OPNsense Forum
English Forums => General Discussion => Topic started by: yonas on May 09, 2016, 09:00:47 am
-
When I try to fetch updates under System > Firmware > Updates, I get "Repository problem".
I get the same error when checking for updates under Lobby > Dashboard > Updates.
I've made sure the server has access to the Internet by running `ping google.com` from the command line.
I'm using OPNsense 16.7.b_113-amd64, FreeBSD 11.0-CURRENT-HBSD.
The logs show:
configd.py: [2463ae76-bb96-46ce-9205-555cf47c921f] Script action stderr returned "pkg: http://pkgs.hardenedbsd.org/OPNSense/pkg/FreeBSD:11:amd64/16.1/libressl/meta.txz: Not Found pkg: http://pkgs.hardenedbsd.org/OPNSense/pkg/FreeBSD:11:amd64/16.1/libressl/packagesite.txz: Not Found pkg: http://pkgs.hardenedbsd.org/OPNSense/pkg/FreeBSD:"
which makes sense, because http://pkgs.hardenedbsd.org doesn't exist, but this address does:
http://pkg.hardenedbsd.org/HardenedBSD/pkg/FreeBSD:11:amd64/meta.txz
http://pkg.hardenedbsd.org/HardenedBSD/pkg/FreeBSD:11:amd64/packagesite.txz
Editing /usr/local/etc/pkg/repos/origin.conf and setting the url to:
pkg+http://pkg.hardenedbsd.org/HardenedBSD/pkg${ABI}
seems to have worked, but after running an upgrade, which upgraded `pkg` itself, no installed or available packages show up. Running `pkg` on the command line produces no output. I suspect this copy of pkg isn't compatible with HardenedBSD.
-
This won't fix as HardenedBSD/OPNsense combination does not allow for binary upgrades due their experimental nature.
The upgrade method is to boot the new image, import the config from the installer and then do a reinstall. It will retain your setup.
-
If the HardenedBSD version of OPNsense can't be binary upgraded, then should anyone really be using it? Are there any plans to make binary upgrades work?
-
The HardenedBSD images are used in a number pf deployments. It's different requirements, especially since they incorporate FreeBSD 11-CURRENT instead of a RELEASE version. For some this method of upgrading is very much desired.
OPNsense will merge portions of HardenedBSD additions, first of them being ASLR scheduled for the end of the month. We just can't maintain both equally and still offer everything for free. :)
-
If the HardenedBSD version of OPNsense can't be binary upgraded, then should anyone really be using it? Are there any plans to make binary upgrades work?
Yup. I've got it on my list of things to do. However, ENOTIME. Remember that I make the OPNsense + HardenedBSD builds solely for my own purposes, but publish the builds in case anyone finds them useful. The way to upgrade right now is: backup config, reinstall, restore config. It'll be that way for some time until either someone hands me patches + an infrastructure or I get to it myself. With me buying my first home while working 80-110 hours a week while still running and maintaining HardenedBSD, you'll probably understand my lack of time.
-
Hey Shawn! Thanks for working on this despite your busy schedule, we appreciate it.
Having all the goodies of HardenedBSD baked right into OPNsense seems like the perfect match for building a very secure router. I'm glad features have already been backported to FreeBSD 10 and integrated into OPNsense.
Although I might not fully understand, I'm curious about the technical reasons why binary upgrades don't work?
-
Hey Shawn! Thanks for working on this despite your busy schedule, we appreciate it.
Having all the goodies of HardenedBSD baked right into OPNsense seems like the perfect match for building a very secure router. I'm glad features have already been backported to FreeBSD 10 and integrated into OPNsense.
Although I might not fully understand, I'm curious about the technical reasons why binary upgrades don't work?
My pleasure. I'm grateful that OPNsense has created such an easy way to perform builds, allowing me to do what I do. The main reason why binary updates don't work is that I still need to stand up the infrastructure to host the files. I also need to patch the OPNsense codebase (which I have forked on GitHub) to point to my infrastructure rather than theirs. Since I started doing the new builds, I created a new binary update mechanism for HardenedBSD itself, called hbsd-update. I'd like to use that instead of opnsense-update for updating base. So that'll involve a little more than just replacing utilities. I gotta make sure that where those utilities (opnsense-update, pkg upgrade, etc.) are called call my utilities instead and call them in the right way. When all is said and done, there's not much work on the side of the code, but mostly I need to get the infrastructure piece working.
-
I also just realized that switching out opnsense-update for hbsd-update would also require changes to tools.git to use hbsd-update-build to build the distsets. Now you've got me curious about how this will work. ;)
-
Now you've got me curious about how this will work.
Sorry, I wish I knew more so I could help ;D