How do I roll back packages



  • I am running the latest pfSense 2.4.5-RELEASE-p1 (amd64).

    The package manager is calling for an update of the following packages:

    -haproxy
    -iperf
    -sudo

    Before I update, I would like to know how to roll back/restore the current package in the
    event that I have issues with any of the packages in the upgrade.


  • LAYER 8 Global Moderator

    AFAIK, there is not an official supported way of doing this?

    But in all my years of using pfsense, really since it's been available.. I can not recall an issue with a package that would have warranted rollback to a previous version. Now I do not use all packages, so can not say it's never happened on any package.

    But been very active on the forums for 10 some years.. And don't really recall any threads where such a thing is an issue..

    If you're concerned... Prob just suggest you wait for a X amount of time after a new version of whatever package before updating it.

    I can tell you I'm running the latest version of haproxy-devel 0.60_9, and it's working fine for my setup.

    If you're curious to what an update has changed, you can click the package number and it will take you to github and you can look to see exactly what has changed.

    example for the latest haproxy-devel
    https://github.com/pfsense/FreeBSD-ports/commits/devel/net/pfSense-pkg-haproxy-devel

    Normally the updates are minor fixes for stuff with minimal code changes..



  • @johnpoz said in How do I roll back packages:

    AFAIK, there is not an official supported way of doing this?

    But in all my years of using pfsense, really since it's been available.. I can not recall an issue with a package that would have warranted rollback to a previous version. Now I do not use all packages, so can not say it's never happened on any package.

    But been very active on the forums for 10 some years.. And don't really recall any threads where such a thing is an issue..

    If you're concerned... Prob just suggest you wait for a X amount of time after a new version of whatever package before updating it.

    I can tell you I'm running the latest version of haproxy-devel 0.60_9, and it's working fine for my setup.

    If you're curious to what an update has changed, you can click the package number and it will take you to github and you can look to see exactly what has changed.

    example for the latest haproxy-devel
    https://github.com/pfsense/FreeBSD-ports/commits/devel/net/pfSense-pkg-haproxy-devel

    Normally the updates are minor fixes for stuff with minimal code changes..

    Thanks for the reply @Johnpoz.... If I save the config file before doing the update, and then do a restore, does it install the old plugin that was installed at the time the backup was made, or do you get stuck with the new ones?



  • @guardian said in How do I roll back packages:

    does it install the old plugin that was installed at the time the backup was made

    It will install whatever is known by the name of the pfSense package at that moment.
    The pfSense package server only has the latest version of everything. As far as I know, there are no official "old packages" available.



  • To add to what others have posted here. Packages in most cases consist of both binary and PHP GUI components. The binary portion of the package is compiled against a specific version of the operating system (in the case of pfSense that means a modified and hardened version of FreeBSD). That binary version, in most cases, cannot run on an operating system version different than the one it was compiled on. Thus the only way to "roll back" a package would be to also rollback the pfSense version to the older version to match the environment where the package was compiled. That introduces security issues.

    So the official packages repository is always populated with package versions compiled against the current pfSense version. If you try and force a rollback to an older package, one of two bad things can happen. First, the package may simply refuse to load and run due to issues with shared library versions. This is the most likely outcome. Or secondly, the installation of the older package may bring in older versions of critical shared libraries and break the operating system (pfSense) to the extent it won't run. This would be the worst, albeit most rare, outcome.

    So rolling back to older package versions is really just not an option. If you are understandably nervous about upgrading to the latest version of a package, you can wait for a period of time and monitor the forums here to see if there are any issues. Developers are quick to fix bugs that impact a package's operation.


  • LAYER 8 Global Moderator

    @bmeeks said in How do I roll back packages:

    So rolling back to older package versions is really just not an option.

    Completely agree when you update pfsense to new version. But way I read the question was more like on version 123 of pfsense, version A of package X, and version B comes out. Still on version 123 of pfsense.

    And something doesn't work as expected in this new version B of the package. So how to go back to version A?

    Which I really don't think is possible either..



  • @johnpoz said in How do I roll back packages:

    @bmeeks said in How do I roll back packages:

    So rolling back to older package versions is really just not an option.

    Completely agree when you update pfsense to new version. But way I read the question was more like on version 123 of pfsense, version A of package X, and version B comes out. Still on version 123 of pfsense.

    And something doesn't work as expected in this new version B of the package. So how to go back to version A?

    Which I really don't think is possible either..

    True, so long as the underlying pfSense version is unchanged, the binary from Package version A will work with Package version B and vice-versa. The real sticky point is the repository keeps only a single "version" of each package in the current tree. I'm not a pkg guru so I don't know if having multiple "current" versions is possible. I'm thinking not, and even if there were, it might open users up to a new way to shoot their foot off ... 😁


  • LAYER 8 Global Moderator

    @bmeeks said in How do I roll back packages:

    keeps only a single "version" of each package in the current tree.

    exactly... Guess it's something someone could put a feature request in for.

    But as you mentioned on how fast package maintainers respond if something is wrong.. I think it would overly complex up everything to try and maintain different versions of packages.. And may end up causing more issues than it could possibly prevent.

    I honestly can not recall an issue where I would have ever wanted to roll back a package.. While I don't use all of them.. I don't recall any major threads where there was any sort of issue with a package update that broke something bad..



  • @johnpoz said in How do I roll back packages:

    I think it would overly complex up everything to try and maintain different versions of packages.. And may end up causing more issues than it could possibly prevent.

    Plus one on that point! I had to maintain two versions of Suricata for ARM and AMD/Intel hardware and it was a huge pain and an area full of potential landmines when making changes. It was difficult for me as a developer to keep the two versions updated.

    Something similar would likely occur with multiple versions of a package even on the same hardware platform.



  • Thanks @bmeeks, @johnpoz, @Gertjan - I can understand the difficulty on the multiple versions. The point I'd like to add to the discussion is that rule #1 with computers is BACKUP, BACKUP, BACKUP.

    I've been raising the issue of fallback for several years. I was suggesting some sort of imaging, but @jimp and others kept telling me that just reloading config.xml would solve all problems
    https://forum.netgate.com/post/727596 . What I am learning here is, this is not true.

    Admittedly pfSense has been very reliable, but not having a quick recovery fallback is troubling and seems to go against established industry best practice (BACKUP!).

    At the very least I would think a built-in image/restore would at least make sure a bad update could be fixed in minutes. This would make frequent updates almost NO RISK, so they could be done without the necessity of a lengthy "insurance maintenance window" just in case something went wrong.

    Thoughts?



  • @guardian said in How do I roll back packages:

    Thanks @bmeeks, @johnpoz, @Gertjan - I can understand the difficulty on the multiple versions. The point I'd like to add to the discussion is that rule #1 with computers is BACKUP, BACKUP, BACKUP.

    I've been raising the issue of fallback for several years. I was suggesting some sort of imaging, but @jimp and others kept telling me that just reloading config.xml would solve all problems
    https://forum.netgate.com/post/727596 . What I am learning here is, this is not true.

    Admittedly pfSense has been very reliable, but not having a quick recovery fallback is troubling and seems to go against established industry best practice (BACKUP!).

    At the very least I would think a built-in image/restore would at least make sure a bad update could be fixed in minutes. This would make frequent updates almost NO RISK, so they could be done without the necessity of a lengthy "insurance maintenance window" just in case something went wrong.

    Thoughts?

    Then you need to use a virtual machine with snapshots. Nothing quicker than that to restore a "gone bad" upgrade. pfSense runs fine on ESXi. A couple of the other hypervisors have given issues from time to time, but ESXi has been pretty stable as far as I know. And snapshots require nothing extra be installed on pfSense itself. I don't mean for this response to be flippant. Using a VM is an excellent way to have image backups and restores with minimal effort via snapshots. Just take a snapshot before any firewall change. If something goes wrong, revert to the previous snapshot.

    What @jimp says is 100% true for a plain-vanilla pfSense installation. With packages installed, things do get more complicated. But users need to understand two vital things about packages. First, they are optional and not required by pfSense. And second, they are created and maintained by volunteer non-paid maintainers in almost every case. So when you opt to use an add-on package, there are inherent risks in that decision as contrasted with using a plain-vanilla pfSense install. I get that some packages offer very popular or often needed features, but they are not part of the base pfSense install and are not (for the most part) maintained by the pfSense developer team. So when you install packages, you assume some risk there.

    I can understand the reluctance of the pfSense team to start adding "fluff" to a security system such as a firewall. An image backup ability would entail loading additional software into the pfSense core system and that will inevitably increase potential attack surfaces. Generally speaking, it's just never a good idea to put a lot of extra software on a firewall. And yes, that can apply to many of the available packages as well. There is certainly a valid argument to be made that they in some ways decrease the firewall's security posture by adding additional attack surfaces.

    I managed Checkpoint firewalls for many years, and from what I remember they had no equivalent of an image backup/restore method either. They offered essentially the same ability as pfSense. You could back up and restore your configuration, but you first had to reinstall the base OS firewall package, and then import your backup configuration. So pretty much the same way you restore pfSense. Don't know about the fancy Palo Alto firewalls. My company was just switching over to them when I retired and I never got to play with one. The closest thing I ever came across to what you would like is the old Nokia IP-series security appliances with their IPSO operating system. It could maintain a sort of dual-boot environment where you could boot into a new "upgrade", but if that failed, you could reboot back into your previous environment. However, as best I can remember, that only applied to the IPSO operating system itself. The Checkpoint packages we ran on top of IPSO still had to be reinstalled and their configuration restored as I previously described.



  • @bmeeks said in How do I roll back packages:

    Then you need to use a virtual machine with snapshots. Nothing quicker than that to restore a "gone bad" upgrade. pfSense runs fine on ESXi. A couple of the other hypervisors have given issues from time to time, but ESXi has been pretty stable as far as I know. And snapshots require nothing extra be installed on pfSense itself. I don't mean for this response to be flippant. Using a VM is an excellent way to have image backups and restores with minimal effort via snapshots. Just take a snapshot before any firewall change. If something goes wrong, revert to the previous snapshot.

    Good idea, but my hardware doesn't have the excess resources. I am still running a UFS install, but I'm wondering if there is a ZFS install available, and if anything has been done to support snapshot/rollback.

    What @jimp says is 100% true for a plain-vanilla pfSense installation. With packages installed, things do get more complicated. But users need to understand two vital things about packages. First, they are optional and not required by pfSense. And second, they are created and maintained by volunteer non-paid maintainers in almost every case. So when you opt to use an add-on package, there are inherent risks in that decision as contrasted with using a plain-vanilla pfSense install. I get that some packages offer very popular or often needed features, but they are not part of the base pfSense install and are not (for the most part) maintained by the pfSense developer team. So when you install packages, you assume some risk there.

    I can understand the reluctance of the pfSense team to start adding "fluff" to a security system such as a firewall. An image backup ability would entail loading additional software into the pfSense core system and that will inevitably increase potential attack surfaces. Generally speaking, it's just never a good idea to put a lot of extra software on a firewall. And yes, that can apply to many of the available packages as well. There is certainly a valid argument to be made that they in some ways decrease the firewall's security posture by adding additional attack surfaces.

    What would it take to add something to the install media? USB drives are getting quite big... boot into the install media, select an option and a script runs and copies system and configuration data to the USB.

    I managed Checkpoint firewalls for many years, and from what I remember they had no equivalent of an image backup/restore method either. They offered essentially the same ability as pfSense. You could back up and restore your configuration, but you first had to reinstall the base OS firewall package, and then import your backup configuration. So pretty much the same way you restore pfSense. Don't know about the fancy Palo Alto firewalls. My company was just switching over to them when I retired and I never got to play with one. The closest thing I ever came across to what you would like is the old Nokia IP-series security appliances with their IPSO operating system. It could maintain a sort of dual-boot environment where you could boot into a new "upgrade", but if that failed, you could reboot back into your previous environment. However, as best I can remember, that only applied to the IPSO operating system itself. The Checkpoint packages we ran on top of IPSO still had to be reinstalled and their configuration restored as I previously described.

    That is the strength/weakness of proprietary solutions. On the + side, since the manufacturer has 100% control over hardware/software they can (if they are a quality provider) do very thorough testing/QA so problems should be very very rare. On the - side, if the provider doesn't do things the way you want, there is nothing you can do about it.



  • @guardian said in How do I roll back packages:

    Good idea, but my hardware doesn't have the excess resources. I am still running a UFS install, but I'm wondering if there is a ZFS install available, and if anything has been done to support snapshot/rollback.

    There is a ZFS install option for pfSense now. Here is a link to the official install documentation. Scroll down the page a bit to see the file system options: https://docs.netgate.com/pfsense/en/latest/install/install-pfsense.html.

    There is also an open Feature Request on the Redmine site for taking a snapshot on ZFS systems prior to performing an upgrade: https://redmine.pfsense.org/issues/10237.

    In terms of your USB suggestion, that is already available. You can create install media on USB with a previous config.xml configuration file on the media so that during the installation pfSense will restore the configuration. However, this does not include the binary bits of any packages. It would be only the user-customized configuration parameters. As I mentioned in my first post, most packages have binary pieces and GUI configuration pieces. The binary pieces (shared libraries and executable machine code for the service itself) are pulled down from the pkg repository.
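The thread settles on two practical points: the repository only carries the current version of each package, so the only real "rollback" is a filesystem snapshot taken before the update (the ZFS route mentioned above), and you should know exactly which package versions changed. The script below is an added example, not code from the thread or from pfSense; it assumes a pfSense ZFS install whose pool is named `zroot` (assumed installer default; confirm with `zpool list`), the FreeBSD `pkg(8)` tool, and shell access to the box.

```shell
#!/bin/sh
# Added example (not from the thread or from pfSense): record what is installed and take a
# recursive ZFS snapshot before a package update, so a bad update can be compared and rolled
# back. Assumes a pfSense ZFS install with pool "zroot" (assumed default), pkg(8) and shell access.
set -eu

STATE_DIR="${STATE_DIR:-/root/pkg-state}"
POOL="${POOL:-zroot}"
ZFS="${ZFS:-zfs}"        # set ZFS=echo to dry-run the zfs commands without touching the pool

# Write "name version" for every installed package to a sorted manifest and print its path.
save_manifest() {
    mkdir -p "$STATE_DIR"
    pkg query '%n %v' | sort > "$STATE_DIR/$1.txt"
    echo "$STATE_DIR/$1.txt"
}

# Compare two manifests: one line "name old new" per package whose version changed,
# was added (old shown as "-") or was removed (new shown as "-"). Unchanged packages are dropped.
manifest_diff() {
    join -a 1 -a 2 -e '-' -o '0,1.2,2.2' "$1" "$2" | awk '$2 != $3'
}

# Recursive snapshot of the whole pool, tagged with a label and a timestamp; prints the name.
snapshot_before_update() {
    tag="pre-${1}-$(date +%Y%m%d-%H%M%S)"
    "$ZFS" snapshot -r "${POOL}@${tag}"
    echo "${POOL}@${tag}"
}

# Roll every dataset in the pool back to the snapshot with the given tag. "rollback -r"
# destroys any snapshots taken after it; reboot afterwards, since running services still
# hold files from the newer package.
rollback_to() {
    tag="${1##*@}"
    for snap in $("$ZFS" list -H -t snapshot -o name -r "$POOL" | grep "@${tag}\$"); do
        "$ZFS" rollback -r "$snap"
    done
}

# Typical sequence on the firewall:
#   before=$(save_manifest before)
#   snap=$(snapshot_before_update haproxy)
#   pkg upgrade pfSense-pkg-haproxy          # or update from the GUI package manager
#   after=$(save_manifest after)
#   manifest_diff "$before" "$after"         # see exactly which versions moved
#   rollback_to "$snap"                      # only if the new version misbehaves
```

The manifest diff is what tells you whether an update pulled in more than the one package you clicked on, which is the case the thread warns about with shared libraries.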

