Error during "Check for Updates"

[seamus]

I have gotten behind in my updates, and so today was a 'catch-up' day.

Things have gone x-well until just now; I first encountered a series of messages re missing packages during the OPNsense 21.1.9_1-amd64 update. And now, when I am attempting to update to 21.7 (my final destination for the time being), this message displayed for a very long time:

***GOT REQUEST TO CHECK FOR UPDATES***
Fetching changelog information, please wait... fetch: transfer timed out
Updating OPNsense repository catalogue...

Eventually, it seems to have worked through the process, and the complete message appeared:

***GOT REQUEST TO CHECK FOR UPDATES***
Fetching changelog information, please wait... fetch: transfer timed out
Updating OPNsense repository catalogue...
pkg: https://pkg.opnsense.org/FreeBSD:12:amd64/21.1/latest/meta.txz: No address record
repository OPNsense has no meta file, using default settings
pkg: https://pkg.opnsense.org/FreeBSD:12:amd64/21.1/latest/packagesite.txz: No address record
Unable to update repository OPNsense
Error updating repositories!
pkg: Repository OPNsense cannot be opened. 'pkg update' required
Checking integrity... done (0 conflicting)
Your packages are up to date.
***DONE***

I've not skipped any steps (e.g. when the pkg mgr required an update).

I did see that a couple of plugins were 'orphaned':

os-dyndns (orphaned)   1.24_2   169KiB   OPNsense   Dynamic DNS Support   
os-mdns-repeater (orphaned)   1.0_1   14.7KiB   OPNsense   Proxy multicast DNS between networks

I have the option to delete either or both of these two plugins... Should I

I've tried "Check for Updates" again, but it's headed for the same dead-end as above.

I've run an "Audit" on "Health"; it seems all "core package consistency" checks FAILED with the message: 'no upstream equivalent' as follows:

***GOT REQUEST TO AUDIT HEALTH***
Currently running OPNsense 21.1.9_1 (amd64/OpenSSL) at Mon Mar 28 17:02:10 CDT 2022
>>> Check installed kernel version
Version 21.1.8 is correct.
>>> Check for missing or altered kernel files
No problems detected.
>>> Check installed base version
Version 21.1.8 is correct.
>>> Check for missing or altered base files
No problems detected.
>>> Check for missing package dependencies
Checking all packages: .......... done
>>> Check for missing or altered package files
Checking all packages: .......... done
>>> Check for core packages consistency
Core package "opnsense" has 66 dependencies to check.
Checking packages: .
beep-1.0_1 has no upstream equivalent
Checking packages: .
ca_root_nss-3.68 has no upstream equivalent
Checking packages: .
choparp-20150613 has no upstream equivalent

...

Checking packages: .
wpa_supplicant-2.9_11 has no upstream equivalent
Checking packages: .
zip-3.0_1 has no upstream equivalent
***DONE***

What should I do? I don't seem to be able to get my next upgrade!

[franco]

"No address record"

Fix DNS first? Just fix DNS and all the "errors" will disappear. You simply need connectivity to the mirror in order for the package database to be properly populated.


Cheers,
Franco

[seamus]

A log of my investigation into "Fix the DNS" follows:

There is definitely something amiss with DNS. Using the diagnostics in OPNsense, I can't ping pkg.opnsense.org - or anything else for that matter. The output is:

Code: [Select]

# /sbin/ping -c '3' 'pkg.opnsense.org'
ping: cannot resolve pkg.opnsense.org: Host name lookup failure
Oddly, I get intermittently successful (but rather slow) DNS lookups (see attachment); sometimes I get a result - sometimes I don't!

I didn't (knowingly) change anything during my string of updates yesterday - except to disable the plugin for Dynamic DNS. This system has been running for years; I started with a much older version, and have updated it repeatedly without incident. My configuration tends to remain very stable. Here's how my DNS is set up currently:

Dnsmasq is enabled on both (LAN & WAN) interfaces, Port 53

MDNS Repeater is also enabled - on the LAN only; this is contrary to the "Help recommendation": "At least two interfaces must be selected."  I didn't change this during my machinations yesterday - at least not intentionally. No other DNS services are enabled; only Dnsmasq & MDNS Repeater. I do not recall why MDNS repeater is installed!! I have intermittently run a VPN on OPNsense - perhaps it was added to support that?

This may be relevant: Viewing my Firmware plugins, I see this:

Code: [Select]

os-dyndns (orphaned) 1.24_2 169KiB OPNsense Dynamic DNS Support
os-mdns-repeater (orphaned) 1.0_1 14.7KiB OPNsense Proxy multicast DNS between networks
Perhaps this is a result of the failure to resolve pkg.opnsense.org ?

On the LAN hosts I checked, DNS seems to work perfectly & prompt responses are received:

Code: [Select]

$ host pkg.opnsense.org
pkg.opnsense.org has address 89.149.211.205
pkg.opnsense.org has IPv6 address 2001:1af8:4f00:a005:5:: 

I have just now disabled MDNS Repeater (no reboot), and it seems to have no effect: pings are 100% failures, DNS lookups remain intermittent, updates remain "constipated".

I re-booted several times yesterday trying to clear the update failure with no effect, but I decided to try a reboot again today...   Voilà !!!
Updates are responsive again, all pings work, and DNS lookup is more responsive.

I am whole again, but please allow me to continue - I still have questions:

1. The only change I made was to disable MDNS Repeater. I expected OPNsense to prompt if a reboot were required, but got none. I'm left wondering exactly what the "fix" was???

2. Is an enable/disable of MDNS Repeater expected to throw a reboot prompt in the web gui?

3. In an effort to find an answer (by replicating the issue), I re-enable MDNS Repeater and Dynamic DNS under all options used previously, and test before and after a series of reboots:
   a. before reboot: ping works 100%, DNS Lookup seems more reliable, but failed to yield a result for 1 of 3 tests
   b. after reboot: ping works 100%, DNS Lookup worked 100%
   c. I find this result confusing as it implies that nothing I did made any difference at all. Any comments???

4. I have read the documentation for Dnsmasq. My 'take-away' from this is that OPNsense team recommends use of the Unbound DNS - is that a correct interpretation?

Looking forward to any and all replies & thank you for your help.

~ S

[SecCon]

Would be helpful if this was addressed in the initial configuration instructions in the manual.
https://docs.opnsense.org/manual/updates.html

or in the troubleshooting section:
https://docs.opnsense.org/troubleshooting.html

Don't tell me this is so easy you should now about it in your sleep. That is NOT an answer.

[seamus]

I'm sorry, but I am not clear on the point of your post. It seems to be out of context; perhaps you posted in the wrong place?