Upgrade notes

Before upgrading a Rudder server, you should make a backup by following the backup procedure.

Known bugs

Agent error after installation

On the first agent run, after initial installation or after an upgrade, the agent prints the following error message:

error: SERIOUS SECURITY ALERT: path race exploited in recursion to/from '/var/rudder/cfengine-community/modules'. Not safe for agent to continue - aborting
error: Fatal CFEngine error: Not safe to continue

It is a false positive and disappears on the next runs. It is being tracked in #27660, and will be fixed in upcoming patch releases.

Patch management hooks on Linux require running scripts from /var

Rudder 9.0 agents are capable of running with /var mounted with the readonly option, except for system update event hooks, which still run from var/rudder and hence require this directory to allow executions. This is tracked in #27777 and will be fixed in upcoming patch releases.

Plugins upgrade

If your server is connected to the Internet (directly or through a proxy), and you have configured your account in the setup wizard (or directly in /opt/rudder/etc/rudder-pkg/rudder-pkg.conf), the upgrade process will take care of upgrading to plugins to a compatible version.

If it is not the case, you will need to download the new ones from downloads.rudder.io. and install them following the usual installation procedure.

You can check the current state of plugins with:

rudder package list --all

Upgrade from Rudder 8.3 to 9.0

Upgrade from Rudder 8.3 is supported.

End of support for old operating systems

Rudder 9.0 no longer supports installation on the following operating systems, for servers and relayd:

  • SLES 15 < SP6

  • Ubuntu 22.04 LTS

  • Debian 11

  • RHEL 8

For agents:

  • RHEL 6

  • RHEL 7 32bits

  • RHEL on PPC architecture

  • SLES 12 < SP5

  • SLES 15 < SP2

  • SLES on PPC architecture

  • Ubuntu LTS < 18.04

  • Slackware 14

  • Windows Server < 2016

  • Windows < 10

  • AIX on any version

Windows systems older than Windows Server 2016 and Windows 10 version will stop working with Rudder 9.0 servers. The agent will stop with an error message indicating that the OS version is not supported.

The rudder-api-client package removal

The rudder-api-client package used to provide a CLI and Python library. It was not actively maintained and was removed from 9.0. It is possible to use the OpenAPI definition to generate clients, or to use generic HTTP tooling to replace it.

The package is not automatically removed if it was installed in an older version. If you don’t use it you can safely remove it after upgrade.

Enforced use of argon2id or bcrypt to hash local passwords

Rudder users can be authenticated against a remote server (LDAP, AD, OIDC) or use a locally stored password hash. The local hashes can use different algorithms, depending on the way they were created. Old versions of Rudder used simple non-salted hashes, which are not suited for storing passwords. Since Rudder 6.1, passwords created in the user management interface use the safer bcrypt algorithm, and 9.0 introduces argon2id as the new default algorithm.

Users created on an older Rudder server (without changing their passwords since), or manually created could still be using unsafe hashes. They must not be used, and their support is dropped in Rudder 9.0. To make sure you are not using them anymore, check the /opt/rudder/etc/rudder-users.xml file on your Rudder server(s). In the authentication section, check the value of the password attribute for each user. There are different cases:

  • The value starts with $2a$, $2b$, $2x$, $2y$ ou $argon2id$ , which means the bcrypt or argon2id algorithms are used. You donst need to do anything.

  • The value is an hexadecimal string (only using 0-9a-f), which means it uses an unsafe hash (depending on its length, either MD5, SHA1, SHA256 or SHA512).

    • You should replace the hash, and use a different password. You can enter the new password in the User management page in the interface or compute an argon2id hash manually. See the documentation for details.

  • The value is empty, or contains another string value (like “ldap”). This means the user can only authenticate against a remote server, you don’t need to do anything.

Upgrade from Rudder 8.2 or older to 9.0

Direct upgrades from 8.2 versions and older are no longer supported on 9.0. If you are still running one of those, either on servers or nodes, please first upgrade to one of the supported versions and then upgrade to 9.0.


← on SLES on Debian/Ubuntu →