Features Available During Zero-Downtime Upgrade
During Zero-Downtime Upgrade (ZDU) PrivX enters maintenance mode. In this mode the available features are limited to:
- Logging into PrivX
- Connecting to hosts
Maintenance mode starts when first-stage upgrade is performed on any PrivX Server, and ends when the second-stage upgrade is finalized. For more information about ZDU, see Zero-Downtime Upgrade.
Exceptions With User Login During ZDU
Existing PrivX users including OIDC users can log in. OIDC users can even perform first-time login. However, user data will be read-only, which causes the following limitations:
- Local users cannot change their account data, such as passwords.
- Users who have MFA enabled but unconfigured cannot configure or log into PrivX.
Directory configurations cannot be changed, though new users can be added via user directory scanning or pushing (SCIM). However, we recommended minimizing manual scanning and pushing during upgrade.
Exceptions With Host Connections During ZDU
Note that the following connection features are unavailable during ZDU:
- Network-target connections (OT sessions).
- Assigning access roles to connections
- Indexing SSH connections
Note that connection metadata is created once and will be read-only until maintenance mode is over. Network-related data for ongoing connections is updated, but administrative data is frozen. Users can create, monitor, terminate, search, and index-search connections. Session recording (including file transfers) works normally.
Other Exceptions During ZDU
Some other notable exceptions to features during ZDU include:
- Housekeeping task that are not required for user login or connections are stopped for the duration of the upgrade.
- Creating, updating, and deleting any entries is restricted.
- Updates from external directories will be saved only in system memory: the user may encounter inconsistencies when served by different PrivX Servers. Inconsistencies may also occur when using API endpoints that have changed between versions.
- Explicit secret checkout (for a managed account in target domain) is not supported.
- Triggering password rotation is restricted: Periodic and on-demand password rotation is delayed until PrivX exits maintenance mode.