|
| 1 | +Migrate an existing deployment to FIPS-compliant containers |
| 2 | +============================================================ |
| 3 | + |
| 4 | +.. include:: ../../../_static/badges/all-commercial.rst |
| 5 | + :start-after: :nosearch: |
| 6 | + |
| 7 | +From Mattermost v11, each release ships in two image variants: a standard Enterprise build (``mattermost/mattermost-enterprise-edition``) and a FIPS-compliant build (``mattermost/mattermost-enterprise-fips-edition``). Migrating an existing deployment to the FIPS image is primarily a matter of replacing the image and restarting Mattermost. No data migration is required, and rollback is symmetric. |
| 8 | + |
| 9 | +This guide covers migrating an existing Mattermost Server deployment running on Docker or Kubernetes. FIPS images are only supported for Docker- and Kubernetes-based deployments; Linux package and tarball installations can't be migrated to FIPS in place. |
| 10 | + |
| 11 | +Mattermost's FIPS offering also covers the Mattermost Operator and a self-hosted Push Proxy. Migrating those components is out of scope for this guide. |
| 12 | + |
| 13 | +For background on what the FIPS build is and how it's constructed, see the :doc:`FIPS overview </deployment-guide/server/deploy-containers>`. |
| 14 | + |
| 15 | +Before you begin |
| 16 | +---------------- |
| 17 | + |
| 18 | +1. **Back up your database and configuration.** Always take a full backup before changing the image. See the :doc:`backup and disaster recovery </deployment-guide/backup-disaster-recovery>` documentation. |
| 19 | + |
| 20 | +2. **Confirm your deployment type.** FIPS images are supported on Docker, Docker Compose, and Kubernetes only. If you're running Mattermost from a Linux package or tarball, you can't migrate in place. |
| 21 | + |
| 22 | +3. **Check your Mattermost version.** FIPS images are available from v11.0 onward and use the same release tags as the standard Enterprise images. Plan to migrate to the matching FIPS tag for your current version. |
| 23 | + |
| 24 | +4. **Plan for additional plugins.** The FIPS image includes Boards, Playbooks, and Agents prepackaged and running in FIPS mode. Any additional plugins you've installed will continue to run inside the FIPS image, but they run in non-FIPS mode. This is expected behavior, not a configuration error. |
| 25 | + |
| 26 | +5. **PostgreSQL password length.** Beginning with Mattermost v11.7, the Postgres password used by the Mattermost server must be at least 14 characters when running the FIPS image. If your current password is shorter, rotate it and update the connection string in your Mattermost configuration before migrating. |
| 27 | + |
| 28 | +6. **Plan for downtime.** The migration requires pulling the new image and restarting the Mattermost container or pod. |
| 29 | + |
| 30 | +Migrate a Kubernetes deployment |
| 31 | +------------------------------- |
| 32 | + |
| 33 | +These steps assume your deployment is managed by the Mattermost Operator using a ``Mattermost`` custom resource. |
| 34 | + |
| 35 | +1. Edit the ``Mattermost`` custom resource to point at the FIPS image. You can edit the live resource directly: |
| 36 | + |
| 37 | + .. code-block:: sh |
| 38 | +
|
| 39 | + kubectl edit mattermost <installation-name> |
| 40 | +
|
| 41 | + Or update your manifest file and re-apply it. |
| 42 | + |
| 43 | +2. In ``spec.image``, change the value from ``mattermost/mattermost-enterprise-edition`` to ``mattermost/mattermost-enterprise-fips-edition``. Keep ``spec.version`` aligned with your current release tag. For example: |
| 44 | + |
| 45 | + .. code-block:: yaml |
| 46 | +
|
| 47 | + spec: |
| 48 | + image: mattermost/mattermost-enterprise-fips-edition |
| 49 | + version: 11.6.1 |
| 50 | +
|
| 51 | +3. If you edited a manifest file, apply it: |
| 52 | + |
| 53 | + .. code-block:: sh |
| 54 | +
|
| 55 | + kubectl apply -f <your-mattermost-manifest>.yaml |
| 56 | +
|
| 57 | +4. Watch the rollout to confirm the new pods come up healthy: |
| 58 | + |
| 59 | + .. code-block:: sh |
| 60 | +
|
| 61 | + kubectl rollout status deployment/<installation-name> |
| 62 | +
|
| 63 | +5. Verify the running pods are using the FIPS image: |
| 64 | + |
| 65 | + .. code-block:: sh |
| 66 | +
|
| 67 | + kubectl describe pod <pod-name> | grep Image |
| 68 | +
|
| 69 | +Migrate a Docker or Docker Compose deployment |
| 70 | +--------------------------------------------- |
| 71 | + |
| 72 | +These steps are written for the official `Mattermost Docker deployment <https://github.com/mattermost/docker>`_. If you're using a custom Docker setup, adapt the container and service names accordingly. |
| 73 | + |
| 74 | +1. Stop the Mattermost container: |
| 75 | + |
| 76 | + .. code-block:: sh |
| 77 | +
|
| 78 | + docker compose stop mattermost |
| 79 | +
|
| 80 | +2. Edit ``docker-compose.yml``. In the ``mattermost`` service, change the ``image:`` value from ``mattermost/mattermost-enterprise-edition:<tag>`` to ``mattermost/mattermost-enterprise-fips-edition:<tag>``. Keep the same release tag. For example: |
| 81 | + |
| 82 | + .. code-block:: yaml |
| 83 | +
|
| 84 | + services: |
| 85 | + mattermost: |
| 86 | + image: mattermost/mattermost-enterprise-fips-edition:11.6.1 |
| 87 | +
|
| 88 | +3. Pull the FIPS image: |
| 89 | + |
| 90 | + .. code-block:: sh |
| 91 | +
|
| 92 | + docker compose pull mattermost |
| 93 | +
|
| 94 | +4. Recreate the Mattermost container so the new image is applied: |
| 95 | + |
| 96 | + .. code-block:: sh |
| 97 | +
|
| 98 | + docker compose up -d mattermost |
| 99 | +
|
| 100 | +5. Verify the running container is using the FIPS image: |
| 101 | + |
| 102 | + .. code-block:: sh |
| 103 | +
|
| 104 | + docker inspect mattermost --format '{{.Config.Image}}' |
| 105 | +
|
| 106 | +After migration |
| 107 | +--------------- |
| 108 | + |
| 109 | +1. Confirm Mattermost starts cleanly. Tail the logs and watch for startup errors: |
| 110 | + |
| 111 | + .. code-block:: sh |
| 112 | +
|
| 113 | + kubectl logs -f deployment/<installation-name> |
| 114 | +
|
| 115 | + Or, on Docker: |
| 116 | + |
| 117 | + .. code-block:: sh |
| 118 | +
|
| 119 | + docker compose logs -f mattermost |
| 120 | +
|
| 121 | +2. Sign in and verify core functionality (sending messages, file uploads, search). |
| 122 | + |
| 123 | +3. Confirm the prepackaged plugins (Boards, Playbooks, Agents) load successfully. In the System Console, go to **Plugins > Plugin Management** and confirm they're enabled and healthy. |
| 124 | + |
| 125 | +4. If you have additional plugins installed, confirm they still load. They'll run in non-FIPS mode inside the FIPS image — this is expected. |
| 126 | + |
| 127 | +Roll back |
| 128 | +--------- |
| 129 | + |
| 130 | +If the migration doesn't go as planned, rolling back is symmetric: revert the image reference and redeploy. No data migration is involved. |
| 131 | + |
| 132 | +- **Kubernetes:** Edit the ``Mattermost`` custom resource and change ``spec.image`` back to ``mattermost/mattermost-enterprise-edition``. Re-apply or save, and watch the rollout. |
| 133 | +- **Docker / Docker Compose:** Restore the original ``image:`` value in ``docker-compose.yml`` and run ``docker compose pull mattermost`` followed by ``docker compose up -d mattermost``. |
0 commit comments