CLOUD SOLUTIONS

Update the operating system of the Security Server to Ubuntu 20.04 LTS

This topic provides all the information you need to upgrade Security Servers in your environment to use Ubuntu 20.04.

Introduction

Why updating the OS of the Security Server?

Security. Currently, Security Server relies on Ubuntu 16.04 LTS, which becomes officially EOL on April 30th, 2021. This means it will stop receiving critical fixes and security patches, exposing the appliance to potential threats.

Because you can. You do not need to redeploy any of the appliances like in the past. Since the April 2021 update, GravityZone offers the option to update Security Servers through the Update Security Server task. The task is available for both GravityZone platforms, cloud and on-premises, and all integrations with virtualized environments including cloud integrations.

It is easy. The OS update task is automatic, and you can schedule it to run in a maintenance window. The task applies to both multiplatform and agentless environments.

No icons with issues. After updating GravityZone, you may notice that the Security Server will appear as outdated. This means the Security Server version with OS update is available to download and install.

Warning

If you have a cloud integration (Azure or AWS) and choose to update the OS for your Security Servers, Bitdefender is not accountable for the billing changes that this update might generate according to your service-based model.

Prerequisites

  • The OS update task is available in GravityZone Control Center starting with the April 2021 update for cloud platform, and version 6.23.1-1 for on-premises platform.

  • Compatible Security Server versions:

    • Multiplatform: 6.2.1

    • For VMware NSX-V: 6.2.0

    • For VMware NSX-T: 1.1.0

  • The OS update on Citrix XenServer 7.1 LTSR requires you to apply the Citrix XS71ECU2060 hotfix first.

    Note

    You can install the hotfix automatically from Citrix XenCenter. The installation requires hypervisor reboot.

  • The update requires at least 2 GB of disk space available on the appliance to run.

  • Adjust resource allocation for the Security Server according to the new hardware requirements:

    Consolidation

    Number of protected VMs

    RAM

    CPU

    Low

    1 - 30

    2 GB

    2

    31 - 50

    4 GB

    2

    Medium

    51 - 100

    4 GB

    4

    High

    101 - 200

    4 GB

    6

  • Update location for the Security Servers must be one of the following:

    • update-onprem.2d585.cdn.bitdefender.net:80

    • upgrade.bitdefender.com

    Check the assigned policy, under the Relay > Update section, to have the option Define custom update locations enabled.

  • Bitdefender Endpoint Security Tools Relay for Linux version 6.2.21.141

    Warning

    Bitdefender Endpoint Security Tools Relay for Windows does not support the OS update.

Best practices

  • Take snapshots of the Security Server appliances, because the changes are major.

  • Since Bitdefender does not have any control on the infrastructure where Security Server runs, the update task does not limit the number or combination of Security Servers to be selected.

    The recommendation is to run several update tasks on groups of Security Servers, considering redundancy and availability. Do not run the task on all Security Servers at once, or you will lose protection.

  • Schedule the Security Server update in a maintenance window, especially for NSX and HVI environments, or migrate the VMs from one host to another one before starting the update.

  • Enable the Task status notification to know when the update is complete.

Updating steps

  1. Select the target Security Servers in the Network page.

  2. Run an Update Security Server task with the feature update option.

    This update will prepare the Security Servers for the OS update.

  3. Run again an Update Security Server task, this time with the OS update option.

  4. Select to run now or choose a date from the calendar to schedule the maintenance window.

To check the status of the update task, go to the Tasks page. Follow the links in the Status column to view the status of the task for each target Security Server.

How it will happen

The update process is incremental, the operating system being upgraded to Ubuntu 18.04 LTS, and then to Ubuntu 20.04 LTS, under Canonical official recommendation.

The process happens transparently, with no user intervention. During the update, the following operations will be performed in the backend:

  • Update requirements are checked.

  • Non-Bitdefender repositories are disabled.

  • Third-party packages are uninstalled.

    You can reinstall the third-party packages once the update is complete.

  • Existing Bitdefender services are stopped.

  • The OS is updated to Ubuntu 18.04 LTS.

  • The OS is updated to Ubuntu 20.04 LTS.

  • Repositories are changed to receive Ubuntu 20.04 updates and patches.

  • Non-Bitdefender repositories are enabled.

  • Bitdefender services are started.

Note

The appliances will automatically reboot several times.

Questions & answers

Q1: What happens with the protection during the update on agentless environments?

A: Protection on that host is lost. This is why we recommend moving the VMs on another protected host while the Security Server is updating. Plan this operation in a maintenance window.

Q2: How long does the OS update last and what is the expected downtime?

A: Depending on the networking and storage characteristics, the update duration can vary. In most cases, it will take between 20-30 minutes.

Q3: Will the update work if the Security Server has various minor Ubuntu 16.04 kernel versions?

A: Yes. Before starting the OS upgrade, all packages are updated to the latest versions available.

Q4: What happens with custom repositories or third-party packages during the update?

A: Any third-party packages will be uninstalled during the OS upgrade. They will not be automatically restored because Bitdefender repositories do not include them. The additional repositories will still be there, so you can reinstall the custom packages after the upgrade is complete.

Q5: How do I know if the update fails on a Security Server?

A: In Control Center, follow the Status link of the update task to open the Task Status window. You will view all target Security Servers and the status of the task on each of them. You can filter to view only where the task status is Failed. Select the Security Server with a failed update and check the error message in the lower part of the window.

Q6: Can I install the Security Server manually?

A: Yes. Follow the steps described in Bitdefender Security Server manual installation.

Q7: What happens if GravityZone is in an offline environment?

A: Follow the usual procedure to download the update archive. For details, refer to GravityZone products offline update.

Q8: Will the task run if Security Server runs on Ubuntu 12.04?

A: No. The task can only run if Security Server runs on Ubuntu 16.04. In this case, you need to redeploy the Security Server.

Q9: Will the task be available for the vShield integration?

A: No, it is not supported. You need to upgrade to VMware NSX.