Upgrading a Docker container

This section describes how to upgrade a Docker container that is running Swarm to a newer release.

The following process attempts to minimize downtime, but a short period of downtime for Swarm users is unavoidable. There should be no downtime for your Helix Core Server. After a successful upgrade, all Swarm users are logged out.

If you are using Swarm in a production environment, we encourage you to test this upgrade process in a non-production environment first.

To upgrade a Docker container, run the following commands in your Docker setup directory:

  1. Pull down the latest version of the Helix Swarm image. In the below code example, you can change the latest tag to the current version of your Helix Swarm installation, for example, 2022.2.

    docker pull perforce/helix-swarm:latest
  2. View what is currently running in your Docker container using docker ps command.

    docker ps
    CONTAINER ID   IMAGE                  COMMAND                  CREATED          STATUS          PORTS                               
    NAMES
    0b3baaf10387   perforce/helix-swarm   "/bin/sh -c /opt/per…"   22 seconds ago   Up 20 seconds   0.0.0.0:80->80/tcp,
    :::80->80/tcp
    helix-swarm
    f2030d449679   redis                  "docker-entrypoint.s…"   38 seconds ago   Up 37 seconds   6379/tcp helix-redis
  3. Stop and delete the running Helix Swarm image.

    docker stop helix-swarm
    docker rm helix-swarm
  4. Start a new Helix Swarm image using a docker run command. For more information on how to run a Helix Swarm image on a Docker container, see Run Swarm using a Docker container.

Secure your Swarm installation

To make your Swarm installation more secure apply the following recommendations for HTTP and Swarm implementation through security groups.

HTTP

Here is a list of best practices to use when port 80 is exposed for HTTP traffic:

  • Redirect to HTTPS: If Port 80 needs to be open to support legacy systems or specific use cases, ensure that all HTTP traffic is redirected to HTTPS to encrypt data in transit.

  • Use HSTS (HTTP Strict Transport Security) headers: Implement HSTS headers to force browsers only to use secure HTTPS connections when interacting with your server.

  • Close port 80: If there is no requirement to use HTTP, Port 80 must be closed entirely to prevent any unencrypted data transmission.

  • Implement SSL/TLS (secure sockets layer and transport layer security) certificates: Ensure that your server is configured with a valid SSL/TLS certificate to enable secure HTTPS connections.

  • Firewall configuration: Configure firewalls to block or filter access to Port 80, particularly from untrusted networks.

  • Continuous monitoring and auditing: Regularly monitor network traffic and audit server configurations to ensure that unnecessary ports are not exposed and that data is transmitted securely.

When you implement HTTPS, you must make the following changes:

  1. Modify your cron job for the Swarm workers.

    Edit the cron configuration file to point to your HTTPS URL, for example, https://HOSTNAME/. For more information about how to edit the cron configuration file, see Set up a recurring task to spawn workers.

    To verify if the cron configuration file points to your HTTPS URL, run the following curl statement:

    curl https://myswarm.host/queue/worker

  2. Modify the Swarm Extension or Trigger configuration.

    If you are using the Swarm extension run the following command and change ExtConfig’s Swarm URL to be your new HTTPS URL:

    p4 extension --configure Perforce:helix-swarm

    If you are using triggers, edit swarm-trigger.pl configuration file and set your SWARM_HOST to be https.

  3. Edit the external_url in the SWARM_ROOT/data/config.php file’s environment block to point to your HTTPS URL. This URL is used in emails, Jira links, and Swarm test’s pass-and-fail outgoing URL parameters.

    Tip

    If you make a configuration change, Swarm will not use it until the configuration cache has been reloaded, this forces Swarm to use the new configuration. You must be an admin or super user to reload the Swarm config cache. Navigate to the User id dropdown menu, select System Information, click the Cache Info tab, and click the Reload Configuration button.

  4. Modify the Helix Core Server's P4.Swarm.URL property. For more information about Helix Core Server integration, see Client integration.

    If your Apache server is listening on both HTTPS and HTTP in perforce-swarm-site.conf file, you must set the auto_register_urlconfigurable in the p4 block to false and correctly configure the P4.Swarm.URL property .

    If your Apache server is listening only on HTTPS and if the auto_register_urlconfigurable in the p4 block is set to true (default value), an Apache restart will correct the property.

    To get all your current values for P4.Swarm.URL property, run:

    p4 -Ztag property -A -l -n P4.Swarm.URL

    Ensure that the P4.Swarm.URL property points to your HTTPS URL.

  5. Modify the URL of all applications. Any other applications that reference the URL should be switched to using the HTTPS URL.

Swarm implementation through security groups

Here is a list of best practices for implementation using security groups or the user's preferred setup:

  • Use a trusted proxy: Ensure to only use a trusted proxy, such as allow lists, Content Delivery Networks (CDN), and API Gateways.

  • Backend servers and other proxies or load balancers should be disabled: Ensure that direct access to backend servers and other proxies or load balancers is disabled, except through the trusted proxy mentioned above. This will prevent unauthorized access while ensuring that all requests are filtered through the trusted proxy.

  • Continuous monitoring and logging of the X-Forwarded-For header: Implement monitoring and logging on the X-Forwarded-For header to track and identify any suspicious activities. This can help in identifying and preventing potential malicious activity or security threats.

  • Use a secure protocol: Implement a secure protocol such as HTTPS to encrypt the communications between the client and the load balancers, and between the load balancer and backend server to prevent eavesdropping or tampering with the X-Forwarded-For header.

  • Configure X-Forwarded-For header: Configure the processing mode of the X-Forwarded-For header (append, preserve, or remove) based on specific technical or security requirements.