Re: PFire 2.21

Re: PFire 2.21

[Peter Müller]

[-- Attachment #1: Type: text/plain, Size: 2462 bytes --]

Hello Paul,

this is the right place. Testing reports are always welcome. :-)

A crashing grub does not sound so good - especially if a firewall
machine is physical unreachable and no remote KVM console or similar
is available.

The 2.12 release was split up in two parts (one includes the new
kernel, firmware files are in the second) and as far as I am aware,
both should installed before rebooting.

> This may be my machine as I had used a live parted in the past to make a
> properly useful size var partition.
I did not get this.

@Core developers: Are we changing partition layout on existing
installations (enlarge /boot, drop /var)?

Yes, restoring too old backup files causes trouble. IPFire creates
a new backup before running a core upgrade, but if this fails, it
is hard to recover it. So better create a fresh backup before updating
to 2.21. Should we include this in the release notes?

Any observations after running on 2.21 (faster/slower/unstable/...)?

Thanks, and best regards,
Peter Müller


> Dear all,
> 
>  
> 
> Hopefully I am in the right place to report on 2.21
> 
> Just in case not - a quick summary
> 
> Moved to testing from stable 120.
> 
> Pakfire upgraded first to 121 - no reboot suggested.
> 
> Pakfire upgraded next to 2.21 - This time reboot required.
> 
>  
> 
> Reboot failed with a broken grub.  I could not fix this with the manual grub
> commands to get ipfire running at all so could not rewrite grub from a
> running system.  
> 
> This may be my machine as I had used a live parted in the past to make a
> properly useful size var partition.
> 
>  
> 
> Bit the bullet and downloaded nightly build of 2.21 and reinstalled a clean
> ipfire.
> 
> So far so good.
> 
>  
> 
> Only one comment about restoring previous settings from a backup.
> 
> My backup was old  and from a time when php was supported.  After restoring
> the backup a surprise was in store the next time apache web interface was
> restarted.  Apache failed as there is a reference in the conf files from
> backup to load php so extension. 
> 
> Commenting out the line fixes it of course.  Just thought I would mention
> that restoring backups from a version prior to the latest may have issues as
> features start to get expired.
> 
>  
> 
> By the way I really admire the stuff you do and a donation is en-route. 
> 
>  
> 
> Regards,
> 
> Paul
> 
>  
> 
>  
> 
> 
> 
>  
> 
> 

-- 
"We don't care.  We don't have to.  We're the Phone Company."


[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Re: PFire 2.21

[Michael Tremer]

[-- Attachment #1: Type: text/plain, Size: 4159 bytes --]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hello,

On Wed, 2018-06-27 at 23:07 +0200, Peter Müller wrote:
> Hello Paul,
> 
> this is the right place. Testing reports are always welcome. :-)
> 
> A crashing grub does not sound so good - especially if a firewall
> machine is physical unreachable and no remote KVM console or similar
> is available.
> 
> The 2.12 release was split up in two parts (one includes the new
> kernel, firmware files are in the second) and as far as I am aware,
> both should installed before rebooting.

Yes, you should install both in one go and then reboot. Pakfire should not
really allow you to only install one.

> > This may be my machine as I had used a live parted in the past to make a
> > properly useful size var partition.
> 
> I did not get this.

Changing the partition layout should not create any problems, because...

> @Core developers: Are we changing partition layout on existing
> installations (enlarge /boot, drop /var)?

... once the system is installed we never change any partition layout and
basically don't about it.

@Paul: Do you have any log files or so that can be useful to find out what went
wrong here?

> Yes, restoring too old backup files causes trouble. IPFire creates
> a new backup before running a core upgrade, but if this fails, it
> is hard to recover it. So better create a fresh backup before updating
> to 2.21. Should we include this in the release notes?

Pakfire automatically creates one. But people of course have to download that
from the system.

> Any observations after running on 2.21 (faster/slower/unstable/...)?

Best,
- -Michael

> 
> Thanks, and best regards,
> Peter Müller
> 
> 
> > Dear all,
> > 
> >  
> > 
> > Hopefully I am in the right place to report on 2.21
> > 
> > Just in case not - a quick summary
> > 
> > Moved to testing from stable 120.
> > 
> > Pakfire upgraded first to 121 - no reboot suggested.
> > 
> > Pakfire upgraded next to 2.21 - This time reboot required.
> > 
> >  
> > 
> > Reboot failed with a broken grub.  I could not fix this with the manual grub
> > commands to get ipfire running at all so could not rewrite grub from a
> > running system.  
> > 
> > This may be my machine as I had used a live parted in the past to make a
> > properly useful size var partition.
> > 
> >  
> > 
> > Bit the bullet and downloaded nightly build of 2.21 and reinstalled a clean
> > ipfire.
> > 
> > So far so good.
> > 
> >  
> > 
> > Only one comment about restoring previous settings from a backup.
> > 
> > My backup was old  and from a time when php was supported.  After restoring
> > the backup a surprise was in store the next time apache web interface was
> > restarted.  Apache failed as there is a reference in the conf files from
> > backup to load php so extension. 
> > 
> > Commenting out the line fixes it of course.  Just thought I would mention
> > that restoring backups from a version prior to the latest may have issues as
> > features start to get expired.
> > 
> >  
> > 
> > By the way I really admire the stuff you do and a donation is en-route. 
> > 
> >  
> > 
> > Regards,
> > 
> > Paul
> > 
> >  
> > 
> >  
> > 
> > 
> > 
> >  
> > 
> > 
> 
> 
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE5/rW5l3GGe2ypktxgHnw/2+QCQcFAls0u0oACgkQgHnw/2+Q
CQea5RAAlwmc2rNnuAO5vjeKkQRpRy2HqPrP3awFP/aCXMEiKHL5sSHCbMiuR/nF
tPaINsZPOCtTX4amaKCdy+5/XU0mtahnFcP1DtHvCDhByEQ6o/xSCVuMmGOx5gZQ
8n/IUHGgL9z4WTAM2pDUdIoOQlOIlXAU+4DZyPAaXoccAF5nHRRX7CSm7QfymcW9
Kes/Gm8QuJzW5oAj4TsPW1UUN9QF3qd3LzsINdyfCDKDZTLfwlgpoEZSWe36LzQp
jTVVVBZJpzJxs2O5hZ34hZXXl8GzkaL+oOpeuwFgAneydPhT9Qe4HjjTzNT2dAC1
GsjBRGXPwSC7s4qqTmiEwPRVopEAarEZBPEYU6KwW1Mhh72xAxi+lPqmges5S6M8
9V7zwUqkgOTsItJLqiRvW+pLj2cgSJ3lKvP2hTyS+YWaTm01xJ9Y/PleqXsK4r+T
B7U04EwRULiTkSVJqI4metGVKLHdee3zAvBRFtkyNITzIT+FGBiF5xEArh5JQPiq
W/pgGKRJ2pJylzTL9jU8eJ26go53RB8i9VVac6hDPl3N6n0/tXNkAWJrToCJHibW
FMPXBngRofWpTcfumphYKCmu1RyruMO76qgUKq1deHAJkER9jULs3OnkWd2K3r+A
0H2JUp2COUH188FMfEo7kyYodZ9ZO3cYaNVe5n1vehJe/ubnVGQ=
=PYHD
-----END PGP SIGNATURE-----

RE: PFire 2.21

[Paul Titjen]

[-- Attachment #1: Type: text/plain, Size: 5637 bytes --]

Hi Michael,

Sorry no logfiles as I just reloaded 2.21 from the nightly build.  So all history in old partitions is lost.  If the upgrade from 2.19 120 has been ok with other machines then my experience may have been a one off.  I am not overly confident of the BIOS of this machine I have either.

As for 2.21 - running well 
CPU usage is as expected.  Response is fast no issues.  OpenVPN running for road warrior connections and no issues there.  If any oddities come up I will report.

The backup issue is tricky. Even if you make it right before the upgrade it would still contain the conf for apache in this case with the php enabled.  The upgrade would then remove the php reference but of course if for any reason you needed to restore then it will come back and web GUI would not restart.
Because of your release  a few upgrades ago I knew php was going so was relatively quick to spot the fix I needed to do. I had enabled the SSH server before web GUI was lost and could fix.

My lesson is backup before upgrade - and then again after upgrade labelling them with the release #.  Maybe it is prudent to mention anything in release notes that might affect web GUI.

Regards,
Paul


-----Original Message-----
From: Michael Tremer <michael.tremer(a)ipfire.org> 
Sent: 28 June 2018 11:41
To: Peter Müller <peter.mueller(a)link38.eu>; Paul Titjen <paul.titjen(a)ministc.com>
Cc: development(a)lists.ipfire.org
Subject: Re: PFire 2.21

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hello,

On Wed, 2018-06-27 at 23:07 +0200, Peter Müller wrote:
> Hello Paul,
> 
> this is the right place. Testing reports are always welcome. :-)
> 
> A crashing grub does not sound so good - especially if a firewall 
> machine is physical unreachable and no remote KVM console or similar 
> is available.
> 
> The 2.12 release was split up in two parts (one includes the new 
> kernel, firmware files are in the second) and as far as I am aware, 
> both should installed before rebooting.

Yes, you should install both in one go and then reboot. Pakfire should not really allow you to only install one.

> > This may be my machine as I had used a live parted in the past to 
> > make a properly useful size var partition.
> 
> I did not get this.

Changing the partition layout should not create any problems, because...

> @Core developers: Are we changing partition layout on existing 
> installations (enlarge /boot, drop /var)?

... once the system is installed we never change any partition layout and basically don't about it.

@Paul: Do you have any log files or so that can be useful to find out what went wrong here?

> Yes, restoring too old backup files causes trouble. IPFire creates a 
> new backup before running a core upgrade, but if this fails, it is 
> hard to recover it. So better create a fresh backup before updating to 
> 2.21. Should we include this in the release notes?

Pakfire automatically creates one. But people of course have to download that from the system.

> Any observations after running on 2.21 (faster/slower/unstable/...)?

Best,
- -Michael

> 
> Thanks, and best regards,
> Peter Müller
> 
> 
> > Dear all,
> > 
> >  
> > 
> > Hopefully I am in the right place to report on 2.21
> > 
> > Just in case not - a quick summary
> > 
> > Moved to testing from stable 120.
> > 
> > Pakfire upgraded first to 121 - no reboot suggested.
> > 
> > Pakfire upgraded next to 2.21 - This time reboot required.
> > 
> >  
> > 
> > Reboot failed with a broken grub.  I could not fix this with the 
> > manual grub commands to get ipfire running at all so could not 
> > rewrite grub from a running system.
> > 
> > This may be my machine as I had used a live parted in the past to 
> > make a properly useful size var partition.
> > 
> >  
> > 
> > Bit the bullet and downloaded nightly build of 2.21 and reinstalled 
> > a clean ipfire.
> > 
> > So far so good.
> > 
> >  
> > 
> > Only one comment about restoring previous settings from a backup.
> > 
> > My backup was old  and from a time when php was supported.  After 
> > restoring the backup a surprise was in store the next time apache 
> > web interface was restarted.  Apache failed as there is a reference 
> > in the conf files from backup to load php so extension.
> > 
> > Commenting out the line fixes it of course.  Just thought I would 
> > mention that restoring backups from a version prior to the latest 
> > may have issues as features start to get expired.
> > 
> >  
> > 
> > By the way I really admire the stuff you do and a donation is en-route. 
> > 
> >  
> > 
> > Regards,
> > 
> > Paul
> > 
> >  
> > 
> >  
> > 
> > 
> > 
> >  
> > 
> > 
> 
> 
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE5/rW5l3GGe2ypktxgHnw/2+QCQcFAls0u0oACgkQgHnw/2+Q
CQea5RAAlwmc2rNnuAO5vjeKkQRpRy2HqPrP3awFP/aCXMEiKHL5sSHCbMiuR/nF
tPaINsZPOCtTX4amaKCdy+5/XU0mtahnFcP1DtHvCDhByEQ6o/xSCVuMmGOx5gZQ
8n/IUHGgL9z4WTAM2pDUdIoOQlOIlXAU+4DZyPAaXoccAF5nHRRX7CSm7QfymcW9
Kes/Gm8QuJzW5oAj4TsPW1UUN9QF3qd3LzsINdyfCDKDZTLfwlgpoEZSWe36LzQp
jTVVVBZJpzJxs2O5hZ34hZXXl8GzkaL+oOpeuwFgAneydPhT9Qe4HjjTzNT2dAC1
GsjBRGXPwSC7s4qqTmiEwPRVopEAarEZBPEYU6KwW1Mhh72xAxi+lPqmges5S6M8
9V7zwUqkgOTsItJLqiRvW+pLj2cgSJ3lKvP2hTyS+YWaTm01xJ9Y/PleqXsK4r+T
B7U04EwRULiTkSVJqI4metGVKLHdee3zAvBRFtkyNITzIT+FGBiF5xEArh5JQPiq
W/pgGKRJ2pJylzTL9jU8eJ26go53RB8i9VVac6hDPl3N6n0/tXNkAWJrToCJHibW
FMPXBngRofWpTcfumphYKCmu1RyruMO76qgUKq1deHAJkER9jULs3OnkWd2K3r+A
0H2JUp2COUH188FMfEo7kyYodZ9ZO3cYaNVe5n1vehJe/ubnVGQ=
=PYHD
-----END PGP SIGNATURE-----

IPFire 2.21 test report

[Peter Müller]

[-- Attachment #1: Type: text/plain, Size: 2064 bytes --]

Hello,

just installed IPFire 2.21 - Core Update 122 on a testing machine.

Issues noticed during update:
(a) Update to 122 was not installed automatically, but needs user
interaction.
(b) Machine rebooted properly and came up again without manual action
required.
(c) WebUI shortly displays "local recursor" for DNS status at
the main page - DNSSEC status of nameservers, however, is green.
These were displayed correctly again after ~ 2 minutes.
(d) NRPE addon required reinstallation (probably due to some
configuration changes). The service did not appear in the list at
the WebUI; this needs some bugfixing.
(e) charon displays connection errors "could not write to socket:
operation not permitted" which disappeared after ~ 2 minutes and
everything was properly established.

Summary:
Reboot, basic functions			WORKS
Squid web proxy + URL filter		WORKS
IDS					WORKS
OpenVPN (N2N only)			WORKS
IPsec (N2N only)			WORKS
SSH					WORKS
QoS					WORKS
NRPE					WORKS (after reinstallation, some bugs left)

CPU load (especially when it comes to HW interrupts) is a bit
(but not significant) lower than it was while running C120.
RAM consumption stays at the same level. Entropy is ~ 400 bits
higher. Kernel reports two interesting log lines on boot:

19:02:35 kernel:  alg: No test for seqiv(rfc4106(gcm(aes))) (seqiv(rfc4106-gcm-aesni))

18:57:49 kernel:  xt_geoip: loading out-of-tree module taints kernel.

Just for the records. :-)

Systems seems to be safe against Spectre/Meltdown:

/sys/devices/system/cpu/vulnerabilities/meltdown:
Mitigation: PTI
/sys/devices/system/cpu/vulnerabilities/spec_store_bypass:
Not affected
/sys/devices/system/cpu/vulnerabilities/spectre_v1:
Mitigation: __user pointer sanitization
/sys/devices/system/cpu/vulnerabilities/spectre_v2:
Mitigation: Full generic retpoline

In case any issues occur within the next time, I'll let you know.
Excellent work so far!

Thanks, and best regards,
Peter Müller
-- 
"We don't care.  We don't have to.  We're the Phone Company."


[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Re: IPFire 2.21 test report

[Peter Müller]

[-- Attachment #1: Type: text/plain, Size: 2594 bytes --]

Hello,

while testing some firewall stuff, I stumbled across bug #11777
(https://bugzilla.ipfire.org/show_bug.cgi?id=11777): In some cases,
GeoIP country data in firewall rules and WebUI seem to differ. :-(

Since this makes debugging extremely hard and unreliable, could
someone have a look at this please? Sorry for the noise, but this
is a nasty one...

Thanks and best regards,
Peter Müller


> Hello,
> 
> just installed IPFire 2.21 - Core Update 122 on a testing machine.
> 
> Issues noticed during update:
> (a) Update to 122 was not installed automatically, but needs user
> interaction.
> (b) Machine rebooted properly and came up again without manual action
> required.
> (c) WebUI shortly displays "local recursor" for DNS status at
> the main page - DNSSEC status of nameservers, however, is green.
> These were displayed correctly again after ~ 2 minutes.
> (d) NRPE addon required reinstallation (probably due to some
> configuration changes). The service did not appear in the list at
> the WebUI; this needs some bugfixing.
> (e) charon displays connection errors "could not write to socket:
> operation not permitted" which disappeared after ~ 2 minutes and
> everything was properly established.
> 
> Summary:
> Reboot, basic functions			WORKS
> Squid web proxy + URL filter		WORKS
> IDS					WORKS
> OpenVPN (N2N only)			WORKS
> IPsec (N2N only)			WORKS
> SSH					WORKS
> QoS					WORKS
> NRPE					WORKS (after reinstallation, some bugs left)
> 
> CPU load (especially when it comes to HW interrupts) is a bit
> (but not significant) lower than it was while running C120.
> RAM consumption stays at the same level. Entropy is ~ 400 bits
> higher. Kernel reports two interesting log lines on boot:
> 
> 19:02:35 kernel:  alg: No test for seqiv(rfc4106(gcm(aes))) (seqiv(rfc4106-gcm-aesni))
> 
> 18:57:49 kernel:  xt_geoip: loading out-of-tree module taints kernel.
> 
> Just for the records. :-)
> 
> Systems seems to be safe against Spectre/Meltdown:
> 
> /sys/devices/system/cpu/vulnerabilities/meltdown:
> Mitigation: PTI
> /sys/devices/system/cpu/vulnerabilities/spec_store_bypass:
> Not affected
> /sys/devices/system/cpu/vulnerabilities/spectre_v1:
> Mitigation: __user pointer sanitization
> /sys/devices/system/cpu/vulnerabilities/spectre_v2:
> Mitigation: Full generic retpoline
> 
> In case any issues occur within the next time, I'll let you know.
> Excellent work so far!
> 
> Thanks, and best regards,
> Peter Müller
> 

-- 
"We don't care.  We don't have to.  We're the Phone Company."


[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]