Upgrading OPNsense to version 21.7

Task:
Upgrade OPNsense to version 21.7
I have already described how to upgrade OPNsense in the article "Upgrading OPNsense in high-availability mode". Now it is time to upgrade to the next version. And since this article exists, something did not go according to plan 😉

From the short upgrade procedure:
- Upgrade the backup firewall
- Put the master firewall into maintenance mode
- Upgrade the master firewall
- Disable maintenance mode on the master firewall
I got stuck on the third step: the update could go on downloading forever. After a day I ran out of patience and rebooted.

    ***GOT REQUEST TO UPGRADE***
    Fetching packages-21.7-OpenSSL-amd64.tar: ................................................................................................................................................................................................................................................

Checking for updates from the console made it clear that it simply cannot find them:

    root@GWM:~ # pkg update
    Updating OPNsense repository catalogue...
    pkg: https://pkg.opnsense.org/FreeBSD:12:amd64/21.1/latest/meta.txz: No address record
    repository OPNsense has no meta file, using default settings
    pkg: https://pkg.opnsense.org/FreeBSD:12:amd64/21.1/latest/packagesite.txz: No address record
    Unable to update repository OPNsense
    Error updating repositories!
    root@GWM:~ #
We check, and indeed names do not resolve.

    root@GWM:~ # ping google.com
    ping: cannot resolve google.com: Host name lookup failure
    root@GWM:~ #
To fix it I simply re-saved the WAN interface settings. It turned out that the DNS servers were bogus and essentially not working.
Having fixed that and checked that Internet access works, we try to upgrade from the console.

    ----------------------------------------------
    |      Hello, this is OPNsense 21.1          |         @@@@@@@@@@@@@@@
    |                                            |        @@@@         @@@@
    | Website:      https://opnsense.org/        |         @@@\\\   ///@@@
    | Handbook:     https://docs.opnsense.org/   |       ))))))))   ((((((((
    | Forums:       https://forum.opnsense.org/  |         @@@///   \\\@@@
    | Code:         https://github.com/opnsense  |        @@@@         @@@@
    | Twitter:      https://twitter.com/opnsense |         @@@@@@@@@@@@@@@
    ----------------------------------------------

    *** GWM.xaxa.local: OPNsense 21.1.9_1 (amd64/OpenSSL) ***

     HA (alc0)       -> v4: 10.168.7.110/30
     LAN (vmx0)      -> v4: 192.168.7.110/24
     WAN (vmx1)      -> v4/DHCP4: 192.168.11.155/24

     HTTPS: SHA256 3B 5C B6 55 8A A9 67 F5 E5 9A BC 51 3D 51 CC 6C
                   E0 35 36 CA 99 FC 6D 94 9C F4 03 51 66 4A B8 D0
     SSH:   SHA256 M+v8Hdgl/1gVctrm25OKgVaStYZxYvmLmhmojfjsis0 (ECDSA)
     SSH:   SHA256 nPvc9zFLGy1cnCHNPB6XLUtrtrm25OKg0AlPi6jv4yo (ED25519)
     SSH:   SHA256 wyNe2Wf7qBYPqBEX+mf1hBz5pYhtrm25OKgVMTjA6H0 (RSA)

      0) Logout                              7) Ping host
      1) Assign interfaces                   8) Shell
      2) Set interface IP address            9) pfTop
      3) Reset the root password            10) Firewall log
      4) Reset to factory defaults          11) Reload all services
      5) Power off system                   12) Update from console
      6) Reboot system                      13) Restore a backup

    Enter an option: 12

    Fetching change log information, please wait... done

    This will automatically fetch all available updates and apply them.

    A major firmware upgrade is available for this installation: 21.7

    Make sure you have read the release notes and migration guide before
    attempting this upgrade.  Around 500MB will need to be downloaded and
    require 1000MB of free space.  Continue with this major upgrade by typing
    the major upgrade version number displayed above.

    Minor updates may be available, answer 'y' to run them instead.

    Proceed with this action? [21.7/y/N]: N
As we can see, the upgrade requires 1000MB of free space. Having aborted the upgrade, we go into a regular shell and check the free space.

      0) Logout                              7) Ping host
      1) Assign interfaces                   8) Shell
      2) Set interface IP address            9) pfTop
      3) Reset the root password            10) Firewall log
      4) Reset to factory defaults          11) Reload all services
      5) Power off system                   12) Update from console
      6) Reboot system                      13) Restore a backup

    Enter an option: 8

    root@GWM:~ # df -h
    Filesystem         Size    Used   Avail Capacity  Mounted on
    /dev/gpt/rootfs     40G    7.0G     30G    19%    /
    devfs              1.0K    1.0K      0B   100%    /dev
    devfs              1.0K    1.0K      0B   100%    /var/dhcpd/dev
    devfs              1.0K    1.0K      0B   100%    /var/unbound/dev
    root@GWM:~ #
We return to the menu and check for updates.

    root@GWM:~ # exit
    exit

    *** GWM.xaxa.local: OPNsense 21.1.9_1 (amd64/OpenSSL) ***

     HA (alc0)       -> v4: 10.168.7.110/30
     LAN (vmx0)      -> v4: 192.168.7.110/24
     WAN (vmx1)      -> v4/DHCP4: 192.168.11.155/24

     HTTPS: SHA256 3B 5C B6 55 8A A9 67 F5 E5 9A BC 51 3D 51 CC 6C
                   E0 35 36 CA 99 FC 6D 94 9C F4 03 51 66 4A B8 D0
     SSH:   SHA256 M+v8Hdgl/1gVctrm25OKgVaStYZxYvmLmhmojfjsis0 (ECDSA)
     SSH:   SHA256 nPvc9zFLGy1cnCHNPB6XLUtrtrm25OKg0AlPi6jv4yo (ED25519)
     SSH:   SHA256 wyNe2Wf7qBYPqBEX+mf1hBz5pYhtrm25OKgVMTjA6H0 (RSA)

      0) Logout                              7) Ping host
      1) Assign interfaces                   8) Shell
      2) Set interface IP address            9) pfTop
      3) Reset the root password            10) Firewall log
      4) Reset to factory defaults          11) Reload all services
      5) Power off system                   12) Update from console
      6) Reboot system                      13) Restore a backup

    Enter an option: 12

    Fetching change log information, please wait... done

    This will automatically fetch all available updates and apply them.

    A major firmware upgrade is available for this installation: 21.7

    Make sure you have read the release notes and migration guide before
    attempting this upgrade.  Around 500MB will need to be downloaded and
    require 1000MB of free space.  Continue with this major upgrade by typing
    the major upgrade version number displayed above.

    Minor updates may be available, answer 'y' to run them instead.

    Proceed with this action? [21.7/y/N]: y

    *** GWM.xaxa.local: OPNsense 21.1.9_1 (amd64/OpenSSL) ***

     HA (alc0)       -> v4: 10.168.7.110/30
     LAN (vmx0)      -> v4: 192.168.7.110/24
     WAN (vmx1)      -> v4/DHCP4: 192.168.11.155/24

     HTTPS: SHA256 3B 5C B6 55 8A A9 67 F5 E5 9A BC 51 3D 51 CC 6C
                   E0 35 36 CA 99 FC 6D 94 9C F4 03 51 66 4A B8 D0
     SSH:   SHA256 M+v8Hdgl/1gVctrm25OKgVaStYZxYvmLmhmojfjsis0 (ECDSA)
     SSH:   SHA256 nPvc9zFLGy1cnCHNPB6XLUtrtrm25OKg0AlPi6jv4yo (ED25519)
     SSH:   SHA256 wyNe2Wf7qBYPqBEX+mf1hBz5pYhtrm25OKgVMTjA6H0 (RSA)

      0) Logout                              7) Ping host
      1) Assign interfaces                   8) Shell
      2) Set interface IP address            9) pfTop
      3) Reset the root password            10) Firewall log
      4) Reset to factory defaults          11) Reload all services
      5) Power off system                   12) Update from console
      6) Reboot system                      13) Restore a backup

    Enter an option:
There are probably no updates for OPNsense 21.1.9_1. Let's try upgrading to 21.7.

    Enter an option: 12

    Fetching change log information, please wait... done

    This will automatically fetch all available updates and apply them.

    A major firmware upgrade is available for this installation: 21.7

    Make sure you have read the release notes and migration guide before
    attempting this upgrade.  Around 500MB will need to be downloaded and
    require 1000MB of free space.  Continue with this major upgrade by typing
    the major upgrade version number displayed above.

    Minor updates may be available, answer 'y' to run them instead.

    Proceed with this action? [21.7/y/N]: 21.7

    Fetching packages-21.7-OpenSSL-amd64.tar: ................................................................................................................................................................................................................................................
Unfortunately, this could go on forever.
We check what is in the "cache" directory.

    root@GWM:~ # ls -lah /var/cache/opnsense-update/
    total 60
    drwxr-xr-x  8 root  wheel   512B Aug 18 21:28 .
    drwxr-xr-x  6 root  wheel   512B Aug 18 21:30 ..
    drwxr-x---  2 root  wheel   512B Feb  1  2021 .sets.pending
    -rw-r--r--  1 root  wheel    28K Feb  1  2021 .upgrade.log
    prw-r--r--  1 root  wheel     0B Feb  1  2021 .upgrade.pipe
    drwxr-x---  2 root  wheel   512B Aug 15 19:15 31743
    drwxr-xr-x  2 root  wheel   512B Aug 18 20:56 52742
    drwxr-x---  2 root  wheel   512B Aug 18 20:44 72645
    drwxr-xr-x  2 root  wheel   512B Aug 18 21:28 83398
    drwxr-x---  2 root  wheel   512B Aug 16 06:29 92844
    root@GWM:~ #
We clear the update cache and check that it has been removed.

    root@GWM:~ # opnsense-update -se
    root@GWM:~ # ls -lah /var/cache/opnsense-update/
    total 8
    drwxr-xr-x  2 root  wheel   512B Aug 18 21:38 .
    drwxr-xr-x  6 root  wheel   512B Aug 18 21:30 ..
    root@GWM:~ #
We try to update once more.

      0) Logout                              7) Ping host
      1) Assign interfaces                   8) Shell
      2) Set interface IP address            9) pfTop
      3) Reset the root password            10) Firewall log
      4) Reset to factory defaults          11) Reload all services
      5) Power off system                   12) Update from console
      6) Reboot system                      13) Restore a backup

    Enter an option: 12

    Fetching change log information, please wait... done

    This will automatically fetch all available updates and apply them.

    A major firmware upgrade is available for this installation: 21.7

    Make sure you have read the release notes and migration guide before
    attempting this upgrade.  Around 500MB will need to be downloaded and
    require 1000MB of free space.  Continue with this major upgrade by typing
    the major upgrade version number displayed above.

    Minor updates may be available, answer 'y' to run them instead.

    Proceed with this action? [21.7/y/N]: y

    Updating OPNsense repository catalogue...
    OPNsense repository is up to date.
    All repositories are up to date.
    Updating OPNsense repository catalogue...
    OPNsense repository is up to date.
    All repositories are up to date.
    Checking for upgrades (0 candidates): . done
    Processing candidates (0 candidates): . done
    Checking integrity... done (0 conflicting)
    Your packages are up to date.
    Checking integrity... done (0 conflicting)
    Nothing to do.
    Checking all packages: .......... done
    Nothing to do.
    Your system is up to date.
    Starting web GUI...done.
    Generating RRD graphs...done.

    *** GWM.xaxa.local: OPNsense 21.1.9_1 (amd64/OpenSSL) ***
We try to upgrade to version 21.7.

      0) Logout                              7) Ping host
      1) Assign interfaces                   8) Shell
      2) Set interface IP address            9) pfTop
      3) Reset the root password            10) Firewall log
      4) Reset to factory defaults          11) Reload all services
      5) Power off system                   12) Update from console
      6) Reboot system                      13) Restore a backup

    Enter an option: 12

    Fetching change log information, please wait... done

    This will automatically fetch all available updates and apply them.

    A major firmware upgrade is available for this installation: 21.7

    Make sure you have read the release notes and migration guide before
    attempting this upgrade.  Around 500MB will need to be downloaded and
    require 1000MB of free space.  Continue with this major upgrade by typing
    the major upgrade version number displayed above.

    Minor updates may be available, answer 'y' to run them instead.

    Proceed with this action? [21.7/y/N]: 21.7

    Fetching packages-21.7-OpenSSL-amd64.tar: ............................
We check the traffic on the WAN interface (Reporting: Traffic).

We verify that the upgrade really is in progress: we connect to OPNsense once more and check the size of the directory.

    root@GWM:~ # du -h /var/cache/opnsense-update/
     12K    /var/cache/opnsense-update/16104
    137M    /var/cache/opnsense-update/22326
    137M    /var/cache/opnsense-update/
    root@GWM:~ # du -h /var/cache/opnsense-update/
     12K    /var/cache/opnsense-update/16104
    144M    /var/cache/opnsense-update/22326
    144M    /var/cache/opnsense-update/
    root@GWM:~ #

As you can see, the directory is growing.

After some digging I found the links the updates are downloaded from:
https://pkg.opnsense.org/FreeBSD:12:amd64/21.7/
On Linux you can find out the size of a file to be downloaded with the command "wget --spider"; on Unix I could not think of anything smarter than to start downloading the file.

    root@GWM:~ # fetch https://pkg.opnsense.org/FreeBSD:12:amd64/21.7/sets/base-21.7-amd64.txz
    base-21.7-amd64.txz                             0% of  172 MB  329 kBps^Z
    Suspended
    root@GWM:~ #

Or you can simply open the site.

I never managed to finish downloading the file. Downloading with the fetch command from the OPNsense console did not have much success. In the end all the update files were downloaded elsewhere onto a USB flash drive and uploaded to the router with WinSCP.

Next, here is an example of an offline OPNsense upgrade.

    root@GWM:~ # opnsense-update -se
    root@GWM:~ # cd 21.7/
    root@GWM:~/21.7 # ls -l
    total 1627764
    -rw-r--r--  1 root  wheel  181050588 Aug 19 08:36 base-21.7-amd64.txz
    -rw-r--r--  1 root  wheel       1332 Aug 19 08:32 base-21.7-amd64.txz.sig
    -rw-r--r--  1 root  wheel  181065716 Aug 19 08:36 base-21.7.1-amd64.txz
    -rw-r--r--  1 root  wheel       1332 Aug 19 08:33 base-21.7.1-amd64.txz.sig
    -rw-r--r--  1 root  wheel      54680 Aug 19 08:33 bogons.txz
    -rw-r--r--  1 root  wheel       1332 Aug 19 08:33 bogons.txz.sig
    -rw-r--r--  1 root  wheel     224996 Aug 19 08:33 changelog.txz
    -rw-r--r--  1 root  wheel       1332 Aug 19 08:34 changelog.txz.sig
    -rw-r--r--  1 root  wheel   28619144 Aug 19 08:35 kernel-21.7-amd64.txz
    -rw-r--r--  1 root  wheel       1332 Aug 19 08:34 kernel-21.7-amd64.txz.sig
    -rw-r--r--  1 root  wheel   28620496 Aug 19 08:35 kernel-21.7.1-amd64.txz
    -rw-r--r--  1 root  wheel       1332 Aug 19 08:34 kernel-21.7.1-amd64.txz.sig
    -rw-r--r--  1 root  wheel  622702592 Aug 19 08:59 packages-21.7-LibreSSL-amd64.tar
    -rw-r--r--  1 root  wheel       1332 Aug 19 08:49 packages-21.7-LibreSSL-amd64.tar.sig
    -rw-r--r--  1 root  wheel  623691264 Aug 19 08:58 packages-21.7-OpenSSL-amd64.tar
    -rw-r--r--  1 root  wheel       1332 Aug 19 08:49 packages-21.7-OpenSSL-amd64.tar.sig
    root@GWM:~/21.7 #
    root@GWM:~/21.7 # opnsense-verify base-21.7-amd64.txz
    Verifying signature with trusted certificate pkg.opnsense.org.20210629... done
    root@GWM:~/21.7 # opnsense-verify base-21.7.1-amd64.txz
    Verifying signature with trusted certificate pkg.opnsense.org.20210629... done
    root@GWM:~/21.7 # opnsense-verify bogons.txz
    Verifying signature with trusted certificate pkg.opnsense.org.20210629... done
    root@GWM:~/21.7 # opnsense-verify changelog.txz
    Verifying signature with trusted certificate pkg.opnsense.org.20210629... done
    root@GWM:~/21.7 # opnsense-verify kernel-21.7-amd64.txz
    Verifying signature with trusted certificate pkg.opnsense.org.20210629... done
    root@GWM:~/21.7 # opnsense-verify kernel-21.7.1-amd64.txz
    Verifying signature with trusted certificate pkg.opnsense.org.20210629... done
    root@GWM:~/21.7 # opnsense-verify packages-21.7-LibreSSL-amd64.tar
    Verifying signature with trusted certificate pkg.opnsense.org.20210629... done
    root@GWM:~/21.7 # opnsense-verify packages-21.7-OpenSSL-amd64.tar
    Verifying signature with trusted certificate pkg.opnsense.org.20210629... done
    root@GWM:~/21.7 #
    root@GWM:~/21.7 #
    root@GWM:~/21.7 # opnsense-update -ur 21.7 -l ~/21.7/
    Fetching packages-21.7-OpenSSL-amd64.tar: . done
    Fetching base-21.7-amd64.txz: . done
    Fetching kernel-21.7-amd64.txz: . done

    !!!!!!!!!!!! ATTENTION !!!!!!!!!!!!!!!
    ! A critical upgrade is in progress. !
    ! Please do not turn off the system. !
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

    Extracting packages-21.7-OpenSSL-amd64.tar... done
    Extracting base-21.7-amd64.txz... done
    Installing kernel-21.7-amd64.txz... done
    Please reboot.
    root@GWM:~/21.7 # /usr/local/etc/rc.reboot
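
The per-file opnsense-verify checks from the session above, written as a loop that refuses to continue when a set copied from removable media has no signature or fails verification. This is an added example, not part of the original article or of OPNsense: the script name verify-sets.sh and the VERIFY_CMD override are hypothetical, and it assumes opnsense-verify exits non-zero when a check fails.

```shell
#!/bin/sh
# Added example: gate an offline OPNsense upgrade on signature checks.
# Assumption: opnsense-verify exits non-zero when verification fails.
# VERIFY_CMD is a hypothetical override, used only to test the logic.

verify_sets() {
    vs_dir=$1
    vs_cmd=${VERIFY_CMD:-opnsense-verify}
    vs_total=0
    vs_bad=0

    for vs_file in "$vs_dir"/*.txz "$vs_dir"/*.tar; do
        [ -f "$vs_file" ] || continue      # an unmatched glob stays literal
        vs_total=$((vs_total + 1))

        # A set without its detached .sig cannot be checked at all.
        if [ ! -s "$vs_file.sig" ]; then
            echo "NO SIGNATURE  $vs_file" >&2
            vs_bad=$((vs_bad + 1))
            continue
        fi

        # Truncated or modified transfers are expected to fail here.
        if "$vs_cmd" "$vs_file" >/dev/null 2>&1; then
            echo "OK            $vs_file"
        else
            echo "BAD SIGNATURE $vs_file" >&2
            vs_bad=$((vs_bad + 1))
        fi
    done

    # An empty directory must not count as "everything verified".
    if [ "$vs_total" -eq 0 ]; then
        echo "no sets found in $vs_dir" >&2
        return 2
    fi
    [ "$vs_bad" -eq 0 ]
}

# Usage: sh verify-sets.sh ~/21.7
if [ "$#" -ge 1 ]; then
    verify_sets "$1" || { echo "refusing to upgrade" >&2; exit 1; }
    echo "all sets verified; next step: opnsense-update -ur 21.7 -l $1"
fi
```
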
Just in case, here is the console log during the reboot.

    root@GWM:~/21.7 # /usr/local/etc/rc.reboot
    >>> Invoking stop script 'beep'
    >>> Invoking stop script 'freebsd'
    Stopping acme_http_challenge.
    Waiting for PIDS: 61011.
    Stopping flowd.
    Waiting for PIDS: 70065 72036.
    flowd_aggregate not running? (check /var/run/flowd_aggregate.pid).
    Stopping vnstat.
    Waiting for PIDS: 47773.
    Stopping zabbix_agentd.
    Waiting for PIDS: 30196.
    >>> Invoking stop script 'backup'
    >>> Invoking backup script 'captiveportal'
    >>> Invoking backup script 'dhcpleases'
    >>> Invoking backup script 'duid'
    >>> Invoking backup script 'netflow'
    >>> Invoking backup script 'rrd'
    >>> Invoking stop script 'config'
    Shutdown NOW!
    shutdown: [pid 15920]
    root@GWM:~/21.7 #
    *** FINAL System shutdown message from root@GWM.xaxa.local ***

    System going down IMMEDIATELY

    System shutdown time has arrived
If you connect to the router directly at this moment
We wait for the reboot to finish, update the packages

and upgrade to version 21.7.1
