Upgrading from IBM Cloud Pak for Data Version 4.5 to Version 4.6

A Red Hat® OpenShift® Container Platform cluster administrator and project administrator can work together to prepare the cluster and upgrade IBM Cloud Pak for Data from Version 4.5 to Version 4.6.

Your Cloud Pak for Data deployment will be unavailable during the upgrade.

Before you begin

Before you upgrade Cloud Pak for Data:
  1. If you are upgrading to Cloud Pak for Data 4.6.3, ensure that you are running Red Hat OpenShift Container Platform Version 4.10, which is supported by Cloud Pak for Data Version 4.5 and Cloud Pak for Data Version 4.6.3.
  2. Review the information in the Planning section.

    Specifically, ensure that you review the System requirements. Your cluster must have sufficient resources.

  3. Ensure that you have a copy of the script that defines the installation environment variables for your deployment.
    Remember: The script enables you to run most of the installation and upgrade commands without modifying them.
  4. Determine which install plan the IBM Cloud Pak foundational services operators and Cloud Pak for Data operators are using:
    oc get installplan
    • If the install plan approval is Automatic, you can proceed to the next step.
    • If the install plan approval is Manual, review the following options:
      Option: Change the install plan to Automatic (recommended)
      Details: It is strongly recommended that you change the install plan for the IBM Cloud Pak foundational services operators and Cloud Pak for Data operators to Automatic. This enables the cpd-cli manage commands to seamlessly update the operators.

      To update the install plan for the operators:

      1. For the IBM Cloud Pak foundational services operators, see the Changing approval strategy from Manual to Automatic in the IBM Cloud Pak foundational services documentation.
      2. For the Cloud Pak for Data operators, update the install plans for each operator through the Red Hat OpenShift Container Platform console. Open each subscription, view the subscription details, and edit the Update approval setting. For a list of the Cloud Pak for Data operators, see Creating operator subscriptions in the IBM Cloud Pak for Data Version 4.0 documentation.
      Important: Ensure that the install plans of all the operators in the ${PROJECT_CPFS_OPS} project and the ${PROJECT_CPD_OPS} project are set to Automatic. If any of the install plans are set to Manual, Operator Lifecycle Manager (OLM) will automatically update the install plans to Manual when you run the cpd-cli manage apply-olm command.

      Option: Leave the install plan as Manual
      Details: You can optionally leave the install plan for the IBM Cloud Pak foundational services operators and Cloud Pak for Data operators as Manual.
      Important: If you choose this option, you must watch the install plans and manually approve them during the upgrade to ensure that the cpd-cli manage apply-olm commands complete successfully.

      Additionally, you must repeat this process each time that you upgrade the operators to a newer release.

      Run the appropriate commands based on where your operators are installed:

      The IBM Cloud Pak foundational services operators and Cloud Pak for Data operators are installed in the same project (express installation)
      1. After you run the cpd-cli manage apply-olm command, open a new terminal window.
      2. Run the following command to watch the project where the operators are installed:
        watch oc get installplan -n ${PROJECT_CPFS_OPS}
      3. Manually approve each install plan as it is created.
      The IBM Cloud Pak foundational services operators and Cloud Pak for Data operators are installed in different projects (specialized installation)
      1. After you run the cpd-cli manage apply-olm command, open two new terminal windows.
      2. In the first terminal window, run the following command to watch the project where the IBM Cloud Pak foundational services operators are installed:
        watch oc get installplan -n ${PROJECT_CPFS_OPS}
      3. In the second terminal window, run the following command to watch the project where the Cloud Pak for Data operators are installed:
        watch oc get installplan -n ${PROJECT_CPD_OPS}
      4. Manually approve each install plan as it is created by setting spec.approved to true.
  5. If you have any of the following services on your cluster, check for expired or expiring SSL certificates:

    Db2

    Repeat the following steps for each Db2 database instance associated with this installation of Cloud Pak for Data:

    1. Get the name of each instance of Db2U that is associated with this installation of Cloud Pak for Data:
      oc get db2u -n=${PROJECT_CPD_INSTANCE}
    2. Set the DB2U_NAME environment variable to the name of the Db2 database instance to check:
      export DB2U_NAME=<db2oltp-id>
    3. Run the following command to determine when the certificate expires:
      oc -n=${PROJECT_CPD_INSTANCE} exec -it c-${DB2U_NAME}-db2u-0 -- /bin/su - db2inst1 -c 'cd /mnt/blumeta0/db2/ssl_keystore;gsk8capicmd_64 -cert -details -db bludb_ssl.kdb -stashed -label CN=zen-ca-cert | grep "Not After"'

      The command returns output with the following format:

      Not After : September 12, 2023 7:44:34 AM GMT+00:00
    4. If the date is in the past or in the near future, update the certificate by following the guidance in Updating the Db2 SSL certificate.

    Db2 Big SQL

    Repeat the following steps for each Db2 Big SQL service instance associated with this installation of Cloud Pak for Data:

    1. Run the following command to get the IDs of the Db2 Big SQL service instances associated with this installation of Cloud Pak for Data:
      oc get -A cm \
      -n=${PROJECT_CPD_INSTANCE} \
      -l component=db2bigsql \
      -o custom-columns="Instance Id:{.data.instance_id},Instance Name:{.data.instance_name},Created:{.metadata.creationTimestamp}"
    2. Set the BIG_SQL_ID environment variable to the name of the Db2 Big SQL service instance to check:
      export BIG_SQL_ID=<bigsql-id>
    3. Get the name of the head pod for the Db2 Big SQL service instance:
      HEAD_POD=$(oc get pod -n=${PROJECT_CPD_INSTANCE} -l app=bigsql-${BIG_SQL_ID},name=dashmpp-head-0 --no-headers=true -o=custom-columns=NAME:.metadata.name)
    4. Run the following command to determine when the certificate expires:
      oc -n=${PROJECT_CPD_INSTANCE} exec -it ${HEAD_POD} -- /bin/su - db2inst1 -c 'cd /mnt/blumeta0/db2/ssl_keystore;gsk8capicmd_64 -cert -details -db bludb_ssl.kdb -stashed -label CN=zen-ca-cert | grep "Not After"'

      The command returns output with the following format:

      Not After : September 12, 2023 7:44:34 AM GMT+00:00
    5. If the date is in the past or in the near future, update the certificate by following the guidance in Refreshing the SSL certificate used by Db2 Big SQL.

    Db2 Warehouse

    Repeat the following steps for each Db2 Warehouse database instance associated with this installation of Cloud Pak for Data:

    1. Get the name of each instance of Db2U that is associated with this installation of Cloud Pak for Data:
      oc get db2u -n=${PROJECT_CPD_INSTANCE}
    2. Set the DB2U_NAME environment variable to the name of the Db2 Warehouse database instance to check:
      export DB2U_NAME=<db2wh-id>
    3. Run the following command to determine when the certificate expires:
      oc -n=${PROJECT_CPD_INSTANCE} exec -it c-${DB2U_NAME}-db2u-0 -- /bin/su - db2inst1 -c 'cd /mnt/blumeta0/db2/ssl_keystore;gsk8capicmd_64 -cert -details -db bludb_ssl.kdb -stashed -label CN=zen-ca-cert | grep "Not After"'

      The command returns output with the following format:

      Not After : September 12, 2023 7:44:34 AM GMT+00:00
    4. If the date is in the past or in the near future, update the certificate by following the guidance in Updating the Db2 Warehouse SSL certificate.

    Watson Knowledge Catalog
    1. Run the following command to determine when the certificate expires:
      • For the full version of Watson Knowledge Catalog, run the following commands:
        1. oc -n=${PROJECT_CPD_INSTANCE} exec c-db2oltp-wkc-db2u-0 -- ksh -lc "cd /mnt/blumeta0/db2/ssl_keystore; gsk8capicmd_64 -cert -details -db bludb_ssl.kdb -stashed -label CN=zen-ca-cert" 2>&1
        2. oc -n=${PROJECT_CPD_INSTANCE} exec c-db2oltp-iis-db2u-0 -- ksh -lc "cd /mnt/blumeta0/db2/ssl_keystore; gsk8capicmd_64 -cert -details -db bludb_ssl.kdb -stashed -label CN=zen-ca-cert" 2>&1
      • For the core version of Watson Knowledge Catalog, run the following command:
        oc -n=${PROJECT_CPD_INSTANCE} exec c-db2oltp-wkc-db2u-0 -- ksh -lc "cd /mnt/blumeta0/db2/ssl_keystore; gsk8capicmd_64 -cert -details -db bludb_ssl.kdb -stashed -label CN=zen-ca-cert" 2>&1
    2. If the date is in the past or in the near future, update the certificate by following the guidance in Renewing the Db2 SSL certificate.

    Watson Query (previously Data Virtualization)
    1. Run the following command to determine when the certificate expires:
      oc -n=${PROJECT_CPD_INSTANCE} exec -it c-db2u-dv-db2u-0 -- /bin/su - db2inst1 -c 'cd /mnt/blumeta0/db2/ssl_keystore;gsk8capicmd_64 -cert -details -db bludb_ssl.kdb -stashed -label CN=zen-ca-cert | grep "Not After"'

      The command returns output with the following format:

      Not After : September 12, 2023 7:44:34 AM GMT+00:00
    2. If the date is in the past or in the near future, update the certificate by following the guidance in Refreshing the SSL certificate used by Data Virtualization.

  6. If you have any of the following services on your cluster, complete the required prerequisite steps:

    For upgrades to 4.6.3 or 4.6.4 only: You must make a backup of your data.

    For more information, see the appropriate topic for the service in the product documentation:
  7. Check whether any of the entries in the Cloud Pak for Data database include an apostrophe ('):
    1. Open a remote shell in the zen-metastoredb-0 pod and copy the certificate that's required to connect to the database:
      oc exec -it zen-metastoredb-0 \
      --namespace=${PROJECT_CPD_INSTANCE} \
      -- bash \
      -c "cp -r /certs/ /tmp/;cd /tmp/ && chmod -R  0700 certs/;cd /cockroach"
    2. Query the database for any apostrophes:
      oc exec -it zen-metastoredb-0 \
      --namespace=${PROJECT_CPD_INSTANCE} \
      -- /cockroach/cockroach sql \
      --certs-dir=/tmp/certs/ \
      --host=zen-metastoredb-0.zen-metastoredb  \
      --database=zen \
      --execute="SELECT uid, username, \"displayName\" FROM platform_users WHERE username LIKE '%'||chr(39)||'%' OR \"displayName\" LIKE '%'||chr(39)||'%';SELECT uid, vault_name, description FROM vaults where description LIKE '%'||chr(39)||'%' OR vault_name LIKE '%'||chr(39)||'%';SELECT group_id, description, name FROM user_groups where description LIKE '%'||chr(39)||'%' OR name LIKE '%'||chr(39)||'%';SELECT uid, secret_name, description FROM secrets where description LIKE '%'||chr(39)||'%' OR secret_name LIKE '%'||chr(39)||'%';SELECT id, display_name, description FROM connections where description LIKE '%'||chr(39)||'%' OR display_name LIKE '%'||chr(39)||'%';SELECT id, extension_name FROM custom_extensions where extension_name LIKE '%'||chr(39)||'%';"
      The query returns output with the following format:
        uid | username | displayName
      ------+----------+--------------
      (N rows)
      
        uid | vault_name | description
      ------+------------+--------------
      (N rows)
      
        group_id | description | name
      -----------+-------------+-------
      (N rows)
      
        uid | secret_name | description
      ------+-------------+--------------
      (N rows)
      
        id | display_name | description
      -----+--------------+--------------
      (N rows)
      
        id | extension_name
      -----+-----------------
      (N rows)
      • If all the entries in the output return (0 rows), proceed with the upgrade.
      • If any entries in the output include a value other than (0 rows), contact IBM Software Support.
  8. Best practice: Back up your Cloud Pak for Data installation before you upgrade.

    In the event of an unrecoverable failure, you can use the backup to recover your existing installation. For details, see Backing up and restoring Cloud Pak for Data.
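
For step 4 of Before you begin (leaving the approval strategy as Manual), the following shell functions list the install plans that still await approval and approve them by setting spec.approved to true. This is an added example, not part of the IBM procedure; the function names are hypothetical and the sample oc get installplan output is constructed.

```shell
#!/bin/sh
# Constructed sample of "oc get installplan" output; the plan names and
# CSV names are made up for illustration.
SAMPLE_PLANS='NAME            CSV                         APPROVAL    APPROVED
install-aaaaa   example-operator-a.v1.0.0   Automatic   true
install-bbbbb   example-operator-b.v2.0.0   Manual      false
install-ccccc   example-operator-c.v3.0.0   Manual      true'

# Print "name csv" for every plan that is Manual and not yet approved.
# $1 = output of "oc get installplan" for one project.
pending_plans() {
  printf '%s\n' "$1" |
    awk 'NR > 1 && $3 == "Manual" && $4 == "false" { print $1, $2 }'
}

# Approve every pending plan in a project. Each plan is echoed with its CSV
# first, so the operator version being approved is visible in the terminal
# log. Requires a logged-in oc session; $1 = project, for example
# ${PROJECT_CPFS_OPS} or ${PROJECT_CPD_OPS}.
approve_pending() {
  pending_plans "$(oc get installplan -n "$1")" |
    while read -r name csv; do
      echo "approving $name ($csv) in $1"
      oc patch installplan "$name" -n "$1" --type merge \
        --patch '{"spec":{"approved":true}}'
    done
}

# Offline demonstration on the constructed sample (does not call oc).
pending_plans "$SAMPLE_PLANS"
```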
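
For step 5 of Before you begin, the following shell functions turn the Not After line returned by the gsk8capicmd_64 commands into a timestamp and classify the certificate as EXPIRED, EXPIRING or OK. This is an added example, not part of the IBM procedure; the function names are hypothetical, the 60-day warning window is an assumption (the page does not define "near future"), and only the GMT+00:00 zone shown in the sample output is accepted.

```shell
#!/bin/sh
# Constructed sample, in the output format shown on this page.
SAMPLE_LINE='Not After : September 12, 2023 7:44:34 AM GMT+00:00'

# Print the expiry as epoch seconds. Accepts the single filtered line or the
# full certificate details; exits 2 on anything it cannot parse exactly.
not_after_epoch() {
  printf '%s\n' "$1" | awk '
    /Not After/ {
      sub(/^.*Not After[ \t]*:[ \t]*/, "")
      gsub(/[,\r]/, "")   # drop the comma and any CR added by "exec -it"
      n = split("January February March April May June July August September October November December", names, " ")
      for (i = 1; i <= n; i++) if (names[i] == $1) m = i
      if (!m || $6 != "GMT+00:00") exit 2   # assumption: only the zone shown above
      d = $2; y = $3; split($4, t, ":")
      h = t[1] % 12; if ($5 == "PM") h += 12
      # Days since 1970-01-01 for a Gregorian date (year counted from March).
      if (m <= 2) y--
      mp = (m > 2) ? m - 3 : m + 9
      era = int(y / 400); yoe = y - era * 400
      doy = int((153 * mp + 2) / 5) + d - 1
      days = era * 146097 + yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy - 719468
      printf "%.0f\n", days * 86400 + h * 3600 + t[2] * 60 + t[3]
      ok = 1; exit
    }
    END { if (!ok) exit 2 }'
}

# Print EXPIRED, EXPIRING or OK for a "Not After" line.
# $1 = command output, $2 = current time (epoch seconds), $3 = window in days.
cert_status() {
  expiry=$(not_after_epoch "$1") || { echo UNPARSEABLE; return 2; }
  if [ "$expiry" -le "$2" ]; then
    echo EXPIRED
  elif [ "$expiry" -le $(( $2 + $3 * 86400 )) ]; then
    echo EXPIRING
  else
    echo OK
  fi
}

# Offline demonstration on the constructed sample with an assumed 60-day window.
cert_status "$SAMPLE_LINE" "$(date +%s)" 60
```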

1. Updating the cpd-cli and the olm-utils image on client workstations

Before you upgrade IBM Cloud Pak for Data, you must download the latest version of the cpd-cli and ensure that the cpd-cli manage plug-in is using the latest image.

Important: If you have multiple client workstations, you must complete this task on each workstation.

What to do
  1. Complete the appropriate task for your environment in Updating client workstations (Upgrading from Version 4.5 to Version 4.6).
  2. Go to 2. Collecting required information.

2. Collecting required information

Before you upgrade from Version 4.5, confirm which components are installed on your cluster. In addition, determine whether you want to install any additional services on your cluster.

What to do
  1. Complete Determining which components to upgrade (Upgrading from Version 4.5 to Version 4.6).
  2. Go to 3. Updating your environment variables script.

3. Updating your environment variables script

Before you upgrade from Version 4.5, ensure that your environment variables script includes information about the version of Cloud Pak for Data that you want to upgrade to.

What to do
  1. Complete Updating your environment variables script (Upgrading from Version 4.5 to Version 4.6).
  2. Go to 4. Preparing your cluster.

4. Preparing your cluster

Before you upgrade Cloud Pak for Data, you must prepare your cluster.

a. Do you plan to upgrade any services that require custom SCCs?

Services that require custom SCCs
If you had any of the following services installed on IBM Cloud Pak for Data Version 4.5, you can use the SCCs that you created as part of your Version 4.5 installation or upgrade:
  • Db2
  • Db2 Big SQL
  • Db2 Warehouse
  • OpenPages®
  • Watson Knowledge Catalog
  • Watson Query
If you have any of the following services on IBM Cloud Pak for Data Version 4.5, you might need to create custom SCCs before you upgrade to Version 4.6:

Options What to do
You plan to upgrade one or more of these services
  1. Create the appropriate SCCs for your environment. For details, see Creating custom security context constraints for services (Upgrading from Version 4.5 to Version 4.6).
  2. Go to b. Do you need to mirror the updated software images to a private container registry?
You don't plan to upgrade any of these services
  1. Go to b. Do you need to mirror the updated software images to a private container registry?

b. Do you need to mirror the updated software images to a private container registry?

If you pull images from a private container registry, you must mirror the updated images to the private container registry before you upgrade your environment.

Options What to do
You are pulling images from the IBM® Entitled Registry
  1. Go to 5. Upgrading the Cloud Pak for Data platform and services.
You are pulling images from a private container registry
  1. Complete Mirroring images to a private container registry (Upgrading from Version 4.5 to Version 4.6).
  2. Go to 5. Upgrading the Cloud Pak for Data platform and services.

5. Upgrading the Cloud Pak for Data platform and services

After you prepare your cluster, you can upgrade the Cloud Pak for Data platform and services.

What to do
  1. Complete the appropriate tasks for your environment in Upgrading the IBM Cloud Pak for Data platform and services (Upgrading from Version 4.5 to Version 4.6).
  2. Go to 6. Completing post-upgrade tasks.

6. Completing post-upgrade tasks

After you upgrade Cloud Pak for Data, determine whether there are any additional tasks that you should complete to configure your Cloud Pak for Data cluster.

What to do
Complete the appropriate tasks for your environment in Setting up services after install or upgrade.

7. Upgrading services

Options What to do
You upgraded the services when you upgraded the platform
  Your environment is ready to use.
You didn't upgrade the services when you upgraded the platform
  Instructions for upgrading IBM services are available in Services.