<resolved>Can't Install FreeRadius2 After Update</resolved>

reggie14

Well, at least I'm not the only one…

One reason it is particularly annoying is that after I try to install freeradius2, I can't install/update any other packages until I restart the box.  Until then, I just get a "not_ready" message when I try to update something.

cmb

Hm, that's not happening here. Full or nanobsd? 32 or 64 bit?

reggie14

@cmb:

Hm, that's not happening here. Full or nanobsd? 32 or 64 bit?

Hmmm… That's not what I want to hear...

I'm running full, AMD64.  As I said above, this was a clean install initially (on a new SSD), but I immediately restored a 2.2.4 backup config that had freeradius installed.

reggie14

Is there a way to get more detailed information about what's hanging during the custom_php _install_command?  And would it make sense to do some sort of manual uninstall of freeradius?  I'm not sure what that would be, other than finding deleting it's files… But without knowing what's causing the installer to hang I'm a bit reluctant to do that.

PiBa

What you could try is something opening a ssh session, then go to option '12) pfSense developer shell' and paste the following code in there, this is most of the code ran from the custom_php _install_command procedure..:
Assuming all 'files' are present this should be able to run from there..

include('freeradius.inc');
echo "1";
// We create here different folders for different counters.
@mkdir("/var/log/radacct/datacounter/daily", 0755, true);
@mkdir("/var/log/radacct/datacounter/weekly", 0755, true);
@mkdir("/var/log/radacct/datacounter/monthly", 0755, true);
@mkdir("/var/log/radacct/datacounter/forever", 0755, true);
@mkdir("/var/log/radacct/timecounter", 0755, true);
@mkdir(FREERADIUS_ETC . "/raddb/scripts", 0755, true);

echo "2";
unlink_if_exists("/usr/local/etc/raddb");
@symlink(FREERADIUS_ETC . "/raddb", "/usr/local/etc/raddb");
if (!file_exists("/var/log/radutmp")) { exec("touch /var/log/radutmp");	}
if (!file_exists("/var/log/radwtmp")) {	exec("touch /var/log/radwtmp");	}
exec("chown -R root:wheel " . FREERADIUS_ETC . "/raddb /var/log/radacct");
if (file_exists($frlib))
	exec("chown -R root:wheel {$frlib}");

echo "3";
// creating a backup file of the original policy.conf no matter if user checked this or not
if (!file_exists(FREERADIUS_ETC . "/raddb/policy.conf.backup")) {
	log_error("FreeRADIUS: Creating backup of the original file to " . FREERADIUS_ETC . "/raddb/policy.conf.backup");
	copy(FREERADIUS_ETC . "/raddb/policy.conf", FREERADIUS_ETC . "/raddb/policy.conf.backup");
}

echo "4";
// creating a backup file of the original /modules/files no matter if user checked this or not
if (!file_exists(FREERADIUS_ETC . "/raddb/files.backup")) {
	log_error("FreeRADIUS: Creating backup of the original file to " . FREERADIUS_ETC . "/raddb/files.backup");
	copy(FREERADIUS_ETC . "/raddb/modules/files", FREERADIUS_ETC . "/raddb/files.backup");
}

echo "5";
// Disable virtual-server we do not need by default
if (file_exists(FREERADIUS_ETC . "/raddb/sites-enabled/control-socket")) { unlink(FREERADIUS_ETC . "/raddb/sites-enabled/control-socket"); }
if (file_exists(FREERADIUS_ETC . "/raddb/sites-enabled/inner-tunnel")) { unlink(FREERADIUS_ETC . "/raddb/sites-enabled/inner-tunnel"); }

echo "6";
// We run this here just to suppress some warnings on syslog if file doesn't exist
freeradius_authorizedmacs_resync();

echo "7a";
// These two functions create the module and the dictionary entry for Mobile-One-Time-Password
freeradius_dictionary_resync();
echo "7b";
freeradius_modulesmotp_resync();

echo "8a";
// Here we create the modules and scripts for the datacounter
freeradius_modulesdatacounter_resync();
echo "8b";
freeradius_datacounter_acct_resync();
echo "8c";
freeradius_datacounter_auth_resync();

echo "9a";
// Some initial module configuration
freeradius_modulesmschap_resync();
echo "9b";
freeradius_modulesrealm_resync();
echo "9c";
freeradius_modulescounter_resync();

echo "10a";
// Initialize some config files - the functions below call other functions
freeradius_sqlconf_resync();
echo "10b";
freeradius_eapconf_resync();
echo "10c";
freeradius_clients_resync();
echo "10d";
freeradius_modulesldap_resync();
exec

Then see what report back what numbers are printed, that should provide some info about which command might be hanging..

reggie14

@PiBa:

What you could try is something opening a ssh session, then go to option '12) pfSense developer shell' and paste the following code in there, this is most of the code ran from the custom_php _install_command procedure..:
Assuming all 'files' are present this should be able to run from there..

include('freeradius.inc');
echo "1";
// We create here different folders for different counters.
@mkdir("/var/log/radacct/datacounter/daily", 0755, true);
@mkdir("/var/log/radacct/datacounter/weekly", 0755, true);
@mkdir("/var/log/radacct/datacounter/monthly", 0755, true);
@mkdir("/var/log/radacct/datacounter/forever", 0755, true);
@mkdir("/var/log/radacct/timecounter", 0755, true);
@mkdir(FREERADIUS_ETC . "/raddb/scripts", 0755, true);

echo "2";
unlink_if_exists("/usr/local/etc/raddb");
@symlink(FREERADIUS_ETC . "/raddb", "/usr/local/etc/raddb");
if (!file_exists("/var/log/radutmp")) { exec("touch /var/log/radutmp");	}
if (!file_exists("/var/log/radwtmp")) {	exec("touch /var/log/radwtmp");	}
exec("chown -R root:wheel " . FREERADIUS_ETC . "/raddb /var/log/radacct");
if (file_exists($frlib))
	exec("chown -R root:wheel {$frlib}");

echo "3";
// creating a backup file of the original policy.conf no matter if user checked this or not
if (!file_exists(FREERADIUS_ETC . "/raddb/policy.conf.backup")) {
	log_error("FreeRADIUS: Creating backup of the original file to " . FREERADIUS_ETC . "/raddb/policy.conf.backup");
	copy(FREERADIUS_ETC . "/raddb/policy.conf", FREERADIUS_ETC . "/raddb/policy.conf.backup");
}

echo "4";
// creating a backup file of the original /modules/files no matter if user checked this or not
if (!file_exists(FREERADIUS_ETC . "/raddb/files.backup")) {
	log_error("FreeRADIUS: Creating backup of the original file to " . FREERADIUS_ETC . "/raddb/files.backup");
	copy(FREERADIUS_ETC . "/raddb/modules/files", FREERADIUS_ETC . "/raddb/files.backup");
}

echo "5";
// Disable virtual-server we do not need by default
if (file_exists(FREERADIUS_ETC . "/raddb/sites-enabled/control-socket")) { unlink(FREERADIUS_ETC . "/raddb/sites-enabled/control-socket"); }
if (file_exists(FREERADIUS_ETC . "/raddb/sites-enabled/inner-tunnel")) { unlink(FREERADIUS_ETC . "/raddb/sites-enabled/inner-tunnel"); }

echo "6";
// We run this here just to suppress some warnings on syslog if file doesn't exist
freeradius_authorizedmacs_resync();

echo "7a";
// These two functions create the module and the dictionary entry for Mobile-One-Time-Password
freeradius_dictionary_resync();
echo "7b";
freeradius_modulesmotp_resync();

echo "8a";
// Here we create the modules and scripts for the datacounter
freeradius_modulesdatacounter_resync();
echo "8b";
freeradius_datacounter_acct_resync();
echo "8c";
freeradius_datacounter_auth_resync();

echo "9a";
// Some initial module configuration
freeradius_modulesmschap_resync();
echo "9b";
freeradius_modulesrealm_resync();
echo "9c";
freeradius_modulescounter_resync();

echo "10a";
// Initialize some config files - the functions below call other functions
freeradius_sqlconf_resync();
echo "10b";
freeradius_eapconf_resync();
echo "10c";
freeradius_clients_resync();
echo "10d";
freeradius_modulesldap_resync();
exec

Then see what report back what numbers are printed, that should provide some info about which command might be hanging..

Thanks!

It reported back: 1234567a7b8a8b8c9a9b9c10a10b10c10d

PiBa

After that did it return to the "pfSense shell:", or did it hang after showing 10d ? perhaps try the short version?:

include('freeradius.inc');
echo "10d";
freeradius_modulesldap_resync();
echo "10e";
// not testing writing a new rc file..
echo "10f";
start_service("radiusd");
echo "10g";
exec

If those succeed as well then i'm running out of ideas..

reggie14

The previous commands did give me back a pfsense shell.

The shorter version does give me an error, though:

pfSense shell: include('freeradius.inc');
pfSense shell: echo "10d";
pfSense shell: freeradius_modulesldap_resync();
pfSense shell: echo "10e";
pfSense shell: // not testing writing a new rc file..
pfSense shell: echo "10f";
pfSense shell: start_service("radiusd");
pfSense shell: echo "10g";
pfSense shell: exec

Fatal error: Cannot redeclare freeradius_deinstall_command() (previously declared in /usr/local/pkg/freeradius.inc:61) in /usr/local/pkg/freeradius.inc on line 61

Call Stack:
    0.0021     214952   1\. {main}() /usr/local/sbin/pfSsh.php:0
 6181.5320    1690296   2\. playback_text() /usr/local/sbin/pfSsh.php:243
 6181.5322    1693576   3\. eval('require_once('functions.inc');
require_once('globals.inc');
require_once('config.inc');
include('freeradius.inc');
echo "10d";
freeradius_modulesldap_resync();
echo "10e";
// not testing writing a new rc file..
echo "10f";
start_service("radiusd");
echo "10g";

') /usr/local/sbin/pfSsh.php:345

PHP ERROR: Type: 1, File: /usr/local/pkg/freeradius.inc, Line: 61, Message: Cannot redeclare freeradius_deinstall_command() (previously declared in /usr/local/pkg/freeradius.inc:61)

That one gave me an error.

I should note that I ran this after trying to reinstall freeradius with the package manager.  But oddly, I only get this when I run the shorter version.  The longer one still completes.

PiBa

Um you should start a 'fresh' developer shell, or not include the include command the second time during the same developer shell session ;) sorry..

On the other hand, if you deinstalled freeradius, the freeradius.inc should nolonger be on the system, and thus throw a 'cannot find file' error..

reggie14

@PiBa:

Um you should start a 'fresh' developer shell, or not include the include command the second time during the same developer shell session ;) sorry..

Sorry, I didn't know.  With a fresh shell, the commands complete, and return me to a pfsense shell with the following output:

10d10e10f10g

@PiBa:

On the other hand, if you deinstalled freeradius, the freeradius.inc should nolonger be on the system, and thus throw a 'cannot find file' error..

I can't seem to deinstall freeradius.  At least, freeradius.inc is still present in /usr/local/pkg (along with the config files), and the service is still running (and working).

PiBa

Sorry im kinda out of options. I dont see any reason why initially the custom_php_install_command did not work.
But now you cant uninstall either.?

I would say while its 'working' don't break it further. If you can clone the machine into a vm or something it would be interesting to try and find the underlying cause further.

What does the uninstall log show when trying to remove the package.?.

reggie14

@PiBa:

What does the uninstall log show when trying to remove the package.?.

Well, the package manager says it isn't installed, so I can't uninstall it.  Is there a manual way to do it? Or is there a log tucked away somewhere I should be looking at?

I've thought about removing/renaming radiusd, but is that likely to make thing worse?

I don't particularly want to rebuild the system again…  It wasn't a smooth process to begin with, and I don't really see what I could do differently this time around. I guess I could remove freeradius from my config file, but is that likely to screw things up?

As a side note, pfsense doesn't seem to gracefully handle missing plugins when you restore a config file.  When I did my ill-fated upgrade, it seemed to recognize things like ntop didn't exist, but when I did the clean install, followed by a restore, I have a bunch of references to missing plugins all over the place.  I can clean them out manually, by removing them from the config.xml, but it seems strange that I had to do that.

Edit:
I tried renaming radiusd and rebooting.  I still wasn't able to successfully install the freeradius2 package, but I did notice that the installer did create radiusd before it hung.

I also tried reinstalling all the packages.  As far as I could tell, it didn't even try to reinstall freeradius2.

reggie14

This is still a problem…  and I'd really like to be able to update the freeradius package when there are updates.

So, barring new ideas on how to fix my current installation, what would I need to do to rebuild it?  I already tried reinstalling packages- that didn't work.  I'm guessing restoring a backup config is unlikely to work, too.  So would I need to do a new clean install?  That's what I initially did.  Is there something I should do to limit the chances this would happen again.  I'd really like to restore my current radius configuration, since I have a bunch of users and clients configured.

PiBa

What shows up if you run? (should show two packages.):

pkg info | grep freeradius

Or try installing it again from command line.?:

pkg install -F pfSense-pkg-freeradius2

reggie14

@PiBa:

What shows up if you run? (should show two packages.):

pkg info | grep freeradius

Nothing shows up.  It doesn't see freeradius installed.

@PiBa:

Or try installing it again from command line.?:

pkg install -F pfSense-pkg-freeradius2

It completes, and brings me back to a shell, but it still doesn't actually install freeradius.  Here's the output:

[2.3-RC][admin@pfsense]/root: pkg install -F pfSense-pkg-freeradius2
Updating pfSense-core repository catalogue...
pkg install -F pfSense-pkg-freeradius2
pfSense-core repository is up-to-date.
Updating pfSense repository catalogue...
pfSense repository is up-to-date.
All repositories are up-to-date.
Checking integrity... done (0 conflicting)
The following 6 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
        pfSense-pkg-freeradius2: 1.7.3_1 [pfSense]
        bash: 4.3.42_1 [pfSense]
        freeradius: 2.2.9 [pfSense]
        krb5: 1.14 [pfSense]
        pkgconf: 0.9.12_1 [pfSense]
        postgresql93-client: 9.3.11 [pfSense]

The process will require 22 MiB more space.

Proceed with this action? [y/N]: Please type 'Y[es]' or 'N[o]' to make selection

Proceed with this action? [y/N]: y

reggie14

So, I was able to fix my problem tonight!  The problem was me trying to restore a backup configuration that had packages installed and enabled.  Notably, I was running pfblocker-ng, snort, and freeradius2.  Complicating matters, that was the only backup config I  had.  Now I know better.

With BBcan177's help, I was able to get my pfSense box partially running after restoring my backup configuration, then I disabled packages, took a new backup, and did another clean install and config restore.  Once I did that, the restore process went much smoother.

I should also note that I installed the freeradius2 package before I restored my backup configuration.  I don't know if that was critical to getting the package to install, but it seemed prudent, given the problems I've had with it.

I'm not sure about the cause, but I can speculate a bit.  Because pfblocker-ng was enabled in my backup config, various things were broken as the config and package restoration process started.  Notably, unbound wouldn't start, due to missing pfblocker-ng files, and my firewall rules were screwed up. As a result, my pfSense box couldn't download packages.  But, as far as I can tell, the base pfSense build must include radiusd (and ran it with the config pulled out of my config.xml), which seemed to leave my pfSense box partially thinking the package had already been installed, and partially knowing otherwise.

By installing freeradius2 first, before restoring my old config, and by ensuring that most packages were disabled in that config, everything went well.

dlasher

Was having this same problem, multiple devices, and doing a force from the CLI resolved it.

pkg install -F pfSense-pkg-freeradius2