Upgrading

Upgrade instructions for Keeper Connection Manager

Upgrading from 2.20.0

From the Linux command line, update to the latest installer script using the curl command.

curl -O https://keepersecurity.com/kcm/kcm-setup.run

To update all of the underlying software and Docker containers when using the Docker Automated Install method, run the below commands:

sudo ./kcm-setup.run stop
sudo ./kcm-setup.run upgrade

Select "Y" when prompted.

Upgrading from 2.19.3 or Older

If you are migrating from a KCM version 2.19.3 or older, there is a breaking change with Remote Browser Isolation (RBI) documented below.

IMPORTANT: Some of the changes to RBI required additional services and sandboxing not required in previous releases. The operations used for this sandboxing have required updates to the seccomp profile used for Docker deployments, as well as the creation of an AppArmor profile.

This AppArmor profile must be loaded for RBI to function on any platform using AppArmor, such as Ubuntu.

Required Action: Download the latest version of the kcm-setup.run script:

curl -O https://keepersecurity.com/kcm/kcm-setup.run

Option 1: Add the AppArmor profile automatically using kcm-setup.run

If you have not modified your own docker-compose.yml since installing KCM, you can apply these changes automatically by:

  1. Downloading the latest copy of kcm-setup.run from Keeper Security.

  2. Running sudo ./kcm-setup.run upgrade to upgrade to the latest release.

  3. Running sudo ./kcm-setup.run reconfigure to regenerate docker-compose.yml.

If you manually changed docker-compose.yml, follow Option 2 below.

Option 2: Adding the AppArmor profile to a modified docker-compose.yml

If you have modified your own docker-compose.yml, these changes require some manual editing of docker-compose.yml to point the “guacd” container at the new profile:

  1. Downloading the latest copy of kcm-setup.run from Keeper Security.

  2. Running sudo ./kcm-setup.run upgrade to upgrade to the latest release.

  3. Editing /etc/kcm-setup/docker-compose.yml, adding an additional "apparmor:..." option to the security_opt section of the “guacd” container such that the section now matches the following:

security_opt:
    - "seccomp:/etc/kcm-setup/guacd-docker-seccomp.json"
    - "apparmor:guacd-apparmor-profile"

  1. Running sudo ./kcm-setup.run apply to apply these latest changes from docker-compose.yml.

Manually extracting the AppArmor profile

Only if necessary, the AppArmor profile is bundled in a standard location and can be extracted from the Docker image:

sudo docker run --rm --entrypoint=/bin/cat keeper/guacd /opt/keeper/share/guacd/guacd-apparmor-profile > guacd-apparmor-profile

The profile should then be copied beneath /etc/apparmor.d so that it is automatically loaded on boot:

sudo cp guacd-apparmor-profile /etc/apparmor.d/

The new profile can then be loaded either by rebooting or by manually running apparmor_parser:

sudo apparmor_parser -r /etc/apparmor.d/guacd-apparmor-profile

Important notice regarding Ubuntu Docker Installations

Do not use the docker.io package provided by Ubuntu. Testing has suggested that this older Docker package may not function correctly with AppArmor profiles. Containers have been observed to not correctly resume using the configured AppArmor profile after a reboot.

Instead, use the official Docker packages provided by Docker themselves: https://docs.docker.com/engine/install/ubuntu/

As long as Docker isn’t already installed, kcm-setup.run will install the official Docker packages automatically. This can be an easy method to both install KCM and the proper version of Docker.

PreviousKeeper Connection ManagerNextKCM Version 2.22.0

Last updated

Was this helpful?