How to automatically load a new configuration in every boot
-
Updating lots of pfsense VM's takes too long. Would be nice if they all had a common hard drive in nonpersistent mode (which means the drive would be seen by each VM as fresh and brand new in every powerup of the VM), and each VM also had its own private hard drive that held its configuration which were loaded at boot time.
Does a config file exist that is loaded at boot time and can be replaced with a soft link pointing to a file in the VM's private drive?
If not, how can a config file be automatically loaded at boot with a script?
-
If you had a virtual USB device attached to each VM it will automatically pull a config named config.xml from it at boot:
https://docs.netgate.com/pfsense/en/latest/backup/automatically-restore-during-install.html#external-configuration-locator-eclSteve
-
Unfortunately vmware does not support virtual USB drives. But there is a config file under /cf/conf/config.xml that appears to be loaded in every boot. Replacing it with a soft link to a config.xml in the VM's private drive works, you can edit the config.xml and the changes show up in the next boot. Here's how, with a fat-formatted private drive:
mkdir /myconfig echo "/dev/ada1s1 /myconfig msdosfs rw,noatime 1 1" >> /etc/fstab mount /dev/ada1s1 mv /cf/conf/config.xml /myconfig/ ln -s /myconfig/config.xml /cf/conf/config.xml -
That's the main config file so it is loaded at each boot and also updated any time you make a change. No guarantees that won't break at upgrade etc...
The ECL will actually look for config in all attached disks not just USB:
https://github.com/pfsense/pfsense/blob/master/src/etc/ecl.php#L48So you can likely still use that. That would not require any changes to pfSense, only that a far32 formatted drive is present. It would load the config at every boot though overriding any changes made in the webgui.
Steve
-
Changes made with the web interface should be persistent. Is it safer if the entire /cf/conf/ directory becomes the mount point for the private drive?
-
Neither is safe really. Both are untested and unsupported. It would be entirely down to you to decide if it's functional.
If it works then great but, as I say, it may well fail somewhere down the line when you update the firmware etc.
Steve
-
Does it make any difference if you specify additional drives and mounting directories during installation? Or these too may not be honored in future versions?
-
By the way, a config.xml in the separate drive mounted at /myconfig does not seem to be read at all during boot. That is, after these commands in a brand new VM:
mkdir /myconfig echo "/dev/ada1s1 /myconfig msdosfs rw,noatime 1 1" >> /etc/fstab mount /dev/ada1s1 cp /cf/conf/config.xml /myconfig/ sed -ic 's/bannedsite/nothing/g' /myconfig/config.xmlBannedsite is still banned in the DNS resolver after this and a reboot.
EDIT: forgot the mount command above. But still the same problem.
-
That's with the linked config file?
Did that actually alter it as expected?
Where/when is that script run?
Steve
-
@stephenw10 said in How to automatically load a new configuration in every boot:
That's with the linked config file?
No, this is brand new, starting from scratch in a freshly installed pfsense. EDIT: Plus a few sites configured in the DNS resolver to point to the local host so they are effectively banned.
Did that actually alter it as expected?
There is no linked file and the actual config.xml file in the second drive has been modified as expected, but going to the DNS resolver after boot no modification appears there.
Where/when is that script run?
Commands run one by one in the web interface under Diagnostics.
-
Just an untested idea.
What if you configure the xml rpc sync from master to slave, in a daisy chain fashion.
Changing something on master would make a ripple propagation to all.
The downside is that if one pf is missing the chain breaks.. -
stephenw10 Netgate Administratorlast edited by stephenw10 Jul 28, 2020, 7:31 PM Jul 28, 2020, 7:31 PM
Ah OK check the boot log. Just after root is mounted you will see the ECL looking for config files.
If it finds one:External config loader 1.0 is now starting... da0s1 -> found config.xml Backing up old configuration... Restoring [da0s1] /tmp/mnt/cf/config.xml... Cleaning up...Steve
-
OK, it works as long as you do NOT mount the extra drive with a line in /etc/fstab. Or my line in /etc/fstab is wrong. Here it is again:
/dev/ada1s1 /myconfig msdosfs rw,noatime 1 1It is useful to have an extra drive mounted automatically for reasons other than config. Should a bug be filed for this?
-
There is almost certainly a feature request open for this already. It's a request most often asked by folks wanting to use a separate driver as a cache or for logs etc.
pfSense does not support a config running from multiple drives though and that's unlikely to change.Steve
-
Let's not mount that extra drive at boot then but well after the ECL does its thing. Where's a proper place to put the mount command? Would also need to remember to manually save (backup) any changes to the config to the extra drive or perhaps modify another script?