2.4.5 Update Caution

kevindd992002

So I was reading this article and saw this caution:

**Do not update packages before upgrading pfSense!** Either remove all packages or do not update packages before running the upgrade.

The update seems to be vague at best (no offense meant). I upgraded to 2.4.5 just now and it was successful. What does it really mean? I have my packages all up-to-date every single time. It was a couple of days ago since my last freeradius package update. Technically, that is "before" I update to 2.4.5. So does that mean I'm screwed? Are you saying that all packages should be out-of-date before I ran the update? I've read the message over and over and I really don't understand what it means.

Anyone can help? Thanks.

mrsunfire

I have the same question. Just updated my packages yesterday and want to upgrate to 2.4.5 today.

chpalmer

Just remove your packages before you upgrade. Follow the guide- https://docs.netgate.com/pfsense/en/latest/install/upgrade-guide.html

kevindd992002

Or "leave the packages alone" as the guide says. What does "do not upgrade packages before the upgrade" really mean? I've updated to several releases without ever removing any of my packages.

link470

Heh, I see what the OP means for sure; definitely a bit confusing. The documentation says:

The safest practice is to remove all packages before upgrading pfSense to a new release. The upgrade process will reinstall packages afterward

Oh neat, sounds like the upgrade process automatically reinstalls those packages that I removed before the upgrade, after the upgrade. Great!

To ensure a smooth upgrade, note the installed packages, remove them, perform the upgrade, and then reinstall necessary packages.

Oh...wait so I'm doing that manually now? It's hard to tell if that's an automated process or not; those 2 things seem to contradict each other in the same paragraph. The only thing I can assume is that by "The upgrade process will reinstall packages afterward", what they really mean is "while following these upgrade procedures, one of the steps you'll be performing is reinstalling packages afterwards".

kevindd992002

What I "assume" with that section in the guide is that it will only reinstall the packages after the update IF you don't remove them.

If you do remove them manually (which is more recommended), you need to reinstall them manually, which sucks :(

chpalmer

"The safest practice is to remove all packages before upgrading pfSense to a new release."

"The upgrade process will reinstall packages afterward,(if you choose to not uninstall them) but packages are frequently a source of problems."

Or could be written- If you decide not to uninstall the packages before upgrading they will be reinstalled as the installer finishes. But the packages are a frequent source of problems.

"To ensure a smooth upgrade, note the installed packages, remove them, perform the upgrade, and then reinstall necessary packages."

link470

@chpalmer
"but packages are frequently a source of problems."

Ah. That but is indeed important. Makes sense now!

kevindd992002

What kind of "problems" are we risking if we choose not to uninstall them before the upgrade? The ones I use are these:

Gertjan

This is the list of packages I use :

Avahi, acme, Cron, FreeRadius3, Notes, Nut, openvpn-client-export, pfBlockerNG-devel, Shellcmd and System_Patches.

Updated two system : it went perfectly well.
edit : I didn't remove any packages.
Again : was updating from 2.4.4-p3.r.2020.03xx1500 - the latest RC, not the stock 2.4.4-p3.

I've been using nearly every 2.4.5 RC version before, so I knew my up-to-date packeges worked fine 'yesterday'.

If you are using a mission critical system : just wait, visit this forum for possible future issues, give it a week or so, or more, these are strange times. Use a spare system to clone your setup and look yourself for issues. Then swap. If issues, you're back to a working situation with the swap of a cable.

Always :
Get a config.xml copy.
Clean (using GUI) reboot your pfSense.
Check principal logs for any after-reboot-issues.
Check main services of your pfSense. This could be as easy as 'Internet is fine' up until huge HAProxy web farm systems. TEST !
Then hit the update button.
When the system says it's rebooting, copy the entire green GUI log for later inspection, so you can spot any error messages if needed.

Also :
Have a console up and running all the time. Or, at least, know you can have one up and running when needed.
Take 5 minutes, build a bootable USB key with freshly downloaded pfSense version.
Or, for VM guys : hit that 'backup' button.

I'm updating since 1.x, somewhere from 2005 / 2006 ? (15 years )

link470

@Gertjan

I'm updating since 1.x, somewhere from 2005 / 2006 ? (15 years )

Whoa, same install?!

Gertjan

@link470 said in 2.4.5 Update Caution:

same install?!

Basically, yes. Changed the hardware ones, in 2011, I guess.
In the beginning, I thought that I 'understood' the system. So, I blew it up several times, and had to learn that I had keeping on learning. I became pretty good at applying the Phoenix concept. These days I use two systems, the second in a VM, so I don't have to mess around with my 'main' system, which is a company router. I'm using some FreeBSD packages that are not from pfSense, like nano ^^ and Munin.

kevindd992002

@Gertjan said in 2.4.5 Update Caution:

This is the list of packages I use :

Avahi, acme, Cron, FreeRadius3, Notes, Nut, openvpn-client-export, pfBlockerNG-devel, Shellcmd and System_Patches.

Updated two system : it went perfectly well.
edit : I didn't remove any packages.
Again : was updating from 2.4.4-p3.r.2020.03xx1500 - the latest RC, not the stock 2.4.4-p3.

I've been using nearly every 2.4.5 RC version before, so I knew my up-to-date packeges worked fine 'yesterday'.

If you are using a mission critical system : just wait, visit this forum for possible future issues, give it a week or so, or more, these are strange times. Use a spare system to clone your setup and look yourself for issues. Then swap. If issues, you're back to a working situation with the swap of a cable.

Always :
Get a config.xml copy.
Clean (using GUI) reboot your pfSense.
Check principal logs for any after-reboot-issues.
Check main services of your pfSense. This could be as easy as 'Internet is fine' up until huge HAProxy web farm systems. TEST !
Then hit the update button.
When the system says it's rebooting, copy the entire green GUI log for later inspection, so you can spot any error messages if needed.

Also :
Have a console up and running all the time. Or, at least, know you can have one up and running when needed.
Take 5 minutes, build a bootable USB key with freshly downloaded pfSense version.
Or, for VM guys : hit that 'backup' button.

I'm updating since 1.x, somewhere from 2005 / 2006 ? (15 years )

Nice, thanks for the detailed response. When you say clean reboot, so just reboot pfsense before the upgrade?

Gertjan

@kevindd992002 said in 2.4.5 Update Caution:

so just reboot pfsense before the upgrade?

Yep.
This raises the chance that I - we all - can find issues that already existed before the upgrade, and need to be resolved first.

johnpoz

@kevindd992002 said in 2.4.5 Update Caution:

Do not update packages before upgrading pfSense!** Either

What they mean by that is exactly what they stated, don't look in the package manager and see oh there is an update to package XYZ, update it.. Then see oh there is update to pfsense and update the whole thing.

The problem that can happen is that new packages come out, meant for 2.4.5, but if your not actually on 2.4.5 you run into an issue, etc.

I just updated my sg4860 without any issues, and didn't touch the packages.. and have quite a few installed. Upgrade went fine..

You can quite often just click upgrade... But on the off chance there is an issue, don't say you weren't warned ;) With any update of any system you should always have media available for clean install, and current backup of your config..

kevindd992002

@johnpoz Oh ok, that makes much more sense now! Thanks for the clarification.

revengineer

Unfortunately, I took the package updates not knowing that 2.4.5 was even out. There has to be a better way to prevent package updating if these packages are not meant for the current release. So far all is working fine on 2.4.4p3 and I am inclined to wait a few days until the dust settles. Keeping fingers crossed.

Gertjan

@revengineer said in 2.4.5 Update Caution:

Unfortunately, I took the package updates not knowing that 2.4.5 was even out

Like the red light on the dashboard that lights up when oil is low and you still start the car and drive away ?
To use "package update", you have to pass by the pfSense dashboard ..... and true, it wasn't red .... but blue (green ?)

I saw Youtube proposing me a video of a guy called Lawrence mentioning the "2.4.5 is here".
Entering the GUI, I saw :

True, it wasn't flashing neither printed in red.
(but 'some of us' were waiting for it ....)

Btw : 2.4.5 'core' looks really good.
If there is an issue, then it would be with one of these huge packages that root deeply in the system.
If you have none, go upgrade, you'll be fine. Now or over one week, the code stays the same.

johnpoz

To be honest I don't think there was any even out or that have been updated... Its a warning from when moved to 2.4 from 2.3 or 2.2. to 2.3 - a while back is my point ;)

Guess then there were new packages updated. And users still on old version updated to them, etc..

I do believe they worked on splitting the repositories up to prevent such a thing from happening again.

None of the packages I have showed any updates before 2.4.5 dropped or after.. Its not the before that could get you it could be the later..

Scenario... Your one of those users that has your head in the sand and doesn't pay attention to what is released or not released just completely oblivious to the software your using as your router and firewall. Not like its important or anything, bet you have the latest bleeding edge version of super game X you play and latest tweaks on your over clocked graphics card so you can get 0.3 fps more, etc. . But when it comes to your security software - meh it works! Who cares if version is 3 years old ;)

few weeks from now, your tooling around pfsense, ie don't know trying to figure out how to make sure you don't have any dns leaks <rolleyes> and you not paying any attention to the big update available info right there in the main system widget.. Maybe you have it turned off, or maybe you turn off checking for updates??? And you happen to land in package manager and there you notice hey look at that xyz has an update, or gee look at that package let me try that out..

And you update something, now 3 weeks later you figure out oh shit look at that new version is out - and update..

It shouldn't be an issue.. But if they didn't mention it, there would be that one user - why didn't you tell me the safety was off on that gun... Now I went and shot myself in the foot - and its your fault sort of people..

stephenw10

Yeah, that warning was added to the update notes when PHP was updated across a major version. Almost every package had to be updated and then were dependent on the new php version. Whew the new version went live the new packages also did and if you installed them into a system with the old php version bad things happened! Until you updated at least. It was ugly!

I am not aware of any such issues with the step from 2.4.4p3 to 2.4.5. I've updated numerous systems with packages installed and did not see an issue.

However the safest option is always to uninstall packages first or install clean restore the old config.

Steve