24.03-RC install long delays
-
@DefenderLLC The last three lines of my console output were
Netgate pfSense Plus 24.03-RC amd64 20240410-1729 Bootup complete Performing automatic boot verification...done. -
@jaltman said in 24.03-RC install long delays:
@DefenderLLC The last three lines of my console output were
Netgate pfSense Plus 24.03-RC amd64 20240410-1729 Bootup complete Performing automatic boot verification...done.I believe that's what mine said too. Just wondering if you were ever prompted in the GUI post-upgrade. I'm guessing that you weren't.
I was not prompted his time.
-
@DefenderLLC I was not prompted
-
To be clear you would only expect to see it if manual verification is set and it isn't by default.
-
@stephenw10 I do not have manual verification enabled
-
@stephenw10 Mine was already enabled for 300 seconds and I was never prompted in the GUI unlike the other 24.03 betas. As I mentioned on the other thread, I could have inadvertently verified it via console (if that's even possible) when I was frantically trying to establish a USB connection.
-
@DefenderLLC I appreciate that you have a different problem than I observed. I would appreciate it if discussion of that problem were held in a separate topic. Thanks.
-
@jaltman said in 24.03-RC install long delays:
@DefenderLLC I appreciate that you have a different problem than I observed. I would appreciate it if discussion of that problem were held in a separate topic. Thanks.
For the record, I also had the same problem as you. 10 minutes install on my 6100 MAX due to package failures. The main difference between our issues is Snort vs Suricata. They both appeared to be exhibiting similar issues during the upgrade.
-
@DefenderLLC Discussion of the delay problem is on topic. Discussion of manual boot verification is not. They are unrelated and hijacking my topic will make it more difficult for Netgate to obtain the necessary details to identify and fix the ordering of the package update process during a pfSense upgrade.
Please create a separate topic for "24.03-RC Manual Boot Verification failure" or something.
Thanks.
-
@jaltman But they MAY be related. I only brought that up to see if you were also not prompted for verification which is probably related to the unusually long install time. The last statement in console log support this theory.
Didn't mean to upset you, but we both have the same exact device experiencing the same exact issues.
-
Repliacted it and opened a bug:
-
@stephenw10 said in 24.03-RC install long delays:
Repliacted it and opened a bug:
Thanks, Steve! This explains it perfectly.
-
I have said it before and will say it again: Those updates for blocklists, DNSBL Feeds, Rule Sets, in short everything pulling from outside sources shouldn't be part of the upgrade process to begin with.
-
@Bob-Dig said in 24.03-RC install long delays:
shouldn't be part of the upgrade process to begin with
I've read somewhere in the past : "Before a pfSense upgrade, remove packages".
I'm not doing that. Most of us don't do that, I guess.
But it would accelerate upgrading for sure. -
That's the safest way to be sure. But it shouldn't normally be required.
-
@Bob-Dig The fetching of remote content are a step during the installation of the package. During an upgrade, the old package versions must be removed and the new package versions installed. This is because the old package binaries are linked against an older set of libraries that might not be present on the upgraded system. For example when the FreeBSD major version is updated as part of the pfSense upgrade.
The pfSense upgrade process isn't explicitly requesting the blocklists, DNSBL Feeds, Rule Sets, etc. Its just that when each package is installed with the prior configuration, it attempts to fetch the remote content required by the configuration.
Leaving the prior packages installed isn't an option. The question is when should packages be re-installed after a pfSense upgrade and the prior configuration is applied. It used to be that pfSense would upgrade, bring the network interfaces online and then begin to apply packages. The downside of this approach is that during the window after the network interfaces are active and the packages are fully re-installed the security posture of the router is incomplete. During that time there is an opportunity for unwanted traffic to pass.
The new Boot Environment upgrade process installs the packages before the network interfaces are configured. The theoretical benefit is that the router won't start with missing functionality. However, when the packages require fetching content as part of the installation this fails. If a security package such as snort, pfblockerng, suricata, etc is installed but doesn't obtain the required remote data, then not only will it fail to function properly when the network interfaces are brought up but its unclear how long it will be before the required data is fetched. For example I believe snort updates every six hours by default.
Perhaps there is a middle ground. @stephenw10, can the WAN interfaces be configured and brought online without the LAN interfaces and then perform the package installation? Doing so would permit the remote content to be obtained without allowing traffic to pass through the router until all of the packages are fully configured.
-
@jaltman Very good points and I like your last suggestion. In my case, I did see that there was a Suricata package update available right before upgrading from the latest 24.03 beta to the RC, but I know it's recommended not to upgrade the packages until the main OS is updated.
From this point forward, if I see that there is a package update and a pfSense update, I'll probably perform that upgrade from the console so I can see the entire upgrade process which is normally done in just a few minutes. I was freaking out when I couldn't get in via SSH or HTTPS after 10 minutes.
-
@jaltman said in 24.03-RC install long delays:
it attempts to fetch the remote content required by the configuration.
And that is problematic, not even related to the problem in this thread.
-
Yes it's an issue anyway beyond the delays noted here, I agree.
-
@stephenw10 said in 24.03-RC install long delays:
Yes it's an issue anyway beyond the delays noted here, I agree.
For instance, ISP "Deutsche Telekom" (known in the US as "T-Mobile", there they are playing the good guy) was blocking some AWS services. And by blocking I mean, they let you start a download but never finish it, it will go on forever.
Now I was a new customer of them, not knowing what they are up to, and was upgrading my pfSense installation. And it always failed or better never finished.
Took me some days to figure this out. I think I connected to my neighbors WiFi to get around this...
Conclusion, only upgrade from content that netgate is hosting or has somewhat under their control and do not pull from everywhere else where some "feed" is hosted.In hindsight I could just upgraded without the packages but I never needed that before so ...
