Upgrading - following the pfSense docs 'Installing and Upgrading' includes having a fall back plan

greeners · Jun 28, 2020, 1:09 PM

I am about to upgrade my 2.4.4-p3 installs to 2.4.5-p1. Like a good IT pro I read the docs - 'Installing and Upgrading' sections. There I see I should have the old version installation just in case the update fails miserably. However I haven't got it and I can't download it. So, what do do?

(TLDR) the docs say, preinstallation tasks #1 and #2 should be done before attempting an upgrade:

Take a configuration a backup
Have a fall-back plan - if the worst happens
Do the upgrade, with note taken of old to new version specifics

I have no problem with #1 and #3. However, #2 is not so simple (or I misread it).

From the docs:
"Downgrading a full installation to previous releases directly in-place is not supported. Very rarely is it desirable or necessary to go back to a prior release. Should that be necessary, the previous version must be reinstalled and a configuration backup from that version must be restored. Configurations from newer versions cannot be restored to older versions."

I don't have the 2.4.4-p3 installation media still, and now I find I can't download it. I have searched these forums - I found a post from the forum admins when someone else asked how to get old versions, saying they remove the old version downloads when a new one is relased (as they don't want to allow access to a version with known vulnerabilities).

I agree its a bad idea to install any version other than the current release for a new firewall build - but what should I do about having a fall-back plan, should the worst happen to the CE installation I use at home? I can put in an SG1100 I guess, but not too happy with losing the extras I get from the CE install to a PC with the crypto CPU extensions.

I have requested the old install USB image for my two Netgate SG1100 appliances (and received it, thanks to support responding on a Sunday). What about the community edition installation?

Maybe the gods are telling me to out try Untangle?

If anyone has the AMD64 2.4.4-p3 CE USB install media (serial or VGA), send me a (https://send.firefox.com?) download link?

provels · Jun 28, 2020, 1:11 PM

@greeners I have the iso.gz if that would do. Ignore as needed. Otherwise, you may be able to open a ticket at Netgate and they may provide a link.

DaddyGo · Jun 28, 2020, 1:34 PM

@greeners

Netgate will remove older versions for well thought out reasons!
(take that into account and they are absolutely right...)

They don’t even like it when we help each other in this (because it is a step backwards):

(there is no support for this, this is understandable)

I have one, but I’m definitely not opting for a browser-based share, maybe Dropbox(?)

greeners · Mar 4, 2021, 8:42 PM

I have got the image now. Thanks to all for offers of help.

I will be keeping a complete archive of install images locally from here on.

fabrizior · Mar 4, 2021, 8:42 PM

@greeners
resurecting this thread... how to get 2.4.5-RELEASE-p1 amd64 so I can revert if [when] the 2.5 install/config goes FUBAR?
Never contemplated the idea that the most-recent prior version would be hard to get... !#@$^@$^!#^!^

SteveITS · Mar 4, 2021, 9:07 PM

If you have a Netgate device you can open a ticket at go.netgate.com and they'll send the file for it. (Factory Edition, now Plus)

If you have CE, do you have an older version? You can install that, set System/Update to 2.4.5 and upgrade to 2.4.5. Then restore config.

lohphat · Mar 5, 2021, 7:13 AM

I would add:

Get a USB console connection setup before the upgrade.

I use putty.exe on Win10 as a terminal to watch what's happening during the upgrade and access the console if necessary.

Check the documentation for your NetGate model as each may require a different driver. On windows, you need to manually install the UART driver before Putty will work.

e.g. SG-3100 you need the Silicon Labs CP210x USB to UART Bridge driver

https://docs.netgate.com/pfsense/en/latest/solutions/sg-3100/connect-to-console.html

Gertjan · Mar 5, 2021, 7:13 AM

@lohphat said in Upgrading - following the pfSense docs 'Installing and Upgrading' includes having a fall back plan:

Get a USB console connection setup before the upgrade.

Yep.
As the 3100 manual states : There are times when directly accessing the console is required.

fabrizior · Mar 5, 2021, 1:00 PM

@teamits No, I do not have a memstick installer archived for any releasec and I’m running 3rd-party hardware.Never occurred to me that downloads of prior versions of opensource software would be so viciously restricted.

fabrizior · Mar 5, 2021, 5:32 PM

Can anybody help?

DaddyGo · Mar 6, 2021, 1:33 PM

@fabrizior said in Upgrading - following the pfSense docs 'Installing and Upgrading' includes having a fall back plan:

Never occurred to me that downloads of prior versions of opensource software would be so viciously restricted.

Hi,

because it is meaningless...
think about it, why not,.... hmmm "say", it is not possible to get a f.e. 1.1 image today...(?!)

because it is obsolete, in the world of informatics, every minute counts

I have written several times here, pls. use Win95 and pls. be satisfied with its security features...

It's a safety tool in your hand, keep it up to date (!)

fabrizior · Mar 6, 2021, 2:23 PM

@daddygo That’s ridiculous. Your attempt at exaggerated humor is snide and petty.

Netgate docs say have a restore plan.
Netgate immediately removes access to the prior release download upon a new release.

Keeping a copy of the installer for the release you’re running really means: every time we do an in-place online upgrade, we must also manually go download and archive the corresponding memstick/iso installer archive.

Otherwise, you’re backup plan (or lack thereof) is screwed.

Show me any other company who removes access to the prior release downloads immediately upon launch of the new release?

Show me any other “opensource“ repo that restricts its binary packages this way?

Netgate: At least leave the prior release available for 90 days... for roll-back purposes.

One-way upgrades without continuing to providing the tools to support roll-back is a smack in the face to your users.

I realize this will change nothing other than more manual labor on my ever-evolving operations SOP, though: thanks for the opportunity to rant.

DaddyGo · Mar 6, 2021, 2:27 PM

@fabrizior said in Upgrading - following the pfSense docs 'Installing and Upgrading' includes having a fall back plan:

That’s ridiculous. Your attempt at exaggerated humor is snide and petty.

Just for you (ONLY!)

I say this is consistent, even if you don't agree with that...
I hope it stays that way, to avoid stupidity ....

fabrizior · Mar 6, 2021, 2:38 PM

@daddygo
To each their own...

Just to clarify:
Are you equating the ability to roll-back an upgrade to the last functional release & configuration to stupidity?

Or perhaps rather the approach of say a user setting up a new ofSense deployment using 2.4.5p1 instead of immediately jumping on 2.5 while so many people are having functional and configuration problems with the new release?

Or just calling those of us who didn’t keep their old memstick installer stupid?

DaddyGo · Mar 6, 2021, 2:45 PM

@fabrizior said in Upgrading - following the pfSense docs 'Installing and Upgrading' includes having a fall back plan:

Just to clarify:

hmmmm and hmmmm

Do you want an old installer?
I'll upload it to a DropBox account

fabrizior · Mar 6, 2021, 11:53 PM

@daddygo appreciate the offer, thank you. Others have already done so.

guardian · Mar 21, 2021, 9:40 AM

How difficult is it to make a disk image clone? (Likely drop to single user mode to keep the system from changing too much), That way all plugins can be accommodated.

Tzvia · Mar 22, 2021, 3:08 PM

As much as I would like to see the previous version ISO available for say a month, along side the new version, that is not a backout plan. That would be for those who didn't have a backout plan, if they find they need it after upgrading. Therefore, it should not be part of a backout plan. When there is a new release, even though I run the 'upgrade', the first thing I do is grab the ISO and make a memstick. I then upload the ISO to my NAS just in case. It's there for when the next version comes out, just as the previous version was saved. How hard it that... We all knew that 2.50 was due 'any day now', how hard would it have been to grab 2.45p1 then 'just in case' if you hadn't when it was released.

Total cost of this backout plan? A few minutes time + one memory stick. Have a router with removable drive or provision for second drive? How about adding second drive, installing PFSense on it and importing your backup. Run on it for long enough to verify it works the same as the original. When the update comes out, update it, leaving the original alone. I did this, and I did need to back out. Cake, shut it off, swap the cables back, boot back to 2.45p1. I needed that as I have to be able to work from home and can't have downtime over some bug in the new code. The next weekend, I swapped the cables back and worked through the problems, knowing that I could go back in a couple of minutes so that I could be back 'at work' come Monday.

Maybe I over thought it. But the internet has gone from a toy of tinkerers to an appliance like a refrigerator. And these days, downtime may be lost income as so many are working from home as I am. Downtime is a big deal, but it only takes a few minutes to cover your ass.

fabrizior · Mar 22, 2021, 4:10 PM

@tzvia That's solid advise, and a reasonable plan. The point here is that the docs could do a better job of warning that saving and personally archiving the ISO/memstick image is a necessary step at each upgrade and that their is no availability to download on-demand once a new release has become available. (Though that seems too much to ask...)

Perhaps including a simple warning note and a link to download the current installed and new images on the System Update page in the UI would help take care of some of this "archive or else" situation.

I have the memstick I did my install with back in not-so-recent history. The prior upgrades have been done online and in-place. As such, I never downloaded the memstick installer for 4.5x - which I'd need for a 4.5 upgrade back-out plan.

Is that my failure? yes.

Though Netgate is the only company that seems to have this policy that I'm aware of... accounting for either close or open-source distros.

Is it an obsurd inconvenience that I cannot rectify that directly with the ability to download the last-most-recent production release version prior to the newly-released [current] update? I say yes, and most seem to agree...

This sort of management behavior, along with the BS recently regarding WireGuard... really says that NetGate isn't treating pfSense or it's pfSense customers/potential-customers, or it's back-end supporting development community in a serious or professional manner.

One man's professional opinion...

A Former User · Mar 22, 2021, 4:53 PM

@fabrizior Agreed. It's an odd policy at best that on day one the "older" versions become inaccessible.

You can open a ticket with them and they will get you a 2.4.5_p1 image. No support contract required. That's a pain for both users and Netgate.

As to the other drama I'll not say anything more than I've said in other threads. I, speaking only for myself, will move on to another product when the time is convenient. I have exactly zero interest in upgrading to 2.5. I'm done...