Upgrade Guide
Upgrade procedures for the Nefia CLI and agents, including rolling updates and rollback.
Overview
Nefia upgrades are performed on both the CLI (operator side) and the agent (target PC side). All binaries are verified with Ed25519 signatures, ensuring that tampered binaries are never applied.
CLI Upgrade
Automatic Update
Use the nefia update command to update to the latest version:
nefia updateChecking for updates... Updated successfully: v1.0.0 -> v1.1.0
The update process:
- Fetches the latest version information from the update server
- Downloads the new binary
- Verifies the Ed25519 signature
- Replaces the current binary
Check for Updates Only
To check for a new version without installing:
nefia update --checkUpdate available: v1.0.0 -> v1.1.0 Run 'nefia update' to apply the update.
Update Notifications
Nefia checks for new versions in the background during command execution and displays a notification when an update is available. This notification is not shown for the update and version commands.
Manual Update
If automatic updates are not available (e.g., dev builds):
- Download the latest binary from the Releases page
- Replace the existing binary
- Verify the version:
bash
nefia version
Agent Upgrade
There are two methods for upgrading agents.
Method 1: Remote Update (Pull-based)
The agent pulls the latest version from its own update server. This is the recommended method for large-scale environments.
# Update agents on all hosts to the latest version
nefia agent update --host "all"
# Specific host only
nefia agent update --host my-server
# Specify a particular version
nefia agent update --host my-server --version v1.1.0This command performs the following:
- Enables auto-update in the remote
agent.yaml - (When
--versionis specified) Sets the pinned version - Restarts the agent service to trigger an update check
Method 2: Operator Push (Push-based)
Pushes the binary directly from the operator. This is for environments where the update server is not available.
nefia agent upgrade --host my-server
nefia agent upgrade --host my-server --agent-dir /path/to/binariesRolling Upgrade
When upgrading a large number of hosts at once, use --batch-size or --batch-percent to perform the upgrade in stages:
# Upgrade 5 hosts at a time
nefia exec --host "all" --batch-size 5 "sudo systemctl restart nefia-agent"
# 20% of all hosts at a time
nefia exec --host "all" --batch-percent 20 "sudo systemctl restart nefia-agent"Auto-Update Configuration
Auto-update can be configured in the agent's agent.yaml:
update:
enabled: true
interval: "1h" # Check interval (default: value of --auto-update-interval flag)
pinned_version: "" # Pin to a specific version (empty = latest)
auto_rollback: true # Automatic rollback on failureOr configure via flags when starting the agent:
nefia-agent run --auto-update-interval 24hMCP Tools
Agent management tools available via MCP:
| Tool | Description |
|---|---|
nefia.agent.status | Check agent health and version across the fleet. |
nefia.agent.upgrade | Upgrade agents on target hosts with automatic rollback on failure. |
nefia.agent.pin | Pin a host's agent to a specific version, preventing auto-updates. |
Version Pinning
You can pin an agent to a specific version to prevent unintended updates:
# Pin to a version (version is a positional argument)
nefia agent pin v1.0.5 --host my-server
# Unpin
nefia agent unpin --host my-serverWhile pinned, even if auto-update runs, the agent will not be updated to any version other than the pinned one.
Rollback
Automatic Rollback
When auto_rollback: true is set in agent.yaml, automatic rollback is performed if an update fails.
How automatic rollback works:
The current binary is backed up as a .bak file before the update
After applying the new binary, the expected version is recorded in a marker file
On agent restart, the version is verified. If there is a mismatch, automatic rollback is performed from the .bak file
After a successful rollback, the agent automatically restarts
Manual Rollback
If automatic rollback is not available:
Download or prepare the previous version binary
Stop the agent service:
# Linux
sudo systemctl stop nefia-agent
# macOS
sudo launchctl unload /Library/LaunchDaemons/com.nefia.agent.plistReplace the binary:
# Linux / macOS
sudo cp /path/to/previous/nefia-agent /usr/local/bin/nefia-agent
sudo chmod +x /usr/local/bin/nefia-agentRestart the agent service:
# Linux
sudo systemctl start nefia-agent
# macOS
sudo launchctl load /Library/LaunchDaemons/com.nefia.agent.plistSignature Verification
All updates are verified with Ed25519 digital signatures.
| Platform | Additional Signatures |
|---|---|
| macOS | Apple Developer ID + Notarization |
| Windows | DigiCert Authenticode (HSM) |
| All platforms | Ed25519 |
To check version information and signatures:
nefia versionnefia 1.1.0 commit: abc1234 built: 2026-03-10T12:00:00Z go: go1.25.0 os/arch: darwin/arm64
Configuration Compatibility
After an upgrade, the configuration format of nefia.yaml or agent.yaml may change.
Automatic Configuration Migration
In general, new versions maintain backward compatibility with older configuration formats. New configuration fields operate with default values.
Post-Upgrade Verification
After upgrading, verify configuration integrity with nefia doctor:
nefia doctorIf a configuration validation error (E4001) occurs, check the latest configuration format in the Configuration Reference.
Upgrade Best Practices
- Run
nefia doctorbefore upgrading -- Identify any existing issues - Verify in a test environment first -- Test before rolling out to production
- Gradual rollout -- Deploy incrementally with
--batch-percent - Enable auto-rollback -- Update safely with
auto_rollback: true - Run
nefia doctoragain after upgrading -- Confirm there are no issues
Next Steps
Diagnose and resolve common issues, including post-upgrade problems.
A complete reference for all configuration options.
Initial installation procedures for the Nefia CLI and agent.