NSX-T Manager upgrade blocked by Backup passphrase precheck
Article ID: 324180
Updated On:
Products
VMware NSX Networking
Issue/Introduction
Symptoms:
- The environment is currently running NSX-T Data Center.
- An upgrade is being performed to NSX-T Data Center version 3.1.3.7 or 3.2.0.1
- The environment has previously run NSX-T Data Center version 2.3.0
- The Manager precheck fails with the error
NSX-T Backup passphrase requirements had changed after NSX-T 2.3. It must be at least 8 characters long and contain at least one each: lowercase, uppercase, numeric character and special character.The existing passphrase doesnt meet these requirements. Please edit backup configuration and update it to ensure backup and restore operations work as expected.
- After changing the passphrase to match the requirements, the precheck error is still present
Environment
VMware NSX-T Data Center
Cause
NSX-T Data Center 3.1.3.7 and 3.2.0.1 introduced a blocking upgrade precheck for a weak backup passphrase.
Under a very specific combination of NSX-T Data Center versions, this check may fail and block the upgrade.
This only impacts environments which at one time ran NSX-T Data Center 2.3.0.
If the backup passphrase was configured either strong or weak on NSX-T 2.3.0, the precheck will fail for
2.5.x upgrades directly to 3.1.3.7
or
3.2.0 upgrades to 3.2.0.1.
If the restore passphrase was configured on the NSX-T 2.3.0 and was a weak passphrase then the precheck will fail for NSX-T Data Center versions 2.5.x/3.0.x/3.1.x/3.2.0 upgrading to 3.1.3.7/3.2.0.1.
Under a very specific combination of NSX-T Data Center versions, this check may fail and block the upgrade.
This only impacts environments which at one time ran NSX-T Data Center 2.3.0.
If the backup passphrase was configured either strong or weak on NSX-T 2.3.0, the precheck will fail for
2.5.x upgrades directly to 3.1.3.7
or
3.2.0 upgrades to 3.2.0.1.
If the restore passphrase was configured on the NSX-T 2.3.0 and was a weak passphrase then the precheck will fail for NSX-T Data Center versions 2.5.x/3.0.x/3.1.x/3.2.0 upgrading to 3.1.3.7/3.2.0.1.
Resolution
This issue is resolved in NSX-T Data Center 3.1.3.8, 3.2.1 and above.
Workaround:
To workaround around this issue, it will be necessary to copy a file to the NSX Manager, see files attached to this KB.
1) From the NSX-T UI, identify which Manager is orchestrating the upgrade.
The upgrade UI page is only active on one Manager and this is the orchestrator node.
2) If upgrading to NSX-T Data Center 3.1.3.7, copy 3137_uc_helper.py file to /image directory on the orchestrator NSX Manager node.
If upgrading to NSX-T Data Center 3.2.0.1 from 3.2.0, copy 320_to_3201_uc_helper.py file to /image directory on the orchestrator NSX Manager node.
If upgrading to NSX-T Data Center 3.2.0.1 from 3.0.x or 3.1.x, copy 3x_to_3201_uc_helper.py file to /image directory on the orchestrator NSX Manager node.
3) ssh to the orchestrator node as root user.
If root access is not allowed, ssh as admin and switch to root user with the "st en" command followed by the root user password
4) Backup the file
cp /opt/vmware/upgrade-coordinator-tomcat/bin/uc_helper.py /opt/vmware/upgrade-coordinator-tomcat/bin/uc_helper.py.bak
5) Perform remediation
cat /image/3137_uc_helper.py > /opt/vmware/upgrade-coordinator-tomcat/bin/uc_helper.py
or
cat /image/320_to_3201_uc_helper.py > /opt/vmware/upgrade-coordinator-tomcat/bin/uc_helper.py
or
cat /image/3x_to_3201_uc_helper.py > /opt/vmware/upgrade-coordinator-tomcat/bin/uc_helper.py
6) From the NSX-T UI, rerun the Manager prechecks
Note: If the procedure above is not followed and instead a new file is created in the directory, ensure it has the correct permissions #chmod 754 uc_helper.py
Workaround:
To workaround around this issue, it will be necessary to copy a file to the NSX Manager, see files attached to this KB.
1) From the NSX-T UI, identify which Manager is orchestrating the upgrade.
The upgrade UI page is only active on one Manager and this is the orchestrator node.
2) If upgrading to NSX-T Data Center 3.1.3.7, copy 3137_uc_helper.py file to /image directory on the orchestrator NSX Manager node.
If upgrading to NSX-T Data Center 3.2.0.1 from 3.2.0, copy 320_to_3201_uc_helper.py file to /image directory on the orchestrator NSX Manager node.
If upgrading to NSX-T Data Center 3.2.0.1 from 3.0.x or 3.1.x, copy 3x_to_3201_uc_helper.py file to /image directory on the orchestrator NSX Manager node.
3) ssh to the orchestrator node as root user.
If root access is not allowed, ssh as admin and switch to root user with the "st en" command followed by the root user password
4) Backup the file
cp /opt/vmware/upgrade-coordinator-tomcat/bin/uc_helper.py /opt/vmware/upgrade-coordinator-tomcat/bin/uc_helper.py.bak
5) Perform remediation
cat /image/3137_uc_helper.py > /opt/vmware/upgrade-coordinator-tomcat/bin/uc_helper.py
or
cat /image/320_to_3201_uc_helper.py > /opt/vmware/upgrade-coordinator-tomcat/bin/uc_helper.py
or
cat /image/3x_to_3201_uc_helper.py > /opt/vmware/upgrade-coordinator-tomcat/bin/uc_helper.py
6) From the NSX-T UI, rerun the Manager prechecks
Note: If the procedure above is not followed and instead a new file is created in the directory, ensure it has the correct permissions #chmod 754 uc_helper.py
Attachments
Feedback
Yes
No
Powered by
