2.4.5 Update Caution
-
@link470 said in 2.4.5 Update Caution:
same install?!
Basically, yes. Changed the hardware ones, in 2011, I guess.
In the beginning, I thought that I 'understood' the system. So, I blew it up several times, and had to learn that I had keeping on learning. I became pretty good at applying the Phoenix concept. These days I use two systems, the second in a VM, so I don't have to mess around with my 'main' system, which is a company router. I'm using some FreeBSD packages that are not from pfSense, like nano ^^ and Munin. -
@Gertjan said in 2.4.5 Update Caution:
This is the list of packages I use :
Avahi, acme, Cron, FreeRadius3, Notes, Nut, openvpn-client-export, pfBlockerNG-devel, Shellcmd and System_Patches.
Updated two system : it went perfectly well.
edit : I didn't remove any packages.
Again : was updating from 2.4.4-p3.r.2020.03xx1500 - the latest RC, not the stock 2.4.4-p3.I've been using nearly every 2.4.5 RC version before, so I knew my up-to-date packeges worked fine 'yesterday'.
If you are using a mission critical system : just wait, visit this forum for possible future issues, give it a week or so, or more, these are strange times. Use a spare system to clone your setup and look yourself for issues. Then swap. If issues, you're back to a working situation with the swap of a cable.
Always :
Get a config.xml copy.
Clean (using GUI) reboot your pfSense.
Check principal logs for any after-reboot-issues.
Check main services of your pfSense. This could be as easy as 'Internet is fine' up until huge HAProxy web farm systems. TEST !
Then hit the update button.
When the system says it's rebooting, copy the entire green GUI log for later inspection, so you can spot any error messages if needed.Also :
Have a console up and running all the time. Or, at least, know you can have one up and running when needed.
Take 5 minutes, build a bootable USB key with freshly downloaded pfSense version.
Or, for VM guys : hit that 'backup' button.I'm updating since 1.x, somewhere from 2005 / 2006 ? (15 years
)Nice, thanks for the detailed response. When you say clean reboot, so just reboot pfsense before the upgrade?
-
@kevindd992002 said in 2.4.5 Update Caution:
so just reboot pfsense before the upgrade?
Yep.
This raises the chance that I - we all - can find issues that already existed before the upgrade, and need to be resolved first. -
@kevindd992002 said in 2.4.5 Update Caution:
Do not update packages before upgrading pfSense!** Either
What they mean by that is exactly what they stated, don't look in the package manager and see oh there is an update to package XYZ, update it.. Then see oh there is update to pfsense and update the whole thing.
The problem that can happen is that new packages come out, meant for 2.4.5, but if your not actually on 2.4.5 you run into an issue, etc.
I just updated my sg4860 without any issues, and didn't touch the packages.. and have quite a few installed. Upgrade went fine..
You can quite often just click upgrade... But on the off chance there is an issue, don't say you weren't warned ;) With any update of any system you should always have media available for clean install, and current backup of your config..
-
@johnpoz Oh ok, that makes much more sense now! Thanks for the clarification.
-
Unfortunately, I took the package updates not knowing that 2.4.5 was even out. There has to be a better way to prevent package updating if these packages are not meant for the current release. So far all is working fine on 2.4.4p3 and I am inclined to wait a few days until the dust settles. Keeping fingers crossed.
-
@revengineer said in 2.4.5 Update Caution:
Unfortunately, I took the package updates not knowing that 2.4.5 was even out
Like the red light on the dashboard that lights up when oil is low and you still start the car and drive away ?
To use "package update", you have to pass by the pfSense dashboard ..... and true, it wasn't red .... but blue (green ?)I saw Youtube proposing me a video of a guy called Lawrence mentioning the "2.4.5 is here".
Entering the GUI, I saw :
True, it wasn't flashing neither printed in red.
(but 'some of us' were waiting for it ....)Btw : 2.4.5 'core' looks really good.
If there is an issue, then it would be with one of these huge packages that root deeply in the system.
If you have none, go upgrade, you'll be fine. Now or over one week, the code stays the same. -
To be honest I don't think there was any even out or that have been updated... Its a warning from when moved to 2.4 from 2.3 or 2.2. to 2.3 - a while back is my point ;)
Guess then there were new packages updated. And users still on old version updated to them, etc..
I do believe they worked on splitting the repositories up to prevent such a thing from happening again.
None of the packages I have showed any updates before 2.4.5 dropped or after.. Its not the before that could get you it could be the later..
Scenario... Your one of those users that has your head in the sand and doesn't pay attention to what is released or not released just completely oblivious to the software your using as your router and firewall. Not like its important or anything, bet you have the latest bleeding edge version of super game X you play and latest tweaks on your over clocked graphics card so you can get 0.3 fps more, etc. . But when it comes to your security software - meh it works! Who cares if version is 3 years old ;)
few weeks from now, your tooling around pfsense, ie don't know trying to figure out how to make sure you don't have any dns leaks <rolleyes> and you not paying any attention to the big update available info right there in the main system widget.. Maybe you have it turned off, or maybe you turn off checking for updates??? And you happen to land in package manager and there you notice hey look at that xyz has an update, or gee look at that package let me try that out..
And you update something, now 3 weeks later you figure out oh shit look at that new version is out - and update..
It shouldn't be an issue.. But if they didn't mention it, there would be that one user - why didn't you tell me the safety was off on that gun... Now I went and shot myself in the foot - and its your fault sort of people..
-
Yeah, that warning was added to the update notes when PHP was updated across a major version. Almost every package had to be updated and then were dependent on the new php version. Whew the new version went live the new packages also did and if you installed them into a system with the old php version bad things happened! Until you updated at least. It was ugly!
I am not aware of any such issues with the step from 2.4.4p3 to 2.4.5. I've updated numerous systems with packages installed and did not see an issue.
However the safest option is always to uninstall packages first or install clean restore the old config.
Steve
-
FYI. There is at least one freshly updated package that has an issue on 2.4.4_p3 but not on 2.4.5. That package is Snort. The
libpcaplibrary in FreeBSD 11.3 (which is what pfSense-2.4.5 is based on) has a different internal library dependency that is NOT satisfied on pfSense-2.4.4_p3. Found that out yesterday from a poster having a problem after updating Snort on pfSense-2.4.4_p3. There are no issues on pfSense-2.5 DEVEL either, just on 2.4.4_p3. Unfortunately that did not shake out during my pre-release testing. The newer Snort binary worked fine there for me on my test VM.So as has been stated in this thread, when new pfSense versions are released, update to the lastest pfSense FIRST, and only then update any installed packages (or let the upgrade update the packages for you when it installs). So as @johnpoz cautioned, pay attention and follow the pfSense updates!
-
Mmm, we are now investigating an issue with Suricata too. The version 5 package should not be installed in 2.4.4p3 but is shown as available.
Steve
-
@bmeeks Snort is one of the packages I updated yesterday to v3.2.9.10_2 on pfSense 2.4.4p3. I see no obvious issues. Did I understand correctly that this is problematic? If so, can I revert to the previous version?
-
@revengineer said in 2.4.5 Update Caution:
@bmeeks Snort is one of the packages I updated yesterday to v3.2.9.10_2 on pfSense 2.4.4p3. I see no obvious issues. Did I understand correctly that this is problematic? If so, can I revert to the previous version?
No, if you updated and it started, then it must be okay for you. The issue would prevent it from even starting. At least it did for me on a VM when I tested shortly after the first report. Maybe the supporting library got updated on the repository ???. I haven't checked that out, though.
-
@stephenw10 said in 2.4.5 Update Caution:
Mmm, we are now investigating an issue with Suricata too. The version 5 package should not be installed in 2.4.4p3 but is shown as available.
Steve
There are two different "current" versions of Suricata out there, one for each pfSense architecture type (amd64/aarch64 and armv6/armv7). This is because of the upstream decision to use Rust and make it a runtime requirement. There is currently no way to build Rust for armv6 or armv7 hardware, thus a Suricata binary that needs Rust can't run on those hardware platforms. So there is a suricata4 binary in the repositories that is based on Suricata v4.1.7, and that binary along with an accompanying custom PHP package should show up for armv6 and armv7 machines. The Suricata 5.0.2 binary must have a runtime Rust package available for the hardware platform, so that binary is now limited to just the amd64 and aarch64 hardware repositories.
Renato was going to use some under-the-hood magic to make all this work.
-
@bmeeks said in 2.4.5 Update Caution:
Renato was going to use some under-the-hood magic to make all this work.
Exactly, and that part works fine. If you had Suricata installed (4.1.7) and you update to 2.4.5 you will end up either in 5.0.2 or 4.1.7_1 depending on the architecture.
However it looks like currently if you're running 2.4.4p3 you may see the 5.0.2 package but you should not update to that before upgrading to 2.4.5.Steve
-
@stephenw10 said in 2.4.5 Update Caution:
@bmeeks said in 2.4.5 Update Caution:
Renato was going to use some under-the-hood magic to make all this work.
Exactly, and that part works fine. If you had Suricata installed (4.1.7) and you update to 2.4.5 you will end up either in 5.0.2 or 4.1.7_1 depending on the architecture.
However it looks like currently if you're running 2.4.4p3 you may see the 5.0.2 package but you should not update to that before upgrading to 2.4.5.Steve
Gotcha
I so wish Suricata upstream would lose their current fascination with Rust.
-
@stephenw10 said in 2.4.5 Update Caution:
I am not aware of any such issues with the step from 2.4.4p3 to 2.4.5. I've updated numerous systems with packages installed and did not see an issue.
Thank you Steve, these is good to know. In the pandemic, I am doing critical work from home and I cannot afford to screw up my internet right now. It looks like I will be able to continue using my current configuration until at least next weekend when any major issues should be apparent.
-
@bmeeks Thank you. My system including snort are definitely working. That's good enough for me in the near term, no need for me to understand why it's working.
-
@johnpoz said in 2.4.5 Update Caution:
None of the packages I have showed any updates before 2.4.5 dropped or after.. Its not the before that could get you it could be the later..
The following packages showed updates yesterday that did not show 2 days ago when I last checked: squid, squiguard, snort, iperf.
Scenario... Your one of those users that has your head in the sand and doesn't pay attention to what is released or not released just completely oblivious to the software your using as your router and firewall. Not like its important or anything, bet you have the latest bleeding edge version of super game X you play and latest tweaks on your over clocked graphics card so you can get 0.3 fps more, etc. . But when it comes to your security software - meh it works! Who cares if version is 3 years old ;)
few weeks from now, your tooling around pfsense, ie don't know trying to figure out how to make sure you don't have any dns leaks <rolleyes> and you not paying any attention to the big update available info right there in the main system widget.. Maybe you have it turned off, or maybe you turn off checking for updates??? And you happen to land in package manager and there you notice hey look at that xyz has an update, or gee look at that package let me try that out..
And you update something, now 3 weeks later you figure out oh shit look at that new version is out - and update..
This scenario does not apply to me... at all... not a single sentence applies to my situation.
-
