I decided to upgrade my Elasticsearch installation over 3 nodes - following the documentation in Rolling Upgrades

After the initial steps:

curl -XPUT 'localhost:9200/_cluster/settings?pretty' -H 'Content-Type: application/json' -d'
{
  "transient": {
    "cluster.routing.allocation.enable": "none"
  }
}'
curl -XPOST 'localhost:9200/_flush/synced?pretty'

I upgraded elkserver1 with:

root@elkserver1:~# service elasticsearch stop
root@elkserver1:~# apt-get install elasticsearch
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages were automatically installed and are no longer required:
  linux-headers-4.4.0-53 linux-headers-4.4.0-53-generic linux-headers-4.4.0-57 linux-headers-4.4.0-57-generic
  linux-image-4.4.0-53-generic linux-image-4.4.0-57-generic linux-image-extra-4.4.0-53-generic
  linux-image-extra-4.4.0-57-generic
Use 'sudo apt autoremove' to remove them.
The following packages will be upgraded:
  elasticsearch
1 upgraded, 0 newly installed, 0 to remove and 63 not upgraded.
Need to get 33.4 MB of archives.
After this operation, 236 kB of additional disk space will be used.
Get:1 https://artifacts.elastic.co/packages/5.x/apt stable/main amd64 elasticsearch all 5.2.0 [33.4 MB]
Fetched 33.4 MB in 3s (9,591 kB/s)
(Reading database ... 218942 files and directories currently installed.)
Preparing to unpack .../elasticsearch_5.2.0_all.deb ...
Unpacking elasticsearch (5.2.0) over (5.1.1) ...
Processing triggers for systemd (229-4ubuntu13) ...
Processing triggers for ureadahead (0.100.0-19) ...
Setting up elasticsearch (5.2.0) ...

Configuration file '/etc/elasticsearch/elasticsearch.yml'
 ==> Modified (by you or by a script) since installation.
 ==> Package distributor has shipped an updated version.
   What would you like to do about it ?  Your options are:
    Y or I  : install the package maintainer's version
    N or O  : keep your currently-installed version
      D     : show the differences between the versions
      Z     : start a shell to examine the situation
 The default action is to keep your current version.
*** elasticsearch.yml (Y/I/N/O/D/Z) [default=N] ?
Installing new version of config file /etc/elasticsearch/jvm.options ...
Installing new version of config file /usr/lib/systemd/system/elasticsearch.service ...
Installing new version of config file /etc/init.d/elasticsearch ...
Processing triggers for systemd (229-4ubuntu13) ...
Processing triggers for ureadahead (0.100.0-19) ...
root@elkserver1:~# service elasticsearch start

But it did not start - looking at the log I found:

[2017-02-07T19:56:57,523][ERROR][o.e.b.Bootstrap          ] Exception
java.lang.IllegalArgumentException: Plugin [x-pack] is incompatible with Elasticsearch [5.2.0]. Was designed for version [5.1.1]
	at org.elasticsearch.plugins.PluginInfo.readFromProperties(PluginInfo.java:108) ~[elasticsearch-5.2.0.jar:5.2.0]
	at org.elasticsearch.plugins.PluginsService.getPluginBundles(PluginsService.java:292) ~[elasticsearch-5.2.0.jar:5.2.0]
	at org.elasticsearch.plugins.PluginsService.<init>(PluginsService.java:131) ~[elasticsearch-5.2.0.jar:5.2.0]
	at org.elasticsearch.node.Node.<init>(Node.java:297) ~[elasticsearch-5.2.0.jar:5.2.0]
	at org.elasticsearch.node.Node.<init>(Node.java:232) ~[elasticsearch-5.2.0.jar:5.2.0]
	at org.elasticsearch.bootstrap.Bootstrap$6.<init>(Bootstrap.java:241) ~[elasticsearch-5.2.0.jar:5.2.0]
	at org.elasticsearch.bootstrap.Boots

DOH - Read the fucking manual - Step 4: Upgrade any plugins

 

So I removed and added the X-Pack again:

root@elkserver1:/usr/share/elasticsearch# bin/elasticsearch-plugin remove x-pack
root@elkserver1:/usr/share/elasticsearch# bin/elasticsearch-plugin install x-pack
-> Downloading x-pack from elastic
[=================================================] 100%
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@     WARNING: plugin requires additional permissions     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
* java.lang.RuntimePermission accessClassInPackage.com.sun.activation.registries
* java.lang.RuntimePermission getClassLoader
* java.lang.RuntimePermission setContextClassLoader
* java.lang.RuntimePermission setFactory
* java.security.SecurityPermission createPolicy.JavaPolicy
* java.security.SecurityPermission getPolicy
* java.security.SecurityPermission putProviderProperty.BC
* java.security.SecurityPermission setPolicy
* java.util.PropertyPermission * read,write
* java.util.PropertyPermission sun.nio.ch.bugLevel write
* javax.net.ssl.SSLPermission setHostnameVerifier
See http://docs.oracle.com/javase/8/docs/technotes/guides/security/permissions.html
for descriptions of what these permissions allow and the associated risks.

Continue with installation? [y/N]

And restarted Elasticsearch, and It cam up alright.

After a short while, elkserver3 and elkserver2 got the same (x-pack excluded) - between node upgrades went aproximatly 10 minutes.

And then I enabled Shard allocation again:

curl -XPUT 'localhost:9200/_cluster/settings?pretty' -H 'Content-Type: application/json' -d'
{
  "transient": {
    "cluster.routing.allocation.enable": "all"
  }
}'

During the entire upgrade, Cluster health was either red or yellow - and I was somewhat concerned about the state of everything in the cluster.

But it came back to green and the number of unassigned shards went towards a nice 0 (zero)

This actually costed me some data loss... first of all, after rebooting my elkserver1, the filebeat service did not start and I did not realized this for 2 days.

Before that realization, searching is the "syslog-*" index gave me "Courier Fetch: X of 5 shards failed" and looking at the Shards from the Upgrade time and onwards for the syslog-* index, size was closed to 0.

I never found the reason, but ended up deleting the "closed to 0 ones" in Kibana with "DELETE /syslog-dd.mm.yyyy" and then everything worked again. The X-Pack could be a possibility, but all other index'es works and have worked fine the entire time.

Also, the "Courier Fetch: X of 5 shards failed" is a common problem it seems, when googling it.

But I should have closed all Logstash instances before the upgrade....