Forum Discussion

jomedusa
Nov 30, 2023

Upgrade F5 Deploy Hotfix deployment

We are upgrading our LTMs to 16.1.4.1 Build 5 and had a question about installing the hotfix. Should I install the hotfix initially when I upgrade the system?

Thanks,

Joe

  • Hi Jomedusa,

     

    You cannot install on a current working partition.

    So use an unused partition or rewrite an unused partition.

    Now you must upload the necessary base OS files and hotfixes to /shared/images on the F5, using WinSCP as shown below in the images or using the GUI, whichever is convenient for you. Don't forget to take a backup and do the license reactivation on the standby, else it will cause a failover. Do only one box at a time if you are working in a cluster; once one box is done, make it primary and move the primary to standby, and only then do the 1st box. Also check that your boxes are covered under F5 Support before moving on to the OS installation on a new partition:

    We call it an OS upgrade, but technically we install a new partition with the new OS and hotfix and then reboot the F5 into the new partition. We never touch the present working partition, as it can be used for any contingency or OS failure, for restore purposes, by booting back to the old working partition. Please be informed that during the entire process the present working partition is not touched for any changes.

    1. To install the hotfix image, use the following command syntax:

      Note: Include the create-volume option if you are adding a new volume to the system for the hotfix installation.

      install sys software hotfix <hotfix_name>.iso volume <volume_name> [create-volume]

      For example, to install a hotfix on HD1.1, the command appears similar to the following example in tmsh mode. It will install the base file automatically, on the condition that all the OS files, hotfix and engineering HF are available in /shared/images on the F5 before starting installation on a new partition:

      install sys software hotfix Hotfix-BIGIP-16.1.4.1.0.50.5-ENG.iso volume HD1.1

      Post installation test:

       

      root@(TEST_LAB-002)(cfg-sync Disconnected)(Standby)(/Common)(tmos)# show sys software

      --------------------------------------------------------------------
      Sys::Software Status
      Volume  Product  Version   Build   Active  Status    Allowed Version
      --------------------------------------------------------------------
      HD1.1   BIG-IP   16.1.4.1  0.50.5  yes     complete  yes
      HD1.2   BIG-IP   16.1.3.5  0.0.5   no      complete  yes

      ---------------------------
      Sys::Software Update Check
      ---------------------------
      Check Enabled      true
      Phonehome Enabled  true
      Frequency          weekly
      Status             none
      Errors             0

      root@(TEST_LAB-002)(cfg-sync Disconnected)(Standby)(/Common)(tmos)# load sys config verify
      Validating system configuration...
      /defaults/asm_base.conf
      /defaults/config_base.conf
      /defaults/ipfix_ie_base.conf
      /defaults/ipfix_ie_f5base.conf
      /defaults/low_profile_base.conf
      /defaults/low_security_base.conf
      /defaults/policy_base.conf
      /defaults/analytics_base.conf
      /defaults/apm_base.conf
      /defaults/apm_oauth_base.conf
      /defaults/apm_pua_ssh_base.conf
      /defaults/apm_saml_base.conf
      /defaults/app_template_base.conf
      /defaults/classification_base.conf
      /var/libdata/dpi/conf/classification_update.conf
      /defaults/ips_base.conf
      /var/libdata/ips/ips_update.conf
      /defaults/daemon.conf
      /defaults/pem_base.conf
      /defaults/profile_base.conf
      /defaults/sandbox_base.conf
      /defaults/security_base.conf
      /defaults/urldb_base.conf
      /usr/share/monitors/base_monitors.conf
      /defaults/cipher.conf
      /defaults/ilx_base.conf
      Validating configuration...
      Loading schema version: 16.1.3.5
      /config/bigip_base.conf
      /config/bigip_user.conf
      /config/bigip.conf
      Loading schema version: 16.1.4.1
      There were warnings:
      diffie-hellman-group-exchange-sha256 not supported. Replacing with default "ECDH_SHA2_NISTP256"

      I have done 1000+ OS upgrades in the last many years. Please let me know if I can be of any help answering your queries regarding the OS upgrade; I will be glad to assist you.

      Reference document link

      https://my.f5.com/manage/s/article/K13123

      HTH

      🙏

       

    • jomedusa

      Thanks so much for the responses... One final question: the host is not running the hotfix, it is running the base image of 16.1.4.1. Will it be an issue if the guest is running the hotfix?

      • Host/parent OS and guest/child OS are independent of each other.

        You can check the host/guest compatibility matrix on the F5 site.

        They can also be compatible with one on 26.x and the child on 14.x, but it's always recommended to have the latest version of OS and hotfix on all the parents as well as the guests where possible. When doing a host/guest upgrade, change the state of the guest from deployed to provisioned, and vice versa, to preserve their config from being corrupted. In the same way as we force offline, just shut down all the standby child vCMP guests gracefully on one side (standalone parent) before starting to upgrade the parent/host.

         

        K14088: vCMP host and compatible guest version matrix - MyF5 | Support https://my.f5.com/manage/s/article/K14088

        https://my.f5.com/manage/s/article/K75476930

  • Hi jomedusa,

    Yes, you have to install the hotfix before updating your system and test if the solution applied in the hotfix works correctly.

    The steps are:

    1. Install the OS 16.1.4.1 base in a new disk partition, for example disk 1.3.

    2. Install the hotfix in the same disk partition 1.3.

    3. Boot the partition 1.3 and test the new OS and hotfix.

    Hope it works.
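
As an added example (not part of the thread and not F5 code), these shell functions encode two checks from the answers above: never target the active volume, and after installation confirm that the new volume reports the expected version and build with status complete. The function names are assumptions; the sample rows are the ones posted above, and on a real unit the input would come from `tmsh show sys software`.

```sh
#!/bin/sh
# Added example: guard and verification checks around a BIG-IP hotfix install,
# driven by the text of "show sys software" read from stdin.

# Sample rows copied from the post-install output posted in the thread.
SAMPLE='Volume Product Version Build Active Status Allowed Version
HD1.1 BIG-IP 16.1.4.1 0.50.5 yes complete yes
HD1.2 BIG-IP 16.1.3.5 0.0.5 no complete yes'

# Emit "volume version build active status" for each volume row on stdin.
# Assumes volume names of the form HDx.y or MDx.y, as in the thread.
parse_volumes() {
  awk '$1 ~ /^(HD|MD)[0-9]+\.[0-9]+$/ && NF >= 6 { print $1, $3, $4, $5, $6 }'
}

# Print the volume the system is currently booted from (Active = yes).
active_volume() {
  parse_volumes | awk '$4 == "yes" { print $1; exit }'
}

# Succeed only if $1 is not the active volume. A volume that is not listed
# yet is accepted: it would be created with the create-volume option.
is_install_target() {
  _active=$(active_volume)
  [ -n "$_active" ] && [ "$1" != "$_active" ]
}

# Succeed only if volume $1 reports version $2, build $3 and status "complete".
verify_volume() {
  parse_volumes | awk -v v="$1" -v ver="$2" -v b="$3" '
    $1 == v { found = ($2 == ver && $3 == b && $5 == "complete") }
    END { exit(found ? 0 : 1) }'
}

# Demo on the sample rows.
echo "active volume: $(printf '%s\n' "$SAMPLE" | active_volume)"
printf '%s\n' "$SAMPLE" | is_install_target HD1.3 && echo "HD1.3: ok to install"
printf '%s\n' "$SAMPLE" | is_install_target HD1.1 || echo "HD1.1: refused (active)"
printf '%s\n' "$SAMPLE" | verify_volume HD1.1 16.1.4.1 0.50.5 && echo "HD1.1: verified"
```
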