CSM 1.7.1-patch.1 Installation Instructions

Introduction

This document guides an administrator through the patch update to Cray Systems Management (CSM) 1.7.1-patch.1. The update is supported only from CSM 1.7.1 onwards.

Bug fixes and improvements

  • Fixes for USS 1.5.1-1's blancapeak boot failure
  • CVE-2026-31431 - CVE Copy Fail
  • CVE-2026-46333 - Fixed CVE ptrace

Steps

  1. Preparation
  2. Prepare for the patch Upgrade
  3. Create product_vars.yaml
  4. IUF Stage: process-media and pre-install-check
  5. IUF Stage: deliver-product
  6. IUF Stage: management-nodes-rollout
  7. Update test suite packages
  8. Verification
  9. Complete upgrade

Preparation

  1. Validate CSM health.

    See Validate CSM Health.

    Run the CSM health checks to ensure that everything is working properly before the upgrade starts. After the upgrade is completed, another health check is performed. It is important to know if any problems observed at that time existed prior to the upgrade.

  2. (ncn-m001#) Start a typescript on ncn-m001 to capture the commands and output from this procedure.

    script -af csm-update.$(date +%Y-%m-%d).txt
    export PS1='\u@\H \D{%Y-%m-%d} \t \w # '
    
  3. Download and extract the CSM v1.7.1-patch.1 release to ncn-m001.

    See Download and Extract CSM Product Release.

  4. (ncn-m001#) Set CSM_DISTDIR to the directory of the extracted files.

    IMPORTANT: Modify the command as necessary to match the actual location of the extracted files.

    export CSM_DISTDIR="$(pwd)/csm-1.7.1-patch.1"
    echo "${CSM_DISTDIR}"
    
  5. (ncn-m001#) Set CSM_RELEASE_VERSION to the CSM release version.

    export CSM_RELEASE_VERSION="$(${CSM_DISTDIR}/lib/version.sh --version)"
    echo "${CSM_RELEASE_VERSION}"
    
  6. Download and install/upgrade the latest CSM documentation on ncn-m001.

    See Check for Latest Documentation.

Prepare for the patch Upgrade

Follow steps 1 - 4 of the Prepare for the Install or Upgrade procedure.

The CSM product distribution file should be available in the media directory now.

Create product_vars.yaml

In the MEDIA_DIR directory configured in the preparation step, create a new product_vars.yaml file with the following content:

# Copyright 2022-2026 Hewlett Packard Enterprise Development LP
---
# override product specific branch values with product specific
# entries in site_vars.yaml

csm:
  version: 1.7.1-patch1

Save the file and proceed to the next step.

IUF Stage: process-media and pre-install-check

  1. Using the IUF activity configured in the previous step, run the process-media stage as described in Execute the IUF process-media and pre-install-check stages.

  2. This should ensure that the CSM product distribution file is unpacked and available in the media directory.

IUF Stage: deliver-product

  1. Run the deliver-product stage of IUF with the below command:

    iuf -a ${ACTIVITY_NAME} -m "${MEDIA_DIR}" run \
       -rv "${MEDIA_DIR}"/product_vars.yaml -r deliver-product
    
  2. At the end of this stage, check the file /etc/cray/upgrade/csm/myenv. Its content should be similar to the example below:

    export CSM_ARTI_DIR=/etc/cray/upgrade/csm/patch-install/csm-1.7.1-patch.11
    export CSM_RELEASE=1.7.1-patch.1
    export CSM_REL_NAME=csm-1.7.1-patch.1
    export SECURE_STORAGE_IMAGE_ID=10bb9f73-0ca0-46dc-bb0f-d5e15dbeef36
    export SECURE_K8S_IMAGE_ID=04e06407-4b12-4401-8168-cd7683e1fa4d
    export MASTER_CONFIG=management-25.9.0-rc.4-prodinst
    export WORKER_CONFIG=management-25.9.0-rc.4-prodinst
    export STORAGE_CONFIG=storage-25.9.0-rc.4-prodinst    
    export FINAL_MASTER_IMAGE_ID=97d5a71e-0c50-4ad2-bcce-5fff8f130f5d
    export FINAL_WORKER_IMAGE_ID=ccc2cce7-2fee-4d2a-8115-69e6a76fca28
    export FINAL_STORAGE_IMAGE_ID=0bb6a504-cc96-4684-80bc-57da92104be0
    
  3. This stage creates the new image based on the base images provided by the patch with the CFS configuration currently used by the master, worker and storage nodes.

  4. The myenv file shown above has the image IDs and CFS configurations to be used for the next step.
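As an added example (not part of the CSM documentation or HPE tooling), the check in step 2 can be scripted so that the file is inspected before it is sourced as root in the next stage. The function accepts only plain `export NAME=value` lines, requires the variables used by the rollout commands, and expects image IDs to be UUID-shaped; these acceptance rules and the name `check_myenv` are assumptions of this sketch.

```bash
# Added example, not HPE/CSM code. Variable names are taken from the myenv
# example above; the acceptance rules below are assumptions of this sketch.
REQUIRED_VARS="CSM_ARTI_DIR CSM_RELEASE CSM_REL_NAME MASTER_CONFIG WORKER_CONFIG
STORAGE_CONFIG FINAL_MASTER_IMAGE_ID FINAL_WORKER_IMAGE_ID FINAL_STORAGE_IMAGE_ID"

# check_myenv FILE EXPECTED_RELEASE
# Returns 0 only if every non-blank line is "export NAME=value" with no
# shell metacharacters, image IDs are UUID-shaped, all required variables are
# present, and CSM_RELEASE equals EXPECTED_RELEASE.
check_myenv() {
    file=$1 expected=$2 rc=0 seen=" " release=""
    [ -r "$file" ] || { echo "ERROR: cannot read $file" >&2; return 1; }
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(printf '%s\n' "$line" | sed 's/[[:space:]]*$//')  # drop trailing blanks
        [ -n "$line" ] || continue
        if ! printf '%s\n' "$line" |
            grep -Eq '^export [A-Z][A-Z0-9_]*=[A-Za-z0-9._/-]+$'; then
            echo "REJECT: not a plain export assignment: $line" >&2
            rc=1
            continue
        fi
        name=${line#export }; name=${name%%=*}; value=${line#*=}
        seen="$seen$name "
        case $name in
            CSM_RELEASE) release=$value ;;
            *_IMAGE_ID)
                printf '%s\n' "$value" |
                    grep -Eq '^[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}$' ||
                    { echo "REJECT: $name is not a UUID: $value" >&2; rc=1; } ;;
        esac
    done < "$file"
    for name in $REQUIRED_VARS; do
        case $seen in
            *" $name "*) ;;
            *) echo "MISSING: $name" >&2; rc=1 ;;
        esac
    done
    [ "$release" = "$expected" ] ||
        { echo "MISMATCH: CSM_RELEASE='$release', expected '$expected'" >&2; rc=1; }
    return "$rc"
}
```

On ncn-m001 this would be called as `check_myenv /etc/cray/upgrade/csm/myenv 1.7.1-patch.1` before the `source` command in the next section; a non-zero return means the file should be inspected by hand first.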

IUF Stage: management-nodes-rollout

  1. Run the management-nodes-rollout stage of IUF to roll out the image and configuration for master, worker and storage nodes.

  2. (ncn-m001#) Set upgrade variables.

    source /etc/cray/upgrade/csm/myenv
    
  3. Follow the order mentioned here.

  4. Use the commands below, replacing the node names according to the order mentioned in the step above:

    For Storage Nodes:

    (ncn-m001#)

    iuf -a "${ACTIVITY_NAME}" -m "${MEDIA_DIR}" run \
       --set-management-config "${STORAGE_CONFIG}" \
       --set-management-image "${FINAL_STORAGE_IMAGE_ID}" \
       -r management-nodes-rollout --limit-management-rollout ${NODE_NAME}
    

    For Master Nodes: ncn-m002,ncn-m003

    (ncn-m001#)

    iuf -a "${ACTIVITY_NAME}" -m "${MEDIA_DIR}" run \
       --set-management-config "${MASTER_CONFIG}" \
       --set-management-image "${FINAL_MASTER_IMAGE_ID}" \
       -r management-nodes-rollout --limit-management-rollout ${NODE_NAME}
    

    For Worker Nodes:

    (ncn-m001#)

    iuf -a "${ACTIVITY_NAME}" -m "${MEDIA_DIR}" run \
       --set-management-config "${WORKER_CONFIG}" \
       --set-management-image "${FINAL_WORKER_IMAGE_ID}" \
       -r management-nodes-rollout --limit-management-rollout ${NODE_NAME}
    

    For Master Nodes: ncn-m001

    (ncn-m002#)

    iuf -a "${ACTIVITY_NAME}" -m "${MEDIA_DIR}" run \
       --set-management-config "${MASTER_CONFIG}" \
       --set-management-image "${FINAL_MASTER_IMAGE_ID}" \
       -r management-nodes-rollout --limit-management-rollout ${NODE_NAME}
    

NOTE: More than one node can be rolled out at a time using the above command.

  5. Use the IUF CLI output and the Argo UI to track the success of the rollout.

Update test suite packages

(ncn-m001#) Update select RPMs on the NCNs.

/usr/share/doc/csm/upgrade/scripts/upgrade/util/upgrade-test-rpms.sh

On success, the output should end with the following:

Enabling and restarting goss-servers
SUCCESS

Verification

  1. Verify that the new CSM version is in the product catalog.

    (ncn-m001#) Verify that the new CSM version is listed in the output of the following command:

    kubectl get cm cray-product-catalog -n services -o jsonpath='{.data.csm}' | yq r -j - | jq -r 'to_entries[] | .key' | sort -V
    

    Example output that includes the new CSM version (1.7.1-patch.1):

    0.9.2
    0.9.3
    0.9.4
    0.9.5
    0.9.6
    1.0.1
    1.0.10
    1.2.0
    1.2.1
    1.2.2
    1.3.0
    1.3.1
    1.4.0
    1.4.1
    1.4.2
    1.4.3
    1.4.4
    1.5.0
    1.5.1
    1.5.2
    1.5.3
    1.7.0
    1.7.1
    1.7.1-patch.1
    
  2. Confirm that the product catalog has an accurate timestamp for the CSM upgrade.

    (ncn-m001#) Confirm that the import_date reflects the timestamp of the upgrade.

    kubectl get cm cray-product-catalog -n services -o jsonpath='{.data.csm}' | yq r  - '"1.7.1-patch.1".configuration.import_date'
    

Complete upgrade

(ncn-m001#) Remember to exit the typescript that was started at the beginning of the upgrade.

exit

It is recommended to save the typescript file for later reference.