Upgrades and Reinstallations

The Sudo Policy Server installers are designed to enable easy upgrades of an installed version to a new version. During an upgrade, the current configuration can be retained, or a new Sudo Policy Server configuration can be put in place.

Sudo Policy Server installation scripts pbinstall and pbmakeremotetar can also be used to perform upgrades and reinstallations.

Pre-upgrade Instructions

Before performing an upgrade or reinstallation, do the following:

  1. Obtain the new release, either on a CD or using FTP.
  2. Read the release notes and installation instructions.
  3. Determine the order for updating the Policy Server host machines. If your current installation includes Policy Server host failover machines, you may want to consider upgrading the Policy Server hosts failover machines first, followed by the submit hosts and run hosts, followed by the primary Policy Server hosts.

The settings files on the Policy Server hosts may need to be updated as each Policy Server host is upgraded.

  1. If your current installation includes one or more Policy Server host failover machines, then ensure that the security policy files on the primary Policy Server host and the Policy Server host failover machines are synchronized.
  2. Verify the current location of the administration programs, user programs, and log files. This information is in the pb.cfg file (/etc/pb.cfg or pb/install/pb.cfg.{flavor}) and the settings file, /etc/pb.settings.
  3. If you do not have a recent backup of the host, or if it is imperative that no log entries can be lost, then create a save directory (for example, /var/tmp/pb.{rev_rel}) that can be used to restore Sudo Policy Server files from in case the upgrade fails. After creating the directory, copy (do not use move) the files that are listed below to the new save directory (a shell script can be created to copy the necessary files).

    Sudo Policy Server files for all host types
    /etc/pb.cfg (and pb.cfg.* on older installations)
    /etc/pb.key (if encryption is in use on the system)
    pb* log files (typically in /var/adm, /var/log or /usr/adm)

    Files for Sudo Policy Server

    Database files (contents of databasedir which default to /opt/pbul/dbs)

    /etc/inetd.conf (or your xinetd, launchd, or SMF configuration file)

    Any event log or I/O log files to save
    Sudo Policy Server Log Server files
    /etc/inetd.conf (or your xinetd, launchd, or SMF configuration file), /etc/inetd.conf
    Any event log or I/O log files to save
    Sudo Policy Server GUI Host files
    /etc/inetd.conf (or your xinetd, launchd, or SMF configuration file), /etc/inetd.conf
  4. Determine in which directories to install the new log files, administration programs, and user programs. If you chose different directories for the Sudo Policy Server programs, you might need to update the path variable for the root user and other users.
  5. Be aware that users cannot submit monitored task requests while Sudo Policy Server updates are in progress. Consider writing a Sudo Policy Server configuration policy file that rejects all users from executing pbrun and echoes a print statement to their screen, informing them that a Sudo Policy Server upgrade is in progress.
  6. Sudo Policy Server releases are always upward-compatible when encryption is not used. We recommend that you perform an uninstall if a release is replaced by a Sudo Policy Server version older than v2.8.1.
  7. If you use an encrypted settings file and intend to do an upgrade or reinstall, then the unencrypted version of the settings file needs to be restored before performing an upgrade or reinstall; otherwise, the settings file cannot be read.
  8. If you have a previous installation of Sudo Policy Server for v5.1 or earlier and your encryption is set to none, then when you install Sudo Policy Server v5.2, all the encryption options (options 98 through 103) will be set to none. You can change these options during installation.

For more information on changing these options, please see Step-by-Step Instructions for a Basic Installation Using pbinstall.

pbinstall Install Upgrades

To upgrade or reinstall Sudo Policy Server with the same configuration as the currently installed version, run pbinstall in batch mode:

./pbinstall -b

If you perform a reinstall of an older version, be aware that the older version may not have the same features as the newer version. In this case, the upgrade process discards the configuration of the features that are not available in the older version of Sudo Policy Server. When you upgrade to the newer version, make sure to configure the newer features when running pbinstall.

To change the configuration of Sudo Policy Server during the upgrade or reinstall, run pbinstall in interactive mode:


The present configuration is read into pbinstall. Make the desired configuration changes and then use the c command to continue. pbinstall then installs Sudo Policy Server with the new configuration.

For step-by-step instructions for using pbinstall, please see Step-by-Step Instructions for a Basic Installation Using pbinstall.

Post-Upgrade Instructions

If you want to encrypt your settings file after upgrading Sudo Policy Server, then save a copy of the unencrypted file (for future upgrades) and re-encrypt the settings file.