# Upgrading

### Upgrading from 2.20.0 or newer

From the Linux command line, update to the latest installer script using the curl command.

```
curl -O https://keepersecurity.com/kcm/kcm-setup.run
```

To update all of the underlying software and Docker containers when using the Docker Automated Install method, run the following commands:

```
sudo ./kcm-setup.run stop
sudo ./kcm-setup.run upgrade
```

Select "Y" when prompted.

***

### Upgrading from 2.19.3 or Older

If you are migrating from a KCM version 2.19.3 or older, there is a breaking change with **Remote Browser Isolation (RBI)** documented below.

{% hint style="info" %}
**IMPORTANT:** Some of the changes to RBI required additional services and sandboxing not required in previous releases. The operations used for this sandboxing have required updates to the `seccomp` profile used for Docker deployments, as well as the creation of an AppArmor profile.

**This AppArmor profile must be loaded for RBI to function on any platform using AppArmor, such as Ubuntu.**
{% endhint %}

**Required Action**: Download the latest version of the `kcm-setup.run` script:

```
curl -O https://keepersecurity.com/kcm/kcm-setup.run
```

#### Option 1: Add the AppArmor profile automatically using `kcm-setup.run` <a href="#adding-the-apparmor-profile-automatically-using-kcm-setup.run" id="adding-the-apparmor-profile-automatically-using-kcm-setup.run"></a>

If you have not modified your own `docker-compose.yml` since installing KCM, you can apply these changes automatically by:

1. Downloading the latest copy of `kcm-setup.run` from Keeper Security.
2. Running `sudo ./kcm-setup.run upgrade` to upgrade to the latest release.
3. Running `sudo ./kcm-setup.run reconfigure` to regenerate `docker-compose.yml`.

{% hint style="info" %}
If you manually changed `docker-compose.yml`, follow **Option 2 below.**
{% endhint %}

#### Option 2: Adding the AppArmor profile to a modified `docker-compose.yml` <a href="#adding-the-apparmor-profile-to-a-modified-docker-compose.yml" id="adding-the-apparmor-profile-to-a-modified-docker-compose.yml"></a>

If you have modified your own `docker-compose.yml`, you must edit it manually to point the “guacd” container at the new profile. Apply the changes by:

1. Downloading the latest copy of `kcm-setup.run` from Keeper Security.
2. Running `sudo ./kcm-setup.run upgrade` to upgrade to the latest release.
3. Editing `/etc/kcm-setup/docker-compose.yml`, adding an additional `"apparmor:..."` option to the `security_opt` section of the “guacd” container such that the section now matches the following:

```
security_opt:
    - "seccomp:/etc/kcm-setup/guacd-docker-seccomp.json"
    - "apparmor:guacd-apparmor-profile"
```

4. Running `sudo ./kcm-setup.run apply` to apply these latest changes from `docker-compose.yml`.
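
To confirm the edit from step 3, the following added script (not part of `kcm-setup.run` or Keeper's own tooling) checks that the guacd service in a compose file lists both the seccomp and the AppArmor option shown above. It assumes the service key in `docker-compose.yml` is `guacd`; the function names and the container-name argument are illustrative.

```shell
#!/bin/sh
# Added example: not part of kcm-setup.run. Assumes the compose service key is "guacd".

# Print each security_opt entry of the guacd service, one per line, unquoted.
guacd_security_opts() {
    awk '
        /^[ \t]*(#.*)?$/ { next }                      # skip blank and comment lines
        {
            match($0, /[^ ]/); ind = RSTART - 1         # indentation of this line
            if (in_opt) {
                if ($0 ~ /^ *- /) {                     # list item under security_opt
                    v = $0
                    sub(/^ *- */, "", v); gsub(/["\047]/, "", v); sub(/[ \t]+$/, "", v)
                    print v
                    next
                }
                in_opt = 0                              # first non-item line ends the list
            }
            if (in_svc && ind <= svc_ind) in_svc = 0    # left the guacd block
            if ($0 ~ /^ *guacd: *$/) { in_svc = 1; svc_ind = ind; next }
            if (in_svc && $0 ~ /^ *security_opt: *$/) in_opt = 1
        }
    ' "$1"
}

# Return 0 only if guacd lists both the seccomp and the AppArmor option from this page.
check_guacd_security_opt() {
    opts=$(guacd_security_opts "$1") || return 2
    rc=0
    for want in "seccomp:/etc/kcm-setup/guacd-docker-seccomp.json" \
                "apparmor:guacd-apparmor-profile"; do
        if ! printf '%s\n' "$opts" | grep -Fqx -- "$want"; then
            echo "guacd security_opt is missing: $want" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Return 0 if a running container reports the profile (container name is site-specific).
guacd_profile_active() {
    [ "$(docker inspect --format '{{.AppArmorProfile}}' "$1")" = "guacd-apparmor-profile" ]
}

if [ $# -gt 0 ]; then
    check_guacd_security_opt "$1" && echo "guacd security_opt OK in $1"
fi
```

Run it as `sh check.sh /etc/kcm-setup/docker-compose.yml`; `guacd_profile_active <container>` can be called after a reboot to confirm the running container still reports the profile.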

#### Manually extracting the AppArmor profile

*Only if necessary*, the AppArmor profile is bundled in a standard location and can be extracted from the Docker image:

{% code overflow="wrap" %}

```
sudo docker run --rm --entrypoint=/bin/cat keeper/guacd /opt/keeper/share/guacd/guacd-apparmor-profile > guacd-apparmor-profile
```

{% endcode %}

The profile should then be copied beneath `/etc/apparmor.d` so that it is automatically loaded on boot:

```
sudo cp guacd-apparmor-profile /etc/apparmor.d/
```

The new profile can then be loaded either by rebooting or by manually running `apparmor_parser`:

```
sudo apparmor_parser -r /etc/apparmor.d/guacd-apparmor-profile
```

***

{% hint style="danger" %}
**Important notice regarding Ubuntu Docker Installations**
{% endhint %}

**Do not use the** `docker.io` **package provided by Ubuntu.** Testing has suggested that this older Docker package may not function correctly with AppArmor profiles. Containers have been observed to not correctly resume using the configured AppArmor profile after a reboot.

Instead, use the official Docker packages provided by Docker themselves: <https://docs.docker.com/engine/install/ubuntu/>

As long as Docker isn’t already installed, `kcm-setup.run` will install the official Docker packages automatically. This is an easy way to install both KCM and the proper version of Docker.


