Unable to update old OPNsense Box (17.7)

Started by Compad, July 26, 2021, 12:47:47 PM

Hi there,

I recently was tasked with updating a bunch of old systems, among which was an OPNsense Box with firmware 17.7.12. Trying to update the system from the web-UI yields the message "Could not find the repository on the selected mirror.", which happens for all repos I tried.

Trying to update via CLI gave me these lines:

pkg-static: Repository OPNsense load error: access repo file(/var/db/pkg/repo-OPNsense.sqlite) failed: No such file or directory
pkg-static: http://pkg.opnsense.org/FreeBSD:11:amd64/17.7/latest/meta.txz: Not Found
repository OPNsense has no meta file, using default settings
pkg-static: http://pkg.opnsense.org/FreeBSD:11:amd64/17.7/latest/packagesite.txz: Not Found
Unable to update repository OPNsense
Error updating repositories!


Further investigation showed that on July 1, the directories FreeBSD:11:amd64/17.1 and 17.7 were changed to not contain the /latest subdir anymore.
This change seems to be reflected on all repo mirrors, which leaves me unable to update.

My question: Is there a legacy repo that still has the information required for me to update the system, or how can I manually update the box instead? Furthermore, would I have to do a version-by-version update or is it safe to jump from 17.7 to 21.1?

Back up the config from the old version in System, Configuration, Backups and restore it on the new server.

If you can, try it on a different machine to avoid getting stuck without a roll-back option.

Bart...

I'm sorry, but there is no new server.

What I have is a single hardware device running OPNsense, which is incorporated into a complicated network structure.

Sure, I could set up a VM and try restoring the config, but I would have no way of testing its functionality, apart from logins.

Are you saying I would have to buy a second, identical hardware box, install the newest version, restore the config and then replace the old one? That seems a little harsh.

I can access the CLI via SSH, is there any way I can update/overwrite the existing 17.7 step-by-step with the subsequent versions via .pkg-files, and if there is, how would I do this?

I am wondering how much of a software issue this is.


Cheers,
Franco

Quote from: Compad on July 26, 2021, 12:47:47 PM
I recently was tasked with updating a bunch of old systems

That makes it sound like a corporate environment. Is there a project that looks at the costs of various options? Do you have (availability) requirements that flow from an SLA?

Quote from: Compad on July 26, 2021, 04:51:48 PM
Are you saying I would have to buy a second, identical hardware box, install the newest version, restore the config and then replace the old one?

You don't have to but without it you have increased risk to service. Your old hardware could brick, leaving you without any device until you build a new firewall - either on your current box or a new one if Franco is right and you have a hardware issue.

In any case, you should start with backing up what you have to give reasonable assurance that you can at least go back to the status quo.

Trying a manual upgrade will almost certainly result in a huge technical debt in the form of a fragile and unsupportable system.

Bart...

How can you say this is a hardware issue, when the problem clearly is the unavailable update files on the repositories?

And to be clear, what I mean by manual update is: the update process downloads a bunch of files to a certain location and then starts an update process, does it not?

Shouldn't there be a way to place these files onto the system (e.g. the files for 18.1) and have them installed on next boot, so the system can then use the update repository again, because the files for 18.1 and up are present?

And by the way, I was told that updating is simple, it just needs to be planned for a time when the least amount of people are using it. That was in June, and at the time, the update page on the system showed version 21.1 available.
When the planning was done and I wanted to execute, I got the error(s) you can see in the initial post.

Sure, in a company environment there probably should be redundancy, but depending on size you cannot always afford that.

And even if there is no way to get the update files back, how would I re-install a newer version on the existing system? I have never worked with BSD before. I have experience in Linux though, so not a total noob here.
And this is important, even if there was a second implement, because after setting up the new one, I would have to get version 21.1 onto the old box as well.

Please don't get me wrong, I appreciate the time you're investing, but until now you have never directly answered my questions, why is that?

Oh, and I am totally willing to rule out hardware failure, if you can tell me how to convince you.

Nobody said it was a hardware issue - "your hardware could brick", "if Franco is right and you have a hardware issue."

The recommended upgrade method where there have been none for four years is to back up the config, boot from the 21.1 installation media and restore the config. https://opnsense.org/download/

Check your hardware for compatibility: https://www.freebsd.org/releases/12.1R/hardware/ BSD is a lot pickier than Linux.

Bart...

July 28, 2021, 01:53:30 PM #7 Last Edit: July 28, 2021, 01:55:24 PM by Compad
Thank you for pointing it out.

What I have here is a Deciso A10 DEC2630
with AMD GX-416RA SOC  (1597.14-MHz K8-class CPU)
currently running FreeBSD 11.0-RELEASE-p17 amd64

Think it will be safe?

And can you give me any hint towards the installation medium to use?
As stated I have SSH access to the box, does this count as serial or do I need the nano image?
Or can I even use the VGA installer, even if there is no screen attachable to the box itself?

The A10 has a built-in serial-to-USB connector. You just need to plug in the cable and use screen on the other end to connect to the console. From there you can do the install from e.g. a USB stick.

Using latest OPNsense is of course possible on these.


Cheers,
Franco

You need the serial image and you need a serial cable connected to another box that has network connectivity and at least ssh access. Or a Windows system, RDP and some terminal program.

Your OPNsense will not have any network during installation. That's why you cannot use ssh to that system if an in-place update doesn't work.

July 28, 2021, 02:20:18 PM #10 Last Edit: July 28, 2021, 02:29:02 PM by Compad
Woah, that was fast, thank you.

Do I understand correctly that I connect the box to another live system like I would do with a card reader or USB drive, just the A10 being the peripheral device?

Does this work with any mini-USB cable, or do I need a special one, assuming the original is long lost?

And then I would use a terminal application like PuTTY on Windows or screen on Linux to connect to it, correct?

And how do I address the device, i.e. how do I tell the terminal application to which device to connect?
I suppose on Linux it would be listed under /dev, but what about Windows?