open-vault/website/pages/docs/upgrading/plugins.mdx

---
layout: docs
page_title: Upgrading Plugins - Guides
sidebar_title: Upgrade Plugins
description: These are general upgrade instructions for Vault plugins.
---

# Upgrading Vault Plugins

The following procedure details steps for upgrading a plugin that has already
been registered to the catalog on a running server. This procedure is applicable
to secret, auth, and database plugins.

## Upgrade Procedure

Vault executes plugin binaries when they are configured and roles are established
around them. The binary cannot be modified or replaced while running, so
upgrades cannot be performed by simply swapping the binary and updating the hash
in the plugin catalog.

Instead, you can restart or reload a plugin with the
`sys/plugins/reload/backend` [API][plugin_reload_api]. Follow these steps to
replace or upgrade a Vault plugin binary:

1. Register plugin_v1 to the catalog
2. Mount the plugin backend
3. Register plugin_v2 to the catalog under the same plugin name, but with
   updated command to run plugin_v2 and updated sha256 of plugin_v2
4. Trigger a plugin reload with `sys/plugins/reload/backend` to reload all
   mounted backends using that plugin or a subset of the mounts using that plugin
   with either the `plugin` or `mounts` parameter respectively.

Until step 4, the mount will still use plugin_v1, and when the reload is
triggered, Vault will kill plugin_v1’s process and start a plugin_v2 process.

-> **Important:** Plugin reload of a new plugin binary must be
performed on each Vault instance. Performing a plugin upgrade on a single
instance or through a load balancer can result in mismatched
plugin binaries within a cluster.

[plugin_reload_api]: /api/system/plugins-reload-backend
-												docs: add section on upgrading plugins (#7984)

* docs: add section on upgrading plugins

* docs: move plugin upgrade to its own guides page

* docs: reword step 4

* docs: add page to sidebar

											
										
										
											2019-12-10 18:15:01 +00:00
+								---
-												New Website! (#8154)

* new documentation website

* ci job adjustment

* update to latest version on downloads page

* remove transition-period scripts

* add netlify toml file

* fix docs patch

* fix ci config?

* revert go.mod changes

* a couple last markdown formatting fixes

											
										
										
											2020-01-18 00:18:09 +00:00
+								layout: docs
 								page_title: Upgrading Plugins - Guides
 								sidebar_title: Upgrade Plugins
 								description: These are general upgrade instructions for Vault plugins.
-												docs: add section on upgrading plugins (#7984)

* docs: add section on upgrading plugins

* docs: move plugin upgrade to its own guides page

* docs: reword step 4

* docs: add page to sidebar

											
										
										
											2019-12-10 18:15:01 +00:00
+								---
 								# Upgrading Vault Plugins
 								The following procedure details steps for upgrading a plugin that has already
 								been registered to the catalog on a running server. This procedure is applicable
 								to secret, auth, and database plugins.
 								## Upgrade Procedure
 								Vault executes plugin binaries when they are configured and roles are established
 								around them. The binary cannot be modified or replaced while running, so
 								upgrades cannot be performed by simply swapping the binary and updating the hash
 								in the plugin catalog.
 								Instead, you can restart or reload a plugin with the
 								`sys/plugins/reload/backend` [API][plugin_reload_api]. Follow these steps to
 								replace or upgrade a Vault plugin binary:
 . Register plugin_v1 to the catalog
 . Mount the plugin backend
 . Register plugin_v2 to the catalog under the same plugin name, but with
-												New Website! (#8154)

* new documentation website

* ci job adjustment

* update to latest version on downloads page

* remove transition-period scripts

* add netlify toml file

* fix docs patch

* fix ci config?

* revert go.mod changes

* a couple last markdown formatting fixes

											
										
										
											2020-01-18 00:18:09 +00:00
+								   updated command to run plugin_v2 and updated sha256 of plugin_v2
-												docs: add section on upgrading plugins (#7984)

* docs: add section on upgrading plugins

* docs: move plugin upgrade to its own guides page

* docs: reword step 4

* docs: add page to sidebar

											
										
										
											2019-12-10 18:15:01 +00:00
+. Trigger a plugin reload with `sys/plugins/reload/backend` to reload all
-												New Website! (#8154)

* new documentation website

* ci job adjustment

* update to latest version on downloads page

* remove transition-period scripts

* add netlify toml file

* fix docs patch

* fix ci config?

* revert go.mod changes

* a couple last markdown formatting fixes

											
										
										
											2020-01-18 00:18:09 +00:00
+								   mounted backends using that plugin or a subset of the mounts using that plugin
 								   with either the `plugin` or `mounts` parameter respectively.
-												docs: add section on upgrading plugins (#7984)

* docs: add section on upgrading plugins

* docs: move plugin upgrade to its own guides page

* docs: reword step 4

* docs: add page to sidebar

											
										
										
											2019-12-10 18:15:01 +00:00
 								Until step 4, the mount will still use plugin_v1, and when the reload is
 								triggered, Vault will kill plugin_v1’s process and start a plugin_v2 process.
-												New Website! (#8154)

* new documentation website

* ci job adjustment

* update to latest version on downloads page

* remove transition-period scripts

* add netlify toml file

* fix docs patch

* fix ci config?

* revert go.mod changes

* a couple last markdown formatting fixes

											
										
										
											2020-01-18 00:18:09 +00:00
+								-> **Important:** Plugin reload of a new plugin binary must be
 								performed on each Vault instance. Performing a plugin upgrade on a single
 								instance or through a load balancer can result in mismatched
 								plugin binaries within a cluster.
-												Docs: Add note about needing to do plugin reload on each node (#8108)

* Add note about needing to do this on each node

Specifically calling this out will heed off operators doing this on a single node and thinking it is a bug that it didn't propagate to the other nodes, secondaries, etc.

* Updated to reflect not needing to do registration on each

											
										
										
											2020-01-09 00:09:41 +00:00
-												[website] Link Cleaning (#8205)

* update dependencies

* remove hard-coded vaultproject.io on local links

* remove 'index.html' from internal links

* remove '.html' at end of internal links

* manual review cleanup

Co-authored-by: Calvin Leung Huang <cleung2010@gmail.com>

											
										
										
											2020-01-22 20:05:41 +00:00
+								[plugin_reload_api]: /api/system/plugins-reload-backend