HOWTO: Update from 22.7

Started by baqwas, September 19, 2023, 10:10:19 PM

Hello,

The Update button is no longer visible. I'm currently at 22.7 (yes, my fault for neglecting timely upgrades). The System: Firmware Updates reports:
***GOT REQUEST TO UPDATE***
Currently running OPNsense 22.7 (amd64/OpenSSL) at Sat Sep 16 09:01:16 CDT 2023
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
Checking for upgrades (34 candidates): .......... done
Processing candidates (34 candidates): .......... done
Checking integrity... done (0 conflicting)
The following 34 package(s) will be affected (of 0 checked):

Installed packages to be UPGRADED:
bind916: 9.16.30 -> 9.16.36
...
suricata: 6.0.6 -> 6.0.9_1

Number of packages to be upgraded: 34

The process will require 2 MiB more space.
[1/34] Upgrading freeradius3 from 3.0.25 to 3.2.1_1...
===> Creating groups.
Using existing group 'freeradius'.
===> Creating users
Using existing user 'freeradius'.
===> Setting user and group in radiusd.conf
[1/34] Extracting freeradius3-3.2.1_1: .......... done
You should remove /usr/local/etc/raddb if you don't need it any more.
freeradius3-3.0.25: missing file /usr/local/lib/freeradius-3.0.25/libfreeradius-dhcp.a
...
pkg-static: Fail to set time on /var/run/radiusd:No such file or directory
Starting web GUI...done.
Generating RRD graphs...done.
***DONE***


In the past, I would simply click on the Update button to complete the upgrade but since it is not present currently, I don't know how to proceed. I've checked online docs and archived forum threads (there was one on 17.x upgrade) but there is no explanation on the next steps if the Update button is missing.

How do I upgrade to the latest stable release, please? Thanks.

Regards.

SSH in, choose option 12.

Post the full output here if having issues there too

September 21, 2023, 01:09:23 AM #2 Last Edit: September 21, 2023, 01:27:43 AM by baqwas
Thanks for fielding this request for assistance.

I did SSH in (first time to the OPNsense server after the initial install several years ago) and then I chose option 12 in accordance with your suggestion. After receiving the update information, the upgrade failed presumably owing to the following partial text from the server:

Installation out of date. The update to opnsense-22.7.11_1 is required.

*** OPNsense.parkcircus.org: OPNsense 22.7 (amd64/OpenSSL) ***


Is there some way to specify the intermediate update to 22.7.11_1? Thanks.

Regards.

P.S.
Some additional information regarding my SSH session:

Enter an option: 12

Fetching change log information, please wait... done

This will automatically fetch all available updates and apply them.

Proceed with this action? [y/N]: y


After the patch notes, there is no sub-option to specify a release number or identifier. I can use option 8 to shell out but I don't know the manual command(s) to complete the update/upgrade.

My settings are:

Mirror default
Flavor default
Type Community
Subscription <blank>


The web documentation at https://docs.opnsense.org/manual/updates.html#update-settings states that:
Quote
If you choose option 12 on the console menu on latest release, you are asked if you want to upgrade to the newest version or to the next major release. Type in the major release number (for example "19.1") and press enter. OPNsense will download all release files for an offline upgrade (kernel, packages etc.) and will reboot afterwards.

After a reboot, it will install all updates and when it is done, it will reboot again, then you should be on the desired release.

but I don't see that prompt in my environment.

After applying an update, check for updates again and repeat the process.

Use q key to exit out of the release notes when presented.

Before replying to your first suggestion on using option 12 from the console terminal (logged in via SSH), I performed the operation several times (including using q to quit the update notice). Unfortunately, the cycle just repeats and the main menu for the terminal session is presented.

After reading your last suggestion, I repeated the exercise to select option 12 and entered q at the first chance when the scrolling list of updates paused. I repeated these steps 3 times but there was no change in the responses from the server.

The server is pointing to the mirror at https://pkg.opnsense.org/FreeBSD:13:amd64/22.7.

Is there an alternate approach that you recommend? Thanks.

Regards.

Quote
the scrolling list of updates paused

When you think it paused leave it running and post the full output here. Some downloads take time.

Thanks for your continuing support. Here is the output (with the credentials removed):

Last login: Thu Sep 21 08:37:59 2023 from
----------------------------------------------
|      Hello, this is OPNsense 22.7          |         @@@@@@@@@@@@@@@
|                                            |        @@@@         @@@@
| Website: https://opnsense.org/        |         @@@\\\   ///@@@
| Handbook: https://docs.opnsense.org/   |       ))))))))   ((((((((
| Forums: https://forum.opnsense.org/  |         @@@///   \\\@@@
| Code: https://github.com/opnsense  |        @@@@         @@@@
| Twitter: https://twitter.com/opnsense |         @@@@@@@@@@@@@@@
----------------------------------------------

*** OPNsense.parkcircus.org: OPNsense 22.7 (amd64/OpenSSL) ***

LAN (igb1)      -> v4:
WAN (igb0)      -> v4:

HTTPS:
SSH:   SHA256
SSH:   SHA256
SSH:   SHA256

  0) Logout                              7) Ping host
  1) Assign interfaces                   8) Shell
  2) Set interface IP address            9) pfTop
  3) Reset the root password            10) Firewall log
  4) Reset to factory defaults          11) Reload all services
  5) Power off system                   12) Update from console
  6) Reboot system                      13) Restore a backup

Enter an option: 12

Fetching change log information, please wait... done

This will automatically fetch all available updates and apply them.

Proceed with this action? [y/N]: y

Hello there,

This will be the end of life release for the 22.7 series with only a small
number of reliability updates.  Upgrades to 23.1-RC1 are possible from the
development version of this release.  We do expect an online update for RC2
next week.

The final 23.1 release will be on January 26.  As always the upgrade path
from the community version will be added as a hotfix shortly after the final
release announcement is published.  However, this time around LibreSSL will
no longer update and must be switched to the OpenSSL flavour prior to the
upgrade.

Here are the full patch notes:

o system: fix a few minor Coverity Scan reports in Python code[1]
o firewall: show automated "port 0" rule as actual port "0" on PHP 8
o reporting: fix incompatible regex syntax in FreeBSD 13.1 for firewall state health statistics
o unbound: safeguard retrieval of blocklist shortcode
o mvc: fix IntegerField minimum value (contributed by xbb)
o plugins: os-acme-client 3.15[2]
o plugins: os-stunnel fixes missing include in certificate script
o ports: curl 7.87.0[3]
o ports: nss 3.87[4]
o ports: pcre 10.42[5]
o ports: phalcon 5.1.4[6]
o ports: php 8.0.27[7]
o ports: sqlite 3.40.1[8]
o ports: strongswan 5.9.9[9]
o ports: unbound 1.17.1[10]

A hotfix release was issued as 22.7.11_1:

o firmware: enable upgrade path to 23.1 (OpenSSL only)


Stay safe,
Your OPNsense team

--
[1] https://scan.coverity.com/projects/opnsense-core
[2] https://github.com/opnsense/plugins/blob/stable/22.7/security/acme-client/pkg-descr
[3] https://curl.se/changes.html#7_87_0
[4] https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_87.html
[5] https://www.pcre.org/changelog.txt
[6] https://github.com/phalcon/cphalcon/releases/tag/v5.1.4
[7] https://www.php.net/ChangeLog-8.php#8.0.27
[8] https://sqlite.org/releaselog/3_40_1.html
[9] https://github.com/strongswan/strongswan/releases/tag/5.9.9
[10] https://nlnetlabs.nl/projects/unbound/download/#unbound-1-17-1

Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
Checking for upgrades (34 candidates): .......... done
Processing candidates (34 candidates): .......... done
Checking integrity... done (0 conflicting)
The following 34 package(s) will be affected (of 0 checked):

Installed packages to be UPGRADED:
bind916: 9.16.30 -> 9.16.36
c-icap-modules: 0.5.5 -> 0.5.5_1
freeradius3: 3.0.25 -> 3.2.1_1
hw-probe: 1.6.4 -> 1.6.5
iperf3: 3.11 -> 3.12
isc-dhcp44-relay: 4.4.2P1 -> 4.4.3P1
mpd5: 5.9_9 -> 5.9_13
msktutil: 1.2 -> 1.2.1
opnsense: 22.7 -> 22.7.11_1
opnsense-installer: 22.1 -> 23.1.d
opnsense-lang: 22.7 -> 22.7.3
os-acme-client: 3.11 -> 3.15
os-bind: 1.23 -> 1.24_1
os-c-icap: 1.7_2 -> 1.7_3
os-clamav: 1.7_1 -> 1.8
os-freeradius: 1.9.19_1 -> 1.9.21_2
os-maltrail: 1.8 -> 1.10
os-net-snmp: 1.5_1 -> 1.5_2
os-nrpe: 1.0_2 -> 1.0_3
os-redis: 1.1_1 -> 1.1_2
os-rspamd: 1.12 -> 1.12_1
pftop: 0.8 -> 0.8_2
php80-dom: 8.0.20 -> 8.0.27
php80-filter: 8.0.20 -> 8.0.27
php80-phpseclib: 2.0.37 -> 3.0.18
php80-sockets: 8.0.20 -> 8.0.27
php80-sqlite3: 8.0.20 -> 8.0.27
php80-xml: 8.0.20 -> 8.0.27
redis: 7.0.4 -> 7.0.8
ruby: 2.7.6_2,1 -> 2.7.7,1
squid: 4.15 -> 5.7
strongswan: 5.9.6_2 -> 5.9.9_1
sudo: 1.9.11p3 -> 1.9.12p1
suricata: 6.0.6 -> 6.0.9_1

Number of packages to be upgraded: 34

The process will require 2 MiB more space.
[1/34] Upgrading freeradius3 from 3.0.25 to 3.2.1_1...
===> Creating groups.
Using existing group 'freeradius'.
===> Creating users
Using existing user 'freeradius'.
===> Setting user and group in radiusd.conf
[1/34] Extracting freeradius3-3.2.1_1: .......... done
You should remove /usr/local/etc/raddb if you don't need it any more.
freeradius3-3.0.25: missing file /usr/local/lib/freeradius-3.0.25/libfreeradius-dhcp.a
...
freeradius3-3.0.25: missing file /usr/local/share/examples/freeradius/raddb/mods-available/otp
freeradius3-3.0.25: missing file /usr/local/share/examples/freeradius/raddb/mods-config/sql/main/sqlite/process-radacct-refresh.sh
freeradius3-3.0.25: missing file /usr/local/share/examples/freeradius/raddb/mods-enabled/cache_eap
freeradius3-3.0.25: missing file /usr/local/share/licenses/freeradius3-3.0.25/GPLv2
freeradius3-3.0.25: missing file /usr/local/share/licenses/freeradius3-3.0.25/LICENSE
freeradius3-3.0.25: missing file /usr/local/share/licenses/freeradius3-3.0.25/catalog.mk
pkg-static: Fail to set time on /var/run/radiusd:No such file or directory
Starting web GUI...done.
Generating RRD graphs...done.
Installation out of date. The update to opnsense-22.7.11_1 is required.

*** OPNsense.parkcircus.org: OPNsense 22.7 (amd64/OpenSSL) ***

LAN (igb1)      -> v4:
WAN (igb0)      -> v4:

HTTPS: SHA256
SSH:   SHA256
SSH:   SHA256
SSH:   SHA256

  0) Logout                              7) Ping host
  1) Assign interfaces                   8) Shell
  2) Set interface IP address            9) pfTop
  3) Reset the root password            10) Firewall log
  4) Reset to factory defaults          11) Reload all services
  5) Power off system                   12) Update from console
  6) Reboot system                      13) Restore a backup

Enter an option:

It's unclear what happens with freeradius and why the upgrade process stops.

Is there enough free space for the upgrade to complete?

It's freeradius3 package bugging out. You can't reach the upgrade before the EoL version is installed. Just do a

# pkg remove freeradius3

And confirm and retry... reinstall the os-freeradius plugin after doing the major upgrade if you still need it.


Cheers,
Franco
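
Added example (not part of Franco's post and not OPNsense tooling): a shell helper that reads console update output like the log posted above and reports the package at which the run stopped, plus the release the firmware check says is required. The function names are hypothetical and the sample log is constructed from lines quoted in this thread.

```shell
#!/bin/sh
# find_stalled_pkg: read update output on stdin and print
#   "<package> <step>/<total> <required-release-or-dash>"
# when the run stopped before its last step. Prints nothing and
# returns 1 when every step was reached or no step header was seen.
find_stalled_pkg() {
    awk '
        # Step header, e.g. "[1/34] Upgrading freeradius3 from 3.0.25 to 3.2.1_1..."
        /^\[[0-9]+\/[0-9]+\] (Upgrading|Installing|Reinstalling) / {
            split(substr($1, 2, length($1) - 2), n, "/")
            step = n[1]; total = n[2]; pkg = $3
        }
        # Message printed when the required release was not installed.
        /^Installation out of date\. The update to / {
            required = $8
        }
        END {
            if (total == "" || step + 0 >= total + 0) exit 1
            printf "%s %s/%s %s\n", pkg, step, total, (required == "" ? "-" : required)
        }
    '
}

# Constructed sample: a shortened copy of the output quoted in this thread.
sample_log() {
    cat <<'EOF'
Number of packages to be upgraded: 34
[1/34] Upgrading freeradius3 from 3.0.25 to 3.2.1_1...
[1/34] Extracting freeradius3-3.2.1_1: .......... done
pkg-static: Fail to set time on /var/run/radiusd:No such file or directory
Installation out of date. The update to opnsense-22.7.11_1 is required.
EOF
}

# Stand-alone run: reports the blocking package for the sample log.
sample_log | find_stalled_pkg
```

On a real system, save the console output to a file and feed it to `find_stalled_pkg` on stdin; the first field is the package to look at before retrying the update.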

Thanks, franco and newsense!

I read franco's reply to another person a few minutes ago (sent several months back) and performed the same two steps to remove freeradius and reinstall. That got me to 22.7.11_1 and then I was able to upgrade to 23.1. Obviously just using the search string "update" was insufficient to retrieve the applicable thread(s).

I am glad that franco reconfirmed the steps here.

Cannot thank you both enough for helping me to avoid a fresh re-install. Please consider the issue fully resolved thanks to your assistance.

Regards.

Great, now rinse and repeat until you get on 23.7.4


23.7.5 lands next week.