2.4.5 Update Caution



  • So I was reading this article and saw this caution:

    **Do not update packages before upgrading pfSense!** Either remove all packages or do not update packages before running the upgrade.
    

    The update seems to be vague at best (no offense meant). I upgraded to 2.4.5 just now and it was successful. What does it really mean? I have my packages all up-to-date every single time. It was a couple of days ago since my last freeradius package update. Technically, that is "before" I update to 2.4.5. So does that mean I'm screwed? Are you saying that all packages should be out-of-date before I ran the update? I've read the message over and over and I really don't understand what it means.

    Anyone can help? Thanks.



  • I have the same question. Just updated my packages yesterday and want to upgrade to 2.4.5 today.



  • Just remove your packages before you upgrade. Follow the guide- https://docs.netgate.com/pfsense/en/latest/install/upgrade-guide.html



  • Or "leave the packages alone" as the guide says. What does "do not upgrade packages before the upgrade" really mean? I've updated to several releases without ever removing any of my packages.



  • Heh, I see what the OP means for sure; definitely a bit confusing. The documentation says:

    The safest practice is to remove all packages before upgrading pfSense to a new release. The upgrade process will reinstall packages afterward

    Oh neat, sounds like the upgrade process automatically reinstalls those packages that I removed before the upgrade, after the upgrade. Great!

    To ensure a smooth upgrade, note the installed packages, remove them, perform the upgrade, and then reinstall necessary packages.

    Oh...wait so I'm doing that manually now? It's hard to tell if that's an automated process or not; those 2 things seem to contradict each other in the same paragraph. The only thing I can assume is that by "The upgrade process will reinstall packages afterward", what they really mean is "while following these upgrade procedures, one of the steps you'll be performing is reinstalling packages afterwards".



  • What I "assume" with that section in the guide is that it will only reinstall the packages after the update IF you don't remove them.

    If you do remove them manually (which is more recommended), you need to reinstall them manually, which sucks :(



  • "The safest practice is to remove all packages before upgrading pfSense to a new release."

    "The upgrade process will reinstall packages afterward, (if you choose to not uninstall them) but packages are frequently a source of problems."

    Or could be written- If you decide not to uninstall the packages before upgrading they will be reinstalled as the installer finishes. But the packages are a frequent source of problems.

    "To ensure a smooth upgrade, note the installed packages, remove them, perform the upgrade, and then reinstall necessary packages."



  • @chpalmer
    "but packages are frequently a source of problems."

    Ah. That but is indeed important. Makes sense now!



  • What kind of "problems" are we risking if we choose not to uninstall them before the upgrade? The ones I use are these:

    [image]



  • This is the list of packages I use :

    Avahi, acme, Cron, FreeRadius3, Notes, Nut, openvpn-client-export, pfBlockerNG-devel, Shellcmd and System_Patches.

    Updated two systems : it went perfectly well.
    edit : I didn't remove any packages.
    Again : was updating from 2.4.4-p3.r.2020.03xx1500 - the latest RC, not the stock 2.4.4-p3.

    I've been using nearly every 2.4.5 RC version before, so I knew my up-to-date packages worked fine 'yesterday'.

    If you are using a mission critical system : just wait, visit this forum for possible future issues, give it a week or so, or more, these are strange times. Use a spare system to clone your setup and look yourself for issues. Then swap. If issues, you're back to a working situation with the swap of a cable.

    Always :
    Get a config.xml copy.
    Clean (using GUI) reboot your pfSense.
    Check principal logs for any after-reboot-issues.
    Check main services of your pfSense. This could be as easy as 'Internet is fine' up until huge HAProxy web farm systems. TEST !
    Then hit the update button.
    When the system says it's rebooting, copy the entire green GUI log for later inspection, so you can spot any error messages if needed.

    Also :
    Have a console up and running all the time. Or, at least, know you can have one up and running when needed.
    Take 5 minutes, build a bootable USB key with freshly downloaded pfSense version.
    Or, for VM guys : hit that 'backup' button.

    I'm updating since 1.x, somewhere from 2005 / 2006 ? (15 years ☺ )



  • @Gertjan

    I'm updating since 1.x, somewhere from 2005 / 2006 ? (15 years ☺ )

    Whoa, same install?!



  • @link470 said in 2.4.5 Update Caution:

    same install?!

    Basically, yes. Changed the hardware once, in 2011, I guess.
    In the beginning, I thought that I 'understood' the system. So, I blew it up several times, and had to learn that I had to keep on learning. I became pretty good at applying the Phoenix concept. These days I use two systems, the second in a VM, so I don't have to mess around with my 'main' system, which is a company router. I'm using some FreeBSD packages that are not from pfSense, like nano ^^ and Munin.



  • @Gertjan said in 2.4.5 Update Caution:

    This is the list of packages I use :

    Avahi, acme, Cron, FreeRadius3, Notes, Nut, openvpn-client-export, pfBlockerNG-devel, Shellcmd and System_Patches.

    Updated two systems : it went perfectly well.
    edit : I didn't remove any packages.
    Again : was updating from 2.4.4-p3.r.2020.03xx1500 - the latest RC, not the stock 2.4.4-p3.

    I've been using nearly every 2.4.5 RC version before, so I knew my up-to-date packages worked fine 'yesterday'.

    If you are using a mission critical system : just wait, visit this forum for possible future issues, give it a week or so, or more, these are strange times. Use a spare system to clone your setup and look yourself for issues. Then swap. If issues, you're back to a working situation with the swap of a cable.

    Always :
    Get a config.xml copy.
    Clean (using GUI) reboot your pfSense.
    Check principal logs for any after-reboot-issues.
    Check main services of your pfSense. This could be as easy as 'Internet is fine' up until huge HAProxy web farm systems. TEST !
    Then hit the update button.
    When the system says it's rebooting, copy the entire green GUI log for later inspection, so you can spot any error messages if needed.

    Also :
    Have a console up and running all the time. Or, at least, know you can have one up and running when needed.
    Take 5 minutes, build a bootable USB key with freshly downloaded pfSense version.
    Or, for VM guys : hit that 'backup' button.

    I'm updating since 1.x, somewhere from 2005 / 2006 ? (15 years ☺ )

    Nice, thanks for the detailed response. When you say clean reboot, so just reboot pfsense before the upgrade?



  • @kevindd992002 said in 2.4.5 Update Caution:

    so just reboot pfsense before the upgrade?

    Yep.
    This raises the chance that I - we all - can find issues that already existed before the upgrade, and need to be resolved first.


  • LAYER 8 Global Moderator

    @kevindd992002 said in 2.4.5 Update Caution:

    Do not update packages before upgrading pfSense! Either

    What they mean by that is exactly what they stated, don't look in the package manager and see oh there is an update to package XYZ, update it.. Then see oh there is update to pfsense and update the whole thing.

    The problem that can happen is that new packages come out, meant for 2.4.5, but if you're not actually on 2.4.5 you run into an issue, etc.

    I just updated my sg4860 without any issues, and didn't touch the packages.. and have quite a few installed. Upgrade went fine..

    You can quite often just click upgrade... But on the off chance there is an issue, don't say you weren't warned ;) With any update of any system you should always have media available for clean install, and current backup of your config..



  • @johnpoz Oh ok, that makes much more sense now! Thanks for the clarification.



  • Unfortunately, I took the package updates not knowing that 2.4.5 was even out. There has to be a better way to prevent package updating if these packages are not meant for the current release. So far all is working fine on 2.4.4p3 and I am inclined to wait a few days until the dust settles. Keeping fingers crossed.



  • @revengineer said in 2.4.5 Update Caution:

    Unfortunately, I took the package updates not knowing that 2.4.5 was even out

    Like the red light on the dashboard that lights up when oil is low and you still start the car and drive away ?
    To use "package update", you have to pass by the pfSense dashboard ..... and true, it wasn't red .... but blue (green ?)

    I saw Youtube proposing me a video of a guy called Lawrence mentioning the "2.4.5 is here".
    Entering the GUI, I saw :

    [image]

    True, it wasn't flashing nor printed in red.
    (but 'some of us' were waiting for it ....)

    Btw : 2.4.5 'core' looks really good.
    If there is an issue, then it would be with one of these huge packages that root deeply in the system.
    If you have none, go upgrade, you'll be fine. Now or over one week, the code stays the same.


  • LAYER 8 Global Moderator

    To be honest I don't think there was any even out or that have been updated... It's a warning from when moved to 2.4 from 2.3 or 2.2. to 2.3 - a while back is my point ;)

    Guess then there were new packages updated. And users still on old version updated to them, etc..

    I do believe they worked on splitting the repositories up to prevent such a thing from happening again.

    None of the packages I have showed any updates before 2.4.5 dropped or after.. It's not the before that could get you, it could be the later..

    Scenario... You're one of those users that has your head in the sand and doesn't pay attention to what is released or not released, just completely oblivious to the software you're using as your router and firewall. Not like it's important or anything, bet you have the latest bleeding edge version of super game X you play and latest tweaks on your overclocked graphics card so you can get 0.3 fps more, etc. But when it comes to your security software - meh it works! Who cares if version is 3 years old ;)

    A few weeks from now, you're tooling around pfsense, ie don't know trying to figure out how to make sure you don't have any dns leaks <rolleyes> and you're not paying any attention to the big update available info right there in the main system widget.. Maybe you have it turned off, or maybe you turn off checking for updates??? And you happen to land in package manager and there you notice hey look at that xyz has an update, or gee look at that package let me try that out..

    And you update something, now 3 weeks later you figure out oh shit look at that new version is out - and update..

    It shouldn't be an issue.. But if they didn't mention it, there would be that one user - why didn't you tell me the safety was off on that gun... Now I went and shot myself in the foot - and it's your fault sort of people..


  • Netgate Administrator

    Yeah, that warning was added to the update notes when PHP was updated across a major version. Almost every package had to be updated and then were dependent on the new php version. When the new version went live the new packages also did and if you installed them into a system with the old php version bad things happened! Until you updated at least. It was ugly! 😬

    I am not aware of any such issues with the step from 2.4.4p3 to 2.4.5. I've updated numerous systems with packages installed and did not see an issue.

    However the safest option is always to uninstall packages first or install clean and restore the old config.

    Steve



  • FYI. There is at least one freshly updated package that has an issue on 2.4.4_p3 but not on 2.4.5. That package is Snort. The libpcap library in FreeBSD 11.3 (which is what pfSense-2.4.5 is based on) has a different internal library dependency that is NOT satisfied on pfSense-2.4.4_p3. Found that out yesterday from a poster having a problem after updating Snort on pfSense-2.4.4_p3. There are no issues on pfSense-2.5 DEVEL either, just on 2.4.4_p3. Unfortunately that did not shake out during my pre-release testing. The newer Snort binary worked fine there for me on my test VM.

    So as has been stated in this thread, when new pfSense versions are released, update to the latest pfSense FIRST, and only then update any installed packages (or let the upgrade update the packages for you when it installs). So as @johnpoz cautioned, pay attention and follow the pfSense updates!


  • Netgate Administrator

    Mmm, we are now investigating an issue with Suricata too. The version 5 package should not be installed in 2.4.4p3 but is shown as available.

    Steve



  • @bmeeks Snort is one of the packages I updated yesterday to v3.2.9.10_2 on pfSense 2.4.4p3. I see no obvious issues. Did I understand correctly that this is problematic? If so, can I revert to the previous version?



  • @revengineer said in 2.4.5 Update Caution:

    @bmeeks Snort is one of the packages I updated yesterday to v3.2.9.10_2 on pfSense 2.4.4p3. I see no obvious issues. Did I understand correctly that this is problematic? If so, can I revert to the previous version?

    No, if you updated and it started, then it must be okay for you. The issue would prevent it from even starting. At least it did for me on a VM when I tested shortly after the first report. Maybe the supporting library got updated on the repository ???. I haven't checked that out, though.



  • @stephenw10 said in 2.4.5 Update Caution:

    Mmm, we are now investigating an issue with Suricata too. The version 5 package should not be installed in 2.4.4p3 but is shown as available.

    Steve

    There are two different "current" versions of Suricata out there, one for each pfSense architecture type (amd64/aarch64 and armv6/armv7). This is because of the upstream decision to use Rust and make it a runtime requirement. There is currently no way to build Rust for armv6 or armv7 hardware, thus a Suricata binary that needs Rust can't run on those hardware platforms. So there is a suricata4 binary in the repositories that is based on Suricata v4.1.7, and that binary along with an accompanying custom PHP package should show up for armv6 and armv7 machines. The Suricata 5.0.2 binary must have a runtime Rust package available for the hardware platform, so that binary is now limited to just the amd64 and aarch64 hardware repositories.

    Renato was going to use some under-the-hood magic to make all this work.


  • Netgate Administrator

    @bmeeks said in 2.4.5 Update Caution:

    Renato was going to use some under-the-hood magic to make all this work.

    Exactly, and that part works fine. If you had Suricata installed (4.1.7) and you update to 2.4.5 you will end up either in 5.0.2 or 4.1.7_1 depending on the architecture.
    However it looks like currently if you're running 2.4.4p3 you may see the 5.0.2 package but you should not update to that before upgrading to 2.4.5.

    Steve



  • @stephenw10 said in 2.4.5 Update Caution:

    @bmeeks said in 2.4.5 Update Caution:

    Renato was going to use some under-the-hood magic to make all this work.

    Exactly, and that part works fine. If you had Suricata installed (4.1.7) and you update to 2.4.5 you will end up either in 5.0.2 or 4.1.7_1 depending on the architecture.
    However it looks like currently if you're running 2.4.4p3 you may see the 5.0.2 package but you should not update to that before upgrading to 2.4.5.

    Steve

    Gotcha 👍

    I so wish Suricata upstream would lose their current fascination with Rust.



  • @stephenw10 said in 2.4.5 Update Caution:

    I am not aware of any such issues with the step from 2.4.4p3 to 2.4.5. I've updated numerous systems with packages installed and did not see an issue.

    Thank you Steve, this is good to know. In the pandemic, I am doing critical work from home and I cannot afford to screw up my internet right now. It looks like I will be able to continue using my current configuration until at least next weekend when any major issues should be apparent.



  • @bmeeks Thank you. My system including snort is definitely working. That's good enough for me in the near term, no need for me to understand why it's working.



  • @johnpoz said in 2.4.5 Update Caution:

    None of the packages I have showed any updates before 2.4.5 dropped or after.. It's not the before that could get you, it could be the later..

    The following packages showed updates yesterday that did not show 2 days ago when I last checked: squid, squidGuard, snort, iperf.

    Scenario... You're one of those users that has your head in the sand and doesn't pay attention to what is released or not released, just completely oblivious to the software you're using as your router and firewall. Not like it's important or anything, bet you have the latest bleeding edge version of super game X you play and latest tweaks on your overclocked graphics card so you can get 0.3 fps more, etc. But when it comes to your security software - meh it works! Who cares if version is 3 years old ;)

    A few weeks from now, you're tooling around pfsense, ie don't know trying to figure out how to make sure you don't have any dns leaks <rolleyes> and you're not paying any attention to the big update available info right there in the main system widget.. Maybe you have it turned off, or maybe you turn off checking for updates??? And you happen to land in package manager and there you notice hey look at that xyz has an update, or gee look at that package let me try that out..

    And you update something, now 3 weeks later you figure out oh shit look at that new version is out - and update..

    This scenario does not apply to me... at all... not a single sentence applies to my situation.


  • LAYER 8 Global Moderator

    @revengineer said in 2.4.5 Update Caution:

    This scenario does not apply to me

    Nobody said it did...


  • Netgate Administrator

    Just to be clear though any package updates you do see may be intended for 2.4.5. Do not update any packages before updating to 2.4.5.

    Steve



  • @stephenw10 Understood. Now that I am aware of the new release, I will not update package until I update the release next weekend.



  • Followed the instructions; made backup, re-booted and then updated. Smooth as silk.

    Uptime before re-boot was 155 days.

    Very pleasant experience. Thanks.



  • Saw the update notice on the dashboard yesterday. Uninstalled packages and updated. It took 5 or 6 minutes and took a few attempts to auto reconnect. It kept saying not ready yet so I was getting worried, but then it came up with no issues. Re-installed packages and all is good. Thank you, Devs.


  • LAYER 8

    Uhm, my 2.4.5 ended up with suricata 5.0.2.
    I didn't notice this until I read this thread because it's working 😌


  • Netgate Administrator

    That is correct if it's amd64 or aarch64. Only armv6 should get 4.1.7_1 in 2.4.5.

    Steve


  • LAYER 8

    ah ok, great 😀

