Docker upgrades

Upgrading PingAuthorize Server using Docker

When using Docker, instead of upgrading PingAuthorize Server, you deploy a container with the new PingAuthorize version and use the same server profile.

About this task

If you deployed a container using a server profile, when you want to deploy a newer PingAuthorize Server version, you deploy a container with that version using the same server profile.

Steps

For more information, see https://devops.pingidentity.com/reference/config/.

The server profiles for Docker deployments differ from those discussed in Deployment automation and server profiles.

Upgrading the PingAuthorize Policy Editor using Docker

If you originally installed the Policy Editor with Docker per Deploying PingAuthorize Policy Editor using Docker, use this procedure to upgrade the PingAuthorize Policy Editor when a new version is released.

Steps

In your current Policy Editor, complete the steps in Backing up policies.

Stop the old Docker container and start the new one.

When a new Docker image for the PingAuthorize Policy Editor is available, you stop the existing Docker container and start the new container from the new image while mounting the same volumes.

If you use a shared volume, you should always stop the Docker container running the older version of the Policy Editor before you start the new container.

The following commands stop the running container and run a new image named <pap_new>. This image uses the volumes from <pap_old> to house the policy database. Also, the command uses the same PING_H2_FILE location from Example: Override the configured policy database location.

The Ping Identity DevOps Docker images use the PingAuthorize setup tool to update the H2 policy database on the mounted volume. If you store your policies in a PostgreSQL database, follow the instructions in Deploying PingAuthorize Policy Editor using Docker to update your policy database.
For proper communication between containers, create a Docker network using a command such as docker network create --driver <network_type> <network_name>, and then connect to that network with the --network=<network_name> option.

$ docker container stop  <pap_old>
$ docker run --network=<network_name>  --name  <pap_new>  \
    -p 443:1443 -d --env-file ~/.pingidentity/config \
    --volumes-from  <pap_old>  \
    --env PING_H2_FILE=/opt/out/Symphonic \
    pingidentity/{PAP_CONTAINER_NAME}:<TAG>

The Docker image <TAG> used in the example is only a placeholder. For actual tag values, see Docker Hub (https://hub.docker.com/r/pingidentity/pingauthorizepap).

The setup tool uses the default credentials to upgrade the policy database. If the credentials no longer match the default values, the server administrator should pass the correct credentials to the setup tool using the PING_DB_ADMIN_USERNAME, PING_DB_ADMIN_PASSWORD, PING_DB_APP_USERNAME, and PING_DB_APP_PASSWORD UNIX environment variables.

For example, if the old policy database admin credentials have been previously set to admin/Passw0rd, and the application credentials have been set to app/S3cret, the docker run command should include those environment variables as shown in this example.

  $ docker container stop  <pap_old>
  $ docker run --network=<network_name>  --name  <pap_new>  \
  -p 443:1443 -d --env-file ~/.pingidentity/config \
  --env PING_H2_FILE=/opt/out/Symphonic \
  --env PING_DB_ADMIN_USERNAME=admin \
  --env PING_DB_ADMIN_PASSWORD=Passw0rd \
  --env PING_DB_APP_USERNAME=app \
  --env PING_DB_APP_PASSWORD=S3cret \
  pingidentity/{PAP_CONTAINER_NAME}:<TAG>

The Docker image <TAG> used in the example is only a placeholder. For actual tag values, see Docker Hub (https://hub.docker.com/r/pingidentity/pingauthorizepap).

This command ensures that the setup tool has the correct credentials to access the policy database, and that it does not reset credentials to their defaults.

In the new Policy Editor, complete the steps in Upgrading the Trust Framework and policies.