Upgrading Oracle Cloud Infrastructure Images
When new Oracle Cloud Infrastructure Images become available and supported for Oracle Private Cloud Appliance, you can make them available for use in all existing tenancies with a single upgrade command. The images are stored in the /nfs/shared_storage/oci_compute_images directory on the ZFS Storage Appliance.
If you perform a full rack or management cluster upgrade, the new images are automatically added to your environment, in which case this procedure can be skipped. The image versions are tracked through the upgrade plan. Review the upgrade plan to verify if the images need to be upgraded.
An upgrade adds new Oracle Cloud Infrastructure Images to your environment, but it never removes any existing images. If you no longer need an image, you have the option to delete it using the deletePlatformImage command.
Adding New Images
- Using the Service Web UI
  - In the navigation menu, go to the Maintenance section and click Upgrade Plan. This provides an overview of current and target component versions.
  - Click Upgrade & Patching to display the Upgrade Jobs page.
  - In the top-right corner of the Upgrade Jobs page, click Create Upgrade or Patch. The Create Request window appears. Choose Upgrade as the Request Type.
  - Select the appropriate patch request type: Upgrade Rack.
  - Fill out the upgrade request parameters:
    - Action: To perform the upgrade or patch operation, select Apply.
    - Type: For upgrade, select ISO. The ULN option applies to patching.
    - Component: For Oracle Cloud Infrastructure images, select OCI Images.
    - Qualifier: This parameter is not required when adding Oracle Cloud Infrastructure images.
    - Verify Only: Enable this option to run the operation in verification only mode.
    - Force: Enable this option to force the operation. Use only when instructed by Oracle.
  - Click Create Request. The new upgrade request appears in the Upgrade Jobs table.
  - Confirm that the upgrade process is completed without errors. For more information, see Browse the Job Framework.
- Using the Service CLI
  - Enter the upgrade command.
      PCA-ADMIN> upgradeRack type=ISO action=APPLY component=OCIIMAGES
      JobId: c21f2253-8ab9-4491-ab01-5d9702f96bc5
      Data:
        Service request has been submitted. Upgrade Job Id = 1737620389632-oci-668679 Upgrade Request Id = UWS-a2e17445-eb02-466f-9d16-6b644b89866e
  - Use the job ID to check the status of the upgrade process.
      PCA-ADMIN> getUpgradeJob upgradeJobId=1737620389632-oci-668679
      Data:
        Upgrade Request Id = UWS-a2e17445-eb02-466f-9d16-6b644b89866e
        Name = oci
        Pid = 668679
        Host = pcamn01
        Log File = /nfs/shared_storage/pca_upgrader/log/pca-upgrader_oci_instance_images_2025_01_23-08.19.49.log
        Arguments = {"component_names":null,"diagnostics":false,"display_task_plan":false,"dry_run_tasks":false,"expected_iso_checksum":null,"fail_halt":false,"fail_upgrade":null,"image_location":null,"online_upgrade":null,"precheck_status":false,"repo_config_override":null,"result_override":null,"task_time":0,"test_run":false,"upgrade":false,"upgrade_to":null,"user_uln_base_url":null,"verify_only":false,"host_ip":null,"log_level":null,"switch_type":null,"epld_image_location":null,"checksum":null,"composition_id":null,"request_id":"UWS-a2e17445-eb02-466f-9d16-6b644b89866e","uln":null,"patch":"false"}
        Status = Passed
        Execution Time(sec) = 1083
        [...]
  - Confirm that the upgrade process is completed without errors. For more information, see Browse the Job Framework.
Resolving Security Vulnerabilities in OKE Clusters
At the end of the Oracle Cloud Infrastructure images upgrade or patch process, the Upgrader launches a background job to resolve any known CVEs that might affect existing clusters deployed through the Oracle Private Cloud Appliance Kubernetes Engine (OKE). When the new images have been imported, an OKE Service tool ensures that the running control plane nodes receive the latest available CVE fixes delivered with the new images.
The CVE fixes are applied in a fully automated way, but the process could be derailed by timing issues in the appliance upgrade or patching workflow. Thus, it is important for an appliance administrator to monitor the OKE background job and verify that CVE fixes have been applied successfully to all existing OKE clusters. Note that an error in OKE cluster patching will NOT cause the appliance upgrade or patching process to fail.
The status of the Oracle Cloud Infrastructure images upgrade or patch process indicates that the OKE Service tool has been run. It also provides the OCIDs of the OKE clusters found, and any work requests for cluster patching operations that should be tracked.
getUpgradeJob upgradeJobId=1724442488245-oci-35655
Data:
Log File = /nfs/shared_storage/pca_upgrader/log/pca-upgrader_oci_instance_images_<date>-<time>.log
[...]
Tasks 12 - Message = OKE Clusters CVE Patching initiated:
{"ocid1.cluster.<AK01234567>.<mypca>.63f7764a345d4d74a9abd5267ad55a28p6ixuw4ejzr73yugynu4lrwbcaao": "No operations performed",
"ocid1.cluster.<AK01234567>.<mypca>.ac198ab8583848e8947501f7061bde16mx17lm2u2rugld6u3ujxthgnygsj": "ocid1.workrequest.<AK01234567>.<mypca>.oke-g8l7kh306zlt59zb9vc4yvo532b1j4jwtffnmel83v1qif0q93lum7er"}
In the example, two active OKE clusters are found. The first cluster is using the latest image and does not need to be patched. The second cluster is out of date and needs to be updated with the latest available image. Use the work request to track the cluster update status from the OCI CLI, using the command: oci ce work-request get --work-request-id <workrequest_OCID>.
# oci ce work-request get --work-request-id ocid1.workrequest.<AK01234567>.<mypca>.oke-g8l7kh306zlt59zb9vc4yvo532b1j4jwtffnmel83v1qif0q93lum7er
{
  "data": {
    "compartment-id": "ocid1.compartment.<AK01234567>.<mypca>.ezbf00rrfc0qnoi8rofk3yzcbq0yeg9ly0gzf6caebv3ugogzm1v3qww5q9f",
    "id": "ocid1.workrequest.<AK01234567>.<mypca>.oke-g8l7kh306zlt59zb9vc4yvo532b1j4jwtffnmel83v1qif0q93lum7er",
    "operation-type": "UNKNOWN_ENUM_VALUE",
    "resources": [
      {
        "action-type": "UPDATED",
        "entity-type": "CLUSTER",
        "entity-uri": null,
        "identifier": "ocid1.cluster.<AK01234567>.<mypca>.ac198ab8583848e8947501f7061bde16mx17lm2u2rugld6u3ujxthgnygsj"
      }
    ],
    "status": "SUCCEEDED",
    "time-accepted": "2024-09-03T11:18:29.750438+00:00",
    "time-finished": "2024-09-03T11:36:19.313926+00:00",
    "time-started": "2024-09-03T11:18:36.451513+00:00"
  },
  "etag": "00fa0a51-a9dd-5455-f390-429a20817d6d"
}
If errors have occurred, and certain clusters were not updated based on the latest available image, first ensure that the cluster is in a good working state, then run the following command from one of the management nodes:
# kubectl exec -it -n oke <oke_pod_name> -c oke -- pca-oke-cluster-tool --action patch-cluster-cve
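Because an OKE patching error does not fail the upgrade job, a Passed status alone does not confirm that every cluster received its CVE fixes. The following added example (not Oracle's code) parses the cluster map from saved getUpgradeJob output and reports which clusters still lack a SUCCEEDED work request; the function names are hypothetical, and the sample output and shortened OCIDs are constructed.

```python
import json

MARKER = "OKE Clusters CVE Patching initiated:"
UP_TO_DATE = "No operations performed"

# Constructed sample modelled on the getUpgradeJob output in this section;
# the OCIDs are shortened placeholders, not real identifiers.
SAMPLE_JOB_OUTPUT = """Data:
  Status = Passed
  Tasks 12 - Message = OKE Clusters CVE Patching initiated:
{"ocid1.cluster.EXAMPLE.mypca.aaaa": "No operations performed",
"ocid1.cluster.EXAMPLE.mypca.bbbb": "ocid1.workrequest.EXAMPLE.mypca.oke-cccc"}
"""

# Constructed response with the fields of the work-request output shown above.
SAMPLE_WORK_REQUEST = """{"data": {"id": "ocid1.workrequest.EXAMPLE.mypca.oke-cccc",
 "resources": [{"action-type": "UPDATED", "entity-type": "CLUSTER",
                "identifier": "ocid1.cluster.EXAMPLE.mypca.bbbb"}],
 "status": "SUCCEEDED"}}"""


def parse_cve_patching(job_output):
    """Return the {cluster OCID: result} map reported by the CVE patching task."""
    start = job_output.find(MARKER)
    if start < 0:
        raise ValueError("OKE CVE patching task not found in job output")
    # Decode the first JSON object after the marker, ignoring trailing text.
    brace = job_output.index("{", start)
    mapping, _ = json.JSONDecoder().raw_decode(job_output[brace:])
    return mapping


def cluster_patched(response_text, cluster_ocid):
    """True only if the work request succeeded and lists this cluster."""
    data = json.loads(response_text)["data"]
    touched = {r.get("identifier") for r in data.get("resources") or []}
    return data.get("status") == "SUCCEEDED" and cluster_ocid in touched


def needs_follow_up(job_output, responses):
    """Clusters not confirmed patched; responses = {work request OCID: JSON text}."""
    pending = []
    for cluster, result in parse_cve_patching(job_output).items():
        if result == UP_TO_DATE:
            continue  # already on the latest image
        reply = responses.get(result)  # unknown result strings have no reply
        if reply is None or not cluster_patched(reply, cluster):
            pending.append(cluster)
    return pending
```

Populate `responses` with the output of oci ce work-request get for each work request OCID in the map; any cluster returned by `needs_follow_up` is a candidate for the manual patch-cluster-cve action above.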