Docker upgrades
Upgrading PingAuthorize Server using Docker
When using Docker, instead of upgrading PingAuthorize Server, you deploy a container with the new PingAuthorize version and use the same server profile.
About this task
If you deployed a container using a server profile, when you want to deploy a newer PingAuthorize Server version, you deploy a container with that version using the same server profile.
Steps
-
For more information, see https://devops.pingidentity.com/reference/config/.
(The server profiles for Docker deployments differ from those discussed in Deployment automation and server profiles.)
Upgrading the PingAuthorize Policy Editor using Docker
If you originally installed the Policy Editor with Docker per Deploying PingAuthorize Policy Editor using Docker, use this procedure to upgrade the PingAuthorize Policy Editor when a new version is released.
Steps
-
In your current Policy Editor, complete the steps in Backing up policies.
-
Stop the old Docker container and start the new one.
When a new Docker image for the PingAuthorize Policy Editor is available, you stop the existing Docker container and start the new container from the new image while mounting the same volumes.
If you use a shared volume, you should always stop the Docker container running the older version of the Policy Editor before you start the new container.
The following commands stop the running container and run a new image named <pap_new>. This image uses the volumes from <pap_old> to house the policy database. Also, the command uses the same
PING_H2_FILE
location from pingauthorize_server_administration_guide:paz_start_pe.adoc#section_mv2_1kv_5lb.-
The Ping Identity DevOps Docker images use the PingAuthorize
setup
tool to update the H2 policy database on the mounted volume. If you store your policies in a PostgreSQL database, follow the instructions in Deploying PingAuthorize Policy Editor using Docker to update your policy database. -
For proper communication between containers, create a Docker network using a command such as
docker network create --driver <network_type> <network_name>
, and then connect to that network with the--network=<network_name>
option.
$ docker container stop <pap_old> $ docker run --network=<network_name> --name <pap_new> \ -p 443:1443 -d --env-file ~/.pingidentity/config \ --volumes-from <pap_old> \ --env PING_H2_FILE=/opt/out/Symphonic \ pingidentity/{PAP_CONTAINER_NAME}:<TAG>
The Docker image <TAG> used in the example is only a placeholder. For actual tag values, see Docker Hub (https://hub.docker.com/r/pingidentity/pingauthorizepap).
The
setup
tool uses the default credentials to upgrade the policy database. If the credentials no longer match the default values, the server administrator should pass the correct credentials to thesetup
tool using thePING_DB_ADMIN_USERNAME
,PING_DB_ADMIN_PASSWORD
,PING_DB_APP_USERNAME
, andPING_DB_APP_PASSWORD
UNIX environment variables.For example, if the old policy database admin credentials have been previously set to admin/Passw0rd, and the application credentials have been set to app/S3cret, the docker
run
command should include those environment variables as shown in this example.$ docker container stop <pap_old> $ docker run --network=<network_name> --name <pap_new> \ -p 443:1443 -d --env-file ~/.pingidentity/config \ --env PING_H2_FILE=/opt/out/Symphonic \ --env PING_DB_ADMIN_USERNAME=admin \ --env PING_DB_ADMIN_PASSWORD=Passw0rd \ --env PING_DB_APP_USERNAME=app \ --env PING_DB_APP_PASSWORD=S3cret \ pingidentity/{PAP_CONTAINER_NAME}:<TAG>
The Docker image <TAG> used in the example is only a placeholder. For actual tag values, see Docker Hub (https://hub.docker.com/r/pingidentity/pingauthorizepap).
This command ensures that the
setup
tool has the correct credentials to access the policy database, and that it does not reset credentials to their defaults. -
-
In the new Policy Editor, complete the steps in Upgrading the Trust Framework and policies.