Partial restore from command line?



  • My question is specifically DNS related but I am asking in the general forum because I can see if this gets answered it may help people with similar issues for other areas.

    I am getting quite a fleet of "NEARLY" identical virtual appliance installs of pfSense. By the time I am done, I will have ~80 of them that all need DNS whitelist management. I would love to be able to do this centrally. My whitelist is implemented via transparent local zones under the DNS resolver. So, I'm down to trying to use the following method:

    1. Make change on a central test platform.
    2. Save only the DNS Resolver configuration xml to a stock name on a secure web or SFTP server.
    3. Have a scheduled script run on each remote pfSense to download the file
    4. Run the command to restore just the unbound config on the server and get the server to recognize and implement the change

    The command to do #4 is what I have not yet located in my searches. Can someone please help? For various reasons the autoconfig backup package does not fulfill the need here, because the backup/restore is 1 to many and partial.


  • Rebel Alliance Developer Netgate

    There is no way to do that at the moment. We're working on a central management platform to accomplish that sort of task, it's in development now.



  • You mean there is no console command that can restore a partial config file? I am willing to script the rest of this, I am hoping to not have to wait on the final solution.

    The gui has to be running a command in the background for IT to be able to save. Is it possible to get the command that the web gui runs to restore a partial config? If I just have that I can run with it. In fact I think I'd probably prefer a self scripted solution even if the central management utility were already here.


  • Rebel Alliance Developer Netgate

    @getut:

    You mean there is no console command that can restore a partial config file? I am willing to script the rest of this, I am hoping to not have to wait on the final solution.

    Correct. There is no such command.

    @getut:

    The gui has to be running a command in the background for IT to be able to save. Is it possible to get the command that the web gui runs to restore a partial config? If I just have that I can run with it. In fact I think I'd probably prefer a self scripted solution even if the central management utility were already here.

    It does not run a command, it is running PHP code directly. You could dig at the source and find the PHP code and cut it up and maybe make a script – but that is miles away from it being a readily-available utility.



  • What about restoring the entire config.xml from the command line? It shouldn't be difficult for a user to write a quick program/script to pull a copy of config.xml, replace the entire unbound section, and write it back…

    (Obviously, all this would be completely unsupported.)


  • Rebel Alliance Developer Netgate

    Not easily, because you'd also have to track down and run the commands that rewrite the config and refresh/reload/restart the services in the parts that changed. You'd have to do that latter part even for a partial restore.

    It's possible, sure, but you'd have to write a ton of custom code to get it done. That sort of thing will be handled by an API in the future but we're not to that point yet.
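
The section swap suggested above, as an added example that is not part of the original thread and is not pfSense code: it validates a downloaded fragment, replaces the single `<unbound>` element in a copy of config.xml, keeps a backup and writes the result atomically. The function names and the simplified sample files are assumptions constructed for illustration, and the service reload step the reply says is still required is not covered.

```python
import os, shutil, tempfile
import xml.etree.ElementTree as ET

def replace_section(config_path, fragment_path, tag="unbound"):
    """Swap the single <tag> child of the config root for the fragment's root."""
    with open(fragment_path, "rb") as f:
        raw = f.read()
    # The fragment comes from a remote server: refuse DTDs and entity declarations.
    if b"<!DOCTYPE" in raw or b"<!ENTITY" in raw:
        raise ValueError("fragment carries a DTD; refusing to parse it")
    new = ET.fromstring(raw)              # raises ParseError if not well-formed
    if new.tag != tag:
        raise ValueError(f"fragment root is <{new.tag}>, expected <{tag}>")
    tree = ET.parse(config_path)
    root = tree.getroot()
    old = root.findall(tag)
    if len(old) != 1:
        raise ValueError(f"expected exactly one <{tag}>, found {len(old)}")
    pos = list(root).index(old[0])
    new.tail = old[0].tail                # keep the surrounding whitespace
    root.remove(old[0])
    root.insert(pos, new)
    backup = config_path + ".bak"
    shutil.copy2(config_path, backup)     # previous config kept for rollback
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(config_path)))
    with os.fdopen(fd, "wb") as f:
        tree.write(f, encoding="utf-8", xml_declaration=True)
    os.replace(tmp, config_path)          # atomic rename: no half-written config
    return backup

def demo():
    """Run the swap on constructed, simplified sample files in a temp dir."""
    d = tempfile.mkdtemp()
    cfg = os.path.join(d, "config.xml")
    frag = os.path.join(d, "dns-resolver.conf")
    with open(cfg, "w") as f:             # constructed sample, not a real config
        f.write("<pfsense><system><hostname>fw01</hostname></system>"
                "<unbound><custom_options>old</custom_options></unbound></pfsense>")
    with open(frag, "w") as f:            # constructed sample fragment
        f.write("<unbound><custom_options>new</custom_options></unbound>")
    replace_section(cfg, frag)
    root = ET.parse(cfg).getroot()
    return root.findtext("unbound/custom_options"), root.findtext("system/hostname")

if __name__ == "__main__":
    print(demo())
```
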



  • Wow… all I really need is the PHP command that is submitted when I have chosen a DNS resolver conf file, chosen the DNS resolver option in the dropdown and clicked submit.

    I bet this is one single line of code. I really have no idea why a restore and backup sub command don't exist under the pfssh command.

    Would this be possible using the record functionality of pfssh? Record the includes, set the variable, and run the command?


  • Rebel Alliance Developer Netgate

    It's nowhere near that simple, but go ahead and try.



  • @jimp:

    It's nowhere near that simple, but go ahead and try.

    I understand that it would be complex to support all of the changes and options supported in the gui. But in this instance, the file name (I will probably name the file dns-resolver.conf) and its location (cron job will download updated version of exactly the same file to exactly the same location on the local file system every time) and all options needed would always be 100% identical.


  • Banned

    There is no such simple command. Feel free to burn yourself (and make a backup before).



  • @doktornotor:

    There is no such simple command. Feel free to burn yourself (and make a backup before).

    With the lack of such a BASIC command set (backup and restore) available in the command line tools, which with 100% certainty could not have been an oversight, coupled with the hostility toward working on this… I'm beginning to believe this is on purpose to limit availability of these features so they can be monetized under the Gold plan or something similar once this central management product reaches general availability.

    I'll be sure and publish anything I find to help the public avoid this. But we all know, first step is make it difficult with simple lack of support. If there becomes a way around it, then next step will be to actively cripple the software. I have seen the beginnings of the framework of this with the product "serial" number showing up on the main screen.

    Why would they need to uniquely identify installs unless this is coming? Crippling features so they can be sold. Well, at least until now it is open sourced. Someone will fork. Oh wait!!! That's already happened.


  • Banned

    The backup is done automatically on every change. You can restore any of those recent automatic backups from CLI menu - 15) Restore recent configuration.

    What's NOT there and what's absolutely non-trivial (despite your imagination) is replacing an arbitrary part of the config with something else.

    Will not comment on the monetization crap, waste of time.