Upgrading

New versions of Puppet Comply are released regularly. Upgrading to the current version ensures you are always taking advantage of the latest features, fixes, and improvements.

Upgrade Comply in an online environment

Check for download and deploy updates from the Version history tab in the Puppet Application Manager UI.

  1. In the platform admin console, click Version history.
  2. Click Check for updates.
    Configure an automatic update check by clicking Configure automatic updates. You can check for updates hourly, every four hours, daily, weekly, or at a custom interval.
  3. If an update is available, Puppet Application Manager downloads it for you and performs preflight checks on your system to make sure your cluster meets system requirements for the new version. Review the outcome of these checks by clicking View preflight.
  4. When you're ready to upgrade to the new version of Comply, click Deploy.

Upgrade Comply in an offline environment

If your environments do not have direct access to the internet, use the links below to upgrade to the latest version of Comply.

  1. Navigate to the portal provided to you by Puppet in the licence email, for example, https://get.replicated.com/airgap/#/kots/comply/, and login with the password.
  2. Select Embeded cluster and download the latest Comply release .airgap file.
  3. Log into Puppet Application Managerhttps://<PLATFORM-ADMIN-CONSOLE-ADDRESS>:8800.
  4. Select Version history, and upload the new version of the .airgap file that you downloaded in step 2.
  5. Click Deploy.

Upgrade the comply module

Upgrade to the latest version of the comply module in Puppet Enterprise (PE).

Note: Take note of module dependencies when upgrading to a new major version — you need to upgrade these as well.
  1. Update your Puppetfile with the latest version of the comply module and its dependencies. For example:
    # Puppet comply module
    mod 'puppetlabs-comply', '1.0.5'
    
    # dependencies for comply
    mod 'puppet/archive', '4.6.0'
    mod 'puppetlabs/chocolatey', '5.2.1'
    mod 'puppetlabs/inifile', '4.4.0'
    mod 'puppetlabs/java', '6.5.0'
    mod 'puppetlabs/ruby_task_helper', '0.6.0'
    mod 'puppetlabs/stdlib', '6.6.0'
    mod 'puppetlabs/powershell', '4.1.0'
    mod 'puppetlabs/registry', '3.2.0'
    mod 'puppetlabs/pwshlib', '0.8.0'
  2. SSH into your PE primary server and deploy code by running the puppet-code deploy --all command.

Upgrade the CIS assessor

When you upgrade the comply module, new nodes are classified with the latest CIS assessor version. Existing nodes stay on the previous CIS assessor version. This lets you select when you want to upgrade the assessor on each node.

  1. Navigate to Comply — located at https://[COMPLY-HOSTNAME]/ — and click Settings.
  2. Download the new CIS assessor file and save it in a location accessible to your nodes.
  3. Navigate to Puppet Enterprise (PE), and click Node groups.
  4. Update the scanner_source parameter of your comply class node group with the new assessor file.
  5. Run Puppet to install the latest version of the assessor.
    Note: If this fails, you can revert changes to the scanner_source parameter of your comply class node group to get the old assessor back.
  6. When you have upgraded the new assessor, remove the backup assessor. Run comply::backup_assessor task with the operation = delete parameter.
What to do next
Reset desired compliance to use the latest CIS benchmarks.