Update Trust KPIs in an Air-Gapped Installation
Overview
Routing Director enables you to update Trust-related KPIs such as PBNs, Advisories, and so on to the latest version when your on-premise installation does not have access to the Internet. You can update Trust-related KPIs using the following Paragon Shell CLI command:

    request paragon trust data update hostname hostname
After you update the Trust-related KPIs, you can view the updated information on the Trust tab of the Health Dashboard (Observability > Health > Health Dashboard > Trust). The Trust tab displays the percentage and health of Trust-related KPIs on different accordions. Use this information to detect any changes in the Trust score and perform corrective actions, when necessary.
You must run this command only in a maintenance window to ensure there are no disruptions to network operation.
Update Trust KPIs using Paragon Shell
Perform the following steps to update the trust-related KPIs when your on-premise installation does not have access to the Internet:
1. Log in to a controller cluster node as the root user.
   You are logged in to Paragon Shell.
2. Type exit to exit to the Linux root shell.
3. Create a /data/trust folder on the node at the root level.
4. Securely copy the sirts.json, ascSWEol.json, ascHWEol.json, and pbn.json.gz files to the /data/trust folder on the node.
5. Identify the hostname of the node on which you copied the files, using the following command:

       kubectl get nodes -o wide --show-labels | awk -v OFS=' \t\t' '{print $1, $6, $13}'

   Map the IP address of the node on which the files are located to the hostname.

       root@hostname1:~# kubectl get nodes -o wide --show-labels | awk -v OFS=' \t\t' '{print $1, $6, $13}'
       NAME        INTERNAL-IP
       hostname1   10.1.2.3    beta.kubernetes.io/arch=amd64,beta.kubernetes.io/instance-type=rke2,beta.kubernetes.io/os=linux,kubernetes.io/arch=amd64,kubernetes.io/hostname=hostname1,kubernetes.io/os=linux,node-role.kubernetes.io/control-plane=true,node-role.kubernetes.io/etcd=true,node-role.kubernetes.io/master=true,node.kubernetes.io/instance-type=rke2,role=master
       hostname2   10.1.3.4    beta.kubernetes.io/arch=amd64,beta.kubernetes.io/instance-type=rke2,beta.kubernetes.io/os=linux,kubernetes.io/arch=amd64,kubernetes.io/hostname=hostname2,kubernetes.io/os=linux,node-role.kubernetes.io/control-plane=true,node-role.kubernetes.io/etcd=true,node-role.kubernetes.io/master=true,node.kubernetes.io/instance-type=rke2,role=master
       <Output Snipped>

   The hostname is displayed in the kubernetes.io/hostname=hostname format. For example, in the sample output, hostname1 is the hostname with IP address 10.1.2.3.
6. Type cli to re-enter Paragon Shell.
7. Update Trust-related KPIs using the following command:

       request paragon trust data update hostname hostname

   Where, hostname is the hostname of the node where the copied files are located.
   This command shuts down all the Trust pods and then starts a new Trust pod to update the data. Once the update process is completed, the command restarts Trust pods in the run mode and automatically resets their default replica values. The default replica values are minReplicas:2 and maxReplicas:5.
   For more information, see request paragon trust data update hostname.
8. (Optional) Monitor the status of the update job using the following command:

       request paragon debug logs namespace trust service network

   The command generates a logs-network-date_time.tar.gz log file. This log file is saved in the /root/troubleshooting/log directory.
   Note: The logs are available only for a short period after the Trust pods have been restarted.
   The following log indicates a successful update:

       {"caller":"cmd:serve.go:1144","level":"info","message":"Update file for sirts.json found.","timestamp":"1737990749063","ts":"2025-01-27T15:12:29.063465117Z"}
       {"caller":"cmd:serve.go:1160","level":"info","message":"Update file for pbn.json.gz found.","timestamp":"1737990749076","ts":"2025-01-27T15:12:29.076234873Z"}
       {"caller":"cmd:serve.go:1029","level":"info","message":"Update file for ascSwEol.json found.","timestamp":"1737990752433","ts":"2025-01-27T15:12:32.433507543Z"}
       {"caller":"cmd:serve.go:1049","level":"info","message":"Update file for ascHwEol.json found.","timestamp":"1737990752458","ts":"2025-01-27T15:12:32.458457932Z"}

   The following log indicates a partial update:

       {"caller":"cmd:serve.go:1740","level":"info","message":"Preload Checksum for sirts has not changed. No Update.","org_id":"76c5b9b7-0ad9-4614-ad8d-baddfb46108a","timestamp":"1737992169212","ts":"2025-01-27T15:36:09.212820833Z"}
       {"caller":"cmd:serve.go:1740","level":"info","message":"Preload Checksum for pbns has not changed. No Update.","org_id":"76c5b9b7-0ad9-4614-ad8d-baddfb46108a","timestamp":"1737992169215","ts":"2025-01-27T15:36:09.215643375Z"}
       {"caller":"cmd:serve.go:1744","id":"sweol","level":"info","message":"Preloading metadata","org_id":"76c5b9b7-0ad9-4614-ad8d-baddfb46108a","timestamp":"1737992169216","ts":"2025-01-27T15:36:09.216304717Z"}
       {"caller":"cmd:serve.go:1744","id":"hweol","level":"info","message":"Preloading metadata","org_id":"76c5b9b7-0ad9-4614-ad8d-baddfb46108a","timestamp":"1737992169394","ts":"2025-01-27T15:36:09.394893267Z"}

   The Trust database is automatically updated when Routing Director detects new or changed information.
9. Check the Trust tab on the Health Dashboard (Observability > Health > Health Dashboard > Trust) of the Routing Director GUI to verify the updates.
10. (Optional) To troubleshoot any errors that may occur when you update Trust-related KPIs, contact the Juniper Networks Technical Assistance Center (JTAC) team.
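The log check in the monitoring step can be scripted. The following is an added example, not Juniper code: it classifies update-job log lines by the two message patterns shown in the sample output. The function name, the verdict labels, and the "incomplete" case are this example's own, and it assumes the log text has already been extracted from the logs-network archive with one JSON object per line.

```python
import json
import re

# File names from the copy step, lower-cased: the page's sample log spells two
# of them ascSwEol.json / ascHwEol.json, so names are compared case-insensitively.
EXPECTED_FILES = {"sirts.json", "pbn.json.gz", "ascsweol.json", "aschweol.json"}
FOUND_RE = re.compile(r"^Update file for (\S+) found\.$")
UNCHANGED_RE = re.compile(r"^Preload Checksum for (\S+) has not changed\. No Update\.$")

# Constructed sample input, abridged from the page's sample log output.
SUCCESS_SAMPLE = [
    '{"caller":"cmd:serve.go:1144","level":"info","message":"Update file for sirts.json found."}',
    '{"caller":"cmd:serve.go:1160","level":"info","message":"Update file for pbn.json.gz found."}',
    '{"caller":"cmd:serve.go:1029","level":"info","message":"Update file for ascSwEol.json found."}',
    '{"caller":"cmd:serve.go:1049","level":"info","message":"Update file for ascHwEol.json found."}',
]
PARTIAL_SAMPLE = [
    '{"level":"info","message":"Preload Checksum for sirts has not changed. No Update."}',
    '{"level":"info","message":"Preload Checksum for pbns has not changed. No Update."}',
    '{"id":"sweol","level":"info","message":"Preloading metadata"}',
    '{"id":"hweol","level":"info","message":"Preloading metadata"}',
]


def summarize_trust_update(lines):
    """Classify Trust update log lines (one JSON object per line)."""
    found, unchanged, preloaded, unparsed = set(), set(), set(), 0
    for line in filter(None, (raw.strip() for raw in lines)):
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            record = None
        if not isinstance(record, dict):
            unparsed += 1  # not a JSON log record; count it rather than guess
            continue
        message = str(record.get("message", ""))
        if m := FOUND_RE.match(message):
            found.add(m.group(1).lower())
        elif m := UNCHANGED_RE.match(message):
            unchanged.add(m.group(1))
        elif message == "Preloading metadata" and "id" in record:
            preloaded.add(str(record["id"]))
    missing = EXPECTED_FILES - found
    # Verdict labels are this example's own: the page calls a log with
    # "has not changed ... No Update." entries a partial update.
    verdict = "partial" if unchanged else ("successful" if not missing else "incomplete")
    return {"verdict": verdict, "missing_files": sorted(missing),
            "unchanged": sorted(unchanged), "preloaded": sorted(preloaded),
            "unparsed_lines": unparsed}
```

Because the logs are available only for a short period after the Trust pods restart, collect the archive immediately after the update and keep the summary with the maintenance-window record.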