Now Available: pfSense® CE 2.8.0-RELEASE

pfFog29

@stephenw10 said in Now Available: pfSense CE 2.8.0-RELEASE:

It should look something like:

Here are some snippets...

find: -delete: unlink(/etc/ssl/certs/cd8c0d63.1): Permission denied
find: -delete: unlink(/etc/ssl/untrusted/157753a5.0): Permission denied
find: -delete: unlink(/etc/ssl/untrusted/861a399d.0): Permission denied
find: -delete: unlink(/etc/ssl/untrusted/f90208f7.0): Permission denied
find: -delete: unlink(/etc/ssl/untrusted/cb59f961.0): Permission denied
find: -delete: unlink(/etc/ssl/untrusted/442adcac.0): Permission denied
find: -delete: unlink(/etc/ssl/untrusted/c47d9980.0): Permission denied
find: -delete: unlink(/etc/ssl/untrusted/0b7c536a.0): Permission denied
find: -delete: unlink(/etc/ssl/untrusted/349f2832.0): Permission denied

...

install: symlink ../../../usr/share/certs/trusted/emSign_ECC_Root_CA_-_G3.pem -> /etc/ssl/certs/14bc7599.0: Permission denied
install: symlink ../../../usr/share/certs/trusted/emSign_Root_CA_-_C1.pem -> /etc/ssl/certs/406c9bb1.0: Permission denied
install: symlink ../../../usr/share/certs/trusted/emSign_Root_CA_-_G1.pem -> /etc/ssl/certs/2923b3f9.0: Permission denied
Scanning /usr/local/share/certs for certificates...
install: symlink ../../../usr/local/share/certs/ca-root-nss.crt -> /etc/ssl/certs/cd8c0d63.0: Permission denied

pfFog29

@SteveITS said in Now Available: pfSense CE 2.8.0-RELEASE:

logged in as “admin?

Yes.

stephenw10

Hmm. Try running it from Diag > Command Prompt in the gui. That should always have the right permissions.

If it still fails try to create any file in the filesystem. Make sure the filesystem is not read-only.

pfFog29

@stephenw10 said in Now Available: pfSense CE 2.8.0-RELEASE:

Try running it from Diag > Command Prompt in the gui.

Running command seems to fail when running "certctl rehash".
pfSense_Command Prompt.jpg

@stephenw10 said in Now Available: pfSense CE 2.8.0-RELEASE:

If it still fails try to create any file in the filesystem. Make sure the filesystem is not read-only.

Sorry, I do not have any idea what your talking about. What filesystem? Where? How would I create?

pfFog29

@stephenw10
I think I figured out part of what you were saying. I uploaded a text file titled "test1.txt". It didn't complain.
"Uploaded file to /tmp/test1.txt."

I have no idea how to check if filesystem is read-only. But I would guess it is not if I was able to upload a file.

pfFog29

@stephenw10
I now realize I put the command in the wrong field for PHP and not Command Prompt. So reentered "certctl rehash" and it showed 3 lines:

Scanning /usr/share/certs/untrusted for certificates...
Scanning /usr/share/certs/trusted for certificates...
Scanning /usr/local/share/certs for certificates...

I think that did do something. The System Update now shows 2.7.1 as latest base system that is available. Previously this was 2.7.0.
So I presume that I should apply that version and then hopefully apply 2.7.2 and then 2.80 will show and I can apply that. I let you know how it goes.

stephenw10

@pfFog29 said in Now Available: pfSense CE 2.8.0-RELEASE:

Running command seems to fail when running "certctl rehash".

That's because it's not a PHP command. Run it in the 'Execute Shell Command' field.

To test the filesystem create a file in /root (for example) by running: touch /root/testfile.txt

Then reboot and check the file is still there.

stephenw10

Ah, missed your reply!

Yes upgrade to whatever it offers you.

That's interesting though. It implies your 'admin' user may not be the default admin user which is the root user.

pfFog29

@stephenw10
I did successfully upgrade to 2.8.0. But I have a comment and question.

Comment: The reason I was 2 iterations behind is because when I login the first thing I see is a widget on the dashboard that "always" says I'm up to date. This is not accurate. It should says there are other releases not applied even if they are not in the current train. Also, it would be great if there was a way to receive an email when there is an update or upgrade available for pfSense.

Question: Is there something I need to do with my certs or users? Its not clear to me what the command "certctl rehash" does. I have only 2 admin, one was built in and the other has all the same rights & privileges as the built in admin but just a different name. Both are members of the admin group. I want to avoid repeating this mess ;-)

Lastly, Thanks for your help.

stephenw10

There was a bug in 2.7.0 that required manually running that before it can connect to check the repos if it was rebooted after the first check.

That is both why it didn't updates and why you couldn't upgrade. Additionally in 2.8 it will report a failure of the connection check rather than just that it hasn't seen an update.

Both are fixed in 2.8. You shouldn't see that going forward.

SteveITS

@pfFog29 said in Now Available: pfSense CE 2.8.0-RELEASE:

great if there was a way to receive an email when there is an update or upgrade available for pfSense.

This comes up occasionally here. Netgate has a email newsletter and blog, or watch https://docs.netgate.com/pfsense/en/latest/releases/index.html. For instance https://docs.netgate.com/pfsense/en/latest/releases/2-7-1.html#troubleshooting. There’s also a dashboard widget to view blog posts IIRC.

jiri.zemanek

@stephenw10 pfSense-repoc -NDJ:

{
    "repos": {
        "repo": [

        ]
    },
    "links": {
        "next": null,
        "previous": null
    },
    "count": 0,
    "messages": [

    ],
    "messages_text": [

    ],
    "pubkey": {
        "type": "RSA",
        "key": "MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA0ww4DLZ1KPhOubCefojk\n+KrkFZ3mvi96AoADnM9ogJ/nykAmAZnAtQeErJyVCQztnKt0OKspHas6grTC4w7O\nt7fw0Lizj2JmY1enA+exmzk2fktY0Bdq1vp+2Y+bZLxdKCs87ocdZtpskC2AbyAf\n48P0pvnr9ueVPO3RotCBUBULAZPr111cHWiDfZbkAQaQ25H9Eh3kcBO7tuwUX0xq\nooDnWzMTPyRX36pczcXu3vqQJwCTvzpozT7D0Qucyf0hwqm3ab4XZmqaIXgjjcj6\nra2tuAIfupXQLZRZnH/hFhqQmBI7UfOVnFLGkZRO1LCQDjSoN3l9Qpiz1o8ARs1r\n94MeSn982worQjdMxvTrGeZSy2mOAexz8c3TH9G5GYN9YSzz4PYYjp0yjgmPfl/6\nSYv7Rp8lEuIklFIjkr3h3gyPi/daIXTZnN8+O3NGc58mfqgQ+kAajQStgnj9kOLZ\noJa3KEie5ravaO961BC9NC6dYJJ5ADl9lznIGfinLxy0TJlstnmavAWbP51lC2F8\newRq0yyJTb+kq7++ZaRHi4xqe7yrkYF/I5gyMR42Heoeq1TQKKiYVkF3X7oWNshq\ntbjaZSOR5ATzTDFehVTDcljBrzeYqIFj0mfgoZ0fIo3QF5iQQcfIOUq/JuFpd0+s\nxWA3MJ4Oq28LRvkMnnVkU40CAwEAAQ=="
    },
    "signature": {
        "type": "RSA",
        "signature": "qel7lnz2U/hrKcuUZUt0sNFNCpzlIo7zXeHWi2wKp4f+xa/yz6J8hjkt56CxuKOym07OSVuYlB5xXaFHLo7koBXpN9cly7Gq2eA4W7xtE5gnaFUluf+pAYam/PlxFcRnVv8WnhGN8NftmO4MLv7BULe+JvFp3I64gzBaogW3fhtNjrleMMQV6jvckJEfh9bcRwnQtdyMcSeruJJWB6XW7mfO60ExbIooY8+x18slqQM5KJlWwm9aKlC4F7xtXRkyNUXn9l1GdRNnlLbXGEomi2rIgQ89iipT8bcG3ZmqkW+F5s4NkdcM6sGiN9yr0ZEAWsEW7Ul2lc1t1y8g+i3px/HawsITsmTkvJP7g0Yi8QxLx9SJb5GeiZVi2S4nIh+FcQahMgSzkGeQdm+oD0L+mhT7z80VhkcWIxGYNPqJO6U300rmSIiEiC3bRAMHE6FaZ3eQZhtBFCqYQeTLDfxfwGJmP6kRSVbHwmoo0qjaXchXvsLbo84xTmIXerQZMBbXEOzFzO8sTAlk5KLlKKvMApvWAtIHsQaCLmgXAAiiQD60rmR4fRfag8neHHDtvoJQ8nrsKctx7em36MBWJuvvQnHO9w7BWwhXOTdjzTQJQW1UAv8g5cXynIEsayo7wS0igEXLFZn92UwJ5k00QPE4oaDjfzXvs9BXr8ia8rgOjVM=",
        "key_signed": "repos.repo"
    }
}

I am not running it in Azure, but even if I did I do not see how this should be relevant. I can connect to the instance over SSH/HTTPS so why it would not see a repository?

Anyway, I am not allowed to burn my time on this anymore, sorry.
As I can't even make clean install to work properly, I do not have confidence the software is up to the task I meant it for (I have working PoC on linux, unfortunately without any GUI :-/ )

stephenw10

Hmm, so it's actually sending you an empty repos list.

If you can send me the NDI from that in chat I can try to check what the server end is doing.

What does the output from repoc show for the 'Model'? Is it incorrectly showing Azure? If so that's something I'd very much like to fix.

Sissy

The upgrade went smoothly, but the thermal dashboard widget has an issue on my system with an Intel N100 CPU:

As the image shows, the Core temperature bar graphs are using the Zone Warning and Zone Critical to set their color coding. I mucked around with various values for Warning and Critical in both Zone and Core and only the "Core Warning and Core Critical values influence the bar graph colors.

The full sensor names are:

dev.cpu.0.temperature
dev.cpu.1.temperature
dev.cpu.2.temperature
dev.cpu.3.temperature
hw.acpi.thermal.tz0.temperature

Is this a bug or have I done something wrong?

Sissy

#ff2600CORRECTION:

As the image shows, the Core temperature bar graphs are using the Zone Warning and Zone Critical to set their color coding. I mucked around with various values for Warning and Critical in both Zone and Core and only the "~~Core~~ Zone Warning and ~~Core~~ Zone Critical values influence the bar graph colors.

stephenw10

Hmm, OK I see here. Digging....

stephenw10

Just to be clear you didn't see this in 2.7.2 with the same hardware?

stephenw10

Yeah, I see how this is failing. And would always have failed.

https://redmine.pfsense.org/issues/16266

Sissy

@stephenw10 said in Now Available: pfSense CE 2.8.0-RELEASE:

Yeah, I see how this is failing. And would always have failed.

https://redmine.pfsense.org/issues/16266

Sorry for my delay in replying. Working through the 2.8.0 update process today pushed the cores well above where I had the Zone Warning set. That's probably why this problem only today caught my eye.

Thank you for so quickly jumping on this and determining the root cause. I see that you've targeted the fix for 2.9.0, which I fear could be a long way off. Is there any chance of creating a patch for 2.8.0 sometime in the next few months? I mean that as a humble ask, not an entitled demand.

stephenw10

Yup you can test the patch if you're able to:

1231.diff