In this guide, we will show you how to upgrade the teleport
binary on a Linux
host without sacrificing availability.
If you are running teleport
as a container, see
How to Run Teleport Using Docker for information on
specifying a version.
Prerequisites
This guide requires a host where the teleport
binary is running. The version
of the binary must be behind the latest.
For Teleport major version 11
the latest version is 11.3.1
.
Compare this to the version of Teleport you have installed on the host:
teleport versionTeleport v8.3.7 git:v8.3.7-0-ga8d066935 go1.17.3
Step 1/3. Download a new Teleport binary
Preserve the old binary, just in case the upgrade goes wrong.
DIR=$(which teleport | xargs dirname)sudo mv ${DIR}/teleport ${DIR}/teleport.bak
Install the newest version of Teleport on the host:
Next, use the appropriate commands for your environment to install your package.
Teleport Edition
Add the Teleport repository to your repository list:
Download Teleport's PGP public key
sudo curl https://apt.releases.teleport.dev/gpg \-o /usr/share/keyrings/teleport-archive-keyring.ascSource variables about OS version
source /etc/os-releaseAdd the Teleport APT repository for v11. You'll need to update this
file for each major release of Teleport.
Note: if using a fork of Debian or Ubuntu you may need to use '$ID_LIKE'
and the codename your distro was forked from instead of '$ID' and '$VERSION_CODENAME'.
Supported versions are listed here: https://github.com/gravitational/teleport/blob/master/build.assets/tooling/cmd/build-os-package-repos/runners.go#L42-L67
echo "deb [signed-by=/usr/share/keyrings/teleport-archive-keyring.asc] \https://apt.releases.teleport.dev/${ID?} ${VERSION_CODENAME?} stable/v11" \| sudo tee /etc/apt/sources.list.d/teleport.list > /dev/nullsudo apt-get updatesudo apt-get install teleport
Source variables about OS version
source /etc/os-releaseAdd the Teleport YUM repository for v11. You'll need to update this
file for each major release of Teleport.
Note: if using a fork of RHEL/CentOS or Amazon Linux you may need to use '$ID_LIKE'
and the codename your distro was forked from instead of '$ID'
Supported versions are listed here: https://github.com/gravitational/teleport/blob/master/build.assets/tooling/cmd/build-os-package-repos/runners.go#L133-L153
sudo yum-config-manager --add-repo $(rpm --eval "https://yum.releases.teleport.dev/$ID/$VERSION_ID/Teleport/%{_arch}/stable/v11/teleport.repo")sudo yum install teleportTip: Add /usr/local/bin to path used by sudo (so 'sudo tctl users add' will work as per the docs)
echo "Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin" > /etc/sudoers.d/secure_path
Optional: Use DNF on newer distributions
$ sudo dnf config-manager --add-repo https://rpm.releases.teleport.dev/teleport.repo
$ sudo dnf install teleport
In the example commands below, update $SYSTEM-ARCH
with the appropriate
value (amd64
, arm64
, or arm
). All example commands using this variable
will update after one is filled out.
curl https://get.gravitational.com/teleport-v11.3.1-linux--bin.tar.gz.sha256<checksum> <filename>
curl -O https://cdn.teleport.dev/teleport-v11.3.1-linux--bin.tar.gzshasum -a 256 teleport-v11.3.1-linux--bin.tar.gzVerify that the checksums match
tar -xvf teleport-v11.3.1-linux--bin.tar.gzcd teleportsudo ./install
In the example commands below, update $SYSTEM-ARCH
with the appropriate
value (amd64
, arm64
, or arm
). All example commands using this variable
will update after one is filled out.
After Downloading the .deb
file for your system architecture, install it with
dpkg
. The example below assumes the root
user:
dpkg -i ~/Downloads/teleport-ent_11.3.1_.debSelecting previously unselected package teleport-ent.
(Reading database ... 30810 files and directories currently installed.)
Preparing to unpack teleport-ent_11.3.1_$SYSTEM_ARCH.deb ...
Unpacking teleport-ent 11.3.1 ...
Setting up teleport-ent 11.3.1 ...
After Downloading the .rpm
file for your system architecture, install it with rpm
:
rpm -i ~/Downloads/teleport-ent-11.3.1..rpmwarning: teleport-ent-11.3.1.$SYSTEM-ARCH.rpm: Header V4 RSA/SHA512 Signature, key ID 6282c411: NOKEY
curl https://get.gravitational.com/teleport-ent-v11.3.1-linux--bin.tar.gz.sha256<checksum> <filename>
curl -O https://cdn.teleport.dev/teleport-v11.3.1-linux--bin.tar.gzshasum -a 256 teleport-v11.3.1-linux--bin.tar.gzVerify that the checksums match
tar -xvf teleport-v11.3.1-linux--bin.tar.gzcd teleportsudo ./install
For FedRAMP/FIPS-compliant installations of Teleport Enterprise, package URLs will be slightly different:
curl https://get.gravitational.com/teleport-ent-v11.3.1-linux--fips-bin.tar.gz.sha256<checksum> <filename>
curl -O https://cdn.teleport.dev/teleport-ent-v11.3.1-linux--fips-bin.tar.gzshasum -a 256 teleport-ent-v11.3.1-linux--fips-bin.tar.gzVerify that the checksums match
tar -xvf teleport-ent-v11.3.1-linux--fips-bin.tar.gzcd teleport-entsudo ./install
In the example commands below, update $SYSTEM-ARCH
with the appropriate
value (amd64
, arm64
, or arm
). All example commands using this variable
will update after one is filled out.
After Downloading the .deb
file for your system architecture, install it with
dpkg
. The example below assumes the root
user:
dpkg -i ~/Downloads/teleport-ent_11.2.1_.debSelecting previously unselected package teleport-ent.
(Reading database ... 30810 files and directories currently installed.)
Preparing to unpack teleport-ent_11.2.1_$SYSTEM_ARCH.deb ...
Unpacking teleport-ent 11.2.1 ...
Setting up teleport-ent 11.2.1 ...
After Downloading the .rpm
file for your system architecture, install it with rpm
:
rpm -i ~/Downloads/teleport-ent-11.2.1..rpmwarning: teleport-ent-11.2.1.$SYSTEM-ARCH.rpm: Header V4 RSA/SHA512 Signature, key ID 6282c411: NOKEY
curl https://get.gravitational.com/teleport-ent-v11.2.1-linux--bin.tar.gz.sha256<checksum> <filename>
curl -O https://cdn.teleport.dev/teleport-v11.2.1-linux-amd64-bin.tar.gzshasum -a 256 teleport-v11.2.1-linux-amd64-bin.tar.gzVerify that the checksums match
tar -xvf teleport-v11.2.1-linux-amd64-bin.tar.gzcd teleportsudo ./install
Before installing a teleport
binary with a version besides v11,
read our compatibility rules to ensure that the binary is compatible with
Teleport Cloud.
When running multiple teleport
binaries within a cluster, the following rules
apply:
- Patch and minor versions are always compatible, for example, any 8.0.1 component will work with any 8.0.3 component and any 8.1.0 component will work with any 8.3.0 component.
- Servers support clients that are 1 major version behind, but do not support
clients that are on a newer major version. For example, an 8.x.x Proxy Service
is compatible with 7.x.x resource services and 7.x.x
tsh
, but we don't guarantee that a 9.x.x resource service will work with an 8.x.x Proxy Service. This also means you must not attempt to upgrade from 6.x.x straight to 8.x.x. You must upgrade to 7.x.x first. - Proxy Services and resource services do not support Auth Services that are on
an older major version, and will fail to connect to older Auth Services by
default. This behavior can be overridden by passing
--skip-version-check
when starting Proxy Services and resource services.
Step 2/3. Fork the teleport
process
Fork a new teleport
process by sending it the USR2
signal:
sudo kill -USR2 $(pidof teleport)
The original teleport
process forked a new child process and passed existing file descriptors
to the child. You now have two processes handling requests on the same socket:
pidof teleport235276 235119
In our example, 235276
is a PID of the child process, and 235119
is a PID of the parent.
You can use the following command, which prints the parent for each PID returned
by pidof
:
ps -o ppid= -p $(pidof teleport)1494
1495
In the logs you will see that the parent process reports that it has forked a new child process, and the child accepts file descriptors from its parent.
2021-08-19T10:16:51-07:00 [PROC:1] INFO Forked new child process. path:/usr/local/teleport service/signals.go:457
2021-08-19T10:16:51-07:00 [PROC:1] INFO Using file descriptor diag 127.0.0.1:3434 passed by the parent process. service/signals.go:207
Step 3/3. Return to a single teleport
process
After forking the new teleport
process, check the logs to ensure that the
process is running as expected. After that, you should either roll back or
complete the upgrade:
If the new binary behaves with errors, shut down the child process:
sudo kill -TERM 2352762022-04-20T15:33:58Z INFO [PROC:1] Got signal "terminated", exiting immediately. service/signals.go:86
2022-04-20T15:33:58Z WARN [PROC:1] Forked teleport process 235276 has exited with status: 0. service/signals.go:506
Do not forget to restore the original binary
sudo mv ${DIR}/teleport.bak ${DIR}/teleport
You can retry the process again later.
If you are upgrading a teleport
daemon using an SSH connection established
via Teleport, make sure to connect to the newly upgraded teleport
process
and shut down the previous teleport
process from it.
You can see which teleport
process handles the connection by using
pstree
:
pstree -aps $$systemd,1 splash
└─systemd,6247 --user
└─teleport-,235276
└─bash,190718
└─pstree,242371 -aps 190718
Shut down the parent process gracefully using SIGQUIT
:
sudo kill -QUIT 235119
The parent process will log a graceful shutdown:
2021-08-19T10:32:10-07:00 INFO [PROXY:SER] Shutting down gracefully. service/service.go:2952
In a couple of minutes, all existing connections drain off and the parent will exit:
pidof teleport235276
If for some reason, the parent process gets stuck (e.g., waiting for existing connections to finish), you can shut it down non-gracefully:
sudo kill -TERM 235119
You are all set.
Further reading
In this guide, we explained how to upgrade the teleport
binary on a single
host. If you would like to learn how to upgrade all of the components in a
Teleport cluster while preserving compatibility, read
Upgrading a Teleport Cluster.
See the full list of supported signals in the Teleport Signals Reference.