Search
Varnish Controller
Introduction Changelog Known Issues Upgrading Deprecation Version 6 Version 5 Version 4 Version 3 Version 2 Version 1 Versioning License Features System Overview Demo Concepts Agent Router RoutingRules Tag VCL Domain Deployment Certificates VCLGroup Deployment Types API Logs Private/Shared Config/ConfigSets Authentication System Admin Regular Users Identity Provider Sessions Examples Authorization Organization Account Permission Examples CLI CLI Examples CLI Manual User Interface API API examples Invalidations Integrations Varnish Statistics Installation Quickstart NATS PostgreSQL Brainz API-GW Agents Routers Containers Identity Provider VCLI Graphical User Interface Mapped Ports Routing Plugins gRPC FAQ Examples Deploying VCL files Change a VCL file Purging multiple paths Banning paths Using Labels Certificates HTTP Routing Routing Decisions Organizations Private Agents Debugging Multiple Regions OIDC - Microsoft Entra (Azure AD) Staged Deployment Drain Traffic Config/ConfigSet

Upgrading

From 5.* to 6.0.0

NOTE: For minor version changes you should follow the Upgrade Path, including a database backup.

Before upgrading please take a backup of your database, this will make it possible to rollback to the previously installed version.

The below topics are subject to changes that might affect an existing setup, especially if the REST API is used.

Upgrade Path

We recomend to upgrade in the following order, to avoid downtime:

  1. Upgrade brainz, api-gw, vcli, UI and NATS
  2. Agents will terminate. Upgrade them and make sure they restart.
  3. Upgrade Traffic Routers (make sure they restart)

To avoid traffic down time when upgrading the Traffic Router, it might be a good idea to set Start Healthy: true for the Routing Rule. This will make sure that the router keeps routing directly after restart, instead of waiting for the health check threshold that has been configured. This will however make the router redirect traffic to potentially unhealthy nodes, until the threshold has been reached after restart.

Routing Rules tags Migration

Note: No action is required from the user for this change. This is just upgrade information.

Version 6.0.0 adds support for a new type called TagRoute, which is an improved tags routing decision, that supports subdecisions. If the existing controller have RoutingRules with tags in the lookup-order, these will be automatically converted into TagRoutes. The lookup-order will change from tags to tags:<id>, where the ID points out a TagRoute that will be created automatically during the upgrade process.

To change the behavior of the tags routing decision, changes is done to the TagRoute object. The subdecision can then be changed from the default leastutilized to healthy, random or leastutilized.

Example:

# Pior to upgrade
lookup-order: tags,external,random
# After upgrade
lookup-order: tags:1,external,random

New vcli commands:

# List tagroutes
vcli tagroutes ls
# Change subdecision of a tag route
vcli u 1 --subdecision=random

Permissions

The permission system has been reworked a bit and has a more fine grained verification of nested permissions. A lot of these changes are automatically migrated during upgrade. But some permissions for users might require some tweaking. If you encounter any issues related to permissions in version 6.0, please check: Missing permissions.

HTTP Routing Headers

Instead of two fixed CORS headers that could be configured for HTTP routing, now an open list of headers can be specified. The old configuration is automatically migrated to the new headers field.

General

  • The staging functionality for VCLGroup’s has been removed. A staged VCLGroup will stay deployed but is converted to a regular VCLGroup, the Varnish Controller does not automatically delete the staged VCLGroup.

API Changes

  • Statistics JSON data has been lower cased to match other JSON data via the REST API.
  • ErrorKey has been removed from the error responses.
  • All varnishstat endpoints are renamed to stats as they no longer hold just Varnish Statistics. As of version 5 there was support for both endpoints, the following API endpoints need to be changed:
    • /api/v1/agents/varnishstats to /api/v1/agents/stats
    • /api/v1/agents/{id}/varnishstats to /api/v1/agents/{id}/stats
    • /api/v1/domains/varnishstats to /api/v1/domains/stats
    • /api/v1/domains/{id}/varnishstats to /api/v1/domains/{id}/stats
    • /api/v1/routers/varnishstats to /api/v1/routers/stats
    • /api/v1/routers/{id}/varnishstats to /api/v1/routers/{id}/stats
    • /api/v1/tags/varnishstats to /api/v1/tags/stats
    • /api/v1/tags/{id}/varnishstats to /api/v1/tags/{id}/stats
    • /api/v1/vclgroups/varnishstats to /api/v1/vclgroups/stats
    • /api/v1/vclgroups/{id}/varnishstats to /api/v1/vclgroups/{id}/stats

From 4.* to 5.0.0

Before upgrading please take a backup of your database, this will make it possible to rollback to the previously installed version.

General

Brainz should be the first component that is upgraded, after brainz has been upgraded upgrade the API-GW, VCLI, agents and routers.

In the database the Varnish Controller now forces the timezone to UTC. This might impact your own implementations if you are doing comparisons with time yourself.

Agents and routers may appear in Down state during upgrade. The deployed VCLs and routing configuration will still be active.

Components

Agent

There is a change for invalidations and TLS, the varnish-invalidation-tls now indicates if Varnish is running with TLS and the invalidation request should be with TLS. A new flag varnish-invalidation-tls-verify indicates if the TLS cert should be verified or not.

Brainz

Brainz now have a base-dir for storing files. This is by default /var/lib/varnish-controller/varnish-controller-brainz/. In a container environment, this needs to be configured using the VARNISH_CONTROLLER_BASE_DIR environment variable or the -base-dir flag.

Router

No changes required after upgrading

VCLI

  • All vcli vcl * commands have been removed, you can use the same command but instead of vcli vcls use vcli files.
  • The JSON output has been improved but might be different from the previous output.
  • The vcli inspect <command> now always outputs an array, even for results with one object where as previously it just returned the object.
  • The vcli <command> update now only return the changed element.
  • Commands perm, account, idp and org lists all entries after delete.
  • Delete no longer fails if there are no elements left to list.
  • Confirmation added for org update, tag update and perm add to avoid mistakes.
  • vcli org update now supports -y to avoid interactive confirmation.
  • Removed -idp flag from org add as the org needs to be created before adding an IDP to an org.
  • Removed -v from session (was showing same output).
  • Improved error handling when requesting json output, all errors are now shown in JSON format.

API-GW

  • All /api/v1/vcls/* endpoints have been removed,you can use the same endpoint and bodies but instead of /api/v1/vcls use /api/v1/files endpoints instead.
  • The /api/v1/agents/1/vclgroups endpoint has been removed, use /api/v1/vclgroups?agents.id=1&vg_states.deployed=true instead.
  • The /api/v1/tags/1/agents endpoint has been removed, use /api/v1/agents?tags.id=1 instead.
  • The /api/v1/vclgroups/1/agents endpoint has been removed, use /api/v1/agents?vcl_groups.id=1&vg_states.deployed=true instead.
  • The operator=and has been removed from the filters, instead of ?tags.id=1,2&operator=and use ?tags.id[all]=1,2.
  • In the VCLGroup response deployed: true/false has been changed to a deployment state deployState: 1/2/3.
    • 1 - Deployed (Deployed)
    • 2 - Deploying (Currently deploying)
    • 3 - Undeployed (Not deployed)

From 4.0 to 4.1

The router flag http-tls has been replaced by the flag https-routing. This needs to be updated if TLS routing is used. The https-port and https-host has been added for HTTPS routing in the router. These flags specify host and port for the TLS enabled endpoint of the router.

From 3.0.* to 4.0.0

There are some important changes for the agent configuration. The options for varnish-port and varnish-invalidation-port are removed. These should be entered in the varnish-host and varnish-invalidation-host fields. For the varnish-host the following formats should be used example.com:8080. The varnish-invalidation-host by default the varnish-host is used. The following formats can be used for the invalidation configuration:

  • To override the host example.com
  • To override the host and port example.com:8080
  • To only override the port :8080

If you are using the varnish-ext-ip in the agent configuration you will need to change this. This flag has been removed and will need to be replaced by the ipv4 and/or ipv6 flag.

If a custom root VCL is used for the agent, the template has slightly changed. The following template code:

{{range $index, $element := .}}

Should be replaced with:

{{range $index, $element := .Routes}}

Note the .Routes instead of just the ..

From 2.0.* to 3.0.0

There are 2 important changes to be aware of:

  1. Persistent statistics could grow your database significantly depending on the amount of agents, VCLGroups and counters to keep track of.
  2. When using a configuration file, the scopes are renamed:
    • [controller] is changed to [brainz] for brainz.
    • [api] is changed to [api-gw] for api-gw.

First upgrade brainz. If multiple brainz instances are running, they will back off until all have been upgraded and then the database will be migrated by one of the instances. brainz will make sure that no brainz instance has been running for the last 10 seconds before performing migrations and start.

After brainz has been upgraded, the agents and api-gw will stop since they are no longer compatible with the new version of brainz. Deployed VCLs will still be deployed to Varnish.

Upgrade agents and api-gw components. Then the VCLI and UI.

Components can be upgraded in any order, but it’s recommended to upgrade brainz first.

From 1.0.4 to 2.0.0

First upgrade brainz. If multiple brainz instances are running, they will back off until all have been upgraded and then the database will be migrated by one of the instances. brainz will make sure that no brainz instance has been running for the last 10 seconds before performing migrations and start.

After brainz has been upgraded, the agents and api-gw will stop since they are no longer compatible with the new version of brainz. Deployed VCLs will still be deployed to Varnish.

Upgrade agents and api-gw components. Then the VCLI and UI.

Components can be upgraded in any order, but it’s recommended to upgrade brainz first.

In most cases, no configuration changes is required after upgrade. It will be enough to upgrade packages and make sure that the component services gets restarted. Please read through changelog to make sure your setup isn’t using anything that has been changed (such as the -keep-deleted flag for brainz).

For more information regarding version compatibility, see Versioning.

Manuals
Varnish Enterprise
Varnish Cloud
Varnish Controller
Varnish High Availability
Varnish Custom Statistics
Varnish WAF
Varnish Broadcaster
Varnish Helm Chart
Packages
Docker
News
Varnish Enterprise 6.0.13r8
Varnish Helm Chart 1.6.1
Varnish Controller 6.5.0
Varnish Enterprise 6.0.13r7
Varnish Helm Chart 1.6.0
News archive
Cookie Settings Privacy Policy Contact Us Press Branding
®Varnish Software, Wallingatan 12, 111 60 Stockholm, Organization nr. 556805-6203