Upgrading Anchore Enterprise
Upgrading from one minor version of Anchore Enterprise to another is normally handled seamlessly by the Helm chart or an upsert of your Docker Compose configuration which are both supplied with each release. Those follow the general methods from this doc page, however for some major releases there are Specific Instructions which you may have to review.
To retrieve the current version of Anchore Enterprise the anchorectl system status command can be run, and the output will have a column titled “CODE VERSION”, which will display the running version of each service. You can also login to the Anchore Enterprise Web UI and find the version details in the top bar.
Upgrade Procedure
Prior to upgrading Anchore Enterprise, it is highly recommended to first review the Anchore Enterprise Release Notes and review the entire doc with particular attention on the ‘Recommended Component Versions’ as well as the ‘Requirements’ sections.
The ‘Requirements’ section shares important notices and/or DB schema changes and any possible suggested downtime needed for schema and/or data changes.
The ‘Recommended Component Versions’ section details the supported versions of integration tooling like AnchoreCTL, this might require further upgrades of other software components across your environment to maintain compatibility with the core Anchore Enterprise service.
When you are ready to perform an upgrade, we recommend, as a best practice, that you first Backup/snapshot your Database. When backing up, you must first stop your Anchore Enterprise services/deployment so that all services have completed their writes. We also highly recommend you test upgrades in a QA/Test environment first.
Please note, there is no automatic downgrade capability, thus the only way to downgrade after an upgrade (whether it succeeds or fails) is to restore your database contents to a state from a prior version of Anchore Enterprise, and explicitly run the compatible version of Anchore Enterprise against the corresponding database version.
☸️ Kubernetes (Helm) Upgrade Procedure
A Helm pre-upgrade hook initiates a Kubernetes job that scales down all active Anchore Enterprise pods and handles the Anchore Enterprise database upgrade.
The Helm upgrade is marked as successful only upon the job’s completion. This process causes the Helm client to pause until the job finishes and new Anchore Enterprise pods are initiated. To monitor the upgrade, follow the logs of the upgrade jobs. These jobs are automatically removed after a subsequent successful Helm upgrade.
An optional post-upgrade hook is available to perform Anchore Enterprise upgrades without forcing all pods to terminate prior to running the upgrade. This is the same upgrade behavior that was enabled by default in the legacy anchore-engine chart. To enable the post-upgrade hook, set upgradeJob.usePostUpgradeHook=true in your values file.
View both the Helm Chart Release Notes for any necessary steps prior to upgrading and also review the Anchore Enterprise Release Notes
Update the Helm repository to get the latest chart version.
helm repo updateUpgrade Anchore Enterprise using the Helm chart.
export NAMESPACE=anchore export RELEASE=my-release helm upgrade ${RELEASE} -n ${NAMESPACE} anchore/enterprise -f anchore_values.yamlReview the helm upgrade command output
Once upgraded, you can review the new state of your Anchore Enterprise install to verify the new version is running using the regular system status command.
anchorectl system status
🐳 Docker Compose Upgrade Procedure
View the Anchore Enterprise Release Notes
First review the ’name’ and volume(s) used in your new compose file. Failure to match these to your existing deployment and older Compose file will result in a new/clean deployment rather than an upgrade.
Stop all running instances of Anchore
docker compose downMake a copy of your original docker-compose.yaml file as backup
cp docker-compose.yaml docker.compose.yaml.backupDownload the latest docker-compose.yaml
curl https://docs.anchore.com/current/docs/deployment/docker_compose/docker-compose.yaml > docker-compose.yamlReview the latest docker-compose.yaml and merge any edits/changes from your original docker-compose.yaml.backup to the latest docker-compose.yaml
Restart the Anchore containers
docker compose up -dTo monitor the progress of your upgrade, you can watch the docker logs from your catalog container, where you should see some initial output indicating whether or not an upgrade is needed or being performed, followed by the regular Anchore log output.
docker compose logs -f catalogOnce upgraded, you can review the new state of your Anchore Enterprise install to verify the new version is running using the regular system status command.
anchorectl system status
🚧 Manual Upgrade Procedure
If for any reason the automated upgrade fails, or you would like to perform the upgrade of the anchore database manually, you can use the following (general) procedure. This should only be done by advanced operators after backing up the anchore database, ensuring that the anchore database is up and running, and that all running anchore components are stopped.
- Install the desired Anchore container manually.
- Run the Anchore container but override the entrypoint to run an interactive shell instead of the default ‘anchore-manager service start’ entrypoint command.
- Manually execute the database upgrade command, using the appropriate db_connect string. For example, if using Postgres, the db_connect string will look like
postgresql://$ANCHORE_DB_HOST/$ANCHORE_DB_NAME?user=$ANCHORE_DB_USER&password=$ANCHORE_DB_PASSWORD
$ anchore-manager db --db-connect "postgresql://$ANCHORE_DB_HOST/$ANCHORE_DB_NAME?user=$ANCHORE_DB_USER&password=$ANCHORE_DB_PASSWORD" upgrade
#Output
[MainThread] [anchore_manager.cli.utils/connect_database()] [INFO] DB params: {"db_connect_args": {"timeout": 86400, "ssl": false}, "db_pool_size": 30, "db_pool_max_overflow": 100}
[MainThread] [anchore_manager.cli.utils/connect_database()] [INFO] DB connection configured: True
[MainThread] [anchore_manager.cli.utils/connect_database()] [INFO] DB attempting to connect...
[MainThread] [anchore_manager.cli.utils/connect_database()] [INFO] DB connected: True
...
...
- The output will indicate whether or not a database upgrade is needed. It will then prompt for confirmation if it is, and will display upgrade progress output before completing.
Specific Version Upgrades
This section is intended as a guide for any special instructions and information related to upgrading to specific versions of Enterprise.