Suricata Uninstalled on Updates?
-
Just curious but I'd like to get confirmation at least, when I updated from 23.05.01 to 23.09 the other day I noticed Suricata didn't get upgraded which kind of makes sense? Just now however I updated from 23.09.a.20230929.1537 or .1350 something from 23.09 to the latest build from yesterday 23.09.a.20230929.2350 and the same thing happened, I had to go to the repo and reinstall Suricata. It kept the settings both times but just wondering if this is expected for the Dev builds or I need to file a bug?
I don't recall if Suricata 7.0.0 got a bump in there or not though but I can see now it's on 7.0.0.1 and looking at github it doesn't seem like there was a revision bump in the past month.
-
Just confirmed the build I first updated to was 23.09.a.20230929.1307 and then to 2350 from 23.05.01
-
After updating to today's build I saw the same thing, grabbed this from system.log
Nothing really stands out here but if there is another place to check let me know.
Oct 3 14:09:42 firewall SuricataStartup[27159]: Suricata STOP for LAN(46014_ix1)...
Oct 3 14:09:50 firewall php[25784]: /etc/rc.packages: Configuration Change: (system): Intermediate config write during package removal for suricata.
Oct 3 14:09:51 firewall php[25784]: [Suricata] Suricata package uninstall in progress...
Oct 3 14:09:53 firewall php[25784]: /etc/rc.packages: Configuration Change: (system): Removed cron job for /usr/local/pkg/suricata/suricata_check_for_rule_updates.php
Oct 3 14:09:54 firewall php[25784]: /etc/rc.packages: Configuration Change: (system): Removed cron job for /usr/local/pkg/suricata/suricata_check_cron_misc.inc
Oct 3 14:09:56 firewall php[25784]: /etc/rc.packages: Configuration Change: (system): Removed cron job for /usr/local/pkg/suricata/suricata_geoipupdate.php
Oct 3 14:09:57 firewall php[25784]: /etc/rc.packages: Configuration Change: (system): Suricata pkg removed Dashboard Alerts widget.
Oct 3 14:09:58 firewall php[25784]: [Suricata] Flushing all blocked hosts from <snort2c> table due to package removal...
Oct 3 14:09:58 firewall php[25784]: /etc/rc.packages: Configuration Change: (system): Removed the Suricata package.
Oct 3 14:09:58 firewall php[25784]: [Suricata] The package has been removed from this system, but the configuration settings were retained...
Oct 3 14:09:59 firewall php[91337]: /etc/rc.packages: Configuration Change: (system): Removed suricata package.
Oct 3 14:09:59 firewall pkg-static[25664]: pfSense-pkg-suricata-7.0.0_1 deinstalled
Oct 3 14:10:00 firewall pkg-static[25664]: suricata-7.0.0 deinstalled
-
@Lurick In general, if packages are left installed during an upgrade, my understanding is that it's normal for the upgrade process to uninstall and reinstall the packages, to get them current (on the right PHP version, etc.). It sounds like your issue is more that the upgrade process does not reinstall the package. Is there a later log entry for that attempt?
-
@SteveITS That is correct, it does the uninstall but never the reinstall, I have to manually do that.
No later log entry until I went in to manually install via the GUI.
-
@Lurick Do other pfSense packages reinstall OK?
-
@SteveITS Yes, all the rest I have installed come back just fine which is what I find most odd
-
@Lurick said in Suricata Uninstalled on Updates?:
@SteveITS Yes, all the rest I have installed come back just fine which is what I find most odd
@bmeeks may have some insight. We don't normally run dev versions.
-
@SteveITS said in Suricata Uninstalled on Updates?:
@bmeeks may have some insight. We don't normally run dev versions.
I have no clue. The Suricata package itself is not in charge of the automated removal nor the reinstall. It's up to pfSense to make the calls to the pkg utility to accomplish these tasks. I don't know what process is being used within pfSense to do this.
-
Everything related to package removals and installs is logged in the pfSense system log so far as I am aware.
-
@bmeeks Weird, yah basically what I posted earlier is all I see in the logs =/
-
@bmeeks Is it possibly due to the fact that 7.0.0 Suricata isn't released and is still in preview or whatever it's called?
I know 6.0 was the latest available for 23.05 before I upgraded so just wondering.
-
@Lurick said in Suricata Uninstalled on Updates?:
@bmeeks Is it possibly due to the fact that 7.0.0 Suricata isn't released and is still in preview or whatever it's called?
I know 6.0 was the latest available for 23.05 before I upgraded so just wondering.
No, there would be no relation to Suricata 7.0.0 being available in the snapshots branch.
-
@bmeeks Dang, I was hoping that might have something to do with it, kind of at a loss then. Still happening even with the beta branch now.
-
@Lurick said in Suricata Uninstalled on Updates?:
@bmeeks Dang, I was hoping that might have something to do with it, kind of at a loss then. Still happening even with the beta branch now.
I will test this today in my RELEASE virtual environment. I do not currently have a functioning DEVEL snapshots virtual environment, so I can't test there.
But if this were a widespread problem, I would expect to be seeing a ton of posts here about it.
-
@Lurick said in Suricata Uninstalled on Updates?:
@bmeeks Dang, I was hoping that might have something to do with it, kind of at a loss then. Still happening even with the beta branch now.
I just tested this on a 2.7.0 CE virtual machine and was unable to reproduce your stated issue. I installed, removed, and then reinstalled the Suricata 6.0.13 package and did not lose any of the previous configuration data.
Are you sure your GLOBAL SETTINGS tab has this option checked as shown below?
I do not currently have a functional DEVEL snapshot testing environment, so I can't test the 23.09 beta snapshots.
-
@bmeeks Yah, keep settings is there so I can reinstall Suricata after updating between builds and it restores all the settings no issue there at least.
-
@Lurick said in Suricata Uninstalled on Updates?:
@bmeeks Yah, keep settings is there so I can reinstall Suricata after updating between builds and it restores all the settings no issue there at least.
Okay, maybe I'm confused or misunderstood your initial post. I thought you meant anytime you removed and reinstalled the package it lost the configuration. Your statement I quoted above contradicts that.
So do you mean that only when doing an update to pfSense itself you lose the configuration? If so, describe exactly what you mean by "losing the configuration". Do all the Suricata interfaces disappear? Or do you really mean Suricata is not appearing under the SERVICES menu? If the latter, that simply means the reinstall is either not happening, is not finished, or started and bailed out. I would expect something to be logged in the pfSense system log in any of those events.
Never mind -- went back and read the whole thread again and realized I confused this one with something else. I have no idea why pfSense is removing the package and then failing to reinstall.
The only possibility is it needs more time. How long have you waited to see if it would do anything on its own?
-
@bmeeks Good point, I've only waited a couple minutes after the GUI came back.
I'll give it about 10 minutes next time and see if anything happens :)
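Added example, not part of any post in this thread: since package removals and installs are written to the system log, a short script can report which packages were deinstalled during an upgrade with no later install entry, which is a quick way to confirm that an IDS/IPS package is actually back after waiting. The `deinstalled` line format is taken from the log excerpt above; the `installed` line format and the `pfSense-pkg-example` package are assumptions, and the sample log is constructed.

```shell
#!/bin/sh
# Added example, not from the thread: report packages whose most recent
# pkg event in a syslog file is "deinstalled" (removed, never put back).

# Usage: unreinstalled_pkgs /var/log/system.log
unreinstalled_pkgs() {
    awk '
    # Lines written by pkg or pkg-static, e.g.
    #   Oct 3 14:09:59 firewall pkg-static[25664]: pfSense-pkg-suricata-7.0.0_1 deinstalled
    # ASSUMPTION: an install is logged as "<name>-<version> installed".
    $5 ~ /^pkg(-static)?\[[0-9]+\]:$/ && ($7 == "installed" || $7 == "deinstalled") {
        name = $6
        sub(/-[^-]*$/, "", name)           # strip the trailing -version
        if (!(name in state)) order[++n] = name
        state[name] = $7                   # later events overwrite earlier ones
        when[name] = $1 " " $2 " " $3
    }
    END {
        for (i = 1; i <= n; i++)
            if (state[order[i]] == "deinstalled")
                print order[i] " deinstalled " when[order[i]] ", no later install logged"
    }' "$1"
}

# Constructed sample: the two deinstall lines quoted in the thread plus a
# hypothetical package (pfSense-pkg-example) that was removed and reinstalled.
sample_log() {
    cat <<'EOF'
Oct 3 14:09:58 firewall php[25784]: /etc/rc.packages: Configuration Change: (system): Removed the Suricata package.
Oct 3 14:09:59 firewall pkg-static[25664]: pfSense-pkg-suricata-7.0.0_1 deinstalled
Oct 3 14:10:00 firewall pkg-static[25664]: suricata-7.0.0 deinstalled
Oct 3 14:10:02 firewall pkg-static[25664]: pfSense-pkg-example-1.0 deinstalled
Oct 3 14:12:31 firewall pkg-static[40211]: pfSense-pkg-example-1.0 installed
EOF
}

tmp=$(mktemp)
sample_log > "$tmp"
unreinstalled_pkgs "$tmp"
rm -f "$tmp"
```

Only `installed` and `deinstalled` events are tracked; other pkg log lines are ignored.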