2.4.5 Update Caution
-
@revengineer said in 2.4.5 Update Caution:
@bmeeks Snort is one of the packages I updated yesterday to v3.2.9.10_2 on pfSense 2.4.4p3. I see no obvious issues. Did I understand correctly that this is problematic? If so, can I revert to the previous version?
No, if you updated and it started, then it must be okay for you. The issue would prevent it from even starting. At least it did for me on a VM when I tested shortly after the first report. Maybe the supporting library got updated on the repository ???. I haven't checked that out, though.
-
@stephenw10 said in 2.4.5 Update Caution:
Mmm, we are now investigating an issue with Suricata too. The version 5 package should not be installed in 2.4.4p3 but is shown as available.
Steve
There are two different "current" versions of Suricata out there, one for each pfSense architecture type (amd64/aarch64 and armv6/armv7). This is because of the upstream decision to use Rust and make it a runtime requirement. There is currently no way to build Rust for armv6 or armv7 hardware, thus a Suricata binary that needs Rust can't run on those hardware platforms. So there is a suricata4 binary in the repositories that is based on Suricata v4.1.7, and that binary along with an accompanying custom PHP package should show up for armv6 and armv7 machines. The Suricata 5.0.2 binary must have a runtime Rust package available for the hardware platform, so that binary is now limited to just the amd64 and aarch64 hardware repositories.
Renato was going to use some under-the-hood magic to make all this work.
-
@bmeeks said in 2.4.5 Update Caution:
Renato was going to use some under-the-hood magic to make all this work.
Exactly, and that part works fine. If you had Suricata installed (4.1.7) and you update to 2.4.5 you will end up either in 5.0.2 or 4.1.7_1 depending on the architecture.
However it looks like currently if you're running 2.4.4p3 you may see the 5.0.2 package but you should not update to that before upgrading to 2.4.5.Steve
-
@stephenw10 said in 2.4.5 Update Caution:
@bmeeks said in 2.4.5 Update Caution:
Renato was going to use some under-the-hood magic to make all this work.
Exactly, and that part works fine. If you had Suricata installed (4.1.7) and you update to 2.4.5 you will end up either in 5.0.2 or 4.1.7_1 depending on the architecture.
However it looks like currently if you're running 2.4.4p3 you may see the 5.0.2 package but you should not update to that before upgrading to 2.4.5.Steve
Gotcha
I so wish Suricata upstream would lose their current fascination with Rust.
-
@stephenw10 said in 2.4.5 Update Caution:
I am not aware of any such issues with the step from 2.4.4p3 to 2.4.5. I've updated numerous systems with packages installed and did not see an issue.
Thank you Steve, these is good to know. In the pandemic, I am doing critical work from home and I cannot afford to screw up my internet right now. It looks like I will be able to continue using my current configuration until at least next weekend when any major issues should be apparent.
-
@bmeeks Thank you. My system including snort are definitely working. That's good enough for me in the near term, no need for me to understand why it's working.
-
@johnpoz said in 2.4.5 Update Caution:
None of the packages I have showed any updates before 2.4.5 dropped or after.. Its not the before that could get you it could be the later..
The following packages showed updates yesterday that did not show 2 days ago when I last checked: squid, squiguard, snort, iperf.
Scenario... Your one of those users that has your head in the sand and doesn't pay attention to what is released or not released just completely oblivious to the software your using as your router and firewall. Not like its important or anything, bet you have the latest bleeding edge version of super game X you play and latest tweaks on your over clocked graphics card so you can get 0.3 fps more, etc. . But when it comes to your security software - meh it works! Who cares if version is 3 years old ;)
few weeks from now, your tooling around pfsense, ie don't know trying to figure out how to make sure you don't have any dns leaks <rolleyes> and you not paying any attention to the big update available info right there in the main system widget.. Maybe you have it turned off, or maybe you turn off checking for updates??? And you happen to land in package manager and there you notice hey look at that xyz has an update, or gee look at that package let me try that out..
And you update something, now 3 weeks later you figure out oh shit look at that new version is out - and update..
This scenario does not apply to me... at all... not a single sentence applies to my situation.
-
-
Just to be clear though any package updates you do see may be intended for 2.4.5. Do not update any packages before updating to 2.4.5.
Steve
-
@stephenw10 Understood. Now that I am aware of the new release, I will not update package until I update the release next weekend.
-
Followed the instructions; made backup, re-booted and then updated. Smooth as silk.
Uptime before re-boot was 155 days.
Very pleasant experience. Thanks.
-
seen update notice on dashboard yesterday. uninstalled packages and updated. It took 5 or 6 minutes and took a few attempts to auto reconnect. it keep saying not ready yet so I was getting worried but then it came up with no issues. re-installed packages and all is good. thank you Devs
-
uhm my 2.4.5 ended up with suricata 5.0.2
I didn't noticed this until i read this thread because it's working -
That is correct if it's amd64 or aarch64. Only armv6 should get 4.1.7_1 in 2.4.5.
Steve
-
ah ok, great
-
@stephenw10 said in 2.4.5 Update Caution:
Just to be clear though any package updates you do see may be intended for 2.4.5. Do not update any packages before updating to 2.4.5.
Steve
What if I do need to do a fresh Installation of 2.4.4_p3 and want to Install snort for example? Do I get a compatible version or the one which is indented for 2.4.5?
-
@Artes said in 2.4.5 Update Caution:
@stephenw10 said in 2.4.5 Update Caution:
Just to be clear though any package updates you do see may be intended for 2.4.5. Do not update any packages before updating to 2.4.5.
Steve
What if I do need to do a fresh Installation of 2.4.4_p3 and want to Install snort for example? Do I get a compatible version or the one which is indented for 2.4.5?
The one compiled for pfSense-2.4.5 won't load on pfSense-2.4.4_p3 due to FreeBSD shared library changes. And right now, short of building your own pfSense package builder and creating a custom Poudriere ports repo, you can't install the new Snort package on older pfSense versions. If you went the custom repo route, you could build and install the old Snort.
-
It's possible to do it by creating repo conf file and setting it to 2.4.4. The 2.4.4 pkgs are still accessible.
However I strongly recommend you don't unless you have no choice.Steve
-
Thank you for the Information. Am I right that the repo configuration file to setup is located in /usr/local/etc/pkg/repos/ ?
It's not that I'd like to stay on 2.4.4 - I have to make a rollback plan for upcoming upgrades of Bare Metal Firewalls - just in case if shit hits the fan.
-
Yes. Create a new file there. They are parsed in alphabetical order so I have used a file named
temp_repo.conf
.
Copy the values from the pfSense repo conf file and edit all the 2_4_5s to 2_4_4s.
Save the file, refresh the update check and you should be back pointing at 2.4.4 packages.
Just remove the temp_repo file when you're ready to upgrade.Steve
Edit: You no longer have to do this. You can now select the 2.4.4 repo from System > Update > Update Settings.