{"id":45102974,"url":"https://github.com/sshcom/ansible-upgrade-privx","last_synced_at":"2026-02-19T21:01:34.132Z","repository":{"id":335320061,"uuid":"1140369694","full_name":"SSHcom/ansible-upgrade-privx","owner":"SSHcom","description":"Ansible Playbooks for PrivX Core and other components version upgrade","archived":false,"fork":false,"pushed_at":"2026-01-29T15:50:34.000Z","size":41,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-01-30T04:36:47.318Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/SSHcom.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-01-23T07:22:10.000Z","updated_at":"2026-01-29T15:55:30.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/SSHcom/ansible-upgrade-privx","commit_stats":null,"previous_names":["sshcom/ansible-upgrade-privx"],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/SSHcom/ansible-upgrade-privx","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SSHcom%2Fansible-upgrade-privx","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SSHcom%2Fansible-upgrade-privx/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SSHcom%2Fansible-upgrade-privx/releases","manifests_url":"https://repos.ecosy
ste.ms/api/v1/hosts/GitHub/repositories/SSHcom%2Fansible-upgrade-privx/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/SSHcom","download_url":"https://codeload.github.com/SSHcom/ansible-upgrade-privx/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SSHcom%2Fansible-upgrade-privx/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29632708,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-19T18:02:07.722Z","status":"ssl_error","status_checked_at":"2026-02-19T18:01:46.144Z","response_time":117,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2026-02-19T21:01:33.360Z","updated_at":"2026-02-19T21:01:34.125Z","avatar_url":"https://github.com/SSHcom.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"# PrivX Upgrade Automation – Ansible\n\n[![Ansible Tests](https://img.shields.io/github/actions/workflow/status/SSHcom/ansible-upgrade-privx/ansible-tests.yml?style=for-the-badge\u0026label=Ansible%20Tests)](https://github.com/SSHcom/ansible-upgrade-privx/actions)\n[![Last Commit](https://img.shields.io/github/last-commit/SSHcom/ansible-upgrade-privx.svg?style=for-the-badge)](https://github.com/SSHcom/ansible-upgrade-privx/commits)\n\nThis repository contains 
Ansible-based upgrade processes for multi-node PrivX deployments. Two upgrade methods are available:\n\n- **Staged Upgrade** (`upgrade_privx.yml`) - Traditional upgrade with manual validation gates and explicit operator control at each stage\n- **Zero Downtime Upgrade (ZDU)** (`upgrade_privx_zdu.yml`) - Automated upgrade using PrivX's built-in ZDU scripts with no service interruption\n\nBoth processes are designed for safe production upgrades with proper validation and rollback readiness.\n\n---\n\n## Overview\n\nThe upgrade process is now split into two separate playbooks for better organization:\n\n### PrivX Core Upgrade (`upgrade_privx.yml`):\n1. **Backup validation** (mandatory confirmation)\n2. **RPM availability validation** (check target version exists on primary node)\n3. **Stop PrivX on all secondary nodes** \n4. **Upgrade PrivX on primary node**\n5. **Manual validation of primary node**\n6. **Upgrade PrivX on secondary nodes**\n\n### PrivX Zero Downtime Upgrade (`upgrade_privx_zdu.yml`) - Alternative:\n1. **Backup validation** (mandatory confirmation)\n2. **ZDU version compatibility check** (max one major version behind)\n3. **RPM availability validation** (check target version exists on all nodes)\n4. **Execute upgrade_first_stage.sh on all nodes** (with 30s stabilization wait)\n5. **Validate all nodes have target version**\n6. **Execute upgrade_second_stage.sh on primary node only**\n\n### PrivX Extender Upgrade (`upgrade_extenders.yml`) - Optional:\n1. **Extender configuration file validation** (check required config files exist)\n2. **Extender RPM availability validation** (check on first extender node)\n3. **Configuration backup and upgrade process** (backup → upgrade → deploy config → postinstall)\n\n### PrivX Web Access Gateway Upgrade (`upgrade_wag.yml`) - Optional:\n1. **WAG configuration file validation** (check carrier and webproxy config files exist)\n2. **WAG RPM availability validation** (check PrivX-Carrier and PrivX-Web-Proxy packages)\n3. 
**Paired upgrade process** (upgrade carrier → webproxy pairs sequentially)\n\n**⚠️ CRITICAL: WAG Pairing Requirements**\n- Carrier and Web-Proxy nodes work in pairs and must be configured correctly\n- Nodes must be listed in the same order in both `[privxcarrier]` and `[privxwebproxy]` groups\n- Incorrect pairing can result in service downtime during upgrades\n\n---\n\n## Assumptions\n\n- **PrivX repository is enabled on all machines**\n- **PrivX-Extender repository is enabled on extender machines** (if using extenders)\n- **PrivX-Carrier and PrivX-Web-Proxy repositories are enabled on WAG machines** (if using WAG)\n- PrivX is assumed to automatically start after the package upgrade\n- PrivX-Extender works in pairs for High Availability and must be upgraded one by one\n- **PrivX-Carrier and PrivX-Web-Proxy work in pairs and must be configured in matching order**\n- The playbooks do not explicitly start the services\n\n---\n\n## Inventory Structure\n\nInventory must define separate host groups:\n\n```ini\n[privx_primary]\nprivx-node1.example.com\n\n[privx_additional_nodes]\nprivx-node2.example.com\nprivx-node3.example.com\nprivx-node4.example.com\n\n[privxextender]\n# Add your PrivX Extender nodes here\n# extender-node1.example.com\n# extender-node2.example.com\n\n[privxcarrier]\n# Add your PrivX Carrier nodes here\n# ⚠️ CRITICAL: List nodes in pairing sequence!\n# carrier-node1.example.com\n# carrier-node2.example.com\n\n[privxwebproxy]\n# Add your PrivX WebProxy nodes here\n# ⚠️ CRITICAL: Must match Carrier node order!\n# webproxy-node1.example.com  # Pairs with carrier-node1\n# webproxy-node2.example.com  # Pairs with carrier-node2\n\n[all:vars]\nprivx_target_version=40.0\nprivx_validation_file=\"/tmp/privx_validation_done-{{ privx_target_version }}\"\nextender_stabilization_wait=30\nwag_pair_stabilization_wait=30\nzdu_stabilization_wait=30\nREMOTE_USER=rocky\nBECOME=yes\n# StrictHostKeyChecking=no disables SSH host key verification for every host, so the control node cannot detect an impersonated node; omit it where host keys are already in known_hosts\nansible_ssh_extra_args='-o StrictHostKeyChecking=no'\n```\n\n---\n\n## Repository 
Structure\n\n```text\n.\n├── upgrade_privx.yml          # Main PrivX upgrade playbook\n├── upgrade_privx_zdu.yml      # PrivX Zero Downtime Upgrade playbook\n├── upgrade_extenders.yml      # PrivX-Extender upgrade playbook\n├── upgrade_wag.yml            # PrivX Web Access Gateway upgrade playbook\n├── inventory/\n│   └── hosts.ini             # Inventory file with host groups\n├── configuration_files/       # Component configuration files\n│   └── README.md             # Configuration file instructions\n└── tasks/                    # Individual task files (organized by component)\n    ├── upgrade_privx/        # PrivX core upgrade tasks\n    │   ├── backup_validation.yml\n    │   ├── rpm_validation.yml\n    │   ├── stop_secondary.yml\n    │   ├── upgrade_primary.yml\n    │   ├── upgrade_secondary.yml\n    │   ├── version_check.yml\n    │   ├── zdu_version_check.yml\n    │   ├── zdu_first_stage.yml\n    │   ├── zdu_version_validation.yml\n    │   └── zdu_second_stage.yml\n    ├── upgrade_extender/     # PrivX-Extender upgrade tasks\n    │   ├── extender_config_validation.yml\n    │   ├── extender_rpm_validation.yml\n    │   └── upgrade_extenders.yml\n    └── upgrade_wag/          # PrivX Web Access Gateway upgrade tasks\n        ├── wag_config_validation.yml\n        ├── wag_rpm_validation.yml\n        ├── upgrade_wag_pair.yml\n        ├── upgrade_carrier.yml\n        └── upgrade_webproxy.yml\n```\n\n---\n\n## Configuration Variables\n\n### Required\n\n- `privx_target_version`  \n  Target PrivX version to upgrade to (defined in inventory).\n  **⚠️ IMPORTANT**: Consult the \"Supported upgrade paths\" section in the PrivX product release notes before setting this value. 
Not all version upgrades are supported directly - some may require intermediate upgrades.\n\n- `privx_validation_file`  \n  Path to validation marker file (defined in inventory).\n\n### Safety / Control Variables\n\n- `privx_backup_confirmed` (boolean, default: false)  \n  Must be explicitly set to `true` to proceed with the primary upgrade.\n\n\n### ZDU Configuration Settings\n\n- `zdu_stabilization_wait` (integer, default: 30)  \n  Wait time in seconds for system stabilization after first stage upgrade execution.  \n  Applied once globally after all nodes complete first stage.\n\n### ZDU Version Compatibility\n\n- **Maximum version gap**: One major version behind target\n- **Valid upgrade paths**: \n  - `40.x → 41.x` (major version upgrade)\n  - `41.0 → 41.5` (minor version upgrade)\n  - `41.2 → 41.8` (patch version upgrade)\n- **Invalid upgrade paths**:\n  - `39.x → 41.x` (more than one major version gap)\n  - Use standard upgrade process for incompatible version gaps\n\n### Extender Configuration Files\n\nFor extender upgrades, configuration files are required in the `configuration_files/` directory:\n- **Naming convention**: `\u003cinventory_hostname\u003e-extender-config.toml`\n- **Source**: Downloaded from PrivX UI after core upgrade\n- **Timing**: Must be obtained after PrivX core upgrade completion\n- **Manual changes**: Apply any necessary configuration modifications before saving\n\n**ℹ️ Extender Configuration Versions**\n\nPrivX supports two extender configuration formats, both fully supported in PrivX 42.0 and future versions:\n\n**V1 Configuration:**\n```toml\nextender_mode = \"\"\n```\n- Traditional extender configuration format\n- Fully supported in all PrivX versions including 42.0+\n- Suitable for standard extender deployments\n\n**V2 Configuration (Available in PrivX 42.0+):**\n```toml\nextender_mode = \"normal\"   # Standard extender mode\nextender_mode = \"forward\"  # Forward mode\nextender_mode = \"passive\"  # Passive mode\n```\n- Introduces 
new operating modes for advanced use cases\n- Provides additional flexibility for complex deployments\n- Optional - use only if your deployment requires these modes\n\n**Configuration Selection:**\n- **Both V1 and V2 are fully supported** - choose based on your use case\n- Download the appropriate configuration from PrivX UI after core upgrade\n- The playbook will detect and display which version you're using\n- No action required if using V1 - it's fully compatible with PrivX 42.0+\n\n**Example**: If your inventory has:\n```ini\n[privxextender]\nextender-node1.example.com\nextender-node2.example.com\n```\n\nYou need these files:\n```\nconfiguration_files/extender-node1.example.com-extender-config.toml\nconfiguration_files/extender-node2.example.com-extender-config.toml\n```\n\n### Extender Upgrade Settings\n\n- `extender_stabilization_wait` (integer, default: 30)  \n  Wait time in seconds for extender service to stabilize after upgrade and configuration deployment.  \n  **Note**: Only applies when there are multiple extender nodes (for High Availability scenarios).\n\n### Extender Postinstall Timeout\n\n- **Timeout**: 120 seconds (2 minutes)\n- **Behavior**: If the extender postinstall script times out or fails:\n  - Script output (stdout/stderr) is displayed\n  - Detailed troubleshooting instructions are provided\n  - Playbook execution stops for manual intervention\n  - User must resolve the issue before continuing\n\n### Extender Backup Behavior\n\n- **Version-specific backups**: Each upgrade version creates its own backup file\n- **Naming convention**: `extender-config.toml.backup-pre-upgrade-\u003cversion\u003e`\n- **Idempotent**: Only creates backup once per version (safe to re-run)\n- **Example**: `extender-config.toml.backup-pre-upgrade-40.0`\n\n### WAG Configuration Files\n\nFor WAG upgrades, configuration files are required in the `configuration_files/` directory:\n- **Carrier naming convention**: `\u003cinventory_hostname\u003e-carrier-config.toml`\n- 
**WebProxy naming convention**: `\u003cinventory_hostname\u003e-web-proxy-config.toml`\n- **Source**: Downloaded from PrivX UI after core upgrade\n- **Timing**: Must be obtained after PrivX core upgrade completion\n- **Manual changes**: Apply any necessary configuration modifications before saving\n\n**Example**: If your inventory has:\n```ini\n[privxcarrier]\ncarrier-site1.example.com\ncarrier-site2.example.com\n\n[privxwebproxy]\nwebproxy-site1.example.com\nwebproxy-site2.example.com\n```\n\nYou need these files:\n```\nconfiguration_files/carrier-site1.example.com-carrier-config.toml\nconfiguration_files/carrier-site2.example.com-carrier-config.toml\nconfiguration_files/webproxy-site1.example.com-web-proxy-config.toml\nconfiguration_files/webproxy-site2.example.com-web-proxy-config.toml\n```\n\n### WAG Backup Behavior\n\n- **Version-specific backups**: Each upgrade version creates its own backup files\n- **Carrier naming**: `carrier-config.toml.backup-pre-upgrade-\u003cversion\u003e`\n- **WebProxy naming**: `web-proxy-config.toml.backup-pre-upgrade-\u003cversion\u003e`\n- **Idempotent**: Only creates backup once per version (safe to re-run)\n- **Examples**: \n  - `carrier-config.toml.backup-pre-upgrade-40.0`\n  - `web-proxy-config.toml.backup-pre-upgrade-40.0`\n\n### WAG Postinstall Timeout\n\n- **Timeout**: 120 seconds (2 minutes) for both carrier and webproxy postinstall scripts\n- **Behavior**: If any postinstall script times out or fails:\n  - Script output (stdout/stderr) is displayed\n  - Component-specific troubleshooting instructions are provided\n  - Playbook execution stops for manual intervention\n  - User must resolve the issue before continuing\n\n\n---\n\n## Safety Gates\n\n### Backup Confirmation\n\nBefore any upgrade begins, the operator must confirm backups are taken:\n\n```bash\n-e privx_backup_confirmed=true\n```\n\nIf not provided, the playbook will fail immediately with a clear message.\n\n---\n\n### Version-Specific Validation 
Marker\n\nAfter upgrading and validating the primary node, the operator must create a\nversion-specific validation file on the primary node:\n\n```text\n/tmp/privx_validation_done-\u003cPRIVX_TARGET_VERSION\u003e\n```\n\nExample for version 40.0:\n\n```bash\ntouch /tmp/privx_validation_done-40.0\n```\n\nSecondary nodes will not upgrade unless this file exists on the primary node.\n\n---\n\n## Execution\n\n### Standard PrivX Upgrade Process\n\n#### Phase 1 – Backup validation, RPM validation, stop secondary nodes, and upgrade primary\n\n```bash\nansible-playbook -i inventory --tags primary_upgrade upgrade_privx.yml \\\n  -e privx_backup_confirmed=true\n```\n\nThis phase performs:\n1. **Backup validation check** (runs once on primary)\n2. **RPM availability validation** (checks target version exists on all nodes)\n3. **Stops PrivX on ALL secondary nodes** simultaneously\n4. **Upgrades PrivX on the primary node**\n5. **Displays validation instructions**\n\n---\n\n#### Phase 2 – Manual validation\n\nValidate PrivX functionality on the primary node.\n\nWhen validation is complete, create the marker file on the **primary node**:\n\n```bash\ntouch /tmp/privx_validation_done-40.0\n```\n\n---\n\n#### Phase 3 – Upgrade secondary nodes\n\n```bash\nansible-playbook -i inventory --tags secondary_upgrade upgrade_privx.yml\n```\n\nThis phase:\n- Verifies the validation marker exists on the primary node\n- Upgrades PrivX on all secondary nodes\n\n---\n\n### Zero Downtime Upgrade (ZDU) Process - Alternative\n\n**⚠️ ZDU Requirements:**\n- Current PrivX version must be at most **one major version behind** the target\n- Valid upgrade paths: `40.x → 41.x`, `41.0 → 41.5`, etc.\n- Invalid paths: `39.x → 41.x` (use standard upgrade instead)\n\n#### Single Command ZDU Execution\n\n```bash\nansible-playbook -i inventory upgrade_privx_zdu.yml \\\n  -e privx_backup_confirmed=true\n```\n\nThis process performs:\n1. **Backup validation check** (mandatory confirmation)\n2. 
**ZDU version compatibility check** (validates upgrade path)\n3. **RPM availability validation** (checks target version on all nodes)\n4. **Execute upgrade_first_stage.sh** on all nodes (serial execution with 30s wait)\n5. **Validate target version** installed on all nodes\n6. **Execute upgrade_second_stage.sh** on primary node only\n7. **Service verification** and completion confirmation\n\n**Key ZDU Benefits:**\n- **No service downtime** during upgrade process\n- **Automatic rollback** if first stage fails on any node\n- **Built-in validation** at each stage\n- **Single command execution** (no manual intervention required)\n\n### Upgrade PrivX-Extender nodes (Optional - Separate Playbook)\n\n**Prerequisites**: After completing PrivX core upgrade, you must:\n1. Log into PrivX UI\n2. Download new version extender configuration files\n3. Make any necessary configuration changes manually\n4. Place files in `configuration_files/` directory using naming convention: `\u003cinventory_hostname\u003e-extender-config.toml`\n\n```bash\nansible-playbook -i inventory upgrade_extenders.yml\n```\n\nThis phase:\n- **Validates extender configuration files** exist for each node\n- Validates PrivX-Extender RPM availability on the first extender node\n- **Backs up existing configuration** (version-specific: `.backup-pre-upgrade-\u003cversion\u003e`)\n- **Only backs up once per version** (skips if backup already exists)\n- Upgrades PrivX-Extender nodes **one by one** to maintain High Availability\n- **Conditionally deploys new configuration** (only if RPM upgrade occurred)\n- **Conditionally runs postinstall script** (only if RPM upgrade occurred)\n- **Includes stabilization wait** between upgrades (only when multiple extenders present)\n\n### Upgrade PrivX Web Access Gateway (Optional - Separate Playbook)\n\n**⚠️ CRITICAL PAIRING REQUIREMENTS:**\n- Carrier and WebProxy nodes work in pairs for High Availability\n- Nodes must be listed in **identical order** in both inventory groups\n- 
First carrier pairs with first webproxy, second with second, etc.\n- **Incorrect pairing will cause service downtime during upgrades**\n\n**Prerequisites**: After completing PrivX core upgrade, you must:\n1. Log into PrivX UI\n2. Download new version carrier and webproxy configuration files\n3. Make any necessary configuration changes manually\n4. Place files in `configuration_files/` directory using naming conventions:\n   - `\u003cinventory_hostname\u003e-carrier-config.toml`\n   - `\u003cinventory_hostname\u003e-web-proxy-config.toml`\n\n```bash\nansible-playbook -i inventory upgrade_wag.yml\n```\n\nThis phase:\n- **Validates WAG configuration files** exist for each carrier and webproxy node\n- Validates PrivX-Carrier and PrivX-Web-Proxy RPM availability\n- **Validates node pairing** (equal number of carrier and webproxy nodes)\n- Upgrades WAG components **in pairs** (Carrier-1 → WebProxy-1 → Carrier-2 → WebProxy-2)\n- **Version-specific backups** for both carrier and webproxy configurations\n- **Conditional configuration deployment** and postinstall execution\n- **Configurable wait times** between pairs\n\n**Pairing Example:**\n```ini\n[privxcarrier]\ncarrier-site1.example.com    # Pair 1\ncarrier-site2.example.com    # Pair 2\n\n[privxwebproxy]  \nwebproxy-site1.example.com   # Pair 1 (matches carrier-site1)\nwebproxy-site2.example.com   # Pair 2 (matches carrier-site2)\n```\n\n**Note**: WAG components work in pairs and must be upgraded sequentially to maintain High Availability.\n\n---\n\n## Key Improvements\n\n- **Correct sequencing**: Secondary nodes are stopped BEFORE primary upgrade begins\n- **Parallel operations**: All secondary nodes are stopped simultaneously\n- **Clean structure**: Direct task inclusion without unnecessary role overhead\n- **Proper host targeting**: Each stage targets the appropriate host groups\n- **Organized task structure**: Tasks grouped by component (upgrade_privx/, upgrade_extender/)\n- **Version-specific backups**: Extender 
configs backed up per version with clear naming\n- **Conditional execution**: Config deployment and postinstall only run when needed\n- **Smart stabilization**: Wait time only applies when multiple extenders present\n- **Idempotent operations**: Safe to re-run without side effects\n\n---\n\n## Idempotency and Re-runs\n\n- The playbook is safe to re-run\n- Secondary upgrades cannot proceed without validation marker\n- Validation is tied to the target version\n- No reliance on inventory ordering\n\n---\n\n## Design Principles\n\n- **Explicit operator intent** required at each stage\n- **Manual validation gates** prevent automatic progression\n- **No long-running waits** or blocking operations\n- **CI/CD friendly** with clear stage separation\n- **Safe for production** PrivX clusters\n- **Idempotent operations** - safe to re-run multiple times\n- **Version-aware backups** - each upgrade version tracked separately\n- **Conditional execution** - only perform necessary operations\n- **High Availability aware** - respects HA requirements for extenders\n\n---\n\n## Troubleshooting\n\n### Common Issues\n\n1. **Variables not found**: Ensure all required variables are defined in inventory\n2. **Secondary nodes not stopping**: Check host group membership and connectivity\n3. **Validation file not found**: Ensure the file is created on the primary node with correct path\n4. **ZDU version compatibility failure**: Current version is more than one major version behind target\n5. **ZDU first stage failure**: Check PrivX logs and system resources on failed nodes\n6. **ZDU version validation failure**: First stage didn't properly install target version\n7. **Extender postinstall timeout**: Script exceeded 2-minute timeout (check logs and troubleshoot manually)\n8. **WAG config files missing**: Download from PrivX UI and place in `configuration_files/` directory\n9. **WAG node pairing mismatch**: Ensure equal number of carrier and webproxy nodes in correct order\n10. 
**WAG pairing sequence error**: Verify carrier and webproxy nodes are listed in matching order\n11. **WAG postinstall timeout**: Carrier or webproxy postinstall exceeded 2-minute timeout\n12. **Template rendering errors**: Ensure `privx_target_version` is properly defined as string or number\n13. **Backup already exists**: Normal behavior - version-specific backups prevent duplicates\n\n### Debug Commands\n\n```bash\n# Check inventory groups\nansible-inventory -i inventory --list\n\n# Test connectivity\nansible -i inventory all -m ping\n\n# Verify variables\nansible -i inventory all -m debug -a \"var=privx_target_version\"\n\n# Check WAG configuration files\nls -la configuration_files/*-carrier-config.toml configuration_files/*-web-proxy-config.toml\n\n# Verify WAG backup files\nansible -i inventory privxcarrier -m shell -a \"ls -la /opt/privx/etc/carrier-config.toml*\"\nansible -i inventory privxwebproxy -m shell -a \"ls -la /opt/privx/etc/web-proxy-config.toml*\"\n\n# Verify WAG node pairing\nansible-inventory -i inventory --list | jq '.privxcarrier.hosts, .privxwebproxy.hosts'\n\n# Test ZDU version compatibility\nansible -i inventory privx_primary:privx_additional_nodes -m shell -a \"rpm -q PrivX --queryformat '%{VERSION}'\"\n\n# Check ZDU script availability\nansible -i inventory privx_primary:privx_additional_nodes -m shell -a \"ls -la /opt/privx/scripts/upgrade_*_stage.sh\"\n\n# Check extender configuration version (V1 vs V2)\ngrep \"extender_mode\" configuration_files/*-extender-config.toml\n\n# Verify extender configuration files exist\nls -la configuration_files/*-extender-config.toml\n\n```\n\n---\n\n## Notes\n\n- The playbook does not start the PrivX service explicitly\n- Always test upgrades in non-production environments first\n- Ensure proper backups before running any upgrade\n- Extender configuration files must be downloaded from PrivX UI after core upgrade\n- Carrier and WebProxy configuration files must be downloaded from PrivX UI after core 
upgrade\n- Version-specific backups allow for easy rollback if needed\n- Configuration deployment and postinstall only run when RPM upgrade occurs\n- Stabilization wait only applies when multiple extenders are present\n\n---\n\n## License\n\n[![See LICENSE](https://img.shields.io/github/license/SSHcom/ansible-upgrade-privx.svg?style=for-the-badge)](LICENSE)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsshcom%2Fansible-upgrade-privx","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsshcom%2Fansible-upgrade-privx","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsshcom%2Fansible-upgrade-privx/lists"}