Update to v25.06

Warning

Make a backup before performing the following steps.

Preparing for the Update

  1. Ensure that Docker Compose version 2 is installed:

    docker-compose version --short

    Upgrade if required. MITIGATOR no longer supports Docker Compose version 1.

  2. Remove elements unsupported by Docker Compose v2 from .env file:

    sed -e 's/\b\(docker-compose.yml\):\1/\1/' -i .env

  3. If using NVIDIA (Mellanox) network adapters update OFED to the latest version.

  4. Download metric migration script on all instances running ClickHouse:

    wget https://docs.mitigator.ru/master/kb/update2506/update2506.sql -O /srv/mitigator/update2506.sql

  5. Add MITIGATOR_PUBLIC_ADDRESS variable to .env file on all instances. To keep existing behavior, set it to the same value as MITIGATOR_HOST_ADDRESS.

    If MITIGATOR_HOST_ADDRESS is set to a domain name, replace it with IP address if possible, otherwise containers may lose connectivity in case of a DNS failure. MITIGATOR_PUBLIC_ADDRESS may be set to either a domain name or an IP address.

  6. Stop MITIGATOR:

    docker-compose down

  7. Change instance data ownership on all instances:

    chown -R 65534:65534 /var/lib/docker/volumes/mitigator_own_id/_data

  8. Remove obsolete web UI files on all instances:

    docker volume rm mitigator_frontend

Upgrading Mounted Custom Settings

If custom settings files for Postgres (postgresql.conf) or Nginx (nginx.conf) are mounted into containers, these files must be upgraded for use with new images.

Upgrading Postgres Custom Settings

Check that postgresql.conf is mounted:

docker-compose config | grep postgresql.conf

The following output lines indicate that postgresql.conf is mounted:

source: /srv/mitigator/postgresql.conf
target: /etc/postgresql/11/main/postgresql.conf

If there are no such lines in the output, postgresql.conf upgrade is not needed. If the path on the host differs from /srv/mitigator/postgresql.conf, adjust the path in the upgrade command below accordingly.

Upgrade postgresql.conf:

sed -e "/include '\/database_identifier'/d" -i /srv/mitigator/postgresql.conf

Upgrading Nginx Custom Settings

Check that nginx.conf is mounted:

docker-compose config | grep nginx.conf

The following output lines indicate that nginx.conf is mounted:

source: /srv/mitigator/nginx.conf
target: /etc/nginx/nginx.conf

If there are no such lines in the output, nginx.conf upgrade is not needed. If the path on the host differs from /srv/mitigator/nginx.conf, adjust the path in the upgrade command below accordingly.

Upgrade nginx.conf:

sed -e "/user www-data;/d" -e "s|pid /run/nginx.pid|pid /var/lib/nginx/nginx.pid|" -i /srv/mitigator/nginx.conf

Upgrading Custom HTTP(S) Settings

Check that mitigator.conf is mounted:

docker-compose config | grep mitigator.conf

The following output lines indicate that mitigator.conf is mounted:

source: /srv/mitigator/mitigator.conf
target: /etc/nginx/conf.d/mitigator.conf

If there are no such lines in the output, mitigator.conf upgrade is not needed. If the path on the host differs from /srv/mitigator/mitigator.conf, adjust the path in the upgrade command below accordingly.

Upgrade mitigator.conf:

sed -e 's/listen 80/listen 8000/' -e 's/listen 443/listen 8443/' -i /srv/mitigator/mitigator.conf

Correcting Access for HTTPS Key and Certificate

The following instruction is relevant when a custom HTTPS certificate is used for MITIGATOR access. Default settings specify the following files within the container: key from /etc/nginx/cert.key and certificate from /etc/nginx/cert.crt. If custom HTTP(S) settings specify different files, adjust the paths everywhere in this section.

Check that /etc/nginx/cert.key is mounted;

docker-compose config | grep /etc/nginx/cert.key

The following output lines indicate that cert.key is mounted:

source: /srv/mitigator/cert.key
target: /etc/nginx/cert.key

If there are no such lines in the output, access correction is not needed. If the key path on the host differs from /srv/mitigator/cert.key, adjust the path in the following commands. Likewise, adjust the certificate path /srv/mitigator/cert.crt if needed.

Change the key and certificate group ownership and permit reading to the group members:

chgrp 33 /srv/mitigator/cert.key /srv/mitigator/cert.crt && \
chmod g=r /srv/mitigator/cert.key /srv/mitigator/cert.crt

System Update

Info

After the system is updated and started, the database migration process begins. While the migration is in progress, the web interface will be unavailable. For large databases, this process can take a long time. You can track the completion of the migration by running the command:

docker-compose logs -f postgres | grep ready

There should be 2 entries in the grep results.

Update all MITIGATOR instances using standard update procedure.

Migrating Data after Update

Perform metric migration after starting MITIGATOR:

docker-compose exec -T clickhouse clickhouse-client -mn < update2506.sql && \
docker-compose restart carbon-clickhouse

Migration may take a while. DDoS-protection functions of MITIGATOR are fully operational while migrating data. Some graphs may not render during migration.

This command prints nothing if successful. Please report to the developers about any error printed.