Suricata Uninstalled on Updates?

Lurick

@SteveITS That is correct, it does the uninstall but never the reinstall, I have to manually do that.
No later log entry until I went in to manually install via the GUI.

SteveITS

@Lurick Do other pfSense packages reinstall OK?

Lurick

@SteveITS Yes, all the rest I have installed come back just fine which is what I find most odd

SteveITS

@Lurick said in Suricata Uninstalled on Updates?:

@SteveITS Yes, all the rest I have installed come back just fine which is what I find most odd

@bmeeks may have some insight. We don't normally run dev versions.

bmeeks

@SteveITS said in Suricata Uninstalled on Updates?:

@bmeeks may have some insight. We don't normally run dev versions.

I have no clue. The Suricata package itself is not in charge of the automated removal nor the reinstall. It's up to pfSense to make the calls to the pkg utility to accomplish these tasks. I don't know what process is being used within pfSense to do this.

Lurick

@SteveITS or @bmeeks
Hmmm, any chance you might know of a good place to check for logs to see if I can narrow things down a bit?
It's a bit difficult when watching the VM console to get anything so wasn't sure if there might be a log file saved somewhere I'm missing.

bmeeks

Everything related to package removals and installs is logged in the pfSense system log so far as I am aware.

Lurick

@bmeeks Werid, yah basically what I posted earlier is all I see in the logs =/

Lurick

@bmeeks Is it possibly due to the fact that 7.0.0 Suricata isn't released and is still in preview or whatever it's called?
I know 6.0 was the latest available for 23.05 before I upgraded so just wondering.

bmeeks

@Lurick said in Suricata Uninstalled on Updates?:

@bmeeks Is it possibly due to the fact that 7.0.0 Suricata isn't released and is still in preview or whatever it's called?
I know 6.0 was the latest available for 23.05 before I upgraded so just wondering.

No, there would be no relation to Suricata 7.0.0 being available in the snapshots branch.

Lurick

@bmeeks Dang, I was hoping that might have something to do with it, kind of at a loss then. Still happening even with the beta branch now.

bmeeks

@Lurick said in Suricata Uninstalled on Updates?:

@bmeeks Dang, I was hoping that might have something to do with it, kind of at a loss then. Still happening even with the beta branch now.

I will test this today in my RELEASE virtual environment. I do not currently have a functioning DEVEL snapshots virtual environment, so I can't test there.

But if this were a widespread problem, I would expect to be seeing a ton of posts here about it.

bmeeks

@Lurick said in Suricata Uninstalled on Updates?:

@bmeeks Dang, I was hoping that might have something to do with it, kind of at a loss then. Still happening even with the beta branch now.

I just tested this on a 2.7.0 CE virtual machine and was unable to reproduce your stated issue. I installed, removed, and then reinstalled the Suricata 6.0.13 package and did not lose any of the previous configuration data.

Are you sure your GLOBAL SETTINGS tab has this option checked as shown below?

I do not currently have a functional DEVEL snapshot testing environment, so I can't test the 23.09 beta snapshots.

Lurick

@bmeeks Yah, keep settings is there so I can reinstall Suricata after updating between builds and it restores all the settings no issue there at least.

bmeeks

@Lurick said in Suricata Uninstalled on Updates?:

@bmeeks Yah, keep settings is there so I can reinstall Suricata after updating between builds and it restores all the settings no issue there at least.

Okay, maybe I'm confused or misunderstood your initial post. I thought you meant anytime you removed and reinstalled the package it lost the configuration. Your statement I quoted above contradicts that.

So do you mean that only when doing an update to pfSense itself you lose the configuration? If so, describe exactly what you mean by "losing the configuration". Do all the Suricata interfaces disappear? Or do you really mean Suricata is not appearing under the SERVICES menu? If the latter, that simply means the reinstall is either not happening, is not finished, or started and bailed out. I would expect something to be logged in the pfSense system log in any of those events.

Never mind -- went back and read the whole thread again and realized I confused this one with something else. I have no idea why pfSense is removing the package and then failing to reinstall.

The only possibility is it needs more time. How long have you waited to see if it would do anything on its own?

Lurick

@bmeeks Good point, I've only waited a couple minutes after the GUI came back.
I'll give it about 10 minutes next time and see if anything happens :)

Lurick

Waited 30 minutes after upgrade today and still no install :(

SteveITS

@Lurick I don't know if this is helpful but if WAN wasn't connected, or IPv6, or DNS, or something, the package (re)install might try and fail. Though, I'd think that would affect all packages.

Usually I follow the upgrade guide and uninstall at least "big" packages like Suricata and pfBlocker, though I leave things like OpenVPN export or System Patches for the system to reinstall.

Have you upgraded to the 23.09 beta that was released this weekend?

bmeeks

@Lurick said in Suricata Uninstalled on Updates?:

Waited 30 minutes after upgrade today and still no install :(

Hmmm... I don't know. As I said, I do not currently have a Plus snapshot testing environment and thus cannot check that out.

I would assume there are some other Suricata users running the devel snapshots, though. If it is a generic pfSense Plus issue I would expect additional complaints from other users to be showing up.

I do now recall why pfSense automatically removes and reinstalls the packages. It was in response to an old issue where with certain operating system updates you needed to install the packages that were compiled under the new OS kernel version. It's a long story, but there were scenarios where the package itself needed no updates, so its version remained the same. But the OS did get an update and some of the shared libraries used by a package may have changed. In that instance, the package would need recompiling with the new shared library. A forced-remove and reinstall of packages was then needed in those cases to pull in the package compiled with the new OS kernel and shared libraries, otherwise the existing package installation would fail to start properly with the new shared library after the OS update.

This forced remove and reinstall is technically only really needed if the underlying OS version in pfSense is updated (that is, a new kernel version is included). Some pfSense update that only provides fixes in PHP code, for example, would not need the forced remove and reinstall. But maybe for simplicity the team decided to do the package forced update for all pfSense updates ???

Lurick

@SteveITS Interesting, WAN is definitely connected although I've got a Dual Stack environment but never had issues going from say 23.01 to 23.05 or 23.05 to 23.05.01 either. I just installed the latest build from this morning and same issue sadly. I did also upgrade to the beta released this weekend as well but no change.