Scenario A: Upgrade of Ubuntu 16.04 to Ubuntu 18.04
Scenario B: Fresh Ubuntu 18.04 Installaon
Troubleshoong
ii
Introducon
This document concerns upgrading of Paragon Acve Assurance Control Center from version 2.34 to a
later version.
The upgrade entails special procedures as it involves upgrading the Ubuntu OS from 16.04 to 18.04. The
document covers two scenarios:
• Upgrade of Ubuntu 16.04 (with Control Center installed) to Ubuntu 18.04.
• Fresh installaon of Ubuntu 18.04 followed by installaon of Control Center and transfer of backup
data from an old Control Center instance to the new instance.
For other upgrades, please refer to the Upgrade Guide.
1
Scenario A: Upgrade of Ubuntu 16.04 to Ubuntu
18.04
• Begin by disabling the apache2 and netrounds-callexecuter services:
sudo tar -czf ncc_openvpn.tar.gz /var/lib/netrounds/openvpn
# Note: Be sure to store these in a safe place.
# Back up RRD files (metrics data)
# Check the file size before compressing the RRDs. Use of the tar command is
not
# recommended if the RRDs are larger than 50 GB; see note below.
du -hs /var/lib/netrounds/rrd
sudo tar -czf ncc_rrd.tar.gz /var/lib/netrounds/rrd
2
NOTE: The pg_dump command will ask for a password which can be found in /etc/
netrounds/netrounds.conf under "postgres database". The default password is "netrounds".
NOTE: For a large-scale setup (> 50 GB), making a tarball of the RRD les might take too long,
and taking a snapshot of the volume can be a beer idea. Possible soluons for doing this
include: using a le system that supports snapshots, or taking a snapshot of the virtual volume
if the server is running in a virtual environment.
• Check the integrity of the database using the supplied script netrounds_2.35_validate_db.sh.
WARNING: If this script outputs warnings, do not aempt the database migraon
procedure described "below" on page 4. Contact Juniper support by ling a cket at
hps://support.juniper.net/support/requesng-support (supplying the output from the
script) to have the problems with the database resolved before you proceed with the
upgrade.
• Take backups of the Control Center conguraon les:
• Upgrade Ubuntu to version 18.04. A typical upgrade procedure is as follows (adapted from hps://
wiki.ubuntu.com/BionicBeaver/ReleaseNotes):
3
• To upgrade on a server system:
• Install update-manager-core if it is not already installed.
• Make sure the Prompt line in /etc/update-manager/release-upgrades is set to 'lts' (to ensure
that the OS is upgraded to the 18.04, the next LTS version aer 16.04).
• Launch the upgrade tool with the command sudo do-release-upgrade.
• Follow the on-screen instrucons. As far as Paragon Acve Assurance is concerned, you can
keep the defaults throughout. (It may of course happen that you need to make dierent
choices for reasons unrelated to Paragon Acve Assurance.)
• Once Ubuntu has been upgraded, reboot the system. Then perform the following steps:
• Upgrade PostgreSQL.
• Update PostgreSQL database les from version 9.5 to version 10:
sudo pg_dropcluster 10 main --stop # Shut down server and completely
delete cluster# "main" version 10 (this prepares for the upgrade# in the
next command)
sudo pg_upgradecluster 9.5 main # Upgrade cluster "main" version 9.5
to latest# available version (10)
sudo pg_dropcluster 9.5 main # Completely delete cluster "main"
• Compute the checksum for the tarball containing the new Control Center version and verify that
it is equal to the SHA256 checksum provided on the download page:
sha256sum paa-control-center_${CC_VERSION}.tar.gz
• Unpack the Control Center tarball:
export CC_VERSION=<enter new version here>
tar -xzf netrounds-control-center_${CC_VERSION}.tar.gz
• Compare the previously backed-up conguraonles with the newly installed ones, and manually
merge the contents of the two sets of les (they should remain in the same locaons).
• Enable the apache2, kaa, and netrounds-callexecuter services:
sudo tar -czf ncc_openvpn.tar.gz /var/lib/netrounds/openvpn
# Note: Be sure to store these in a safe place.
# Back up RRD files (metrics data)
# Check the file size before compressing the RRDs. Use of the tar command is
not
# recommended if the RRDs are larger than 50 GB; see note below.
du -hs /var/lib/netrounds/rrd
sudo tar -czf ncc_rrd.tar.gz /var/lib/netrounds/rrd
NOTE: The pg_dump command will ask for a password which can be found in /etc/
netrounds/netrounds.conf under "postgres database". The default password is "netrounds".
NOTE: For a large-scale setup (> 50 GB), making a tarball of the RRD les might take too long,
and taking a snapshot of the volume can be a beer idea. Possible soluons for doing this
include: using a le system that supports snapshots, or taking a snapshot of the virtual volume
if the server is running in a virtual environment.
• On the Ubuntu 16.04 instance, take backups of the Control Center conguraon les:
As far as Paragon Acve Assurance is concerned, you can keep the defaults throughout. (It may of
course happen that you need to make dierent choices for reasons unrelated to Paragon Acve
Assurance.)
• Once Ubuntu 18.04 is installed, reboot the system.
• The following disk paroning is recommended, especially for snapshot backups (but it is up to
you as a user to decide):
• Recommended paroning for lab setup:
• /: Whole disk, ext4.
• Recommended paroning for producon setup:
• /: 10% of disk space, ext4.
• /var: 10% of disk space, ext4.
• /var/lib/netrounds/rrd: 80% of disk space, ext4.
• No encrypon
• Set the me zone to UTC, for example as follows:
sudo timedatectl set-timezone Etc/UTC
• Set all locales to en_US.UTF-8.
• One way to do this is to manually edit the le/etc/default/locale. Example:
LANG=en_US.UTF-8
LC_ALL=en_US.UTF-8
LANGUAGE=en_US.UTF-8
• Make sure the following line is NOT commented out in the /etc/locale.gen:
en_US.UTF-8 UTF-8
9
• Regenerate the locale les to make sure the selected language is available:
sudo apt-get install locales
sudo locale-gen
• Make sure that trac on the following ports are allowed to and from Control Center:
• Inbound:
• TCP port 443 (HTTPS): Web interface
• TCP port 80 (HTTP): Web interface (used by Speedtest, redirects other URLs to HTTPS)
• TCP port 830: ConfD (oponal)
• TCP port 6000: Encrypted OpenVPN connecon for Test Agent Appliances
• TCP port 6800: Encrypted WebSocket connecon for Test Agent Applicaons
• Outbound:
• TCP port 25 (SMTP): Mail delivery
• UDP port 162 (SNMP): Sending SNMP traps for alarms
• UDP port 123 (NTP): Time synchronizaon
• Install NTP:
• First disable medatectl:
sudo timedatectl set-ntp no
• Run this command:
timedatectl
and verify that
systemd-timesyncd.service active: no
• Now you can run the NTP installaon:
10
sudo apt-get install ntp
• Make sure that the congured NTP servers are reachable:
ntpq -np
The output should normally be "all ones" expressed in octal.
1
• Install PostgreSQL and set up a user for Control Center:
sudo apt-get update
sudo apt-get install postgresql
sudo -u postgres psql -c "CREATE ROLE netrounds WITH ENCRYPTED PASSWORD
'netrounds' SUPERUSER LOGIN;"
1
In the output, the "reach" value for the NTP servers is an octal value indicang the outcome of the
last eight NTP transacons. If all eight were successful, the value will be octal 377 (= binary
0b11111111). However, when you have just installed NTP, it is likely that fewer than eight NTP
transacons have occurred, so that the value will be smaller: one of 1, 3, 7, 17, 37, 77, or 177 if all
transacons were successful.
Using an external PostgreSQL server is not recommended.
• Install and congure an email server.
• Control Center will send emails to users:
• when they are invited to an account,
• when sending email alarms (i.e. if email rather than SNMP is used for this purpose), and
• when sending periodic reports.
• Run the command
sudo apt-get install postfix
11
• For a simple setup where postx can send directly to the desnaon email server, you can set
General type of mail conguraon to "Internet Site", and System mail name can usually be le asis. Otherwise, postx needs to be congured according to the environment. For guidance, refer to
the ocial Ubuntu documentaon at hps://help.ubuntu.com/lts/serverguide/postx.html.
• Install Control Center on the Ubuntu 18.04 instance.
This procedure also installs the Paragon Acve Assurance REST API.
export CC_VERSION=<enter new version here>
# Compute the checksum for the tar file and verify that it is equal to the
SHA256
# checksum provided on the download page
sha256sum paa-control-center_${CC_VERSION}.tar.gz
# Unpack the tarball
tar -xzf netrounds-control-center_${CC_VERSION}.tar.gz
NOTE: This is a sensive command, and care should be taken when execung it on a remote
machine. In such a scenario it is strongly recommended that you use a program like screen or
tmux so that the migrate command will connue running even if the ssh session breaks.
12
sudo ncc migrate
The ncc migrate command takes considerable me to execute (many minutes). It should print the
following (details omied below):
Migrating database...
Operations to perform:
<...>
Synchronizing apps without migrations:
<...>
Running migrations:
<...>
Creating cache table...
<...>
Syncing test scripts...
<Updating script ...>
• Transfer the backup data to the 18.04 instance using scp or some other tool.
• Restore the OpenVPN keys:
# Remove any existing OpenVPN keys
sudo rm -rf /var/lib/netrounds/openvpn
# Unpack the backed-up keys
sudo tar -xzf ncc_openvpn.tar.gz -C /
• Restore RRD data:
# Remove any existing RRDs
sudo rm -rf /var/lib/netrounds/rrd
# Unpack the backed-up RRDs
sudo tar -xzf ncc_rrd.tar.gz -C /
• Compare the backed-up conguraon les with the newly installed ones, and manually merge the
contents of the two sets of les (they should remain in the same locaons).
• Acvate the product license using the license le taken from the old instance:
Follow the NETCONF & YANG API Orchestraon Guide to install and congure ConfD if
you need it.
14
Troubleshoong
IN THIS SECTION
Problems Starng ConfD | 14
Problems Starng callexecuter | 15
Web Server Does Not Respond | 16
Restarng of Paragon Acve Assurance Services Fails | 17
Problems Starng ConfD
If you have problems starng ConfD aer the upgrade, please contact your Juniper partner or your local
Juniper account manager or sales representave in order to get a new subscripon.
Problems Starng callexecuter
Check the callexecuter logs with the command
sudo journalctl -xeu netrounds-callexecuter
You may see an error like the following:
Jun 03 09:53:27 myhost django-admin[6290]: ERROR netrounds.manager.callexecuter
Unhandled exception in CallExecuter.run [name=netrounds.manager.callexecuter,
thread=140364632504128, process=8238, funcName=handle, le
Jun 03 09:53:27 myhost django-admin[6290]: Traceback (most recent call last):
Jun 03 09:53:27 myhost django-admin[6290]: File "debian/tmp/usr/lib/python2.7/
dist-packages/netrounds/manager/management/commands/runcallexecuter.py", line
65, in handle
Jun 03 09:53:27 myhost django-admin[6290]: File "debian/tmp/usr/lib/python2.7/
dist-packages/netrounds/manager/calldispatcher.py", line 164, in run
Jun 03 09:53:27 myhost django-admin[6290]: File "debian/tmp/usr/lib/python2.7/
dist-packages/netrounds/manager/models.py", line 204, inwait
Jun 03 09:53:27 myhost django-admin[6290]: File "debian/tmp/usr/lib/python2.7/
dist-packages/netrounds/manager/models.py", line 42, in __unicode__
Jun 03 09:53:27 myhost django-admin[6290]: AttributeError: 'unicode' object has
no attribute 'iteritems'
15
What has happened is that the netrounds-callexecuter*.deb package was upgraded without making
sure the netrounds-callexecuter systemd service was stopped and disabled. The database is in the
wrong state; it needs to be restored from backup, and the upgrade needs to be repeated.
Do as follows to disable and stop the netrounds-callexecuter service:
sudo systemctl disable netrounds-callexecuter
sudo systemctl stop netrounds-callexecuter
Web Server Does Not Respond
Check the apache logs with the command
tail -n 50 /var/log/apache2/netrounds_error.log
If you see the following error, it means that Control Center version 2.34 is running on Ubuntu 18.04,
that is, Control Center has not been successfully upgraded. The soluon is to upgrade Control Center to
a later version as described in this document.
Failed to start netrounds-agent-ws-server.service: Unit netrounds-agent-ws-
server.service is masked.
Failed to start netrounds-agent-daemon.service: Unit netrounds-agent-
daemon.service is masked.
This means that the services menoned have been masked in the course of the package removal process
and require manual cleanup. The cleanup procedure is shown below: