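Confluence sent an email reporting a critical vulnerability and recommending an upgrade. According to the description, the vulnerability may allow an unauthenticated user to execute arbitrary code on the server. Confluence had just released the 7.13.0 long-term support version, so I upgraded.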
Reference links:
Link | Description |
---|---|
https://confluence.atlassian.com/doc/upgrading-confluence-4578.html | Official upgrade guide |
https://confluence.atlassian.com/doc/confluence-7-13-release-notes-1044114085.html | Confluence 7.13 release notes |
https://confluence.atlassian.com/doc/confluence-7-13-upgrade-notes-1044114088.html | Confluence 7.13 upgrade notes |
https://confluence.atlassian.com/doc/confluence-7-11-upgrade-notes-1035239484.html | Confluence 7.11 upgrade notes (includes one MySQL 8 database configuration change) |
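1. Confirm that you are eligible to upgrade to the new version. Every Confluence license purchased comes with a 1-year maintenance period. Within the maintenance period you can upgrade to the latest version; once it has expired, upgrading to a new version is not supported, so you need to renew maintenance first and then upgrade. You can check whether you are within the maintenance period under Site administration -> Troubleshooting and support tools.
2. Decide which upgrade method to use. Here the installer is used, so the 7.13.0 installer must be downloaded in advance and uploaded to the server.
3. Read through the release notes and upgrade notes to determine whether platform and environment dependencies need updating, such as the database version, the JDK, and any special settings.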
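1. Site administration -> Plan your upgrade: review the officially recommended target version and upgrade steps.
2. Site administration -> Troubleshooting and support tools: check that the current running state is healthy and make sure every item is ticked.
3. Manage apps -> Confluence update check: select the target version and see whether any apps need updating.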
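1. The upgrade process goes wrong very easily, so it is strongly recommended to take an image of the current cloud server before upgrading. That way, even if the upgrade fails, rolling the server back removes any impact.
2. Stop the running Confluence service first by executing ./shutdown.sh in the bin folder of the installation directory.
3. Per https://confluence.atlassian.com/doc/confluence-7-11-upgrade-notes-1035239484.html, upgrading from 7.10 to 7.13 requires a MySQL 8 configuration change: add the setting log-bin-trust-function-creators = 1 under the [mysqld] section of /etc/mysql/my.cnf, then restart the mysql service.
4. Run the installer and follow the prompts. Make sure to choose Upgrade an existing Confluence installation (option 3) and that the current installation path shown in the prompt is correct. Several prompts along the way ask whether to back up the installation directory and the home directory; answer yes. When the upgrade finishes it asks whether to start Confluence; choose n here and do not start it until the configuration has been adjusted in the next step.
5. Adjust the configuration. The upgrade amounts to deleting the original installation directory and installing again, so changes made under the installation directory have to be reapplied. First the database driver: copy the confluence/WEB-INF/lib/mysql-connector-java-8.0.19.jar file from the original installation directory back into the corresponding directory. Next adjust conf/server.xml and restore the proxy and docbase settings that were modified previously; see "Installing Confluence Server".
6. Adjust the Java heap. This step is a precaution: increase the Java heap by editing bin/setenv.sh and setting CATALINA_OPTS="-Xms4096m -Xmx4096m ${CATALINA_OPTS}". The default is 1024 MB; here it is changed to 4096 MB.
7. Start Confluence. If a reverse proxy is used, start Nginx first.
8. Visit the site; it reports that the upgrade succeeded.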
Attached is the console output from the upgrade process:
```
# ./atlassian-confluence-7.13.0-x64.bin
Installing fontconfig and fonts
Hit:1 https://mirrors.tuna.tsinghua.edu.cn/ubuntu focal InRelease
Get:2 https://mirrors.tuna.tsinghua.edu.cn/ubuntu focal-updates InRelease [114 kB]
Get:3 https://mirrors.tuna.tsinghua.edu.cn/ubuntu focal-backports InRelease [101 kB]
Get:4 https://mirrors.tuna.tsinghua.edu.cn/ubuntu focal-security InRelease [114 kB]
Get:5 https://mirrors.tuna.tsinghua.edu.cn/ubuntu focal-updates/main i386 Packages [522 kB]
Get:6 https://mirrors.tuna.tsinghua.edu.cn/ubuntu focal-updates/main amd64 Packages [1,169 kB]
Get:7 https://mirrors.tuna.tsinghua.edu.cn/ubuntu focal-updates/main amd64 c-n-f Metadata [13.9 kB]
Get:8 https://mirrors.tuna.tsinghua.edu.cn/ubuntu focal-updates/universe i386 Packages [629 kB]
Get:9 https://mirrors.tuna.tsinghua.edu.cn/ubuntu focal-updates/universe amd64 Packages [848 kB]
Get:10 https://mirrors.tuna.tsinghua.edu.cn/ubuntu focal-updates/universe Translation-en [179 kB]
Get:11 https://mirrors.tuna.tsinghua.edu.cn/ubuntu focal-updates/universe amd64 c-n-f Metadata [18.7 kB]
Get:12 https://mirrors.tuna.tsinghua.edu.cn/ubuntu focal-security/main amd64 Packages [828 kB]
Get:13 https://mirrors.tuna.tsinghua.edu.cn/ubuntu focal-security/main i386 Packages [275 kB]
Get:14 https://mirrors.tuna.tsinghua.edu.cn/ubuntu focal-security/universe i386 Packages [506 kB]
Get:15 https://mirrors.tuna.tsinghua.edu.cn/ubuntu focal-security/universe amd64 Packages [638 kB]
Get:16 https://mirrors.tuna.tsinghua.edu.cn/ubuntu focal-security/universe Translation-en [101 kB]
Get:17 https://mirrors.tuna.tsinghua.edu.cn/ubuntu focal-security/universe amd64 c-n-f Metadata [12.3 kB]
Hit:18 http://archive.ubuntu.com/ubuntu focal InRelease
Fetched 6,069 kB in 1s (4,258 kB/s)
Reading package lists... Done
Reading package lists... Done
Building dependency tree
Reading state information... Done
fontconfig is already the newest version (2.13.1-2ubuntu3).
0 upgraded, 0 newly installed, 0 to remove and 290 not upgraded.
Reading package lists... Done
Building dependency tree
Reading state information... Done
fonts-dejavu is already the newest version (2.37-1).
0 upgraded, 0 newly installed, 0 to remove and 290 not upgraded.
Reading package lists... Done
Building dependency tree
Reading state information... Done
fonts-noto-cjk is already the newest version (1:20190410+repack1-2).
0 upgraded, 0 newly installed, 0 to remove and 290 not upgraded.
Regenerating the font cache
Fonts and fontconfig have been installed
Unpacking JRE ...
Starting Installer ...

This will install Confluence 7.13.0 on your computer.
OK [o, Enter], Cancel [c]
o
Click Next to continue, or Cancel to exit Setup.

Choose the appropriate installation or upgrade option.
Please choose one of the following:
Express Install (uses default settings) [1], Custom Install (recommended for advanced users) [2], Upgrade an existing Confluence installation [3, Enter]
3
Existing installation directory:
[/opt/atlassian/confluence]

Back Up Confluence Home
The upgrade process will automatically back up your Confluence Installation Directory. You can also choose to back up your existing Confluence Home Directory. Both directories are backed up as zip archive files in their respective parent directory locations.

We strongly recommend choosing this option in the unlikely event that you experience problems with the upgrade and may require these backups to restore your existing Confluence installation.

If you have many attachments in your Confluence Home Directory, the zip archive of this directory may consume a significant amount of disk space.
Back up Confluence home ?
Yes [y, Enter], No [n]
y

Checking for local modifications.

List of modifications made within Confluence directories.

The following provides a list of file modifications within the confluence directory.

Note that modifications to other directories will not be detected.

The modifications listed below would need to be manually applied to the installed version.
The Confluence home location will be automatically migrated so there is no need to update the confluence-init.properties file.
The backup of the previous installation directory will contain the modified files.

Modified files:
	(none)
Removed files:
	(none)
Added files:
	confluence/WEB-INF/lib/mysql-connector-java-8.0.19.jar
	confluence/WEB-INF/classes/log4j-diagnostic.properties
[Enter]

Checking if your instance of Confluence is running

Upgrade Checklist

Back up your external database
We strongly recommend you back up your Confluence database if you have not already done so.

Please refer to the following URL for back up guidelines:
https://docs.atlassian.com/confluence/docs-713/Production+Backup+Strategy

Check app compatibility
Check that your non-bundled apps are compatible with Confluence 7.13.0.

For more information see our documentation at the following URL:
https://docs.atlassian.com/confluence/docs-713/Installing+and+Configuring+Plugins+using+the+Universal+Plugin+Manager

Please ensure you have read the above checklist before upgrading.
Your existing Confluence installation is about to be upgraded! Do you want to proceed?
Upgrade [u, Enter], Exit [e]
u

Your instance of Confluence is currently being upgraded.
Checking if Confluence has been shutdown...
Backing up the Confluence installation directory
Backing up the Confluence home directory
Deleting the previous Confluence installation directory...

Extracting files ...

Please wait a few moments while we configure Confluence.

Installation of Confluence 7.13.0 is complete
Start Confluence now?
Yes [y, Enter], No [n]
n

Installation of Confluence 7.13.0 is complete

Custom modifications
Your previous Confluence installation contains customisations that must be manually transferred. Refer to our documentation more information:
https://docs.atlassian.com/confluence/docs-713/Upgrading+Confluence#UpgradingConfluence-custommodifications
Finishing installation ...
root@VM-0-4-ubuntu:~/download#
```
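1. Always back up the cloud server first; otherwise, once something goes wrong, there is no way back.
2. If the database is MySQL 8, upgrading from 7.10 to 7.13 requires the MySQL 8 configuration change described above; otherwise the upgrade fails.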
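
The installer replaces the installation directory, so the changes from steps 3, 5 and 6 of the upgrade procedure are easy to miss before the first start. The sh script below is an added example, not part of the original post: it checks those three settings using the paths and values given on this page, and its function names and the sample-tree helper are hypothetical.

```sh
#!/bin/sh
# True if KEY is enabled (1/ON) in the [mysqld] section of a my.cnf-style file.
# MySQL accepts '-' and '_' interchangeably in option names; the last setting wins.
mysqld_option_enabled() {
    awk -v want="$2" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { in_sec = ($0 ~ /^[ \t]*\[mysqld\]/); next }
        in_sec {
            n = index($0, "="); if (n == 0) next
            key = substr($0, 1, n - 1); val = substr($0, n + 1)
            sub(/#.*/, "", val)
            gsub(/[ \t\r]/, "", key); gsub(/[ \t\r]/, "", val); gsub(/_/, "-", key)
            if (key == want) found = (val == "1" || toupper(val) == "ON")
        }
        END { exit !found }' "$1"
}

# True if a MySQL Connector/J jar is back in the new installation directory.
jdbc_driver_present() {
    for jar in "$1"/confluence/WEB-INF/lib/mysql-connector-java-*.jar; do
        if [ -f "$jar" ]; then return 0; fi
    done
    return 1
}

# True if bin/setenv.sh sets CATALINA_OPTS with the expected -Xmx value (e.g. 4096m).
heap_configured() {
    grep -Eq "^[[:space:]]*CATALINA_OPTS=.*-Xmx$2([^0-9A-Za-z]|\$)" "$1/bin/setenv.sh"
}

# Runs all checks; prints one line per failure and returns the number of failures.
preflight() {
    pf_failed=0
    mysqld_option_enabled "$2" log-bin-trust-function-creators ||
        { echo "FAIL: log-bin-trust-function-creators not enabled under [mysqld] in $2"; pf_failed=$((pf_failed + 1)); }
    jdbc_driver_present "$1" ||
        { echo "FAIL: no mysql-connector-java jar in $1/confluence/WEB-INF/lib"; pf_failed=$((pf_failed + 1)); }
    heap_configured "$1" 4096m ||
        { echo "FAIL: -Xmx4096m not set in $1/bin/setenv.sh"; pf_failed=$((pf_failed + 1)); }
    return "$pf_failed"
}

# Constructed sample tree mirroring the page's paths, for trying the checks offline.
make_sample() {
    mkdir -p "$1/confluence/WEB-INF/lib" "$1/bin" "$1/etc"
    : > "$1/confluence/WEB-INF/lib/mysql-connector-java-8.0.19.jar"
    printf '%s\n' 'CATALINA_OPTS="-Xms4096m -Xmx4096m ${CATALINA_OPTS}"' > "$1/bin/setenv.sh"
    printf '%s\n' '[client]' 'port = 3306' '[mysqld]' 'log-bin-trust-function-creators = 1' > "$1/etc/my.cnf"
}
```

On a real host, run `preflight /opt/atlassian/confluence /etc/mysql/my.cnf` after the installer finishes and before starting Confluence.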