How do I roll back packages

ProperCactus

@johnpoz said in How do I roll back packages:

https://github.com/pfsense/FreeBSD-ports/commit/a5b1eda67c40592e14806a4a4bbdd946f0461045#comments

It says that the patch can't apply clean and won't show me the apply button

bmeeks

@propercactus said in How do I roll back packages:

@johnpoz said in How do I roll back packages:

https://github.com/pfsense/FreeBSD-ports/commit/a5b1eda67c40592e14806a4a4bbdd946f0461045#comments

It says that the patch can't apply clean and won't show me the apply button

That posted patch link is for someone who has their own GitHub clone of the package repo and builds the package themselves. Nobody much does that -- really only package developers.

You can still manually apply the changes by making the edits to /usr/local/pkg/syslog-ng.inc shown in the diff file. That means deleting the text in red and adding the text in green at the locations shown. Make a copy of the original file before attempting this, so you can quickly recover. You can use either the built-in option in the GUI under DIAGNOSTICS > EDIT FILE, or obtain a shell prompt on the firewall and use vi.

The above instructions are given in the event you are in a rush for the fix. If not, it may be better to wait for the package to get updated in the Packages repo, and then update from the Package Manager in the GUI.

ProperCactus

I think this is a really strong case for needing package roll back.

The offending commit that broke TLS is 16 days old, so even if I had of waited 14 days before upgrade i still would have upgraded and broken.

It is fortunate that the commit author very promptly supplied a patch once alerted. But if they did not, what can we do? We are stuck with a broken package!

guardian

@propercactus said in How do I roll back packages:

I think this is a really strong case for needing package roll back.

The offending commit that broke TLS is 16 days old, so even if I had of waited 14 days before upgrade i still would have upgraded and broken.

It is fortunate that the commit author very promptly supplied a patch once alerted. But if they did not, what can we do? We are stuck with a broken package!

@propercactus thanks for chiming in.... I need SyslogNG, and if I had updated I'd be f%ck'd. It looks like the patch doesn't work... at least it's not straight forward.

How hard would it be to include a scripts in the install disk to make it easy to save the system/packages? If things go south, at least you can roll everything back.

If the original install is available, then there should be a way to just backup key directories with the packages.

Once I can get through this upgrade, I think I'll try converting to a ZFS install, hopefully a ZFS snapshot will solve these problems - or is that just wishful thinking?

ProperCactus

@guardian said in How do I roll back packages:

It looks like the patch doesn't work...

The patch is working, I was initially confusing myself and pulling the offending commit as the patch in stead of the actual patch.

But yah for the first time in a while I felt completely hopeless, my reporting from the device to SOC was down and what could I do? Not a good position to be in at all.

@guardian said in How do I roll back packages:

hopefully a ZFS snapshot will solve these problems - or is that just wishful thinking?

Good question I'll have to have a look at that myself as it's not something I know anything about yet.

guardian

@propercactus thanks for the reply.

What would it take to add something to rescue mode on the install so it would be easily possible to copy everything to the unused space on the installation USB drive?

ProperCactus

@guardian said in How do I roll back packages:

What would it take to add something to rescue mode on the install so it would be easily possible to copy everything to the unused space on the installation USB drive?

No idea, asking wrong person. I'm brand new to pfSense and BSD

bmeeks

Package rollback is not an impossible task, but it has many nuances and some outright "hard stops" in many cases.

Packages are not standalone, because they depend on shared libraries installed on the system. Many other things on the firewall also depend on those libraries, and most times on a specific version of them. So maintaining a "rollback capability" across a pfSense operating system update would really not be possible. If package "xyz" needed a rollback, it might need to bring back now outdated versions of some shared libraries (meaning they were compiled under the older pfSense OS). Those older shared libraries wouldn't load and work on the updated pfSense. And if you forced them to install, they would then break everything else on the system.

It would be possible to offer a rollback capability of sorts so long as the underlying pfSense version is exactly the same. But right now the pkg system used by FreeBSD does not offer that natively. The entire ecosystem is aimed at the "current" version of things. It would take quite a bit of coding to hack in something like a rollback feature.

You can enter it as a feature request on the pfSense Redmine Site here: https://redmine.pfsense.org/projects/pfsense. Rollback is much more likely to work under ZFS using the snapshots feature. It would be similar to what you do with a virtual machine today by reverting to a previous snapshot. I think the pfSense team is heading towards making ZFS the default install method in the not too distant future. After that happens is when rollback will be more viable.

guardian

@bmeeks said in How do I roll back packages:

Package rollback is not an impossible task, but it has many nuances and some outright "hard stops" in many cases.

Packages are not standalone, because they depend on shared libraries installed on the system. Many other things on the firewall also depend on those libraries, and most times on a specific version of them. So maintaining a "rollback capability" across a pfSense operating system update would really not be possible. If package "xyz" needed a rollback, it might need to bring back now outdated versions of some shared libraries (meaning they were compiled under the older pfSense OS). Those older shared libraries wouldn't load and work on the updated pfSense. And if you forced them to install, they would then break everything else on the system.

It would be possible to offer a rollback capability of sorts so long as the underlying pfSense version is exactly the same. But right now the pkg system used by FreeBSD does not offer that natively. The entire ecosystem is aimed at the "current" version of things. It would take quite a bit of coding to hack in something like a rollback feature.

You can enter it as a feature request on the pfSense Redmine Site here: https://redmine.pfsense.org/projects/pfsense. Rollback is much more likely to work under ZFS using the snapshots feature. It would be similar to what you do with a virtual machine today by reverting to a previous snapshot. I think the pfSense team is heading towards making ZFS the default install method in the not too distant future. After that happens is when rollback will be more viable.

For now what about a stop gap of just being able to roll the system back to where it was before update? Doesn't seem too hard...

1. Attempt update,
   (a) everything works... good... nothing more to do...
   (b) Problems that you can't live with...
   (c) take some diagnostics, submit bug reports, post in forum etc.
   (d) roll back,
   (e) search for solutions, and then return to 1

This make a potentially urgent situation, something that can be dealt with in an non-urgent way.

Either add a rollback to the install media or even just create a well documented script/collection of scripts.

ProperCactus

@bmeeks I think, if a package knows exactly what it changes on update, it can revert what it changes on rollback. It's true if another package is updated or installed after the bad one that it might rely on a dependancy of that bad update but then in that case maybe a roll back then causes a reinstall of remaining packages which will pick up any dependancies. That should work I think?

guardian

@propercactus said in How do I roll back packages:

@bmeeks I think, if a package knows exactly what it changes on update, it can revert what it changes on rollback. It's true if another package is updated or installed after the bad one that it might rely on a dependancy of that bad update but then in that case maybe a roll back then causes a reinstall of remaining packages which will pick up any dependancies. That should work I think?

I think the problem occurs with the rollback is required at the same time as a version upgrade. IIUC A package that works with 2.4.5 may not (or won't) work with 2.5.x, so you can't just roll back that one package, you have to roll back the whole system.

I'd be prepared to backup/restore the whole system as long as it is quick and easy. Hopefully ZFS snapshots will solve a lot of the problems. It should certainly solve a single package upgrade. Run snapshot, update package, if package update isn't good, just revert the snapshot. On an OS upgrade, the system may fail to boot. I had that happen with FreeNAS (now TrueNAS). Fortunately a clean install followed by a config update worked. Hopefully that will apply to pfSense -- except in this case I know there is a problem with SyslogNG.

Did you find out how to apply the patch?

ProperCactus

@guardian said in How do I roll back packages:

Did you find out how to apply the patch?

aYep, however the fixed package has been pushed now so everyone can upgrade