Applying the fix pack
Use these instructions if you have already installed or upgraded IBM Support for Hyperledger Fabric and want to apply the latest fix pack. Fix packs are cumulative, which means they include all fixes from previous fix packs. Fix packs contain important bug fixes and should be applied to your network as soon as possible.
You can use these steps if you deployed the platform on Kubernetes, such as open source Kubernetes or a Kubernetes distribution like Rancher. If you have multiple networks deployed on your cluster, you will need to repeat steps 3-5 to update each network because they run on separate namespaces. If you experience any problems, use the instructions for rolling back the fix pack installation. You can install the fix pack without disrupting a running network. However, you cannot use the console to deploy new nodes, deploy smart contracts, or create new channels during the process.
You can install the fix pack by updating the IBM Support for Hyperledger Fabric deployment on your Kubernetes cluster to pull the latest images. You can apply the fix pack by using the following steps:
- Update the fabproxy
- Update the webhook
- Update the Hyperledger Fabric operator
- Update the Hyperledger Fabric version
- Update your blockchain nodes
What the fix pack contains
The fix pack is cumulative and contains any security patches for the Fabric images and miscellaneous bug fixes. See the Release notes for details.
Log in to your cluster
Before you can complete the next steps, you need to log in to your cluster by using the kubectl CLI. Follow the instructions for logging in to your cluster.
Step one: Update the fabproxy image
If this environment was migrated from IBM Support for Hyperledger Fabric, then run the following command to update the fabproxy component in the ibpinfra namespace.
kubectl -n ibpinfra set image deploy proxy-fabproxy fabproxy=icr.io/cpopen/ibm-hlfsupport/ibm-hlfsupport-fabproxy:1.0.9-20260122-amd64
Step two: Update the webhook
Update the webhook that you created when you initially deployed or upgraded the blockchain service. Run the following commands to update the webhook in the ibm-hlfsupport-infra namespace or project:
kubectl patch deploy/ibm-hlfsupport-webhook -n ibm-hlfsupport-infra --type='json' -p='[{"op": "add", "path": "/spec/template/spec/containers/0/securityContext/seccompProfile", "value":{"type":"RuntimeDefault"}}]'
kubectl set image deploy/ibm-hlfsupport-webhook -n ibm-hlfsupport-infra ibm-hlfsupport-webhook=icr.io/cpopen/ibm-hlfsupport-crdwebhook:1.0.9-20260122-amd64
When the webhook update is successful, you see something similar to:
deployment.apps/ibm-hlfsupport-webhook image updated
Before you proceed with the next step, wait for the webhook to restart by running the following command:
kubectl get po -n ibm-hlfsupport-infra -w | grep ibm-hlfsupport-webhook
When the webhook is successfully restarted, it looks similar to:
NAME                                      READY   STATUS    RESTARTS   AGE
ibm-hlfsupport-webhook-5fd96f6c7d-gpwhr   1/1     Running   0          1m
Step three: Update the Hyperledger Fabric operator
Run the following command to download the operator deployment spec to your local file system. The default name of the operator deployment is ibm-hlfsupport-operator. If you changed the name during the deployment process, you can use the kubectl get deployment -n <namespace> command to get the name of the deployments on your namespace. Replace <namespace> with the name of your namespace or OpenShift project:
kubectl set image deploy/ibm-hlfsupport-operator -n <namespace> ibm-hlfsupport-operator=icr.io/cpopen/ibm-hlfsupport-operator:1.0.9-20260122-amd64
After you update the operator, it will restart and pull the latest operator image. While the operator is restarting, you can still access your console UI. However, you cannot use the console to deploy smart contracts, or use the console or the APIs to create or remove a node.
Verify that the operator was successfully updated by running the command:
kubectl get deployment ibm-hlfsupport-operator -n <namespace>
When the upgrade is successful, the output looks similar to:
NAME                      READY   UP-TO-DATE   AVAILABLE   AGE
ibm-hlfsupport-operator   1/1     1            1           1m
If you experience a problem while you are updating the operator, go to this troubleshooting topic for a list of commonly encountered problems.
Step four: Update the Hyperledger Fabric version
Update the Hyperledger Fabric version by running the commands below, which update the console to use the latest Fabric images and versions.
NAMESPACE=[IBP COMPONENTS NAMESPACE]
CONSOLE_SPEC=$(kubectl get ibpconsoles.ibp.com --no-headers -n $NAMESPACE | awk '{print $1}')
kubectl delete cm ${CONSOLE_SPEC}-console ${CONSOLE_SPEC}-deployer -n $NAMESPACE
kubectl rollout restart deploy ${CONSOLE_SPEC} -n $NAMESPACE
Review the console-deployer configmap to verify that all images and versions have been upgraded and the registry URLs are pointing to the cpopen registry icr.io/cpopen/ibm-hlfsupport by running the following command:
kubectl get cm ${CONSOLE_SPEC}-deployer -n $NAMESPACE -o yaml
The versions section of the console-deployer configmap should look similar to the following example:
usetags: true
versions:
  ca:
    1.5.16-1:
      default: true
      image:
        caDigest: sha256:74b44d8dca1ea8df760ee7ed3b6d8b6a858a0f7793601677d847f6ed2464e4b3
        caImage: icr.io/cpopen/ibm-hlfsupport/ibm-hlfsupport-ca
        caInitDigest: sha256:675a92556aebd06d276f24c5e72adc183d93839b3c251bf8e7fa6888ed6e708f
        caInitImage: icr.io/cpopen/ibm-hlfsupport/ibm-hlfsupport-init
        caInitTag: 1.0.9-20260122-amd64
        caTag: 1.5.16-20260122-amd64
        enrollerDigest: sha256:504e3bf7250decae14479ad76b271cae1855181e597e66885131505590a321a8
        enrollerImage: icr.io/cpopen/ibm-hlfsupport/ibm-hlfsupport-enroller
        enrollerTag: 1.0.9-20260122-amd64
      version: 1.5.16-1
  orderer:
    2.5.12-6:
      default: true
      image:
        enrollerDigest: sha256:504e3bf7250decae14479ad76b271cae1855181e597e66885131505590a321a8
        enrollerImage: icr.io/cpopen/ibm-hlfsupport/ibm-hlfsupport-enroller
        enrollerTag: 1.0.9-20260122-amd64
        grpcwebDigest: sha256:404bf6e0e707540ad9ecf2ea03eeec4609642a71c13f3863041caa19bf0078dc
        grpcwebImage: icr.io/cpopen/ibm-hlfsupport/ibm-hlfsupport-grpcweb
        grpcwebTag: 1.0.9-20260122-amd64
        ordererDigest: sha256:a0941c96e92b510fcbd853c1c8f00e10efcffc0f2f0a5afc50f648fe5ddf4db9
        ordererImage: icr.io/cpopen/ibm-hlfsupport/ibm-hlfsupport-orderer
        ordererInitDigest: sha256:675a92556aebd06d276f24c5e72adc183d93839b3c251bf8e7fa6888ed6e708f
        ordererInitImage: icr.io/cpopen/ibm-hlfsupport/ibm-hlfsupport-init
        ordererInitTag: 1.0.9-20260122-amd64
        ordererTag: 2.5.12-20260122-amd64
      version: 2.5.12-6
  peer:
    2.5.12-6:
      default: true
      image:
        builderDigest: sha256:3d2fbd740afd0ad35d8d08318af493e9d5754b77fdbc29a4e9d2b60971bb9922
        builderImage: icr.io/cpopen/ibm-hlfsupport/ibm-hlfsupport-ccenv
        builderTag: 2.5.12-20260122-amd64
        chaincodeLauncherDigest: sha256:84ad99ff8b1d3d7e2ed17750275a1e7cabb31f6ebc47db30cf95eccb80ef5abf
        chaincodeLauncherImage: icr.io/cpopen/ibm-hlfsupport/ibm-hlfsupport-chaincode-launcher
        chaincodeLauncherTag: 2.5.12-20260122-amd64
        couchdbDigest: sha256:54f580b5b75aa6ad0de06795c2514bb9d875ff9d71090479cfc955d621de1294
        couchdbImage: icr.io/cpopen/ibm-hlfsupport/ibm-hlfsupport-couchdb
        couchdbTag: 3.4.2-20260122-amd64
        enrollerDigest: sha256:504e3bf7250decae14479ad76b271cae1855181e597e66885131505590a321a8
        enrollerImage: icr.io/cpopen/ibm-hlfsupport/ibm-hlfsupport-enroller
        enrollerTag: 1.0.9-20260122-amd64
        goEnvDigest: sha256:6bc6cae26bec2781ce60460e176f35544ad54c09bb2bfb61583f2a61ef48a374
        goEnvImage: icr.io/cpopen/ibm-hlfsupport/ibm-hlfsupport-goenv
        goEnvTag: 2.5.12-20260122-amd64
        grpcwebDigest: sha256:404bf6e0e707540ad9ecf2ea03eeec4609642a71c13f3863041caa19bf0078dc
        grpcwebImage: icr.io/cpopen/ibm-hlfsupport/ibm-hlfsupport-grpcweb
        grpcwebTag: 1.0.9-20260122-amd64
        javaEnvDigest: sha256:48d30ddf6d17fef6806f9bb58512fc11162dc344ddb3227ddbc2f8314779f559
        javaEnvImage: icr.io/cpopen/ibm-hlfsupport/ibm-hlfsupport-javaenv
        javaEnvTag: 2.5.12-20260122-amd64
        nodeEnvDigest: sha256:b26eb4df1aaa862ec610ff6dc05780ad7ddef7a969ffc9330b3e0b2c0259cb96
        nodeEnvImage: icr.io/cpopen/ibm-hlfsupport/ibm-hlfsupport-nodeenv
        nodeEnvTag: 2.5.12-20260122-amd64
        peerDigest: sha256:9ddc68c7f1f406dce96266b1744996772423daef811f1b3a6ce54303c3bb3431
        peerImage: icr.io/cpopen/ibm-hlfsupport/ibm-hlfsupport-peer
        peerInitDigest: sha256:675a92556aebd06d276f24c5e72adc183d93839b3c251bf8e7fa6888ed6e708f
        peerInitImage: icr.io/cpopen/ibm-hlfsupport/ibm-hlfsupport-init
        peerInitTag: 1.0.9-20260122-amd64
        peerTag: 2.5.12-20260122-amd64
      version: 2.5.12-6
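The review of the console-deployer configmap in step four can be scripted rather than read by eye. The following is an added example, not part of the IBM procedure: it flags any image that is not under the cpopen registry, any tag without this fix pack's build stamp, and any malformed digest. The function names, the finding labels, and the assumption that the configmap keeps one "key: value" pair per line are illustrative.

```shell
#!/bin/sh
# Added example: audit image fields in the console-deployer configmap YAML.
EXPECTED_REGISTRY="icr.io/cpopen/ibm-hlfsupport/"  # registry named on this page
EXPECTED_STAMP="20260122"                          # build stamp in this page's tags

# Reads configmap YAML on stdin and prints one finding per line.
# Returns 0 when every field passes, 1 on any finding or if no fields were seen.
audit_deployer_versions() {
  awk -v reg="$EXPECTED_REGISTRY" -v stamp="$EXPECTED_STAMP" '
    $1 ~ /^[A-Za-z]+(Image|Tag|Digest):$/ {
      key = $1; sub(/:$/, "", key); val = $2; seen++
      if (key ~ /Image$/ && index(val, reg) != 1) {
        print "BAD_REGISTRY " key " " val; bad++
      } else if (key ~ /Tag$/ && index(val, "-" stamp "-") == 0) {
        print "STALE_TAG " key " " val; bad++
      } else if (key ~ /Digest$/ &&
                 (length(val) != 71 || val !~ /^sha256:[0-9a-f]+$/)) {
        print "BAD_DIGEST " key " " val; bad++
      }
    }
    END {
      if (seen == 0) { print "NO_IMAGE_FIELDS"; exit 1 }
      exit (bad > 0 ? 1 : 0)
    }'
}

# Constructed sample: the ca entries match this page, the peer entries are
# deliberately wrong (made-up registry, older stamp, truncated digest).
constructed_sample() {
  cat <<'EOF'
versions:
  ca:
    1.5.16-1:
      image:
        caDigest: sha256:74b44d8dca1ea8df760ee7ed3b6d8b6a858a0f7793601677d847f6ed2464e4b3
        caImage: icr.io/cpopen/ibm-hlfsupport/ibm-hlfsupport-ca
        caTag: 1.5.16-20260122-amd64
  peer:
    2.5.12-6:
      image:
        peerDigest: sha256:deadbeef
        peerImage: registry.example.test/old/ibm-hlfsupport-peer
        peerTag: 2.5.12-20250101-amd64
EOF
}

constructed_sample | audit_deployer_versions || echo "configmap needs review"
# Live use, with the variables set in step four:
#   kubectl get cm "${CONSOLE_SPEC}-deployer" -n "$NAMESPACE" -o yaml | audit_deployer_versions
```

A non-zero return means at least one node type would still be deployed from an image outside the fix pack, so resolve the findings before upgrading nodes in step five.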
Step five: Apply fixes to your blockchain nodes
Use your console UI to update the nodes in your blockchain network. Browse to the console UI and open the nodes overview tab. To upgrade a node, open the node tile and click the Upgrade available button. You cannot upgrade nodes that you imported to the console.
Apply upgrades to nodes one at a time. Your nodes are unavailable to process requests or transactions while the patch is being applied. Therefore, to avoid any disruption of service, you need to ensure that another node of the same type is available to process requests whenever possible. Installing upgrades on a node takes about a minute to complete and when it is complete, the node is ready to process requests.
Rolling back the fix pack installation
When you apply the fix pack to your operator, it saves the secrets, deployment spec, and network information of your deployment before it restarts and attempts to apply the fixes to the console. If the fix pack installation fails for any reason, IBM Support can roll back your upgrade and restore your previous deployment by using the information on your cluster. If you need to roll back your upgrade, you can submit a support case from the support page.
You can roll back an upgrade after you use the console to operate your network. However, after you use the console to upgrade your blockchain nodes, you can no longer roll back your console to a previous version of the platform.