Skip to main content

Upgrade Self-Hosted Teleport Clusters on Linux

This guide explains how to upgrade self-hosted Teleport clusters running on Linux servers.

Prerequisites

  • Familiarity with the Upgrading Compatibility Overview guide, which describes the sequence in which to upgrade components of your cluster.

  • A self-hosted Teleport cluster in which the Auth Service and Proxy Service run on Linux servers.

    If you are running more than one Auth Service instance, you must reduce the size of the Auth Service instance pool to one in order to perform an upgrade.

  • The tctl and tsh client tools version >= 14.3.33.

    $ tctl version
    # Teleport v14.3.33 go1.21

    $ tsh version
    # Teleport v14.3.33 go1.21
  • To check that you can connect to your Teleport cluster, sign in with tsh login, then verify that you can run tctl commands using your current credentials. tctl is supported on macOS and Linux machines.

    For example:

    $ tsh login --proxy=teleport.example.com --user=email@example.com
    $ tctl status
    # Cluster teleport.example.com
    # Version 14.3.33
    # CA pin sha256:abdc1245efgh5678abdc1245efgh5678abdc1245efgh5678abdc1245efgh5678

    If you can connect to the cluster and run the tctl status command, you can use your current credentials to run subsequent tctl commands from your workstation. If you host your own Teleport cluster, you can also run tctl commands on the computer that hosts the Teleport Auth Service for full permissions.

Upgrade Teleport binaries

Complete the following steps on all servers that run the Auth Service and Proxy Service, then on each of your agents:

  1. Install the latest Teleport version on the host.

    Select an edition, then follow the instructions for that edition to install Teleport.

    The following command updates the repository for the package manager on the local operating system and installs the provided Teleport version:

    $ curl https://cdn.teleport.dev/install-v14.3.33.sh | bash -s 14.3.33
  2. Confirm that the version of the teleport binary is the one you expect:

    $ teleport version
  3. Now that you have installed a more recent teleport binary on your Auth Service and Proxy Service servers, restart Teleport on these servers to run the new version.

    Configure your Teleport instance to start automatically when the host boots up by creating a systemd service for it. The instructions depend on how you installed your Teleport instance.

    On the host where you will run your Teleport instance, enable and start Teleport:

    $ sudo systemctl enable teleport
    $ sudo systemctl start teleport

    You can check the status of your Teleport instance with systemctl status teleport and view its logs with journalctl -fu teleport.