Update openvpn-client-export leads to total network outtage

A Former User

Hi,

I decided an hour ago to upgrade the openvpn-client-export Addon - what should go wrong?!

Well that was the last thing I got from the pfSense:

At this point I was on the clock to get the network back up before my head end up on a stick in the lobby.

Sorry but WHAT THE FUCK was that? Why does a simple package upgrade of an totally unimportant add-on uninstalls another package which provides core functionality of a network?

jimp

What version are you on?

Somehow it removed FRR which isn't something that would normally happen when updating a package.

Usually that kind of thing only happens when you have not upgraded to the latest release before updating packages. For example if you are still on 2.4.4-p3 or 2.4.5 and not 2.4.5-p1.

A Former User

The Firewall is running on 2.4.5-p1 for month now. I've updated from 2.4.4-p3 couple of days after the Release Day of 2.4.5-p1.

Update Branch is set to Latest stable version 2.4.x.

jimp

What's curious to me is that it didn't attempt to remove the GUI packages (e.g. pfSense-pkg-frr) just the binary parts.

Did you install those manually at the CLI without the GUI components? Or anything else non-standard? Any third party package repositories enabled?

A Former User

No, this Firewall (and all other productive Firewalls) using only official packages and repositories. Every package was installed or updated through the GUI. There is no experimental stuff happening on this device.

Spoiler

cat /usr/local/share/pfSense/pkg/repos/pfSense-repo.conf
FreeBSD: { enabled: no }

pfSense-core: {
url: "pkg+https://pkg.pfsense.org/pfSense_v2_4_5_amd64-core",
mirror_type: "srv",
signature_type: "fingerprints",
fingerprints: "/usr/local/share/pfSense/keys/pkg",
enabled: yes
}

pfSense: {
url: "pkg+https://pkg.pfsense.org/pfSense_v2_4_5_amd64-pfSense_v2_4_5",
mirror_type: "srv",
signature_type: "fingerprints",
fingerprints: "/usr/local/share/pfSense/keys/pkg",
enabled: yes
}

A Former User

@jimp I took a look at the log of the openvpn-client-export package update.

Spoiler

cat pkg_log_pfSense-pkg-openvpn-client-export.txt

Upgrading pkg... done.
Updating repositories metadata...
pkg-static: Warning: Major OS version upgrade detected. Running "pkg bootstrap -f" recommended
Updating pfSense-core repository catalogue...
Fetching meta.conf: . done
Fetching packagesite.txz: . done
Processing entries: . done
pfSense-core repository update completed. 7 packages processed.
Updating pfSense repository catalogue...
Fetching meta.conf: . done
Fetching packagesite.txz: .......... done
Processing entries: .......... done
pfSense repository update completed. 525 packages processed.
All repositories are up to date.
Upgrading pfSense-pkg-openvpn-client-export...
pkg-static: Warning: Major OS version upgrade detected. Running "pkg bootstrap -f" recommended
Updating pfSense-core repository catalogue...
pfSense-core repository is up to date.
Updating pfSense repository catalogue...
pfSense repository is up to date.
All repositories are up to date.
The following 5 package(s) will be affected (of 0 checked):

Installed packages to be REMOVED:
frr7: 7.3.1
net-snmp: 5.7.3_20,1
pfSense-pkg-frr: 0.6.7_6

Installed packages to be UPGRADED:
openvpn-client-export: 2.4.9 -> 2.5.0 [pfSense]
pfSense-pkg-openvpn-client-export: 1.4.23_2 -> 1.5_1 [pfSense]

Number of packages to be removed: 3
Number of packages to be upgraded: 2

The operation will free 21 MiB.
14 MiB to be downloaded.
[1/2] Fetching pfSense-pkg-openvpn-client-export-1.5_1.txz: ... done
[2/2] Fetching openvpn-client-export-2.5.0.txz: .......... done
Checking integrity... done (0 conflicting)
[1/5] Deinstalling pfSense-pkg-frr-0.6.7_6...
Removing frr components...
Menu items... done.
Services... done.
Loading package instructions...
[1/5] Deleting files for pfSense-pkg-frr-0.6.7_6: .......... done
Removing frr components...
Configuration... done.
[2/5] Deinstalling frr7-7.3.1...
[2/5] Deleting files for frr7-7.3.1: .......... done
==> You should manually remove the "frr" user.
==> You should manually remove the "frr" group
==> You should manually remove the "frrvty" group
[3/5] Deinstalling net-snmp-5.7.3_20,1...
[3/5] Deleting files for net-snmp-5.7.3_20,1: .......... done
[4/5] Upgrading openvpn-client-export from 2.4.9 to 2.5.0...
[4/5] Extracting openvpn-client-export-2.5.0: .......... done
[5/5] Upgrading pfSense-pkg-openvpn-client-export from 1.4.23_2 to 1.5_1...
[5/5] Extracting pfSense-pkg-openvpn-client-export-1.5_1: .......... done
Removing openvpn-client-export components...
Loading package instructions...
Saving updated package information...
overwrite!
Loading package configuration... done.
Configuring package components...
Loading package instructions...
Custom commands...
Writing configuration... done.

Cleaning up cache... done.
__RC=0

What's the meaning of this ?

Major OS version upgrade detected

jimp

Usually that only gets printed if you are pointed at a repository for a different version of pfSense. For example if you are running pfSense 2.4.5-p1 but the update branch is set to 2.5 snapshots.

A Former User

May this also happen if you change branch to 2.5 snapshot and change it back without updating any packages? I switched on this firewall couple of weeks ago the branch just to see whats the latest snapshot version is. But I switched it back to stable immediately - may this cause some sort of mixup which leads to unintended package removal?
At the time of the package update the firewall was definitely on stable branch.

Rico

You can check for Snapshots here: https://snapshots.pfsense.org/amd64/pfSense_master/installer/

-Rico