PhoneBoy
Admin

Central Deployment Tool v1.5 (CDT) has been released

I am happy to announce the release of version 1.5 of the CDT – Central Deployment Tool.

 

While previous versions of CDT introduced automatic upgrades or HF installations on multiple gateways and clusters, the new version introduces new ways to automate your deployments:

 

- Basic Flow – same as previous versions, and with the same syntax – you can use the CDT to upgrade or install hotfixes on multiple gateways. Cluster upgrades are performed automatically, and the management objects are upgraded automatically.

- Advanced Flow – you can now prepare a complete deployment plan that will be executed on all gateways and clusters by the CDT. The deployment plan is a set of actions such as: install a package, uninstall a package, download package from cloud, push/pull files, take snapshot, run script, etc. As with the basic flow, CDT automatically controls cluster upgrades, and upgrades the management objects as well.

- RMA – CDT now allows you to automate your RMA process. You can use the CDT to collect version and configuration information from all of your gateways, and use the CDT to automatically restore the GW on a new appliance after RMA. All you need to do is set the IP on the new appliance, and run CDT to restore the gateway.

 

Please visit SK111158 for download and usage instructions.

25 Replies
Yasushi_Kono1
Contributor

Hi Daemon,

I had a splendid experience with version 1.0 of this tool. It was a joy to upgrade many Check Point clusters almost unattended. There was only one file to be configured (CentralDeploymentTool.xml) and it was quite easy to carry out upgrade procedures. You could specify whether to perform "MINOR" Upgrades (i.e. hotfix installations) or "MAJOR" Upgrades (i.e. from R77.30 to R80.10).

In the upgrade admin guide of v1.5, there is no mention of upgrading from R77.30 to R80.10 anymore. The only options mentioned there are SmartUpdate and CPUSE. Why not CDT?

Say 'hello' to Dmitry!

Kind regards,
Yasushi

PhoneBoy
Admin

I assume CDT would simply be using CPUSE to perform the major upgrade anyway, but maybe I'm missing something.

 https://community.checkpoint.com/people/tsahi330fad5c-65ab-41ad-8761-bd74072bb273‌?

Vincent_Bacher
Advisor

Yes, CDT just uses CPUSE for packet installation. All commands are being sent to the gateways using cprid.

Recently I upgraded round about 20 clusters from 77.30 to 80.10 and jumbo take 56 in one deployment plan and it worked well. 

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite
K__P__Kennedy
Employee Alumnus

Can the CDT be used in conjunction with the API? It doesn't sound like it based on this. Are there any plans to allow the API to leverage the CDT?

0 Kudos
Tsahi_Etziony
Employee

The CDT is not based on the API because it supports different versions including versions without API. However, based on the success of the CDT, we are working on adding central deployment capabilities as part of SmartConsole, and all of these capabilities will have APIs. 

Tsahi_Etziony
Employee

Yasushi Kono wrote:

In the upgrade admin guide of v1.5, there is no mention of upgrading from R77.30 to R80.10 anymore. The only options mentioned there are SmartUpdate and CPUSE. Why not CDT?

 

Are you talking about the CDT admin guide or the R80.10 upgrade guide?

CDT v1.5 can do everything previous versions did and much more.

As a matter of fact, you don't even need to configure MINOR, MAJOR or HOTFIX anymore because CDT now examines the packages before sending them and automatically detects the upgrade type.

Tsahi

G_W_Albrecht
Legend

CDT is a powerful tool that really can do a lot!

CCSE CCTE CCSM SMB Specialist
Vincent_Bacher
Advisor

Just for info in case anybody runs into the same issues: I just faced two issues in cdt.

Cdt hung in post policy preparation stage.

First issue was that fingerprint changed and cdt could not handle to answer the question to accept the new fingerprint. In our case it was because of migrate import and upgrade before cdt was run.

Solution was to run the mgmt_cli command manually and accept the fingerprint, then run cdt again.

Second issue was because of Gaia portal runs on different port than 443 on sms. So cdt was stuck.

Entering "export MGMT_CLI_PORT=<port number>" solved it.

Cdt team will fix that.

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite
Robert_Decker
Advisor

Hi Vincent,

Your actions to the problems listed are accurate.

How did you come to these actions? On your own or got some help?

Robert.

0 Kudos
Vincent_Bacher
Advisor

Hi Robert,

Unfortunately not on my own.

A guy from cdt team and one of the management team helped me.

Best regards

 Vincent

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite
0 Kudos
Borut
Collaborator

Hi

I'm trying to learn and use CDT and stumble on the first step - Candidate list generation.

When trying the syntax from the manual, CDT reports Invalid number of arguments:

[Expert@mgmt:0]# ./CentralDeploymentTool -generate -candidates=test.csv
Thu Jun 28 13:01:27 2018 *A* [Main]: Central Deployment Tool (version 1.5.2 build #990180476)
Thu Jun 28 13:01:27 2018 *A* [Main]: ========================================================

Thu Jun 28 13:01:27 2018 *A* [Main]: Current execution logs are in: /var/log/CPcdt/logs_2018-06-28-13-01-26/
Thu Jun 28 13:01:27 2018 *E* [Main]: Invalid number of arguments.

Advanced (Deployment Plan) Usage:
=================================

Candidate list generation:
Generates the installation candidates list and saves it to a file.

-generate -candidates=<file name> -deploymentplan=<filename.xml> [-server=<Domain Management Server IP>] [-filter=<file name>]
generate candidate list following deployment plan [using a Domain Management Server] and save it to a file.
optional - use a filter list to generate a candidate list on the machines in the filter list.

I then try the syntax proposed by CDT itself:

[Expert@mgmt:0]# ./CentralDeploymentTool -generate -candidates=test.csv -deploymentplan=CentralDeploymentTool.xml
Thu Jun 28 13:02:04 2018 *A* [Main]: Central Deployment Tool (version 1.5.2 build #990180476)
Thu Jun 28 13:02:04 2018 *A* [Main]: ========================================================

Thu Jun 28 13:02:04 2018 *A* [Main]: Current execution logs are in: /var/log/CPcdt/logs_2018-06-28-13-02-03/
Thu Jun 28 13:02:04 2018 *E* [Main]:
************************************************
Deployment Plan error has occurred:

Error code 23 - Error loading deployment plan file.
Make sure that the deployment plan file is valid.

Details:
--------
Failed to get the root of DeploymentPlan configuration file: CentralDeploymentTool.xml

I'm stuck at this point and don't know what to do. Can someone point me in the right direction? 

The management server is running R80.10 Jumbo 103 and CDT v1.5.2.

Best regards

0 Kudos
Yasushi_Kono1
Contributor

Hi Borut,

you need to insert the DepPlan.xml as Deployment Plan.

Kind regards

Yasushi


0 Kudos
Arik_Ovtracht
Employee

Hi,

The candidates list generation can be done in 2 ways - the Basic mode and the Advanced mode. They have different syntax, so I'll describe both:

In the Basic mode, all you need to do is to specify that you want to generate a candidates list, and specify the file to contain that list, without the prefix '-candidates='. So the command will be:

./CentralDeploymentTool -generate test.csv

In the Advanced mode, you first must create a 'deployment plan' - this is an .xml file which instructs CDT on the sequence of actions to do on each GW/cluster member. You can use one of the example deployment plans found in the admin guide, and edit it to fit your needs. After you have done it, you can use the Advanced mode syntax as follows:

./CentralDeploymentTool -generate -candidates=test.csv -deploymentplan=DepPlan.xml

0 Kudos
Borut
Collaborator

The first command you propose for basic mode is not working for me

[Expert@mgmt:0]# ./CentralDeploymentTool -generate test.csv

Thu Jun 28 14:00:37 2018 *A* [Main]: Central Deployment Tool (version 1.5.2 build #990180476)
Thu Jun 28 14:00:37 2018 *A* [Main]: ========================================================

Thu Jun 28 14:00:37 2018 *A* [Main]: Current execution logs are in: /var/log/CPcdt/logs_2018-06-28-14-00-36/
Thu Jun 28 14:00:37 2018 *E* [Main]: Invalid number of arguments.

Advanced (Deployment Plan) Usage:
=================================

Candidate list generation:
Generates the installation candidates list and saves it to a file.

-generate -candidates=<file name> -deploymentplan=<filename.xml> [-server=<Domain Management Server IP>] [-filter=<file name>]
generate candidate list following deployment plan [using a Domain Management Server] and save it to a file.
optional - use a filter list to generate a candidate list on the machines in the filter list.

[Expert@mgmt:0]# ./CentralDeploymentTool -b -generate test.csv

Basic Usage:
============

Candidate list generation:
Generates the installation candidates list and saves it to a file.

-generate <file name> [Domain Management Server IP]
generate candidate list from [Domain] management server and save it to a file.

Not sure what I'm missing here.

0 Kudos
Arik_Ovtracht
Employee

I forgot to add this: For Basic mode, you must specify which package to install in the main configuration file (CentralDeploymentTool.xml), otherwise CDT assumes you are using Advanced mode. Use the PackageToInstall entry to do that - you can see an example in the admin guide.

Note that you must remove that entry if you wish to use the Advanced mode.

Vincent_Bacher
Advisor

Hi,
just upgrading some clusters from R77.30 to R80.10 using CDT 1.5.2. Send R80.10 package does not work on some of the nodes.

        ************************************************
        Remote Control error has occurred. IP = ***.***.***.***, command =

        Error code 15 - Error sending a file to a remote machine.
        Check SIC connectivity.

        Details:
        --------
        File is too large.
        ************************************************

Any idea what to do?
At the affected nodes I transferred the file using scp as a workaround. Using cdt would be better, indeed.

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite
0 Kudos
Vincent_Bacher
Advisor

Just found the cause of the issue (thanks to Eliran):
I upgraded from beta to ga release of cdt.

The package was originally in /home/admin/ and I copied it (with the split files and the split_info.txt file) to $CDTDIR (and a newly created subdirectory). The content of the split file still contains /home/admin paths.

So I had to delete these files and keep only the FCS package.

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite
JozkoMrkvicka
Mentor

Okay, so I am trying to test CDT 1.5.2 from a single SMS R80.10 management and I have to say that I am very confused. The instructions are very badly written and the admin is totally confused about how to simply generate a candidate list and so on...

After 30 minutes I figured out that candidate list can be generated via following command:

./CentralDeploymentTool -generate -candidates=list.csv -deploymentplan=DepPlan.xml

All needed options have been modified (commented) in DepPlan.xml and CentralDeploymentTool.xml.

The candidate list has been generated.

Now, I want to move both packages (RPM + TGZ) to the candidate members, install RPM and verify TGZ - means I need to use EXTENDED PREPARATIONS option of BASIC mode.

According to manual, I need to use following syntax:

I have tried following variants:

./CentralDeploymentTool -execute -extended_preparations -candidates=list.csv -deploymentplan=DepPlan.xml
./CentralDeploymentTool -execute -extended_preparations -candidates=list.csv
./CentralDeploymentTool -execute -extended_preparations list.csv
./CentralDeploymentTool -extended_preparations list.csv

None of above mentioned commands are working (Invalid argument: -extended_preparations).

Can someone, please, figure out for me what is the correct syntax ?

EDIT:

So, finally I solved it. What I did was .... read the whole documentation from page 1 to the last page.

What I need is just modify CentralDeploymentTool.xml, NOT DepPlan.xml. I modified both.

After that, the candidate list was generated:

./CentralDeploymentTool -generate test.csv

And at the moment the extended_preparations is in progress:

./CentralDeploymentTool -extended_preparations test.csv

Kind regards,
Jozko Mrkvicka
Arik_Ovtracht
Employee

Hi Jozko,

Sorry to hear about the confusion in our documentation. I will try to make it clearer.

Meanwhile, let me explain:

The CDT Basic Mode command ‘extended_preparations’, as you have figured out, is used to send packages from the management machine to the connected firewalls. The same could also be done in the Advanced Mode, but in a different way – In Advanced Mode, you can construct a Deployment Plan (the xml file which contains a list of actions to perform on each machine) with any combination of actions you want. If you just need to send the packages to the firewalls, you can create a deployment plan with just 1 action (import_package) and then execute it. You can create another deployment plan to do the actual installation.

Most of your commands have not worked because you were trying to use an Advanced Mode command (-execute) with a Basic Mode parameter (-extended_preparations). The 4th command you mentioned (with just the –extended_preparations parameter) should have worked. Do you remember if you used a copy&pasted command? If you did, that could have been the issue. If not – please share the exact output that you get when trying to run ./CentralDeploymentTool -extended_preparations list.csv

Regards,

Arik Ovtracht

Packaging Team Leader

Device Operations Group

0 Kudos
JozkoMrkvicka
Mentor

Hi Arik Ovtracht‌,

Thank you very much for your response.

The issue I had was caused by my having modified both .xml files in the wrong order and with wrong arguments.

What I wanted was to just update CPUSE agent (RPM), import R80.10 upgrade package to R70.30 gateways and verify it - definition of extended_preparations of Basic mode.

This is the content of CentralDeploymentTool.xml I have used:

<?xml version="1.0" encoding="UTF-8" ?>
<CentralDeploymentTool>
    <PackageToInstall Path="/var/log/Check_Point_R80.10_T462_Fresh_Install_and_Upgrade_from_R7X.tgz" ConnectivityUpgrade="false"/>
    <Logging FileLevel="DEBUG" ScreenLevel="DEBUG" SyslogLevel="NONE" Colors="true"/>
    <CPUSE RPMPath="/var/log/CPda-00-00.i386.rpm" />
    <Batch MaxMachinesCount="UNLIMITED" />
</CentralDeploymentTool>

This is the content of DepPlan.xml I have used:

<?xml version="1.0" encoding="UTF-8"?>

<!--
This is an example of a Check Point Central Deployment Tool Deployment Plan file.
Refer to the CDT SK for additional information about configuring and using CDT:
https://supportcenter.us.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&so...
-->

<CDT_Deployment_Plan>
    <!--
    The plan_settings element contains the name and the description of the deployment plan
    and additional configuration.
    -->
    <plan_settings>
        <name value="Example deployment plan" />
        <description value="Example deployment plan provided with CDT" />
        <update_cpuse value="true" />
        <connectivityupgrade value="true" />
    </plan_settings>

    <!-- Execute script -->
    <execute_script path="/home/admin/cdt/preScript.sh" iscritical="false" />

    <!-- Remove custom jumbo -->
    <uninstall_cpuse_package filename="R75.46_JUMBO_HF.tgz" />

    <!-- Major R77.30 upgrade -->
    <import_package path="/var/log/Check_Point_R80.10_T462_Fresh_Install_and_Upgrade_from_R7X.tgz" />
    <install_package path="/var/log/Check_Point_R80.10_T462_Fresh_Install_and_Upgrade_from_R7X.tgz" />

    <!-- Notifications during execution -->
    <log level="NORMAL" value="Finished installing major upgrade." />
    <!-- <send_email to="cdt.admin@checkpoint.com" subject="Major upgrade completed" body="Finished installation of R77.30 major upgrade, preparing to install R77.30 HF2." /> -->

    <!-- Install HF for R77.30 -->
    <!-- <import_package path="/home/admin/R77.30_HF2.tgz" /> -->
    <!-- <install_package path="/home/admin/R77.30_HF2.tgz" /> -->

    <!-- Get a file from the gateway to /home/admin/ -->
    <!-- <pull_file remote_path="/home/admin/file_to_pull.txt" local_dir="/home/admin/" /> -->

</CDT_Deployment_Plan>

As I figured out, the content of DepPlan.xml is irrelevant in this case, as I want to go via Basic mode and extended_preparations.

So finally I was able to run CDT with syntax:

./CentralDeploymentTool -extended_preparations test.csv

and waited around 2 hours to finish the job.

Once finished, I checked both gateways which were mentioned in candidate list test.csv.

R80.10 upgrade package was transferred and was located in /var/log/upload on both gateways.

The CPUSE agent (RPM) was NOT upgraded at all. In addition, the RPM package is not visible in /var/log/upload directory on both gateways. Not sure if this can be related to the fact that on one gateway I have already installed the build version which I want to upgrade (1573). On second node I have older build number, which was supposed to be upgraded from current 1567 to the latest 1573. It wasn't upgraded.

Second issue I see is that on the management server where I run CDT, the following files were created and weren't removed after CDT finished the job:

Kind regards,
Jozko Mrkvicka
0 Kudos
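A pre-flight check for the mode mix-ups discussed in this thread, as an added example (not Check Point code and not part of any post): it reads the main configuration and the deployment plan, applies the rule stated above that a PackageToInstall entry selects Basic mode, and lists the plan actions that are actually active. The function names and the sample XML are assumptions constructed for illustration; the element names and switches are the ones quoted in the thread.

```python
import xml.etree.ElementTree as ET

# Element names and switches are the ones quoted in this thread; nothing here
# calls CDT itself. All XML strings below are constructed sample input.
MAIN_ROOT, PLAN_ROOT = "CentralDeploymentTool", "CDT_Deployment_Plan"
ADVANCED_ARGS = ("-execute", "-deploymentplan=", "-candidates=")
BASIC_ARGS = ("-extended_preparations",)

def cdt_mode(main_xml):
    """'basic' if the main config has <PackageToInstall>, else 'advanced'."""
    root = ET.fromstring(main_xml)
    if root.tag != MAIN_ROOT:
        raise ValueError(f"root is <{root.tag}>, expected <{MAIN_ROOT}>")
    return "basic" if root.find("PackageToInstall") is not None else "advanced"

def plan_actions(plan_xml):
    """Active actions in document order; commented-out ones are not parsed."""
    root = ET.fromstring(plan_xml)
    if root.tag != PLAN_ROOT:  # wrong file given as the plan (the error 23 case)
        raise ValueError(f"root is <{root.tag}>, expected <{PLAN_ROOT}>")
    return [(el.tag, dict(el.attrib)) for el in root if el.tag != "plan_settings"]

def preflight(main_xml, args, plan_xml=None):
    """Findings for an intended command line; an empty list means consistent."""
    findings = []
    mode = cdt_mode(main_xml)
    adv = [a for a in args if a.startswith(ADVANCED_ARGS)]
    bas = [a for a in args if a.startswith(BASIC_ARGS)]
    if adv and bas:
        findings.append(f"mixes Advanced {adv} with Basic {bas}")
    if adv and mode == "basic":
        findings.append("PackageToInstall is set: remove it to use Advanced mode")
    if not adv and mode == "advanced":
        findings.append("no PackageToInstall: CDT assumes Advanced mode")
    if adv and plan_xml is None:
        findings.append("Advanced syntax but no deployment plan supplied")
    elif adv:
        try:
            for tag, attrs in plan_actions(plan_xml):
                if tag == "execute_script":  # runs on every target gateway
                    findings.append(f"review script: {attrs.get('path')}")
        except (ValueError, ET.ParseError) as exc:
            findings.append(f"deployment plan not loadable: {exc}")
    return findings

BASIC_MAIN = ('<CentralDeploymentTool><PackageToInstall '
              'Path="/var/log/example_package.tgz"/></CentralDeploymentTool>')
ADV_MAIN = ('<CentralDeploymentTool><Batch MaxMachinesCount="UNLIMITED"/>'
            '</CentralDeploymentTool>')
PLAN = """<CDT_Deployment_Plan>
  <plan_settings><name value="demo plan"/></plan_settings>
  <execute_script path="/home/admin/cdt/preScript.sh" iscritical="false"/>
  <!-- <install_package path="/var/log/example_package.tgz"/> -->
  <import_package path="/var/log/example_package.tgz"/>
</CDT_Deployment_Plan>"""

if __name__ == "__main__":
    # Main config passed as the plan, as in the failing command earlier in the thread.
    cmd = ["-generate", "-candidates=test.csv",
           "-deploymentplan=CentralDeploymentTool.xml"]
    print(preflight(ADV_MAIN, cmd, plan_xml=ADV_MAIN))
    print(preflight(BASIC_MAIN, ["-extended_preparations", "test.csv"]))
    print(plan_actions(PLAN))
```

Because the plan's actions run on every gateway in the candidate list, reviewing the output of plan_actions before execution shows which actions are live and which are only commented out.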
Arik_Ovtracht
Employee

Hi Jozko,

You are correct that when using the Basic Mode, there is no deployment plan involved - so the DepPlan.xml file is indeed irrelevant.

Regarding your first issue - CDT takes the CPUSE rpm from the configured path in CentralDeploymentTool.xml (in your case it was /var/log/CPda-00-00.i386.rpm), and installs it on each of the members. Are you sure that you put the rpm for build 1573 in that location? If you did - please share your CDT log files (in /var/log/CPcdt/ , if you executed CDT multiple times then just share the directory with the relevant execution time).

Regarding your 2nd issue - the files you see are parts of the R80.10 upgrade package. CDT splits big files before it sends them, due to infrastructure limitations. It keeps the split package to mark that it doesn't need to be split again. You can delete these files manually if you want.

0 Kudos
Martin_Valenta
Advisor

did somebody use it to upgrade gateways from r80.10 to r80.20?

0 Kudos
Vincent_Bacher
Advisor

Not yet but I will surely use it for my first R80.20 upgrade.

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite
0 Kudos
Martin_Valenta
Advisor

It works fine even for 80.10 to .20 🙂


0 Kudos
Arik_Ovtracht
Employee

Hi All,

I am very happy to announce the release of version 1.6 of the CDT - Central Deployment Tool, which now also supports VSX.

Version 1.6 introduces the following new features, as well as bug fixes and minor additions:

  • VSX support – including gateways, HA clusters and VSLS clusters
  • Customized RMA backup & restore - add additional files to the backup
  • Resume mode – quickly resume after resolving issues with failed deployment plans
  • CloudGuard support - Gateways and CloudGuard Controllers R80.10 and above

 

Version 1.6 will also be included in version releases starting R80.30 on all Security Management and Multi-Domain Management machines.

 

Please visit sk111158 for download and usage instructions.

Any comments or suggestions for CDT will be appreciated!
