2.4.5 Update Caution
-
@kevindd992002 said in 2.4.5 Update Caution:
Do not update packages before upgrading pfSense!** Either
What they mean by that is exactly what they stated, don't look in the package manager and see oh there is an update to package XYZ, update it.. Then see oh there is update to pfsense and update the whole thing.
The problem that can happen is that new packages come out, meant for 2.4.5, but if your not actually on 2.4.5 you run into an issue, etc.
I just updated my sg4860 without any issues, and didn't touch the packages.. and have quite a few installed. Upgrade went fine..
You can quite often just click upgrade... But on the off chance there is an issue, don't say you weren't warned ;) With any update of any system you should always have media available for clean install, and current backup of your config..
-
@johnpoz Oh ok, that makes much more sense now! Thanks for the clarification.
-
Unfortunately, I took the package updates not knowing that 2.4.5 was even out. There has to be a better way to prevent package updating if these packages are not meant for the current release. So far all is working fine on 2.4.4p3 and I am inclined to wait a few days until the dust settles. Keeping fingers crossed.
-
@revengineer said in 2.4.5 Update Caution:
Unfortunately, I took the package updates not knowing that 2.4.5 was even out
Like the red light on the dashboard that lights up when oil is low and you still start the car and drive away ?
To use "package update", you have to pass by the pfSense dashboard ..... and true, it wasn't red .... but blue (green ?)I saw Youtube proposing me a video of a guy called Lawrence mentioning the "2.4.5 is here".
Entering the GUI, I saw :
True, it wasn't flashing neither printed in red.
(but 'some of us' were waiting for it ....)Btw : 2.4.5 'core' looks really good.
If there is an issue, then it would be with one of these huge packages that root deeply in the system.
If you have none, go upgrade, you'll be fine. Now or over one week, the code stays the same. -
To be honest I don't think there was any even out or that have been updated... Its a warning from when moved to 2.4 from 2.3 or 2.2. to 2.3 - a while back is my point ;)
Guess then there were new packages updated. And users still on old version updated to them, etc..
I do believe they worked on splitting the repositories up to prevent such a thing from happening again.
None of the packages I have showed any updates before 2.4.5 dropped or after.. Its not the before that could get you it could be the later..
Scenario... Your one of those users that has your head in the sand and doesn't pay attention to what is released or not released just completely oblivious to the software your using as your router and firewall. Not like its important or anything, bet you have the latest bleeding edge version of super game X you play and latest tweaks on your over clocked graphics card so you can get 0.3 fps more, etc. . But when it comes to your security software - meh it works! Who cares if version is 3 years old ;)
few weeks from now, your tooling around pfsense, ie don't know trying to figure out how to make sure you don't have any dns leaks <rolleyes> and you not paying any attention to the big update available info right there in the main system widget.. Maybe you have it turned off, or maybe you turn off checking for updates??? And you happen to land in package manager and there you notice hey look at that xyz has an update, or gee look at that package let me try that out..
And you update something, now 3 weeks later you figure out oh shit look at that new version is out - and update..
It shouldn't be an issue.. But if they didn't mention it, there would be that one user - why didn't you tell me the safety was off on that gun... Now I went and shot myself in the foot - and its your fault sort of people..
-
Yeah, that warning was added to the update notes when PHP was updated across a major version. Almost every package had to be updated and then were dependent on the new php version. Whew the new version went live the new packages also did and if you installed them into a system with the old php version bad things happened! Until you updated at least. It was ugly!
I am not aware of any such issues with the step from 2.4.4p3 to 2.4.5. I've updated numerous systems with packages installed and did not see an issue.
However the safest option is always to uninstall packages first or install clean restore the old config.
Steve
-
FYI. There is at least one freshly updated package that has an issue on 2.4.4_p3 but not on 2.4.5. That package is Snort. The
libpcaplibrary in FreeBSD 11.3 (which is what pfSense-2.4.5 is based on) has a different internal library dependency that is NOT satisfied on pfSense-2.4.4_p3. Found that out yesterday from a poster having a problem after updating Snort on pfSense-2.4.4_p3. There are no issues on pfSense-2.5 DEVEL either, just on 2.4.4_p3. Unfortunately that did not shake out during my pre-release testing. The newer Snort binary worked fine there for me on my test VM.So as has been stated in this thread, when new pfSense versions are released, update to the lastest pfSense FIRST, and only then update any installed packages (or let the upgrade update the packages for you when it installs). So as @johnpoz cautioned, pay attention and follow the pfSense updates!
-
Mmm, we are now investigating an issue with Suricata too. The version 5 package should not be installed in 2.4.4p3 but is shown as available.
Steve
-
@bmeeks Snort is one of the packages I updated yesterday to v3.2.9.10_2 on pfSense 2.4.4p3. I see no obvious issues. Did I understand correctly that this is problematic? If so, can I revert to the previous version?
-
@revengineer said in 2.4.5 Update Caution:
@bmeeks Snort is one of the packages I updated yesterday to v3.2.9.10_2 on pfSense 2.4.4p3. I see no obvious issues. Did I understand correctly that this is problematic? If so, can I revert to the previous version?
No, if you updated and it started, then it must be okay for you. The issue would prevent it from even starting. At least it did for me on a VM when I tested shortly after the first report. Maybe the supporting library got updated on the repository ???. I haven't checked that out, though.
-
@stephenw10 said in 2.4.5 Update Caution:
Mmm, we are now investigating an issue with Suricata too. The version 5 package should not be installed in 2.4.4p3 but is shown as available.
Steve
There are two different "current" versions of Suricata out there, one for each pfSense architecture type (amd64/aarch64 and armv6/armv7). This is because of the upstream decision to use Rust and make it a runtime requirement. There is currently no way to build Rust for armv6 or armv7 hardware, thus a Suricata binary that needs Rust can't run on those hardware platforms. So there is a suricata4 binary in the repositories that is based on Suricata v4.1.7, and that binary along with an accompanying custom PHP package should show up for armv6 and armv7 machines. The Suricata 5.0.2 binary must have a runtime Rust package available for the hardware platform, so that binary is now limited to just the amd64 and aarch64 hardware repositories.
Renato was going to use some under-the-hood magic to make all this work.
-
@bmeeks said in 2.4.5 Update Caution:
Renato was going to use some under-the-hood magic to make all this work.
Exactly, and that part works fine. If you had Suricata installed (4.1.7) and you update to 2.4.5 you will end up either in 5.0.2 or 4.1.7_1 depending on the architecture.
However it looks like currently if you're running 2.4.4p3 you may see the 5.0.2 package but you should not update to that before upgrading to 2.4.5.Steve
-
@stephenw10 said in 2.4.5 Update Caution:
@bmeeks said in 2.4.5 Update Caution:
Renato was going to use some under-the-hood magic to make all this work.
Exactly, and that part works fine. If you had Suricata installed (4.1.7) and you update to 2.4.5 you will end up either in 5.0.2 or 4.1.7_1 depending on the architecture.
However it looks like currently if you're running 2.4.4p3 you may see the 5.0.2 package but you should not update to that before upgrading to 2.4.5.Steve
Gotcha
I so wish Suricata upstream would lose their current fascination with Rust.
-
@stephenw10 said in 2.4.5 Update Caution:
I am not aware of any such issues with the step from 2.4.4p3 to 2.4.5. I've updated numerous systems with packages installed and did not see an issue.
Thank you Steve, these is good to know. In the pandemic, I am doing critical work from home and I cannot afford to screw up my internet right now. It looks like I will be able to continue using my current configuration until at least next weekend when any major issues should be apparent.
-
@bmeeks Thank you. My system including snort are definitely working. That's good enough for me in the near term, no need for me to understand why it's working.
-
@johnpoz said in 2.4.5 Update Caution:
None of the packages I have showed any updates before 2.4.5 dropped or after.. Its not the before that could get you it could be the later..
The following packages showed updates yesterday that did not show 2 days ago when I last checked: squid, squiguard, snort, iperf.
Scenario... Your one of those users that has your head in the sand and doesn't pay attention to what is released or not released just completely oblivious to the software your using as your router and firewall. Not like its important or anything, bet you have the latest bleeding edge version of super game X you play and latest tweaks on your over clocked graphics card so you can get 0.3 fps more, etc. . But when it comes to your security software - meh it works! Who cares if version is 3 years old ;)
few weeks from now, your tooling around pfsense, ie don't know trying to figure out how to make sure you don't have any dns leaks <rolleyes> and you not paying any attention to the big update available info right there in the main system widget.. Maybe you have it turned off, or maybe you turn off checking for updates??? And you happen to land in package manager and there you notice hey look at that xyz has an update, or gee look at that package let me try that out..
And you update something, now 3 weeks later you figure out oh shit look at that new version is out - and update..
This scenario does not apply to me... at all... not a single sentence applies to my situation.
-
-
Just to be clear though any package updates you do see may be intended for 2.4.5. Do not update any packages before updating to 2.4.5.
Steve
-
@stephenw10 Understood. Now that I am aware of the new release, I will not update package until I update the release next weekend.
-
Followed the instructions; made backup, re-booted and then updated. Smooth as silk.
Uptime before re-boot was 155 days.
Very pleasant experience. Thanks.
