Messages - utkonos

#1
25.7 Series / Re: Unable to Upgrade to 25.7.1
August 23, 2025, 07:52:09 AM
I tried to reinstall pkg using pkg bootstrap -f. It ran for a bit as expected then stopped with this error:

UFS /dev/gpt/rootfs (/) cylinder checkhash failed: cg 324, cgp: 0x0 != bp: 0xf7e725e5
I will give it a single-user mode fsck treatment next.
#2
25.7 Series / Re: Unable to Upgrade to 25.7.1
August 06, 2025, 03:14:31 PM
Quote from: franco on August 04, 2025, 05:46:59 PM
May be worth reinstalling the "pkg" package and see if that helps. If not the package database may be damaged and "opnsense-bootstrap" could help.

I will work on these two options over the weekend. BTW: I just read the documentation about "opnsense-bootstrap":

https://github.com/opnsense/update?tab=readme-ov-file#opnsense-bootstrap

If there are filesystem corruption issues, I should also do single user and fsck etc, yes? Or does this tool also handle smoothing over any filesystem problems as part of its process?
#3
25.7 Series / Re: Unable to Upgrade to 25.7.1
August 04, 2025, 05:46:28 PM
I tried the cleanup audit recommended in other threads. It allowed the update to run again, but it fails with the following:

***GOT REQUEST TO UPDATE***
Currently running OPNsense 25.7 (amd64) at Mon Aug  4 15:45:09 UTC 2025
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
Checking for upgrades (13 candidates): .......... done
Processing candidates (13 candidates): .......... done
The following 13 package(s) will be affected (of 0 checked):

Installed packages to be UPGRADED:
boost-libs: 1.88.0_1 -> 1.88.0_2
curl: 8.14.1 -> 8.15.0
ivykis: 0.43.2 -> 0.43.2_1
jq: 1.8.0 -> 1.8.1
libucl: 0.9.2_1 -> 0.9.2_2
nss: 3.113.1_1 -> 3.114
opnsense: 25.7 -> 25.7.1_1
os-ddclient: 1.27_3 -> 1.27_4
os-wol: 2.5_1 -> 2.5_3
py311-duckdb: 1.3.1_1 -> 1.3.2
py311-s3transfer: 0.13.0 -> 0.13.1
sudo: 1.9.17p1 -> 1.9.17p2
syslog-ng: 4.8.2_3 -> 4.8.2_4

Number of packages to be upgraded: 13

36 MiB to be downloaded.
[1/13] Fetching boost-libs-1.88.0_2.pkg: .......... done
[2/13] Fetching nss-3.114.pkg: .......... done
[3/13] Fetching jq-1.8.1.pkg: .......... done
[4/13] Fetching syslog-ng-4.8.2_4.pkg: .......... done
[5/13] Fetching py311-s3transfer-0.13.1.pkg: .......... done
[6/13] Fetching ivykis-0.43.2_1.pkg: .......... done
[7/13] Fetching os-wol-2.5_3.pkg: . done
[8/13] Fetching curl-8.15.0.pkg: .......... done
[9/13] Fetching os-ddclient-1.27_4.pkg: .... done
[10/13] Fetching libucl-0.9.2_2.pkg: .......... done
[11/13] Fetching opnsense-25.7.1_1.pkg: .......... done
[12/13] Fetching py311-duckdb-1.3.2.pkg: .......... done
[13/13] Fetching sudo-1.9.17p2.pkg: .......... done
Checking integrity...Assertion failed: (strcmp(uid, p->uid) != 0), function pkg_conflicts_check_local_path, file pkg_jobs_conflicts.c, line 315.
Child process pid=7184 terminated abnormally: Abort trap
Starting web GUI...done.
***DONE***
#4
25.7 Series / Unable to Upgrade to 25.7.1
August 04, 2025, 05:34:19 PM
During the upgrade there was a crash of some kind. The device restarted and reverted to 25.7. Now, when trying to upgrade again I get the following:

***GOT REQUEST TO CHECK FOR UPDATES***
Currently running OPNsense 25.7 (amd64) at Mon Aug  4 15:13:10 UTC 2025
Fetching changelog information, please wait... done
Updating OPNsense repository catalogue...
Waiting for another process to update repository OPNsense
All repositories are up to date.
Checking integrity... done (0 conflicting)
Your packages are up to date.
Checking for upgrades (13 candidates): .......... done
Processing candidates (13 candidates): .......... done
Checking integrity...Assertion failed: (strcmp(uid, p->uid) != 0), function pkg_conflicts_check_local_path, file pkg_jobs_conflicts.c, line 315.
Child process pid=66704 terminated abnormally: Abort trap
***DONE***

I read other threads requesting a health audit. I tried that and there is a crash during the audit. Here is what was on the screen when the crash occurred:

***GOT REQUEST TO AUDIT HEALTH***
Currently running OPNsense 25.7 (amd64) at Mon Aug  4 15:19:00 UTC 2025
>>> Root file system: /dev/gpt/rootfs
>>> Check installed kernel version
Version 25.7 is correct.
>>> Check for missing or altered kernel files
No problems detected.
>>> Check installed base version
Version 25.7 is correct.
>>> Check for missing or altered base files
No problems detected.
>>> Check installed repositories
OPNsense (Priority: 11)
>>> Check installed plugins
os-ddclient 1.27_3
os-wol 2.5_1
>>> Check locked packages
No locks found.
>>> Check for missing package dependencies
Checking all packages: ....
#5
I can see from the source code that CVE-2023-42325 can't affect OPNsense because that code doesn't exist in OPNsense. However, CVE-2023-42327 and CVE-2023-42326 are a bit less clear looking at the source code.

Is OPNsense affected by CVE-2023-42327 or CVE-2023-42326?
#8
23.1 Legacy Series / Re: Unbound Migration failed
May 07, 2023, 04:11:31 AM
I have observed this same bug again in a recent update. First, please apologise for the snark: you are wrong about which format of boolean the native config uses.

You can verify that older stock installs of OPNsense from the official ISO did indeed use "on" rather than "1" for the Unbound configuration that I am talking about. These are changes that occur when the choices about Unbound are made during the initial wizard. If you start with "OPNsense-21.1-OpenSSL-dvd-amd64.iso.bz2" from this location:
https://mirror.wdc1.us.leaseweb.net/opnsense/releases/21.1/

Perform a plain vanilla install and then during the install wizard choose the DNSSEC configuration settings. Then take a look at the diff of the config.xml. You will see the "on" booleans that are causing this bug. Here is a screenshot or two.



#9
23.1 Legacy Series / [SOLVED] Unbound Migration failed
January 30, 2023, 03:01:22 PM
On the most recent update an error "Unbound Migration failed" was in the update logs. This may have started with an earlier upgrade, but I am just noticing the error because it stands out. The error message says to check log for details. Here is what is shown in the log.

[ERROR] Model OPNsense\Unbound\Unbound can't be saved, skip ( OPNsense\Phalcon\Filter\Validation\Exception: [OPNsense\Unbound\Unbound:advanced.dnssecstripped] value should be a boolean (0,1){on}
[ERROR] [OPNsense\Unbound\Unbound:advanced.dnssecstripped] value should be a boolean (0,1){on}


Here is the exact text of the error in the update log:

>>> Invoking update script 'refresh'
*** OPNsense\Unbound\Unbound Migration failed, check log for details


I can see exactly what to fix: change the entry in the config XML from "on" to "1" and then the scripts should work. However, I hesitate to fix this manually when there are probably many others with the same problem.

Is this a bug in the migration process?
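
Added example, not part of the original post and not OPNsense code: a read-only check that pulls the rejected boolean fields out of validation messages in the format quoted above and reports what a config subtree currently holds for them. The `<model>` wrapper and the `examplebool` element in the fragment are constructed assumptions; the real config.xml layout is not shown in the post.

```python
import re
import xml.etree.ElementTree as ET

# Matches the validation message format quoted in the post.
BOOL_ERR = re.compile(
    r"\[(?P<model>[\w\\]+):(?P<field>[\w.]+)\] "
    r"value should be a boolean \(0,1\)\{(?P<value>[^}]*)\}"
)

# Log lines as quoted in the post.
SAMPLE_LOG = r"""
[ERROR] Model OPNsense\Unbound\Unbound can't be saved, skip ( OPNsense\Phalcon\Filter\Validation\Exception: [OPNsense\Unbound\Unbound:advanced.dnssecstripped] value should be a boolean (0,1){on}
[ERROR] [OPNsense\Unbound\Unbound:advanced.dnssecstripped] value should be a boolean (0,1){on}
"""

# Constructed fragment (assumption): stands in for the model's subtree of
# config.xml; only the dotted path from the log message is taken from the post.
SAMPLE_MODEL_XML = """
<model>
  <advanced>
    <dnssecstripped>on</dnssecstripped>
    <examplebool>1</examplebool>
  </advanced>
</model>
"""

def rejected_booleans(log_text):
    """Return the unique (model, field, value) triples the validator rejected."""
    seen = []
    for m in BOOL_ERR.finditer(log_text):
        triple = (m["model"], m["field"], m["value"])
        if triple not in seen:  # the same error is logged more than once
            seen.append(triple)
    return seen

def audit(log_text, model_xml):
    """For each rejected field, report what the config subtree holds now."""
    root = ET.fromstring(model_xml.strip())
    findings = []
    for model, field, logged in rejected_booleans(log_text):
        node = root.find(field.replace(".", "/"))  # dotted path -> XML path
        current = None if node is None else (node.text or "").strip()
        findings.append({
            "model": model, "field": field, "logged": logged, "current": current,
            "still_invalid": current is not None and current not in ("0", "1"),
        })
    return findings
```

Running `audit` before and after a change shows whether the flagged node still carries a value the validator will reject, without writing to the configuration.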
#10
23.1 Legacy Series / Re: Wireguard
January 26, 2023, 06:14:26 PM
I've made code contributions to the wireguard plugin in the past. I'm definitely willing to see how to fix this. I just wanted to check in here and discuss before going forward.

The problem is that if one had the os-wireguard plugin installed before this update, after the update, there is a new plugin named os-wireguard-go that is not installed. However, on the dashboard, there is a red stopped entry in the services pane. This indicates a problem. However, from what I gather in the discussion so far, this is not a problem, and the user should manually have that entry in the pane ignored.

Should that dashboard pane entry just be part of the os-wireguard-go plugin only and not appear at all if the os-wireguard plugin is installed alone?
#11
23.1 Legacy Series / Re: Wireguard
January 26, 2023, 05:51:28 PM
Question about default behavior:

Setting the widget in the services dashboard to be ignored is definitely a solution to this issue. However, the widget should be installed and uninstalled with the wireguard-go plugin, correct?

Checking the instance that I just upgraded: os-wireguard-go is not installed and os-wireguard is.

Shouldn't the dashboard widget follow the particular plugins that are installed rather than needing a user to disable/ignore the widget manually?

Perhaps this is actually a bug?
#12
22.7 Legacy Series / Re: Scheduled Restart
December 28, 2022, 12:18:35 AM
Thanks so much. That is exactly what I was looking for.
#13
22.7 Legacy Series / [SOLVED] Scheduled Restart
December 22, 2022, 02:51:28 PM
If an update requires a restart, is there a way to schedule the process to occur at a particular time in the future? And another situation: even without an involved update, is there a way to schedule a restart?

I have searched the documentation and the forums here and didn't see anything that stood out that would answer this question.
#14
22.7 Legacy Series / Re: Control DHCP via API?
October 13, 2022, 01:28:18 AM
Bummer - oh well. Thanks for the quick response.
#15
22.7 Legacy Series / [SOLVED] Control DHCP via API?
October 12, 2022, 05:29:09 AM
Is it possible to make DHCP changes over the API? I have looked the API documentation up and down and I don't see any endpoints that pertain to the DHCPv4 service. My goal is to check existing leases and then convert one of them to static.

What API endpoint is used to configure DHCPv4 service?