Version-Specific Upgrades (Docker)
Last updated
Was this helpful?
Last updated
Was this helpful?
Some Connectware upgrades require you to follow a few additional steps when upgrading Connectware to a newer version.
Please consider that this release includes breaking changes and requires manual upgrade steps. If the current changes aren't immediately necessary for your implementation, we recommend waiting for the upcoming 1.12.0 release, which will also require manual upgrade steps. In case of questions, our Customer Success team is able to advise you.
Connectware 1.11.0 introduces NATS as its new Control Plane message bus and distributed state storage. As a result, you’ll need to follow a few additional steps when updating to Connectware 1.11.0 or later.
Network Port Requirements: Make ports TCP/4222 and TCP/4223 accessible both within Connectware and by agents.
Prepare Certificate Changes: Configure the new cybus_nats_server.crt certificate to include the hostname nats and any external DNS names for Connectware when using external agents.
Configure DNS Names: Define the hostnames and IPs that will be included in the NATS Server certificate.
Configure mTLS Agents: Set up agents to connect via NATS port 4222 using mTLS authentication.
Configure non-mTLS Agents: Set up agents to connect via WebSocket Secure port 4223 without mTLS.
Upgrade Connectware: Download and install Connectware 1.11.0.
Hardware resources: Connectware 1.11.0 introduces two new microservices (resource-status-tracking and nats) to its architecture. This upgrade requires additional computing power. We recommend to add 3 CPU cores and 3 GB of memory to your current setup. However, these are general guidelines - check what your specific system needs and make adjustments accordingly.
Connectware 1.11.0 introduces new network port requirements. Configure your network so that the following ports are accessible both within Connectware and by agents:
TCP/4222
TCP/4223
Minimal requirements: For installations requiring minimal firewall openings, you can configure the following:
Port TCP/4222 must be accessible within the Connectware network
For agents using mTLS authentication, port TCP/4222 must be accessible
For agents using username/password authentication, port TCP/4223 must be accessible
Verify both internal and external port accessibility to ensure proper communication between Connectware and its agents.
Connectware 1.11.0 introduces a new cybus_nats_server.crt certificate which must contain the hostname nats, as well as the external DNS name of Connectware if you are using any external agents. The configuration depends on whether you are using the built-in certificate infrastructure or a custom infrastructure.
2.1 When Using the Built-in Certificate Infrastructure
If you're using the built-in certificate infrastructure:
When updating DNS names, you must add the DNS name used by external agents to connect to Connectware.
Be aware that the upgrade will regenerate the certificate.
This may affect systems using certificate pinning.
Update any certificate pinning configurations after the upgrade.
2.2 When Using Custom Certificates
If you have modified the certificate infrastructure or use a custom cybus_server.crt:
Prepare a new cybus_nats_server.crt certificate that meets these requirements:
Must be signed by your existing Certificate Authority (CA).
Must include nats as a Subject Alternative Name (SAN).
Must include your external Connectware DNS name as a SAN.
Installation steps:
Install the new certificate before starting the upgrade.
Certificate protection (optional): To prevent your custom certificate from being replaced during the upgrade, set the environment variable CYBUS_DISABLE_NATS_CERTIFICATE_CHECKS to true on the system-control-server in your docker-compose.override.yaml file.
The CYBUS_INGRESS_DNS_NAMES environment variable specifies the hostnames and IP addresses that will be included in the Subject Alternative Names (SAN) section of the NATS server certificate. This certificate is automatically generated by Connectware.
To enable agent connections to the Control Plane, you must configure the DNS names in the .env file located in the main Connectware installation directory.
Example
For a basic setup where Connectware runs on a host named company.io, set:
You can specify multiple values by separating them with commas. This allows you to define any hostnames, wildcard domains, and IP addresses that agents use to connect to the Control Plane. All values are added to the certificate's SAN field, enabling secure agent connections through any of the configured access points.
Example
For agents using mTLS authentication, configure the Control Plane connection using NATS and the port 4222.
For agents running with Docker Compose, set the CYBUS_CONTROLPLANE_URI environment variable in their docker-compose.yml file:
Example
For agents running without Docker Compose, set the CYBUS_CONTROLPLANE_URI environment variable according to your deployment method.
For agents not using mTLS authentication, configure the Control Plane connection using WebSocket Secure (WSS) and the port 4223.
For agents running with Docker Compose, set the CYBUS_CONTROLPLANE_URI environment variable in their docker-compose.yml file:
Example
For agents running without Docker Compose, set the CYBUS_CONTROLPLANE_URI environment variable according to your deployment method.
When using agents with username and password, you can configure the authentication of the agents to the Connectware server during Control Plane connections. You have two options:
Set the TRUST_ALL_CERTS environment variable on the agent to bypass certificate verification entirely
Authenticate using certificates. For certificate authentication, ensure that the agent trusts the CA certificate that signed Connectware's cybus_nats_server.crt. This is only done automatically if you are using a globally trusted certificate for Connectware - otherwise, you need to provide the agent with the appropriate CA certificate.
The following table shows the result of configuring TRUST_ALL_CERTS and providing the CA certificate.
CA certificate
Value of TRUST_ALL_CERTS
Behavior
Log shown during connection
Not Configured
true
Default: The connection to Control Plane (NATS) will not validate certs and will trust all certs.
CA certificate not found, trusting all certificates for NATS connection.
Not Configured
false
The connection to Control Plane (NATS) will try to use the system trust store to do certificate validation. This will only work when the CAs being used in Connectware are signed by a well known CA authority or when self-signed CAs were added to the system trust store.
CA certificate not found, using system trusted CAs for NATS connection.
Configured
true
The connection to Control Plane (NATS) will not validate server certs and will trust any cert.
CA certificate found, but trusting all certificates for NATS connection.
Configured
false
The connection to Control Plane (NATS) will validate server certs and will not trust any cert.
CA certificate found, using it for NATS connection with CA verification.
Connectware 1.7.0 affects the backward compatibility of the Connectware broker. Older broker data volumes are not compatible with brokers of Connectware 1.7.0 and newer. Upgrading to Connectware 1.7.0 requires additional upgrade procedures.
Additionally, multi-factor authentication (MFA) is now controlled via a dedicated configuration switch.
This upgrade will delete all persisted data of the Connectware broker. This includes client sessions, subscriptions, and retained data. If your configuration relies on any type of data persisted by the broker, make sure to properly initialize your applications after the upgrade.
If you rely on persisted data, create a backup or snapshot of the broker data volumes. This allows you to roll back in case of complications.
To stop Connectware, go to the Connectware installation directory (default: /opt/connectware) and run docker compose down.
Delete the broker data volume of Connectware. Find the broker data volume in the list of volumes with docker volume ls and delete it with docker volume rm <connectware_brokerData>.
If you are using multi-factor authentication (MFA), set the environment variable CYBUS_MFA_ENABLED to true inside your .env file.
This section describes the upgrade of a Cybus Connectware installation from a previous 1.x version to 1.5.0 and later.
The additional upgrade steps require you to use the docker-compose.override.yml file. If you already use such a file in your Connectware installation directory make sure to create a backup of this file to later restore.
In Connectware 1.5.0, we’ve enhanced security by primarily using a system user with limited permissions, following the principle of using the least amount of privilege needed for our software components.
As a result, you’ll need to follow a few additional steps when updating to Connectware 1.5.0 or later.
The first part of this document covers updating Connectware, while the second part focuses on agents.
With the introduction of Connectware 1.5.0, which prefers to use a system user with limited privileges whenever possible, you’ll need to modify the permissions of your volumes. This ensures that the system user has the necessary write access to the existing volumes in your setup.
The following protocols may not operate as expected in some constellations:
If you experience problems with these protocols after upgrading to Connectware 1.5.0, these affected services may require root permissions and are no longer supported by the internal protocol-mapper or agents without root permissions.
In this case, you should transfer the service that uses these protocols to a separate agent. This agent can have higher permissions but in a controlled manner.
As an additional step for this upgrade, we offer a docker-compose.override.yml file, which will help you adjusting volume permissions. The upgrade will consist of the following steps:
Shut down Connectware
Save the provided file as docker-compose.override.yml in the same folder as your Connectware docker-compose.yml
Start the the Docker composition to adjust volume permissions
Remove the docker-compose.override.yml file
Upgrade Connectware using the connectware-online-installer.sh script
Run docker compose down to remove the temporary permissions fix container. Run the command as you would usually do, be that as a regular user, using sudo or as the user root directly. Next, delete the file docker-compose.override.yml. If you used a docker-compose.override.yml in your installation before this update, restore your original file.
Download and run the Connectware online installer like for other updates:
Run the commands as you would usually do, be that as a regular user, using sudo or as the user root directly. After updating you can start Connectware as usual.
If you wish to verify that Connectware services run with an unprivileged user, you can optionally run this command:
Only the service container-manager should be using the user ID 0.
In case of any questions or trouble, feel free to contact Cybus Support.
In order to upgrade your agents, you need to decide between these two options:
Adjust volume permissions to allow the unprivileged system user to write data (recommended) OR
Adjust your docker composition to continue running with higher privileges
To benefit from the improvements to security, we recommend to adjust volume permissions over continuing to run with higher privileges.
If you are using HBM DAQ or OPC DA, you may need to follow the second option of continuing with higher privileges.
If you choose to adjust volume permissions, we offer a docker-compose.override.yml which will help you adjusting volume permissions. The upgrade will consist of the following steps:
Shut down the agent
Save the provided file as docker-compose.override.yml in the same folder as your agent’s docker-compose.yml
Start the the Docker composition to adjust volume permissions
Remove the docker-compose.override.yml file
Upgrade the agent by adjusting the image tag in your docker-compose.yml file
Use this file as docker-compose.override.yml:
If you use a different name for your agent Docker service and volume than our example, you need to adjust the highlighted line to the name you use for your agent and its volume inside your docker-compose.yml file.
If you already have a docker-compose.override.yml file for your agent’s installation directory, make sure to rename it before storing this file as docker-compose.override.yml.
Run docker compose down to remove the temporary permissions fix container. Run the command as you would usually do, be that as a regular user, using sudo or as the user root directly. Next, delete the file docker-compose.override.yml. If you used a docker-compose.override.yml for your agent before this update, restore your original file.
Set the image tag used for the agent to the same tag that your current Connectware installation uses, but at least 1.5.0. If you have not yet upgraded your Connectware to at least version 1.5.0, please do so now.
Example:
You can now start your agent as usual, for example by running docker compose up -d. Run the command as you would usually do, be that as a regular user, using sudo or as the user root directly.
In case of any questions or trouble, feel free to contact Cybus Support.
If you have not yet upgraded your Connectware to at least version 1.5.0, please do so first.
As an alternative to modifying volume permissions, or if you use a protocol that requires elevated permissions, you can modify your agent’s docker-compose.yml file to specify the system user which is used for the container.
To do so, simply add user: root to the docker compose service of your agent, while adjusting the image tag to the same tag that your current Connectware installation uses, but at least 1.5.0, as highlighted in this example:
You can now start your agent as usual, for example by running docker compose up -d. Run the command as you would usually do, be that as a regular user, using sudo or as the user root directly.
If you use a docker run command, you can simply add --user=root to the command.
In case of any questions or trouble, feel free to contact Cybus Support.
Here is an overview of the required steps to upgrade your Connectware installation to version 1.11.0. For complete step-by-step instructions, see .
Connectware version: Your Connectware version is 1.7.3 or above. If your Connectware installation is below 1.7.3, make sure that you have followed and before upgrading to 1.11.0.
Do NOT proceed with the upgrade until you've completed .
Update your .env file to include the same external DNS name used in your certificate (See ).
Each agent requires a Control Plane URI environment variable that references one of the CYBUS_INGRESS_DNS_NAMES hostnames that you have defined in . Configure this variable in the agent's docker-compose.yml file or via command line.
Agents will use their existing mTLS certificates as configured during the initial agent installation. No additional certificate configuration is required during the upgrade process, provided the agents were previously set up with valid mTLS certificates according to .
Each agent requires a Control Plane URI environment variable that references one of the CYBUS_INGRESS_DNS_NAMES hostnames that you have defined in . Configure this variable in the agent's docker-compose.yml file or via command line.
To upgrade Connectware to 1.11.0, see .
Important: If your Connectware installation is below 1.5.0, make sure that you have followed before upgrading to 1.7.0.
Download and install the new Connectware version. For more information, see .
To learn how to configure an agent to operate with root permissions, check out the section on .
Connectware agents are ideally orchestrated using Docker Compose as described in .