[solved] opnsense trys to remove itself on upgrade

[ascii]

Hello guys,

i got no idea what happend. i tried to Upgrade today but it looks opnsense tries to delete itself.
anyone an idea how to fix this?

Code: [Select]

Last login: Fri Feb  2 18:10:48 2024 from 192.168.2.115
----------------------------------------------
|      Hello, this is OPNsense 23.7          |         @@@@@@@@@@@@@@@
|                                            |        @@@@         @@@@
| Website:      https://opnsense.org/        |         @@@\\\   ///@@@
| Handbook:     https://docs.opnsense.org/   |       ))))))))   ((((((((
| Forums:       https://forum.opnsense.org/  |         @@@///   \\\@@@
| Code:         https://github.com/opnsense  |        @@@@         @@@@
| Twitter:      https://twitter.com/opnsense |         @@@@@@@@@@@@@@@
----------------------------------------------

 HTTPS: SHA256 F3 82 F4 27 D8 55 BF 0B 48 AF 2E 5C 8D D7 C9 96
               15 D2 B5 FE 4E 51 A2 4C 9E D9 E5 79 E9 42 4E 97
 SSH:   SHA256 TM3ud5YFIp/TvIry1HLTNMlJZoHVn6Uzr3l8SauHOEQ (ECDSA)
 SSH:   SHA256 FHUp3mCIQfl3Y6M4vemV3no5m0DcgQV212OQSU1ousw (ED25519)
 SSH:   SHA256 UItAYMcQMA+r4J7n/RaE+JtSc5svcRrJncsXqmStHbA (RSA)

  0) Logout                              7) Ping host
  1) Assign interfaces                   8) Shell
  2) Set interface IP address            9) pfTop
  3) Reset the root password            10) Firewall log
  4) Reset to factory defaults          11) Reload all services
  5) Power off system                   12) Update from console
  6) Reboot system                      13) Restore a backup

Enter an option: 12

Fetching change log information, please wait... done

This will automatically fetch all available updates and apply them.

Proceed with this action? [y/N]: y

Hi there,

One more release it was indeed.  We have added considerable backend work
for improving security and adding a streaming function to avoid memory
exhaustion for data-intense data exchanges.  Note this is in preparation
for 24.1 where these will be used, but direct use in 23.7 is avoided to
lower the possibility for regressions.

The release date for 24.1 is January 30 and we approaching this differently
this time with release candidates only being available from the development
version meaning there will be no installation media before the final release.

While RC1 is mostly ready the publication is currently on hold due to chasing
down a kernel panic.  Watch out for the release notes of the RC1.  It should
be available this week with a follow-up RC2 in the following week.

Here are the full patch notes:

o system: change ZFS transaction group defaults to avoid excessive disk wear[1]
o firewall: validate if GeoIP and BGP ASN targets contain at least 1 kb of data before assuming timestamp is correct
o firmware: automatically install os-squid plugin install when web proxy is enabled before major upgrade
o firmware: refactor export and scrub Unbound DNS database before major upgrade
o firmware: disallow TLS lower than 1.3 on business mirror
o openvpn: add validation for netmask greater than 29 exactly as specified in the OpenVPN source code
o backend: support streaming output using the "stream_output" handler
o backend: implement optional trust model and add extended logging
o backend: support optional configd configuration files
o mvc: add an IPPortField type
o mvc: split configdRun() in order to return a resource which the controller can stream with minimal memory consumption
o ui: fix the missing dialog padding in some modals
o ui: set a default data-size for increased readability in selectpickers
o ui: show tooltip when grid td content does not fit
o plugins: os-bind 1.29[2]
o plugins: os-ddclient 1.20[3]
o plugins: os-frr 1.38[4]
o plugins: os-node_exporter 1.2[5]
o plugins: os-sunnyvalley 1.4 switches to new repository layout
o ports: py-netaddr 0.10.1[6]
o ports: sudo 1.9.15p5[7]

A hotfix release was issued as 23.7.12_5:

o reporting: print status message when Unbound DNS database was not found during firmware upgrade
o firmware: enable upgrade path to 24.1
o backend: only parse stream results when configd socket could be opened


Stay safe,
Your OPNsense team

--
[1] https://github.com/opnsense/core/commit/269b9fbaf
[2] https://github.com/opnsense/plugins/blob/stable/23.7/dns/bind/pkg-descr
[3] https://github.com/opnsense/plugins/blob/stable/23.7/dns/ddclient/pkg-descr
[4] https://github.com/opnsense/plugins/blob/stable/23.7/net/frr/pkg-descr
[5] https://github.com/opnsense/plugins/blob/stable/23.7/sysutils/node_exporter/pkg-descr
[6] https://netaddr.readthedocs.io/en/latest/changes.html#release-0-10-1
[7] https://www.sudo.ws/stable.html#1.9.15p5

Updating OPNsense repository catalogue...
OPNsense repository is up to date.
Updating SunnyValley repository catalogue...
SunnyValley repository is up to date.
Updating mimugmail repository catalogue...
mimugmail repository is up to date.
All repositories are up to date.
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
Updating SunnyValley repository catalogue...
SunnyValley repository is up to date.
Updating mimugmail repository catalogue...
mimugmail repository is up to date.
All repositories are up to date.
Checking for upgrades (21 candidates): .......... done
Processing candidates (21 candidates): ........ done
Checking integrity... done (2 conflicting)
  - openssl-1.1.1w,1 [SunnyValley] conflicts with openssl111-1.1.1w [installed] on /usr/local/bin/c_rehash
  - openssl-1.1.1w,1 [SunnyValley] conflicts with openssl111-1.1.1w [OPNsense] on /usr/local/bin/c_rehash
Cannot solve problem using SAT solver, trying another plan
Cannot solve problem using SAT solver, trying another plan
Cannot solve problem using SAT solver, trying another plan
Checking integrity... done (0 conflicting)
The following 140 package(s) will be affected (of 0 checked):

Installed packages to be REMOVED:
        avahi-app: 0.8_1
        bind-tools: 9.18.20_1
        cpdup: 1.22
        curl: 8.5.0
        cyrus-sasl: 2.1.28_1
        cyrus-sasl-gssapi: 2.1.28
        dbus-glib: 0.112
        ddclient: 3.11.2_1
        gamin: 0.1.10_10
        glib: 2.78.3,2
        gnutls: 3.7.10
        hostapd: 2.10_8
        hw-probe: 1.6.5
        iperf3: 3.16
        isc-dhcp44-server: 4.4.3P1
        krb5: 1.21.2
        ldns: 1.8.3
        libevent: 2.1.12
        libfido2: 1.14.0
        lighttpd: 1.4.73
        monit: 5.33.0
        ntp: 4.2.8p17_1
        openldap26-client: 2.6.6
        openssh-portable: 9.6.p1_1,1
        openssl111: 1.1.1w
        openvpn: 2.6.8_1
        opnsense: 23.7.12
        opnsense-installer: 24.1
        opnsense-update: 23.7.10_1
        os-cache: 1.0_1
        os-ddclient: 1.20
        os-hw-probe: 1.0_1
        os-iperf: 1.0_1
        os-redis: 1.1_2
        p11-kit: 0.25.3
        php82: 8.2.14
        php82-ctype: 8.2.14
        php82-curl: 8.2.14
        php82-dom: 8.2.14
        php82-filter: 8.2.14
        php82-gettext: 8.2.14
        php82-google-api-php-client: 2.4.0
        php82-ldap: 8.2.14
        php82-mbstring: 8.2.14
        php82-opcache: 8.2.14
        php82-pcntl: 8.2.14
        php82-pdo: 8.2.14
        php82-pear: 1.10.13
        php82-pear-Crypt_CHAP: 1.5.0_1
        php82-pecl-mcrypt: 1.0.6
        php82-pecl-mongodb: 1.15.3
        php82-pecl-radius: 1.4.0b1_2
        php82-phalcon: 5.3.1
        php82-phpseclib: 3.0.34
        php82-session: 8.2.14
        php82-simplexml: 8.2.14
        php82-sockets: 8.2.14
        php82-sqlite3: 8.2.14
        php82-xml: 8.2.14
        php82-zlib: 8.2.14
        pkcs11-helper: 1.29.0_1
        py39-Babel: 2.14.0
        py39-Jinja2: 3.1.2
        py39-aioquic: 0.9.24
        py39-anyio: 4.2.0
        py39-async_generator: 1.10
        py39-attrs: 23.1.0
        py39-boto3: 1.34.7
        py39-botocore: 1.34.7
        py39-bottleneck: 1.3.7_1
        py39-certifi: 2023.11.17
        py39-cffi: 1.16.0
        py39-charset-normalizer: 3.3.2
        py39-cryptography: 41.0.7_2,1
        py39-cython: 0.29.37
        py39-dateutil: 2.8.2
        py39-dnspython: 2.4.2,1
        py39-duckdb: 0.8.1
        py39-exceptiongroup: 1.2.0
        py39-h11: 0.14.0
        py39-h2: 4.1.0
        py39-hpack: 4.0.0
        py39-httpcore: 1.0.2
        py39-httpx: 0.26.0
        py39-hyperframe: 6.0.0
        py39-idna: 3.6
        py39-importlib-metadata: 7.0.1
        py39-jmespath: 1.0.1
        py39-markdown: 3.3.7_1
        py39-markupsafe: 2.1.3
        py39-netaddr: 0.10.1
        py39-numexpr: 2.8.8
        py39-numpy: 1.25.0_4,1
        py39-openssl: 23.2.0,1
        py39-outcome: 1.3.0_1
        py39-pandas: 2.0.3,1
        py39-pyasn1: 0.5.0
        py39-pyasn1-modules: 0.3.0
        py39-pycparser: 2.21
        py39-pylsqpack: 0.3.18
        py39-pysocks: 1.7.1
        py39-pytz: 2023.3,1
        py39-requests: 2.31.0
        py39-s3transfer: 0.10.0
        py39-service-identity: 23.1.0
        py39-setuptools: 63.1.0_1
        py39-six: 1.16.0
        py39-sniffio: 1.3.0
        py39-sortedcontainers: 2.4.0
        py39-sqlite3: 3.9.18_7
        py39-trio: 0.24.0
        py39-typing-extensions: 4.9.0
        py39-tzdata: 2023.4
        py39-ujson: 5.9.0
        py39-urllib3: 1.26.18,1
        py39-vici: 5.9.11
        py39-yaml: 6.0.1
        py39-zipp: 3.17.0
        python39: 3.9.18
        redis: 7.2.3
        rrdtool: 1.8.0_3
        ruby: 3.1.4_1,1
        ruby31-gems: 3.4.20
        rubygem-rexml: 3.2.6
        squid: 6.6
        strongswan: 5.9.13
        sudo: 1.9.15p5
        suricata: 6.0.15
        syslog-ng: 4.4.0
        talloc: 2.3.4
        tdb: 1.4.7,1
        tevent: 0.13.0_1
        unbound: 1.19.0
        vim: 9.1.0015_1
        wget: 1.21.4
        wpa_supplicant: 2.10_10

New packages to be INSTALLED:
        openssl: 1.1.1w,1 [SunnyValley]

Installed packages to be UPGRADED:
        libxcb: 1.15_1 -> 1.15_2 [mimugmail]
        os-sunnyvalley: 1.4_1 -> 1.4_3 [OPNsense]

Installed packages to be REINSTALLED:
        libarchive-3.7.2,1 [mimugmail] (direct dependency changed: openssl)

Number of packages to be removed: 136
Number of packages to be installed: 1
Number of packages to be upgraded: 2
Number of packages to be reinstalled: 1

The operation will free 725 MiB.
pkg-static: Cannot delete vital package: opnsense!
pkg-static: If you are sure you want to remove opnsense,
pkg-static: unset the 'vital' flag with: pkg set -v 0 opnsense
Starting web GUI...done.
Generating RRD graphs...done.

*** OPNsense.lan.dom: OPNsense 23.7.12 ***

 LAN (em2)       -> v4: 192.168.2.2/25
                    v6/t6: /64
 S2Sxanten (wg1) ->
 WAN (em1)       -> v4/DHCP4: xyz/23
                    v6/DHCP6: /128
 guest (em0_vlan13) -> v4: 192.168.13.1/24
                    v6/t6: /64
 iot (em0_vlan15) -> v4: 192.168.15.1/24
 trunk (em0)     ->
 voip (em0_vlan14) -> v4: 192.168.14.1/29
 wireg (wg0)     -> v4: 10.10.100.0/24

 HTTPS: SHA256 F3 82 F4 27 D8 55 BF 0B 48 AF 2E 5C 8D D7 C9 96
               15 D2 B5 FE 4E 51 A2 4C 9E D9 E5 79 E9 42 4E 97
 SSH:   SHA256 TM3ud5YFIp/TvIry1HLTNMlJZoHVn6Uzr3l8SauHOEQ (ECDSA)
 SSH:   SHA256 FHUp3mCIQfl3Y6M4vemV3no5m0DcgQV212OQSU1ousw (ED25519)
 SSH:   SHA256 UItAYMcQMA+r4J7n/RaE+JtSc5svcRrJncsXqmStHbA (RSA)

  0) Logout                              7) Ping host
  1) Assign interfaces                   8) Shell
  2) Set interface IP address            9) pfTop
  3) Reset the root password            10) Firewall log
  4) Reset to factory defaults          11) Reload all services
  5) Power off system                   12) Update from console
  6) Reboot system                      13) Restore a backup

Enter an option:

this is the health audit

Code: [Select]

***GOT REQUEST TO AUDIT HEALTH***
Currently running OPNsense 23.7.12 at Fri Feb  2 18:35:12 CET 2024
>>> Root file system: /dev/gpt/rootfs
>>> Check installed kernel version
Version 23.7.10 is correct.
>>> Check for missing or altered kernel files
No problems detected.
>>> Check installed base version
Version 23.7.10 is correct.
>>> Check for missing or altered base files
No problems detected.
>>> Check installed repositories
OPNsense
mimugmail
SunnyValley
>>> Check installed plugins
os-adguardhome-maxit 1.10
os-api-backup 1.1
os-cache 1.0_1
os-collectd 1.4_1
os-crowdsec 1.0.7
os-ddclient 1.20
os-dmidecode 1.1_1
os-dyndns 1.27_3
os-etpro-telemetry 1.6_1
os-firewall 1.4_2
os-hw-probe 1.0_1
os-intrusion-detection-content-pt-open 1.0_1
os-ipcheck-community 0.3
os-iperf 1.0_1
os-nextcloud-backup 1.0_1
os-redis 1.1_2
os-sensei 1.16.2
os-sensei-updater 1.16
os-siproxd 1.3_2
os-smart 2.2_4
os-speedtest-community 0.9_4
os-sunnyvalley 1.4_1
os-vnstat 1.3_1
os-wireguard 2.6
>>> Check locked packages
No locks found.
>>> Check for missing package dependencies
Checking all packages: .......... done
py37-markupsafe has a missing dependency: python37
py37-markupsafe has a missing dependency: py37-setuptools
py37-markupsafe is missing a required shared library: libpython3.7m.so.1.0
>>> Check for missing or altered package files
Checking all packages: ....
os-adguardhome-maxit-1.10: checksum mismatch for /usr/local/AdGuardHome/AdGuardHome
os-adguardhome-maxit-1.10: checksum mismatch for /usr/local/AdGuardHome/AdGuardHome.sig
Checking all packages....
os-sensei-1.16.2: missing file /usr/local/zenarmor/output/archive/.placeholder
Checking all packages........ done
>>> Check for core packages consistency
Core package "opnsense" has 69 dependencies to check.
Checking packages: .......................
opnsense-23.7.12 version mismatch, expected 23.7.12_5
Checking packages: ............................................... done
***DONE***

[newsense]

Code: [Select]

pkg remove py37-markupsafe
Then retry the upgrade

[ascii]

Code: [Select]

pkg remove py37-markupsafe
Then retry the upgrade

i tried it but sadly didn't help.
still wnats to delete opnsense virtual package

[newsense]

There's also a repo priority conflict there with OpenSSL 1.1.1w coming from ZenArmor's repo with a higher priority than OPNsense.


If unsure where you are with ZenArmor and assuming not the latest, check their documentation about making a backup of their config prior an OPNsense major upgrade. then upgrade ZA first.


You can try renaming the ZenArmor repo in /usr/local/etc/pkg/repos/  by appending .bak to the name, and attempt the 24.1 upgrade without it if it appears to have no conflicts. Remove the .bak suffix when on 24.1

[ascii]

maybe i will try that.
whats is a bit more concerning is that the removal of the 135 packages.
in the GUI they are Marke aß obsolete.

[newsense]

That's because of the wrong repo priorities.

If you remove ZA froom the picture then the package solver should be able to continue without seeing OpenSSL 1.1.1w packages with a higher prio than the OpNsense ones from 24.1 which are built with OpenSSL3

[franco]

No, mimugmail third party is not compatible with anything lower than  24.1 now due to the OpenSSL 3 switch.


Cheers,
Franco

[ascii]

No, mimugmail third party is not compatible with anything lower than  24.1 now due to the OpenSSL 3 switch.


Cheers,
Franco

So that would mean the best approch would bei reinstall and apply a backup of the config.

[newsense]

Assuming you're fully prepared for the reinstall, what happens if you attempt the upgrade without ZA repo active ?

[franco]

One sec here... did you attempt the 24.1 upgrade yet? If yes, what are your current "kernel" and "base" version? (see packages tab). I'm assuming your "opnsense" package is at 23.7.12_5.


Cheers,
Franco

[newsense]

Don't think anything happened yet on the machine because of this in he first code post"

Code: [Select]

Checking for upgrades (21 candidates): .......... done
Processing candidates (21 candidates): ........ done
Checking integrity... done (2 conflicting)
  - openssl-1.1.1w,1 [SunnyValley] conflicts with openssl111-1.1.1w [installed] on /usr/local/bin/c_rehash
  - openssl-1.1.1w,1 [SunnyValley] conflicts with openssl111-1.1.1w [OPNsense] on /usr/local/bin/c_rehash
Cannot solve problem using SAT solver, trying another plan
Cannot solve problem using SAT solver, trying another plan
Cannot solve problem using SAT solver, trying another plan
Checking integrity... done (0 conflicting)
The following 140 package(s) will be affected (of 0 checked):

Which lead to this:

Code: [Select]

New packages to be INSTALLED:
        openssl: 1.1.1w,1 [SunnyValley]

Installed packages to be UPGRADED:
        libxcb: 1.15_1 -> 1.15_2 [mimugmail]
        os-sunnyvalley: 1.4_1 -> 1.4_3 [OPNsense]

Installed packages to be REINSTALLED:
        libarchive-3.7.2,1 [mimugmail] (direct dependency changed: openssl)

Number of packages to be removed: 136
Number of packages to be installed: 1
Number of packages to be upgraded: 2
Number of packages to be reinstalled: 1

The operation will free 725 MiB.
pkg-static: Cannot delete vital package: opnsense!
pkg-static: If you are sure you want to remove opnsense,
pkg-static: unset the 'vital' flag with: pkg set -v 0 opnsense
Starting web GUI...done.
Generating RRD graphs...done.

*** OPNsense.lan.dom: OPNsense 23.7.12 ***

 LAN (em2)       -> v4: 192.168.2.2/25
                    v6/t6: /64
 S2Sxanten (wg1) ->
 WAN (em1)       -> v4/DHCP4: xyz/23
Which is why I was suggesting temporarily disabling ZA repo to see if things can proceed only with OPNsense and mimugmail ones.

[ascii]

One sec here... did you attempt the 24.1 upgrade yet? If yes, what are your current "kernel" and "base" version? (see packages tab). I'm assuming your "opnsense" package is at 23.7.12_5.


Cheers,
Franco

Sorry for the delay. i'm out of town this week.

you are correct.
there was no upgrade to 24.1.
base and Kernel are at 23.7.10
opnsense is at 23.7.12_5

@newsense, i will try disabeling ZA repo on the weekend when i'm back home

[ascii]

the temp removal of zenarmor.com fixed everythink.
No it i's a clean 23.7.12_5 and an upgrade to 24.1 is suggested.

thanks

[LoudComputerGuy]

Hello everyone,

  I came across this thread and am in a similar situation.  I am currently at:

OPNsense 23.7.12_5-amd64
FreeBSD 13.2-RELEASE-p7
OpenSSL 1.1.1w

  And when I check for updates it wants to uninstall nearly every Opnsense package.  I have never had any problems with applying updates before - total first.  I tried disabling the ZenArmor repo (/usr/local/etc/pkg/repos/SunnyValley.conf) - no change.  I saw the prior person said he had to uninstall Zenarmor (which I have installed and configured).  All of this has been running fine for over a year now and I do not want to lose any of current configs.  If I do a Zenarmor backup and download that file, uninstall all Zenarmor pkgs, will Opnsense updates then work (assuming yes) and then can I reinstall Zenarmor and reapply my backed up config to get me back where I am now, but on the latest version of Opnsense?

Kindly requesting assistance on best way to solve this.  Additionally, is there any way to prevent this from happening again in the future?

Thanks.

[cookiemonster]

I suggest to fire the question to Zenarmor from the "send feedback" option in the OPN plugin UI.