Stay organized with collections
Save and categorize content based on your preferences.
This page describes the steps to update and patch your Google Distributed Cloud (GDC) air-gapped appliance device.
Prepare for the upgrade
Make sure you meet the requirements listed in this section before the upgrade.
Before you begin
Review the Laptop prerequisites to ensure that the laptop you use for the update and
patch upgrades meets physical specifications and other requirements.
You must first complete the following actions regarding the gdcloud command-line interface (CLI) tools:
Copy the update to the air-gapped environment, using your USB drive.
Copy both the downloader script and the gdch directory that you downloaded to your USB drive in step 1 to the upgrade machine in the air-gapped environment.
In the upgrade machine, verify the contents and extract the files using the same information you used to download the package. For example, the following code copies the package to the /root directory.
Upgrades the appliance software and firmware, including:
GDC root-admin cluster.
GDC services.
The operating systems (OSes) of physical and virtual nodes.
The switch.
Storage
The command drives the updates in sequence, and waits for each step to complete. After completing the steps and if the upgrade is successful, you see a message similar to the following:
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-04 UTC."],[[["\u003cp\u003eThis guide provides step-by-step instructions on how to update and patch a Google Distributed Cloud (GDC) air-gapped appliance device.\u003c/p\u003e\n"],["\u003cp\u003eBefore beginning the update, users must download, install, upgrade, and authenticate the \u003ccode\u003egdcloud\u003c/code\u003e command-line interface (CLI) tools, as well as ensure that their upgrade machine and appliance meet specific requirements.\u003c/p\u003e\n"],["\u003cp\u003eThe update process involves configuring access to the GDC, transferring necessary artifacts to the upgrade machine, and then executing the \u003ccode\u003egdcloud appliance upgrade\u003c/code\u003e command, which will handle several processes including preflight checks, network setup, authentication, and pushing artifacts to the artifact registry.\u003c/p\u003e\n"],["\u003cp\u003eAfter the appliance software and firmware are upgraded, users will also need to upgrade the firmware version of servers, which involves preparing the firmware URL and updating both iLO firmware and BIOS.\u003c/p\u003e\n"],["\u003cp\u003eTo successfully run the upgrades, the user must be granted the predefined role of Upgrade Debugger by the Organization IAM Admin.\u003c/p\u003e\n"]]],[],null,["# Update and patch device\n\nThis page describes the steps to update and patch your Google Distributed Cloud (GDC) air-gapped appliance device.\n\nPrepare for the upgrade\n-----------------------\n\nMake sure you meet the requirements listed in this section before the upgrade.\n\n### Before you begin\n\nReview the [Laptop prerequisites](/distributed-cloud/hosted/docs/latest/appliance/install/device-prerequisites) to ensure that the laptop you use for the update and\npatch upgrades meets physical specifications and other requirements.\n\nYou must first complete the following actions regarding the `gdcloud` command-line interface (CLI) tools:\n\n1. [Download](/distributed-cloud/hosted/docs/latest/appliance/resources/gdcloud-download) the `gdcloud` CLI tools.\n2. [Install](/distributed-cloud/hosted/docs/latest/appliance/resources/gdcloud-install) the `gdcloud` CLI tools.\n3. [Upgrade](/distributed-cloud/hosted/docs/latest/appliance/resources/gdcloud-upgrade) the `gdcloud` CLI tools as required.\n4. Ensure the [`docker-credential-gdcloud`](/distributed-cloud/hosted/docs/latest/appliance/infrastructure/io-operations-30/push-container-image#before-you-begin) is present.\n\n### Transfer the artifacts to the upgrade machine\n\nYou must have access to the Cloud Storage bucket.\n\nFollow these steps to transfer the artifacts to the laptop you use for the update and patch upgrades:\n\n1. Download the package based on the selected patch version:\n\n VERSION=\u003cx.x.x-gdch.yyy\u003e\n RELEASE_SUFFIX=\"_te\"\n DOWNLOADER=gdch-downloader-prod${RELEASE_SUFFIX}-$VERSION.sh\n gcloud storage cp \"gs://$GCS_BUCKET/$VERSION/$DOWNLOADER\" .\n gcloud storage cp \"gs://$GCS_BUCKET/$VERSION/${DOWNLOADER}.sig\" .\n\n PUBLIC_KEY=$(cat \u003c\u003c-PUBEND\n -----BEGIN PUBLIC KEY-----\n MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEn46iVSyFXsvuKLZ4dVOr2AqlXDnR\n 5cKztkpraexHDxn/ozq03EvrdkRmZkSACFfcaEFyitpraidgAx8sPjvzXQ==\n -----END PUBLIC KEY-----\n PUBEND\n )\n echo \"${PUBLIC_KEY}\" \u003e \"key.pub\"\n DOWNLOADER=gdch-downloader-${PRODUCT}-$VERSION.sh\n\n gcloud storage cp \"gs://${GCS_BUCKET:-private-cloud-release}/$VERSION/$DOWNLOADER*\" .\n openssl dgst -sha256 -verify \"key.pub\" -signature \"${DOWNLOADER}.sig\" ${DOWNLOADER} && chmod +x $DOWNLOADER && ./$DOWNLOADER --skip-unzip\n\n This command fetches the update package and the downloader script to the current directory, for example, `/home/download`.\n2. Run `tree -L 3 /home/download`.\n\n Example output: \n\n /home/download\n ├── gdch\n │ └── x.x.x-gdch.x\n │ ├── bootstrapper\n │ │ ├── bootstrapper.iso\n │ │ └── bootstrapper.iso.sig\n │ ├── gdch-prod_te-x.x.x-gdch.x-sbom.tar.gz\n │ ├── gdch-prod_te-x.x.x-gdch.x-sbom.tar.gz.sig\n │ ├── prod_te_gdch.tar.gz\n │ └── prod_te_gdch.tar.gz.sig\n ├── gdch-downloader-prod_te-x.x.x-gdch.x.sh\n ├── gdch-downloader-prod_te-x.x.x-gdch.x.sh.1.sig\n ├── gdch-downloader-prod_te-x.x.x-gdch.x.sh.sig\n └── key.pub\n\n3. Copy the update to the air-gapped environment, using your USB drive.\n\n Copy both the downloader script and the `gdch` directory that you downloaded to your USB drive in [step 1](#download-pkg-step) to the upgrade machine in the air-gapped environment.\n4. In the upgrade machine, verify the contents and extract the files using the same information you used to download the package. For example, the following code copies the package to the `/root` directory.\n\n Unpack the package: \n\n VERSION=x.x.x-gdch.x\n PRODUCT=prod_te\n DOWNLOADER=gdch-downloader-${PRODUCT}-$VERSION.sh\n openssl dgst -sha256 -verify \"key.pub\" -signature \"${DOWNLOADER}.sig\" ${DOWNLOADER} && chmod +x $DOWNLOADER && ./$DOWNLOADER --skip-download\n\n The package is unpacked at the `/root/gdch/full-release-x.x.x-gdch.x` path.\n5. Confirm that the version matches the one that you set in VERSION:\n\n /root/gdch/full-release-x.x.x-gdch.x/gdcloud version\n\n Sample output: \n\n gdcloud version: 1.14.4-gdch.0\n\n | **Note:** From here on, all CLI commands must use the gdcloud binary from the recently downloaded artifacts.\n\nAuthenticate\n------------\n\nTo authenticate with your configured identity provider and request a kubeconfig file for your user identity and cluster, see [Authenticate](/distributed-cloud/hosted/docs/latest/appliance/resources/gdcloud-auth).\n\n1. [Sign in](/distributed-cloud/hosted/docs/latest/appliance/platform/pa-user/iam/sign-in) and request the following [roles](/distributed-cloud/hosted/docs/latest/appliance/platform/pa-user/iam/set-up-role-bindings#gdcloud):\n\n - Upgrade Appliance Admin\n - System Artifact Management Admin\n - System Artifact Management Secrets Admin\n - DNS Suffix Viewer\n - System Artifact Registry Monitor\n2. Configure the docker:\n\n gdcloud auth configure-docker\n\nStart the upgrade\n-----------------\n\nGo through the following steps to start the appliance upgrade: \n\n gdcloud appliance upgrade \n\nSee [`gdcloud appliance upgrade`](/distributed-cloud/hosted/docs/latest/appliance/resources/gdcloud-reference/gdcloud-appliance-upgrade) for more information.\n\nThe command runs the following steps:\n\n1. Runs the preflight checks on the upgrade machine.\n2. Runs the preflight checks for OTS storage\n3. Pushes the artifacts to the artifact registry.\n4. Upgrades the appliance software and firmware, including:\n 1. GDC root-admin cluster.\n 2. GDC services.\n 3. The operating systems (OSes) of physical and virtual nodes.\n 4. The switch.\n 5. Storage\n\nThe command drives the updates in sequence, and waits for each step to complete. After completing the steps and if the upgrade is successful, you see a message similar to the following: \n\n The GDC appliance upgrade completed successfully"]]