How-To: Update a dockered UCS without internet connection

How to Update a UCS system running in a docker without internet connection and save this new status

Environment

  1. UCS system in a docker environment

Note 1: If the docker system has an internet connection, you can skip “Setup a local repository” and start with “Preparing the UCS docker system”.

Note 2: I assume the host where the docker systems are running is NOT a UCS system. If the host is a UCS system, you can use the host itself and skip the creation of a VM; you only need to run step 2 of “Setup a local repository”. The local repo could also be created in a virtual environment on a technician's laptop that can be connected on site to the network of the dockered UCS system.

Setup a local repository

You need a local repository if the machines will not have access to the internet!
You need to be able to resolve all dependencies so you need all packages in the major release tree. It is not possible to update via single DVD!

Step 1: Create a VM and install UCS

  • Create a VM with at least 120GB of disk space; 150GB would be better.
  • Install a UCS 4.x and choose no role (the use case given in the GUI is firewall installations); the machine needs no LDAP and no Samba, only disk space and Apache. You can use a different role, but no role is enough.
  • The VM must be reachable on port 80 from the docker systems. How you achieve this depends on the virtualisation you use and the chosen networking. If port 80 is used on the host, you need to change the port used in the docker machine → ucr set repository/online/port='8080'

Step 2: Install/create repository server

The documentation can be found here.

root@ucs-loc-repo:~# univention-repository-create

Step 3: Configuration repository server

root@ucs-loc-repo:~# ucr set repository/online/unmaintained='no'

Update the local repository server

If the repository server has internet access you simply enter:

root@ucs-loc-repo:~# univention-repository-update net

If the reposerver has no internet access, you need to get the update DVD images and copy them to the reposerver. You can find the DVD images here.

For example, the UCS 4.4-3 to 4.4-4 update image must be copied to the reposerver and then mounted:

root@ucs-loc-repo:~# losetup -fP --show UCS_Update_4.4-3_-_4.4-4-amd64.iso
/dev/loop0
root@ucs-loc-repo:~# mount /dev/loop0 /mnt/

Now you need to copy the packages to /var/lib/univention-repository/mirror/4.4/maintained/4.4-4/all/ (attention: adjust the path to the mounted release image):

root@ucs-loc-repo:~# cp /mnt/ucs-updates/4.4-4/* /var/lib/univention-repository/mirror/4.4/maintained/4.4-4/all/

You need to do this for all releases in the major tree (for example UCS 4)! It is a good idea to grant the repo server internet access and let univention-repository-update net do the magic.
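
The mount-and-copy step above, repeated for every update ISO in a directory, as an added example that is not part of the original post. It assumes all ISO names follow the pattern of the one shown (UCS_Update_<from>_-_<to>-amd64.iso); the function names are hypothetical, and mount -o loop replaces the separate losetup and mount calls.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes every update ISO is
# named like the one shown above: UCS_Update_<from>_-_<to>-amd64.iso
MIRROR_ROOT="${MIRROR_ROOT:-/var/lib/univention-repository/mirror}"

# Print the mirror directory for one ISO, e.g. .../4.4/maintained/4.4-4/all
# Returns 1 if the file name does not match the expected pattern.
mirror_target_for_iso() {
    name=$(basename "$1")
    release=$(printf '%s\n' "$name" | sed -n \
        's/^UCS_Update_[0-9][0-9]*\.[0-9][0-9]*-[0-9][0-9]*_-_\([0-9][0-9]*\.[0-9][0-9]*-[0-9][0-9]*\)-amd64\.iso$/\1/p')
    [ -n "$release" ] || return 1
    printf '%s/%s/maintained/%s/all\n' "$MIRROR_ROOT" "${release%-*}" "$release"
}

# Mount one ISO read-only, copy its packages into the mirror, unmount again.
import_iso() {
    target=$(mirror_target_for_iso "$1") || { echo "skipping $1: unexpected name" >&2; return 1; }
    release=$(basename "$(dirname "$target")")
    mnt=$(mktemp -d) || return 1
    if ! mount -o loop,ro "$1" "$mnt"; then rmdir "$mnt"; return 1; fi
    rc=0
    if [ -d "$mnt/ucs-updates/$release" ]; then
        mkdir -p "$target" && cp "$mnt/ucs-updates/$release"/* "$target"/ || rc=1
    else
        echo "$1: no ucs-updates/$release directory" >&2; rc=1
    fi
    umount "$mnt" && rmdir "$mnt"
    return $rc
}

# Import every ISO found in directory $1; report failures but keep going.
# The return value is the number of ISOs that could not be imported.
import_all() {
    failed=0
    for iso in "$1"/UCS_Update_*.iso; do
        [ -e "$iso" ] || continue
        import_iso "$iso" || failed=$((failed + 1))
    done
    return "$failed"
}
```

Run import_all /path/to/isos as root on the repository server; a non-zero return value means at least one release of the tree is still missing from the mirror.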

Preparing the UCS docker system

These steps must be done with a current UCS 4 docker image (UCS 4.4-4).

Step 1: Create a fresh UCS in a docker (optional: if you have a running one jump to step 2)

A fresh image can be deployed by:

root@dockerHost:~# docker run -d --name master_container --hostname=dockerUCS -e domainname=dockereducs.intranet -e rootpwd=univention -e nameserver1=127.0.0.1 -e ldap_base=dc=dockereducs,dc=intranet -e join_password=mypassword -e create_spn_account_timeout=12 -e container=docker -v /sys/fs/cgroup:/sys/fs/cgroup:ro -v /root/test_dockeredUCS/profile-master:/var/cache/univention-system-setup/profile --tmpfs /run --tmpfs /run/lock --cap-add=SYS_ADMIN --restart unless-stopped univention/ucs-generic-amd64 /sbin/init

In the docker (docker exec -it master_container /bin/bash) run the configuration:

root@dockerUCS:~ # /usr/lib/univention-system-setup/scripts/setup-join.sh

Optionally, I import the license into the UCS system; I transferred it to the repository:

root@dockerUCS:/# scp root@10.200.36.87:/root/test_dockeredUCS/DockeresUCS_2022-01-10.license /root/
root@dockerUCS:/# univention-license-import /root/DockeresUCS_2022-01-10.license

Step 2: Fix gpg Key Bug (optional)

If you are using the current UCS image (UCS 4.4-4), you have to fix this issue by following the steps in this article. I only show the strictly necessary steps; you can also verify the key, see other articles.

root@reposerver: wget https://updates.software-univention.de/univention-archive-key-ucs-5x.gpg -O /etc/apt/trusted.gpg.d/univention-archive-key-ucs-5x.gpg
root@dockerUCS:/# scp root@10.200.36.87:/root/test_dockeredUCS/univention-archive-key-ucs-5x.gpg /etc/apt/trusted.gpg.d/univention-archive-key-ucs-5x.gpg

Step 3: Configure UCS in the docker to use local repository

You need to set secure apt to no, as the local repository server does not support https.

root@dockerUCS:/# ucr set update/secure_apt='no'

You need to configure the repository online server via ucr:

root@dockerUCS:/# ucr set repository/online/server='http://10.200.36.83/univention-repository/'

Step 4: Backup the status

I recommend creating an image of this status! I assume your docker container is named master; please adjust this to your own name.

root@dockerHost:~ # docker container commit -a 'DirkS' -m 'configured-master' $(docker ps -f name=master -q) local:master1

You have created a new image in the local repository named master1. Whenever you start a docker run with that image, you begin at this point.
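
A check for the committed image, as an added example that is not part of the original post: values passed with -e in Step 1 (rootpwd, join_password) belong to the container configuration, and docker commit stores that configuration in the new image. The function names and the name patterns are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post: find credential-like variables
# that "docker commit" carried over from "docker run -e ..." into an image.

# stdin: one NAME=value per line. stdout: the NAMEs that look like
# credentials. Values are never printed.
secret_env_names() {
    while IFS= read -r line; do
        name=${line%%=*}
        lower=$(printf '%s' "$name" | tr '[:upper:]' '[:lower:]')
        case $lower in
            *pwd*|*passw*|*secret*|*token*) printf '%s\n' "$name" ;;
        esac
    done
}

# Print the suspicious variable names stored in the config of image $1.
image_secret_env() {
    docker image inspect \
        --format '{{range .Config.Env}}{{println .}}{{end}}' "$1" | secret_env_names
}

# Usage on the docker host:  image_secret_env local:master1
```

Any name that is listed can be read by everyone who is able to inspect or export the image, so treat those passwords as known to that group.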

Update the docker:

Step 1

Jump into the docker and enter:

root@dockerUCS:/# univention-upgrade --ignoressh --noninteractive --disable-app-updates --ignoreterm --updateto=4.4-8

It should run through smoothly.

Step 2 Backup the status

I recommend creating a new image of that status:

root@dockerHost:~ # docker container commit -a 'DirkS' -m 'Updated_to_4.4-8-master' $(docker ps -f name=master1 -q) local:master2

We stop the old image:

root@dockerHost:~ # docker stop master1

and fire up the current one:

root@dockerHost:~ # docker run -d --name master2 --hostname=dc0 -e domainname=dockereducs.intranet -e container=docker -e create_spn_account_timeout=12 -v /mnt:/PseudoDVD -v /sys/fs/cgroup:/sys/fs/cgroup:ro --tmpfs /run --tmpfs /run/lock --cap-add=SYS_ADMIN --restart unless-stopped local:master2 /sbin/init

Cleanup Docker environment (optional)

As the docker images need a lot of space, you could delete older images and containers. Which images do I have:

root@dc0:~ # docker image ls
REPOSITORY                     TAG                 IMAGE ID            CREATED             SIZE
local                          master1             a4241ccc98a8        34 minutes ago      3.88GB
configuredmaster               master1             ef7a05947d43        3 hours ago         1.15GB
univention/ucs-generic-amd64   latest              36bd0a541430        21 months ago       956MB

Which containers do I have:

root@dc0:~ # docker ps -a
CONTAINER ID        IMAGE                          COMMAND             CREATED             STATUS                       PORTS               NAMES
6d5827e2a5fd        local:master1                  "/sbin/init"        11 minutes ago      Up 11 minutes                                    master2
e9f173bd8b80        configuredmaster:master1       "/sbin/init"        2 hours ago         Exited (137) 9 minutes ago                       master1
b7659d121076        univention/ucs-generic-amd64   "/sbin/init"        9 hours ago         Exited (137) 3 hours ago                         master_container

Delete a container (must be done before removing the image!)

root@dc0:~ # docker rm master1

Delete an image:

root@dc0:~ # docker image rm configuredmaster:master1