Upgrading Package Security Manager

This guide walks you through the process of upgrading your Package Security Manager installation to a newer version. Package Security Manager supports in-place upgrades, meaning you can upgrade while the software is running.

Verify system requirements

Ensure your environment meets the new version’s system requirements.

If upgrading your OS to RHEL 9, you must first switch from Docker to Podman.

Create backups

Create backups of the following files:

docker-compose.yml
.env

These contain your custom configurations and will be overwritten during the upgrade!

Open a terminal.
Log in to your Package Security Manager server.
Navigate to your Anaconda installer directory (ate-installer-*) by running the following command:
```
# Replace <INSTALLER_DIR> with your installer directory
cd <INSTALLER_DIR>
```
Start typing ate-installer- in your terminal, then press Tab to autocomplete the directory name.
Create a backup of the docker-compose.yml file by running the following command:
```
cp docker-compose.yml ../docker-compose.yml.backup
```

Verify service account permissions

If you are using Package Security Manager 6.1.6 or later, you can skip this step.

You must verify the correct permissions are set for the service account to prevent users from losing their assigned permissions:

Log in to your Keycloak admin panel at https://<YOUR_DOMAIN>/auth/admin.
Navigate to Clients and select repo-account-sync.
Select the Service Account Roles tab.
Open the Client Roles dropdown and select realm-management.
Add manage-users and manage-realm to the Assigned Roles.

Download the installer

Download the installer using the URL provided by Anaconda:

# Replace `<INSTALLER_LOCATION>` with the provided installer URL
curl -O <INSTALLER_LOCATION>

Run the upgrade

Choose the appropriate command based on your setup:

# Replace `<INSTALLER>` with the installer you just downloaded
# Replace `<PATH_TO_REPO_FOLDER>` with the path to your repository - the default path is /opt/anaconda/repo
# Replace `<FQDN>` with your fully qualified domain name
# Replace `<PREVIOUS_INSTALLER>` with the location of the previous installer file (where the docker-compose.yml is located)
bash `<INSTALLER>`  -- -b `<PATH_TO_REPO_FOLDER>` -d `<FQDN>` --upgrade-from ../`<PREVIOUS_INSTALLER>`

If your current version of Package Security Manager is utilizing Grafana, you must include the following argument in your upgrade. If you do not, you will lose access to your Grafana dashboards. Upgrading removes your previous version of Grafana.

--grafana-monitor-stack

Don’t forget to log in and update your password for your Grafana monitoring dashboards!

Once the upgrade is complete, run the following command to instruct Keycloak to allow HTTP traffic:

# Replace `<ADMIN_PASSWORD>` with the password used to log in to Keycloak as user "admin"
docker compose exec -T keycloak ./bin/kcadm.sh update realms/master -s sslRequired=NONE --server http://localhost:8080/auth --realm master --user admin --password `<ADMIN_PASSWORD>`

# Replace `<INSTALLER>` with the installer you just downloaded
# Replace `<PATH_TO_REPO_FOLDER>` with the path to your repository - the default path is /opt/anaconda/repo
# Replace `<FQDN>` with your fully qualified domain name
# Replace `<PREVIOUS_INSTALLER>` with the location of the previous installer file (where the docker-compose.yml is located)
bash `<INSTALLER>`  -- -b `<PATH_TO_REPO_FOLDER>` -d `<FQDN>` --upgrade-from ../`<PREVIOUS_INSTALLER>`

--grafana-monitor-stack

Don’t forget to log in and update your password for your Grafana monitoring dashboards!

Once the upgrade is complete, run the following command to instruct Keycloak to allow HTTP traffic:

# Replace `<ADMIN_PASSWORD>` with the password used to log in to Keycloak as user "admin"
docker compose exec -T keycloak ./bin/kcadm.sh update realms/master -s sslRequired=NONE --server http://localhost:8080/auth --realm master --user admin --password `<ADMIN_PASSWORD>`

If your setup uses HTTPS protocol, you’ll need to provide the TLS certificate and key in your installation command:

# Replace <INSTALLER> with the installer you just downloaded
# Replace <PATH_TO_REPO_FOLDER> with the path to your repository - the default path is /opt/anaconda/repo
# Replace <FQDN> with your fully qualified domain name
# Replace <PATH_TO_CERT> and <PATH_TO_KEY> with your TLS certificate and key paths
# Replace <PREVIOUS_DIR> with the location of the previous installation (where the docker-compose.yml is located)
bash <INSTALLER> -- -b <PATH_TO_REPO_FOLDER> --domain <FQDN> --tls-cert <PATH_TO_CERT> --tls-key <PATH_TO_KEY> --upgrade-from ../<PREVIOUS_INSTALLER>

--grafana-monitor-stack

Don’t forget to log in and update your password for your Grafana monitoring dashboards!

If your upgrade fails at this point, it is likely due to a permissions issue with your Redis cache. To complete the upgrade, reset permissions for your Redis cache and restart your containers by running the following commands:

docker compose down
chmod 644 "<BASE_INSTALL_DIR>/state/redis/data/dump.rdb"
docker compose up --detach

Restore configurations

If necessary, restore your custom configurations from the backup files you created when you began the upgrade process.

Additional considerations:

For upgrades to Package Security Manager 6.6.2 or later, see Upgrading Postgres.
To support artifacts larger than 3GB, see Increasing artifact upload size limit.
If using a custom implementation, verify that your docker-compose.yml and repo.conf (nginx configuration) files reflect the upgraded changes.

Package Security Manager (On-Prem)