cluster:
$ docker exec conjur evoke cluster enroll -n conjur-master-3.mycompany.com conjur
$ docker exec conjur evoke cluster enroll -n conjur-master-1.mycompany.com -m conjur-master-3.mycompany.com conjur
$ docker exec conjur evoke cluster enroll -n conjur-master-2.mycompany.com -m conjur-master-3.mycompany.com conjur
- (server-4) Redeploy the follower using the new version (5.2.3):
$ docker rm conjur
$ docker run --name conjur -d --restart=always --security-opt seccomp:<profile> -p "443:443" registry2.itci.conjur.net/conjur-appliance:5.2.3
$ docker exec conjur evoke unpack seed follower-seed-1.tar
$ docker exec conjur evoke configure follower
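
Every seed file in the steps above is generated for one specific node hostname, so a mistyped hostname or the wrong seed kind is easy to miss until the node fails to join. The following is an added example, not part of the original procedure or of Conjur itself: a pre-flight lint for the `evoke seed` lines of a runbook, checked against the server list at the top of this page. The names role_of, lint_seed_commands, INVENTORY and SAMPLE_RUNBOOK are hypothetical, and the sample runbook is constructed.

```sh
# Added example: lint `evoke seed` lines in a runbook against the node inventory.
# INVENTORY (hostname=role class) is copied from the server list on this page;
# the three conjur-master-N nodes form the master/standby pool.
INVENTORY="conjur-master-1.mycompany.com=master conjur-master-2.mycompany.com=master"
INVENTORY="$INVENTORY conjur-master-3.mycompany.com=master conjur-follower-1.mycompany.com=follower"

# role_of HOST (hypothetical helper): print HOST's role class, return 1 if unknown.
role_of() {
  for pair in $INVENTORY; do
    [ "${pair%%=*}" = "$1" ] && { printf '%s\n' "${pair#*=}"; return 0; }
  done
  return 1
}

# lint_seed_commands (hypothetical): read runbook lines on stdin, print one finding
# per bad `evoke seed <kind> <target> <master>` line, return 1 if any was found.
lint_seed_commands() {
  n=0 bad=0
  while IFS= read -r line; do
    n=$((n + 1))
    case "$line" in *"evoke seed "*) ;; *) continue ;; esac
    set -f; set -- ${line#*evoke seed }; set +f   # word-split without globbing
    kind=$1 target=$2 master=$3
    case "$kind" in standby) want=master ;; follower) want=follower ;; *) continue ;; esac
    if ! trole=$(role_of "$target"); then
      echo "line $n: target $target is not in the inventory"; bad=1
    elif [ "$trole" != "$want" ]; then
      echo "line $n: $target is a $trole node, wrong for a $kind seed"; bad=1
    fi
    if [ "$(role_of "$master")" != master ]; then
      echo "line $n: $master cannot act as the seed's master"; bad=1
    elif [ "$target" = "$master" ]; then
      echo "line $n: $target is seeded against itself"; bad=1
    fi
  done
  return "$bad"
}

# Constructed sample runbook: line 1 is valid, lines 2 and 3 are deliberately wrong.
SAMPLE_RUNBOOK='$ docker exec conjur evoke seed standby conjur-master-1.mycompany.com conjur-master-3.mycompany.com > s1.tar
$ docker exec conjur evoke seed follower conjur-follower-9.mycompany.com conjur-master-3.mycompany.com > f1.tar
$ docker exec conjur evoke seed standby conjur-master-2.mycompany.com conjur-follower-1.mycompany.com > s2.tar
$ docker exec conjur evoke configure follower'

printf '%s\n' "$SAMPLE_RUNBOOK" | lint_seed_commands || true
```

Feed the real runbook to lint_seed_commands on stdin before starting the upgrade; a non-zero return means at least one seed line names a host or role that does not match the inventory.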