Migrating data from a pre-3.20 policy console
To migrate a previous version of the policy console that did not run in a Docker container (version 3.17 and earlier) to a console running on Docker (3.20+), follow the process in this article.
To upgrade a policy console that runs in a Docker container (version 3.20+) to a new version of the console running on Docker, see the upgrading info for your installation:
The migration consists of the following steps; see below for details on each step.
- Install the new version.
- Migrate the data from the old version.
- Restart the new console.
Before you begin
To install the new policy console and migrate data from the old console, you need:
- Required software and files to install the new console. See Policy console requirements.
- Internet access: For option 1 (see below), the old policy console and the virtual machine running the new policy console must both be connected to the internet. See option 2 if internet access is not available.
- Virtual machine access:
  - The new console must run on a different Ubuntu host from the old console.
  - You need to be able to log in to the original VM using the original login account (mocana-map) and have the administrator password on hand to complete the update process.
- You also need the MySQL username and password from the old console if you have changed them from the default.
If you have modified your SQL server on the old console, make sure secure-file-priv is clear (set to an empty string):
Check the current value of secure-file-priv:
$ mysqld --verbose --help | grep secure-file-priv
To set the value to an empty string, edit /etc/mysql/my.cnf. Under [mysqld] insert this line:
[mysqld]
secure-file-priv=""
After clearing this value, restart the SQL server:
$ sudo service mysql restart
After the migration is complete, you may set secure-file-priv back to its original value.
Installing the policy console
See Ubuntu/Debian: Installing, upgrading, and uninstalling the policy console to install the new console.
Use a different Ubuntu host than your old console.
Option 1: Migrating the policy console data via network access
This option requires your old console to be accessible from the new console host.
Once you have the new console installed as described above, use this process to migrate the policy console data from the old console (3.17.x or earlier) to the new console (3.20.x or later).
Check before starting
The old version of the console and the new version should be installed on separate VMs, both connected to the internet.
The old console must be running MySQL.
Direct the new console to the old console by editing the following variables in the file /etc/policy-console-{version}.env so that they refer to the old console. You may need to uncomment one or more of these variables.
- Do not use quotation marks with the variable values, for example, CONSOLE_IP=10.12.15.9 instead of CONSOLE_IP="10.12.15.9".
- Leave other variables commented unless directed by Blue Cedar Support.
Variable | New setting (values for old console, 3.17 or earlier) |
---|---|
CONSOLE_IP | The IP address or hostname for the old console (the console which includes the database to import). Example: 10.12.15.9 or console.qwe.com. If you have made no changes to the login credentials and MySQL credentials on your old console, this is the only field required to import the database. |
CONSOLE_USER | The old console (.ova) included a default user 'mocana-map'. If you changed this to use a different user on the old console, uncomment this variable and set it to the username on your console. If you did not change the old console user, leave this field commented. Accepted values: a valid user on CONSOLE_IP. If CONSOLE_IP is provided but CONSOLE_USER is left commented, CONSOLE_USER is mocana-map by default. |
CONSOLE_PASS | The old console (.ova) included a default user with default password mocana-map-admin. If you changed the password on the old console, uncomment this variable and set it to the password for the CONSOLE_USER. If you did not change the old password, leave this field commented. Accepted values: a valid password for CONSOLE_USER on CONSOLE_IP. If CONSOLE_IP is provided but CONSOLE_PASS is left commented, CONSOLE_PASS is mocana-map-admin by default. |
CONSOLE_SQLU | The old console (.ova) included a default MySQL user 'root'. If you changed the MySQL user on the old console, uncomment and set this to the MySQL username on your console. If you did not change this value, leave this field commented. Accepted values: a valid MySQL user with access to the console database on CONSOLE_IP. For example: root-mysql-user. Default: If CONSOLE_IP is provided but CONSOLE_SQLU is left commented, CONSOLE_SQLU is assumed to be root. |
CONSOLE_SQLP | The old console (.ova) included a default user (root) with default password admin101#. If you changed the MySQL password on the old console, uncomment and set this to the password for CONSOLE_SQLU on your console. If you did not change this value, leave this field commented. Accepted values: a valid password for CONSOLE_SQLU on CONSOLE_IP. Default: If CONSOLE_SQLP is left commented, CONSOLE_SQLP is assumed to be admin101#. |
After setting these variables, reboot the new policy console:
$ sudo service policy-console reboot
The size of the apps and profiles included in your old console's database may affect how long it takes the new console to start up. You can follow the progress of the upgrade by checking the logs. Ignore the error for root and look for the string "Import succeeded!".
$ sudo docker logs -f policy_console_database
...
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: NO)
Warning: Permanently added '192.10.20.30' (ECDSA) to the list of known hosts.
[CONSOLEDB] Downloading database from 192.10.20.30. This may take some time..
[CONSOLEDB] Database downloaded! Initializing import..
[CONSOLEDB] Import succeeded!
Once the database migration is finished, you can restore the environment file and use the console at https://{CONSOLE_IP}. To restore the environment file, comment out only the variables in the file /etc/policy-console-{version}.env that you uncommented during this migration process.
Note: The console allows HTTPS access only.
Option 2: Manually migrating the policy console data
This option does not require your old console to be internet-accessible from the new console host.
On your old console, back up the database. Replace MySQLuser and MySQLpwd with your MySQL credentials.
$ cd /tmp/
$ mkdir -p appcontrol-export/data
$ chmod a+rwx appcontrol-export/data
$ mysqldump -u MySQLuser -pMySQLpwd -f --routines --no-data appcontrol > appcontrol-export/appcontrol-schema.sql
$ mysqldump -u MySQLuser -pMySQLpwd -f --max-allowed-packet=1G --tab=/tmp/appcontrol-export/data appcontrol
$ zip -x '**/data/*.sql' -r appcontrol-export.zip appcontrol-export/
Copy the generated /tmp/appcontrol-export.zip to your new console.
On the new console, edit the environment file to point to the database backup zip file. Uncomment IMPORTED_DB_LOCATION in /etc/policy-console-{version}.env and set its value to the absolute path to your downloaded /tmp/appcontrol-export.zip file.
After setting this variable, reboot the new policy console:
$ sudo service policy-console reboot
The size of the apps and profiles included in your old console's database may affect how long it takes the new console to start up. You can follow the progress of the upgrade by checking the logs. Ignore the error for root and look for the string "Import succeeded!".
$ sudo docker logs -f policy_console_database
...
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: NO)
Warning: Permanently added '192.10.20.30' (ECDSA) to the list of known hosts.
[CONSOLEDB] Downloading database from 192.10.20.30. This may take some time..
[CONSOLEDB] Database downloaded! Initializing import..
[CONSOLEDB] Import succeeded!
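Added example, not part of the vendor documentation: a shell function that applies the log rule given for both options, ignoring only the root/no-password ERROR 1045 and reporting whether "Import succeeded!" has appeared. The name import_status, its three status words, and the choice to surface every other ERROR line for review are assumptions of this example; the sample log is constructed from the excerpt above.

```shell
#!/bin/sh
# Added example: classify policy_console_database log output read on stdin.
# Prints succeeded | pending | errors on stdout (exit status 0 | 1 | 2).
# ERROR lines other than the documented one are copied to stderr.
import_status() {
    awk '
        # The one error the procedure says to ignore: root, no password given.
        /ERROR 1045 \(28000\): Access denied for user .root.@.localhost. \(using password: NO\)/ { next }
        /\[CONSOLEDB\] Import succeeded!/ { ok = 1 }
        # Assumption of this example: any other ERROR line deserves a look.
        /ERROR/ { other = other $0 "\n" }
        END {
            if (other != "") printf "%s", other > "/dev/stderr"
            if (ok)               { print "succeeded"; exit 0 }
            else if (other != "") { print "errors";    exit 2 }
            print "pending"; exit 1
        }'
}

# Constructed sample, modelled on the log excerpt shown on this page.
sample_log() {
cat <<'EOF'
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: NO)
Warning: Permanently added '192.10.20.30' (ECDSA) to the list of known hosts.
[CONSOLEDB] Downloading database from 192.10.20.30. This may take some time..
[CONSOLEDB] Database downloaded! Initializing import..
[CONSOLEDB] Import succeeded!
EOF
}

sample_log | import_status
```

On the new console host, feed it the real log with `sudo docker logs policy_console_database 2>&1 | import_status`; the `2>&1` is needed because docker logs replays the container's stderr on stderr.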
Once the database migration is finished, you can restore the environment file and use the console at https://{CONSOLE_IP}. To restore the environment file, comment out only the variables in the file /etc/policy-console-{version}.env that you uncommented during this migration process.
Note: The console allows HTTPS access only.
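Added example, not part of the vendor documentation: a check for the environment file used in both options, run once before the reboot (no quoted values) and once after the import (migration variables, including the clear-text CONSOLE_PASS and CONSOLE_SQLP, commented again). The function name audit_env, the finding labels and the world-readable check are assumptions of this example; the sample file is constructed.

```shell
#!/bin/sh
# Added example (not vendor code): audit migration variables in the env file.
MIGRATION_VARS='CONSOLE_IP CONSOLE_USER CONSOLE_PASS CONSOLE_SQLU CONSOLE_SQLP IMPORTED_DB_LOCATION'

# audit_env FILE PHASE, where PHASE is "pre" (before reboot) or "post" (after
# "Import succeeded!"). Prints one finding per line; returns 1 on any finding.
audit_env() {
    file=$1
    phase=$2
    findings=$(
        for var in $MIGRATION_VARS; do
            # Only uncommented assignments count; "#VAR=..." lines are skipped.
            line=$(grep -E "^[[:space:]]*${var}=" "$file" | tail -n 1)
            [ -n "$line" ] || continue
            value=${line#*=}
            case $phase:$value in
                (pre:\"*|pre:\'*) echo "QUOTED $var" ;;  # quotes are not allowed
                (post:*)          echo "ACTIVE $var" ;;  # should be commented again
            esac
        done
        # Assumption of this example, not a product requirement: while a
        # password variable is active, the file should not be world-readable.
        if grep -Eq '^[[:space:]]*CONSOLE_(PASS|SQLP)=' "$file" &&
           [ -n "$(find "$file" -prune -perm -004)" ]; then
            echo "WORLD_READABLE $file"
        fi
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample file; on a real host pass /etc/policy-console-{version}.env.
demo=$(mktemp)
cat > "$demo" <<'EOF'
CONSOLE_IP="10.12.15.9"
#CONSOLE_USER=mocana-map
CONSOLE_SQLP=changed-secret
EOF
audit_env "$demo" pre  || true
audit_env "$demo" post || true
rm -f "$demo"
```

In the "post" phase a variable that was already uncommented before the migration is also reported, so compare the findings with what you changed.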